Careful with composition: Limitations of the indifferentiability framework
- EUROCRYPT 2011, volume 6632 of LNCS
, 2011
Cited by 3 (1 self)
We exhibit a hash-based storage auditing scheme which is provably secure in the random-oracle model (ROM), but easily broken when one instead uses typical indifferentiable hash constructions. This contradicts the widely accepted belief that the indifferentiability composition theorem applies to any cryptosystem. We characterize the uncovered limitation of the indifferentiability framework by showing that the formalizations used thus far implicitly exclude security notions captured by experiments that have multiple, disjoint adversarial stages. Examples include deterministic public-key encryption (PKE), password-based cryptography, hash function nonmalleability, key-dependent message security, and more. We formalize a stronger notion, reset indifferentiability, that enables an indifferentiability-style composition theorem covering such multi-stage security notions, but then show that practical hash constructions cannot be reset indifferentiable. We discuss how these limitations also affect the universal composability framework. We finish by showing the chosen-distribution attack security (which requires a multi-stage game) of some important public-key encryption schemes built using a hash construction paradigm introduced by Dodis, Ristenpart, and Shrimpton.
An Intrusion Tolerance Approach for Protecting Network Infrastructures
, 1999
Cited by 3 (0 self)
Contents
- List of Figures
- List of Tables
- 1 Introduction
- 2 An Efficient Message Authentication Scheme for Link State Routing
  - 2.1 Introduction
  - 2.2 Background: Link State Update Authentication
  - 2.3 Optimistic Link State Verification
    - 2.3.1 Assumptions
    - 2.3.2 Protocol Overview
    - 2.3.3 Sender Process
    - 2.3.4 Receiver Process
    - 2.3.5 Recovery Process
    - 2.3.6 An Example
New protocols for proving knowledge of arbitrary secrets while not giving them away
- Proceedings of the 1st Knowledge and Games Workshop
, 2004
Cited by 2 (0 self)
This paper introduces and describes new protocols for proving knowledge of secrets without giving them away: if the verifier does not know the secret, he does not learn it. Three role configurations exist for this type of protocol: (1) the prover may want to proactively prove knowledge of a secret, (2) a verifier may ask someone to prove knowledge of a secret, or (3) two players may mutually prove knowledge of a secret. Protocols for all three cases are shown in this paper. This can all be done while using only one-way hash functions. If the use of encryption is also allowed, these goals can be reached in a more efficient way, giving a total of six protocols (three without encryption and three with).
Practical Message Authentication Schemes
, 1995
Cited by 2 (2 self)
Use of encryption algorithms in message authentication is replaced by secure hash functions, which are often faster than encryption algorithms. Tsudik [14] has proposed three methods for message authentication which are based only on one-way hash functions and use some keys to make them secure. In this paper, we give a set of practical methods, each of which uses a fast collision-free hash function (such as MD5) and provides secure message authentication. The idea of the proposed methods is almost similar to that of Tsudik's, but we are able to reduce the key length eight times compared to Tsudik's constructions, while maintaining the same security. In our methods, the secret key is added using exclusive-or or assign operators (instead of concatenation) to make them faster. We have also proved that our methods belong to the Secure Keyed One-Way Hash Function (SKOWHF) group, if the underlying hash function is secure.

1 Introduction
In today's communication, existence of a fast method...
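The abstract above keys a hash by XORing the secret into the input rather than concatenating it. The block below is an added example, not code from the paper, showing the standard keyed-hash construction that does exactly this: HMAC (RFC 2104), built here from bare SHA-256 so the inner/outer XOR pads and the double hashing are visible. The sample key and message are constructed for the demo; SHA-256 stands in for the MD5 named in the abstract. Note the caveat the construction exists to address: a plain H(K || m) over a Merkle-Damgard hash is subject to length extension, which the outer hash under the second pad prevents.

```python
import hashlib
import hmac

# SHA-256 consumes 64-byte input blocks; HMAC pads the key to that length.
BLOCK_SIZE = 64


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 from the bare hash (RFC 2104 structure):
        H((K xor opad) || H((K xor ipad) || msg))
    The key enters through XOR with two fixed pads and the inner digest is
    hashed again under the outer pad, so the tag is never a plain H(K || msg)."""
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()      # over-long keys are hashed first
    key = key.ljust(BLOCK_SIZE, b"\x00")        # then zero-padded to one block
    inner_key = bytes(b ^ 0x36 for b in key)
    outer_key = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(inner_key + msg).digest()
    return hashlib.sha256(outer_key + inner).digest()


def verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag check. A plain `==` on tags leaks the index of the
    first mismatching byte through timing, which lets an attacker forge a tag
    byte by byte."""
    return hmac.compare_digest(hmac_sha256(key, msg), tag)


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check this construction against the standard library's HMAC."""
    return hmac_sha256(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    # constructed sample key and message (not from the paper)
    k, m = b"constructed-demo-key", b"GET /account/balance"
    tag = hmac_sha256(k, m)
    print("HMAC-SHA256 tag:", tag.hex())
    print("matches hmac module:", matches_stdlib(k, m))
    print("genuine verifies:", verify(k, m, tag), "| tampered verifies:", verify(k, m + b"?", tag))
```

The key handling (hash if longer than a block, zero-pad to a block) is the part most often got wrong in hand-rolled MACs; the cross-check against `hmac.new` and the RFC 4231 vector in the test confirm the construction matches the published one.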
Secure and Minimal Protocols for Authenticated Key Distribution
- Computer Communications Journal
, 1995
Cited by 2 (2 self)
The problem of secure key distribution has been the subject of much attention in recent years. This paper describes a novel method for authenticated key distribution in the distributed systems environment. In particular, a braiding technique for key distribution is introduced. The underlying protocols are extremely compact in both the number of messages and message sizes, which facilitates their application at any layer (at lower layers, in particular) in the protocol hierarchy. Furthermore, the protocols are shown to be resistant to a wide range of interleaving attacks. All this is achieved with minimal computational requirements and without the necessity of using traditional encryption (a strong one-way function suffices).
Keywords: Network Security, Network Protocols, Authentication, Key Distribution.

1 Introduction
Research in authentication protocols has been fairly active since the publication in the late 1970s of Needham and Schroeder's landmark paper [13]. In it, they prop...
Using a Byzantine-Fault-Tolerant Algorithm to Provide a Secure DNS
, 1995
Cited by 2 (0 self)
The Domain Name System, or DNS, is a distributed database that is used to provide a name service for the Internet. It has become a critical part of the Internet infrastructure. Because of its importance, DNS is a favorite target of malicious hackers. However, DNS is not designed to be a secure protocol. To make the DNS more robust, a DNS security extension has been proposed. In this extension, the authentication of the queried data can be verified by using a public-private key scheme. But this extension still has some security flaws. This thesis analyzes the security issues of DNS and its security extension. It presents a design and implementation of a Byzantine-fault-tolerant DNS based on a new Byzantine-fault-tolerant algorithm. This DNS also supports secure dynamic update operations. The malicious user needs to compromise at least f + 1 replicas to effectively attack the system, which consists of 3f + 1 replicas. This thesis also shows that the Byzantine-fault-tolerant DNS performs almost as well as an implementation
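The "f + 1 of 3f + 1" claim in the abstract is the client-side acceptance rule of Byzantine-fault-tolerant replication. The block below is an added example, not the thesis's code, that makes the rule concrete: a client collects authenticated replies from distinct replicas and accepts the first answer backed by f + 1 of them. At most f replicas are faulty, so f + 1 matching replies always include a correct one; conversely, once f + 1 replicas are compromised they can outvote the rule, which is exactly the attack threshold the abstract states. Replica ids, answers and the arrival order (attacker-controlled replicas answering first) are constructed for the demo.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple

# (replica id, answer); replies are assumed to be authenticated per replica,
# so a faulty replica cannot impersonate a correct one.
Reply = Tuple[int, str]


def replica_count(f: int) -> int:
    """A system that tolerates f Byzantine replicas needs n = 3f + 1 of them."""
    return 3 * f + 1


def accept_reply(replies: Iterable[Reply], f: int) -> Optional[str]:
    """Client-side vote: return the first answer backed by f + 1 distinct
    replicas, or None if no answer reaches that count.

    Why f + 1: at most f replicas are faulty, so among f + 1 matching replies
    at least one comes from a correct replica, and correct replicas only
    return the true value. Why not fewer: f colluding replicas can all send
    the same wrong answer, so any threshold of f or below is forgeable."""
    votes: Counter = Counter()
    seen = set()
    for rid, answer in replies:
        if rid in seen:             # one vote per replica; repeats are ignored
            continue
        seen.add(rid)
        votes[answer] += 1
        if votes[answer] >= f + 1:
            return answer
    return None


def simulate(f: int, true_answer: str, bogus_answer: str, compromised: int) -> Optional[str]:
    """Constructed scenario: `compromised` replicas (ids 0..compromised-1) all
    return bogus_answer and, being under attacker control, reply first; the
    remaining correct replicas return true_answer."""
    n = replica_count(f)
    replies = [(rid, bogus_answer) for rid in range(compromised)]
    replies += [(rid, true_answer) for rid in range(compromised, n)]
    return accept_reply(replies, f)


if __name__ == "__main__":
    for f in (1, 2):
        for c in range(f + 2):
            print(f"f={f} n={replica_count(f)} compromised={c}: client accepts",
                  simulate(f, "198.51.100.10", "203.0.113.66", c))
```

Running it shows the boundary directly: with f compromised replicas the client still resolves to the true address, with f + 1 it accepts the attacker's address. The per-replica authentication assumed in the comment is what stops a single faulty replica from casting several votes.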
Secure diffusion for wireless sensor networks
- in Broadnets
, 2006
Cited by 2 (1 self)
Data dissemination is an indispensable protocol component for the emerging large-scale sensor networks. In this paper, we propose a secure data dissemination protocol that enhances directed diffusion to operate in the presence of compromised sensors. Our proposed solution, Secure Diffusion, utilizes a novel security primitive called location-binding keys, and exploits the available end-to-end feedback loop in Directed Diffusion. In Secure Diffusion, sensor nodes use pairwise neighbor keys to establish secure gradients, and the sink uses location-binding keys to authenticate the received sensing data. By differentiating authentic data from fabricated data, the sink can selectively reinforce data paths and assist intermediate nodes in local reinforcement decisions to combat compromised nodes. Our security analysis shows that, in the presence of compromised nodes, Secure Diffusion can ensure both high-quality delivery of authentic data and local containment of malicious traffic.
Message Encryption and Authentication Using One-Way Hash Functions
- Proc. of 3rd Annual Workshop on Selected Areas in Cryptology (SAC '96), Queens
, 1996
Cited by 1 (0 self)
A one-way hash function is an important cryptographic primitive for digital signatures and authentication. Recently much work has been done toward the construction of other cryptographic algorithms (e.g., MACs) using hash functions. In particular, such algorithms would be easy to implement with existing code for hash functions if they are used as a black box without modification. In this paper we present new such constructions for block ciphers and MACs in some general form (i.e., with variable key sizes, block lengths and MAC lengths).

1 Introduction
Hash functions play an important role in various cryptographic protocol designs. They are used as a cryptographic primitive for digital signatures and message/user authentication. Consequently a lot of optimized implementations of hash functions, such as MD5 [23] and SHA [24], exist. In this paper we describe several algorithms constructed from keyed hash functions: DES-like block ciphers, stream cipher-like algorithms and MAC algorithms. Al...
Two Practical and Provably Secure Block Ciphers: BEAR and LION
, 1996
Cited by 1 (0 self)
In this paper we suggest two new provably secure block ciphers, called BEAR and LION. They both have large block sizes, and are based on the Luby-Rackoff construction. Their underlying components are a hash function and a stream cipher, and they are provably secure in the sense that attacks which find their keys would yield attacks on one or both of the underlying components. They also have the potential to be much faster than existing block ciphers in many applications.
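The two abstracts above (block ciphers built from keyed hash functions, and BEAR/LION with a hash and a stream cipher as components) both describe a Luby-Rackoff-style unbalanced Feistel cipher over a large block. The block below is an added example, not code from either paper, showing how such a cipher is assembled and why it is invertible: a short left half the size of one hash output, a long right half, and three XOR rounds in which a keyed hash masks the short half and the short half seeds a stream cipher over the long one. The round layout is this example's own and the exact BEAR and LION definitions are in the paper; HMAC-SHA256 stands in for the keyed hash and SHA-256 in counter mode stands in for a real stream cipher. Keys and plaintext are constructed for the demo.

```python
import hashlib
import hmac

# The left half is one hash output (32 bytes for SHA-256); the right half is the rest.
HALF = 32


def keyed_hash(key: bytes, data: bytes) -> bytes:
    """Keyed hash round function; HMAC-SHA256 stands in for the paper's hash."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(seed: bytes, length: int) -> bytes:
    """Stand-in stream cipher: SHA-256 in counter mode keyed by seed (an
    assumption for a dependency-free example; use a real stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split(block: bytes):
    if len(block) <= HALF:
        raise ValueError("block must be longer than one hash output")
    return block[:HALF], block[HALF:]


def encrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """Three-round unbalanced Feistel: hash, stream cipher, hash."""
    L, R = split(block)
    L = xor(L, keyed_hash(k1, R))       # round 1: hash of the long half masks the short half
    R = xor(R, keystream(L, len(R)))    # round 2: short half seeds the stream over the long half
    L = xor(L, keyed_hash(k2, R))       # round 3: hash again under the second key
    return L + R


def decrypt(k1: bytes, k2: bytes, block: bytes) -> bytes:
    """Rounds undone in reverse order; each XOR round is its own inverse."""
    L, R = split(block)
    L = xor(L, keyed_hash(k2, R))
    R = xor(R, keystream(L, len(R)))
    L = xor(L, keyed_hash(k1, R))
    return L + R


def differing_bytes(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    k1, k2 = b"constructed-key-1", b"constructed-key-2"
    pt = bytes(range(256)) * 4          # 1 KiB constructed plaintext block
    ct = encrypt(k1, k2, pt)
    print("round trip ok:", decrypt(k1, k2, ct) == pt)
    damaged = bytearray(ct)
    damaged[-1] ^= 0x01                 # flip one ciphertext bit
    print("bytes changed by a 1-bit ciphertext flip:",
          differing_bytes(decrypt(k1, k2, bytes(damaged)), pt), "of", len(pt))
```

Invertibility needs no inverse of the hash or the stream cipher: each round XORs a value computed from the other half, so replaying the rounds backwards cancels them. The one-bit flip test shows the other side of the design, that a change anywhere in the ciphertext alters the seed of the middle round and scrambles the whole block on decryption.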
Construction and Traversal of Hash Chain with Public Links
Cited by 1 (0 self)
Current hash chain traversal techniques require that the intermediate links of the hash chain be stored secretly on a trusted storage. This requirement is undesirable in several applications. We propose a new construction of hash chains based on inserting a 'breakpoint' after a fixed number of links in the chain. We also propose a method with which the current hash chain traversal techniques can be applied to our construction without any significant changes in the storage and computation requirements and with the added advantage that the intermediate links may be stored on a public and non-trusted storage. We are also able to prove the security of our construction by replacing the hash function with a MAC function.
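The problem the abstract starts from is that stored intermediate links of a plain hash chain must stay secret. The block below is an added example, not the paper's construction, of a classic hash chain with every k-th link kept as a checkpoint for cheap traversal, plus the attack that results if a checkpoint leaks: anyone holding v_c can hash forward to every link the prover has yet to disclose down to v_c, and the verifier will accept them. Chain length, checkpoint interval, seeds and names are constructed for the demo; the paper's breakpoint-and-MAC construction is not reproduced here.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


class HashChain:
    """Prover side. Links are v_i = H^i(seed) for i = 0..n; v_n is the public anchor.
    Links are disclosed in the order v_{n-1}, v_{n-2}, ..., v_0.
    Every k-th link is kept as a checkpoint so that v_i costs at most k-1 hashes
    instead of i hashes; in the plain scheme these checkpoints must stay secret."""

    def __init__(self, n: int, k: int, seed: Optional[bytes] = None):
        self.n, self.k = n, k
        v = seed if seed is not None else secrets.token_bytes(32)
        self.checkpoints: Dict[int, bytes] = {}
        for i in range(n):
            if i % k == 0:
                self.checkpoints[i] = v     # v_i for i a multiple of k
            v = H(v)
        self.anchor = v                     # v_n, safe to publish
        self.next_index = n - 1             # next link to disclose

    def link(self, i: int) -> bytes:
        c = (i // self.k) * self.k          # nearest checkpoint at or below i
        v = self.checkpoints[c]
        for _ in range(i - c):
            v = H(v)
        return v

    def disclose(self) -> Tuple[int, bytes]:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted")
        i = self.next_index
        self.next_index -= 1
        return i, self.link(i)


class Verifier:
    """Holds only the last accepted value, initially the anchor."""

    def __init__(self, anchor: bytes):
        self.last = anchor
        self.accepted = 0

    def accept(self, v: bytes) -> bool:
        if H(v) == self.last:
            self.last = v
            self.accepted += 1
            return True
        return False


def forge_from_checkpoint(checkpoint: bytes, c: int, target: int) -> bytes:
    """Attacker who reads checkpoint v_c from storage computes any v_i with
    i >= c by hashing forward, i.e. every link the prover has not yet disclosed
    down to v_c. This is why plain checkpoints cannot be kept on public storage."""
    if target < c:
        raise ValueError("hashing forward only reaches links at or after the checkpoint")
    v = checkpoint
    for _ in range(target - c):
        v = H(v)
    return v


if __name__ == "__main__":
    chain = HashChain(n=16, k=4, seed=b"\x01" * 32)     # constructed seed
    ver = Verifier(chain.anchor)
    for _ in range(4):
        i, v = chain.disclose()
        print(f"disclose v_{i}: accepted={ver.accept(v)}")
    # leak of the checkpoint v_8 lets an outsider produce the next link the
    # verifier expects (v_11) without the seed
    forged = forge_from_checkpoint(chain.checkpoints[8], 8, 11)
    print("forged v_11 accepted:", ver.accept(forged))
```

The forgery works in the direction of disclosure: a checkpoint gives away the links above it, which are precisely the ones still to come, while the links below it remain protected by one-wayness. Keeping checkpoints on untrusted storage therefore needs a construction in which a stored link does not let the holder compute the undisclosed ones, which is the gap the paper addresses.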

