Results 11  20
of
260
The order of encryption and authentication for protecting communications (or: how Secure is SSL?)
, 2001
"... We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chose ..."
Abstract

Cited by 123 (5 self)
 Add to MetaCart
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encryptthenauthenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticatethenencrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticatethenencrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encryptandauthenticate method used in SSH. On the positive side we show that the authenticatethenencrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
Parallelizable Encryption Mode with Almost Free Message Integrity
, 2000
"... this documentwe propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a ..."
Abstract

Cited by 106 (3 self)
 Add to MetaCart
this documentwe propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below. The new mode is also highly parallelizable. In fact, it has critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board (housing 1000 block cipher units) achieves terabits/sec (10 12 bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode. The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality,themode achieves the same provable security bound as CBC. For authentication, the mode achieves the same provable security bound as CBCMAC. The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening (as well an output whitening) with a pairwise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (Note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity. The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwi...
Publickey encryption in a multiuser setting: Security proofs and improvements
, 2000
"... This paper addresses the security of publickey cryptosystems in a \multiuser " setting, namely in the presence of attacks involving the encryption of related messages under di erent public keys, as exempli ed by Hastad's classical attacks on RSA. We prove that security in the singleuser sett ..."
Abstract

Cited by 103 (6 self)
 Add to MetaCart
This paper addresses the security of publickey cryptosystems in a \multiuser " setting, namely in the presence of attacks involving the encryption of related messages under di erent public keys, as exempli ed by Hastad's classical attacks on RSA. We prove that security in the singleuser setting implies security in the multiuser setting as long as the former is interpreted in the strong sense of \indistinguishability, " thereby pinpointing many schemes guaranteed to be secure against Hastadtype attacks. We then highlight the importance, in practice, of considering and improving the concrete security of the general reduction, and present such improvements for two Di eHellman based schemes, namely El Gamal and CramerShoup.
Keyprivacy in publickey encryption
, 2001
"... We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning t ..."
Abstract

Cited by 93 (8 self)
 Add to MetaCart
We consider a novel security requirement of encryption schemes that we call “keyprivacy” or “anonymity”.It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary.We investigate the anonymity of known encryption schemes.We prove that the El Gamal scheme provides anonymity under chosenplaintext attack assuming the Decision DiffieHellman problem is hard and that the CramerShoup scheme provides anonymity under chosenciphertext attack under the same assumption.We also consider anonymity for trapdoor permutations.Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it.We provide a variant of RSAOAEP that provides anonymity in the random oracle model assuming RSA is oneway.We also give constructions of anonymous trapdoor permutations, assuming RSA is oneway, which yield anonymous encryption schemes in the standard model.
New proofs for NMAC and HMAC: Security without collisionresistance
, 2006
"... HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. ..."
Abstract

Cited by 82 (8 self)
 Add to MetaCart
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collisionresistant. However, recent attacks show that assumption (2) is false for MD5 and SHA1, removing the proofbased support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistancetoattack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weakerthanPRF condition on the compression function, namely that it is a privacypreserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
A Computationally Sound Mechanized Prover for Security Protocols
 In Proc. 27th IEEE Symposium on Security & Privacy
, 2005
"... We present a new mechanized prover for secrecy properties of cryptographic protocols. ..."
Abstract

Cited by 78 (9 self)
 Add to MetaCart
We present a new mechanized prover for secrecy properties of cryptographic protocols.
Keyinsulated public key cryptosystems
 In EUROCRYPT
, 2002
"... Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internetconnected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of keyinsulat ..."
Abstract

Cited by 75 (10 self)
 Add to MetaCart
Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internetconnected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of keyinsulated security whose goal is to minimize the damage caused by secretkey exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physicallysecure — but computationallylimited — device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)keyinsulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physicallysecure device. We focus primarily on keyinsulated publickey encryption. We construct a (t, N)keyinsulated encryption scheme based on any (standard) publickey encryption scheme, and give a more ef£cient construction based on the DDH assumption. The latter construction is then extended to achieve chosenciphertext security. 1
Compact Proofs of Retrievability
, 2008
"... In a proofofretrievability system, a data storage center must prove to a verifier that he is actually storing all of a client’s data. The central challenge is to build systems that are both efficient and provably secure — that is, it should be possible to extract the client’s data from any prover ..."
Abstract

Cited by 72 (0 self)
 Add to MetaCart
In a proofofretrievability system, a data storage center must prove to a verifier that he is actually storing all of a client’s data. The central challenge is to build systems that are both efficient and provably secure — that is, it should be possible to extract the client’s data from any prover that passes a verification check. All previous provably secure solutions require that a prover send O(l) authenticator values (i.e., MACs or signatures) to verify a file, for a total of O(l 2) bits of communication, where l is the security parameter. The extra cost over the ideal O(l) communication can be prohibitive in systems where a verifier needs to check many files. We create the first compact and provably secure proof of retrievability systems. Our solutions allow for compact proofs with just one authenticator value — in practice this can lead to proofs with as little as 40 bytes of communication. We present two solutions with similar structure. The first one is privately verifiable and builds elegantly on pseudorandom functions (PRFs); the second allows for publicly verifiable proofs and is built from the signature scheme of Boneh, Lynn, and Shacham in bilinear groups. Both solutions rely on homomorphic properties to aggregate a proof into one small authenticator value. 1
ForwardSecurity in PrivateKey Cryptography
 CTRSA 2003
, 2003
"... This paper provides a comprehensive treatment of forwardsecurity in the context of sharedkey based cryptographic primitives, as a practical means to mitigate the damage caused by keyexposure. We provide definitions of security, practical provensecure constructions, and applications for the main p ..."
Abstract

Cited by 68 (1 self)
 Add to MetaCart
This paper provides a comprehensive treatment of forwardsecurity in the context of sharedkey based cryptographic primitives, as a practical means to mitigate the damage caused by keyexposure. We provide definitions of security, practical provensecure constructions, and applications for the main primitives in this area. We identify forwardsecure pseudorandom bit generators as the central primitive, providing several constructions and then showing how forwardsecure message authentication schemes and symmetric encryption schemes can be built based on standard schemes for these problems coupled with forwardsecure pseudorandom bit generators. We then apply forwardsecure message authentication schemes to the problem of maintaining secure access logs in the presence of breakins.
A tweakable enciphering mode
 of LNCS
, 2003
"... Abstract. We describe a blockcipher mode of operation, CMC, that turns an nbit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in ..."
Abstract

Cited by 66 (5 self)
 Add to MetaCart
Abstract. We describe a blockcipher mode of operation, CMC, that turns an nbit block cipher into a tweakable enciphering scheme that acts on strings of mn bits, where m ≥ 2. When the underlying block cipher is secure in the sense of a strong pseudorandom permutation (PRP), our scheme is secure in the sense of tweakable, strong PRP. Such an object can be used to encipher the sectors of a disk, inplace, offering security as good as can be obtained in this setting. CMC makes a pass of CBC encryption, xors in a mask, and then makes a pass of CBC decryption; no universal hashing, nor any other nontrivial operation beyond the blockcipher calls, is employed. Besides proving the security of CMC we initiate a more general investigation of tweakable enciphering schemes, considering issues like the nonmalleability of these objects. 1