Results 1 - 10 of 67
A Key-Management Scheme for Distributed Sensor Networks
In Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002
Cited by 448 (4 self)
Distributed Sensor Networks (DSNs) are ad-hoc mobile networks that include sensor nodes with limited computation and communication capabilities. DSNs are dynamic in the sense that they allow addition and deletion of sensor nodes after deployment to grow the network or replace failing and unreliable nodes. DSNs may be deployed in hostile areas where communication is monitored and nodes are subject to capture and surreptitious use by an adversary. Hence DSNs require cryptographic protection of communications, sensor-capture detection, key revocation and sensor disabling. In this paper, we present a key-management scheme designed to satisfy both operational and security requirements of DSNs.
Authenticated encryption: Relations among notions and analysis of the generic composition paradigm
2000
Cited by 172 (18 self)
On the security of joint signature and encryption
2002
Cited by 113 (6 self)
We formally study the notion of a joint signature and encryption in the public-key setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encrypt-then-sign” (EtS) and “sign-then-encrypt” (StE) methods are both secure composition methods in the public-key setting. We also present a new composition method which we call “commit-then-encrypt-and-sign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hash-sign-switch” technique of [30], leading to efficient on-line/off-line signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2-security, which we call generalized CCA2-security (gCCA2). We show that gCCA2-security suffices for all known uses of CCA2-secure encryption, while no longer suffering from the definitional shortcomings of the latter.
OCB: A Block-Cipher Mode of Operation for Efficient Authenticated Encryption
2001
Cited by 111 (14 self)
We describe a parallelizable block-cipher mode of operation that simultaneously provides privacy and authenticity. OCB encrypts-and-authenticates a nonempty string M ∈ {0,1}* using ⌈|M|/n⌉ + 2 block-cipher invocations, where n is the block length of the underlying block cipher. Additional overhead is small. OCB refines a scheme, IAPM, suggested by Jutla [20]. Desirable properties of OCB include: the ability to encrypt a bit string of arbitrary length into a ciphertext of minimal length; cheap offset calculations; cheap session setup; a single underlying cryptographic key; no extended-precision addition; a nearly optimal number of block-cipher calls; and no requirement for a random IV. We prove OCB secure, quantifying the adversary's ability to violate privacy or authenticity in terms of the quality of the block cipher as a pseudorandom permutation (PRP) or as a strong PRP, respectively. Keywords: AES, authenticity, block ciphers, cryptography, encryption, integrity, modes of operation, provable security, standards.
Author affiliations (from the paper's footnotes): Department of Computer Science, Eng. II Building, University of California at Davis, Davis, California 95616 USA, and Department of Computer Science, Faculty of Science, Chiang Mai University, Chiang Mai 50200 Thailand (rogaway@cs.ucdavis.edu, www.cs.ucdavis.edu/~rogaway); Department of Computer Science & Engineering, University of California at San Diego, 9500 Gilman Drive, La Jolla, California 92093 USA (mihir@cs.ucsd.edu, www-cse.ucsd.edu/users/mihir); Department of Computer Science, University of Nevada, Reno, Nevada 89557 USA (jrb@cs.unr.edu, www.cs.unr.edu/~jrb); Digital Fountain, 600 Alabama Street, San Francisco, CA 94110 USA (tdk@acm.org).
The order of encryption and authentication for protecting communications (or: how Secure is SSL?)
2001
Cited by 101 (3 self)
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
Formal Proofs for the Security of Signcryption
In PKC ’02, 2002
Cited by 51 (0 self)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
Building the IBM 4758 Secure Coprocessor
2001
Cited by 50 (5 self)
implementation and management, but also on various flavors of security policies they must support. Clearly, the hardware on which applications run must be secure, as must the operating system and runtime environment in between, while offering a reasonable API for applications developers. To fix problems in the field and enable fast and inexpensive reaction to changing customer needs, we implemented part of the code as firmware, rather than read-only memory. Figure 1 shows the 4758's three major components and their interrelationships. Subdividing the software into different layers raises issues of trust because upper components rely on the security that lower layers offer. Applications cannot be more secure than the kernel functions they call, and the operating system cannot be more secure than the hardware that executes its commands. Thus, if the lower layers are robust, higher layers can choose whether to relinquish some security. We designed the lower layers to b
A Block-Cipher Mode of Operation for Parallelizable Message Authentication
Advances in Cryptology - EUROCRYPT 2002, Lecture Notes in Computer Science, 2002
Cited by 46 (5 self)
We define and analyze a simple and fully parallelizable block-cipher mode of operation for message authentication. Parallelizability does not come at the expense of serial efficiency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a Carter-Wegman MAC), works for strings of any bit length, employs a single block-cipher key, and uses just max{1, ⌈|M|/n⌉} block-cipher calls to MAC a string M ∈ {0,1}* using an n-bit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: block-cipher modes, message authentication codes, modes of operation, provable security.
Mnemosyne: Peer-to-Peer Steganographic Storage
2002
Cited by 40 (7 self)
We present the design of Mnemosyne, a peer-to-peer steganographic storage service. Mnemosyne provides a high level of privacy and plausible deniability by using a large amount of shared distributed storage to hide data. Blocks are dispersed by secure hashing, and loss codes are used for resiliency. We discuss the design of the system, and the challenges posed by traffic analysis.
Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption
In Proceedings of the 11th USENIX Security Symposium, 2002
Cited by 27 (1 self)
Vaudenay recently demonstrated side-channel attacks on a common encryption scheme, CBC Mode encryption, exploiting a “valid padding” oracle [Vau02]. Mirroring the side-channel attacks of Bleichenbacher [Ble98] and Manger [Man01] on asymmetric schemes, he showed that symmetric encryption methods are just as vulnerable to side-channel weaknesses when an adversary is able to distinguish between valid and invalid ciphertexts.
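The two abstracts above, Krawczyk's on the order of encryption and authentication and Black and Urtubia's on padding oracles, fit together: Krawczyk proves the authenticate-then-encrypt (SSL) order safe for CBC when decryption failure is a single undifferentiated event, and the padding-oracle attack works precisely when an implementation lets the attacker tell a padding failure from a MAC failure. The script below is an added example written for this listing, not code from either paper. It builds a MAC-then-encrypt and an encrypt-then-MAC receiver over CBC with PKCS#7 padding, runs Vaudenay's byte-by-byte attack against the first one's distinguishable errors, and shows that the second one answers every forgery with the same "bad mac". The 16-byte block cipher is a constructed Feistel toy over HMAC-SHA256 so that the example runs on the Python standard library alone; the keys, IV and sample message are constructed constants, and the function names are this example's own.

```python
# Added example, not code from any paper listed on this page.  The block cipher is a
# constructed Feistel toy over HMAC-SHA256 standing in for AES; keys, IV and message are
# fixed constructed constants so the run is reproducible.  Use AES and fresh IVs in practice.
import hashlib, hmac

BLOCK, TAG_LEN = 16, 32
ENC_KEY, MAC_KEY = b"\x11" * 32, b"\x22" * 32      # constructed demo keys
IV = bytes(range(BLOCK))                            # constructed, fixed for the demo
MSG = b"password=hunter2;card=4111111111111111"   # constructed sample payload

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _mac(key, data): return hmac.new(key, data, hashlib.sha256).digest()

def block_encrypt(key, blk):            # toy PRP: 4 Feistel rounds, F_i(x) = HMAC(key||i, x)[:8]
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _mac(key + bytes([i]), r)[:8])
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _mac(key + bytes([i]), l)[:8]), l
    return l + r

def pad(msg):                           # PKCS#7: n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n
def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def ate_seal(ek, mk, iv, msg):          # authenticate-then-encrypt (the SSL order): CBC(pad(msg || HMAC(msg)))
    return cbc_encrypt(ek, iv, pad(msg + _mac(mk, msg)))
def ate_open(ek, mk, iv, ct):           # returns (status, msg); telling "bad padding" from "bad mac" is the oracle
    try:
        data = unpad(cbc_decrypt(ek, iv, ct))
    except ValueError:
        return "bad padding", None
    msg, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if len(data) < TAG_LEN or not hmac.compare_digest(tag, _mac(mk, msg)):
        return "bad mac", None
    return "ok", msg

def etm_seal(ek, mk, iv, msg):          # encrypt-then-authenticate: the tag covers IV and ciphertext
    ct = cbc_encrypt(ek, iv, pad(msg))
    return ct + _mac(mk, iv + ct)
def etm_open(ek, mk, iv, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mk, iv + ct)):
        return "bad mac", None          # every forgery stops here; padding is never examined
    return "ok", unpad(cbc_decrypt(ek, iv, ct))

def padding_oracle_attack(oracle, iv, ct):
    """Recover pad(plaintext); oracle(prev, cur) is True iff D_k(cur) xor prev has valid padding."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                     # D_k(cur), learned from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padv          # pin the bytes already known to the value padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:                 # edge case: 0x02 0x02 (etc.) also validates here;
                    probe = bytearray(forged)        # flipping byte 14 breaks any padding longer than one
                    probe[pos - 1] ^= 1
                    if not oracle(bytes(probe), cur):
                        continue
                inter[pos] = guess ^ padv
                break
        recovered += _xor(inter, prev)
    return recovered

def run_demo():
    ct = ate_seal(ENC_KEY, MAC_KEY, IV, MSG)
    oracle = lambda prev, cur: ate_open(ENC_KEY, MAC_KEY, prev, cur)[0] != "bad padding"
    recovered = unpad(padding_oracle_attack(oracle, IV, ct))[:-TAG_LEN]   # the attacker never held a key
    blob = etm_seal(ENC_KEY, MAC_KEY, IV, MSG)
    statuses = set()
    for b in range(256):                             # the same byte tampering against EtM
        if b != blob[-TAG_LEN - 1]:
            t = bytearray(blob); t[-TAG_LEN - 1] = b
            statuses.add(etm_open(ENC_KEY, MAC_KEY, IV, bytes(t))[0])
    return {"plaintext": MSG, "recovered_from_ate": recovered, "etm_statuses": statuses}
```

`run_demo()` returns the recovered plaintext, equal to `MSG`, after roughly 128 oracle queries per byte and without the attacker ever holding a key, alongside the single status `{"bad mac"}` that the encrypt-then-MAC receiver gives for all 255 tampered ciphertexts. Unifying the two error strings in `ate_open` is not enough in practice: the MAC is only computed on the padding-valid path, so the two failures still differ in timing. Checking the tag first, over the whole ciphertext and with `hmac.compare_digest`, removes the oracle rather than hiding it.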