Results 1  10
of
88
Keying hash functions for message authentication
, 1996
"... The use of cryptographic hash functions like MD5 or SHA for message authentication has become a standard approach inmanyInternet applications and protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new cons ..."
Abstract

Cited by 476 (38 self)
 Add to MetaCart
The use of cryptographic hash functions like MD5 or SHA for message authentication has become a standard approach inmanyInternet applications and protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitativeway, that the schemes retain almost all the security of the underlying hash function. In addition our schemes are e cient and practical. Their performance is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.
SinglePacket IP Traceback
, 2002
"... The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, widespread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques h ..."
Abstract

Cited by 152 (4 self)
 Add to MetaCart
The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packet's origin, widespread packet forwarding techniques such as NAT and encapsulation may obscure the packet's true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion. We present a hashbased technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, spaceefficient (requiring approximately 0.5% of the link capacity per unit time in storage) , and implementable in current or nextgeneration routing hardware. We present both analytic and simulation results showing the system's effectiveness.
The order of encryption and authentication for protecting communications (or: how Secure is SSL?)
, 2001
"... We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chose ..."
Abstract

Cited by 123 (5 self)
 Add to MetaCart
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encryptthenauthenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticatethenencrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticatethenencrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encryptandauthenticate method used in SSH. On the positive side we show that the authenticatethenencrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
UMAC: Fast and Secure Message Authentication
, 1999
"... Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMACSHA1), and about twice as fast as times previously reported for the universal hashfunction f ..."
Abstract

Cited by 111 (14 self)
 Add to MetaCart
Abstract. We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMACSHA1), and about twice as fast as times previously reported for the universal hashfunction family MMH. To achieve such speeds, UMAC uses a new universal hashfunction family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic ” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMACauthenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have everfaster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for nextgeneration message authentication. 1
Parallelizable Encryption Mode with Almost Free Message Integrity
, 2000
"... this documentwe propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a ..."
Abstract

Cited by 106 (3 self)
 Add to MetaCart
this documentwe propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below. The new mode is also highly parallelizable. In fact, it has critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board (housing 1000 block cipher units) achieves terabits/sec (10 12 bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode. The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality,themode achieves the same provable security bound as CBC. For authentication, the mode achieves the same provable security bound as CBCMAC. The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening (as well an output whitening) with a pairwise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (Note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity. The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwi...
HAIL: A HighAvailability and Integrity Layer for Cloud Storage
, 2009
"... We introduce HAIL (HighAvailability and Integrity Layer), a distributed cryptographic system that permits a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distribute ..."
Abstract

Cited by 79 (1 self)
 Add to MetaCart
We introduce HAIL (HighAvailability and Integrity Layer), a distributed cryptographic system that permits a set of servers to prove to a client that a stored file is intact and retrievable. HAIL strengthens, formally unifies, and streamlines distinct approaches from the cryptographic and distributedsystems communities. Proofs in HAIL are efficiently computable by servers and highly compact— typically tens or hundreds of bytes, irrespective of file size. HAIL cryptographically verifies and reactively reallocates file shares. It is robust against an active, mobile adversary, i.e., one that may progressively corrupt the full set of servers. We propose a strong, formal adversarial model for HAIL, and rigorous analysis and parameter choices. We show how HAIL improves on the security and efficiency of existing tools, like Proofs of Retrievability (PORs) deployed on individual servers. We also report on a prototype implementation. 1
MDxMAC and Building Fast MACs from Hash Functions
 In Crypto 95
, 1995
"... . We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing ..."
Abstract

Cited by 78 (6 self)
 Add to MetaCart
. We consider the security of message authentication code (MAC) algorithms, and the construction of MACs from fast hash functions. A new forgery attack applicable to all iterated MAC algorithms is described, the first known such attack requiring fewer operations than exhaustive key search. Existing methods for constructing MACs from hash functions, including the secret prefix, secret suffix, and envelope methods, are shown to be unsatisfactory. Motivated by the absence of a secure, fast MAC algorithm not based on encryption, a new generic construction (MDxMAC) is proposed for transforming any secure hash function of the MD4family into a secure MAC of equal or smaller bitlength and comparable speed. 1 Introduction Hash functions play a fundamental role in modern cryptography. One main application is their use in conjunction with digital signature schemes; another is in conventional techniques for message authentication. In the latter, it is preferable that a hash function take as a d...
On Fast and Provably Secure Message Authentication Based on Universal Hashing
 In Advances in Cryptology – CRYPTO ’96
, 1996
"... There are wellknown techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analy ..."
Abstract

Cited by 67 (0 self)
 Add to MetaCart
There are wellknown techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analyzes the basic construction and some variants under more realistic and practical assumptions. Second, it shows how these schemes can be efficiently implemented, and it reports on the results of empirical performance tests that demonstrate that these schemes are competitive with other commonly employed schemes whose security is less wellestablished. 1 Introduction Message Authentication. Message authentication schemes are an important security tool. As more and more data is being transmitted over networks, the need for secure, highspeed, softwarebased message authentication is becoming more acute. The setting for message authentication is the following. Two parties A and B agree on a secre...
Using Hash Functions as a Hedge against Chosen Ciphertext Attack
, 2000
"... The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to bas ..."
Abstract

Cited by 67 (7 self)
 Add to MetaCart
The cryptosystem recently proposed by Cramer and Shoup [5] is a practical public key cryptosystem that is secure against adaptive chosen ciphertext attack provided the Decisional DiffieHellman assumption is true. Although this is a reasonable intractability assumption, it would be preferable to base a security proof on a weaker assumption, such as the Computational DiffieHellman assumption. Indeed, this cryptosystem in its most basic form is in fact insecure if the Decisional DiffieHellman assumption is false. In this paper we present a practical hybrid scheme that is just as efficient as the scheme of of Cramer and Shoup; we prove that the scheme is secure if the Decisional DiffieHellman assumption is true; we give strong evidence that the scheme is secure if the weaker, Computational DiffieHellman assumption is true by providing a proof of security in the random oracle model.
A BlockCipher Mode of Operation for Parallelizable Message Authentication
 Advances in Cryptology  EUROCRYPT 2002. Lecture Notes in Computer Science
, 2002
"... We define and analyze a simple and fully parallelizable blockcipher mode of operation for message authentication. Parallelizability does not come at the expense of serial e#ciency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CB ..."
Abstract

Cited by 58 (7 self)
 Add to MetaCart
We define and analyze a simple and fully parallelizable blockcipher mode of operation for message authentication. Parallelizability does not come at the expense of serial e#ciency: in a conventional, serial environment, the algorithm's speed is within a few percent of the (inherently sequential) CBC MAC. The new mode, PMAC, is deterministic, resembles a standard mode of operation (and not a CarterWegman MAC), works for strings of any bit length, employs a single blockcipher key, and uses just max{1, #M /n#} blockcipher calls to MAC a string M # {0, 1} # using an nbit block cipher. We prove PMAC secure, quantifying an adversary's forgery probability in terms of the quality of the block cipher as a pseudorandom permutation. Key words: blockcipher modes, message authentication codes, modes of operation, provable security. 1