Results 1 
8 of
8
A Challenging But Feasible BlockwiseAdaptive ChosenPlaintext Attack on SSL
 SECRYPT 2006, PROCEEDINGS OF THE INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY, SET'UBAL
, 2006
"... This paper introduces a chosenplaintext vulnerability in the Secure Sockets Layer (SSL) and Trasport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 21000 options. SSL and TLS are widely used for securing communication ove ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
This paper introduces a chosenplaintext vulnerability in the Secure Sockets Layer (SSL) and Trasport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 21000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediatelypreceding message, and is therefore known to the adversary. The one
PlaintextDependent Decryption: A Formal Security Treatment of SSHCTR.”In
, 2010
"... Abstract. This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of realworld attackers, as well as securityrelevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions o ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a formal security analysis of SSH in counter mode in a security model that accurately captures the capabilities of realworld attackers, as well as securityrelevant features of the SSH specifications and the OpenSSH implementation of SSH. Under reasonable assumptions on the block cipher and MAC algorithms used to construct the SSH Binary Packet Protocol (BPP), we are able to show that the SSH BPP meets a strong and appropriate notion of security: indistinguishability under buffered, stateful chosenciphertext attacks. This result helps to bridge the gap between the existing security analysis of the SSH BPP by Bellare et al. and the recently discovered attacks against the SSH BPP by Albrecht et al. which partially invalidate that analysis.
Blockwise Adversarial Model for Online Ciphers and Symmetric Encryption Schemes
 In Selected Areas in Cryptography ’04, LNCS
, 2004
"... Abstract. This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow to encrypt messages even if the whole message is not known at the beginning of the encrypt ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Abstract. This paper formalizes the security adversarial games for online symmetric cryptosystems in a unified framework for deterministic and probabilistic encryption schemes. Online encryption schemes allow to encrypt messages even if the whole message is not known at the beginning of the encryption. The new introduced adversaries better capture the online properties than classical ones. Indeed, in the new model, the adversaries are allowed to send messages blockbyblock to the encryption machine and receive the corresponding ciphertext blocks onthefly. This kind of attacker is called blockwise adversary and is stronger than standard one which treats messages as atomic objects. In this paper, we compare the two adversarial models for online encryption schemes. For probabilistic encryption schemes, we show that security is not preserved contrary to for deterministic schemes. We prove in appendix of the full version that in this last case, the two models are polynomially equivalent in the number of encrypted blocks. Moreover in the blockwise model, a polynomial number of concurrent accesses to encryption oracles have to be taken into account. This leads to the strongest security notion in this setting. Furthermore, we show that this notion is valid by exhibiting a scheme secure under this security notion. 1
Online Ciphers from Tweakable Blockciphers
"... Abstract. Online ciphers are deterministic lengthpreserving permutations EK: ({0, 1} n) + → ({0, 1} n) + where the ith block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Online ciphers are deterministic lengthpreserving permutations EK: ({0, 1} n) + → ({0, 1} n) + where the ith block of ciphertext depends only on the first i blocks of plaintext. Definitions, constructions, and applications for these objects were first given by Bellare, Boldyreva, Knudsen, and Namprempre. We simplify and generalize their work, showing that online ciphers are rather trivially constructed from tweakable blockciphers, a notion of Liskov, Rivest, and Wagner. We go on to show how to define and achieve online ciphers for settings in which messages need not be a multiple of n bits. Key words: Online ciphers, modes of operation, provable security, symmetric encryption, tweakable blockciphers. 1
The Security of Ciphertext Stealing
"... Abstract. We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly c ..."
Abstract

Cited by 3 (3 self)
 Add to MetaCart
Abstract. We prove the security of CBC encryption with ciphertext stealing. Our results cover all versions of ciphertext stealing recently recommended by NIST. The complexity assumption is that the underlying blockcipher is a good PRP, and the security notion achieved is the strongest one commonly considered for chosenplaintext attacks, indistinguishability from random bits (ind$security). We go on to generalize these results to show that, when intermediate outputs are slightly delayed, one achieves ind$security in the sense of an online encryption scheme, a notion we formalize that focuses on what is delivered across an online API, generalizing prior notions of blockwiseadaptive attacks. Finally, we pair our positive results with the observation that the version of ciphertext stealing described in Meyer and Matyas’s wellknown book (1982) is not secure.
Online authenticatedencryption and its noncereuse misuseresistance
 CRYPTO 2015, part I, LNCS. 9215, Springer
, 2015
"... Abstract. A definition of online authenticatedencryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
Abstract. A definition of online authenticatedencryption (OAE), call it OAE1, was given by Fleischmann, Forler, and Lucks (2012). It has become a popular definitional target because, despite allowing encryption to be online, security is supposed to be maintained even if nonces get reused. We argue that this expectation is effectively wrong. OAE1 security has also been claimed to capture bestpossible security for any onlineAE scheme. We claim that this understanding is wrong, too. So motivated, we redefine OAEsecurity, providing a radically different formulation, OAE2. The new notion effectively does capture bestpossible security for a user’s choice of plaintext segmentation and ciphertext expansion. It is achievable by simple techniques from standard tools. Yet even for OAE2, noncereuse can still be devastating. The picture to emerge is that no OAE definition can meaningfully tolerate noncereuse, but, at the same time, OAE security ought never have been understood to turn on this question.
Authenticated Streamwise Online Encryption ∗
, 2009
"... In Blockwise Online Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fix ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
In Blockwise Online Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise Online Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixedsized blocks), and thus significantly reduces message expansion and endtoend latency. Also, ASOE provides data authenticity as an option. ASOE can therefore be used to efficiently secure resourceconstrained communications with realtime requirements such as those in the electric power grid and wireless sensor networks. We investigate and formalize ASOE’s strongest achievable notion of security, and present a construction that is secure under that notion. An instantiation of our construction incurs zero endtoend latency due to buffering and only 48 bytes of message expansion, regardless of the
On the Impossibility of Strong Encryption over ...
"... We give two impossibility results regarding strong encryption over an infinite enumerable domain. The first one relates to statistically secure onetime encryption. The second one relates to computationally secure encryption resisting adaptive chosen ciphertext attacks in streaming mode with bounded ..."
Abstract
 Add to MetaCart
(Show Context)
We give two impossibility results regarding strong encryption over an infinite enumerable domain. The first one relates to statistically secure onetime encryption. The second one relates to computationally secure encryption resisting adaptive chosen ciphertext attacks in streaming mode with bounded resources: memory, time delay or output length. Curiously, both impossibility results can be achieved with either finite or continuous domains. The latter result explains why known CCAsecure cryptosystem constructions require at least two passes to decrypt a message with bounded resources.