Wireless information-theoretic security, part I: Theoretical aspects
IEEE Trans. on Information Theory, 2006
Cited by 162 (12 self)
In this two-part paper, we consider the transmission of confidential data over wireless wiretap channels. The first part presents an information-theoretic problem formulation in which two legitimate partners communicate over a quasi-static fading channel and an eavesdropper observes their transmissions through another independent quasi-static fading channel. We define the secrecy capacity in terms of outage probability and provide a complete characterization of the maximum transmission rate at which the eavesdropper is unable to decode any information. In sharp contrast with known results for Gaussian wiretap channels (without feedback), our contribution shows that in the presence of fading information-theoretic security is achievable even when the eavesdropper has a better average signal-to-noise ratio (SNR) than the legitimate receiver — fading thus turns out to be a friend and not a foe. The issue of imperfect channel state information is also addressed. Practical schemes for wireless information-theoretic security are presented in Part II, which in some cases comes close to the secrecy capacity limits given in this paper.
New proofs for NMAC and HMAC: Security without collision-resistance
2006
Cited by 117 (9 self)
HMAC was proved in [3] to be a PRF assuming that (1) the underlying compression function is a PRF, and (2) the iterated hash function is weakly collision-resistant. However, recent attacks show that assumption (2) is false for MD5 and SHA-1, removing the proof-based support for HMAC in these cases. This paper proves that HMAC is a PRF under the sole assumption that the compression function is a PRF. This recovers a proof-based guarantee since no known attacks compromise the pseudorandomness of the compression function, and it also helps explain the resistance to attack that HMAC has shown even when implemented with hash functions whose (weak) collision resistance is compromised. We also show that an even weaker-than-PRF condition on the compression function, namely that it is a privacy-preserving MAC, suffices to establish HMAC is a secure MAC as long as the hash function meets the very weak requirement of being computationally almost universal, where again the value lies in the fact that known
Efficient Mutual Data Authentication Using Manually Authenticated Strings. Cryptology ePrint Archive, Report 2005/424
2005
Cited by 84 (7 self)
Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we focus also on implementation details and propose practically secure and efficient sub-primitives for applications.
Robust fuzzy extractors and authenticated key agreement from close secrets.
Advances in Cryptology—CRYPTO 2006, 2006
Cited by 68 (19 self)
Consider two parties holding samples from correlated distributions W and W′, respectively, that are within distance t of each other in some metric space. These parties wish to agree on a uniformly distributed secret key R by sending a single message over an insecure channel controlled by an all-powerful adversary. We consider both the keyless case, where the parties share no additional secret information, and the keyed case, where the parties share a long-term secret SK that they can use to generate a sequence of session keys {R_j} using multiple pairs {(W_j, W′_j)}. The former has applications to, e.g., biometric authentication, while the latter arises in, e.g., the bounded storage model with errors. Our results improve upon previous work in several respects:
• The best previous solution for the keyless case with no errors (i.e., t = 0) requires the min-entropy of W to exceed 2n/3, where n is the bit-length of W. Our solution applies whenever the min-entropy of W exceeds the minimal possible threshold n/2, and yields a longer key.
• Previous solutions for the keyless case in the presence of errors (i.e., t > 0) required random oracles. We give the first constructions (for certain metrics) in the standard model.
• Previous solutions for the keyed case were stateful. We give the first stateless solution.
CRYPTOGRAPHIC HASH FUNCTIONS
1993
Cited by 57 (4 self)
Hash functions were introduced in cryptology in the late seventies as a tool to protect the authenticity of information. Soon it became clear that they were a very useful building block to solve other security problems in telecommunication and computer networks. This paper sketches the history of the concept, discusses the applications of hash functions, and presents the approaches which have been followed to construct hash functions. In addition, it tries to provide the information which is necessary to choose a practical hash function. An overview of practical constructions and their performance is given and some attacks are discussed. Special attention is paid to standards dealing with hash functions.
Randomness extraction and key derivation using the CBC, cascade and HMAC modes
 In Franklin [14
Cited by 49 (5 self)
We study the suitability of common pseudorandomness modes associated with cryptographic hash functions and block ciphers (CBC-MAC, Cascade and HMAC) for the task of “randomness extraction”, namely, the derivation of keying material from semi-secret and/or semi-random sources. Important applications for such extractors include the derivation of strong cryptographic keys from non-uniform sources of randomness (for example, to extract a seed for a pseudorandom generator from a weak source of physical or digital noise), and the derivation of pseudorandom keys from a Diffie-Hellman value. Extractors are closely related in their applications to pseudorandom functions and thus it is attractive to (re)use the common pseudorandom modes as randomness extractors. Yet, the crucial difference between pseudorandom generation and randomness extraction is that the former uses random secret keys while the latter uses random but known keys. We show that under a variety of assumptions on the underlying primitives (block ciphers and compression functions), ranging from ideal randomness assumptions to realistic universal-hashing properties, these modes induce good extractors. Hence, these schemes represent a more practical alternative to combinatorial extractors (that are seldom used in practice), and a better-analyzed alternative to the common practice of using SHA-1 or MD5 (as a single unkeyed function) for randomness extraction. In particular, our results serve to validate the method of key extraction and key derivation from Diffie-Hellman values used in the IKE (IPsec’s Key Exchange) protocol.
CBC MAC for Real-Time Data Sources
Journal of Cryptology, 1997
Cited by 47 (0 self)
The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice. It is well known that the naive use of CBC MAC for variable length messages is not secure, and a few rules of thumb for the correct use of CBC MAC are known by folklore. The first rigorous proof of the security of CBC MAC, when used on fixed length messages, was given only recently by Bellare, Kilian and Rogaway [3]. They also suggested variants of CBC MAC that handle variable length messages but in these variants the length of the message has to be known in advance (i.e., before the message is processed). We study CBC authentication of real-time applications in which the length of the message is not known until the message ends, and furthermore, since the application is real-time, it is not possible to start processing the authentication only after the message ends. We first present a variant of CBC MAC, called double MAC (DMAC) which handles messages of variable unknown lengths. Computing DMAC on a message is virtually as simple and as efficient as computing the standard CBC MAC on the message. We provide a rigorous proof that its security is implied by the security of the underlying block cipher. Next, we argue that the basic CBC MAC is secure when applied to prefix free message space. A message space can be made prefix free by authenticating also the (usually hidden) last character which marks the end of the message.
Path-quality monitoring in the presence of adversaries
In ACM SIGMETRICS, 2008
Cited by 35 (9 self)
Edge networks connected to the Internet need effective monitoring techniques to drive routing decisions and detect violations of Service Level Agreements (SLAs). However, existing measurement tools, like ping, traceroute, and trajectory sampling, are vulnerable to attacks that make a path look better than it really is. In this paper, we design and analyze path-quality monitoring protocols that robustly raise an alarm when packet-loss rate and delay exceed a threshold, even when an adversary tries to bias monitoring results by selectively delaying, dropping, modifying, injecting, or preferentially treating packets. Despite the strong threat model we consider in this paper, our protocols are efficient enough to run at line rate on high-speed routers. We present a secure sketching protocol for identifying when packet loss and delay degrade beyond a threshold. This protocol is extremely lightweight, requiring only 250–600 bytes of storage and periodic transmission of a comparably sized IP packet. We also present secure sampling protocols that provide faster feedback and more accurate round-trip delay estimates, at the expense of somewhat higher storage and communication costs. We prove that all our protocols satisfy a precise definition of secure path-quality monitoring and derive analytic expressions for the trade-off between statistical accuracy and system overhead. We also compare how our protocols perform in the client-server setting, when paths are asymmetric, and when packet marking is not permitted.
On the (Non)Universality of the One-Time Pad
In Proc. 43rd FOCS, 2002
Cited by 34 (14 self)
Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. As a common abstraction, it is assumed that there is a source of truly random bits available to all the participants of the system. While convenient, this assumption is often highly unrealistic, and cryptographic systems have to be built based on imperfect sources of randomness. Remarkably, this fundamental problem has received little or no attention so far, despite the fact that a related question of simulating probabilistic (BPP) algorithms with imperfect random sources has a long and rich history.
Unconditional authenticity and privacy from an arbitrarily weak secret
In Proc. CRYPTO’03, 2003
Cited by 33 (2 self)
Unconditional cryptographic security cannot be generated simply from scratch, but must be based on some given primitive to start with (such as, most typically, a private key). Whether or not this implies that such a high level of security is necessarily impractical depends on how weak these basic primitives can be, and how realistic it is therefore to realize or find them in—classical or quantum—reality. A natural way of minimizing the required resources for information-theoretic security is to reduce the length of the private key. In this paper, we focus on the level of its secrecy instead and show that even if the communication channel is completely insecure, a shared string of which an arbitrarily large fraction is known to the adversary can be used for achieving fundamental cryptographic goals such as message authentication and encryption. More precisely, we give protocols—using such a weakly secret key—allowing for both the exchange of authenticated messages and the extraction of the key’s entire amount of privacy into a shorter virtually secret key. Our schemes, which are highly interactive, show the power of two-way communication in this context: Under the given conditions, the same objectives cannot be achieved by one-way communication only.
Keywords: information-theoretic security, authentication, privacy amplification, extractors, quantum key agreement.