S. Bengio, G. Brassard, Y.G. Desmedt, C. Cloutier, and J.-J. Quisquater, "Secure implementation of identification system", J. Cryptology 4 (3), 1991, pp. 175-183.
....described in Section 4. Since our protocols are public key based, the signature scheme can be easily implemented using ElGamal signatures [12] for example. Note that the solution above works assuming that C is not able to falsify Z's signature. A possible attack to this assumption occurs in [4]. Here, the authors present a so-called Middleperson Attack. Suppose we have Protocol 1, consisting of users A, B and C and Protocol 2 consisting of users B, C and Z. The attack involves C sitting in the middle of the two simultaneous protocols. C would impersonate Z in Protocol 1 and impersonate ....
....attack above, C would be unable to compute the key on his own as he is really only acting as a wire between the two protocols, and passing along messages. Once again, he would require a collusion with B to obtain K (for the attack to be of any real use). The solution presented to the attack in [4] was a hardware one rather than a cryptographic one. Also note that the property of key authentication was never really violated since that principal attacker C was never able to compute the key on his own. Depending upon the application, the practicality of such attacks must be individually ....
S. Bengio, G. Brassard, Y. Desmedt, C. Goutier, J. Quisquater, "Secure Implementation of Identification Systems", Journal of Cryptology, Vol. 4, 1991, pp. 175-183.
....described in Section 4. Since our protocols are public key based, the signature scheme can be easily implemented using ElGamal signatures [8] for example. Note that the solution above works assuming that C is not able to falsify Z's signature. A possible attack to this assumption occurs in [3]. Here, the authors present a so-called Middleperson Attack. Suppose we have Protocol 1, consisting of users A, B and C and Protocol 2 consisting of users B, C and Z. The attack involves C sitting in the middle of the two simultaneous protocols. C would impersonate Z in Protocol 1 and impersonate ....
....attack above, C would be unable to compute the key on his own as he is really only acting as a wire between the two protocols, and passing along messages. Once again, he would require a collusion with B to obtain K (for the attack to be of any real use). The solution presented to the attack in [3] was a hardware one rather than a cryptographic one. Also note that the property of key authentication was never really violated since that principal attacker C was never able to compute the key on his own. Depending upon the application, the practicality of such attacks must be individually ....
S. Bengio, G. Brassard, Y. Desmedt, C. Goutier, J. Quisquater, "Secure Implementation of Identification Systems", Journal of Cryptology, Vol. 4, 1991, pp. 175-183.
....no errors in the remaining uncompared data, and that little or none of it is known to any eavesdropper. The assumption that the public messages cannot be corrupted by Eve is necessary, because otherwise it is clear that Eve could sit between Alice and Bob and impersonate each of them to the other [1]. As a result, Eve would end up with a string shared with Alice and another one shared with Bob, whereas Alice and Bob would be none the wiser. This crucial property of the public channel can be implemented in practice either by using an inherently unjammable public channel or by using an ....
Bengio, S., G. Brassard, Y. Desmedt, C. Goutier and J.-J. Quisquater, "Secure implementation of identification systems", Journal of Cryptology, Vol. 4, no. 3, 1991.
....a prover and the Diffie-Hellman scheme is applied to user j when he is acting as a prover. It is of great importance to take proper precautions for preventing the middleperson attack or the divertibility which is known as a major problem in most schemes based on zero knowledge technique [DGB][OO2][BBDGQ]. In this point of view it is essential in the above protocol that user j's random challenge in step ii) should be dependent not only on the number he chooses randomly by himself but also on the number user i transmitted in step i). The number $D_i$ computed by $D_i = h(K_{ij}; R_j)$ plays both the ....
S.Bengio, G.Brassard, T.G.Desmedt, C.Goutier and J.J.Quisquater, "Secure implementation of identification systems," J. Cryptology, 4, 3, 1991, pp.175-183.
....that it would be absurd for a prover known for her unbounded computing power to convince a verifier that she knows those factors: of course she knows them since she can compute them whenever she wishes. These proofs of knowledge play a crucial role in modern identification schemes [FFS] (but read [BBDGQ]). You may wonder at this point why we call them proofs of knowledge rather than arguments of knowledge even though the prover's computing power is limited. For one thing, this terminology is well established. More importantly, they are GMR proofs since no assumptions are needed for the ....
Bengio, S., Brassard, G., Desmedt, Y., Goutier, C. and Quisquater, J.-J., "Secure implementation of identification systems", in preparation.
No context found.
S. Bengio, G. Brassard, Y.G. Desmedt, C. Cloutier, and J.-J. Quisquater, "Secure implementation of identification system", J. Cryptology 4 (3), 1991, pp. 175-183.
No context found.
S. Bengio, G. Brassard, Y. G. Desmedt, C. Goutier, and J.-J. Quisquater. Secure implementation of identification systems. Journal of Cryptology, 4(3):175-183, 1991.