J.H. Moore, "Protocol failures in cryptosystems", Proc. of the IEEE 76 No.5 (May 1988), 594-602.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....must suspect everything. The use of strong cryptoalgorithms is not su#cient to guarantee the security of a protocol. In some situations, a protocol may be completely subverted without compromising the security of the underpinning cryptoalgorithm. Such situations are called protocol failures [11]. Protocols are for example designed in order to establish a session key, to authenticate a transaction, to sign a document, etc. This is usually achieved by exchanging some messages between two or several people. In the sequel, we will show a failure on the most widely used public key ....

J. H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992.

....information. Their attack, the so1 called cycling attack, relies on the cycle detection of the ciphertext. This was later generalized by Williams and Schmid [31] see also [7, 1] There are basically two ways to compromise the security of cryptosystems. The rst one is to nd protocol failures [20] and the other one is to directly attack the underpinning crypto algorithm. The cycling attack and its generalizations fall into the second category. So, it is important to carefully analyze the signi cance of this attack. For RSA, Rivest and Silverman [25] see also [16] concluded that the ....

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541-558. IEEE Press, 1992.

....(see, for example, 6, 12] In many cases, the attacks do not presuppose any weakness in the cryptosystem being used, and would be just as harmful with an ideal cryptosystem. In other cases, characteristics of the cryptosystem and characteristics of the protocol combine to cause protocol failure [19, 5, 21]. Analyzing security protocols consists mainly of two complementary activities. The rst is to nd aws in those protocols that are not correct, and the second is to establish convincingly the correctness of those that are. These activities are interrelated, because the discovery of a aw may ....

Judy H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5), May 1988.

....attacks enable the recovery of plaintext messages from their ciphertexts and a known polynomial relationship among the messages, provided that the ciphertexts were created using the same RSA public key with low encrypting exponent. Our attacks di er from the low exponent attacks described by Moore [6] and Hastad [5] and the common modulus attack identi ed by Simmons [10] which pertain only to ciphertexts encrypted under di erent public keys. Given encryptions of k messages under the same RSA public key with exponent e, together with knowledge of a polynomial relation of degree among the ....

J. H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE 76(5), May 1988.

.... MAFT architecture for aircraft flight control [15] Sophisticated cryptographic and other attacks are a given in the first class of applications, so our concern about the security of authentication needs no further justification here (the literature is replete with broken cryptographic protocols [1, 21]) Intelligent malicious attack is not considered a serious possibility in embedded systems, and the argument in these cases is a little different. Byzantineresilient architectures are attractive in these contexts because they simplify the case for assurance and certification: instead of a ....

Judy H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5):594--602, May 1988.

....contents of another principal s address space are, which further weakens our reasoning ability. The significance of the problem of dynamic evaluation of cryptographic protocols is emphasized in research into the nature of attacks on cryptographic protocols such as in [AN94] BIRD92] BIRD93] [MOORE88], SYV93a] SYV93b] By detailing the simple attack given above and other various attacks, these works highlight the variety and subtle nature of active attacks. Bird, Gopal, et al. and Abadi and Needham extend this research to offer guidelines for creating protocols which are not vulnerable to ....

Judy H. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, May 1988 Bibliography 190

....Failures do not usually occur from the complete break of an algorithm but are more often the result of a poor implementation, i.e. a poor protocol design. The literature is filled with examples of protocols designed using strong cryptographic primitives yet susceptible to the simplest of attacks [Moor88, AnNe95]. The use of a notary is currently receiving a great amount of attention for its application to digital communications. Timestamping is the simplest form of a notary, essentially involving only an authentic appendage of time to a document. 1 Just as with other protocols, a timestamping protocol ....

J. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, pp. 594-601, May 1988.

....occur from the complete break of an underlying algorithm but are more often the result of poorly implementing the algorithms, i.e. a poor protocol design. The literature is filled with examples of protocols designed using strong cryptographic primitives yet susceptible to the simplest of attacks [12, 4]. The use of a notary is currently receiving a great deal of attention for its application to digital communications, e.g. 2, 3] Timestamping is the simplest form of a notary, E mail: just scs.carleton.ca. Partially supported by a NSERC grant. Part of this research was completed while visiting ....

J. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, pp. 594-601, May 1988.

....or authentication requirements. A specific implementation may satisfy all properties required by the algorithm and the protocol specification, but exhibit additional properties that compromise the confidentiality or authentication requirements. In that case cryptosystem related flaws [24] [25] [1] are said to occur. Often a poor implementation of a given cryptosystem is all that is needed in order to compromise it. 25] details a number of protocols based either on public key algorithms (e.g. the low entropy protocol) or on secret key algorithms (e.g. the single key protocol) that ....

....specification, but exhibit additional properties that compromise the confidentiality or authentication requirements. In that case cryptosystem related flaws [24] 25] 1] are said to occur. Often a poor implementation of a given cryptosystem is all that is needed in order to compromise it. [25] details a number of protocols based either on public key algorithms (e.g. the low entropy protocol) or on secret key algorithms (e.g. the single key protocol) that exhibit such flaws. 3 FORMAL CRYPTOGRAPHIC PROTOCOL ANALYSIS AND DOCUMENTATION METHODS 3.1 Introduction In the last decade a ....

Moore J. Protocol Failures in Cryptosystems. In: Proceedings of the IEEE. IEEE Computer Society Press, 1988, Vol. 76, No. 5, pp. 594-602

....must suspect everything. The use of strong cryptoalgorithms is not sufficient to guarantee the security of a protocol. In some situations, a protocol may be completely subverted without compromising the security of the underpinning cryptoalgorithm. Such situations are called protocol failures [11]. Protocols are for example designed in order to establish a session key, to authenticate a transaction, to sign a document, etc. This is usually achieved by exchanging some messages between two or several people. In the sequel, we will show a failure on the most widely used public key ....

J. H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992.

....to be made to identify when conflicting beliefs actually occur. Section III. Attacks on protocols While Nessett showed that obviously flawed protocols can pass BAN Logic protocol evaluation, others have identified types of active attacks by intruders that protocols may be vulnerable to [BIRD92] [MOORE88], SYV93a] SYV93b] In [BIRD92] the authors extend this evaluation to suggest guidelines for developing protocols that can reduce vulnerability of protocols to certain types of attacks. One of the key points they make is that different fields in each message should be cryp 1 This was pointed ....

Judy H. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, May 1988

.... to prove (Simmons (1994) Numerous cryptographic protocols have been published and later found to contain security flaws, see, e.g. Needham and Schroeder (1978) Denning and Sacco (1981) Needham and Schroeder (1987) Tatebayashi, Matsuzaki and Newman (1989) Simmons (1985) Meadows (1991) Moore (1988), Burrows, Abadi and Needham (1990) These often subtle failures do not require eroding the integrity of the underlying cryptoalgorithm and hence are weaknesses of the protocols. They clearly demonstrate the need for formal methods to verify cryptographic properties of protocols, such as the ....

Moore, J. (1988), Protocol failures in cryptosystems, Proceedings of the IEEE, 76(5):594-- 602.

....Universitat Darmstadt November called cycling attack, relies on the cycle detection of the ciphertext. This was later generalized by Williams and Schmid [31] see also [7, 1] There are basically two ways to compromise the security of cryptosystems. The first one is to find protocol failures [20] and the other one is to directly attack the underpinning crypto algorithm. The cycling attack and its generalizations fall into the second category. So, it is important to carefully analyze the significance of this attack. For RSA, Rivest and Silverman [25] see also [16] concluded that the ....

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992.

No context found.

J.H. Moore, "Protocol failures in cryptosystems", Proc. of the IEEE 76 No.5 (May 1988), 594-602.

No context found.

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992. Marc Joye, Jean-Jacques Quisquater, and Tsuyoshi Takagi

No context found.

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992. Marc Joye, Jean-Jacques Quisquater, and Tsuyoshi Takagi

No context found.

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992. Marc Joye, Jean-Jacques Quisquater, and Tsuyoshi Takagi

No context found.

J. H. Moore. Protocol failures in cryptosystems. Proceedings of the IEEE, 76(5):594--602, 1988.

No context found.

J.H. Moore. Protocol failures in cryptosystems. In G. Simmons, editor, Contemporary Cryptology, pages 541--558. IEEE Press, 1992.

No context found.

J. H. Moore, Protocol failures in cryptosystems, Contemporary Cryptology (G. Simmons, ed.), IEEE Press, 1992, pp. 541--558.

No context found.

J. Moore, #Protocol Failures in Cryptosystems", Proceedings of the IEEE,Vol. 76, No. 5, pp. 594-601, May 1988.

No context found.

Moore, J.H., "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Volume 76, Number 5, May 1988, pp. 594-602.

No context found.

Judy H. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, May 1988

No context found.

Judy H. Moore, "Protocol Failures in Cryptosystems", Proceedings of the IEEE, Vol. 76, No. 5, May 1988

No context found.

Judy H. Moore, "Protocol failures in cryptosystems", Proceedings of the IEEE, 76(5), pp. 594-602, May 1988.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC