S. Stubblebine and V. Gligor, On message integrity in cryptographic protocols, Proceedings of the 1992.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....of this) Thus, it appears to be well worth our while to take our analysis to a lower level of abstraction. Some work in this direction already exists. For example, work on the analysis of modes of encryption and chosen and known plaintext has been successful both in finding new problems [76] and reproducing known attacks [77] Work also exists on extending standard protocol analysis techniques to include Diffie Hellman, including belief logics [83] 79] and modelchecking techniques [47] 64] Another approach is to attempt to wed formal methods with the proofs of security provided ....

S. Stubblebine and V. Gligor. On message integrity in cryptographic protocols. In Proceedings of the 1992.

....develop inductive techniques to deal with this problem. Another, more longterm goal, is to extend this work to deal with confusion, not only about the content of messages, but the way in which they are encrypted or authenticated. As we see from the work of Bellovin [3] and Stubblebine and Gligor [13] such type confusion, in particular involving modes of encryption, can have serious effects on the security of a system. In an analogy to our experience with type confusion of GDOI, we were able to use the NRL Protocol Analyzer to reproduce some of Bellovin s attacks on the Encapsulating Security ....

S. Stubblebine and V. Gligor. On message integrity in cryptographic protocols. In IEEE Computer Society pages 85--104. IEEE Computer Society Press, 1992.

....C 0 =I (Initialisation bloc) and C i = C i 1 P i K . It can be noticed that they present the following interesting particularity: If C 0 C 1 C 2 . C i C i 1 . C n = P 1 P 2 . P i P i 1 . P n K Then C 0 C 1 C 2 . C i = P 1 P 2 . P i K This property can be exploited (see [Boy90] or [SG92] for other instances) to flaw the Needham Schroeder symmetric key authentication protocol [NS78] This protocol intends to permit Alice to establish a shared secret key K ab with Bob and to obtain mutual conviction of the possession of the key by each other. The key is provided by a trusted server ....

S. Stubblebine, V. Gligor. On Message Integrity in Cryptographic Protocols. In IEEE Symposium on research in Security and Privacy, pages 85-104, May 1992.

....Public review is also of great importance. If WEP had been examined by the cryptographic community before it was enacted into an international standard, many of the flaws would have been almost surely eliminated. For example, the dangers of using a CRC to ensure message integrity are well known [9, 21, 6]. While we applaud the fact that the standard is open, there are still barriers to public review. A security researcher is faced with a financial burden to even attempt to examine the standard the cost of the document is in the hundreds of dollars. This is the opposite of what should be a ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proc. IEEE Symposium on Research in Security and Privacy, pages 85--105, 1992.

....review is also of great importance. If WEP had been examined by the cryptographic community before it was enacted into an international standard, many of the flaws would have been almost surely eliminated. For example, the dangers of using a CRC to ensure message integrity are well known, see [15]. While we applaud the fact that the standard is open, there are still barriers to public review. A security researcher is faced with a financial burden to even attempt to examine the standard the cost of the document is in the hundreds of dollars. This is the opposite of what should be a ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proc. IEEE Symposium on Research in Security and Privacy, pages 85--105, 1992.

....can use information learned by observing the key being used for one function to carry out an attack on the other function using the same key. This commonly occurs when the same key is used for both confidentiality and integrity. An example of this situation has been described by Stubblebine [33]. The existence of this type of attack provides an additional motivation for distinguishing integrity and confidentiality keys: we need to avoid the possibility of this type of attack, so we need to take care never to use the same key with both sorts of mechanism. 9 Weak Integrity weakens ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proceedings of the IEEE Symposium on Research in Security and Privacy, May 1992.

....Public review is also of great importance. If WEP had been examined by the cryptographic community before it was enacted into an international standard, many of the flaws would have been almost surely eliminated. For example, the dangers of using a CRC to ensure message integrity are well known [9, 21, 6]. While we applaud the fact that the standard is open, there are still barriers to public review. A security researcher is faced with a financial burden to even attempt to examine the standard the cost of the document is in the hundreds of dollars. This is the opposite of what should be a ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proc. IEEE Symposium on Research in Security and Privacy, pages 85--105, 1992.

....chaining pass, both confidentiality and authentication are assured. Many such attempts have been made, which essentially use a simple checksum or manipulation detection code (MDC) in the chaining mode ( 9, 10, 13] Unfortunately, all such previous schemes are susceptible to attacks (see e.g. [14], Appendix B) In this paper, we present a new variant of CBC mode, which in a single pass achieves both confidentiality and authentication. To encrypt a message of length m blocks, it requires a total of (m log m) block encryptions. All other operations are simple operations, like ....

S.G. Stubblebine and V.D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992. 12 Appendix A Here, we prove the lower bound on the number of block encryptions required in a scheme as modeled

....Public review is also of great importance. If WEP had been examined by the cryptographic community before it was enacted into an international standard, many of the flaws would have been almost surely eliminated. For example, the dangers of using a CRC to ensure message integrity are well known [9, 21, 6]. While we applaud the fact that the standard is open, there are still barriers to public review. A security researcher is faced with a financial burden to even attempt to examine the standard the cost of the document is in the hundreds of dollars. This is the opposite of what should be a ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proc. IEEE Symposium on Research in Security and Privacy, pages 85--105, 1992.

....can use information learned by observing the key being used for one function to carry out an attack on the other function using the same key. This commonly occurs when the same key is used for both confidentiality and integrity. An example of this situation has been described by Stubblebine [33]. The existence of this type of attack provides an additional motivation for distinguishing integrity and confidentiality keys: we need to avoid the possibility of this type of attack, so we need to take care never to use the same key with both sorts of mechanism. 9 Weak Integrity weakens ....

S. G. Stubblebine and V. D. Gligor. On message integrity in cryptographic protocols. In Proceedings of the IEEE Symposium on Research in Security and Privacy, May 1992.

....in another way. Thus, it appears to be well worth our while to take our analysis to a lower level of abstraction. Some work in this direction already exists. For example, work on the analysis of modes of encryption and chosen and known plaintext has been successful both in finding new problems [45] and reproducing known attacks [46] From an entirely different angle, work has also been ongoing on introducing some of the polynomial time reduction techniques used by cryptographers into the framework used by formal methods, making it possible to reason more precisely about the interaction of a ....

S. Stubblebine and V. Gligor. On Message Integrity in Cryptographic Protocols. In Proceedings of the 1992 Symposium on Security and Privacy, pages 85--104. IEEE Computer Society Press, May 1992.

....directly attacks the CBC MAC based on details of the underlying block cipher F . Refer to [13] for an attempt to directly attack the DES CBC MAC using differential cryptanalysis. Another approach to studying MACs is rooted in the examination of protocols which use them. Stubblebine and Gligor [16] find flaws in the use of the CBC MAC in some well known protocols. But as the authors make clear, it is not the CBC MAC itself which is at fault for the indicated protocol failures it is the manner in which the containing protocols incorrectly embed the CBC MAC. The authors go on to correct ....

S. Stubblebine and V. Gligor, "On message integrity in cryptographic protocols," Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. May 1992.

.... dominance relation [14] we show that most integrity notions form a lattice. This enables us to characterize the relative strengths of both integrity notions and authenticated encryption schemes supporting them, such as those used in Kerberos V5 and Distributed Computing Environment (DCE) [21, 20, 23]. We show that interactions between confidentiality and integrity properties arise in some compositions of confidentiality secure schemes with MDC functions and produce authenticated encryption schemes that can be successfully attacked by a typical adversary using polynomially bounded resources. ....

....cyclic redundancy code, or CRC) functions to obtain authenticated encryption have been known for at least a quarter of a century [26] They have been used extensively for the past decade (viz. Kerberos V5 and DCE specification of CBCCRC compositions) despite their vulnerability to EF CPA attacks [23]. Does extensive use of such legacy schemes in sensitive applications, such as those found in business and millitary, mean that these applications are vulnerable to integrity attacks The answer to this question depends as much on the application characteristics as on the strength of the ....

[Article contains additional citation context not shown here]

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the 1992.

....check passes only if this value matches that obtained by applying the MDC function to the remaining plaintext [5, 7, 15] If the integrity check is not passed, a special failure indicator, denoted by Null herein, is returned. This method 1 has been used in commercial systems such as Kerberos V5 [17, 21] and DCE 1 Note that other methods for protecting the integrity of encrypted messages exist; e.g. encrypting the message with a secret key and then taking the separately keyed MAC of the ciphertext [15, 3] These methods require two passes over the 2 [6, 21] among others. The encryption ....

.... systems such as Kerberos V5 [17, 21] and DCE 1 Note that other methods for protecting the integrity of encrypted messages exist; e.g. encrypting the message with a secret key and then taking the separately keyed MAC of the ciphertext [15, 3] These methods require two passes over the 2 [6, 21], among others. The encryption scheme obtained by using this method is denoted by Pi g = E g,Dg, KG) where Pi is said to be composed with MDC function g. In this mode, we denote the use of the key K in the encryption of a plaintext string x by (E FK g) x) and in the decryption of ....

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the

....mode encrypts the plaintext P into the ciphertext C as follows [1] Encrypt(P 1 , P j ) 1. Set checksum = 0. 2. For i = 1, j, do: 3. Set x i = f(x i 1 ) 4. Set C i = E(P i # x i ) # x i . 5. Set checksum = checksum # P i . 1 Chosen plaintext attacks are quite practical [5]. In fact, they are some of the oldest known attacks in modern cryptography; viz. the gardening attacks of British cryptographers during WWII. 3] 3 6. Set x j 1 = f(x j ) 7. Set C j 1 = E(checksum # x j 1 ) # x 0 . In this definition, the plaintext contains j blocks, P = #P 1 , ....

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols ", Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 85-104, 1992.

....1 The encryption scheme obtained by using this method is denoted by Pi o g = E o g; D o g; KG) where Pi is said to be composed with the MDC function g. In this mode, we denote the use of the key K in the encryption 1 This method has been used in commercial systems such as Kerberos V5 [22, 23] and DCE [21, 23] among many others. Note that other methods for protecting the integrity of encrypted messages exist; e.g. encrypting the message with a secret key and then taking the keyed MAC of the ciphertext with a separate key [19, 7] 2 of a plaintext string x by (E FK o g) x) and in ....

....scheme obtained by using this method is denoted by Pi o g = E o g; D o g; KG) where Pi is said to be composed with the MDC function g. In this mode, we denote the use of the key K in the encryption 1 This method has been used in commercial systems such as Kerberos V5 [22, 23] and DCE [21, 23], among many others. Note that other methods for protecting the integrity of encrypted messages exist; e.g. encrypting the message with a secret key and then taking the keyed MAC of the ciphertext with a separate key [19, 7] 2 of a plaintext string x by (E FK o g) x) and in the decryption ....

[Article contains additional citation context not shown here]

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the 1992 IEEE Symposium on Research in Security and Privacy, 85-104, 1992.

....the key K in the encryption of a plaintext string x by (E FK o g) x) and in the decryption of ciphertext string y by (D FK o g) y) The passing of the integrity check at decryption is denoted by (D FK o g) y) 6= Null. 1 This method has been used in commercial systems such as Kerberos V5 [20, 21] and DCE [19, 21] among many others. Note that other methods for protecting the integrity of encrypted messages exist; i.e. taking the keyed MAC of a message using a secret key and encrypting the message with a separate secret key [17, 6] 2 For any key K, a forgery is any ciphertext message ....

....encryption of a plaintext string x by (E FK o g) x) and in the decryption of ciphertext string y by (D FK o g) y) The passing of the integrity check at decryption is denoted by (D FK o g) y) 6= Null. 1 This method has been used in commercial systems such as Kerberos V5 [20, 21] and DCE [19, 21], among many others. Note that other methods for protecting the integrity of encrypted messages exist; i.e. taking the keyed MAC of a message using a secret key and encrypting the message with a separate secret key [17, 6] 2 For any key K, a forgery is any ciphertext message that is not the ....

[Article contains additional citation context not shown here]

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the 1992 IEEE Symposium on Research in Security and Privacy, 85-104, 1992.

....passes only if this value matches that obtained by applying the MDC function to the remaining plaintext [9, 34, 12, 24] If the integrity check is not passed, a special failure indicator, denoted by Null herein, is returned. This method 1 has been used in commercial systems such as Kerberos V5 [28, 30] and DCE [10, 30] among others. The encryption scheme obtained by using this method is denoted by Pi g = E g,D g,KG) where Pi is said to be composed with MDC function g. In this mode, we denote the use of the key K in the encryption of a plaintext string x by (E FK g) x) and in the ....

....value matches that obtained by applying the MDC function to the remaining plaintext [9, 34, 12, 24] If the integrity check is not passed, a special failure indicator, denoted by Null herein, is returned. This method 1 has been used in commercial systems such as Kerberos V5 [28, 30] and DCE [10, 30], among others. The encryption scheme obtained by using this method is denoted by Pi g = E g,D g,KG) where Pi is said to be composed with MDC function g. In this mode, we denote the use of the key K in the encryption of a plaintext string x by (E FK g) x) and in the decryption of ....

S. G. Stubblebine and V. D. Gligor, "On message integrity in cryptographic protocols", Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 85-104, 1992.

....However, the presence of confounding text cannot prevent the intruder from obtaining known plaintext and ciphertext block pairs in the second attack. This is true because the presence of a confounder in the plaintext only affects its neighboring ciphertext block in Cipher Block Chaining mode [17]. However, from the complexity of the encryption algorithm and the size of the block cipher (i.e. those of DES in this case) a limit may be derived on N , the number of known plaintextciphertext block pairs required to uniquely determine the encryption key. If the protocol does not limit the ....

....secrecy of messages which lack integrity may not be a concern. Unfortunately, this may not always be the case. For instance, in cipher block chaining, message portions of known plaintext ciphertext pairs can be spliced together to form new messages which pass checksum tests with high probability [17]. The contents of such spliced messages are not secret. Hence, secrecy is a function of whether integrity is preserved or not. 2. Non derivability of plaintext: from the knowledge of ciphertext, without knowing the encryption key. 3. Honesty of session members: This property can be enforced by ....

S.G. Stubblebine and V.D. Gligor. On message integrity in cryptographic protocols. IEEE Symposium on Research and Privacy, 1992.

.... suffix to signal that the integrity of statements received after this time have an unacceptably high threshold of being compromised. For a description of analysis and design methods for message integrity thresholds in cryptographic protocols, the reader is referred to the literature [24,25]. Message contents cached prior to integrity time outs might still be usable. Such techniques enable cached certificates to be used past these periods and enable computational efficiencies due to choices in key sizes. Of course, such techniques require careful analysis. Acknowledgments I would ....

Stubblebine, S., and Gligor, V. On Message Integrity in Cryptographic Protocols. Proc. IEEE Symposium on Security and Privacy, Oakland, 1992.

No context found.

S. Stubblebine and V. Gligor, On message integrity in cryptographic protocols, Proceedings of the 1992.

No context found.

Stubblebine S., and V. Gligor, "On Message Integrity in Cryptographic Protocols", in Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1992.

No context found.

Stubblebine S., and V. Gligor, "On Message Integrity in Cryptographic Protocols", in Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1992.

No context found.

Stubblebine S., and V. Gligor, "On Message Integrity in Cryptographic Protocols", in Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, California, May 1992.

No context found.

Stubblebine, Stuart G., and Gligor, Virgil D., "On Message Integrity in Cryptographic Protocols", Proceedings of the 1992 IEEE Symposium On Research in Security and Privacy, pp. 85-104.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC