Results 1 - 10 of 171
Keying hash functions for message authentication
1996
Cited by 611 (39 self)
The use of cryptographic hash functions like MD5 or SHA for message authentication has become a standard approach in many Internet applications and protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. In addition our schemes are efficient and practical. Their performance is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.
A Concrete Security Treatment of Symmetric Encryption
Proceedings of the 38th Symposium on Foundations of Computer Science, IEEE, 1997
Cited by 421 (65 self)
We study notions and schemes for symmetric (i.e., private key) encryption in a concrete security framework. We give four different notions of security against chosen plaintext attack and analyze the concrete complexity of reductions among them, providing both upper and lower bounds, and obtaining tight relations. In this way we classify notions (even though polynomially reducible to each other) as stronger or weaker in terms of concrete security. Next we provide concrete security analyses of methods to encrypt using a block cipher, including the most popular encryption method, CBC. We establish tight bounds (meaning
Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)
2000
Cited by 378 (11 self)
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.
Efficient authentication and signing of multicast streams over lossy channels
In IEEE Symposium on Security and Privacy, 2000
Cited by 334 (8 self)
Multicast stream authentication and signing is an important and challenging problem. Applications include the continuous authentication of radio and TV Internet broadcasts, and authenticated data distribution by satellite. The main challenges are fourfold. First, authenticity must be guaranteed even when only the sender of the data is trusted. Second, the scheme needs to scale to potentially millions of receivers. Third, streamed media distribution can have high packet loss. Finally, the system needs to be efficient to support fast packet rates. We propose two efficient schemes, TESLA and EMSS, for secure lossy multicast streams. TESLA, short for Timed Efficient Stream Loss-tolerant Authentication, offers sender authentication, strong loss robustness, high scalability, and minimal overhead, at the cost of loose initial time synchronization and slightly delayed authentication. EMSS, short for Efficient Multi-chained Stream Signature, provides non-repudiation of origin, high loss resistance, and low overhead, at the cost of slightly delayed verification.
Optimal Asymmetric Encryption – How to Encrypt with RSA
1995
Cited by 224 (21 self)
Given an arbitrary k-bit to k-bit trapdoor permutation f and a hash function, we exhibit an encryption scheme for which (i) any string x of length slightly less than k bits can be encrypted as f(r_x), where r_x is a simple probabilistic encoding of x depending on the hash function; and (ii) the scheme can be proven semantically secure assuming the hash function is "ideal." Moreover, a slightly enhanced scheme is shown to have the property that the adversary can create ciphertexts only of strings for which she "knows" the corresponding plaintexts; such a scheme is not only semantically secure but also non-malleable and secure against chosen-ciphertext attack.
Key Agreement Protocols and their Security Analysis
1997
Cited by 166 (6 self)
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (public-key) setting. A formal
The order of encryption and authentication for protecting communications (or: how Secure is SSL?)
2001
Cited by 152 (7 self)
We study the question of how to generically compose symmetric encryption and authentication when building “secure channels” for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon’s) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that xor the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current practical implementations of the protocol that use the above modes of encryption are safe.
UMAC: Fast and secure message authentication.
In Advances in Cryptology – CRYPTO, 1999
Cited by 146 (13 self)
We describe a message authentication algorithm, UMAC, which authenticates messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as previously reported times for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The "cryptographic" work of UMAC is done using standard primitives of the user's choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.
Parallelizable Encryption Mode with Almost Free Message Integrity
2000
Cited by 134 (4 self)
this document we propose a new mode of operation for symmetric key block cipher algorithms. The main feature distinguishing the proposed mode from existing modes is that along with providing confidentiality of the message, it also provides message integrity. In other words, the new mode is not just a mode of operation for encryption, but a mode of operation for authenticated encryption. As the title of the document suggests, the new mode achieves the additional property with little extra overhead, as will be explained below. The new mode is also highly parallelizable. In fact, it has critical path of only two block cipher invocations. By one estimate, a hardware implementation of this mode on a single board (housing 1000 block cipher units) achieves terabits/sec (10^12 bits/sec) of authenticated encryption. Moreover, there is no penalty for doing a serial implementation of this mode. The new mode also comes with proofs of security, assuming that the underlying block ciphers are secure. For confidentiality, the mode achieves the same provable security bound as CBC. For authentication, the mode achieves the same provable security bound as CBC-MAC. The new parallelizable mode removes chaining from the well known CBC mode, and instead does an input whitening (as well an output whitening) with a pairwise independent sequence. Thus, it becomes similar to the ECB mode. However, with the input whitening with the pairwise independent sequence the new mode has provable security similar to CBC (Note: ECB does not have security guarantees like CBC). Also, the output whitening with the pairwise independent sequence guarantees message integrity. The pairwise independent sequence can be generated with little overhead. In fact, the input and output whitening sequence need only be pairwi...
On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited
JOURNAL OF CRYPTOLOGY, 1997
Cited by 128 (8 self)
Luby and Rackoff [27] showed a method for constructing a pseudorandom permutation from a pseudorandom function. The method is based on composing four (or three for weakened security) so called Feistel permutations, each of which requires the evaluation of a pseudorandom function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pairwise independent permutations. The revised construction and proof provide a framework in which similar constructions may be brought up and their security can be easily proved. We demonstrate this by presenting some additional adjustments of the construction that achieve the following:
- Reduce the success probability of the adversary.
- Provide a construction of pseudorandom permutations with large input size using pseudorandom functions with small input size.