From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

Handbook of Applied Cryptography

This paper describes a new replication algorithm that is able to tolerate Byzantine faults. We believe that Byzantinefault-tolerant algorithms will be increasingly important in the future because malicious attacks and software errors are increasingly common and can cause faulty nodes to exhibit arbitrary behavior. Whereas previous algorithms assumed a synchronous system or were too slow to be used in practice, the algorithm described in this paper is practical: it works in asynchronous environments like the Internet and incorporates several important optimizations that improve the response time of previous algorithms by more than an order of magnitude. We implemented a Byzantine-fault-tolerant NFS service using our algorithm and measured its performance. The results show that our service is only 3% slower than a standard unreplicated NFS.

/pdf/practical-byzantine-fault-tolerance-58gb0de0hd.pdf

Practical Byzantine fault tolerance

Our growing reliance on online services accessible on the Internet demands highly available systems that provide correct service without interruptions. Software bugs, operator mistakes, and malicious attacks are a major cause of service interruptions and they can cause arbitrary behavior, that is, Byzantine faults. This article describes a new replication algorithm, BFT, that can be used to build highly available systems that tolerate Byzantine faults. BFT can be used in practice to implement real services: it performs well, it is safe in asynchronous environments such as the Internet, it incorporates mechanisms to defend against Byzantine-faulty clients, and it recovers replicas proactively. The recovery mechanism allows the algorithm to tolerate any number of faults over the lifetime of the system provided fewer than 1/3 of the replicas become faulty within a small window of vulnerability. BFT has been implemented as a generic program library with a simple interface. We used the library to implement the first Byzantine-fault-tolerant NFS file system, BFS. The BFT library and BFS perform well because the library incorporates several important optimizations, the most important of which is the use of symmetric cryptography to authenticate messages. The performance results show that BFS performs 2p faster to 24p slower than production implementations of the NFS protocol that are not replicated. This supports our claim that the BFT library can be used to build practical systems that tolerate Byzantine faults.

/pdf/practical-byzantine-fault-tolerance-and-proactive-recovery-41bx19pxe1.pdf

Practical byzantine fault tolerance and proactive recovery

Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. A combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network is introduced. In particular, a protocol relying on the counter-intuitive motion of using a secret key to encrypt a public key is presented. Such protocols are secure against active attacks, and have the property that the password is protected against offline dictionary attacks. >

/pdf/encrypted-key-exchange-password-based-protocols-secure-4zhvfjd0go.pdf

Encrypted key exchange: password-based protocols secure against dictionary attacks

Password-based protocols for authenticated key exchange (AKE) are designed to work despite the use of passwords drawn from a space so small that an adversary might well enumerate, off line, all possible passwords. While several such protocols have been suggested, the underlying theory has been lagging. We begin by defining a model for this problem, one rich enough to deal with password guessing, forward secrecy, server compromise, and loss of session keys. The one model can be used to define various goals. We take AKE (with "implicit" authentication) as the "basic" goal, and we give definitions for it, and for entity-authentication goals as well. Then we prove correctness for the idea at the center of the Encrypted Key-Exchange (EKE) protocol of Bellovin and Merritt: we prove security, in an ideal-cipher model, of the two-flow protocol at the core of EKE.

/pdf/authenticated-key-exchange-secure-against-dictionary-attacks-3e7gjz9v6y.pdf

Authenticated key exchange secure against dictionary attacks

In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to be difficult for them to remember, solutions that maintain user convenience and a high level of security at the same time are proposed. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an offline verification of whether a guess is successful or not. Common forms of guessing attacks are examined, examples of cryptographic protocols that are immune to such attacks are developed, and a systematic way to examine protocols to detect vulnerabilities to such attacks is suggested. >

/pdf/protecting-poorly-chosen-secrets-from-guessing-attacks-4knmtlg4hf.pdf

Protecting poorly chosen secrets from guessing attacks

Many algorithms or protocols, in particular cryptographic protocols such as authentication protocols, use synchronized clocks and depend on them for correctness. This note describes a scenario where a clock synchronization failure renders a protocol vulnerable to an attack even after the faulty clock has been resynchronized. The attack exploits a postdated message by first suppressing it and replaying it later.

A security risk of depending on synchronized clocks

It is well-known that, left to themselves, people will choose passwords that can be rather readily guessed If this is done, they are usually vulnerable to an attack based on copying the content of messages forming part of an authentication protocol and experimenting, eg with a dictionary, offline The most usual counter to this threat is to require people to use passwords which are obscure, or even to insist on the system choosing their passwords for them In this paper we show alternatively how to construct an authentication protocol in which offline experimentation is impracticable; any attack based on experiment must involve the real authentication server and is thus open to detection by the server noticing multiple attempts

Reducing risks from poorly chosen keys

The author introduces a form of attack, a verifiable-test attack, in which an attacker obtains secret information, such as a password used in a protocol, without breaking the underlying cryptosystem. An investigation is made of the essence of a verifiable-text attack, and an algorithm for examining protocols and searching for vulnerabilities to such an attack is developed. Caution has to be exercised in certifying that a protocol is not vulnerable because a healthy protocol may become vulnerable when it interacts with another vulnerable or even healthy protocol. >

Verifiable-text attacks in cryptographic protocols

Hogan in her recent paper presented the requirements and the characteristics of operating systems to realize the principle of complete mediation She states the principle of complete mediation requires that every access to every object be checked for authority This implies that a secure system must utilize a foolproof method of identifying the source of every request Wells argues in a later paper that Hogan s discussion does not apply to contemporary capability based system technology and her statement is not true in such systems Wells used the KeyKOS system as an example In our opinion Wells s argument holds for at most one special type of capability systems which we refer as fully armed systems In fact one can argue that in KeyKOS the utilization of a foolproof mechanism for identifying the source is implicitly embedded throughout the system design which is mixed with other issues and would naturally be more di cult to be foolproof Moreover it is hard to be convinced that an architecture like KeyKOS is suitable to support open system policy A simple question would be who will maintain those discernible external communications that run across geographical and organizational boundaries And do we trust them The aim of this note is to supply a more complete picture of security in capability based systems

/pdf/on-security-in-capability-based-systems-3koz52aqht.pdf

Li Gong

Papers

Protecting poorly chosen secrets from guessing attacks

A security risk of depending on synchronized clocks

Reducing risks from poorly chosen keys

Verifiable-text attacks in cryptographic protocols

On security in capability-based systems