
Showing papers on "Attribute-based encryption published in 2000"


Book ChapterDOI
03 Dec 2000
TL;DR: This work analyzes the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC, and indicates for each composition and each notion of security whether the resulting scheme meets that notion, assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack.
Abstract: We consider two possible notions of authenticity for symmetric encryption schemes, namely integrity of plaintexts and integrity of ciphertexts, and relate them to the standard notions of privacy for symmetric encryption schemes by presenting implications and separations between all notions considered. We then analyze the security of authenticated encryption schemes designed by "generic composition," meaning making black-box use of a given symmetric encryption scheme and a given MAC. Three composition methods are considered, namely Encrypt-and-MAC plaintext, MAC-then-encrypt, and Encrypt-then-MAC. For each of these, and for each notion of security, we indicate whether or not the resulting scheme meets the notion in question assuming the given symmetric encryption scheme is secure against chosen-plaintext attack and the given MAC is unforgeable under chosen-message attack. We provide proofs for the cases where the answer is "yes" and counter-examples for the cases where the answer is "no."

557 citations
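Added example, not code from the paper above: the three compositions over a toy base scheme, with HMAC-SHA256 standing in for both the block-cipher PRF and the MAC (an assumption made so the example runs on the Python standard library alone). It shows two of the separations the abstract refers to. Encrypt-and-MAC fails chosen-plaintext privacy because a deterministic MAC over the plaintext is visible in the ciphertext; MAC-then-Encrypt fails integrity of ciphertexts when the base scheme carries redundancy its decryptor ignores, while still giving integrity of plaintexts; Encrypt-then-MAC rejects every modified ciphertext. The function names, the keys and the enc_pad counterexample scheme are this example's own.

```python
import hashlib
import hmac
import os

TAG_LEN = 32      # HMAC-SHA256 tag length
NONCE_LEN = 16

def _keystream(key, nonce, n):
    """CTR-style keystream; HMAC-SHA256 stands in for the block-cipher PRF (assumption)."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def enc(ke, m):
    """IND-CPA-secure base scheme: fresh random nonce, plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, _keystream(ke, nonce, len(m))))

def dec(ke, c):
    nonce, body = c[:NONCE_LEN], c[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(ke, nonce, len(body))))

def enc_pad(ke, m):
    """Still IND-CPA-secure, but appends a byte that dec_pad ignores: a base scheme
    for which MAC-then-Encrypt is INT-PTXT yet not INT-CTXT."""
    return enc(ke, m) + b"\x00"

def dec_pad(ke, c):
    return dec(ke, c[:-1])

def mac(km, data):
    return hmac.new(km, data, hashlib.sha256).digest()

def _check(km, data, tag):
    if not hmac.compare_digest(mac(km, data), tag):
        raise ValueError("tag mismatch")

# The three generic compositions, parameterised by the base scheme (E, D).
def eam_enc(E, ke, km, m):
    """Encrypt-and-MAC: E(M) || T(M)."""
    return E(ke, m) + mac(km, m)

def eam_dec(D, ke, km, c):
    m = D(ke, c[:-TAG_LEN])
    _check(km, m, c[-TAG_LEN:])
    return m

def mte_enc(E, ke, km, m):
    """MAC-then-Encrypt: E(M || T(M))."""
    return E(ke, m + mac(km, m))

def mte_dec(D, ke, km, c):
    p = D(ke, c)
    _check(km, p[:-TAG_LEN], p[-TAG_LEN:])
    return p[:-TAG_LEN]

def etm_enc(E, ke, km, m):
    """Encrypt-then-MAC: E(M) || T(E(M))."""
    c = E(ke, m)
    return c + mac(km, c)

def etm_dec(D, ke, km, c):
    _check(km, c[:-TAG_LEN], c[-TAG_LEN:])
    return D(ke, c[:-TAG_LEN])

KE, KM = b"\x01" * 32, b"\x02" * 32   # constructed, independent keys for E and for the MAC

def eam_leaks_plaintext_equality(m=b"attack at dawn"):
    """E&M is not IND-CPA: the deterministic MAC over M repeats across encryptions,
    so an eavesdropper can tell which ciphertexts carry the same message."""
    c1, c2 = eam_enc(enc, KE, KM, m), eam_enc(enc, KE, KM, m)
    return c1[-TAG_LEN:] == c2[-TAG_LEN:]

def mte_accepts_fresh_ciphertext(m=b"attack at dawn"):
    """MtE over enc_pad: flipping the ignored trailing byte yields a ciphertext the sender
    never produced that still authenticates (INT-PTXT holds, INT-CTXT fails)."""
    c = mte_enc(enc_pad, KE, KM, m)
    forged = c[:-1] + bytes([c[-1] ^ 0xFF])
    return forged != c and mte_dec(dec_pad, KE, KM, forged) == m

def etm_rejects_every_change(m=b"attack at dawn"):
    """EtM over the same enc_pad: the tag covers the entire ciphertext, so no
    single-byte change anywhere (body, pad byte or tag) is accepted."""
    c = etm_enc(enc_pad, KE, KM, m)
    for i in range(len(c)):
        forged = c[:i] + bytes([c[i] ^ 0x01]) + c[i + 1:]
        try:
            etm_dec(dec_pad, KE, KM, forged)
            return False
        except ValueError:
            pass
    return True
```

The two failures are properties of the composition method, not of a careless instantiation: any deterministic MAC exposes plaintext equality under Encrypt-and-MAC, and any CPA-secure base scheme with decryptor-ignored redundancy lets MAC-then-Encrypt accept ciphertexts the sender never produced, exactly the counter-example pattern the abstract's "no" cases rely on.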


Book ChapterDOI
10 Apr 2000
TL;DR: This work presents definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts and presents and analyzes a new mode of encryption, RPC, which is unforgeable in the strongest sense.
Abstract: We find certain neglected issues in the study of private-key encryption schemes. For one, private-key encryption is generally held to the same standard of security as public-key encryption (i.e., indistinguishability) even though usage of the two is very different. Secondly, though the importance of secure encryption of single blocks is well known, the security of modes of encryption (used to encrypt multiple blocks) is often ignored. With this in mind, we present definitions of a new notion of security for private-key encryption called encryption unforgeability which captures an adversary's inability to generate valid ciphertexts. We show applications of this definition to authentication protocols and adaptive chosen ciphertext security. Additionally, we present and analyze a new mode of encryption, RPC (for Related Plaintext Chaining), which is unforgeable in the strongest sense of the above definition. This gives the first mode provably secure against chosen ciphertext attacks. Although RPC is slightly less efficient than, say, CBC mode (requiring about 33% more block cipher applications and having ciphertext expansion of the same amount when using a block cipher with 128-bit blocksize), it has highly parallelizable encryption and decryption operations.

225 citations


Book ChapterDOI
03 Dec 2000
TL;DR: The basic protocol of Asokan et al. is extended to a new primitive called verifiable group encryption, which can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification and encryption schemes already in use.
Abstract: We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.

195 citations


Book ChapterDOI
20 Aug 2000
TL;DR: This paper provides both empirical and theoretical evidence indicating that there is a long-lived broadcast encryption scheme that achieves a steady state in which only a small fraction of cards need to be replaced in each epoch.
Abstract: In a broadcast encryption scheme, digital content is encrypted to ensure that only privileged users can recover the content from the encrypted broadcast. Key material is usually held in a "tamper-resistant," replaceable, smartcard. A coalition of users may attack such a system by breaking their smartcards open, extracting the keys, and building "pirate decoders" based on the decryption keys they extract. In this paper we suggest the notion of long-lived broadcast encryption as a way of adapting broadcast encryption to the presence of pirate decoders and maintaining the security of broadcasts to privileged users while rendering all pirate decoders useless. When a pirate decoder is detected in a long-lived encryption scheme, the keys it contains are viewed as compromised and are no longer used for encrypting content. We provide both empirical and theoretical evidence indicating that there is a long-lived broadcast encryption scheme that achieves a steady state in which only a small fraction of cards need to be replaced in each epoch. That is, for any fraction β, the parameter values may be chosen in such a way to ensure that eventually, at most β of the cards must be replaced in each epoch. Long-lived broadcast encryption schemes are a more comprehensive solution to piracy than traitor-tracing schemes, because the latter only seek to identify the makers of pirate decoders and don't deal with how to maintain secure broadcasts once keys have been compromised. In addition, long-lived schemes are a more efficient long-term solution than revocation schemes, because their primary goal is to minimize the amount of recarding that must be done in the long term.

165 citations


Patent
20 Oct 2000
TL;DR: In this article, the authors present a method for encryption, storage, decryption, and retrieval of encrypted data on a computer system, which also includes an information database (62) and a key database (44) inside the security domain.
Abstract: A computer system (20) with a security domain (22), at least one client business domain (26), and a plurality of client terminals (34) utilizes a hidden link dynamic key manager (24, 84) and a database structure including encrypted data entities (30C, 30D) and a security identification attribute (32) for storage of encrypted data. A method for encryption, storage, decryption, and retrieval of encrypted data operates on the computer system (20), which also includes an information database (62) and a key database (44). The key database (44) is isolated from the information database (62). The security domain (22) includes a system key manager (84) operable to generate system keys with system key common names and an encryption key manager (24) operable to generate encryption keys having encryption key identifications. The key managers (24, 84) operate on a key server (40), which is mirrored by a secondary key server (42). A general security manager (82) also operates on the key server (40) to control access to the security domain (22). The security information attribute (32) is stored with a persistent data entity (30A) that is associated with the other data entities (30C, 30D) by a database schema. The security information attribute (32) includes the encryption key identification (112) for the encryption key used to encrypt the data entities (30C, 30D). The encryption key identification is encrypted by the system key, and the system key common name hash value (114) is also stored in the security information attribute (32). The information data entities (30) are stored on the information database (62), but the encryption key identification (153), encryption key (154), system key common name hash value (156, 157), and system key common name (158) are stored in the key database (44) inside the security domain (22). The system key itself is stored on a Smart Card reader (56) inside the security domain.

140 citations


Proceedings ArticleDOI
01 May 2000
TL;DR: This work investigates the relation between notions of security for symmetric (private) key encryption and constructs a complete hierarchy of private-key security notions indicating equivalences, separations, and incomparabilities.
Abstract: Understanding the security of encryption methods has been a major area of research in both modern and traditional cryptography. We investigate the relation between notions of security for symmetric (private) key encryption. The security goals of both indistinguishability and non-malleability are considered, each under all possible combinations of adaptive or non-adaptive chosen-plaintext and chosen-ciphertext attacks. We are thus able to construct a complete hierarchy of private-key security notions indicating equivalences, separations, and incomparabilities. Perhaps the most surprising result, which has no analogue in the public-key setting, is that adaptive access to an encryption oracle does not help the adversary. That is, any scheme which can be broken (in polynomial time) with an adaptive chosen plaintext attack can be broken (in polynomial time) with a non-adaptive chosen plaintext attack. This holds under all security notions.

122 citations


Patent
29 Dec 2000
TL;DR: In this paper, a method and apparatus for improved data management is described, which comprises generating a first key component, generating an encryption key using the first key component, a token key and a personal identification number (PIN), encrypting data with that key, and sending the encrypted data to a server together with the first key component.
Abstract: A method and apparatus for improved data management are described. In one embodiment, the method comprises generating a first key component, generating an encryption key using the first key component, a token key and a personal identification number (PIN), encrypting data using the encryption key, and sending the data encrypted with the encryption key to a server along with the first key component.

120 citations


Patent
06 Jul 2000
TL;DR: In this article, a logical tree structure and method for managing membership in a multicast group is presented that provides scalability and security from internal attacks, with each subgroup having a subgroup manager (12, 14, 18).
Abstract: A logical tree structure (10) and method for managing membership in a multicast group provides scalability and security from internal attacks. The structure defines key groups (20) and subgroups (24, 22), with each subgroup having a subgroup manager (12, 14, 18). Dual encryption allows the sender (12) of the multicast data to manage distribution of a first set of encryption keys whereas the individual subgroup managers (12, 14, 18) manage the distribution of a second set of encryption keys. The two key sets allow the sender (12) to delegate much of the group management responsibilities without compromising security because a key from each set is required to access the multicast data. Security is further maintained via a method in which subgroup managers (12, 14, 18) can be either members (18) or participants (14). Access to both keys is provided to members (18) whereas access to only one key is provided to participants (14). Nodes can be added without generating a new encryption key at the top level which provides improved scalability.

118 citations


Proceedings ArticleDOI
30 Jul 2000
TL;DR: A novel, light-weight video encryption algorithm that supports light-weight, multi-layered encryption and can provide security by encrypting only a fraction of the data depending on the level of security the user requires.
Abstract: This paper introduces a novel, light-weight video encryption algorithm that supports light-weight, multi-layered encryption. The objectives of this encryption algorithm are to reduce the total amount of data encrypted (while providing reasonable privacy and security) and to allow for the playback of the encrypted stream in the presence of network packet loss and bit-errors. The latter property allows for the easy adaptation of encrypted video over best-effort networks, such as the Internet. This algorithm partitions the stream into three layers and provides encryption on the lower two layers. An adaptive algorithm is provided that shows how to adaptively partition the video data so that the user can ensure a maximum peak signal to noise ratio in the base layer. Our results show that we can provide security by encrypting only a fraction of the data depending on the level of security the user requires.

104 citations


Book ChapterDOI
20 Aug 2000
TL;DR: A new notion concerned with the privacy of keys that provably captures this key-search resistance property is given and a new characterization of AONTs is suggested and established that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy.
Abstract: We investigate the all-or-nothing encryption paradigm which was introduced by Rivest as a new mode of operation for block ciphers. The paradigm involves composing an all-or-nothing transform (AONT) with an ordinary encryption mode. The goal is to have secure encryption modes with the additional property that exhaustive key-search attacks on them are slowed down by a factor equal to the number of blocks in the ciphertext. We give a new notion concerned with the privacy of keys that provably captures this key-search resistance property. We suggest a new characterization of AONTs and establish that the resulting all-or-nothing encryption paradigm yields secure encryption modes that also meet this notion of key privacy. A consequence of our new characterization is that we get more efficient ways of instantiating the all-or-nothing encryption paradigm. We describe a simple block-cipher-based AONT and prove it secure in the Shannon Model of a block cipher. We also give attacks against alternate paradigms that were believed to have the above key-search resistance property.

98 citations
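Added example, not the paper's code: an all-or-nothing transform in the form of Rivest's package transform, with SHA-256(K' || i) standing in for the block-cipher call under the one-time key K' (an assumption so the example needs only the standard library); in the paradigm the abstract describes, the pseudo-message this produces is then encrypted with the ordinary mode. The point of the construction is that K' is recoverable only from all n+1 output blocks, so a key-search attack on the outer mode must decrypt every block before it can test even one candidate key, which is the slowdown factor the abstract mentions. Function names and the sample input are this example's own, and the paper's own AONT may differ in detail from this form.

```python
import hashlib
import os

BLOCK = 32   # bytes; one SHA-256 output per pseudo-message block

def _E(k, i):
    """Block i of the transform keystream; stands in for the block-cipher call E_k(i)."""
    return hashlib.sha256(k + i.to_bytes(4, "big")).digest()

def _H(block, i):
    """Public (unkeyed) digest of pseudo-message block i, used to bind K' to every block."""
    return hashlib.sha256(block + i.to_bytes(4, "big")).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def aont(msg):
    """Package transform: m'_i = m_i XOR E_{K'}(i) for i = 1..n, then
    m'_{n+1} = K' XOR H(m'_1, 1) XOR ... XOR H(m'_n, n).  K' is random and never stored."""
    assert len(msg) % BLOCK == 0, "pad the message to whole blocks first"
    kp = os.urandom(BLOCK)
    blocks = [_xor(msg[j:j + BLOCK], _E(kp, j // BLOCK + 1)) for j in range(0, len(msg), BLOCK)]
    tail = kp
    for i, b in enumerate(blocks, 1):
        tail = _xor(tail, _H(b, i))
    return blocks + [tail]

def inverse(blocks):
    """Recover the message.  K' is obtainable only from ALL n+1 blocks, so anyone testing
    an outer-cipher key (a key-search routine included) must first decrypt every block."""
    *body, tail = blocks
    kp = tail
    for i, b in enumerate(body, 1):
        kp = _xor(kp, _H(b, i))
    return b"".join(_xor(b, _E(kp, i)) for i, b in enumerate(body, 1))

def demo(n_blocks=4, tampered=2):
    """Round trip, then flip one bit of one pseudo-message block and count how many
    plaintext blocks still come back intact: none, because the recovered K' is wrong."""
    msg = b"".join(bytes([65 + i]) * BLOCK for i in range(n_blocks))   # constructed input
    pkg = aont(msg)
    ok = inverse(pkg) == msg
    bad = list(pkg)
    bad[tampered] = bytes([bad[tampered][0] ^ 0x80]) + bad[tampered][1:]
    out = inverse(bad)
    intact = sum(out[j:j + BLOCK] == msg[j:j + BLOCK] for j in range(0, len(msg), BLOCK))
    return ok, intact
```

The transform is keyless from the receiver's point of view (K' travels inside the output), so it provides no secrecy by itself; its job is only to make every block of the outer ciphertext necessary before any plaintext block can be checked.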


Patent
16 Nov 2000
TL;DR: In this paper, a relational database system for encryption of individual data elements is described, comprising encryption devices of at least two different types, tamper-proof hardware and software-implemented.
Abstract: A relational database system for encryption of individual data elements comprising encryption devices of at least two different types, the types being tamper-proof hardware and software implemented. The encryption processes of the system are of at least two different security levels, differing in the type of encryption device holding the process keys for at least one of the process key categories and also differing in which type of device executes the algorithm of the process. Each data element to be protected is assigned an attribute indicating the use of an encryption process of a certain security level.

Patent
13 Nov 2000
TL;DR: In this paper, a method for encryption of the content in a database, for accomplishing increased protection against unauthorised access to the data, is presented, where every row and item is re-encrypted with a valid key.
Abstract: The present invention relates to a method for encryption of the content in a database, for accomplishing increased protection against unauthorised access to the data. The method assures that every row and item is re-encrypted with a valid key. More specifically this process, the so-called KeyLife process, is executed every time a row is inserted, updated or retrieved after a scanning operation. The key life value, defining the number of days a key is valid for each item, could differ for the items, and could typically be between 30 and 90 days. The scanning operation, checking the validity of the presently used keys, the so-called KeyLife checking, is executed each time a new key generation is created.

Book ChapterDOI
03 Dec 2000
TL;DR: An attack on plain ElGamal and plain RSA encryption is presented, showing that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure.
Abstract: We present an attack on plain ElGamal and plain RSA encryption. The attack shows that without proper preprocessing of the plaintexts, both ElGamal and RSA encryption are fundamentally insecure. Namely, when one uses these systems to encrypt a (short) secret key of a symmetric cipher it is often possible to recover the secret key from the ciphertext. Our results demonstrate that preprocessing messages prior to encryption is an essential part of both systems.
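Added example, not code from the paper: the split-key recovery the abstract describes, in Python with constructed parameters. If the encrypted symmetric key m happens to factor as m1 * m2 with both factors below 2^(k/2), textbook RSA gives c = m1^e * m2^e mod N, so a table of m2^e values and a search over m1 recovers m in about 2^(k/2 + 1) exponentiations instead of 2^k. For textbook ElGamal the example assumes the common setting in which g generates a prime-order-q subgroup with a large cofactor: raising the second ciphertext component to q strips the mask y^r and leaves m^q, to which the same search applies. The RSA modulus (two Mersenne primes), the ElGamal group (q = 65537 with a searched cofactor), the 24-bit sample key and the 12-bit halves are all this example's own; keys that do not split into two small factors are not recovered, which is why the abstract says "often".

```python
import random

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # deterministic below 3.3e24

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; exact for every modulus size used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def meet_in_the_middle(target, f, modulus, half_bits):
    """Given multiplicative f (f(ab) = f(a) f(b) mod modulus) and target = f(m) for an
    unknown m = m1 * m2 with m1, m2 < 2**half_bits, return m.  Time and memory are
    about 2**(half_bits + 1) evaluations of f instead of 2**(2 * half_bits)."""
    table = {f(m2): m2 for m2 in range(1, 1 << half_bits)}
    for m1 in range(1, 1 << half_bits):
        want = target * pow(f(m1), -1, modulus) % modulus      # equals f(m2) when m1 | m
        if want in table:
            return m1 * table[want]
    return None                                                 # m has no such split

# Textbook RSA: c = m^e mod N with no padding.  Constructed key from two Mersenne primes.
RSA_E = 65537
RSA_N = ((1 << 31) - 1) * ((1 << 61) - 1)

def rsa_attack(c, half_bits=12):
    return meet_in_the_middle(c, lambda x: pow(x, RSA_E, RSA_N), RSA_N, half_bits)

# Textbook ElGamal with g of prime order q and a large cofactor s = (p - 1) / q.
def elgamal_params(q=65537, s=1 << 48):
    while not is_probable_prime(q * s + 1):
        s += 2
    p = q * s + 1
    return p, q, pow(2, s, p)          # g = 2^s has order q (or is 1, with negligible chance)

def elgamal_attack(c2, p, q, half_bits=12):
    """c2^q = (m * y^r)^q = m^q mod p because y^r lies in the order-q subgroup; the
    unknown mask is gone and the same split-and-search applies to m^q."""
    return meet_in_the_middle(pow(c2, q, p), lambda x: pow(x, q, p), p, half_bits)

def demo(key=3001 * 3469):
    """Encrypt a constructed 24-bit session key under both systems and recover it."""
    p, q, g = elgamal_params()
    x = random.randrange(1, q)                       # recipient's secret key
    y = pow(g, x, p)
    r = random.randrange(1, q)
    c2 = key * pow(y, r, p) % p                      # second ElGamal component; c1 = g^r is not needed
    return rsa_attack(pow(key, RSA_E, RSA_N)), elgamal_attack(c2, p, q)
```

Neither attack touches the private key; both exploit only the multiplicative structure that survives when a short, structured plaintext is encrypted raw, which is the "preprocessing is essential" conclusion of the abstract.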

Patent
21 Dec 2000
TL;DR: In this article, a secure real-time voice communication system is provided that allows for the secure transmission of voice communications between a sending device 72 and a receiving device 78 through the public switched telephone network.
Abstract: A secure real time voice communication system 70 is provided that allows for the secure transmission of voice communications between a sending device 72 and a receiving device 78 through the public switched telephone network 76. The device 72 uses an encryption decryption engine 30 which is capable of executing a number of encryption algorithms which are selected using an encryption selection table 80. An encryption key can be calculated from a periodic key value and a public variable key value. Further, the encryption algorithm used can be periodically changed during a voice communication session so that multiple encryption techniques can be used within the same communication session.

Patent
23 Mar 2000
TL;DR: An encryption/decryption system for providing restricted use of each key in a plurality of keys, to preserve the confidentiality of those keys, is described in this article; each key is usable by an associated user in a public key infrastructure to encrypt and decrypt data.
Abstract: An encryption/decryption system for providing restricted use of each key in a plurality of keys to preserve confidentiality of the plurality of keys. Each key is usable by an associated user in a public key infrastructure to encrypt and decrypt data. The encryption/decryption system comprises a key storage means for storing a plurality of keys, user authentication means for determining whether a prospective user of a key in the plurality of keys is the associated user of the key, and an encryption/decryption means for encrypting and decrypting data using the plurality of keys when the user authentication means authenticates the prospective user. The encryption/decryption means is operable in a browser on a client computer.

Book ChapterDOI
14 May 2000
TL;DR: This paper considers an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party, and proposes proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem.
Abstract: Cryptography is more and more concerned with elaborate protocols involving many participants. In some cases, it is crucial to be sure that players behave fairly especially when they use public key encryption. Accordingly, mechanisms are needed to check the correctness of encrypted data, without compromising secrecy. We consider an optimistic scenario in which users have pairs of public and private keys and give an encryption of their secret key with the public key of a third party. In this setting we wish to provide a publicly verifiable proof that the third party is able to recover the secret key if needed. Our emphasis is on size; we believe that the proof should be of the same length as the original key. In this paper, we propose such proofs of fair encryption for El Gamal and RSA keys, using the Paillier cryptosystem. Our proofs are really efficient since in practical terms they are only a few hundred bytes long. As an application, we design a very simple and efficient key recovery system.

Patent
07 Apr 2000
TL;DR: In this paper, the authors proposed a method and system for creating secure Internet user states between one or more servers and one or multiple users, which is carried out by a server receiving over the Internet from a user private data relating to the user and a user key, creating an encryption key from the user key; encrypting the private data with the encryption key; assigning the encrypted private data to the data field of a cookie; and sending the cookie back to the computer for storage, so that when the user later requests data from the server or a related server, the cookie is
Abstract: A method and system for creating secure Internet user states between one or more servers and one or more users. The invention is carried out by a server receiving over the Internet from a user private data relating to the user and a user key; creating an encryption key from the user key; encrypting the private data with the encryption key; assigning the encrypted private data to the data field of a cookie; and sending the cookie back to the user's computer for storage, so that when the user later requests data from the server or a related server, the cookie is sent back by the user's computer to the server or related server, which extracts the encrypted private data; receives the user key; recreates the encryption key; decrypts the encrypted private data with the encryption key and uses the decrypted private data to establish an Internet state between that server and the user. Optionally, the private data may be seeded by a server prior to encryption and assignment.

Patent
28 Sep 2000
TL;DR: In this paper, a method of updating, in nodes on both ends of a secure link, the encryption key they share to encrypt and decrypt data is proposed. But the method does not require that key updates need to be actually distributed.
Abstract: The invention discloses a method of updating, in nodes on both ends of a secure link, the encryption key they share to encrypt and decrypt data When having to transmit data from one of the nodes towards its peer remote node, a data base in the forwarding node, is first updated from the data to be transmitted Then, encryption is performed and data transmitted to the peer remote node while a next-to-use encryption key is derived from the new contents of the data base When received, data are decrypted with the current value of the encryption key and the peer remote node data base is updated identically from the received decrypted data after which a next-to-use encryption key is derived, thereby obtaining in the peer remote node, a next-to-use identical key The data base is preferably the dictionary of a data compression/decompression system used simultaneously with encryption/decryption to transmit data over the secure link While keys are frequently updated, for improved security, the invention does not require that key updates need to be actually distributed

Patent
07 Jul 2000
TL;DR: In this paper, a plurality of nodes are configured to collect one or more encryption keys generated at each node and to transmit the collected encryption keys to a key archive for storage in a database associated with the key archive.
Abstract: A system archives encryption keys used for encrypting information in a network (105). The system includes a plurality of nodes configured to collect one or more encryption keys generated at each node and to transmit the one or more collected encryption keys to a key archive (110) for storage in a database associated with the key archive (110). The key archive (110) is configured to receive encryption keys transmitted from nodes in the network and to store the encryption keys in a database of the key archive.

Journal Article
TL;DR: In this paper, the authors proposed schemes that are provably secure against adaptive chosen ciphertext attack (CCA) and yet every string is a valid ciphertext, and they have a smaller ciphertext expansion than any other scheme known to be secure against CCA.
Abstract: The paradigms currently used to realize symmetric encryption schemes secure against adaptive chosen ciphertext attack (CCA) try to make it infeasible for an attacker to forge valid ciphertexts. This is achieved by either encoding the plaintext with some redundancy before encrypting or by appending a MAC to the ciphertext. We suggest schemes which are provably secure against CCA, and yet every string is a valid ciphertext. Consequently, our schemes have a smaller ciphertext expansion than any other scheme known to be secure against CCA. Our most efficient scheme is based on a novel use of variable-length pseudo-random functions and can be efficiently implemented using block ciphers. We relate the difficulty of breaking our schemes to that of breaking the underlying primitives in a precise and quantitative way.

Patent
21 Jun 2000
TL;DR: An improved encryption and digital signature system and method in accordance with the invention reuses an encryption ephemeral key pair from an encryption process in a digital signature process, which results in reduced byte size of the digital signature and reduction of costly computation overhead.
Abstract: An improved encryption and digital signature system and method in accordance with the invention reuses an encryption ephemeral key pair from an encryption process in a digital signature process. The reuse of the encryption ephemeral key pair in the digital signature process advantageously results in reduced byte size of the digital signature and reduction of costly computation overhead. In a preferred embodiment, the invention is based on the El Gamal encryption scheme and the Nyberg-Rueppel signature scheme. The present invention is particularly useful for operation in conjunction with small communication devices having limited processing and storage, wherein such devices may communicate via bandwidth sensitive RF links.

Patent
21 Jul 2000
TL;DR: In this paper, a method and apparatus for storing and retrieving program material for subsequent replay is described, which comprises a conditional access module, for accepting encrypted access control information and the program material encrypted according to a first encryption key.
Abstract: A method and apparatus for storing and retrieving program material for subsequent replay is disclosed. The apparatus comprises a conditional access module, for accepting encrypted access control information and the program material encrypted according to a first encryption key, the encrypted access control information including a first encryption key and temporally-variant control data; the conditional access module having a first decryptor module, for decrypting the encrypted access control information to produce the temporally variant control data; a conversion module for modifying the temporally-variant control data to produce temporally-invariant control data; a re-encryptor module, for re-encrypting the decrypted access control information; a second decryptor module for decrypting the re-encrypted access control information to produce the first encryption key; a copy protection encryption module, communicatively coupleable to the conditional access module and a media storage device, the copy protection encryption module for further encrypting the encrypted program material according to a second encryption key and for encrypting the second encryption key according to a third encryption key to produce a fourth encryption key; and a copy protection decryption module, communicatively coupleable to the conditional access module and the media storage device, the copy protection decryption module for decrypting the encrypted fourth encryption key to produce the second encryption key using the third encryption key.

Book ChapterDOI
10 Jul 2000
TL;DR: A length-saving ElGamal encryption variant whose security is based on CDH-A is proposed and analyzed in the random oracle model; it provides a shorter ciphertext than Pointcheval's scheme and is provably secure against chosen-ciphertext attack.
Abstract: A design of secure and efficient public key encryption schemes under weaker computational assumptions has been regarded as an important and challenging task. As far as the ElGamal-type encryption is concerned, some variants of the original ElGamal encryption scheme whose security depends on weaker computational assumption have been proposed: Although the security of the original ElGamal encryption is based on the decisional Diffie-Hellman assumption (DDH-A), the security of a recent scheme, such as Pointcheval’s ElGamal encryption variant, is based on the weaker assumption, the computational Diffie-Hellman assumption (CDH-A). In this paper, we propose a length-saving ElGamal encryption variant whose security is based on CDH-A and analyze its security in the random oracle model. The proposed scheme is length-efficient which provides a shorter ciphertext than that of Pointcheval’s scheme and provably secure against the chosen-ciphertext attack.

Patent
28 Mar 2000
TL;DR: In this article, a secure communications system with a compromised communications node can quickly recover from the compromised condition by sending re-keying messages using a key encryption key hierarchy, which is managed hierarchically such that many nodes can be re-keyed with very few broadcast messages, thereby saving communications resources.
Abstract: A secure communications system (100, FIG. 1) with a compromised communications node can quickly recover from the compromised condition by sending re-keying messages using a key encryption key hierarchy (200, FIG. 2). Each communications node (330, FIG. 3) includes a memory (300, FIG. 3) with a list of tier-group specific key encryption keys, and whenever a message arrives that is encrypted with a key encryption key in the list, the communications node decrypts the message. When the message includes a new traffic encryption key, the communications node has been re-keyed. Key encryption keys are managed hierarchically such that many communications nodes can be re-keyed with very few broadcast messages, thereby saving communications resources.
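Added example, not from the patent: a binary hierarchy of key encryption keys of the kind the abstract describes, with one leaf per communications node. Evicting a compromised node renews the KEKs on its path and the traffic encryption key, and each renewed key is broadcast wrapped under its two child keys, so 2 × depth messages re-key the whole group however many nodes it has. Wrapping is modelled by key possession rather than by a real cipher (an assumption of this illustration), which is enough to check that every other node recovers the new TEK while the evicted node, still holding its old keys, recovers none of the new ones. The class and function names are this example's own.

```python
import os

class KeyTree:
    """Binary hierarchy of key encryption keys in heap layout: root = 1, children of
    node i are 2i and 2i+1, and each leaf holds one communications node (n >= 2).
    A node holds its leaf key plus every KEK on the path to the root (its tier groups)."""

    def __init__(self, n_nodes):
        self.size = 1
        while self.size < n_nodes:
            self.size *= 2
        self.keys = {i: os.urandom(16) for i in range(1, 2 * self.size)}
        self.tek = os.urandom(16)                    # current traffic encryption key

    def leaf(self, node_index):
        return self.size + node_index

    def path(self, tree_node):
        out = []
        while tree_node >= 1:
            out.append(tree_node)
            tree_node //= 2
        return out

    def holdings(self, node_index):
        return {i: self.keys[i] for i in self.path(self.leaf(node_index))}

    def evict(self, node_index):
        """Treat node_index as compromised: renew every KEK on its path and the TEK.
        Returns the broadcast as (wrapping key, renewed item, new value) tuples.  Each
        renewed KEK goes out once under each child key that was not compromised; the
        TEK goes out once under the new root key."""
        evicted_leaf = self.leaf(node_index)
        msgs, new = [], {}
        for node in self.path(evicted_leaf)[1:]:          # bottom-up: parent ... root
            new[node] = os.urandom(16)
            for child in (2 * node, 2 * node + 1):
                if child == evicted_leaf:
                    continue                            # never wrap under the compromised key
                wrap_key = new.get(child, self.keys[child])   # renewed path child or untouched sibling
                msgs.append((wrap_key, node, new[node]))
        self.tek = os.urandom(16)
        msgs.append((new[1], "TEK", self.tek))
        self.keys.update(new)
        return msgs

def receive(holdings, msgs):
    """A node's view of the broadcast.  Wrapping is modelled by possession: a message is
    readable only if the node holds the exact wrapping key value, possibly one learned
    earlier in the same broadcast.  Returns (new TEK or None, updated key store)."""
    keys = dict(holdings)
    tek = None
    for wrap_key, target, value in msgs:
        if wrap_key not in keys.values():
            continue
        if target == "TEK":
            tek = value
        else:
            keys[target] = value
    return tek, keys

def demo(n_nodes=8, compromised=5):
    """Evict one node; report the message count and which nodes obtained the new TEK."""
    tree = KeyTree(n_nodes)
    before = {i: tree.holdings(i) for i in range(n_nodes)}
    msgs = tree.evict(compromised)
    got = [i for i in range(n_nodes) if receive(before[i], msgs)[0] == tree.tek]
    return len(msgs), got
```

Message order matters for the receiving side: a node in the evicted node's own subtree learns the renewed KEKs bottom-up, each one unwrapping the next, so the broadcast is emitted in that order.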

Patent
17 Nov 2000
TL;DR: In this paper, a key range variable is created by concatenating the card group value, card number and reference number for an encryption key to be generated, and a hashing algorithm is used to generate a decryption key from the master key and the key range variables.
Abstract: Initially, a key range variable is created by concatenating the card group value, card number and reference number for an encryption key to be generated. A hashing algorithm generates an encryption key from a master key and the key range variable. The encryption key and the key range variable are output to the caller who requested the key. The encryption key is used to encrypt the information, while the key range variable is stored with the encrypted data. Generation of a decryption key requires a user call for a decryption key and includes the key range variable from the encrypted data. A hashing algorithm generates a decryption key from the master key and the key range variable. The decryption key is used to decrypt the information.

Patent
William T. Jennings1
21 Sep 2000
TL;DR: As discussed by the authors, the storage and retrieval of cryptographic key materials from a storage database utilizes a limited one-way function to create computational barriers; the function is asymmetric in nature, in terms of work to compute and work to invert, for storing and retrieving encryption keys.
Abstract: The storage and retrieval of cryptographic key materials from a storage database utilizes a limited one-way function to create computational barriers. The limited one-way function is asymmetric in nature, in terms of work to compute and work to invert, to store and retrieve encryption keys. The limited one-way function is not intractable, but alternatively, there is some measurable difference in the amount of work required to invert a stored encryption key, compared to the work required for a calculation of the output of the one-way function for storage of an encryption key in a database.

Patent
08 Jun 2000
TL;DR: In this article, existing key encryption approaches are extended by using overlapping portions of encrypted information and by inserting one or more bits of data to ensure correct encryption/decryption; the inserted data can also be used for authentication.
Abstract: Existing key encryption approaches are extended by using overlapping portions of encrypted information. Another provision inserts one or more bits of data to ensure correct encryption/decryption. The inserted data can also be used for authentication.

Patent
11 Dec 2000
TL;DR: This article provides an easy-to-carry encryption display card which can generate and store a random encryption and display that encryption when the user wishes to check it.
Abstract: There is provided an easy-to-carry encryption display card which can generate and store a random encryption and display the encryption when the user wishes to check the encryption. The encryption display card has a main body of a thin plate and includes: a control circuit 2 for switching between two modes including an encryption registration mode and an encryption search mode; input keys 7 for accepting an input of label data; an encryption generating unit 22 for, upon input of the label data in the encryption registration mode, generating a random encryption for a label equivalent to the label data; a RAM 3 for storing the encryption in a one-to-one correspondence with the label; and a display panel 6 for, upon input of the label data in the encryption search mode, displaying the encryption for the label equivalent to the label data. A random encryption is generated by merely inputting the label data when registering an encryption, and the target encryption is displayed by merely inputting the label data when searching the encryption.

Patent
21 Dec 2000
TL;DR: The Perfect Forward Security (PFS) protocol as discussed by the authors is a key exchange protocol that minimizes session set-up delays associated with the exchange of encryption keys by refreshing symmetric keys after each session under cover of an existing key.
Abstract: The calculation of encryption keys is a processor intensive undertaking that is not suited for “thin client” terminal devices typically used for session applications in an Internet Protocol network. The present invention provides an encryption scheme for use with such terminal devices for the secure transmission of session data that minimizes session set-up delays associated with the exchange of encryption keys. First, keys are negotiated between network elements using prior art techniques (e.g. shared secret, IKE, Diffie-Hellman, RSA). Then, security is maintained by refreshing symmetric keys after each session under cover of an existing key. Perfect Forward Security (PFS) can be provided by “breaking the chain” through periodic key refreshes during system idle times.