
Showing papers on "Message authentication code published in 1987"


Journal ArticleDOI
TL;DR: This is the first known solution that achieves optimal accuracy—the accuracy of synchronized clocks (with respect to real time) is as good as that specified for the underlying hardware clocks.
Abstract: We present a simple, efficient, and unified solution to the problems of synchronizing, initializing, and integrating clocks for systems with different types of failures: crash, omission, and arbitrary failures with and without message authentication. This is the first known solution that achieves optimal accuracy—the accuracy of synchronized clocks (with respect to real time) is as good as that specified for the underlying hardware clocks. The solution is also optimal with respect to the number of faulty processes that can be tolerated to achieve this accuracy.

371 citations


Journal ArticleDOI
TL;DR: A broadcast primitive that provides properties of authenticated broadcasts is presented that gives a methodology for deriving non-authenticated algorithms and is applied to various problems and obtained simpler and more efficient solutions than those previously known.
Abstract: Fault-tolerant algorithms for distributed systems with arbitrary failures are simpler to develop and prove correct if messages can be authenticated. However, using digital signatures for message authentication usually incurs substantial overhead in communication and computation. To exploit the simplicity provided by authentication without this overhead, we present a broadcast primitive that provides properties of authenticated broadcasts. This gives a methodology for deriving non-authenticated algorithms. Starting with an authenticated algorithm, we replace signed communication with the broadcast primitive to obtain an equivalent non-authenticated algorithm. We have applied this approach to various problems and in each case obtained simpler and more efficient solutions than those previously known.

240 citations


Patent
28 Aug 1987
TL;DR: In this paper, the authors make a distinction between insiders and outsiders, i.e., insiders who have access to the system and outsiders who do not, and make a comparison between two types of attacks.
Abstract: A cryptographic method and apparatus are disclosed which transform a message of arbitrary length into a block of fixed length (128 bits) defined as a modification detection code (MDC). Although there are a large number of messages which result in the same MDC, because the MDC is a many-to-one function of the input, it is required that it is practically not feasible for an opponent to find them. In analyzing the methods, a distinction is made between two types of attacks, i.e., insiders (who have access to the system) and outsiders (who do not). The first method employs four encryption steps per DEA block and provides the higher degree of security. Coupling between the different DEA operations is provided by using the input keys also as data in two of the four encryption steps. In addition, there is cross coupling by interchanging half of the internal keys. Although this second coupling operation does not add to security in this scheme, it is mandatory in the second method, which employs only two encryption steps per DEA block to trade off security for performance. By providing key cross coupling in both schemes, an identical kernel is established for both methods. This has an implementation advantage since the first method can be achieved by applying the second method twice. The MDC, when loaded into a secure device, authorizes one and only one data set to be authenticated by the MDC, whereas methods based on message authentication codes or digital signatures involving a public key algorithm authorize a plurality of data sets to be authenticated. The MDC therefore provides for greater security control.

181 citations


Patent
06 Jan 1987
TL;DR: In this paper, an electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card-issuing agencies' data processing centers.
Abstract: An electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card-issuing agencies' data processing centers. Users of the system are issued with intelligent secure bank cards, which include a microprocessor, ROS and RAM stores. The ROS includes a personal key (KP) and an account number (PAN) stored on the card when the issuer issues it to the user. Users also have a personal identity number (PIN) which is stored or remembered separately. A transaction is initiated at a retail terminal when a card is inserted in an EFT module connected to the terminal. A request message including the PAN and a session key (KS) is transmitted to the issuer's data processing center. The issuer generates an authentication parameter (TAP) based upon its stored version of KP and PIN and a time variant parameter received from the terminal. The TAP is then returned to the terminal in a response message, and based upon an input PIN, partial processing of the input PIN and KP on the card, a derived TAP is compared with the received TAP in the terminal. A correct comparison indicates that the entered PIN is valid. The request message includes the PAN encoded under the KS and KS encoded under a cross-domain key. Message authentication codes (MAC) are attached to each message, and the correct reception and regeneration of a MAC on a message including a term encoded under KS indicates that the received KS is valid and that the message originated at a valid terminal or card.

171 citations


Patent
28 Aug 1987
TL;DR: In this paper, an electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card-issuing agencies' data processing centers.
Abstract: An electronic funds transfer system (EFT) is described in which retail terminals located in stores are connected through a public switched telecommunication system to card-issuing agencies' data processing centers. Users of the system are issued with intelligent secure bank cards, which include a microprocessor, ROS and RAM stores. The ROS includes a personal key (KP) and an account number (PAN) stored on the card when the issuer issues it to the user. Users also have a personal identity number (PIN) which is stored or remembered separately. A transaction is initiated at a retail terminal when a card is inserted in an EFT module connected to the terminal. A request message including the PAN and a session key (KS) is transmitted to the issuer's data processing center. The issuer generates an authentication parameter (TAP) based upon its stored version of KP and PIN and a time variant parameter received from the terminal. The TAP is then returned to the terminal in a response message, and based upon an input PIN, partial processing of the input PIN and KP on the card, a derived TAP is compared with the received TAP in the terminal. A correct comparison indicates that the entered PIN is valid. The request message includes the PAN encoded under the KS and KS encoded under a cross-domain key. Message authentication codes (MAC) are attached to each message, and the correct reception and regeneration of a MAC on a message including a term encoded under KS indicates that the received KS is valid and that the message originated at a valid terminal or card.

111 citations


Book ChapterDOI
13 Apr 1987
TL;DR: This work assumes, in accordance with Kerckhoffs' criteria in cryptography, that the opponent is fully knowledgeable of the authentication system and that in addition he is able to both eavesdrop on legitimate communications in the channel and to introduce fraudulent communications of his own choice.
Abstract: In the most general model of message authentication, there are four essential participants: a transmitter who observes an information source, such as a coin toss, and wishes to communicate these observations to a remotely located receiver over a publicly exposed, noiseless, communications channel; a receiver who wishes not only to learn the state of the source (as observed by the transmitter) but also to assure himself that the communications (messages) he accepts actually were sent by the transmitter and that no alterations have been made to them subsequent to the transmitter having sent them; and two other parties, the opponent and the arbiter. The opponent wishes to deceive the receiver into accepting a message that will misinform him as to the state of the source. We assume, in accordance with Kerckhoffs' criteria in cryptography, that the opponent is fully knowledgeable of the authentication system and that in addition he is able to both eavesdrop on legitimate communications in the channel and to introduce fraudulent communications of his own choice. We also assume that he has unlimited computing power, i.e., that any computation which can be done in principle can in fact be done in practice. Given this, the opponent can achieve his objective in either of two ways: 1) he can impersonate the transmitter and send a fraudulent message when in fact no message was sent by the transmitter, or 2) he can wait to intercept a legitimate message from the transmitter and substitute in its stead some other message of his own devising.

95 citations


Book ChapterDOI
01 Jan 1987
TL;DR: In this article, the authors review and generalize bounds on the probability that an opponent can deceive the transmitter/receiver by means of impersonation or substitution, and give several constructions for authentication codes that meet one or more of these bounds with equality.
Abstract: We investigate authentication codes, using the model described by Simmons. We review and generalize bounds on the probability that an opponent can deceive the transmitter/receiver by means of impersonation or substitution. Also, we give several constructions for authentication codes that meet one or more of these bounds with equality. These constructions use combinatorial designs, such as transversal designs, group-divisible designs, and BIBDs (balanced incomplete block designs).

77 citations


Patent
15 May 1987
TL;DR: In this paper, the authors propose a check-sum or MAC that is computed from the data within the message in dependence upon a cryptographic key. This MAC is issued as a "challenge" to the user, who is also equipped with a separate portable token for computing a "response" in dependence upon a second cryptographic key which is unique to his token.
Abstract: In order to improve the security of message transmission from a terminal apparatus in an electronic banking or other data communications system a check-sum or MAC is computed from the data within the message in dependence upon a cryptographic key. This MAC is issued as a "challenge" to the user who is also equipped with a separate portable token for computing a "response" in dependence upon a second cryptographic key which is unique to his token. This "response" is then entered into the terminal and appended to the message as its authentication code before transmission. A recipient of the message and authentication code equipped with the same cryptographic keys can therefore check both the contents of the message and the correct identity of the sender by computing an expected authentication code from the received message and comparing it with the code received.

62 citations


Book ChapterDOI
01 Jan 1987
TL;DR: A revised 128-bit MDC algorithm is presented which overcomes the so-called Triple Birthday Attack introduced by Coppersmith and makes use of the Intel 8087/80287 Numeric Data Processor coprocessor chip for the IBM PC/XT/AT and similar microcomputers.
Abstract: Manipulation Detection Codes (MDC) are defined as a class of checksum algorithms which can detect both accidental and malicious modifications of an electronic message or document. Although the MDC result must be protected by encryption to prevent an attacker from succeeding in substituting his own Manipulation Detection Code (MDC) along with the modified text, MDC algorithms do not require the use of secret information such as a cryptographic key. Such techniques are therefore highly useful in allowing encryption and message authentication to be implemented in different protocol layers in a communication system without key management difficulties, as well as in implementing digital signature schemes. It is shown that cryptographic checksums that are intended to detect fraudulent messages should be on the order of 128 bits in length, and the ANSI X9.9-1986 Message Authentication Standard is criticized on that basis. A revised 128-bit MDC algorithm is presented which overcomes the so-called Triple Birthday Attack introduced by Coppersmith. A fast, efficient implementation is discussed which makes use of the Intel 8087/80287 Numeric Data Processor coprocessor chip for the IBM PC/XT/AT and similar microcomputers.

28 citations


Journal ArticleDOI
TL;DR: It is shown that cryptographic checksums that are intended to detect fraudulent messages must be on the order of 128 bits in length, and the ANSI X9.9-1986 message authentication standard is criticized on that basis.
Abstract: Digital signature techniques such as the Rivest-Shamir-Adleman (RSA) scheme can be used to establish both the authenticity of a document and the identity of its originator. However, because of the computationally-intensive nature of the RSA algorithm, most digital signature schemes make use of a checksum technique to summarize or represent the document, and then digitally sign the checksum. Message authentication codes (MACs), based on the Data Encryption Standard (DES), are often used for this purpose. It is shown that cryptographic checksums that are intended to detect fraudulent messages must be on the order of 128 bits in length, and the ANSI X9.9-1986 message authentication standard is criticized on that basis. In addition, architectural arguments are advanced to illustrate the advantages of a checksum algorithm that is not based on the use of cryptography and does not require the use of a secret key. Manipulation detection codes (MDC) are defined as a class of checksum algorithms that can detect both accidental and malicious modifications of an electronic message or document, without requiring the use of a cryptographic key.

25 citations


Book ChapterDOI
16 Aug 1987
TL;DR: The relevance of this comment to the subject matter of this paper is that it suggests that there may be a fourth independent coordinate in information authentication besides the three that will be discussed here.
Abstract: There are two objectives that prompt the authentication of information; one is to verify that the information was, in all probability, actually originated by the purported originator, i.e., source identification; the other is to verify the integrity of the information, i.e., to establish that even if the message was originated by the authorized source, it hasn't been subsequently altered, repeated, delayed, etc. These two objectives are normally treated in the theory of authentication as though they are inseparable, and will also be treated in that way here, although recent results by Chaum [1] demonstrating message integrity with source anonymity and by Fiat and Shamir [2], by Goldreich, Micali and Wigderson [3], and by others demonstrating verification of source identity with no additional information exchange show that the functions can in some instances be separated. The relevance of this comment to the subject matter of this paper is that it suggests that there may be a fourth independent coordinate in information authentication besides the three that will be discussed here. In spite of considerable effort, we have been unable to produce a convincing argument for or against this being the case, so we only mention the possibility for completeness.

Book ChapterDOI
13 Apr 1987
TL;DR: The aim of this contribution is to show how cryptographic applications demand both high security and high speed, and how both can be combined.
Abstract: This paper describes the impact of cryptographic requirements on the design of a new highly performant DES chip implementation. Actual cryptographic applications demand both high security and high speed. It is the aim of this contribution to show how both can be combined.

Journal ArticleDOI
TL;DR: The Belgian banking community has designed a standard security system TRASEC (TRAnsmission SECurity) for EFT (Electronic Funds Transfer) between corporate customers and all financial institutions, which will become operational by the end of 1987.

Book ChapterDOI
Albrecht Beutelspacher
13 Apr 1987
TL;DR: In this chapter, A authenticates the message M in order to make life difficult for a bad guy X, who looks for his chance to alter M in his favour.
Abstract: Suppose that A wants to send a message M to B. It is important that B receives the message without any alteration. On the other hand, a bad guy X looks for his chance to alter M in his favour. In order to make the bad guy's life difficult, A authenticates the message M. For this, A and B have to agree on an authentication function f and a secret key K. The function f has M and K as its input, and the authenticator (also called message authentication code) f(M,K) as its output.

ReportDOI
01 Feb 1987
TL;DR: The results of a trace-driven measurement study of ADP performance show that its throughput and latency are acceptable even within the limitations of today's technology, provided single-key encryption-decryption can be done in hardware.
Abstract: A mechanism for secure communication in large distributed systems is proposed. The mechanism, called Authenticated Datagram Protocol (ADP), provides message authentication and, optionally, privacy of data. ADP is a host-to-host datagram protocol, positioned below the transport layer; it uses public-key encryption to establish secure channels between hosts and to authenticate owners, and single-key encryption for communication over a channel and to ensure privacy of the messages. ADP is shown to satisfy the main security requirements of large distributed systems; end-to-end security mechanisms are provided at a higher level. The results of a trace-driven measurement study of ADP performance show that its throughput and latency are acceptable even within the limitations of today's technology, provided single-key encryption-decryption can be done in hardware.

Book ChapterDOI
13 Apr 1987
TL;DR: An overview of a number of modes of block cipher algorithms and their protection against active eavesdropping is presented.
Abstract: Block cipher algorithms are used in a variety of modes for message encryption or message authentication. Not all of the different modes offer the same protection against active eavesdropping. In this paper an overview of a number of modes and their protection against active eavesdropping is presented.

Book ChapterDOI
13 Apr 1987
TL;DR: The theory underlying this approach works on the basis that if a would-be fraudster changes any part of the message in any way then the check-sum will no longer be correct; thus the recipient of such a message can compute the expected check-sum and, if it matches, know with a high probability that the message has not been altered.
Abstract: The security of transactions flowing across a communications network is of ever increasing importance. In many such circumstances it is important not only to protect the messages from passive interception but also, and often of greater importance, to be able to detect any active attack against messages. An active attack may take the form of an interceptor tampering with the message: altering it, adding information, removing information and so on. While it is almost impossible to prevent an active attack, there are many mechanisms to ensure, with a high probability, that such an attack may be detected and hence rendered harmless. The techniques to allow detection and thus audit take many forms, of which the most common are normally cryptographically based and depend upon the generation, before transmission of the message, of a check-sum which is then appended to the message. The theory underlying this approach works on the basis that if a would-be fraudster changes any part of the message in any way then the check-sum will no longer be correct; thus the recipient of such a message can compute, for himself, the expected check-sum, compare it with that received in the message, and if they disagree will know the message has been altered. If on the other hand the expected and received check-sums agree then he knows with a high probability that the message has not been altered. This probability depends upon the amount of information within the check-sum: the longer it is, the lower the probability of an undetected alteration.