Showing papers on "Message authentication code published in 1995"

Secure Hash Standard

Abstract: : This standard specifies a Secure Hash Algorithm (SHA-1) which can be used to generate a condensed representation of a message called a message digest. The SHA-1 is required for use with the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash algorithm is required for federal applications. The SHA-1 is used by both the transmitter and intended receiver of a message in computing and verifying a digital signature.

XOR MACs: New Methods for Message Authentication Using Finite Pseudorandom Functions

Abstract: We describe a new approach for authenticating a message using a finite pseudorandom function (PRF). Our "XOR MACs" have several nice features, including parallelisability, incrementality, and provable security. The finite PRF can be "instantiated" via DES (yielding an alternative to the CBC MAC), via the compression function of MD5 (yielding an alternative to various "keyed MD5" constructions), or in a variety of other ways. The proven security is quantitative, expressing the adversary's inability to forge in terms of her (presumed) inability to break the underlying finite PRF. This is backed by attacks showing the analysis is tight. Our proofs exploit linear algebraic techniques.

Incremental cryptography and application to virus protection

Abstract: The goal ofincremental cryptography is to design cryptographic algorithms with the property that having applied the algorithm to a document, it is possible to quickly update the result of the algorithm for a modifled document, rather than having to re-compute it from scratch. In settings where cryptographic algorithms such as encryption or signatures are frequently applied to changing documents, dramatic e‐ciency improvements can be achieved. One such setting is the use of authentication tags for virus protection. We consider documents that can be modifled by powerful (and realistic) document modiflcation operations such as insertion and deletion of character-strings (or equivalently cut and paste of text). We provide e‐cient incremental signature and message authentication schemes supporting the above document modiflcation operations. They meet a strong notion of tamper-proof security which is appropriate for the virus protection setting. We initiate a study of incremental encryption, providing deflnitions as well as solutions. Finally, we raise the novel issue of \privacy" of incremental authentication schemes.

Bucket Hashing and its Application to Fast Message Authentication

Abstract: We introduce a new technique for generating a message authentication code (MAC). At its center is a simple metaphor: to (noncryptographically) hash a string x, cast each of its words into a small number of buckets; xor the contents of each bucket; then collect up all the buckets' contents. Used in the context of Wegman-Carter authentication, this style of hash function provides the fastest known approach to software message authentication.

New hash functions for message authentication

Abstract: We show that Toeplitz matrices generated by sequences drawn from small biased distributions provide hashing schemes applicable to secure message authentication. This work extends our previous results from Crypto'94 [4] where an authentication scheme based on Toeplitz matrices generated by linear feedback shift registers was presented. Our new results have as special case the LFSR-based construction but extend to a much wider and general family of sequences, including several simple and efficient constructions with close to optimal security. Examples of the new constructions include Toeplitz matrices generated by the Legendre symbols of consecutive integers modulo a prime (of size significantly shorter than required by public-key modular arithmetic) as well as other algebraic constructions. The interest of these schemes extends beyond the proposed cryptographic applications to other uses of universal hashing (including other cryptographic applications).

The KryptoKnight family of light-weight protocols for authentication and key distribution

Abstract: An essential function for achieving security in computer networks is reliable authentication of communicating parties and network components. Such authentication typically relies on exchanges of cryptographic messages between the involved parties, which in turn implies that these parties be able to acquire shared secret keys or certified public keys. Provision of authentication and key distribution functions in the primitive and resource-constrained environments of low-function networking mechanisms, portable, or wireless devices presents challenges in terms of resource usage, system management, ease of use, efficiency, and flexibility that are beyond the capabilities of previous designs such as Kerberos or X.509. This paper presents a family of light-weight authentication and key distribution protocols suitable for use in the low layers of network architectures. All the protocols are built around a common two-way authentication protocol. The paper argues that key distribution may require substantially different approaches in different network environments and shows that the proposed family of protocols offers a flexible palette of compatible solutions addressing many different networking scenarios. The mechanisms are minimal in cryptographic processing and message size, yet they are strong enough to meet the needs of secure key distribution for network entity authentication. The protocols presented have been implemented as part of comprehensive security subsystem prototype called KryptoKnight. >

A mobile host protocol supporting route optimization and authentication

Abstract: Host mobility is becoming an important issue due to the recent proliferation of notebook and palmtop computers, the development of wireless network interfaces, and the growth in global internetworking. This paper describes the design and implementation of a mobile host protocol, called the Internet mobile host protocol (IMHP), that is compatible with the TCP/IP protocol suite, and allows a mobile host to move around the Internet without changing its identity, In particular, IMHP provides host mobility over both the local and wide area, while remaining transparent to the user and to other hosts communicating with the mobile host. IMHP features route optimization and integrated authentication of all management packets. Route optimization allows a node to cache the location of a mobile host and to send future packets directly to that mobile host. By authenticating all management packets, IMHP guards against possible attacks on packet routing to mobile hosts, including the interception or redirection of arbitrary packets within the network. A simple new authentication mechanism is introduced that preserves the level of security found in the Internet today, while accommodating the transition to stronger authentication based on public key cryptography or shared keys that may either be manually administered or provided by a future Internet key management protocol. >

Method of building fast MACS from hash functions

Abstract: Hash functions are important in modern cryptography. Main applications are their use in conjunction with digital signature schemes and message authentication. Hash functions, commonly known as message authentication codes (MACs), have received widespread use in practice for data integrity and data origin authentication. New and inventive ways of building fast MACs from hash functions involve keyed hash functions in which secret keys are used at certain locations of the compression process and the keys are also hashed.

Conference key distribution schemes for secure digital mobile communications

Abstract: We propose a new service for digital mobile communication systems. The service enables two or more users to hold a secure conference. Two requirements must be considered: privacy and authentication. Privacy involves ensuring that an eavesdropper cannot intercept the conversations of the parties holding the conference. Authentication involves ensuring that service is not obtained fraudulently in order to avoid usage charges. We present two new conference key distribution schemes for digital mobile communication systems. In these schemes, a group of users can generate a common secret keg over a public channel so that they may hold a secure conference. >

Method and apparatus for calculating message signatures in advance

Abstract: The present invention provides an improved method and apparatus for authenticating message packets to prevent forgery thereof. A server processes a client request and generates a response message. A message signature, which is generated using the session key and the message itself, is appended to the message to create an appended message. The server sends the appended message to the client. At the same time that the server works on the client request, the client predicts the response message and calculates a predicted message signature based on the session key and the predicted message. After receiving the appended message, the client strips the message signature from the appended message and compares it to the predicted message signature. If the two signatures match, the received message packet is authenticated.

A new approach to the X.509 framework: allowing a global authentication infrastructure without a global trust model

Abstract: Isolated network are currently being integrated in order to create a universal and virtual inter-network. In this context, the existence of a common authentication infrastructure is extremely important. CCITT Recommendation X.509 defines a public key-based "Authentication Framework" in which the Directory Service can be used to provide key management facilities for open applications. We propose a new approach to X.509 comprising a modular reorganization of the overall system and mechanisms allowing the realization of a global infrastructure for the deployment of authentication-based secure services. These mechanisms aim to complete the X.509 framework so as to rectify some open issues of the approach in order to allow the support of a multitude of trust models while respecting each security domain's certificates validation criteria. We first discuss aspects related to authentication data retrieval and validation with respect to X.509. Then we give an overview of the overall approach, and emphasize its more relevant aspects and mechanisms while describing the applicability of our approach with respect to security architectures and current trust models. Finally, we conclude the paper describing the applicability of our approach in a open and heterogeneous environment. >

Efficient protocols secure against guessing and replay attacks

Abstract: To establish secure network communications, a common practice requires that users authenticate one another and establish a temporary session key based on their passwords. Since users often use passwords that are easy to remember, attackers can correctly guess the passwords simply by searching through a relatively small space of "weak" passwords. In this paper, we present a new set of efficient protocols that can establish secure communications while protecting passwords from any feasible guessing and replay attacks. Our protocols avoid the use of timestamps altogether and minimize the use of nonces (random numbers). We examine some common attacks to existing protocols, and show how our protocols can be secure against such attacks. Our protocols apply to both secure peer-to-peer and multicast communications.

On the Matsumoto and Imai human identification scheme

Abstract: At Eurocrypt'91, Matsumoto and Imai presented a human identification scheme suitable for the human ability of memorising and processing a short secret. It protects against an intruder peeping as a user enters authentication information on a terminal connected to the authentication server. In this paper several attacks are discussed to investigate the security of their scheme. A modified scheme is proposed to avoid these attacks.

Authenticated key distribution and secure broadcast using no conventional encryption: a unified approach based on block codes

Abstract: To eliminate the use of conventional encryption and to improve protocol efficiency, one-way hash function based authenticated key distribution protocols have appeared in the literature following two distinct approaches: the first approach employs one-way hash function and bit-wise XOR operation; while the second approach makes use of one-way hash function and polynomial interpolation. In this paper, we present a new technique for constructing one-way hash function based protocols for authenticated key distribution. The technique makes use of systematic linear block codes in error-control coding theory, results in more efficient protocols compared with their counterparts in the literature, and in effect, unifies the above two approaches in designing such protocols. As a by product, a secure broadcast protocol is also given which is capable of distributing a data message of any size in one broadcast protocol message.

Crypto in Europe - Markets, Law and Policy

Abstract: The public debate on cryptography policy assumes that the issue is between the state's desire for effective policing and the privacy of the individual. We show that this is misguided.

Key distribution without individual trusted authentification servers

Abstract: Some recent research on key distribution systems has focussed on analysing trust in authentication servers, and constructing key distribution protocols which operate using a number of authentication servers, which have the property that a minority of them may be untrustworthy. This paper proposes two key distribution protocols with multiple authentication servers using a cross checksum scheme. Both protocol are based on the use of symmetric encryption for verifying the origin and integrity of messages. In these protocols it is not necessary for clients to trust an individual authentication server. A minority of malicious and colluding servers cannot compromise security and can be detected. The first 'parallel' protocol can prevent a minority of servers disrupting the service. The second 'cascade' protocol has to work with other security mechanisms in order to prevent a server breaking the procedure by refusing to cooperate. As compared with other proposed protocols with similar properties these two protocols require less exchanged messages.

A user authentication protocol for digital mobile communication network

Abstract: A new public-key user authentication protocol for mobile communication network is presented based on Harn (see Electronics Letters, vol.30, no.5, p.396, 1994) proposed modified ElGa-mal signature system and Rabin cryptosystem. It overcomes the shortcomings of secret-key authentication protocol used in GSM and CT-2 systems, and a has lower computational complexity and a higher security.

Message authentication using quadratic residues

Abstract: This paper shows a method for authenticating messages based on quadratic residues. The method will detect accidental or deliberate changes to a message, and will verify the sender of the message, both with near certainty. It does not require any preliminary exchange of messages, and does not require publishing any additional data besides each user's public key.

New digital multisignature scheme in electronic contract systems

Abstract: The electronic contract system needs to replace hand written signatures with digital signatures, digital multisignature might also be needed in such environments where several persons might sign the same digital message This paper analyzes risks and presents the requirements of a digital multisignature scheme in electronic contract systems A new digital multisignature scheme suitable for contract systems is proposed and the efficiency of the scheme is discussed

Advances in cryptology, EUROCRYPT '95 : International Conference on the Theory and Application of Cryptographic Techniques, Saint-Malo, France, May 21-25, 1995 : proceedings

Abstract: Cryptanalysis.- Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction.- Convergence in Differential Distributions.- A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-up Lemma.- Signatures.- On the Efficiency of Group Signatures Providing Information-Theoretic Anonymity.- Verifiable Signature Sharing.- Server(Prover/Signer)-Aided Verification of Identity Proofs and Signatures.- Number Theory.- Counting the number of points on elliptic curves over finite fields: strategies and performances.- An Implementation of the General Number Field Sieve to Compute Discrete Logarithms mod p.- A Block Lanczos Algorithm for Finding Dependencies over GF(2).- Protocol Aspects.- How to Break Another "Provably Secure" Payment System.- Quantum Oblivious Mutual Identification.- Securing Traceability of Ciphertexts - Towards a Secure Software Key Escrow System.- Secure Multiround Authentication Protocols.- Secret Sharing.- Verifiable Secret Sharing as Secure Computation.- Efficient Secret Sharing Without a Mutually Trusted Authority.- General Short Computational Secret Sharing Schemes.- Electronic Cash.- Fair Blind Signatures.- Ripping Coins for a Fair Exchange.- Restrictive Binding of Secret-Key Certificates.- Shift Registers and Boolean Functions.- Towards Fast Correlation Attacks on Irregularly Clocked Shift Registers.- Large Period Nearly deBruijn FCSR Sequences.- On Nonlinear Resilient Functions.- Authentication Codes.- Combinatorial Bounds for Authentication Codes with Arbitration.- New Hash Functions for Message Authentication.- A 2-codes from universal hash classes.- New Schemes.- A New Identification Scheme Based on the Perceptrons Problem.- Fast RSA-type Schemes Based on Singular Cubic Curves y 2 + axy ? x 3 (mod n).- Complexity Aspects.- Relationships among the Computational Powers of Breaking Discrete Log Cryptosystems.- Universal Hash Functions & Hard Core Bits.- Recycling Random Bits in Composed Perfect Zero-Knowledge.- Implementation Aspects.- On the Matsumoto and Imai's Human Identification Scheme.- Receipt-Free Mix-Type Voting Scheme.- Are Crypto-Accelerators Really Inevitable?.- Rump Session.- Anonymous NIZK Proofs of Knowledge with Preprocessing.

Procedure for data file authentication

Abstract: Proposed is a procedure for the subsequent demonstrable initial electronic storage, particularly of a digitizable document insensitive to computer fraud, such as a computer file established on a given date. The object is to lend legal probative value to such electronically established and stored documents, by comparison to the original. As a result, unauthorized changes made later are detected immediately. This is achieved/calculated by means of a computer program which in accordance with a particular mathematical algorithm records a unique number for a document, by means of an unchanging so-called check sum, i.e. the Message Authentication Code.

Network impacts of privacy and authentication protocols for PCS

Abstract: This paper describes the message flow due to authentication, voice privacy, and signaling message encryption of two schemes that are expected to be incorporated in the EIA/TIA's cellular industry Interim Standard IS 41 Revision C. We compare the two schemes with the use of a simple mobility model for users and study their impact on the traffic to network databases. Defining user mobility rate as the number of registrations per hour per user, we show that as the user mobility rate increases from roughly 0.5 to 15, the effectiveness of one of the schemes (the one that shares the shared secret data or SSD with the visited system) as compared to the other (the one that does not share it with the visited system) varies from about 66% improvement to about 30% degradation, clearly implying that the mobility characteristics of the user population dictate the choice of the authentication scheme.

Addressing weaknesses in two cryptographic protocols of Bull, Gong and Sollins

Abstract: The authors demonstrate replay attacks on two authentication and key distribution protocols proposed by Bull, Gong and Sollins (1992). The observations leading to the attacks are used intuitively to arrive at more robust versions of the protocols.

Selective call radio receiver with display device

Abstract: PURPOSE: To improve the confidentiality of a content of a message when it is received and read. CONSTITUTION: When a message is received by a radio section 2 via an antenna 1, a code discrimination section 3 discriminates whether or not a specific code is added to the message. When the specific code is added, a secret setting release section 5 applies secret processing (replacing the message with other symbol) by a secret setting release section 5 and the message subject to secret processing is displayed on a display section 7. Furthermore, a symbol indicating that the message is subject to secret processing is displayed. In the case of reading the message, the secret is released when a password is coincident through the entry of the password and the message is displayed on the display section 7. COPYRIGHT: (C)1996,JPO

Method and means for processing combination of individual collation with encipherment of message authentication to network transmission

Abstract: PURPOSE: To improve reliability in a message from node to node by using one session key for encrypting a personal identification number(PIN) together with a message authentication code(MAC), random number, message and continuous numbers. CONSTITUTION: When a user inputs his own PIN 37 at a starting node 31, the PIN is transformed into a block, together with additional data bits and the PIN of reference bit length is formed. Furthermore, transaction data or a message 41 is linked with continuous numbers 43. These linked message and continuous numbers are encrypted by an ordinary DES module 45 by the PIN and one field 53 in these data is operated as a MAC. The field 53 of selected MAC is encrypted by an ordinary encryption module 55 together with the random number, while using a session key K1 as an encryption key 50. Moreover, a PIN 39 is encrypted by a DES encryption module 60, while using the session key K1 as the encryption key 50.

The CASS Shell

Abstract: The goal of the Computer Architecture for Secure Systems (CASS) project [1] is to develop an architecture and tools to ensure the security and integrity of software in distributed systems. CASS makes use of various cryptographic techniques at the operating system kernel level to authenticate software integrity. The CASS shell, the work described in this paper, is on the other hand a secure shell implemented on top of UNIX1 System V Release 4.2 (UNIX SVR4.2) to achieve the same purpose but in an operating system independent manner. The CASS shell carries out cryptographic authentication of executable files based on the MD5 Message-Digest algorithm [2] and presents a closed computing environment in which system utilities are safeguarded against unauthorised alteration and users are prevented from executing unsafe commands. In order to provide cryptographic authentication and other cryptographic functions such as public-key based signatures, in hardware, the work has also involved the incorporation of an encryption hardware sub-system into SVR4.2 operating on an Intel 80×86 hardware platform. The paper describes the structure and features of the CASS shell and the development and performance of both the hardware and software implementations of the cryptographic functions it uses.

Authentication codes: An area where coding and cryptology meet

Abstract: Among many applications of cryptography, the use of authentication schemes is of great practical importance. The purpose of authentication schemes [3], [10] is to add proof to a message that the message is authentic, i.e. it was not sent by an imposter and it has not been altered on its way to the receiver. The imposter may replace an authenticated message by another message (substitution) or may just try to send his own message (impersonation). The aspect of secrecy could also be introduced here, but in many cases the receiver just wants to be sure that the message is genuine. Think for instance of offices that are communicating with each other.

Information-theoretic bounds in authentication theory

Abstract: This paper gives a simplified treatment of, and new results on, information-theoretic lower bounds on an opponent's cheating probability in an authentication system with a given key entropy.

Authentische und zuverlässige Mobilkommunikation für sicherheitsrelevante Anwendungen Teil II: Systemarchitektur und Einbettung in GSM

Abstract: A communication system for train control based on the GSM mobile radio standard was introduced in Part I. Cryptographical and error control mechanisms are required to ensure integrity and authentica-tion and have to be developed in accordance with the transmission standard, communication network and service definition. The message authentication code as the main security component for a single data block was analyzed and dimensioned by means of information theory in Part I. Methods for the security of the entire communication process including link management are discussed in Part II. Topics are the integration of the system components to achieve a generaI concept in the form of a layered architecture, an appropriate key management and cryptographical protocols as well as the adaptation to the GSM system

G3 facsimile security option-UK proposal for ITU-TS recommendation

Abstract: The presented facsimile security proposal, made from the British Facsimile Industry Consultative Committee, addresses both the security aspect of the transmission and the parallel requirements for message integrity and authentication. The proposal uses two cypher algorithms: HFX40, which is used for the secure transfer of the main facsimile message, and HKM, which is used for secure key management. This G3 facsimile security option, which is being considered by the ITU-TS (International Telecommunication Union-Telecommunication Standards Sector) for the international standard, fulfils market requirements with current facsimile technology, existing transmission principles, negligible additional hardware and minimal software change. It is the only detailed proposal to be made, it has no known limitations and will hopefully be agreed for implementation in 1996.