
Showing papers on "Message authentication code published in 1996"


Proceedings ArticleDOI
16 Sep 1996
TL;DR: The idea of signature based authentication is extended to video, and a system to generate signatures for video sequences is presented, which allows smaller segments of the secured video to be verified as unmanipulated.
Abstract: A methodology for designing content based digital signatures which can be used to authenticate images is presented. A continuous measure of authenticity is presented which forms the basis of this methodology. Using this methodology signature systems can be designed which allow certain types of image modification (e.g. lossy compression) but which prevent other types of manipulation. Some experience with content based signatures is also presented. The idea of signature based authentication is extended to video, and a system to generate signatures for video sequences is presented. This signature also allows smaller segments of the secured video to be verified as unmanipulated.

615 citations


Patent
10 Jun 1996
TL;DR: In this paper, a portable security device is disclosed which can be carried by an individual and connected directly to telephone circuits to both authenticate that individual and encrypt data communications, which can operate as an electronic "token" to uniquely identify the user to a network, to a computer system or to an application program.
Abstract: A portable security device is disclosed which can be carried by an individual and connected directly to telephone circuits to both authenticate that individual and encrypt data communications. The invention can operate as an electronic "token" to uniquely identify the user to a network, to a computer system or to an application program. The "token" contains the complete network interface, such as a modem, which modulates the data and provides the circuitry required for direct connection to the network. Furthermore, this "token" will not permit communications to proceed until the device, and optionally the user, have been identified by the proper authentication. The token also contains all of the cryptographic processing required to protect the data using data encryption or message authentication or digital signatures or any combination thereof. Thus, the present invention provides the user with all of the communications and security equipment needed for use with personal computers and electronic notebooks and eliminates the need for any other security measures and/or devices.

429 citations


Book ChapterDOI
18 Aug 1996
TL;DR: The basic construction and some variants under more realistic and practical assumptions are analyzed, and the results of empirical performance tests demonstrate that these schemes are competitive with other commonly employed schemes whose security is less well-established.
Abstract: There are well-known techniques for message authentication using universal hash functions. This approach seems very promising, as it provides schemes that are both efficient and provably secure under reasonable assumptions. This paper contributes to this line of research in two ways. First, it analyzes the basic construction and some variants under more realistic and practical assumptions. Second, it shows how these schemes can be efficiently implemented, and it reports on the results of empirical performance tests that demonstrate that these schemes are competitive with other commonly employed schemes whose security is less well-established.

253 citations


Proceedings ArticleDOI
06 May 1996
TL;DR: It is argued that encryption should not be used as a general primitive as it does not capture the specific purpose for using a cryptographic function in a particular protocol.
Abstract: The design of authentication protocols has proven to be surprisingly error-prone. We suggest that this is partly due to a language problem. The objectives of entity authentication are usually given in terms of human encounters while we actually implement message passing protocols. We propose various translations of the high-level objectives into a language appropriate for communication protocols. In addition, protocols are often specified at too low a level of abstraction. We argue that encryption should not be used as a general primitive as it does not capture the specific purpose for using a cryptographic function in a particular protocol.

140 citations


Book ChapterDOI
12 May 1996
TL;DR: In this article, the security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2).
Abstract: The security of two message authentication code (MAC) algorithms is considered: the MD5-based envelope method (RFC 1828), and the banking standard MAA (ISO 8731-2). Customization of a general MAC forgery attack allows improvements in both cases. For the envelope method, the forgery attack is extended to allow key recovery; for example, a 128-bit key can be recovered using 2^67 known text-MAC pairs and time plus 2^13 chosen texts. For MAA, internal collisions are found with fewer and shorter messages than previously by exploiting the algorithm's internal structure; consequently, the number of chosen texts (each 256 Kbyte long) for a forgery can be reduced by two orders of magnitude, e.g. from 2^24 to 2^17. This attack can be extended to one requiring only short messages (2^24 messages shorter than 1 Kbyte) to circumvent the special MAA mode for long messages. Moreover, certain internal collisions allow key recovery, and weak keys for MAA are identified.

108 citations


Proceedings ArticleDOI
10 Mar 1996
TL;DR: A Higher Order Logic (HOL) theory formalizing an extended version of the Gong, Needham, Yahalom belief logic, a theory used by software that automatically proves authentication properties of cryptographic protocols.
Abstract: This paper describes a Higher Order Logic (HOL) theory formalizing an extended version of the Gong, Needham, Yahalom (GNY) belief logic, a theory used by software that automatically proves authentication properties of cryptographic protocols. The theory's extensions to the GNY logic include being able to specify protocol properties at intermediate stages and being able to specify protocols that use multiple encryption and hash operations, message authentication codes, computed values (e.g., hash codes) as keys, and key-exchange algorithms.

64 citations


Patent
16 Sep 1996
TL;DR: In this article, a hierarchical elevator control system (FIG. 2) utilizes standard Control Area Network (CAN) hardware and message protocols to separate priority levels from message type information, while maintaining collision avoidance by means of the source addresses.
Abstract: A hierarchical elevator control system (FIG. 2) utilizes standard Control Area Network (CAN) hardware and message protocols. A broadcast message format includes priority bits and source address bits in subfields within the standard CAN message identifier field, to separate priority levels from message type information, while maintaining collision avoidance by means of the source addresses. In a unicast message format, message response by individual receiving nodes is accomplished with simple standard CAN hardware filtering by providing, within the standard CAN message identifier field, a multi-bit destination address field to identify a unique receiving node to which the message is directed. In the unicast format, remote transmission requests are identified by a control bit in the standard CAN data field, and responded to utilizing a message-type field that is also in the data field portion of the message.

60 citations


Book ChapterDOI
18 Aug 1996
TL;DR: This paper compares several recent universal-hashing based constructions for authentication codes and generalizes the theory of universal hashing in order to accommodate the situation where one would like to authenticate a sequence of messages with the same key.
Abstract: In this paper, we study unconditionally secure codes that provide authentication without secrecy. Our point of view is the universal hashing approach pioneered by Wegman and Carter in 1981. We first compare several recent universal-hashing based constructions for authentication codes. Then we generalize the theory of universal hashing in order to accommodate the situation where we would like to authenticate a sequence of messages with the same key. Unlike previous methods for doing this, we do not require that each message in the sequence have a "counter" attached to it.

50 citations


Journal ArticleDOI
TL;DR: This paper introduces a new distance, called the authentication distance (A-distance), and shows that an A-code can be described as a code for the A-distance, which is directly related to the probability P_S of success in a substitution attack.
Abstract: In both open and private communication the participants face potential threats from a malicious enemy who has access to the communication channel and can insert messages (impersonation attack) or alter already transmitted messages (substitution attack). Authentication codes (A-codes) have been developed to provide protection against these threats. In this paper we introduce a new distance, called the authentication distance (A-distance), and show that an A-code can be described as a code for the A-distance. The A-distance is directly related to the probability P_S of success in a substitution attack. We show how to transform an error-correcting code into an A-code and vice versa. We further use these transformations to provide both upper and lower bounds on the size of the information to be authenticated, and study their asymptotic behavior. As examples of obtained results, we prove that the cardinality of the source state space grows exponentially with the number of keys provided P_S > P_I, we generalize the square-root bound given by Gilbert, MacWilliams, and Sloane in 1979, and we provide very efficient constructions using concatenated Reed-Solomon codes.

49 citations


Book ChapterDOI
Ueli Maurer
22 Feb 1996
TL;DR: A unified and generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication and the treatment of unconditionally-secure authentication is simplified considerably.
Abstract: This paper provides a unified and generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication. It extends and generalizes, in a number of directions, the substantial body of known results, each of which holds only for a certain restricted scenario. At the same time the treatment of unconditionally-secure authentication is simplified considerably.

46 citations


Journal ArticleDOI
TL;DR: The message flow due to authentication, voice privacy, and signaling message encryption expected to be incorporated in the EIA/TIA's cellular industry Interim Standard IS 41 Revision C is described and the effectiveness of the two schemes compared to the first varies from about a 66 percent improvement to about a 30 percent degradation.
Abstract: This article describes the message flow due to authentication, voice privacy, and signaling message encryption expected to be incorporated in the EIA/TIA's cellular industry Interim Standard IS 41 Revision C. The algorithm for authentication and generation of voice privacy mask and signalling message encryption keys employed by the standard is based on private key cryptographic techniques that use a secret key (also known as shared secret data, or SSD) for authentication. Two schemes have been proposed in the standard. In the first one, the SSD is shared only between the handset and the authentication center. In the second, the SSD is also shared with the visited system. Compared to the first scheme, the second scheme requires a considerably reduced rate of accesses to network databases for authentication during call origination determination, thereby reducing call setup time. However, during registration, the second scheme requires additional database accesses compared to the first due to the need to get an up-to-date call history count from the previous visited system. We compare the two schemes with the use of a simple mobility model for users and study their impact on the traffic to network databases. Defining the user mobility rule as the number of registrations per hour per user, we show that as the user mobility rate increases from roughly 0.5 to 15, the effectiveness of the second scheme compared to the first varies from about a 66 percent improvement to about a 30 percent degradation, clearly implying that the mobility characteristics of the user population dictate the choice of the authentication scheme.

Journal ArticleDOI
TL;DR: The authors present a new divide and conquer key recovery attack on the retail MAC based on DES, which is a widely used algorithm to compute a message authentication code (MAC).
Abstract: The authors present a new divide and conquer key recovery attack on the retail MAC based on DES, which is a widely used algorithm to compute a message authentication code (MAC). The attack requires 2^32.5 known text-MAC pairs and 3·2^56 off-line computations to find the 112 bit key.

Proceedings ArticleDOI
01 Jul 1996
TL;DR: This work describes an MPI implementation that incorporates solutions to the heterogeneity of both the underlying physical infrastructure and the authentication and software environment at different sites, and was developed for the I-WAY distributed-computing experiment.
Abstract: High-speed wide-area networks enable innovative applications that integrate geographically distributed computing, database, graphics, and networking resources. The Message Passing Interface (MPI) can be used as a portable, high-performance programming model for such systems. However, the wide-area environment introduces challenging problems for the MPI implementor, because of the heterogeneity of both the underlying physical infrastructure and the authentication and software environment at different sites. We describe an MPI implementation that incorporates solutions to these problems. This implementation, which was developed for the I-WAY distributed-computing experiment, was constructed by layering MPICH on the Nexus multithreaded runtime system. Nexus provides automatic configuration mechanisms that can be used to select and configure authentication, process creation, and communication mechanisms in heterogeneous systems.

Book ChapterDOI
09 Oct 1996
TL;DR: It has been shown that message authentication is a useful tool in designing protocols with high fault tolerance, but it imposes the additional problem of key distribution.
Abstract: Reaching agreement in the presence of Byzantine (arbitrary) faults is a fundamental problem in distributed systems. It has been shown that message authentication is a useful tool in designing protocols with high fault tolerance, but it imposes the additional problem of key distribution.

Journal ArticleDOI
Ping Lin, Lin Lin
TL;DR: An overview of the major areas in the security of enterprise networks is provided to show the variety of issues and techniques developed to address them and some of the considerations that come into play in designing security solutions for the enterprise networking environment.
Abstract: Enterprise networks are complex environments that involve the interconnection of a wide variety of computer systems such as portable PCs and personal digital assistants (PDAs), desktop PCs and workstations, servers, and mainframes, with a wide variety of communication channels such as dial-in and mobile access via modems, local area networks (LANs), wide area networks (WANs), and the Internet. The authors provide an overview of the major areas in the security of enterprise networks to show the variety of issues and techniques developed to address them. Our focus is on the ideas behind these techniques, which can be combined in many ways to create solutions that apply to different situations. The following areas are covered: confidentiality, preventing the disclosure of transmitted data to unauthorized parties; integrity, detecting modification, insertion, deletion, or replay of transmitted data; data-origin authentication, demonstrating that the origin of transmitted data is as claimed; nonrepudiation, preventing either the sender or receiver in a communication from denying their participation; user authentication, demonstrating that the identity of a user or system is as claimed; and access control, guarding against unauthorized use of resources, including the use of resources in an improper manner. We also look at some of the considerations that come into play in designing security solutions for the enterprise networking environment.

Book ChapterDOI
26 Aug 1996
TL;DR: This paper describes a proof procedure that automatically proves desired properties of cryptographic protocols, using a HOL formalization of a “belief logic” extending that of Gong, Needham, and Yahalom, or precisely identifies where these proof attempts fail.
Abstract: Cryptographic protocols are sequences of message exchanges, usually involving encryption, intended to establish secure communication over insecure networks. Whether they actually do so is a notoriously subtle question. This paper describes a proof procedure that automatically proves desired properties of cryptographic protocols, using a HOL formalization of a “belief logic” extending that of Gong, Needham, and Yahalom [9], or precisely identifies where these proof attempts fail. This proof procedure is not a full decision procedure for the belief logic, but it proves all theorems that have been of interest. This proof procedure has quickly shown potential deficiencies in published protocols, and is a significant application for HOL90 and SML.

Proceedings ArticleDOI
31 Oct 1996
TL;DR: A virtual access control configuration protocol (VACCP) which provides a dynamic security access authorization mechanism which governs the access capability and assigns access authorization to each application program on a per-user basis.
Abstract: The encroachment of digital technology into our lifestyle and corporate environment has given rise to the need for individuals to safeguard personal information, and for organizations to protect trade-secret information either stored in computers or transmitted over LANs and WANs. A secure network and communication environment requires the services of encryption mechanisms, user password authentication, and network and user-interface based access control schemes that prevent unauthorised access to application programs and operating systems. While various encryption and authentication security mechanisms have garnered a lot of development effort, access control schemes using a virtual dedicated-media network system have not been fully developed. A dedicated-media network enables the authorization of access based on non-repudiate authenticity of the source. This capability presently cannot be implemented in shared-media networks. The paper introduces a virtual access control configuration protocol (VACCP) which provides a dynamic security access authorization mechanism. The VACCP performs token-based access security control to an application's user-interface resources. The VACCP security program is designed to control remote access for both the shared-media and dedicated-media mode of communication. The VACCP security measures are implemented as a network session-layer protocol which governs the access capability and assigns access authorization to each application program on a per-user basis.

Book
01 Jan 1996
TL;DR: The next generation of Secure and Practical RSA-Based Signatures and Trade-offs Between Communication and Storage in Unconditionally Secure Schemes for Broadcast Encryption and Interactive Key Distribution are presented.
Abstract: Hashing and Authentication I.- Keying Hash Functions for Message Authentication.- Universal Hashing and Multiple Authentication.- Universal Hash Functions from Exponential Sums over Finite Fields and Galois Rings.- New Systems.- Asymmetric Cryptography with a Hidden Monomial.- Anonymous Communication and Anonymous Cash.- Asymmetric Systems.- Weaknesses in Some Threshold Cryptosystems.- Hidden Collisions on DSS.- The Dark Side of "Black-Box" Cryptography or: Should We Trust Capstone?.- Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems.- Hard Bits.- All Bits in ax + b mod p are Hard.- Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes.- Signatures.- Security of 2t-Root Identification and Signatures.- Robust and Efficient Sharing of RSA Functions.- New Generation of Secure and Practical RSA-Based Signatures.- Zero Knowledge.- Proving Without Knowing: On Oblivious, Agnostic and Blindfolded Provers.- Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing.- Symmetric Systems.- Improved Differential Attacks on RC5.- Improving Implementable Meet-in-the-Middle Attacks by Orders of Magnitude.- More on Symmetric Systems.- Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES.- How to Protect DES Against Exhaustive Key Search.- Diffie-Hellman Oracle.- Diffie-Hellman Oracles.- Algorithms for Black-Box Fields and their Application to Cryptography.- Hashing and Authentication II.- Fast Hashing on the Pentium.- On Fast and Provably Secure Message Authentication Based on Universal Hashing.- Quantum Crypto.- Quantum Cryptography over Underground Optical Fibers.- Quantum Key Distribution and String Oblivious Transfer in Noisy Channels.- Stream Ciphers.- Linear Complexity of Periodic Sequences: A General Theory.- Generalization of Siegenthaler Inequality and Schnorr-Vaudenay Multipermutations.- Secret Sharing.- Trade-offs Between Communication and Storage in Unconditionally Secure Schemes for Broadcast Encryption and Interactive Key Distribution.- New Results on Visual Cryptography.

Proceedings ArticleDOI
09 Dec 1996
TL;DR: The different design choices that need to be carefully considered when designing inter-domain protocols in large distributed systems are presented and three different inter- domain protocols with varying degrees of responsibility placed on the client and the trusted servers are proposed.
Abstract: Authentication is a key requirement in the establishment of secure interactions between network entities. Several authentication and key establishment protocols have been proposed in recent years. Most of these protocols were designed for an intra-domain environment (i.e. one where the communicating parties reside in a single domain) and then extrapolated to the inter-domain environment. In this paper, the design of inter-domain protocols is investigated. We present the different design choices that need to be carefully considered when designing inter-domain protocols in large distributed systems. We propose three different inter-domain protocols with varying degrees of responsibility placed on the client and the trusted servers. In each case, the assumptions made in the design are explicitly stated. This helps to illustrate the rationale behind the choices made. The proposed protocols use symmetric key systems and are based on Kerberos. The arguments, rationales and designs presented in this paper are also applicable to OSF's Distributed Computing Environment (DCE).

Patent
03 Sep 1996
TL;DR: In this article, a message authentication code (MAC) generation, processing and authentication part 105 integrates information generated by the processing parts 104 and 105 to obtain final MAC information, which can securely detect forgery and fraudulent alteration by using a standard transmission system.
Abstract: PROBLEM TO BE SOLVED: To transfer transmission information while securely protecting security by individually obtaining message authentication code information on a transmission side and a reception side, collating them and authenticating that the transmission information to be protect security is not altered fraudulently. SOLUTION: On the transmission and reception sides 100 and 200, communication control parts 102 and 202 mutually transfer various information through a network 1 and picture generation and storage devices 101 and 201 output and store medical pictures. Key management parts 103 and 203 manage key information which encryption processing parts 104 and 204 use at the time of extraction, collation and generation for mutual verification. A message authentication code (MAC) generation, processing and authentication part 105 integrates information generated by the processing parts 104 and 105 to obtain final MAC information. Mutual authentication parts 106 and 206 authenticate that an opposite party is a regular terminal from information obtained from the control parts 102 and 202. Thus, forgery and fraudulent alteration can securely be detected by using a standard transmission system.

Proceedings ArticleDOI
18 Nov 1996
TL;DR: This paper presents an algorithm that solves the general case of the collusion problem, which determines whether a subset of users can discover, through collusion, the information that is designed to be hidden from them after a protocol is executed.
Abstract: As network applications such as electronic commerce proliferate, complex communications protocols that employ cryptographic building blocks, such as encryption and authentication, will become more common. We view a cryptographic protocol as a process by which information is transferred among some users and hidden from others. The collusion problem determines whether a subset of users can discover, through collusion, the information that is designed to be hidden from them after a protocol is executed. Earlier we introduced a model for cryptographic protocols and its collusion analysis, and solved a special case of the collusion problem. In this paper we present an algorithm that solves the general case.

Journal Article
TL;DR: In this article, the authors proposed a new version of RIPEMD with a 160-bit result, as well as a plug-in substitute with a 128-bit one, based on the design principles of Ron Rivest's MD4.
Abstract: Cryptographic hash functions are an important tool in cryptography for applications such as digital fingerprinting of messages, message authentication, and key derivation. During the last five years, several fast software hash functions have been proposed; most of them are based on the design principles of Ron Rivest's MD4. One such proposal was RIPEMD, which was developed in the framework of the EU project RIPE (Race Integrity Primitives Evaluation). Because of recent progress in the cryptanalysis of these hash functions, we propose a new version of RIPEMD with a 160-bit result, as well as a plug-in substitute for RIPEMD with a 128-bit result. We also compare the software performance of several MD4-based algorithms, which is of independent interest.

Proceedings ArticleDOI
15 Oct 1996
TL;DR: This work proposes a hybrid end-to-end authentication and key agreement (AKA) protocol which provides authentication and key exchange between both end entities and not only eliminates the drawbacks of conventional protocols but also reduces the computation load.
Abstract: For conventional authentication protocols, distribution of session keys and maintenance of large databases are serious problems especially for large-scale wireless networks. ID-based authentication protocol eliminates the problem while it contributes the heavy computation load. We propose a hybrid end-to-end authentication and key agreement (AKA) protocol which provides authentication and key exchange between both end entities. It not only eliminates the drawbacks of conventional protocols but also reduces the computation load. Services of message confidentiality, caller ID confidentiality, service request intractability, and fraud control are provided. Roaming and handover are also taken into consideration here.


Proceedings ArticleDOI
27 Mar 1996
TL;DR: This work defined a global name service, based on a name resolution protocol, which allows any pair of Mach remote tasks to communicate transparently, using the local Mach IPC semantics, and extends the traditional Mach communication model to a workstation network by interposing a generic network server between the tasks and the microkernel.
Abstract: Masix is a distributed multi-server operating system based on the Mach microkernel, with multiple personality support. Its main feature is a distributed generic layer (DGL), which offers distributed services to the personalities. The distributed multi-server architecture of Masix grants it a high modularity, but also raises many issues, such as transparency, security and performance, which cannot be solved without adequate communication services. To provide total transparency, we extend the traditional Mach communication model to a workstation network by interposing a generic network server (GNS) between the tasks and the microkernel. We defined a global name service, based on a name resolution protocol, which allows any pair of Mach remote tasks to communicate transparently, using the local Mach IPC semantics. Our name server also provides local and remote authentication mechanisms, based on digital signatures and a secret key algorithm. To prevent eavesdropping, all remote communications are transparently encrypted by the GNS, using a public key algorithm. These security measures can be easily merged into the name service, to yield a secure distributed name resolution protocol. Microkernel-based systems are traditionally criticized for their relatively poor performance. As far as network services are concerned, experiments show that a good performance level can be reached, provided that the distinctive features of microkernels are taken into account.

Proceedings ArticleDOI
15 Oct 1996
TL;DR: Efficient protocols for establishing secure group-oriented communication channels in Internet environments based on a geometric method that incorporates the public-key distribution and the trigonometry concepts as the basic theory are presented.
Abstract: This paper presents efficient protocols for establishing secure group-oriented communication channels in Internet environments based on a geometric method. Since the data encryption/decryption requires a common secret session key between two communicating parties, finding an efficient way to distribute the group-oriented secret session key in Internet environments has become a nontrivial task. We assume that the Internet environments consist of many hosts, and each host has many users attached to it. The scheme proposed in this paper incorporates the public-key distribution and the trigonometry concepts as the basic theory. Since this scheme does not need any trusted key distribution center to distribute the common secret session key between two groups, it is quite suitable to be used in Internet environments so that the key distribution is convenient, time-saving and reparable. Furthermore, an authentication protocol is also proposed. Such a protocol can not only identify both the sender and the receiver of a group correctly but also make sure that the transmitted message reaches its destination safely.