Showing papers on "Message authentication code published in 1997"


01 Feb 1997
TL;DR: This document describes HMAC, a mechanism for message authentication using cryptographic hash functions that can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key.
Abstract: This document describes HMAC, a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative cryptographic hash function, e.g., MD5, SHA-1, in combination with a secret shared key. The cryptographic strength of HMAC depends on the properties of the underlying hash function.

2,265 citations


Proceedings ArticleDOI
10 Jun 1997
TL;DR: It is suggested that the appropriate authentication requirement will depend upon the use to which the protocol is put, and the model checker FDR can be used to test whether a system running the protocol meets such a specification.
Abstract: Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what "authentication" means. We suggest that the appropriate authentication requirement will depend upon the use to which the protocol is put, and identify several possible definitions of "authentication". We formalize each definition using the process algebra CSP, use this formalism to study their relative strengths, and show how the model checker FDR can be used to test whether a system running the protocol meets such a specification.

688 citations


Patent
31 Dec 1997
TL;DR: In this paper, a method and system are described by which encryption services can be added to an existing wireless two-way alphanumeric pager network by providing a pager proxy which is arranged to receive an encrypted message from a sending pager and re-package it for re-transmission to the destination pager.
Abstract: A method and system allow encryption services to be added to an existing wireless two-way alphanumeric pager network by providing a pager proxy which is arranged to receive an encrypted message from a sending pager and re-package it for re-transmission to the destination pager. The sending pager encrypts the message using a session key, and encrypts the session key so that it can only be recovered by a secret key of the pager proxy. The pager proxy, upon recovery of the session key, decrypts the message, generates a new session key, re-encrypts the message, and encrypts the new session key so that it can only be recovered by a secret key of the destination pager. Encryption of the session key can either be carried out by shared secret key encryption or by encryption of the session key with a public key corresponding to a private key of the pager proxy or destination pager. Authentication of the sending pager and proxy server is provided by encryption of the session keys together with identifying data, and authentication of the message is provided by a message authentication code computed over the session key, identifying data, and the message.

279 citations


Book ChapterDOI
20 Jan 1997
TL;DR: This work describes a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication.
Abstract: We describe a construction of almost universal hash functions suitable for very fast software implementation and applicable to the hashing of variable size data and fast cryptographic message authentication. Our construction uses fast single precision arithmetic which is increasingly supported by modern processors due to the growing needs for fast arithmetic posed by multimedia applications.

219 citations


Patent
11 Sep 1997
TL;DR: In this article, a network storage device is disclosed for use in a secure array of such devices to support a distributed file system, where each device is an independent repository of remotely encrypted data objects to be accessed by authorized network clients.
Abstract: A network storage device is disclosed for use in a secure array of such devices to support a distributed file system. Each device is an independent repository of remotely encrypted data objects to be accessed by authorized network clients. All encryption is done by the clients, rather than by the devices. In order for the system to revoke access to an object on the device, the object must be re-encrypted. Each storage device has a device owner for controlling access to the device's data. All data requests from the clients and responses to them are authenticated using keys derived from the owner key and hashed message authentication codes.

186 citations


Patent
29 Sep 1997
TL;DR: In this article, a technique for identifying digital objects using a digital watermark was proposed, which includes the steps of encrypting a message derived from source data on the digital object, to obtain an encrypted message digest, deriving a watermark from the encrypted message, and incorporating the watermark into the source data.
Abstract: A technique for identifying digital objects using a digital watermark. The technique includes the steps of encrypting a message derived from source data on the digital object, to obtain an encrypted message digest (S); deriving a watermark from the encrypted message digest (S); and incorporating the watermark into the source data. The encryption is preferably done with a public key encryption system. The message to be encrypted can be obtained by performing a hash function on the source data on the digital object to obtain a message digest (M). The message digest (M) is the message encrypted with the signature encryption key to obtain the encrypted message digest (S). The watermark is resistant to cropping, scaling, and truncation.

169 citations


Proceedings ArticleDOI
S. Patel
04 May 1997
TL;DR: It is shown how randomized confounders cannot protect Direct Authentication Protocol and Secret Public Key Protocol versions of a secure password scheme from attacks, and why these attacks are possible against seemingly secure protocols and what is necessary to make secure protocols.
Abstract: Encrypted Key Exchange (EKE) (S. Bellovin and M. Merritt, 1992; 1993) allows two parties sharing a password to exchange authenticated information over an insecure network by using a combination of public and secret key cryptography. EKE promises security against active attacks and dictionary attacks. Other secure protocols have been proposed based on the use of randomized confounders (L. Gong et al., 1993). We use some basic results from number theory to present password guessing attacks on all versions of EKE discussed in the paper (S. Bellovin and M. Merritt, 1992) and we also offer countermeasures to the attacks. However for the RSA version of EKE, we show that simple modifications are not enough to rescue the protocol. Attacks are also presented on half encrypted versions of EKE. We also show how randomized confounders cannot protect Direct Authentication Protocol and Secret Public Key Protocol versions of a secure password scheme from attacks. We discuss why these attacks are possible against seemingly secure protocols and what is necessary to make secure protocols.

145 citations


Proceedings ArticleDOI
10 Feb 1997
TL;DR: By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved as compared to Kerberos V5.
Abstract: The authors describe a method for fully distributed authentication using public key cryptography within the Kerberos ticket framework. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved as compared to Kerberos V5. Privacy of Kerberos clients is also enhanced. A working implementation of this extended protocol has been developed, and a migration plan is proposed for a transition from traditional to public key based Kerberos.

133 citations


Journal ArticleDOI
TL;DR: This paper proposes an authentication technique for use in the global mobility network (GLOMONET), which provides a personal communication user with global roaming service and provides a unified authentication procedure with a single logic to both subscribers and roamers.
Abstract: This paper proposes an authentication technique for use in the global mobility network (GLOMONET), which provides a personal communication user with global roaming service. This technique is based on new distributed security management, where authentication management in roaming-service provision is conducted only by the roamed network (the visited network). The original security manager (OSM) administrates the original authentication key (OAK) acquired when a user makes contracts with the home network, while the temporary security manager (TSM) is generated for a roamer in the visited network in order to provide roaming services. The TSM generates and administrates the temporary authentication key (TAK) for a roamer, which key is confidential to the OSM, releases the TAK administration when a roamer moves to other networks, and then disappears. The proposed authentication technique consists of two phases. In the roaming-service-setup phase, triggered by the user's location registration request, authentication control to set up the roaming-service environment is negotiated by the TSM in the visited network, the OSM, and the roamer. In the roaming-service-provision phase, triggered by the user's service request, authentication control to provide the roaming service is negotiated (using the TAK acquired by the roamer in the first phase) only by the visited network and the roamer. This authentication control using the TAK provides a unified authentication procedure with a single logic to both subscribers and roamers. In addition, the security management of the whole GLOMONET is reinforced and the security responsibility is made clear by allocating the subscriber's/roamer's security administration to only the TSM.

100 citations


Proceedings ArticleDOI
10 Jun 1997
TL;DR: A set of design principles for avoiding replay attacks in cryptographic protocols are presented, including how to type-tag messages with unique cryptographic functions, how to inexpensively implement the full information principle with hashes, and how to produce unique session keys without assuming mutual trust between the principals.
Abstract: The goal of the paper is to present a set of design principles for avoiding replay attacks in cryptographic protocols. The principles are easily applied to real protocols and they do not consume excessive computing power or communications bandwidth. In particular we describe how to type-tag messages with unique cryptographic functions, how to inexpensively implement the full information principle with hashes, and how to produce unique session keys without assuming mutual trust between the principals. The techniques do not guarantee security of protocols, but they are concrete ways for improving the robustness of the protocol design with relatively low cost.

94 citations


Proceedings ArticleDOI
04 May 1997
TL;DR: A set of guiding principles for the design of metrics to evaluate the confidence afforded by a set of paths for authentication are developed and a direction for constructing metrics that come closer to meeting these principles is proposed.
Abstract: Authentication using a path of trusted intermediaries, each able to authenticate the next one in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an effort to bolster authentication, but the success of this approach may be unclear in the face of intersecting paths, ambiguities in the meaning of certificates, and interdependencies in the use of different keys. Several authors have thus proposed metrics to evaluate the confidence afforded by a set of paths. In this paper, we develop a set of guiding principles for the design of such metrics. We motivate our principles by showing how previous approaches fail with respect to them and what the consequences to authentication might be. We then propose a direction for constructing metrics that come closer to meeting our principles and thus, we believe, to being satisfactory metrics for authentication.

Journal ArticleDOI
TL;DR: Two approaches to authentication for code distribution are described: one extends the JVM to include a digital signature in applets; the other uses MIME encapsulation to take advantage of available security infrastructures.
Abstract: The Java Virtual Machine does not offer a way for code obtained from trusted sources to be granted extra rights. The article describes two approaches to authentication for code distribution: one extends the JVM to include a digital signature in applets; the other uses MIME encapsulation to take advantage of available security infrastructures. The signed-applet approach gives a programmer more flexibility because it addresses the security issues at a more fundamental level. However, signed-applet security mechanisms may vary for different code distribution schemes, making integration difficult. The MIME-based approach provides a unified security interface. It is more efficient in the sense that all classes can be encapsulated in one multipart attachment, and a single signature or verification operation will cover all classes. The approaches can also be combined and tailored to satisfy various requirements. Ultimately, operating systems must support the concept of a secure compartment so that separate resource management policies can be implemented for the secure compartment and the rest of the system.

Proceedings ArticleDOI
Steven M. Bellovin
10 Feb 1997
TL;DR: It is described how "probable plaintext" can be used to aid in cryptanalytic attacks, and some likely changes to the underlying protocols that may strengthen them against these attacks are outlined.
Abstract: The Internet Engineering Task Force (IETF) is in the process of adopting standards for IP-layer encryption and authentication (IPSEC). We describe how "probable plaintext" can be used to aid in cryptanalytic attacks, and analyze the protocol to show how much probable plaintext is available. We also show how traffic analysis is a powerful aid to the cryptanalyst. We conclude by outlining some likely changes to the underlying protocols that may strengthen them against these attacks.

Proceedings ArticleDOI
Philippe Janson, Gene Tsudik, M. Yung
09 Apr 1997
TL;DR: This paper studies the issues of flexibility and scalability in the context of network security by presenting the design criteria, specification, and step-by-step construction of authentication and key distribution services based on experience in the KryptoKnight project.
Abstract: This paper studies the issues of flexibility and scalability in the context of network security. In particular, it concentrates on authentication and key distribution services suited for a variety of communication paradigms, network environments, and end-devices. We present the design criteria, specification, and step-by-step construction of authentication and key distribution services based on experience in the KryptoKnight project. The central goal of the KryptoKnight project was the construction of basic network security functions in a minimal, flexible (thus, versatile) and scalable manner. Protocol minimality (in terms of resource usage) and flexibility are not merely theoretical goals; they have clear advantages in environments where computational resources are limited and connectivity is restricted. KryptoKnight was aimed at such environments: small and anemic wireless devices, simple network and data-link entities, embedded micro-devices and other special-purpose communication equipment and configurations. Furthermore, scalability of protocols makes their deployment possible in the presence of rapid network growth and inter-domain communication.

Patent
04 Jun 1997
TL;DR: A data structure and method for encapsulating a message with verifiable message ID and a verifiable identification of message interpretation information is described in this article. But the data structure is not described in detail.
Abstract: A data structure and method are disclosed for encapsulating a message with a verifiable message ID and a verifiable identification of message interpretation information. The encapsulated message includes a message set and a data generated message identifier. The message set includes a message body that contains the content of a message and a data generated interpretation identifier that verifiably identifies an interpretation file that may be used to interpret the message body. The data generated message identifier is a hash function of the message set that includes the message body and the data generated interpretation identifier. The data generated message identifier is determined such that the data generated message identifier verifiably identifies the message set.

Book ChapterDOI
11 May 1997
TL;DR: An incremental message authentication scheme based on the XOR MACs which supports insertion, deletion and other single block operations and is secure against message substitution attacks, making it applicable to virus protection.
Abstract: We introduce the relationship between incremental cryptography and memory checkers. We present an incremental message authentication scheme based on the XOR MACs which supports insertion, deletion and other single block operations. Our scheme takes only a constant number of pseudorandom function evaluations for each update step and produces smaller authentication codes than the tree scheme presented in [BGG95]. Furthermore, it is secure against message substitution attacks, where the adversary is allowed to tamper messages before update steps, making it applicable to virus protection. From this scheme we derive memory checkers for data structures based on lists. Conversely, we use a lower bound for memory checkers to show that so-called message substitution detecting schemes produce signatures or authentication codes with size proportional to the message length.

Journal ArticleDOI
TL;DR: A variety of cryptographic techniques are being used to minimize threats to electronic financial transactions, using encryption, authentication, integrity, and scalability to solve security problems.
Abstract: A variety of cryptographic techniques are being used to minimize threats to electronic financial transactions. The explosion of the Internet has permitted even small merchants to sell goods and services to a worldwide market, yet it has also exposed them to the depredations of a large pool of attackers whose motives range from greed to boredom. Fear of these risks has created a demand for security features built directly into electronic commerce systems. The good news is that existing security mechanisms can be combined to minimize a wide range of threats to electronic commerce. Security isn't the only problem. European banks will soon have electronic stored value cards that are as good as cash. Forgetting the password for a stored value card could be as troublesome as losing a wallet. The mechanisms used to solve security problems can be divided into four areas-privacy, authentication, integrity, and scalability-though a single mechanism can often mitigate more than one kind of problem. The cornerstone of all privacy mechanisms is encryption. An encryption algorithm transforms a plaintext message into an unreadable ciphertext using a key. The correct key can reverse the process, permitting anyone who knows it to get the plaintext message.

Patent
10 Oct 1997
TL;DR: In this article, a digital signature protocol generates a signature component using a hash of an encrypted message, and the signature component and encrypted message form a signature pair that is forwarded to a recipient.
Abstract: A digital signature protocol generates a signature component using a hash of an encrypted message. The component and encrypted message form a signature pair that is forwarded to a recipient. The encrypted message is used to retrieve the encryption key at the recipient and authenticate information in the message. The signature pair may be applied to a data carrier as a bar code for use in mail delivery services. By utilizing a hash of the message, a reduced message length is achieved as individual signatures are not required for each component of the message.

Journal ArticleDOI
TL;DR: It is shown that, despite the use of public-key cryptography, SSH and AKA do not provide authentication as intended.
Abstract: SSH and AKA are recent, practical protocols for secure connections over an otherwise unprotected network. The paper shows that, despite the use of public-key cryptography, SSH and AKA do not provide authentication as intended. The flaws of SSH and AKA can be viewed as the result of their disregarding a basic principle for the design of sound authentication protocols: the principle that messages should be explicit.

01 Sep 1997
TL;DR: The test cases and results provided in this document are meant to be used as a conformance test for HMAC-MD5 and HMAC-SHA-1 implementations.
Abstract: This document provides two sets of test cases for HMAC-MD5 and HMAC-SHA-1, respectively. HMAC-MD5 and HMAC-SHA-1 are two constructs of the HMAC [HMAC] message authentication function using the MD5 [MD5] hash function and the SHA-1 [SHA] hash function. Both constructs are used by IPSEC [OG,CG] and other protocols to authenticate messages. The test cases and results provided in this document are meant to be used as a conformance test for HMAC-MD5 and HMAC-SHA-1 implementations.

Journal ArticleDOI
TL;DR: A secure authentication protocol which supports both the privacy of messages and the authenticity of communicating parties is proposed and can be achieved with two messages merely between two parties involved.
Abstract: A secure authentication protocol which supports both the privacy of messages and the authenticity of communicating parties is proposed. The trusted third party (key information center) is not needed once the secure network system is set up. Mutual authentication and key distribution can be achieved with two messages merely between two parties involved.

Journal ArticleDOI
TL;DR: The author presents a new chosen-text attack on the DES-based CBC-MAC, a widely used algorithm to compute a message authentication code (MAC).
Abstract: The author presents a new chosen-text attack on the CBC-MAC which, based on DES, is a widely used algorithm to compute a message authentication code (MAC). Using DES with a MAC of size 32 bits, the attack requires approximately 2^17 chosen texts and two known texts.

Proceedings ArticleDOI
09 Apr 1997
TL;DR: A new authentication and key distribution protocol which is adaptable and reliable for communication networks, resistant to various kinds of attacks including guessing attacks, and more adaptable because it reduces several overheads which make the existing protocols more expensive.
Abstract: We propose a new authentication and key distribution protocol which is adaptable and reliable for communication networks. The secrets for authentication, which are chosen from a relatively small space by common users, are easy to guess. Our protocol gives a solution to protect the weak secrets from guessing attacks. Compared with other related work, our protocol is more reliable because it is resistant to various kinds of attacks including guessing attacks, and more adaptable because it reduces several overheads which make the existing protocols more expensive. We show how to apply our protocol to the Q.931 calling sequences and to the World Wide Web model.

Book ChapterDOI
20 Jan 1997
TL;DR: A low complexity software polynomial evaluation procedure is described, that for large message sizes gives a MAC that has about the same low software complexity as for bucket hashing but requires only small keys and has better security characteristics.
Abstract: Message authentication codes (MACs) using polynomial evaluation have the advantage of requiring a very short key even for very large messages. We describe a low complexity software polynomial evaluation procedure, that for large message sizes gives a MAC that has about the same low software complexity as for bucket hashing but requires only small keys and has better security characteristics.

Book ChapterDOI
07 Jul 1997
TL;DR: The design is inspired by Wegman-Carter construction which takes advantage of provable security and is compared with other MACs and its advantages are shown.
Abstract: This is a proposal on the construction of a Message Authentication Code (MAC) based on Latin Squares. The design is inspired by the Wegman-Carter construction, which takes advantage of provable security. The MAC is described and its security is examined. It is also compared with other MACs and its advantages are shown.

Proceedings ArticleDOI
12 Nov 1997
TL;DR: A new verification algorithm is presented that generates from the protocol description the set of possible flaws, if any, as well as the corresponding attack scenarios, and is used to discover new unknown flaws in the Woo and Lam protocol and in the corrected version of Abadi and Needham.
Abstract: We address the formal analysis of authentication cryptographic protocols. We present a new verification algorithm that generates from the protocol description the set of possible flaws, if any, as well as the corresponding attack scenarios. This algorithm does not require any property or invariant specification. The algorithm involves three steps: extracting the protocol roles, modeling the intruder abilities and verification. In addition to the classical known intruder computational abilities such as encryption and decryption, we also consider those computations that result from different instrumentations of the protocol. The intruder abilities are modeled as a deductive system. The verification is based on the extracted roles as well as the deductive system. It consists in checking whether the intruder can answer all the challenges uttered by a particular role. If it is the case, an attack scenario is automatically constructed. The extracted proof system does not ensure the termination of deductions. For that purpose, we present a general transformation schema that allows one to automatically rewrite the non-terminating proof system into a terminating one. The transformation schema is shown to be correct. To exemplify the usefulness and efficiency of our approach, we illustrate it on the Woo and Lam (1992) authentication protocol. Abadi and Needham have shown that the protocol is insecure and they proposed a new corrected version. Thanks to this method we have discovered new unknown flaws in the Woo and Lam protocol and in the corrected version of Abadi and Needham.

Journal ArticleDOI
N. Rogier, Pascal Chauvaud
01 Nov 1997
TL;DR: A low complexity method to find collisions for the compression function of MD2 is proposed, which could imply that the first conjecture is false if these collisions can be used to make global collisions for MD2.
Abstract: In 1989, Ron Rivest introduced the MD2 Message Digest Algorithm, which takes as input a message of arbitrary length and produces as output a 128-bit message digest, by appending some redundancy to the message and then iteratively applying a 32-byte to 16-byte compression function. The MD2 Message Digest Algorithm is one of the most frequently used hashing functions, along with MD4, MD5, SHA and SHA-1. Some attacks against MD4 and MD5 have been presented by Dobbertin. Up to now, no attack against MD2 has been presented. This function was updated in 1993 in the RFC 1423 document. It was conjectured that the number of operations needed to get two messages having the same message digest is on the order of 2^64 (using the birthday paradox), and that the complexity of inverting the hash function is on the order of 2^128 operations. No attack against this function has been published so far. In this paper, we propose a low complexity method to find collisions for the compression function of MD2. The ease of finding these collisions could imply that the first conjecture is false if these collisions can be used to make global collisions for MD2.

Patent
Gideon A. Yuval
17 Jan 1997
TL;DR: In this article, a block cipher is used in combination with a series of other data manipulation operations, including XOR operations and rotate operations, to provide a good degree of system security.
Abstract: Encryption and authentication techniques which can be implemented on inexpensive, e.g., 8-bit, microprocessors and micro-controllers, using very little of the microprocessor's memory, are described. While the described techniques require few system resources to implement, they still provide a good degree of security. In accordance with the present invention, in order to avoid having to specifically dedicate a portion of the microprocessor's limited memory for use as a substitution box, a portion of the code stored in the microprocessor's memory, dedicated to performing another function, is selected to serve as an S-box. This memory saving technique is used to implement a block cipher. The block cipher is used in combination with a series of other data manipulation operations, including XOR operations and rotate operations, to provide a good degree of system security. The operations used to implement the techniques of the present invention are capable of being implemented using 8-bit instructions, making the techniques of the present invention well suited for implementation on 8-bit systems such as those used in home and auto control applications. The message protocol and encryption scheme of the present invention involves the subtracting of current message payloads from previously received message payloads to distinguish between new messages and repeated messages which have already been acted upon. Messages are acted upon only once, thereby rendering the recording and playing back of previous messages ineffective at defeating system security.

Proceedings ArticleDOI
10 Feb 1997
TL;DR: The difficulty of generating good random numbers, the mistakes that were made in implementing Kerberos Version 4, and the breakdown of software engineering that allowed this flaw to remain unfixed for ten years are discussed.
Abstract: One of the commonly accepted principles of software design for security is that making the source code openly available leads to better security. The presumption is that the open publication of source code will lead others to review the code for errors, however this openness is no guarantee of correctness. One of the most widely published and used pieces of security software in recent memory is the MIT implementation of the Kerberos authentication protocol. In the design of the protocol, random session keys are the basis for establishing the authenticity of service requests. Because of the way that the Kerberos Version 4 implementation selected its random keys, the secret keys could easily be guessed in a matter of seconds. This paper discusses the difficulty of generating good random numbers, the mistakes that were made in implementing Kerberos Version 4, and the breakdown of software engineering that allowed this flaw to remain unfixed for ten years. We discuss this as a particularly notable example of the need to examine security-critical code carefully, even when it is made publicly available.

Patent
14 May 1997
TL;DR: In this paper, a method of authenticating a signature of a message m is disclosed, comprising the steps of determining a hash h(m) of the message by application of a hash function and deriving therefrom a first signature component.
Abstract: This invention discloses a method of authenticating a signature of a message m comprising the steps of determining a hash h(m) of the message by application of a hash function and deriving therefrom a first signature component. The signer then computes a function mathematically related to the hash of the message and applies the function to the message to obtain a second signature component, bound to the signatory. The signature components are forwarded to a recipient. The recipient then recovers from one of the signature components a message m', computes a hash value of m' by applying the hash function, and determines whether the value of m' and the hash h(m) embodied in the first signature component are identical, whereby identity indicates an authentic signature of the message.