
Showing papers on "Message authentication code published in 1998"


Proceedings ArticleDOI
Ping Wah Wong
04 Oct 1998
TL;DR: A public key watermarking algorithm for image integrity verification that uses a public key as in public key cryptography, and hence it can be performed by any person without the secure exchange of a secret key.
Abstract: We propose a public key watermarking algorithm for image integrity verification. This watermark is capable of detecting any change made to an image, including changes in pixel values and image size. This watermark is important for several imaging applications, including trusted camera, legal usage of images, medical archiving of images, news reporting, commercial image transaction, and others. In each of these applications, it is important to verify that the image has not been manipulated and that the image was originated by either a specific camera or a specific user. The verification (the watermark extraction) procedure uses a public key as in public key cryptography, and hence it can be performed by any person without the secure exchange of a secret key. This is very important in many applications (e.g., trusted camera, news reporting) where the exchange of a secret key is either not possible or undesirable.

410 citations


Journal ArticleDOI
TL;DR: The paper aims to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework.
Abstract: This paper presents a general approach for analysis and verification of authentication properties using the theory of Communicating Sequential Processes (CSP). The paper aims to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework. This approach aims to combine the ability to express such protocols in a natural and precise way with the ability to reason formally about the properties they exhibit. The theory is illustrated by an examination of the Needham-Schroeder (1978) public key protocol. The protocol is first examined with respect to a single run and then more generally with respect to multiple concurrent runs.

238 citations


Patent
17 Sep 1998
TL;DR: A fast data transfer collection system using message authentication and contactless RF proximity card technology in non-contact storage and retrieval applications is described in this article. But the system is not suitable for the use of large numbers of tags.
Abstract: A fast data transfer collection system using message authentication and contactless RF proximity card technology in non-contact storage and retrieval applications. The system is generally comprised of Host computers (application computer systems), Target radio frequency (RF) terminals, and a plurality of portable Tags ('smart' or 'proximity' cards). A Host provides specific application functionality to a Tag holder, with a high degree of protection from fraudulent use. A Target provides control of the RF antenna and resolves collisions between multiple Tags in the RF field. A Tag provides reliable, high speed, and well authenticated secure exchanges of data/information with the Host resulting from the use of a custom ASIC design incorporating unique analog and digital circuits, nonvolatile memory, and state logic. Each Tag engages in a transaction with the Target in which a sequence of message exchanges allow data to be read (written) from (to) the Tag. These exchanges establish the RF communication link, resolve communication collisions with other Tags, authenticate both parties in the transaction, rapidly and robustly relay information through the link, and ensure the integrity and incorruptibility of the transaction. The system architecture provides capabilities to ensure the integrity of the data transferred thus eliminating the major problem of corrupting data on the card and in the system. The architecture and protocol are designed to allow simple and efficient integration of the transaction product system into data/information processing installations.

201 citations


Journal ArticleDOI
TL;DR: A related family of authentication and digital signature protocols based on symmetric cryptographic primitives which perform substantially better than previous constructions are presented, and raise interesting questions about the definition of a digital signature, and the relationship between integrity and authenticity.
Abstract: We present a related family of authentication and digital signature protocols based on symmetric cryptographic primitives which perform substantially better than previous constructions. Previously, one-time digital signatures based on hash functions involved hundreds of hash function computations for each signature; we show that given online access to a timestamping service, we can sign messages using only two computations of a hash function. Previously, techniques to sign infinite streams involved one such one-time signature for each message block; we show that in many realistic scenarios a small number of hash function computations is sufficient. Previously, the Diffie Hellman protocol enabled two principals to create a confidentiality key from scratch: we provide an equivalent protocol for integrity, which enables two people who do not share a secret to set up a securely serialised channel into which attackers cannot subsequently intrude. In addition to being of potential use in real applications, our constructions also raise interesting questions about the definition of a digital signature, and the relationship between integrity and authenticity.

185 citations


Patent
Boaz Feldbaum
01 Apr 1998
TL;DR: In this article, a method and system for controlling access to a message queue in a message queuing system utilizes a certificate of a user who sends a message to authenticate the message and uses a directory service of the message queue system as a trusted entity in the authentication process.
Abstract: A method and system for controlling access to a message queue in a message queuing system utilizes a certificate of a user who sends a message to authenticate the message and uses a directory service of the message queuing system as a trusted entity in the authentication process. The certificate used for message authentication may be an internal certificate issued by the message queuing system or an external certificate issued by a certification authority. The certificate is registered with the directory service of the message queuing system and stored with a security identification (SID) of the user. When the user runs an application which sends a message to a target queue, the sending computer signs the message with a private key associated with the certificate and sends the message with the digital signature and the certificate to the receiving computer. When the receiving message queue (MQ) server receives the message packet, it verifies the digital signature of the message. If the signature is verified, the receiving MQ server queries the message queuing system to obtain the SID associated with the certificate. The MQ server then decides whether the message with the SID should be placed in the target queue by checking a security descriptor of the target queue.

93 citations


Journal ArticleDOI
TL;DR: Evidence that there are no efficient algorithms for locating maximum sets of paths with path independence properties is given and several approximation algorithms for these problems are proposed.
Abstract: Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating channels in a large distributed system. In this paper, we explore the use of multiple paths to redundantly authenticate a channel and focus on two notions of path independence-disjoint paths and connective paths-that seem to increase assurance in the authentication. We give evidence that there are no efficient algorithms for locating maximum sets of paths with these independence properties and propose several approximation algorithms for these problems. We also describe a service we have deployed, called PathServer, that makes use of our algorithms to find such sets of paths to support authentication in PGP applications.

87 citations


Journal ArticleDOI
TL;DR: Instead of verifying one signature at a time, it is proposed to batch verify RSA signatures simultaneously, which maintains the same computational load as verifying a single signature.
Abstract: A digital signature is analogous to an ordinary hand-written signature used in signing messages. RSA digital signatures have been adopted by Visa and Mastercard in the secure electronic transactions (SET) standard for providing security of electronic transfers of credit and payment information over the internet. In SET, signatures are used to provide certificates for public keys and to authenticate messages. The authors propose an efficient method of verifying RSA digital signatures. Instead of verifying one signature at a time, it is proposed to batch verify RSA signatures simultaneously. This approach maintains the same computational load as verifying a single signature. Thus, a significant reduction in signature verification time can be achieved.

76 citations


Journal ArticleDOI
TL;DR: A comprehensive network security plan must encompass all the elements that make up the network and provide five important services: access-provides users with the means to transmit and receive data to and from any network resources with which they are authorized to communicate; confidentiality-ensures that the information in the network remains private (usually through encryption); authentication-ensures that the sender of a message is who he claims to be; integrity-ensures that a message has not been modified in transit; non-repudiation-ensures that the originator of the message cannot deny that he
Abstract: "Network security is the most important thing on the planet". We have heard these words uttered with great conviction many times. However, the first time it causes any inconvenience to system owners, administrators, or users, the same people hasten to add "except when it impacts performance, system complexity, or cost". Let's face it. Security is usually discarded when it contends with performance. The reason is simple, and at one time it may have even been valid: performance directly contributes to the bottom line while security provides only indirect benefits. But as the world becomes more tightly interconnected, organizations are feeling a greater need to rediscover network security. A thread that spans most definitions of network security is the intent to consider the security of the network as a whole, rather than as an endpoint issue. A comprehensive network security plan must encompass all the elements that make up the network and provide five important services: access-provides users with the means to transmit and receive data to and from any network resources with which they are authorized to communicate; confidentiality-ensures that the information in the network remains private (usually through encryption); authentication-ensures that the sender of a message is who he claims to be; integrity-ensures that a message has not been modified in transit; nonrepudiation-ensures that the originator of the message cannot deny that he sent the message and this is useful for both commercial and legal reasons.

72 citations


Book ChapterDOI
31 May 1998
TL;DR: This paper generalizes a polynomial construction due to Desmedt, Frankel and Yung to allow multiple messages to be authenticated with each key, and proposes a new flexible construction for multi-receiver A-codes by combining an A-code and an (n, m, k)-cover-free family.
Abstract: Multi-receiver authentication is an extension of traditional point-to-point message authentication in which a sender broadcasts a single authenticated message such that all the receivers can independently verify the authenticity of the message, and malicious groups of up to a given size of receivers cannot successfully impersonate the transmitter or substitute a transmitted message. This paper presents some new results on unconditionally secure multi-receiver authentication codes. First, we generalize a polynomial construction due to Desmedt, Frankel and Yung to allow multiple messages to be authenticated with each key. Second, we propose a new flexible construction for multi-receiver A-codes by combining an A-code and an (n, m, k)-cover-free family. Finally, we introduce the model of multi-receiver A-codes with a dynamic sender and present an efficient construction for it.

71 citations


Journal Article
TL;DR: The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic, and the second method is provably valid under the usual assumption that factorization is intractable.
Abstract: In electronic communications and in access to systems, the issue of authentication of the Sender S of a message M, as well as of the message itself, is of paramount importance. Recently S. Goldwasser has raised the additional issue of Deniable Authentication where the sender S authenticates the message M to the Receiver's (R) satisfaction, but can later deny his authorship of M even to an Inquisitor INQ who has listened to the exchange between S and R and who gains access to all of the secret information used by S and R. We present two practical schemes for Deniable Authentication of messages M of arbitrary length n. In both schemes the Receiver R is assured with probability greater than 1 - 2^-k, where k is a chosen security parameter, that M originated with the Sender S. Deniability is absolute in the information theoretic sense. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message. The second scheme requires the same number of XOR operations and k multiplications mod N, where N is some fixed product of two large primes. A key new feature of our method is the use of a Shannon-style error correction code. Traditional authentication for a long message M starts by hashing M down to a standard word-size. We expand M through error correction. The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic. The second Deniable Authentication method is provably valid under the usual assumption that factorization is intractable.

60 citations


Book ChapterDOI
23 Aug 1998
TL;DR: In this paper, Goldwasser et al. presented two practical schemes for Deniable Authentication of messages M of arbitrary length n, where the Receiver R is assured with probability greater than 1 − 2^-k, where k is a chosen security parameter, that M originated with the Sender S. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message.
Abstract: In electronic communications and in access to systems, the issue of authentication of the Sender S of a message M, as well as of the message itself, is of paramount importance. Recently S. Goldwasser has raised the additional issue of Deniable Authentication where the sender S authenticates the message M to the Receiver's (R) satisfaction, but can later deny his authorship of M even to an Inquisitor INQ who has listened to the exchange between S and R and who gains access to all of the secret information used by S and R. We present two practical schemes for Deniable Authentication of messages M of arbitrary length n. In both schemes the Receiver R is assured with probability greater than 1 − 2^-k, where k is a chosen security parameter, that M originated with the Sender S. Deniability is absolute in the information theoretic sense. The first scheme requires 2.4kn XOR operations on bits and one public key encoding and decoding of a short message. The second scheme requires the same number of XOR operations and k multiplications mod N, where N is some fixed product of two large primes. A key new feature of our method is the use of a Shannon-style error correction code. Traditional authentication for a long message M starts by hashing M down to a standard word-size. We expand M through error correction. The first Deniable Authentication method is provably valid for any encryption scheme with minimal security properties, i.e. this method is generic. The second Deniable Authentication method is provably valid under the usual assumption that factorization is intractable.

Journal Article
TL;DR: The state of the art for cryptographic primitives that are used for protecting the authenticity of information are described: cryptographic hash functions and digital signature schemes; the first class can be divided into Manipulation Detection Codes (MDCs) and Message Authentication Codes (or MACs).
Abstract: This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes; the first class can be divided into Manipulation Detection Codes (MDCs, also known as one-way and collision resistant hash functions) and Message Authentication Codes (or MACs). The theoretical background is sketched, but most attention is paid to overview the large number of practical constructions for hash functions and to the recent developments in their cryptanalysis. It is also explained to what extent the security of these primitives can be reduced in a provable way to realistic assumptions.

Patent
06 Jul 1998
TL;DR: In this article, a message processing apparatus processes inter-computer messages in one of three configurations including a first configuration for processing input messages from a communications port by controlling a message decoder to decode input messages and send the decoded input messages to a processor for manipulation by an application program.
Abstract: An inter-computer communication method and apparatus permits inter-computer communication of computer messages having a format easily defined by user in an ASCII configuration file. Instead of rewriting code to accommodate a differently formatted message, the invention utilizes an ASCII configuration file that can be easily created and changed to define various message formats. Message encodation involves inserting a unique header in the message identifying the message format and building a message according to the defined format. Message decodation parses this header to access the configuration file and determine message format. A message processing apparatus processes inter-computer messages in one of three configurations including a first configuration for processing input messages from a communications port by controlling a message decoder to decode input messages and send the decoded input messages to a processor for manipulation by an application program; a second configuration for playing back an input message from the message log and sending the read input message to the processor for manipulation by the application program; and a third configuration for logging inputs by routing input messages from the communications port to the message log.

Proceedings ArticleDOI
18 Oct 1998
TL;DR: A method of embedding information within digital images, called spread spectrum image steganography (SSIS), along with its payload capacity is presented and the performance of the technique is illustrated.
Abstract: We present a method of embedding information within digital images, called spread spectrum image steganography (SSIS) along with its payload capacity. Steganography is the science of communicating in a hidden manner. SSIS conceals a message of substantial length within digital imagery while maintaining the original image size and dynamic range. The hidden message can be recovered using the appropriate keys without any knowledge of the original image. The capacity of the steganographic channel is described and the performance of the technique is illustrated. Applications for such a data hiding scheme include in-band captioning, hidden communication, image tamperproofing, authentication, invisible map overlays, embedded control, and revision tracking.

Journal ArticleDOI
TL;DR: A new message authentication code (MAC) algorithm is proposed, which improves the popular retail MAC based on the data encryption standard: it has the same complexity, but provides better resistance against key recovery attacks.
Abstract: A new message authentication code (MAC) algorithm is proposed, which improves the popular retail MAC based on the Data Encryption Standard: it has the same complexity, but provides better resistance against key recovery attacks. In addition, a new key recovery attack on the retail MAC is presented, requiring a single known text-MAC pair and 2^56 online MAC verifications.

Patent
04 Jun 1998
TL;DR: A data structure and method for encapsulating a message with verifiable message ID and a verifiable identification of message interpretation information is described in this paper. But the method is not described in detail.
Abstract: A data structure and method are disclosed for encapsulating a message with a verifiable message ID and a verifiable identification of message interpretation information. The encapsulated message (408) includes a message set and a data generated message identifier. The message set includes a message body that contains the content of a message and a data generated interpretation identifier that verifiably identifies (410) an interpretation file that may be used to interpret the message body. The data generated message identifier is a hash function of the message set that includes the message body and the data generated interpretation identifier. The data generated message identifier is determined such that the data generated message identifier verifiably identifies the message set.

Patent
David Dice
14 Apr 1998
TL;DR: In this article, the hash function is used to determine whether a message packet was not tampered with during the transfer and that it originated from the one device, if the receiving device determines that the generated hash value corresponds to the hash value received in the message packet.
Abstract: A communication system includes communication devices which communicate during a communication session. During communication session establishment, the devices exchange a session key in an encrypted manner for privacy. When one device has information to transfer to the other device, the one device will append the session key to the information and apply a hash function thereto to generate a hash value, and generate a message packet for transfer to the other device that includes an information portion containing the information and a hash value portion containing the hash value. When the other device receives the message packet, it will append the session key to the information from the information portion of the packet that it receives, and generate a hash value therefrom. If the receiving device determines that the generated hash value corresponds to the hash value received in the message packet, properties of the hash function that is used to generate the hash values enable it to conclude that the message packet was not tampered with during the transfer and that it originated from the one device. The system avoids the necessity of computation-intensive encryption and decryption for message packet transfer during a communication session.

Book ChapterDOI
31 May 1998
TL;DR: A new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short) is presented, and its application to the problem of combined encryption and authentication of data is shown.
Abstract: We present a new scheme called universal block chaining with sum (or chain & sum primitive (C&S) for short), and show its application to the problem of combined encryption and authentication of data. The primitive is a weak CBC-type encryption along with a summing step, and can be used as a front end to stream ciphers to encrypt pages or blocks of data (e.g., in an encrypted file system or in a video stream). Under standard assumptions, the resulting encryption scheme provably acts as a random permutation on the blocks, and has message integrity features of standard CBC encryption. The primitive also yields a very fast message authentication code (MAC), which is a multivariate polynomial evaluation hash. The multivariate feature and the summing aspect are novel parts of the design. Our tests show that the chain & sum primitive adds approximately 20 percent overhead to the fastest stream ciphers.

Proceedings ArticleDOI
03 May 1998
TL;DR: New attacks against a user workstation's trusted path mechanism called Trojan horse non-persistence are presented, which can cause a user's password to leak bits and be combined with network authentication protocol brute-force attacks against the remainder of the key space.
Abstract: Presents new attacks against a user workstation's trusted path mechanism. These timing attacks can cause a user's password to leak bits. The timing attacks can then be combined with network authentication protocol brute-force attacks against the remainder of the key space to obtain the user's password. We present several countermeasures against this attack. We also define a property of user systems (workstations) called Trojan horse non-persistence. Workstations that fail to have this property are more vulnerable to the timing attack and other Trojan horse attacks.

Book ChapterDOI
18 Oct 1998
TL;DR: This paper introduces the notion of strong protocols which protect each of the parties simultaneously and, in contrast to previous pessimism, it is shown that such protocols exist.
Abstract: The problem of unconditionally secure key agreement, in particular privacy amplification, by communication over an insecure and not even authentic channel, is investigated. The previous definitions of such protocols were weak in the sense that it was only required that after the communication not both parties falsely believe that the key agreement was successful. In such a protocol however it is possible that Eve deceives one of the legitimate partners, i.e., makes him accept the outcome of the protocol although no secret key has been generated. In this paper we introduce the notion of strong protocols which protect each of the parties simultaneously and, in contrast to previous pessimism, it is shown that such protocols exist. For the important special case of privacy amplification, a strong protocol is presented that is based on a new, interactive way of message authentication with an only partially secret key. The use of feedback in such authentication allows to reduce the size of the authenticator, hence of the additional information about the key leaked to the adversary, without increasing the success probability of an active attack. Finally, it is shown that in the scenario where the parties and the adversary have access to repeated realizations of a random experiment, previously derived criteria for the possibility of secret-key agreement against active opponents hold for the new, strong definition of robustness against active attacks rather than for the earlier definition.

Proceedings ArticleDOI
26 Aug 1998
TL;DR: This paper works out the authentication process and shows the advantages compared with related approaches, and presents several approaches with respect to different degrees of autonomy and heterogeneity.
Abstract: The aspect of security needs more consideration in the area of architectures for multidatabase systems. Particularly, the authentication of users which is a main prerequisite for a successful authorization is not considered sufficiently in current architectures. Due to the autonomy and heterogeneity of the component database systems, the problem of authentication in multidatabase systems is more complex than in traditional database systems. In this paper we discuss the foundations and prerequisites for architectures of authentication in multidatabase systems. We present several approaches with respect to different degrees of autonomy and heterogeneity. Especially, we work out the authentication process and show the advantages compared with related approaches.

Journal Article
TL;DR: In this article, the authors introduce the notion of strong protocols which protect each of the parties simultaneously and, in contrast to previous pessimism, it is shown that such protocols exist. For the important special case of privacy amplification, a strong protocol is presented that is based on a new interactive way of message authentication with an only partially secret key.
Abstract: The problem of unconditionally secure key agreement, in particular privacy amplification, by communication over an insecure and not even authentic channel, is investigated. The previous definitions of such protocols were weak in the sense that it was only required that after the communication not both parties falsely believe that the key agreement was successful. In such a protocol however it is possible that Eve deceives one of the legitimate partners, i.e., makes him accept the outcome of the protocol although no secret key has been generated. In this paper we introduce the notion of strong protocols which protect each of the parties simultaneously and, in contrast to previous pessimism, it is shown that such protocols exist. For the important special case of privacy amplification, a strong protocol is presented that is based on a new, interactive way of message authentication with an only partially secret key. The use of feedback in such authentication allows to reduce the size of the authenticator, hence of the additional information about the key leaked to the adversary, without increasing the success probability of an active attack. Finally, it is shown that in the scenario where the parties and the adversary have access to repeated realizations of a random experiment, previously derived criteria for the possibility of secret-key agreement against active opponents hold for the new, strong definition of robustness against active attacks rather than for the earlier definition.

Proceedings ArticleDOI
08 Sep 1998
TL;DR: A security scheme for a medium access control protocol in a new wireless local area network TUTWLAN (Tampere University of Technology WLAN) that provides both privacy of wireless data communications and the authenticity of communicating parties.
Abstract: This paper presents a security scheme for a medium access control protocol in a new wireless local area network TUTWLAN (Tampere University of Technology WLAN). The design objective has been to develop a security scheme that will be scalable for various needs and offer high security for demanding applications. The designed security scheme provides both privacy of wireless data communications and the authenticity of communicating parties. Our authentication scheme allows also the communicating entities to establish a shared secret key for secure communication session. Data security schemes have also been introduced. There are three optional data security modes that offer flexible ciphering and data security level.

Journal ArticleDOI
TL;DR: The authors outline an attack on the Helsinki protocol for entity authentication and authenticated key exchange which was proposed for standardisation within the ISO/IEC CD 11770-3 standard draft in 1995.
Abstract: The authors outline an attack on the Helsinki protocol for entity authentication and authenticated key exchange which was proposed for standardisation within the ISO/IEC CD 11770-3 standard draft in 1995.

Proceedings ArticleDOI
07 Dec 1998
TL;DR: A new model that permits both the identity of the sender of a message, and the trustworthiness of the recipient of the message to be determined and can be implemented without changing the format of certificates that are currently in use.
Abstract: The PEM and PGP/X.509 authentication models and the Biba Integrity Model have limitations inherent in their design that diminish their practicality in real world applications. The ICE-TEL trust model addresses some of these difficulties, and introduces a few new limitations. The Common Security Services Manager's Trust Policy Interface Specification provides the guidelines with which new trust policies may be encoded, but does not implement an actual policy. This paper describes a new model that permits both the identity of the sender of a message, and the trustworthiness of the sender of the message to be determined. The model works regardless of whether or not the message was signed by a certificate authority with which the recipient has a relationship. The model can be implemented without changing the format of certificates that are currently in use, and could be used as a module in a broader security framework, such as the Common Security Services Manager.

Journal ArticleDOI
TL;DR: A new signature scheme with message recovery is proposed, based on the discrete logarithm problem; it has the same efficiency as the HMP scheme and its modified variants, but is simpler.
Abstract: A new signature scheme with message recovery is proposed. The new scheme is based on the discrete logarithm problem and has the same efficiency as the HMP scheme and its modified variants, but is simpler.

Patent
22 Jul 1998
TL;DR: In this paper, a document or message is protected against forgery or repudiation by processing a selected part or parts of the text of the document and adding it to a hash.
Abstract: A document or message is protected against forgery or repudiation by processing a selected part or parts of the text of the document or message to form a hash, usually of fewer characters than the selected part or parts of the text. The processing comprises retrieving numerical values which define the respective characters of the selected part or parts of the text and making a calculation using the numerical values of the successive characters. Preferably the hash is added to the text.

Journal Article
TL;DR: In this article, a survey of attacks on MACs is presented, including generic forgery and key recovery attacks on CBC-MAC and its variants, the MAC algorithms derived from cryptographic hash functions, and the ISO banking standard Message Authenticator Algorithm also known as MAA.
Abstract: This paper gives a survey of attacks on Message Authentication Codes (MACs). First it defines the required security properties. Next it describes generic forgery and key recovery attacks on MACs. Subsequently an overview is presented of most MAC constructions and of attacks on these algorithms. The MACs described include CBC-MAC and its variants, the MAC algorithms derived from cryptographic hash functions, and the ISO banking standard Message Authenticator Algorithm, also known as MAA.

Book ChapterDOI
05 Feb 1998
TL;DR: A new hash function based on the advantages of SHA-1, RIPEMD-160, and HAVAL is proposed; it retains the maximum security of the three and is more efficient in performance.
Abstract: Several fast software hash functions have been proposed since the hash function MD4 was introduced by R. Rivest in 1990. At the moment, SHA-1, RIPEMD-160, and HAVAL are known as secure dedicated hash functions in the MDx family of hash functions. In this paper, we propose a new hash function based on the advantages of these three hash functions, which retains the maximum security of the three and is more efficient in performance. The proposed hash function processes an arbitrary finite message in 512-bit blocks and outputs a 160-bit digest. The key feature of the proposed hash function is data-dependent rotation. This feature guarantees strength against existing known attacks. Moreover, we propose a new keyed MAC (Message Authentication Code) constructed using the proposed hash function. The proposed MAC uses a key of at most 160 bits and has a bit length less than or equal to that of the hash result. From the viewpoint of performance, the proposed MAC is only about 10% slower than the underlying hash function.

Proceedings ArticleDOI
07 Dec 1998
TL;DR: The design of the Mutual Authentication, Confidentiality, and Key MANagement (MACKMAN) system is presented to provide a more secure registration and authentication service for mobile computing and wireless communication.
Abstract: In any distributed networked environment, security systems for network access and communication are necessary to allow legitimate hosts on the network to access the network services while denying non-registered hosts. Ideally, such systems should ensure both confidentiality and integrity of messages exchanged over the network. We discuss the deficiencies with the registration and authentication services provided by Global System for Mobile Communication (GSM), Cellular Digital Packet Data (CDPD), and IS-41. Next, we present the design of the Mutual Authentication, Confidentiality, and Key MANagement (MACKMAN) system to provide a more secure registration and authentication service for mobile computing and wireless communication. The capabilities provided by MACKMAN include registration of legitimate hosts with the network, mutual authentication, and data confidentiality and integrity in a mobile and wireless environment. Data confidentiality and integrity are provided by using the public key Elliptic Curve RSA (ECRSA) cryptosystem in conjunction with a hierarchy of certification authorities for key distribution and management.