Showing papers on "Message authentication code published in 2000"


Proceedings ArticleDOI
14 May 2000
TL;DR: This work proposes two efficient schemes, TESLA and EMSS, for secure lossy multicast streams, and offers sender authentication, strong loss robustness, high scalability and minimal overhead at the cost of loose initial time synchronization and slightly delayed authentication.
Abstract: Multicast stream authentication and signing is an important and challenging problem. Applications include the continuous authentication of radio and TV Internet broadcasts, and authenticated data distribution by satellite. The main challenges are fourfold. First, authenticity must be guaranteed even when only the sender of the data is trusted. Second, the scheme needs to scale to potentially millions of receivers. Third, streamed media distribution can have high packet loss. Finally the system needs to be efficient to support fast packet rates. We propose two efficient schemes, TESLA and EMSS, for secure lossy multicast streams. TESLA (Timed Efficient Stream Loss-tolerant Authentication), offers sender authentication, strong loss robustness, high scalability and minimal overhead at the cost of loose initial time synchronization and slightly delayed authentication. EMSS (Efficient Multi-chained Stream Signature), provides nonrepudiation of origin, high loss resistance, and low overhead, at the cost of slightly delayed verification.

1,082 citations


Journal ArticleDOI
TL;DR: This work proposes a new remote user authentication scheme using smart cards, based on ElGamal's (1985) public key cryptosystem, that can withstand message replay attacks.
Abstract: We propose a new remote user authentication scheme using smart cards. The scheme is based on ElGamal's (1985) public key cryptosystem. Our scheme does not require the system to maintain a password table for verifying the legitimacy of login users. In addition, our scheme can withstand message replay attacks.

863 citations


Proceedings ArticleDOI
10 Sep 2000
TL;DR: A novel image indexing technique that may be called an image hash function, which uses randomized signal processing strategies for a non-reversible compression of images into random binary strings, and is shown to be robust against image changes due to compression, geometric distortions, and other attacks.
Abstract: The proliferation of digital images creates problems for managing large image databases, indexing individual images, and protecting intellectual property. This paper introduces a novel image indexing technique that may be called an image hash function. The algorithm uses randomized signal processing strategies for a non-reversible compression of images into random binary strings, and is shown to be robust against image changes due to compression, geometric distortions, and other attacks. This algorithm brings to images a direct analog of message authentication codes (MACs) from cryptography, in which a main goal is to make hash values on a set of distinct inputs pairwise independent. This minimizes the probability that two hash values collide, even when inputs are generated by an adversary.

585 citations


Journal ArticleDOI
TL;DR: This paper proposes an efficient and practical remote user authentication scheme using smart cards that provides the same advantages as Hwang and Li's scheme but significantly reduces the communication and computation costs.
Abstract: Based on the discrete logarithm problem, Hwang and Li (see ibid., vol.46, no.1, p.28-30, Feb. 2000) proposed a remote user authentication scheme using smart cards. Their scheme is novel because no password table needs to be kept in the system. In this paper, we further propose an efficient and practical remote user authentication scheme using smart cards. The proposed scheme not only provides the same advantages as Hwang and Li's scheme, but also significantly reduces the communication and computation costs.

397 citations


Journal ArticleDOI
TL;DR: This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation, and integrity.
Abstract: Many modern computing environments involve dynamic peer groups. Distributed simulation, multiuser games, conferencing applications, and replicated servers are just a few examples. Given the openness of today's networks, communication among peers (group members) must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation, and integrity. It begins by considering two-party authenticated key agreement and extends the results to group Diffie-Hellman (1976) key agreement. In the process, some new security properties (unique to groups) are encountered and discussed.

325 citations


Journal ArticleDOI
TL;DR: The Grid Security Infrastructure (GSI) offers secure single sign-ons and preserves site control over access policies and local security, and provides its own versions of common applications, such as FTP and remote login, and a programming interface for creating secure applications.
Abstract: Participants in virtual organizations commonly need to share resources such as data archives, computer cycles, and networks, resources usually available only with restrictions based on the requested resource's nature and the user's identity. Thus, any sharing mechanism must have the ability to authenticate the user's identity and determine whether the user is authorized to request the resource. Virtual organizations tend to be fluid, however, so authentication mechanisms must be flexible and lightweight, allowing administrators to quickly establish and change resource-sharing arrangements. Nevertheless, because virtual organizations complement rather than replace existing institutions, sharing mechanisms cannot change local policies and must allow individual institutions to maintain control over their own resources. Our group has created and deployed an authentication and authorization infrastructure that meets these requirements: the Grid Security Infrastructure (I. Foster et al., 1998). GSI offers secure single sign-ons and preserves site control over access policies and local security. It provides its own versions of common applications, such as FTP and remote login, and a programming interface for creating secure applications. Dozens of supercomputers and storage systems already use GSI, a level of acceptance reached by few other security infrastructures.

307 citations


Book ChapterDOI
03 Dec 2000
TL;DR: This work investigates the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K.
Abstract: We investigate the following approach to symmetric encryption: first encode the message via some keyless transform, and then encipher the encoded message, meaning apply a permutation FK based on a shared key K. We provide conditions on the encoding functions and the cipher which ensure that the resulting encryption scheme meets strong privacy (eg. semantic security) and/or authenticity goals. The encoding can either be implemented in a simple way (eg. prepend a counter and append a checksum) or viewed as modeling existing redundancy or entropy already present in the messages, whereby encode-then-encipher encryption provides a way to exploit structured message spaces to achieve compact ciphertexts.

219 citations


Patent
30 Jun 2000
TL;DR: In this article, a secure disk drive is disclosed comprising a disk for storing data, and an input for receiving an encrypted message from a client disk drive, the encrypted message comprising ciphertext data and a client drive ID identifying the client disk drive.
Abstract: A secure disk drive is disclosed comprising a disk for storing data, and an input for receiving an encrypted message from a client disk drive, the encrypted message comprising ciphertext data and a client drive ID identifying the client disk drive. The secure disk drive comprises a secure drive key and an internal drive ID. A key generator within the secure disk drive generates a client drive key based on the client drive ID and the secure drive key, and an internal drive key based on the internal drive ID and the secure drive key. The secure disk drive further comprises an authenticator for verifying the authenticity of the encrypted message and generating an enable signal, the authenticator is responsive to the encrypted message and the client drive key. The secure disk drive further comprises a data processor comprising a message input for receiving the encrypted message from the client disk drive, and a data output for outputting the ciphertext data to be written to the disk. The data processor further comprises an enable input for receiving the enable signal for enabling the data processor, and a key input for receiving the internal drive key, the internal drive key for use in generating a message authentication code. The data processor outputs reply data comprising the message authentication code. The secure disk drive outputs a reply to the client disk drive, the reply comprising the reply data and the internal drive ID.

207 citations


Journal ArticleDOI
TL;DR: A cryptanalysis of a remote user authentication scheme proposed by Hwang and Li is presented and it is shown that Hwang-Li's scheme is breakable.
Abstract: We present a cryptanalysis of a remote user authentication scheme proposed by Hwang and Li (see ibid., vol.46, no.1, p.28-31, 2000). We show that Hwang-Li's scheme is breakable. A legitimate user can impersonate other legal users and pass the system authentication.

206 citations


Journal ArticleDOI
TL;DR: By interpreting message authentication as a hypothesis testing problem, this paper provides a generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication.
Abstract: By interpreting message authentication as a hypothesis testing problem, this paper provides a generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication. We consider the authentication of an arbitrary sequence of messages, using the same secret key shared between sender and receiver. The adversary tries to deceive the receiver by forging one of the messages in the sequence. The classical two types of cheating are considered, impersonation and substitution attacks, and lower bounds on the cheating probability for any authentication system are derived for three types of goals the adversary might wish to achieve. These goals are: (1) that the fraudulent message should be accepted by the receiver, or, in addition, (2) that the adversary wishes to know or (3) wants to even choose the value of the plaintext message obtained by the legitimate receiver after decoding with the secret key.

197 citations


Proceedings ArticleDOI
10 Sep 2000
TL;DR: A new fragile watermark for image authentication is proposed based on the Yeung-Mintzer scheme, which uses a block cipher instead of binary look-up tables to embed image indices into disjoint blocks of every image.
Abstract: We propose a new fragile watermark for image authentication. Based on the Yeung-Mintzer (see Proc. ICIP'97, Santa Barbara, California, 1997) scheme, the new watermark does not have certain security gaps common to many previously proposed fragile watermarks. A block cipher is used instead of binary look-up tables. Pixel values are perturbed by small quantities so that the cipher maps small pixel neighborhoods to a fixed binary logo. This process is further modified in order to embed image indices (time stamps) into disjoint blocks of every image. This is necessary for detection of collages from multiple authenticated images. We also formulate basic security requirements and investigate the security of the new scheme.

Journal ArticleDOI
TL;DR: In this paper, the authors study CBC authentication for real-time applications in which the length of the message is not known until the message ends and, since the application is real-time, it is not possible to start processing the authentication until after the message ends.
Abstract: The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice. It is well known that the use of the CBC MAC for variable length messages is not secure, and a few rules of thumb for the correct use of the CBC MAC are known by folklore. The first rigorous proof of the security of CBC MAC, when used on fixed length messages, was given only recently by Bellare et al.[3]. They also suggested variants of CBC MAC that handle variable-length messages but in these variants the length of the message has to be known in advance (i.e., before the message is processed). We study CBC authentication of real-time applications in which the length of the message is not known until the message ends, and furthermore, since the application is real-time, it is not possible to start processing the authentication until after the message ends. We first consider a variant of CBC MAC, that we call the encrypted CBC MAC (EMAC), which handles messages of variable unknown lengths. Computing EMAC on a message is virtually as simple and as efficient as computing the standard CBC MAC on the message. We provide a rigorous proof that its security is implied by the security of the underlying block cipher. Next, we argue that the basic CBC MAC is secure when applied to a prefix-free message space. A message space can be made prefix-free by also authenticating the (usually hidden) last character which marks the end of the message.

Book ChapterDOI
03 Dec 2000
TL;DR: It is shown that re-keying does indeed "increase" security, effectively extending the lifetime of the master key and bringing significant, provable security gains in practical situations.
Abstract: Rather than use a shared key directly to cryptographically process (e.g. encrypt or authenticate) data one can use it as a master key to derive subkeys, and use the subkeys for the actual cryptographic processing. This popular paradigm is called re-keying, and the expectation is that it is good for security. In this paper we provide concrete security analyses of various re-keying mechanisms and their usage. We show that re-keying does indeed "increase" security, effectively extending the lifetime of the master key and bringing significant, provable security gains in practical situations. We quantify the security provided by different rekeying processes as a function of the security of the primitives they use, thereby enabling a user to choose between different re-keying processes given the constraints of some application.

Proceedings ArticleDOI
08 Oct 2000
TL;DR: The paper presents a suite of techniques for password authentication using neural networks, fuzzy logic, statistical methods, and several hybrid combinations of these approaches to identify a user.
Abstract: Legitimate user authentication is an important part of the problems related to computer and system security. The maintenance of security becomes even more difficult when an invalid user gets the system access information. The paper presents a suite of techniques for password authentication using neural networks, fuzzy logic, statistical methods, and several hybrid combinations of these approaches. The approaches presented in the paper use typing biometrics of a user, in addition to conventional login information, to identify a user.

Proceedings ArticleDOI
23 Sep 2000
TL;DR: This work presents an end-to-end data authentication scheme that relies on mutual trust between nodes that uses TCP at the transport layer and a hierarchical architecture at the IP layer so that the number of encryptions needed is minimized, thereby reducing the computational overheads.
Abstract: Ad hoc networks are a new generation of networks offering unrestricted mobility without any underlying infrastructure. In these kinds of networks, all the nodes share the responsibility of network formation and management. As their principle application is in catastrophic environments, security is critical. Authentication, integrity and encryption are key issues pertaining to network security. Traditional authentication schemes cannot be effectively used in such decentralized networks. We present an end-to-end data authentication scheme that relies on mutual trust between nodes. The basic strategy is to take advantage of the hierarchical architecture that is implemented for routing purposes. We have proposed an authentication scheme that uses TCP at the transport layer and a hierarchical architecture at the IP layer so that the number of encryptions needed is minimized, thereby reducing the computational overheads. This also results in substantial savings as each node has to maintain keys for fewer nodes.

Book ChapterDOI
09 Jul 2000
TL;DR: Many security properties of cryptographic protocols can all be seen as specific instances of a general property, called Non Deducibility on Composition (NDC), that was proposed a few years ago for studying information flow properties in computer systems.
Abstract: Many security properties of cryptographic protocols can all be seen as specific instances of a general property, which we called Non Deducibility on Composition (NDC) and proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is that formal comparison among these properties is now easier, and that the full generality of NDC has helped us find a few new attacks on cryptographic protocols.

Proceedings ArticleDOI
03 Jul 2000
TL;DR: The new results in developing and extending Automatic Protocol Generation (APG), an approach to automatically generate security protocols, explore two-party mutual authentication and key agreement protocols, with a trusted third party which shares a symmetric key with each of the two principals.
Abstract: We describe our new results in developing and extending Automatic Protocol Generation (APG), an approach to automatically generate security protocols. We explore two-party mutual authentication and key agreement protocols, with a trusted third party (TTP) which shares a symmetric key with each of the two principals. During the process, we experienced the challenge of a gigantic protocol space. Facing this challenge, we develop more powerful reduction techniques for the protocol generator. We also develop new pruning theorems and probabilistic methods of picking goal orderings for the protocol screener, Athena, which greatly improve the efficiency and worst-case performance of Athena. In our first experiment, APG found new protocols for two-party mutual authentication with a TTP using symmetric keys. In our second experiment, APG also found new protocols for three different sets of security properties for two-party authentication and key agreement. Our new list of security properties for key agreement also uncovered an undocumented deficiency in the Yahalom protocol.

Proceedings Article
14 May 2000
TL;DR: This work introduces authentication tests and illustrates their power giving new and straightforward proofs of security goals for several protocols, and expresses the ideas in the strand space formalism and proves them correct elsewhere.
Abstract: Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, which it later receives back in cryptographically altered form. It can conclude that some principal possessing the relevant key has transformed the message containing v. In some circumstances, this must be a regular participant of the protocol, not the penetrator. An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that certain values remain secret. Together they determine what authentication properties are achieved by a wide range of cryptographic protocols. We introduce authentication tests and illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally we suggest a protocol design process. We express these ideas in the strand space formalism and prove them correct elsewhere (Guttman and Thayer Fabrega, 2000).

Proceedings ArticleDOI
10 Sep 2000
TL;DR: The proposed watermarking algorithm can identify cut start and duration down to single frame precision and embeds a watermark with a strong timing content that can be traced back to the parameters of the editing operation.
Abstract: We report on the development of a watermarking algorithm designed for video authentication and tamper detection. The objectives are to determine unauthorized cut-and-splice or cut-insert-splice operation and quantify the extent of such editing. We demonstrate that the proposed algorithm can identify cut start and duration down to single frame precision. The approach embeds a watermark with a strong timing content, violation of which can be traced back to the parameters of the editing operation.

Patent
31 Aug 2000
TL;DR: A message gate as mentioned in this paper is the message endpoint for a client or service in a distributed computing environment, which can provide a secure endpoint that sends and receives type-safe messages between clients and services using a protocol specified in a service advertisement.
Abstract: Embodiments of a system and method using message authentication with message gates are described. A message gate is the message endpoint for a client or service in a distributed computing environment. A message gate may provide a secure endpoint that sends and receives type-safe messages. Gates may perform the sending and receiving of messages between clients and services using a protocol specified in a service advertisement. In one embodiment, the messages are eXtensible Markup Language (XML) messages. For a client, a message gate represents the authority to use some or all of a service's capabilities. Each capability may be expressed in terms of a message that may be sent to the service. Creation of a message gate may involve an authentication service that may authenticate the client and/or service and that generates an authentication credential. A message gate may perform verification of messages against a message schema to ensure that the messages are allowed. Message gates may embed the authentication credential in outgoing messages so that the receiving message gate may authenticate the message. Messages may also include information to allow the receiving gate to verify that the message has not been compromised prior to receipt.

Book ChapterDOI
20 Aug 2000
TL;DR: A new model is put forward for understanding the security of symmetric-key primitives, such as block ciphers, that captures the fact that many such primitives consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs.
Abstract: We put forward a new model for understanding the security of symmetric-key primitives, such as block ciphers. The model captures the fact that many such primitives often consist of iterating simpler constructs for a number of rounds, and may provide insight into the security of such designs. We completely characterize the security of four-round Luby-Rackoff ciphers in our model, and show that the ciphers remain secure even if the adversary is given black-box access to the middle two round functions. A similar result can be obtained for message authentication codes based on universal hash functions.

Proceedings ArticleDOI
27 Mar 2000
TL;DR: This paper summarizes the main watermarking parameters and introduces a media independent classification scheme, which is based on the application areas, and addresses the need for combining digital video and audio water marking for media authentication.
Abstract: Watermarking has become a major topic to solve authentication problems and copyright protection as major security demands in digital marketplaces. A wide variety of watermarking techniques have been proposed in the literature. Most techniques have been developed for still images; currently the research community is also enforcing approaches for other multimedia data like video, audio and 3D models. In our paper we summarize the main watermarking parameters and introduce a media independent classification scheme. Our classification scheme is based on the application areas. We show the important parameters and possible attacks. Based on our proposed classification the quality of the watermarking techniques can be evaluated. Furthermore we address the need for combining digital video and audio watermarking for media authentication.

Patent
21 Jul 2000
TL;DR: In this paper, a high-speed, low-strength authentication mechanism is proposed based on a partial message authentication code, which is applied only to some portion of the message, and significant time can be saved while maintaining acceptable security.
Abstract: A high-speed, low-strength authentication mechanism is disclosed. This mechanism is based on a partial message authentication code, wherein a message authentication code is applied only to some portion of the message. By applying an authentication algorithm only to selected parts of the message, significant time can be saved while maintaining acceptable security.

Journal ArticleDOI
TL;DR: The need for efficient multisignature schemes in delegated mobile services is motivated, and a new digital signature scheme with message recovery is given, on which two multisignature schemes are built: the parallel multisignature scheme and the serial multisignature scheme.
Abstract: In this paper, we motivate the need for efficient multisignature schemes in delegated mobile services. With the schemes, delegates can be identified and delegated accesses can be controlled. First, we give a new digital signature scheme with message recovery. Based on the digital signature scheme, two digital multisignature schemes are proposed: the parallel multisignature scheme and the serial multisignature scheme. The parallel multisignature scheme allows each user to sign the same message separately and independently, and then combines all individual signatures into a multisignature. The serial multisignature scheme allows a group of users to sign the message serially, and does not need to predetermine the signing order. Both multisignature schemes can withstand the attacks that aim to forge the signatures or to get the private keys of the signers.

Patent
23 Feb 2000
TL;DR: In this article, the authors proposed a system that performs content screening on a message that is protected by end-to-end encryption, where the destination forwards the message to a content screener in a secure manner, and allows the content screener to determine whether the message satisfies a screening criterion.
Abstract: One embodiment of the present invention provides a system that performs content screening on a message that is protected by end-to-end encryption. The system operates by receiving an encrypted message and an encrypted message key at a destination from a source; the encrypted message having been formed by encrypting the message with a message key; the encrypted message key having been formed by encrypting the message key. The destination forwards the message to a content screener in a secure manner, and allows the content screener to screen the message to determine whether the message satisfies a screening criterion. If the message satisfies the screening criterion, the destination receives a communication from the content screener that enables the destination to process the message. In one embodiment of the present invention, the system decrypts the encrypted message key at the destination to restore the message key, and forwards the message key along with the encrypted message to the content screener. This enables the content screener to decrypt the encrypted message using the message key. In one embodiment of the present invention, the system decrypts the encrypted message key at the destination to restore the message key, and then decrypts the encrypted message with the message key to restore the message before sending the message to the content screener.

Proceedings ArticleDOI
01 Jan 2000
TL;DR: An efficient authentication protocol is presented and its implementation in an audio conferencing application is discussed, which addresses the challenges faced in broadcast and multicast communications.
Abstract: Broadcast and multicast communications present new problems with respect to security. In particular, authenticating individual senders efficiently requires solutions different from those used in the unicast setting. The paper presents an efficient authentication protocol and discusses its implementation in an audio conferencing application.

Book ChapterDOI
10 Jul 2000
TL;DR: All schemes that satisfy order verifiability designate the order of signers beforehand, so protocols based on RSA-based multisignature have the feature of order verifiability but not order flexibility.
Abstract: A multisignature scheme allows multiple users to generate a signature on a message, and allows that signature to be verified. Various studies on multisignature have been proposed ([4,13,11,8,1]). They are classified into two types: RSA([9])-based multisignature([4, 8]), and discrete logarithm problem (DLP) based multisignature([13,11,1]), all of which assume that a message is fixed beforehand. In this sense, these protocols do not have the feature of message flexibility. Furthermore, all schemes that satisfy order verifiability designate the order of signers beforehand [13,1]. Therefore these protocols have the feature of order verifiability but not order flexibility.

01 Jan 2000
TL;DR: This thesis explores a topic within cryptography called Message Authentication Codes (MACs), and examines several known MACs using an approach first employed by Wegman and Carter, which often leads to simpler proofs of security for established algorithms.
Abstract: In this thesis, we explore a topic within cryptography called Message Authentication Codes (MACs). A MAC is a collection of algorithms which allows A to send a message to B in such a way that B can be certain (with very high probability) that A did in fact originate the message. Let's say A wants to send a message (string) M to B using a MAC. First A will run the “tag generation” algorithm on M to produce a string called the “tag.” Then A sends M along with the tag to B and B runs the “verification” algorithm to determine whether A was truly the author of M. The dominant method we use for creating MACs follows an approach first employed by Wegman and Carter [30]. For tag generation we first use a member randomly chosen from a set of hash functions called a “Universal Hash Function Family” to compress M into a smaller string, then we apply some cryptographic primitive to this smaller string to produce the tag. The verification algorithm repeats these steps on M and ensures that the tag generated matches the tag sent. We examine several known MACs using this paradigm, even when those MACs were not originally designed in this way. This approach often leads to simpler proofs of security for established algorithms. We then relate several new algorithms in the same spirit. The first set of algorithms extends the well-known CBC MAC to accept messages of varying lengths and still retain a high degree of proven security. And in the final chapter we look at a new Universal Hash Function Family called NH which leads to a MAC faster than any currently known.

Book ChapterDOI
14 Aug 2000
TL;DR: This work presents a protocol for the exchange of individually authenticated data streams among N parties that is fast, because it only requires the computation of hash functions; it does not need digital signatures, which are substantially less efficient.
Abstract: We present a protocol for the exchange of individually authenticated data streams among N parties. Our authentication procedure is fast, because it only requires the computation of hash functions; we do not need digital signatures, which are substantially less efficient. The authentication information is also short: two hash values for every block of data. Since there are no shared secrets, this information does not grow with N, the number of parties.

Patent
29 Nov 2000
TL;DR: The Message Digest Hardware Accelerator (MDHA) as discussed by the authors is a hardware accelerator for implementing multiple cryptographic hash algorithms such as the Secure Hashing Algorithm 1 (SHA-1), Message Digest 4 (MD4) algorithm and the Message Digest 5 (MD5) algorithm.
Abstract: A Message Digest Hardware Accelerator (MDHA) 10 for implementing multiple cryptographic hash algorithms such as the Secure Hashing Algorithm 1 (SHA-1), the Message Digest 4 (MD4) algorithm and the Message Digest 5 (MD5) algorithm. A register file (12) is initialized to different data values. A function circuit (22) performs logical operations based on the selected algorithm and provides a data value to a summing circuit (30) that is summed with mode dependent constant values selected from registers (34 and 36), round and step dependent data words generated by a register array block (32) to calculate the hash value for a text message stored in registers (100–115).