Steven M. Bellovin, Michael Merritt,
Augmented Encrypted Key Exchange: a Password-Based Protocol
Secure Against Dictionary Attacks and Password File
Compromise
Abstract: The encrypted key exchange (EKE) protocol is
augmented so that hosts do not store cleartext passwords.
Consequently, adversaries who obtain the one-way encrypted
password file may (i) successfully mimic (spoof) the host to the
user, and (ii) mount dictionary attacks against the encrypted
passwords, but cannot mimic the user to the host. Moreover, the
important security properties of EKE are preserved: an active
network attacker obtains insufficient information to mount
dictionary attacks. Two ways to accomplish this are shown, one
using digital signatures and one that relies on a family of
commutative one-way functions.
Ernest F. Brickell, Dorothy E. Denning, Stephen T. Kent, David P. Maher, Walter Tuchman,
SKIPJACK Review - Interim Report - The SKIPJACK
Algorithm
Abstract: The objective of the SKIPJACK review was to
provide a mechanism whereby persons outside the government could
evaluate the strength of the classified encryption algorithm used
in the escrowed encryption devices and publicly report their
findings. Because SKIPJACK is but one component of a large,
complex system, and because the security of communications
encrypted with SKIPJACK depends on the security of the system as
a whole, the review was extended to encompass other components of
the system. The purpose of this Interim Report is to report on
our evaluation of the SKIPJACK algorithm. A later Final Report
will address the broader system issues.
Dorothy E. Denning,
Crime and Crypto on the Information Superhighway
Keywords: cryptography, crime, national information
infrastructure, encryption
Abstract: Although the information superhighway offers
many benefits to individuals and to society, it also can be
exploited to further crimes such as theft and sabotage of data,
embezzlement, fraud, child pornography, and defamation. Thus, a
challenge in designing and using the information superhighway is
to maximize its benefits while minimizing the harm associated
with criminal activity. Three types of mechanisms that help meet
this challenge are information security tools, ethics, and
laws.
Matt Blaze,
A Cryptographic File System for Unix
Abstract: Although cryptographic techniques are playing an
increasingly important role in modern computing system security,
user-level tools for encrypting file data are cumbersome and
suffer from a number of inherent vulnerabilities. The
Cryptographic File System (CFS) pushes encryption services into
the file system itself. CFS supports secure storage at the system
level through a standard Unix file system interface to encrypted
files. Users associate a cryptographic key with the directories
they wish to protect. Files in these directories (as well as
their pathname components) are transparently encrypted and
decrypted with the specified key without further user
intervention; cleartext is never stored on a disk or sent to a
remote file server. CFS can use any available file system for its
underlying storage without modification, including remote file
servers such as NFS. System management functions, such as file
backup, work in a normal manner and without knowledge of the key.
This paper describes the design and implementation of CFS under
Unix. Encryption techniques for file system-level encryption are
described, and general issues of cryptographic system interfaces
to support routine secure computing are discussed.
Bert-Jaap Koops,
Crypto Law Survey
Abstract: This survey of cryptography laws is based on
several reports and on replies to a posting on Internet
discussion lists. Only for France, The Netherlands, and Russia
have I consulted original texts of relevant regulations; for the
other countries, the reports listed below served as the only
source. These findings, therefore, do not pretend to be
exhaustive or fully reliable. I thank all who have provided me
with information for this survey. Please send comments,
corrections, updates, additional information, and questions to
E.J.Koops@kub.nl
Matt Blaze, Joan Feigenbaum, Jack Lacy,
Decentralized Trust Management
Abstract: We identify the trust management problem as a
distinct and important component of security in network services.
Aspects of the trust management problem include formulating
security policies and security credentials, determining whether
particular sets of credentials satisfy the relevant policies and
deferring trust to third parties. Existing systems that support
security in networked applications, including X.509 and PGP, address
only narrow subsets of the overall trust management problem and
often do so in a manner that is appropriate to only one
application. This paper presents a comprehensive approach to
trust management based on a simple language for specifying
trusted actions and trust relationships. It also describes a
prototype implementation of a new trust management system called
PolicyMaker, that will facilitate the development of security
features in a wide range of network services.
Matt Blaze,
Protocol Failure in the Escrowed Encryption
Standard
Abstract: The Escrowed Encryption Standard (EES) denotes a
US Government family of cryptographic processors, popularly known
as "Clipper" chips, intended to protect unclassified government and
private-sector communications and data. A basic feature of key
setup between pairs of EES processors involves the exchange of a
Law Enforcement Access Field (LEAF) that contains an
encrypted copy of the current session key. The LEAF is intended
to facilitate government access to the cleartext of data
encrypted under the system. Several aspects of the design of the
EES, which employs a classified cipher algorithm and
tamper-resistant hardware, attempt to make it infeasible to deploy
the system without transmitting the LEAF. We evaluated the
publicly released aspects of the EES protocols as well as a
prototype version of a PCMCIA-based EES device. This paper outlines
various techniques that enable cryptographic communication among
EES processors without transmission of the valid LEAF. We identify
two classes of techniques. The simplest allow communication only
between pairs of rogue parties. The second interoperate with
legal EES users. We conclude with techniques that could make the
older EES architecture more robust against these failures.
EFF,
EFF Files on Cryptography
Abstract: Cryptography issues and files from the
EFF.
Steven M. Bellovin, Michael Merritt,
Encrypted Key Exchange: Password-Based Protocols Secure Against
Dictionary Attacks
Abstract: Classic cryptographic protocols based on user-chosen
keys allow an attacker to mount password-guessing attacks. We
introduce a novel combination of asymmetric (public-key) and
symmetric (secret-key) cryptography that allows two parties
sharing a common password to exchange confidential and
authenticated information over an insecure network. These
protocols are secure against active attacks, and have the
property that the password is protected against off-line
"dictionary" attacks. There are a number of other useful
applications as well, including secure public telephones.
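The exchange described above, as an added illustration (this is not code from the paper or its authors): a DH-EKE run written here in Python with the standard library only. The toy 40-bit safe-prime group, the additive password mask E_P(x) = x + H(P) mod p, and the HMAC-keystream E_K used for the challenges are assumptions of this example, chosen so that every candidate password decrypts to an in-range group element; a real deployment would use a group of at least 2048 bits and a proper cipher.

```python
"""DH-EKE illustration.  Added example, not code from Bellovin and Merritt:
the group, the password 'encryption' (additive masking modulo p) and the
challenge encryption (an HMAC keystream) are assumptions made here so the
exchange runs offline with only the standard library."""
import hashlib
import hmac
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; these bases are deterministic far beyond the sizes used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits):
    """Smallest safe prime p = 2q + 1 above 2**bits, and a generator g of the
    whole multiplicative group.  A full-group generator matters for EKE: every
    non-zero residue is then some g^x, so a wrong password never 'decrypts' to
    an impossible value (a subgroup generator would leak a bit per guess)."""
    p = (1 << bits) | 3                      # safe primes above 5 are 3 mod 4
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 4
    q = (p - 1) // 2
    g = 2
    while pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        g += 1
    return p, g

def pw_mask(password, direction, p):
    """Password 'encryption' E_P(x) = x + mask mod p (assumed construction): the
    pad is a hash of the password, so EVERY candidate yields an in-range value."""
    h = hashlib.sha256(b"eke-mask|" + direction + b"|" + password).digest()
    return int.from_bytes(h, "big") % p

def session_key(shared, p):
    return hashlib.sha256(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

def enc_k(key, label, data):
    """Toy E_K: XOR with one HMAC-SHA512 keystream block per message label;
    decryption is the same call.  No integrity, which is enough for challenges."""
    stream = hmac.new(key, label, hashlib.sha512).digest()
    assert len(data) <= len(stream)
    return bytes(a ^ b for a, b in zip(data, stream))

def eke_exchange(p, g, password_a, password_b):
    """Run the four-message DH-EKE between A and B.  Returns the public
    transcript, both derived keys and whether the challenge round succeeded."""
    # 1. A -> B : E_P(g^a)
    a = secrets.randbelow(p - 2) + 1
    m1 = (pow(g, a, p) + pw_mask(password_a, b"A", p)) % p
    # 2. B -> A : E_P(g^b), E_K(challenge_B)
    ya = (m1 - pw_mask(password_b, b"A", p)) % p
    b = secrets.randbelow(p - 2) + 1
    k_b = session_key(pow(ya, b, p), p)
    chal_b = secrets.token_bytes(32)
    m2 = ((pow(g, b, p) + pw_mask(password_b, b"B", p)) % p,
          enc_k(k_b, b"msg2", chal_b))
    # 3. A -> B : E_K(challenge_A, challenge_B)
    yb = (m2[0] - pw_mask(password_a, b"B", p)) % p
    k_a = session_key(pow(yb, a, p), p)
    chal_a = secrets.token_bytes(32)
    m3 = enc_k(k_a, b"msg3", chal_a + enc_k(k_a, b"msg2", m2[1]))
    # 4. B -> A : E_K(challenge_A), only if B's own challenge came back intact
    opened = enc_k(k_b, b"msg3", m3)
    if opened[32:] != chal_b:
        return {"ok": False, "transcript": (m1, m2[0])}
    m4 = enc_k(k_b, b"msg4", opened[:32])
    return {"ok": enc_k(k_a, b"msg4", m4) == chal_a,
            "transcript": (m1, m2[0]), "key_a": k_a, "key_b": k_b}

def offline_guessing_is_inconclusive(transcript, p, candidates):
    """The eavesdropper's view.  Decrypting m1 under each candidate password
    yields an element of Z_p*; since g generates all of Z_p*, each one is a
    valid g^a and no candidate can be rejected (only a decryption to 0 could)."""
    m1, _ = transcript
    survivors = [pw for pw in candidates if (m1 - pw_mask(pw, b"A", p)) % p != 0]
    return len(survivors) == len(candidates)

if __name__ == "__main__":
    P, G = safe_prime_group(40)              # toy size; real groups are >= 2048 bits
    run = eke_exchange(P, G, b"correct horse", b"correct horse")
    print("keys agree:", run["ok"] and run["key_a"] == run["key_b"])
    print("eavesdropper can rule out a guess:", not offline_guessing_is_inconclusive(
        run["transcript"], P, [b"correct horse", b"hunter2", b"letmein"]))
```

With matching passwords the two keys agree and the challenge round passes; with a mismatch the run fails at step 4 without telling the other side which guess was wrong, so each online guess costs one protocol run. offline_guessing_is_inconclusive shows why the recorded transcript is useless to a dictionary attacker: because g generates all of Z_p*, every candidate password turns m1 into some plausible g^a. The augmented variant (A-EKE, earlier in this list), where the host stores only a one-way image of the password, is not shown here.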
Dorothy E. Denning,
KEY ESCROWING TODAY
Keywords: escrow, cryptography, key management
Abstract: This paper describes the U.S. Government's
Escrowed Encryption Standard (EES) and associated Key Escrow
System (KES) as of June 1994. The objective of the EES/KES is to
provide strong security for communications while simultaneously
allowing authorized government access to particular
communications for law enforcement and national security
purposes. To achieve these goals, the EES/KES is based on a
tamper-resistant hardware chip (the Clipper Chip), which
implements a strong encryption algorithm (SKIPJACK) and a method
for creating a Law Enforcement Access Field (LEAF). The LEAF
allows communications encrypted by the chip to be decrypted
through a Device Unique Key that is programmed onto the chip.
Pursuant to lawful authorization, a government agency can acquire
this key by obtaining two Key Components, each of which is held
by a separate Escrow Agent. The components and operation of the
KES are described, with particular attention to the safeguards
designed to ensure that the risk of unauthorized access to
combination of procedural and technical controls.
Matt Blaze,
Key Management in an Encrypting File System
Abstract: As distributed computing systems grow in size,
complexity and variety of application, the problem of protecting
sensitive data from unauthorized disclosure and tampering becomes
increasingly important. Cryptographic techniques can play an
important role in protecting communication links and file data,
since access to data can be limited to those who hold the proper
key. In the case of file data, however, the routine use of
encryption facilities often places the organizational
requirements of information security in opposition to those of
information management. Since strong encryption implies that only
the holders of the cryptographic key have access to the cleartext
data, an organization may be denied the use of its own critical
business records if the key used to encrypt these records becomes
unavailable (e.g., through the accidental death of the key
holder). This paper describes a system, based on cryptographic
"smartcards," for the temporary "escrow" of file encryption keys
for critical files in a cryptographic file system. Unlike
conventional escrow schemes, this system is bilaterally
auditable, in that the holder of an escrowed key can verify that,
in fact, he or she holds the key to a particular directory and
the owner of the key can verify, when the escrow period is ended,
that the escrow agent has neither used the key nor can use it in
the future. We describe a new algorithm, based on the DES cipher,
for the on-line encryption of file data in a secure and efficient
manner that is suitable for use in a smartcard.
Paul C. Kocher,
Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems
Using Timing Attacks
Abstract: Cryptosystems often take slightly different
amounts of time to process different messages. With network based
cryptosystems, cryptographic tokens, and many other applications,
attackers can measure the amount of time used to complete
cryptographic operations. This abstract shows that timing
channels can, and often do, leak key material. The attacks are
particularly alarming because they often require only known
ciphertext, work even if timing measurements are somewhat
inaccurate, are computationally easy, and are difficult to detect.
This preliminary draft outlines attacks that can find secret
exponents in Diffie-Hellman key exchange, factor RSA keys, and
find DSS secret parameters. Other symmetric and asymmetric
cryptographic functions are also at risk. A complete description
of the attack will be presented in a full paper to be released
later. I conclude by noting that closing timing channels is often
more difficult than might be expected.
Matt Blaze, Bruce Schneier,
The MacGuffin Block Cipher Algorithm
Abstract: This paper introduces MacGuffin, a 64 bit
"codebook" block cipher. Many of its characteristics (block size,
application domain, performance, and implementation structure)
are similar to those of the US Data Encryption Standard (DES). It
is based on a Feistel network in which the cleartext is split
into 2 sides with one side repeatedly modified according to a
keyed function of the other. Previous block ciphers of this
design, such as DES, operate on equal length sides. MacGuffin is
unusual in that it is based on a generalized unbalanced Feistel
network (GUFN) in which each round of the cipher modifies only 16
bits according to a function of the other 48. We describe the
general characteristics of the MacGuffin Architecture and
implementation and give a complete specification for the 32
round, 128-bit key version of the cipher.
Matt Blaze, Joan Feigenbaum, F T Leighton,
Master Key Cryptosystems
Abstract: We initiate the study of a new class of
secret-key cryptosystems, called Master Key Cryptosystems (MKCSs),
in which an authorized third party (hereinafter called "the
government", although it need not literally be one) possesses a
master key that allows efficient recovery of the cleartext without
knowledge of the session key. Otherwise, an MKCS appears to, and
is used by, ordinary users (i.e., all users except the government)
exactly as any secret-key cryptosystem is used. In particular,
pairs of ordinary users must agree on a shared key before they can
communicate. MKCSs should be secure against ordinary attacks:
knowledge of only the algorithm, without either the session key or
the master key, should not allow recovery of cleartext. Ciphers
that are merely weak, however obscure the attack, do not meet this
last requirement.
Matt Blaze,
High Bandwidth Encryption with Low bandwidth
Smartcards
Abstract: This paper describes a simple protocol, the
Remotely Keyed Encryption Protocol (RKEP), that enables a secure but
bandwidth-limited cryptographic smartcard to function as a
high-bandwidth secret-key encryption and decryption engine for an
insecure but fast host processor. The host processor assumes most
of the computational and bandwidth burden of each cryptographic
operation without ever learning the secret key stored on the
card. By varying the parameters of the protocol, arbitrary-size
blocks can be processed by the host with only a single small
message exchange with the card and minimal card computation. RKEP
works with any conventional block cipher and requires only
standard ECB-mode block cipher operations on the smartcard,
permitting its implementation with off-the-shelf components. There
is no storage overhead. Computational overhead is minimal and
includes the calculation of a cryptographic hash function as well
as a conventional cipher function on the host processor.
Erich Nahum, Sean O'Malley, Hilarie Orman, Richard Schroeppel,
Towards High Performance Cryptographic Software
Keywords: cryptography, high performance
Abstract: Current software implementations of current
cryptographic algorithms are orders of magnitude slower than
required to secure a gigabit network. This paper examines three
different approaches to improving the performance of
cryptographic software: new algorithm design, parallelization,
and algorithm independent hardware support. We believe that in
combination these approaches could go a long way to improving
cryptographic protocol performance without the inflexibility
required for the current generation of cryptographic hardware
support.
Richard Schroeppel, Hilarie Orman, Sean O'Malley,
Fast Key Exchange with Elliptic Curve Systems
Keywords: key exchange, cryptography, elliptic
curves
Abstract: The Diffie-Hellman key exchange algorithm can be
implemented using the group of points on an elliptic curve over
the field F(2^n). A software version of this using n = 155 can be
optimized to achieve computation rates that are significantly
faster than non-elliptic curve versions with a similar level of
security. The fast computation of reciprocals in F(2^n) is the
key to the highly efficient implementation described here.
Matt Blaze, Steven M Bellovin,
Session Layer Encryption
Abstract: We describe mechanisms for practical session
layer security for Internet based terminal sessions. We discuss
the tradeoffs of providing security at various layers of
abstraction, from the network layer to the session layer. We
describe two new mechanisms: our encrypting, authenticating telnet
and our encrypted session manager (ESM).
Matt Blaze, Whitfield Diffie, Ronald L Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, Michael Wiener,
Minimal Key Lengths for Symmetric Ciphers
Abstract: Encryption plays an essential role in protecting
the privacy of electronic information against threats from a
variety of potential attackers. In so doing, modern cryptography
employs a combination of conventional or "symmetric" cryptographic
systems for encrypting data and public-key or "asymmetric" systems
for managing the keys used by the symmetric systems. Assessing
the strength required of the symmetric cryptographic systems is
therefore an essential step in employing cryptography for computer
and communication security. Technology readily available today
makes brute-force attacks against cryptographic systems considered
adequate for the past several years both fast and cheap. General
purpose computers can be used, but a much more efficient approach
is to employ commercially available Field Programmable Gate Array
(FPGA) technology. For attackers prepared to make a higher initial
investment, custom-made special-purpose chips make such
calculations much faster and significantly lower the amortized
cost per solution. As a result, cryptosystems with 40-bit keys
offer virtually no protection at this point against brute-force
attacks. Even the US Data Encryption Standard with 56-bit keys is
increasingly inadequate. As cryptosystems often succumb to smarter
attacks than brute-force key search, it is also important to
remember that the key lengths discussed here are the minimum
needed for security against the computational threats considered.
Fortunately, the cost of very strong encryption is not
significantly greater than that of weak encryption. To protect
against the most serious threats (well-funded commercial
enterprises or government intelligence agencies), keys used to
protect data today should be at least 75 bits long. To protect
information adequately for the next 20 years in the face of
expected advances in computing power, keys in newly deployed
systems should be at least 90 bits.
Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy E. Denning, Whitfield Diffie, Anthony Lauck, Doug Miller, Peter G. Neumann, David Sobel,
Codes, Keys and Conflicts: Issues in U.S. Crypto
Policy
Abstract: In this report, the authors attempt to remove the
rhetoric, lay bare the facts, and frame the issues. It examines
the issues of communication security from a variety of
viewpoints: (I) explains the technical considerations of
communications security; (II) considers the dual-edged sword
cryptography presents to both law enforcement and national
security; (III) presents the history of wiretap law in the United
States; (IV) puts the current policy on cryptography in the
context of decisions over the last twenty years.
Michael J. Wiener,
Efficient DES Key Search
Abstract: Despite recent improvements in analytic
techniques for attacking the Data Encryption Standard, exhaustive
key search remains the most practical and efficient attack. Key
search is becoming alarmingly practical. We show how to build an
exhaustive DES key search machine for $1 million that can find a
key in 3.5 hours on average. The design for such a machine is
described in detail for the purpose of assessing the resistance
of DES to an exhaustive attack. This design is based on mature
technology to avoid making guesses about future capabilities.
With this approach, DES keys can be found one to two orders of
magnitude faster than other recently proposed designs. The basic
machine design can be adapted to attack the standard DES modes of
operation for a small penalty in running time. The issues of
development cost and machine reliability are examined as well. In
light of this work, it would be prudent in many applications to
use DES in a triple-encryption mode.
Paul Fahn,
Answers To Frequently Asked Questions About Today's
Cryptography
Abstract: Paul Fahn's FAQ answers some of the most
frequently asked questions about cryptography today, including
questions about authentication, encryption, public-key
cryptography, export restrictions, RSA, DES, Key Management,
Digital Time stamping, PEM, and much, much more.
Lance J. Hoffman,
Balanced Key Escrow (A related
WWW homepage exists for this item)
Keywords: key escrow, law enforcement, civil
liberties
Abstract: This paper presents a framework for key escrow
encryption that satisfies most law enforcement and civil
liberties concerns. It provides users considerable autonomy in
deciding how and with whom information will be escrowed. It
relies on no specific technological solution but will accommodate
all of them, whether implemented in hardware, software, firmware,
or paper! Depending on the specific system, it may provide
real-time emergency access to information when requested by
authorized entities. Users, not governments, bear the costs of
the scheme.
Pau-Chen Cheng, Juan A. Garay, Amir Herzberg, Hugo Krawczyk,
Design and Implementation of Modular Key Management Protocol and
IP Secure Tunnel on AIX
Keywords: key management, cryptography, IP tunnel,
AIX
Abstract: This paper presents the design principles,
architecture, implementation and performance of our modular key
management protocol MKMP, and an IP secure tunnel protocol IPST
which protects the secrecy and integrity of IP datagrams using
cryptographic functions. To use the existing IP infrastructure,
MKMP is built on top of UDP and the IPST protocol is built by
encapsulating IP datagrams.
Ross N. Williams,
Painless Guide To CRC Error Detection Algorithms
Abstract: This document explains CRCs (Cyclic Redundancy
Codes) and their table-driven implementations in full, precise
detail. Much of the literature on CRCs, and in particular on
their table-driven implementations, is a little obscure (or at
least seems so to me). This document is an attempt to provide a
clear and simple no-nonsense explanation of CRCs and to
absolutely nail down every detail of the operation of their
high-speed implementations. In addition to this, this document
presents a parameterized model CRC algorithm called the "Rocksoft
Model CRC Algorithm". The model algorithm can be parameterized to
behave like most of the CRC implementations around, and so acts
as a good reference for describing particular algorithms. A
low-speed implementation of the model CRC algorithm is provided
in the C programming language. Lastly there is a section giving
two forms of high-speed table driven implementations, and
providing a program that generates CRC lookup tables.
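A Python rendering of the Rocksoft model, added here as an example and not Williams' own C code: the same six parameters (WIDTH, POLY, INIT, REFIN, REFOUT, XOROUT) drive both the bit-at-a-time reference and the table-driven form, and the models for CRC-32, CRC-16/CCITT-FALSE and XMODEM are checked against the standard library. The forge_crc helper is this example's addition, to make the point a reader of this list should take away: a CRC detects noise, not an adversary.

```python
"""Rocksoft-model CRC, bit-at-a-time and table-driven.  Added example, not
Williams' C code: parameter names follow his model (WIDTH, POLY, INIT, REFIN,
REFOUT, XOROUT); the forgery helper at the end is this example's addition."""
import binascii
import zlib

def reflect(value, width):
    """Reverse the low `width` bits of value (Williams' reflect())."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out

def crc_bitwise(data, width, poly, init, refin, refout, xorout):
    """Direct (non-table) model algorithm; width must be >= 8."""
    topbit, mask = 1 << (width - 1), (1 << width) - 1
    reg = init
    for byte in data:
        if refin:
            byte = reflect(byte, 8)
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) if reg & topbit else (reg << 1)
            reg &= mask
    if refout:
        reg = reflect(reg, width)
    return reg ^ xorout

def crc_table(width, poly, refin):
    """256-entry table: the CRC contribution of each possible input byte."""
    topbit, mask = 1 << (width - 1), (1 << width) - 1
    table = []
    for i in range(256):
        reg = (reflect(i, 8) if refin else i) << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) if reg & topbit else (reg << 1)
        reg &= mask
        table.append(reflect(reg, width) if refin else reg)
    return table

def crc_table_driven(data, width, poly, init, refin, refout, xorout, table=None):
    """High-speed form; same answer as crc_bitwise for any model."""
    table = table or crc_table(width, poly, refin)
    mask = (1 << width) - 1
    if refin:                       # reflected algorithm: register kept bit-reversed
        reg = reflect(init, width)
        for byte in data:
            reg = table[(reg ^ byte) & 0xFF] ^ (reg >> 8)
        reg = reg if refout else reflect(reg, width)
    else:
        reg = init
        for byte in data:
            reg = table[((reg >> (width - 8)) ^ byte) & 0xFF] ^ ((reg << 8) & mask)
        reg = reflect(reg, width) if refout else reg
    return reg ^ xorout

# Model parameters; the "check" value is the CRC of b"123456789".
CRC32 = dict(width=32, poly=0x04C11DB7, init=0xFFFFFFFF,
             refin=True, refout=True, xorout=0xFFFFFFFF)          # check 0xCBF43926
CRC16_CCITT_FALSE = dict(width=16, poly=0x1021, init=0xFFFF,
                         refin=False, refout=False, xorout=0)     # check 0x29B1
CRC16_XMODEM = dict(width=16, poly=0x1021, init=0x0000,
                    refin=False, refout=False, xorout=0)          # check 0x31C3

def cross_check(data):
    """Agree with the standard library's CRC-32 and CRC-CCITT implementations?"""
    return (crc_table_driven(data, **CRC32) == zlib.crc32(data)
            and crc_bitwise(data, **CRC16_CCITT_FALSE) == binascii.crc_hqx(data, 0xFFFF))

def forge_crc(orig_crc, delta, **params):
    """CRC is affine over GF(2): crc(m ^ delta) == crc(m) ^ crc(delta) ^ crc(0...0)
    for equal-length inputs, so anyone can flip chosen bits of m and re-patch
    the CRC without ever seeing m.  An error detector, not an authenticator."""
    zeros = bytes(len(delta))
    return orig_crc ^ crc_bitwise(delta, **params) ^ crc_bitwise(zeros, **params)

if __name__ == "__main__":
    for name, model in (("CRC-32", CRC32), ("CCITT-FALSE", CRC16_CCITT_FALSE),
                        ("XMODEM", CRC16_XMODEM)):
        print(name, hex(crc_bitwise(b"123456789", **model)),
              hex(crc_table_driven(b"123456789", **model)))
```

The two implementations must agree for every parameter set; the reflected table algorithm keeps its register bit-reversed throughout, which is why it starts from reflect(INIT) and needs no final reflection when REFOUT is set. forge_crc is the reason a CRC must never stand in for a MAC: an attacker who can change ciphertext bits in a stream cipher or CTR-mode message can fix up the CRC blind, whereas a keyed MAC over the data leaves no such linear shortcut.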
Jeremy Buhler,
Towards a Secure -AV system for PKZIP - A Proposed Public Key Scheme For
.ZIP Protection
Abstract: -AV protection has been problematical for PKZIP
ever since its inception. With the advent of public key digital
signatures, this problem may at last be solved. Public key should
provide excellent protection against modification of part of the
archive or random spoofing by average attackers and very good
protection against the same by determined attackers with great
resources (e.g., governments, large corporations, etc). While
protection against the worst case, whole-file spoofing with a
stolen key, is less effective, it does not demonstrate a loss of
security versus previous methods. The algorithm's lifetime may be
arbitrarily prolonged by increasing the key size, and the
decompression check code may be written so as not to penalize
operation unduly. This protection could make PKZIP the archiver
of choice for the distributor worried about file tampering within
.ZIP's.
Built by Mark Crosbie and Ivan Krsul.