Steven M. Bellovin, Michael Merritt,
Augmented Encrypted Key Exchange: a Password-Based Protocol
Secure Against Dictionary Attacks and Password File
Abstract: The encrypted key exchange (EKE) protocol is augmented so that hosts do not store cleartext passwords. Consequently, adversaries who obtain the one-way encrypted password file may (i) successfully mimic (spoof) the host to the user, and (ii) mount dictionary attacks against the encrypted passwords, but cannot mimic the user to the host. Moreover, the im- portant security properties of EKE are preservedan active network attacker obtains insufficient information to mount dictionary attacks. Two ways to accomplish this are shown, one using digital signatures and one that relies on a family of commutative one-way functions.
Ernest F. Brickell, Dorothy E. Denning, Stephen T. Kent, David P. Maher, Walter Tuchman,
SKIPJACK Review - Interim Report - The SKIPJACK
Abstract: The objective of the SKIPJACK review was to provide a mechanism whereby persons outside the government could evaluate the strength of the classified encryption algorithm used in the escrowed encryption devices and publicly report their findings. Because SKIPJACK is but one component of a large, complex system, and because the security of communications encrypted with SKIPJACK depends on the security of the system as a whole, the review was extended to encompass other components of the system. The purpose of this Interim Report is to report on our evaluation of the SKIPJACK algorithm. A later Final Report will address the broader system issues.
Dorothy E. Denning,
Crime and Crypto on the Information Superhighway
Keywords: cryptography, crime, national information infrastructure, encryption
Abstract: Although the information superhighway offers many benefits to individuals and to society, it also can be exploited to further crimes such as theft and sabotage of data, embezzlement, fraud, child pornography, and defamation. Thus, a challenge in designing and using the information superhighway is to maximize its benefits while minimizing the harm associated with criminal activity. Three types of mechanisms that help meet this challenge are information security tools, ethics, and laws.
A Cryptographic File System for Unix
Abstract: Although cryptographic techniques are playing an increasingly important role in modern computing system security, user-level tools for encrypting file data are cumbersome and suffer from a number of inherent vulnerabilities. The Cryptographic File System (CFS) pushes encryption services into the file system itself. CFS supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key . This paper describes the design and implementation of CFS under Unix. Encryption techniques for file system-level encryption are described, and general issues of cryptographic system interfaces to support routine secure computing are discussed.
Crypto Law Survey
Abstract: This survey of cryptography laws is based on several reports and on replies to a posting on Internet discussion lists. Only for France, The Netherlands, and Russia have I consulted original texts of relevant regulations; for the other countries, the reports listed below served as the only source. These findings, therefore, do not pretend to be exhaustive or fully reliable. I thank all who have provided me with information for this survey. Please send comments, corrections, updates, additional information, and questions to E.J.Koops@kub.nl
Matt Blaze, Joan Feigenbaum, Jack Lacy, Murray Hill,
Decentralized Trust Management
Abstract: We identify the trust management problem as a distinct and important component of security in network services. Aspects of the trust management problem include formulating security policies and security credentials, determining whether particular sets of credentials satisfy the relevant policies and deferring trust to third parties. Existing systems that support security in networked applications including X and PGP address only narrow subsets of the overall trust management problem and often do so in a manner that is appropriate to only one application. This paper presents a comprehensive approach to trust management based on a simple language for specifying trusted actions and trust relationships. It also describes a prototype implementation of a new trust management system called PolicyMakerthat will facilitate the development of security features in a wide range of network services.
Protocol Failure in the Escrowed Encryption
Abstract: The Escrowed Encryption Standard EES denotes a US Government family of cryptographic processors popularly known as Clipper chips intended to protect unclassied government and private sector communications and data. A basic feature of key setup between pairs of EES processors involves the exchange of a Law Enforcement Access Field -- LEAF -- that contains an encrypted copy of the current session key. The LEAF is intended to facilitate government access to the cleartext of data encrypted under the system. Several aspects of the design of the EES which employs a classied cipher algorithm and tamper resistant hardware attempt to make it infeasible to deploy the system without transmitting the LEAF. We evaluated the publicly released aspects of the EES protocols as well as a prototype version of a PCMCIA based EES device. This paper outlines various techniques that enable cryptographic communication among EES processors without transmission of the valid LEAF. We identify two classes of techniques. The simplest allow communication only between pairs of rogue parties. The second interoperate with legal EES users. We conclude with techniques that could make the older EES architecture more robust against these failur
Files on Cryptography
Abstract: Cryptography issues and files from the EFF.
Steven M. Bellovin, Michael Merritt,
Encrypted Key Exchange: Password-Based Protocols Secure Against
Abstract: Classic cryptographic protocols based on user chosen keys allow an attacker to mount password-guessing attacks. We introduce a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allow two parties sharing a common password to exchange confidential and authenticated information over an insecure network. These protocols are secure against active attacks, and have the property that the password is protected against off-line "dictionary" attacks. There are a number of other useful applications as well, including secure public telephones.
Dorothy E. Denning,
KEY ESCROWING TODAY
Keywords: escrow, cryptography, key management
Abstract: This paper describes the U.S. Government's Escrowed Encryption Standard (EES) and associated Key Escrow System (KES) as of June 1994. The objective of the EES/KES is to provide strong security for communications while simultaneously allowing authorized government access to particular communications for law enforcement and national security purposes. To achieve these goals, the EES/KES is based on a tamper-resistant hardware chip (the Clipper Chip), which implements a strong encryption algorithm (SKIPJACK) and a method for creating a Law Enforcement Access Field (LEAF). The LEAF allows communications encrypted by the chip to be decrypted through a Device Unique Key that is programmed onto the chip. Pursuant to lawful authorization, a government agency can acquire this key by obtaining two Key Components, each of which is held by a separate Escrow Agent. The components and operation of the KES are described, with particular attention to the safeguards designed to ensure that the risk of unauthorized access to combination of procedural and technical controls.
Key Management in an Encrypting File System
Abstract: As distributed computing systems grow in size, complexity and variety of application, the problem of protecting sensitive data from unauthorized disclosure and tampering becomes increasingly important. Cryptographic techniques can play an important role in protecting communication links and file data, since access to data can be limited to those who hold the proper key. In the case of file data, however, the routine use of encryption facilities often places the organizational requirements of information security in opposition to those of information management. Since strong encryption implies that only the holders of the cryptographic key have access to the cleartext data, an organization may be denied the use of its own critical business records if the key used to encrypt these records becomes unavailable (e.g., through the accidental death of the key holder). This paper describes a system, based on cryptographic "smartcards," for the temporary "escrow" of file encryption keys for critical files in a cryptographic file system. Unlike conventional escrow schemes, this system is bilaterally auditable, in that the holder of an escrowed key can verify that, in fact, he or she holds the key to a particular directory and the owner of the key can verify, when the escrow period is ended, that the escrow agent has neither used the key nor can use it in the future. We describe a new algorithm, based on the DES cipher, for the on-line encryption of file data in a secure and efficient manner that is suitable for use in a smartcard.
Paul C. Kocher,
Cryptanalysis of Diffie-Hellman, RSA, DSS, and Other Systems
Using Timingg Attacks
Abstract: Cryptosystems often take slightly different amounts of time to process different messages. With network based cryptosystems, cryptographic tokens, and many other applications, attackers can measure the amount of time used to complete cryptographic operations. This abstract shows that timing channels can, and often do, leak key material. The at tacks are particularly alarming because they often require only known ciphertext, work even if timing measurements are somewhat inaccurate, are computationally easy and are difficult to detect. This preliminary draft outlines attacks that can can find secret exponents in Diffie-Hellman key exchange, factor RSA keys, and find DSS secret parameters. Other symmetric and asymmetric cryptographic functions are also at risk. A complete description of the attack will be presented in a full paper to be released later. I conclude by noting that closing timing channels is often more difficult than might be expected
Matt Blaze, Bruce Schneier,
The MacGuffin Block Cipher Algorithm
Abstract: This paper introduces MacGuffin, a 64 bit "codebook" block cipher. Many of its characteristics (block size, application domain, performance, and implementation structure) are similar to those of the US Data Encryption Standard (DES). It is based on a Feistel network in which the cleartext is split into 2 sides with one side repeatedly modified according to a keyed function of the other. Previous block ciphers of this design, such as DES, operate on equal length sides. MacGuffin is unusual un that it is based on a generalized unbalanced Feistel network (GUFN) in which each round of the cipher modifies only 16 bits according to a function of the other 48. We describe the general characteristics of the MacGuffin Architecture and implementation and give a complete specification for the 32 round, 128-bit key version of the cipher.
Matt Blaze, Joan Feigenbaum, F T Leighton,
Master Key Cryptosystems
Abstract: We initiate the study of a new class of secretkey cryptosystems called Master Key Cryptosystems MKCSs in which an authorized third party hereinafter called the government although it need not literally be one possesses a master key that allows efficient recovery of the cleartext without knowledge of the session key. Otherwise an MKCS appears and is used by ordinary users ie all users except the government exactly as any secretkey cryptosystem is used. In particular pairs of ordinary users must agree on a shared key before they can communicate. MKCSs should be secure against ordinary attacks. Knowledge of only the algorithm without either the session key or the master key should not allow recovery of cleartext. Ciphers that are merely weak however obscure the attack do not meet this last requirement
High Bandwidth Encryption with Low bandwidth
Abstract: This paper describes a simple protocol the Remotely Keyed Encryption Protocol RKEP that enables a secure but bandwidth limited cryptographic smartcard to function as a high bandwidth secretkey encryption and decryption engine for an insecure but fast host processor. The host processor assumes most of the computational and bandwidth burden of each cryptographic operation without ever learning the secret key stored on the card. By varying the parameters of the protocol arbitrary size blocks can be processed by the host with only a single small message exchange with the card and minimal card computation. RKEP works with any conventional block cipher and requires only standard ECB mode block cipher operations on the smartcard permitting its implementation with of the shelf components. There is no storage overhead. Computational overhead is minimal and includes the calculation of a cryptographic hash function as well as a conventional cipher function on the host processor.
Erich Nahum, Sean O'Malley, Hilarie Orman, Richard Schroeppel,
Towards High Performance Cryptographic Software
Keywords: cryptography, high performance
Abstract: Current software implementations of current cryptographic algorithms are orders of magnitude slower than required to secure a gigabit network. This paper examines three different approaches to improving the performance of cryptographic software: new algorithm design, parallelization, and algorithm independent hardware support. We believe that in combination these approaches could go a long way to improving cryptographic protocol performance without the inflexibility required for the current generation of cryptographic hardware support.
Richard Schroeppel, Hilarie Orman, Sean O'Malley,
Fast Key Exchange with Elliptic Curve Systems
Keywords: key exchange, cryptography, elliptic curves
Abstract: The Diffie-Hellman key exchange algorithm can be implemented using the group of points on an elliptic curve over the field F(2^n). A software version of this using n = 155 can be optimized to achieve computation rates that are significantly faster than non-elliptic curve versions with a similar level of security. The fast computation of reciprocals in F(2^n) is the key to the highly efficient implementation described here
Matt Blaze, Steven M Bellovin,
Session Layer Encryption
Abstract: We describe mechanisms for practical session layer security for Internet based terminal sessions. We discuss the tradeoffs of providing security at various layers of abstractions from the network to the session layer. We describe two new mechanisms our encrypting authenticating telnet and our encrypted session manager ESM.
Matt Blaze, Whitfield Diffie, Ronald L Rivest, Bruce Schneier, Tsutomu Shimomura, Eric Thompson, Michael Wiener,
Minimal Key Lengths for Symmetric Ciphers
Abstract: Encryption plays an essential role in protecting the privacy of electronic informa tion against threats from a variety of potential attackers. In so doing modern cry ptography employs a combination of conventional or symmetric cryptographic systems for encrypting data and public key or asymmetric systems for managing the keys us ed by the symmetric systems. Assessing the strength required of the symmetric cryp tographic systems is therefore an essential step in employing cryptography for com puter and communication security. Technology readily available today late makes br uteforce attacks against cryptographic systems considered adequate for the past se veral years both fast and cheap. General purpose computers can be used but a much more efficient approach is to employ commercially available Field Programmable Gat e Array FPGA technology. For attackers prepared to make a higher initial investmen t custommade special purpose chips make such calculations much faster and signicantly lower the amortized cost per solution As a result cryptosystems with bit keys offer virtually no protection at this poin t against bruteforce attacks. Even the US Data Encryption Standard with bit keys i s increasingly inadequate. As cryptosystems often succumb to smarter attacks than bruteforce key search it is also important to remember that the keylengths discuss ed here are the minimum needed for security against the computational threats cons idered. Fortunately the cost of very strong encryption is not signicantly greater most serious threats well funded commercial enterprises or government intelligenc e agencies keys used to protect data today should be at least 75 bits long. To pr otect information adequately for the next 20 years in the face of expected advanc es in computing power keys in newly deployed systems should be at least 90 bits.
Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy E. Denning, Whitfield Diffe, Anthony Lauck, Doug Miller, Peter G. Neumann, David Sobel,
Codes, Keys and Confilicts: Issues in U.S. Crypto
Abstract: In this report, the author attempt to remove teh rhetotic, lay bare the facts, and frame teh issues. It examine the issues of communication security from a variety of viewponits: (I) explain the technical consideration of communications security; (II) considers the dual-edged sword cryptography presents to both law enforcment and national security; (III) presents the history of wiretap law in the United States; (IV) puts the current policy on crytopgraphy in the context of decisions over the last twenty years.
Michael J. Wiener,
Efficient DES Key Search
Abstract: Despite recent improvements in analytic techniques for attacking the Data Encryption Standard, exhaustive key search remains the most practical and effcient attack. Key search is becoming alarmingly practical. We show how to build an exhaustive DES key search machine for $1 million that can f ind a key in 3.5 hours on average. The design for such a machine is described in detail for the purpose of assessing the resistance of DES to an exhaustive attack. This design is based on mature technology to avoid making guesses about future capabilities. With this approach, DES keys can be found one to two orders of magnitude faster than other recently proposed designs. The basic machine design can be adapted to attack the standard DES modes of operation for a small penalty in running time. The issues of development cost and machine reliability are examined as well. In light of this work, it would be prudent in many applications to use DES in a triple-encryption mode.
Answers To Frequently Asked Questions About Today's
Abstract: Paul Fahn's FAQ answers some of the most frequently asked questions about cryptography today, including questions about authentication, encryption, public-key cryptography, export restrictions, RSA, DES, Key Management, Digital Time stamping, PEM, and much, much more.
Lance J. Hoffman,
Balanced Key Escrow (A related
WWW homepage exists for this item)
Keywords: key escrow, law enforcement, civil liberties
Abstract: This paper presents a framework for key escrow encryption that satisfies most law enforcement and civil liberties concerns. It provides users considerable autonomy in deciding how and with whom information will be escrowed. It relies on no specific technological solution but will accommodate all of them, whether implemented in hardware, software, firmware, or paper! Depending on the specific system, it may provide real-time emergency access to information when requested by authorized entities. Users, not governments, bear the costs of the scheme.
Pau-Chen Cheng, Juan A. Garay, Amir Herzberg, Hugo Krawczyk,
Design and Implementation of Modular Key Management Protocol and
IP Secure Tunnel on AIX
Keywords: key management, cryptography, IP tunnel, aix
Abstract: This paper presents the design principles, architecture, implementation and performance of our modular key management protocol MKMP, and an IP secure tunnel protocol IPST which protects the secrecy and integrity of IP datagrams using cryptographic functions. To use the existing IP infrastructure, MKMP is built on top of UDP and the IPST protocol is built by encapsulating IP datagrams.
Ross N. Williams,
Painless Guide To CRC Error Detection Algorithms
Abstract: This document explains CRCs (Cyclic Redundancy Codes) and their table-driven implementations in full, precise detail. Much of the literature on CRCs, and in particular on their table-driven implementations, is a little obscure (or at least seems so to me). This document is an attempt to provide a clear and simple no-nonsense explanation of CRCs and to absolutely nail down every detail of the operation of their high-speed implementations. In addition to this, this document presents a parameterized model CRC algorithm called the "Rocksoft Model CRC Algorithm". The model algorithm can be parameterized to behave like most of the CRC implementations around, and so acts as a good reference for describing particular algorithms. A low-speed implementation of the model CRC algorithm is provided in the C programming language. Lastly there is a section giving two forms of high-speed table driven implementations, and providing a program that generates CRC lookup tables.
Jeremy Buhler, Towards
a Secure -AV system for PKZIP - A Proposed Public Key Scheme For
Abstract: -AV protection has been problematical for PKZIP ever since its inception. With the advent of public key digital signatures, this problem may at last be solved. Public key should provide excellent protection against modification of part of the archive or random spoofing by average attackers and very good protection against the same by determined attackers with great resources (e.g., governments, large corporations, etc). While protection against the worst case, whole-file spoofing with a stolen key, is less effective, it does not demonstrate a loss of security versus previous methods. The algorithm's lifetime may be arbitrarily prolonged by increasing the key size, and the decompression check code may be written so as not to penalize operation unduly. This protection could make PKZIP the archiver of choice for the distributor worried about file tampering within .ZIP's.
Built by Mark Crosbie and Ivan Krsul.
Security Archive Homepage.
COAST Project (CERIAS)Page.
Purdue CS Dept page.