Scispace (Formerly Typeset)
Showing papers on "Cryptographic protocol published in 1993"
Book
Applied Cryptography: Protocols, Algorithms, and Source Code in C
Bruce Schneier, Phil Sutherland
10 Nov 1993
TL;DR: This document describes the construction of protocols and their use in the real world, as well as some examples of protocols used in the virtual world.
Abstract: CRYPTOGRAPHIC PROTOCOLS. Protocol Building Blocks. Basic Protocols. Intermediate Protocols. Advanced Protocols. Esoteric Protocols. CRYPTOGRAPHIC TECHNIQUES. Key Length. Key Management. Algorithm Types and Modes. Using Algorithms. CRYPTOGRAPHIC ALGORITHMS. Data Encryption Standard (DES). Other Block Ciphers. Other Stream Ciphers and Real Random-Sequence Generators. Public-Key Algorithms. Special Algorithms for Protocols. THE REAL WORLD. Example Implementations. Politics. SOURCE CODE. Source Code. References.

4,083 citations

Proceedings Article • DOI: 10.1109/SFCS.1993.366851
A quantum bit commitment scheme provably unbreakable by both parties
Gilles Brassard (Université de Montréal), Claude Crépeau, Richard Jozsa, D. Langlois
3 Nov 1993
TL;DR: A complete protocol for bit commitment based on the transmission of polarized photons is described and it is shown that under the laws of quantum physics, this protocol cannot be cheated by either party except with exponentially small probability.
Abstract: We describe a complete protocol for bit commitment based on the transmission of polarized photons. We show that under the laws of quantum physics, this protocol cannot be cheated by either party except with exponentially small probability (exponential in the running time needed to implement the honest protocol). A more thorough analysis is required to adjust all the constants used in this paper to get the best performance from our construction. Better performances may probably be achieved by using a third conjugate transmission-reception basis of circular polarization.

191 citations

Journal Article • DOI: 10.1109/49.223869
Systematic design of a family of attack-resistant authentication protocols
Ray Bird (Research Triangle Park), Inder Sarat Gopal (IBM), Amir Herzberg (IBM), Philippe Janson (IBM), Shay Kutten (IBM), Refik Molva (Institut Eurécom), Marcel Mordechay Yung (IBM)
01 Jun 1993, IEEE Journal on Selected Areas in Communications
TL;DR: A methodology for systematically building and testing the security of a family of cryptographic two-way authentication protocols that are as simple as possible yet resistant to a wide class of attacks, efficient, easy to implement and use, and amenable to many different networking environments is described.
Abstract: Most existing designs for two-way cryptographic authentication protocols suffer from one or more limitations. Among other things, they require synchronization of local clocks, they are subject to export restrictions because of the way they use cryptographic functions, and they are not amenable to use in lower layers of network protocols because of the size and complexity of messages they use. Designing suitable cryptographic protocols that cater to large and dynamic network communities but do not suffer from these problems presents substantial problems. It is shown how a few simple protocols, including one proposed by ISO, can easily be broken, and properties that authentication protocols should exhibit are derived. A methodology for systematically building and testing the security of a family of cryptographic two-way authentication protocols that are as simple as possible yet resistant to a wide class of attacks, efficient, easy to implement and use, and amenable to many different networking environments is described. Examples of protocols of that family that present various advantages in specific distributed system scenarios are discussed.

172 citations

Book Chapter • DOI: 10.1007/978-3-540-24631-2_4
A Classification of Security Properties
Riccardo Focardi (Ca' Foscari University of Venice), Roberto Gorrieri (University of Bologna)
01 Oct 1993, Lecture Notes in Computer Science
TL;DR: Several security definitions proposed in the literature are reformulated over the general model of labelled transition systems, frequently used as a suitable semantic domain for abstract concurrent languages, such as CCS.
Abstract: Several security definitions proposed in the literature are reformulated over the general model of labelled transition systems, frequently used as a suitable semantic domain for abstract concurrent languages, such as CCS. A classification of these security properties is provided.

170 citations

Proceedings Article • DOI: 10.1109/CSFW.1993.246631
Towards formal analysis of security protocols
Wenbo Mao (University of Manchester), Colin Boyd (University of Manchester)
15 Jun 1993
TL;DR: The formalisation of the BAN logic is found to be desirable not only for its potential in providing rigorous analysis of security protocols, but also for its readiness for supporting a computer-aided fashion of analysis.
Abstract: The pioneering and well-known work of M. Burrows, M. Abadi and R. Needham (1989), (the BAN logic) which dominates the area of security protocol analysis is shown to take an approach which is not fully formal and which consequently permits approval of dangerous protocols. Measures to make the BAN logic formal are then proposed. The formalisation is found to be desirable not only for its potential in providing rigorous analysis of security protocols, but also for its readiness for supporting a computer-aided fashion of analysis.

150 citations

Patent
Cryptographic protocol for remote authentication
Steven M. Bellovin (AT&T Corporation), Michael Merritt (AT&T)
23 Aug 1993
TL;DR: In this article, a cryptographic communication system is disclosed that permits computer users to authenticate themselves to a computer system without requiring that the computer system keep confidential the password files used to authenticate the respective users' identities.
Abstract: A cryptographic communication system is disclosed which permits computer users to authenticate themselves to a computer system without requiring that the computer system keep confidential the password files used to authenticate the respective user's identities. The invention is useful in that it prevents a compromised password file from being leveraged by crafty hackers to penetrate the computer system.

120 citations

Patent
Secure cryptographic operations using control vectors generated inside a cryptographic facility
Donald B. Johnson, An V. Le, Stephen M. Matyas, Rostislaw Prymak, John D. Wilkins (all IBM)
10 Aug 1993
TL;DR: In this paper, the authors suggest methods of cryptographic key management based on control vectors in which the control vectors are generated or derived internal to a cryptographic facility implementing a set of cryptographic operations, and they provide a high-integrity facility to ensure that cryptographic keys are used in a manner consistent with the type and usage attributes assigned to the keys by the originator of those keys.
Abstract: The invention described herein suggests methods of cryptographic key management based on control vectors in which the control vectors are generated or derived internal to a cryptographic facility implementing a set of cryptographic operations. The methods of alternate control vector enforcement described in the present application provide a high-integrity facility to ensure that cryptographic keys are used in a manner consistent with the type and usage attributes assigned to the keys by the originator of those keys. Since the control vectors are generated or derived internal to the cryptographic facility on the basis of data contained in each cryptographic service request to the cryptographic facility, control vectors need not be stored or managed outside the cryptographic facility.

98 citations

Journal Article • DOI: 10.1109/49.223881
Principles of key management
W. Fumy (Siemens), Peter Landrock (Aarhus University)
01 Jun 1993, IEEE Journal on Selected Areas in Communications
TL;DR: This work approaches the problem of key management in a modular and hierarchical manner and discusses key management security requirements, deals with generic key management concepts and design criteria, and describes key management services and building blocks, as well as key management facilities, key management units, and their interrelationship.
Abstract: Security services based on cryptographic mechanisms assume keys to be distributed prior to secure communications. The secure management of these keys is one of the most critical elements when integrating cryptographic functions into a system, since any security concept will be ineffective if the key management is weak. This work approaches the problem of key management in a modular and hierarchical manner. It discusses key management security requirements, deals with generic key management concepts and design criteria, describes key management services and building blocks, as well as key management facilities, key management units, and their interrelationship.

97 citations

Book
Cryptography and Secure Communications
Man Young Rhee
1 Oct 1993
TL;DR: Covering the latest developments in cryptography for all data communication professionals who need an understanding of cryptographic technology, this book explains the Data Encryption Standard, stream ciphers, public-key cryptosystems, arithmetic operating circuits, and important classes of BCH and Reed-Solomon codes for multiple-error correction.
Abstract: From the Publisher: This book provides a practical introduction to cryptographic principles and algorithms for communication security and data privacy, both commercial and military, written by one of the world's leading authorities on encryption and coding. Covering the latest developments in cryptography for all data communication professionals who need an understanding of cryptographic technology, the book explains the Data Encryption Standard, stream ciphers, public-key cryptosystems, arithmetic operating circuits, important classes of BCH and Reed-Solomon codes for multiple-error correction, ciphertext protection against illegal deletion or injection of information, practical cryptographic applications, and more.

90 citations

Proceedings Article • DOI: 10.1109/RISP.1993.287634
A logical language for specifying cryptographic protocol requirements
Paul Syverson (United States Naval Research Laboratory), Catherine Meadows (United States Naval Research Laboratory)
24 May 1993
TL;DR: The authors examine two versions of a protocol that might meet those requirements and show how to specify them in the language of the NRL Protocol Analyzer and use the Analyzer to show that one version of the protocol meets those requirements.
Abstract: A formal language is presented for specifying and reasoning about cryptographic protocol requirements. Examples of simple sets of requirements in that language are given. The authors examine two versions of a protocol that might meet those requirements and show how to specify them in the language of the NRL Protocol Analyzer. They also show how to map one of the sets of formal requirements to the language of the NRL Protocol Analyzer and use the Analyzer to show that one version of the protocol meets those requirements. The Analyzer is used as a model checker to assess the validity of the formulas that make up the requirements.

79 citations

Proceedings Article • DOI: 10.1109/CSFW.1993.246633
Variations on the themes of message freshness and replay-or the difficulty in devising formal methods to analyze cryptographic protocols
L. Gong
15 Jun 1993
TL;DR: This exercise demonstrates the potential complexity in devising formal methods to analyze cryptographic protocols and variations on the choice and the usage of freshness identifiers, and the various forms of replay attack.
Abstract: A survey is given of the variations on the choice and the usage of freshness identifiers, and the various forms of replay attack. Besides helping to clarify the important concepts of freshness and replay, this exercise demonstrates the potential complexity in devising formal methods to analyze cryptographic protocols.

Journal Article • DOI: 10.1109/49.223872
Security architectures using formal methods
C. Boyd (University of Manchester)
01 Jun 1993, IEEE Journal on Selected Areas in Communications
TL;DR: A model describing secure communications architectures is developed using the formal language Z based on fundamental cryptographic properties which allow problems to be identified prior to the design of security protocols.
Abstract: A model describing secure communications architectures is developed using the formal language Z. The model is based on fundamental cryptographic properties. Some basic constraints are derived for the design of secure architectures which allow problems to be identified prior to the design of security protocols. A simple criterion is derived for ensuring that all pairs of users can set up secure communications channels.

Proceedings Article • DOI: 10.1109/FTCS.1993.627344
Randomized distributed agreement revisited
Piotr Berman (Pennsylvania State University), Juan A. Garay (Pennsylvania State University)
22 Jun 1993
TL;DR: The authors present a succinct and efficient randomized distributed agreement protocol for asynchronous networks that works for n > 5t processors, where n is the size of the network and the protocol has low communication complexity and does not require any cryptographic assumption.
Abstract: The authors present a succinct and efficient randomized distributed agreement (DA) protocol for asynchronous networks that works for n > 5t processors, where n is the size of the network. The protocol has low communication complexity (Θ(log n) message size) and does not require any cryptographic assumption. The protocol belongs to the class of protocols that require a "trusted dealer", who is in charge of a suitable network initialization, and represents an improvement in terms of number of processors to some previous solutions. The authors contrast their approach to the class of protocols that are currently able to perform randomized agreement from scratch, an unlimited number of times, but have a communication cost that might be infeasible in many cases.

Journal Article • DOI: 10.1049/ECEJ:19930052
Modern data encryption
C. Boyd (University of Manchester)
01 Oct 1993, Electronics & Communication Engineering Journal
TL;DR: Asymmetric, or public key, algorithms allow provision of new security services such as digital signatures, but a recently proposed standard for digital signatures is also of intense current interest.
Abstract: Communications security is increasing in importance as a result of the use of electronic communications in more and more business activities. Cryptography is the only practical means to provide security services in many applications. Research into cryptography has exploded in the last 18 years and a variety of cryptographic algorithms and techniques have emerged. Cryptographic algorithms may be classified as either symmetric, if the same key is shared by the sender and receiver, or asymmetric, if they use different keys. Symmetric algorithms have been dominated by the Data Encryption Standard since 1976, but a number of replacements are now being proposed. Asymmetric, or public key, algorithms allow provision of new security services such as digital signatures. The RSA algorithm is the most widely known of these, but a recently proposed standard for digital signatures is also of intense current interest.

Patent
System for improving the digital signature algorithm
David Naccache, David M'raihi
23 Jun 1993
TL;DR: In this paper, a system comprises at least two parts, connected to each other by means of a common communication interface, where a first communicating apparatus A, having data processing means, communication means, memory means and random or pseudo-random generation means, relies on the computational power of a second communicating apparatus B, having information processing means and memory means, in order to compute the inverse of a first number x modulo a second number n and use the resulting modular inverse in an encryption or signature cryptographic protocol.
Abstract: A system comprises at least two parts, connected to each other by means of a common communication interface, wherein a first communicating apparatus A, having data processing means, communication means, memory means and random or pseudo-random generation means, relies on the computational power of a second communicating apparatus B, having data processing means, communication means and memory means, in order to compute the inverse of a first number x modulo a second number n and use the resulting modular inverse in an encryption, decryption, key exchange, identification or digital signature cryptographic protocol.

Proceedings Article • DOI: 10.1109/CSFW.1993.246634
An introduction to the mathematics of trust in security protocols
G.J. Simmons
15 Jun 1993
TL;DR: Formal methods are developed to analyze trust as a fundamental dimension in security protocol analysis and proof.
Abstract: One of the most important functions performed by security protocols is to transfer trust from where it exists to where it is needed. As a result, all protocols enforce a set of restrictions as to who may exercise them, either spelled out explicitly or left implicit in the protocol specification. In addition, there may be unanticipated, even unacceptable, groupings of participants who can also exercise the protocol as a result of trusts existing among some of them. Formal methods are developed to analyze trust as a fundamental dimension in security protocol analysis and proof.

Proceedings Article • DOI: 10.1109/CSFW.1993.246632
Abstract machines for communication security
Pierre Bieber (Community emergency response team), Nora Boulahia-Cuppens (Community emergency response team), T. Lehmann, E. van Wickeren
15 Jun 1993
TL;DR: The authors show on an example how basic specifications of a communication channel, cryptographic functions and security properties may be combined in order to write abstract specifications of cryptographic protocols and to verify their security.
Abstract: An existing formal software development method called B is used to build and verify specifications of a communication channel, cryptographic functions and security properties. The authors show on an example how these basic specifications may be combined in order to write abstract specifications of cryptographic protocols and to verify their security.

Using Logics to Detect Implementation-Dependent Flaws
Ulf Carlsen
1 Jan 1993
TL;DR: The epistemic logic CKT5 is modified and shown to operate at a sufficiently detailed level to capture implementation-dependent flaws.
Abstract: Vulnerabilities may be introduced at all stages of cryptographic protocol design. Reasoning about a protocol at a functional level does not unveil flaws which are inherently implementation-dependent. This document uncovers a potential implementation-dependent flaw in a previously published protocol. Formal techniques should be able to analyse protocols with respect to such flaws. The epistemic logic CKT5 is modified and shown to operate at a sufficiently detailed level to capture implementation-dependent flaws.

The Definitions of Managed Objects for the Security Protocols of the Point-to-Point Protocol
F. Kastenholz
1 Jun 1993

Journal Article • DOI: 10.1109/49.223870
A new method for analyzing the security of cryptographic protocols
M.J. Toussaint
01 Jun 1993, IEEE Journal on Selected Areas in Communications
TL;DR: The author proves the probabilistic properties of the cryptographic protocols and models the possible attacks on these protocols and applies this method to well-known protocols like the Kerberos authentication protocol and the X.509 standard.
Abstract: A formal method for analyzing the security of cryptographic protocols is presented. This method is based on an original representation of the participants' knowledge. The author proves the probabilistic properties of the cryptographic protocols and models the possible attacks on these protocols. This method is applied to well-known protocols like the Kerberos authentication protocol and the X.509 standard.

Proceedings Article • DOI: 10.1109/CSAC.1993.315453
Using logics to detect implementation-dependent flaws [cryptographic protocol design]
U. Carlsen (École Normale Supérieure)
6 Dec 1993
TL;DR: The epistemic logic CKT5 is modified and shown to operate at a sufficiently detailed level to capture implementation-dependent flaws.
Abstract: Vulnerabilities may be introduced at all stages of cryptographic protocol design. Reasoning about a protocol at a functional level does not unveil flaws which are inherently implementation-dependent. This paper uncovers a potential implementation-dependent flaw in a previously published protocol. Formal techniques should be able to analyse protocols with respect to such flaws. The epistemic logic CKT5 is modified and shown to operate at a sufficiently detailed level to capture implementation-dependent flaws.

Report • DOI: 10.21236/ADA272060
Standard ML Signatures for a Protocol Stack
Edoardo Biagioni, Robert Harper, Peter Lee
1 Oct 1993
TL;DR: This paper describes the design of a protocol stack implemented in Standard ML, which includes both a generic signature which generalizes all the protocol modules, and individual signatures specific to each protocol module.
Abstract: This paper describes the design of a protocol stack implemented in Standard ML. Standard ML's signatures are a language construct which can be used to specify or constrain the interface of a module. The design includes both a generic signature which generalizes all the protocol modules, and individual signatures specific to each protocol module. The specific signatures all inherit from the generic signature. The implementation of each protocol is parametrized, so protocols can be composed into custom protocol stacks. The parameter to each protocol is constrained only by the generic signature, and this lets any protocol instance satisfying a specific signature be used as the parameter to any other protocol. As a result, the design and implementation are highly modular, and syntactic compatibility between modules is checked by the compiler. To provide some context for the discussion of the signatures, some of the details of the implementation are also presented.

Proceedings Article • DOI: 10.1109/RISP.1993.287644
Protocol design for integrity protection
S.G. Stubblebine, V.D. Gligor
24 May 1993
TL;DR: The authors present a design method for message integrity protection which is used to help discover and eliminate a vulnerability in the symmetric-key option of the privacy-enhanced electronic mail (PEM) protocol for the internet.
Abstract: The authors present a design method for message integrity protection. They illustrate the use of the method by designing large classes of message types whose integrity is provably preserved and by applying the method to the symmetric key option of the privacy-enhanced electronic mail protocol to help discover and eliminate an integrity vulnerability. The method is independent of the specific encryption system and checksum/digest functions used. It expresses desirable requirements for message integrity protection in terms of abstract encryption and checksum/digest properties, and relates these properties to the message type representation, and lifetime of the protocol run and keys used. The use of the method is illustrated by the design of a large class of message types whose integrity is provably preserved in the face of active intruder attacks. In particular, the method is used to help discover and eliminate a vulnerability in the symmetric-key option of the privacy-enhanced electronic mail (PEM) protocol for the internet.

Patent
User defined cryptographic function facility
Dennis G. Abraham, Daniela Henningsmeyer, John Matthew Hudson, Donald B. Johnson, An V. Le, Stephen M. Matyas, James Virgle Stevens (all IBM)
1 Feb 1993
TL;DR: In this article, a user defined function (UDF) facility is provided which provides users with the capability of defining and creating custom functions to meet their cryptographic processing needs, and the UDFs are loaded into and executed in the secure area of the cryptographic module without compromising the total security of the transaction security system.
Abstract: In a cryptographic module, a User Defined Function (UDF) facility is provided which provides users with the capability of defining and creating custom functions to meet their cryptographic processing needs. The cryptographic module is contained within a physically and logically secure environment and comprises a processing unit and memory connected to the processing unit. The memory includes code for translating User Defined Functions (UDFs) into a machine-readable form and at least one command for operating on the UDFs. The UDFs are loaded into and executed in the secure area of the cryptographic module without compromising the total security of the transaction security system.

Evaluating Cryptographic Protocols
Alec Yasinsac, William A. Wulf
22 Dec 1993
TL;DR: The weakness injected into protocols when information is passed in the clear or encrypted only under the private key of a public/private key pair is addressed.
Abstract: Cryptographic Protocol (CP) analysis is a topic of intense research. Meadows describes four approaches for CP verification under investigation in [MEA92] and several authors have categorized protocols based on types of errors they are subject to [BIRD92], [SYV93a],[SYV93b]. This paper addresses the weakness injected into protocols when information is passed in the clear or encrypted only under the private key of a public/private key pair. We also propose a method for logically analyzing protocols based on action list analysis of valid and compromised protocol runs and of valid protocol runs interleaved with action lists of intruders conducting known attacks. Section

Proceedings Article • DOI: 10.1109/ICUPC.1993.528374
A novel method for key exchange and authentication with cellular network applications
G. Coomaraswamy (Northwestern University), S.P.R. Kumar (Northwestern University)
12 Oct 1993
TL;DR: A cryptographic scheme is proposed that allows to ensure the ongoing authenticity and security of connections in a wireless network by combining a zero-knowledge authentication scheme and a public key exchange protocol in a novel way.
Abstract: As PCS evolves secure communication and authentication will become increasingly important. The authors propose a cryptographic scheme that allows to ensure the ongoing authenticity and security of connections in a wireless network. This is achieved by combining a zero-knowledge authentication scheme and a public key exchange protocol in a novel way. Due to the combination, both protocols gain additional security against attacks that would otherwise be successful. The scheme is applied to EIA/TIA-IS-41, the proposed standard for networking between mobile carriers.

Journal Article • DOI: 10.1016/0898-1221(93)90059-5
Server-aided honest computation for cryptographic applications
Sung-Ming Yen (National Cheng Kung University), Chi-Sung Laih (National Cheng Kung University)
01 Dec 1993, Computers & Mathematics With Applications
TL;DR: A novel approach is proposed for smart cards to perform signature validation and identification verification efficiently with the help of the powerful signature signer and the identity prover.
Abstract: A lot of discussions for smart card based identification and digital signature schemes have been considered in the literature. In this paper, a novel approach is proposed for smart cards to perform signature validation and identification verification efficiently with the help of the powerful signature signer and the identity prover.

A Calculus for Access Control in Distributed
Michael Burrows, Butler W. Lampson, Gordon Plotkin
1 Jan 1993
TL;DR: A multivalued FSK demodulation window comparator includes an MSB comparator, an LSB comparators, a reception electric field strength detector, and a reference voltage generating circuit.

Journal Article • DOI: 10.1147/SJ.323.0461
A public key extension to the common Cryptographic Architecture
An V. Le, Stephen M. Matyas, Donald B. Johnson, John D. Wilkins (all IBM)
01 Aug 1993, IBM Systems Journal
TL;DR: The public key extension to the CCA and the TSS implementation of this architectural extension are discussed, which provides nonrepudiation via digital signatures and an electronic means to distribute Data Encryption Algorithm key-encrypting keys in a hybrid Data Encryption Algorithm/Public Key Algorithm (DEA-PKA) cryptographic system.
Abstract: A new method for extending the IBM Common Cryptographic Architecture (CCA) to include public key cryptography is presented. The public key extension provides nonrepudiation via digital signatures and an electronic means to distribute Data Encryption Algorithm (DEA) key-encrypting keys in a hybrid Data Encryption Algorithm/Public Key Algorithm (DEA-PKA) cryptographic system. The improvements are based on a novel method for extending the control vector concept used in the IBM Common Cryptographic Architecture. Four new key types that separate the public and private key pairs into four classes according to their broad uses within the cryptographic system are defined. The public key extension to the CCA is implemented in the IBM Transaction Security System (TSS). This paper discusses both the public key extension to the CCA and the TSS implementation of this architectural extension.

Proceedings Article • DOI: 10.1145/168588.168614
Cryptanalysis and protocol failures (abstract)
Gustavus J. Simmons (Sandia National Laboratories)
1 Dec 1993
TL;DR: Examples will be given of key distribution protocols that distribute keys to unintended recipients, secrecy protocols that publicly reveal the contents of (supposedly) secret communications, digital signature protocols that make forgery easy — all based on cryptoalgorithms that are sound so far as is known.
Abstract: In this lecture examples will be given of key distribution protocols that distribute keys to unintended recipients, secrecy protocols that publicly reveal the contents of (supposedly) secret communications, digital signature protocols that make forgery easy — all based on cryptoalgorithms that are sound so far as is known. In at least one case the cryptographic algorithm that is employed is Vernam encryption/decryption with a properly chosen one time key which is well known to be unconditionally secure; in spite of which the protocol fails totally.

From the standpoint of applications there is scarcely any topic of greater importance than the cryptanalysis of protocols, since protocols are — in the vernacular of advertising — “where the rubber meets the road”, i.e. where the principles of cryptography get applied to the practice of insuring the integrity of information. The design and/or analysis of cryptographic algorithms is the domain of the mathematician and the cryptographer and can be carried out in large part without regard to applications. The design and analysis of protocols, however, is inextricably linked to the system in which the protocol is to be used, and originates with an application: the function of the protocol being to realize the integrity properties required by the application. Cryptographic algorithms are simply component elements in the design of protocols — and as we've indicated, the security of the one does not necessarily imply the security of the other. When expressed in this way, protocol failures do not seem so improbable or surprising as they do when described as defined above.

In real life though, almost every example of a true protocol failure is also an example of what can aptly be characterized as “Well I'll be damned” discoveries, since this describes the reaction of most people when they first have such a failure pointed out to them.

Similarly, if a protocol calls for one of the participants — who may be a “trusted” key generation bureau for example — to start by constructing a composite number as the product of two primes, chosen so as to make the factorization of their product be computationally infeasible, the suspicion must be that the product is not of this form. It is easy to verify in probability that a number is not a prime, and computationally feasible for numbers of a few hundred decimal digits in size to do so deterministically. It is generally believed by computational number theorists, however, that it is just as difficult to test whether a composite number is the product of more than two factors as it is to factor it. Consequently, if a protocol calls for such a composite number to be generated by one of the participants, it is essential in the cryptanalysis to examine whether there are any exploitable consequences of it being the product of more than two prime numbers. For example, it is easy to conceal a covert channel in a signature protocol that calls for the use of a modulus which is the product of two primes, if the modulus is the product of three primes instead.

There is a long list — too long for a single paper and much too long for an abstract — of examples of protocol failures that derive from a quantity not being what it is supposed to be, or what it is advertised to be. The two examples above should give the reader a feeling for what is involved in protocol analysis.

The cryptanalysis of protocols consists of three steps:

1. Carefully enumerate all of the properties of all of the quantities involved; both those explicitly stated in the protocol and those implicitly assumed in the setting.
2. Take nothing for granted. In other words go through the list of properties assuming that none of them are as they are claimed or tacitly assumed to be unless a proof technique exists to verify their nature. For each such violation of property, critically examine the protocol to see if this makes any difference in the outcome of the execution of the protocol. Combinations of parameters as well as single parameters must be considered.
3. Finally, if the outcome can be influenced as a result of a violation of one or more of the assumed properties, it is essential to then determine whether this can be exploited to advance some meaningful deception. There are several well known protocols in which it is possible to influence the outcome by violating the assumed properties of one or more of the parameters involved, but in which no known meaningful deception can be worked or furthered as a result. Protocol failures occur whenever the function of the protocol can be subverted as a consequence of the violations.

This lecture will illustrate the application of these rules for the cryptanalysis of protocols with several examples of pure protocol failures discovered using them.
