Abstract: A cryptography system architecture provides cryptographic functionality to support an application requiring encryption, decryption, signing, and verification of electronic messages. The cryptography system has a cryptographic application program interface (CAPI) which interfaces with the application to receive requests for cryptographic functions. The cryptographic system further includes at least one cryptography service provider (CSP) that is independent from, but dynamically accessible by, the CAPI. The CSP provides the cryptographic functionality and manages the secret cryptographic keys. In particular, the CSP prevents exposure of the encryption keys in a non-encrypted form to the CAPI or application. The cryptographic system also has a private application program interface (PAPI) to provide direct access between the CSP and the user. The PAPI enables the user to confirm or reject certain requested cryptographic functions, such as digitally signing the messages or exportation of keys.

Abstract: A system and method provide transparent integration of a smart card private key operations with an existing set of encryption services and system applications. A key store manager manages user key data, and handles requests for key operations from the system applications. A user information file stores user data, including user private keys for users that do not have smart cards, and an indication of those users that have smart cards. A set of system applications interfaces with the key store manager through encryption protocol specific application programming interfaces. Users connect to the system through terminals or remote computers that may be equipped with smart card readers. For users having smart cards, the key store manager forwards to the smart cards requests for private key operations, such as encryption or decryption with the user's private key, from the system applications. In this manner the user's private key cannot be compromised by exposure to the computer system. For users without smart cards the key store manager forwards the request for private key operation to an encryption service for handling. The key store manager may handle only requests for private key operations, with the system applications identifying and handling directly public key operations, or the key store manager may handle both private key and public key operations.

Abstract: The Kerberos authentication system is based on the trusted third-party Needham-Schroeder (1978) authentication protocol. The system is one of the few industry standards for authentication systems and its use is becoming fairly widespread. The system has some limitations, many of which are traceable to the decision of the Kerberos designers to solely use symmetric key cryptosystems. Using asymmetric (public-key) cryptosystems in an authentication protocol would prevent some of the shortcomings. Several such protocols have been proposed and some have been implemented. However, all these designs are either completely different from the Kerberos system, or require major changes to the basic system. Any attempts to improve Kerberos would do so with only minimal impact to the protocol and the source tree. In this work, we describe Yaksha, a new approach to achieving these goals. Yaksha uses as its building block an RSA (Rivest, Shamir & Adelman, 1978) algorithm variant independently invented by Boyd (1989) and by Ganesan and Yacobi (1994), in which the RSA private key is split into two portions. One portion becomes a user's Yaksha password, and the other the Yaksha server's password for that user. Using this simple but useful primitive, we show how we can blend the Kerberos system with a public-key infrastructure to create Yaksha, a more secure version of Kerberos, with minimal changes to the protocol. >

Abstract: An essential function for achieving security in computer networks is reliable authentication of communicating parties and network components. Such authentication typically relies on exchanges of cryptographic messages between the involved parties, which in turn implies that these parties be able to acquire shared secret keys or certified public keys. Provision of authentication and key distribution functions in the primitive and resource-constrained environments of low-function networking mechanisms, portable, or wireless devices presents challenges in terms of resource usage, system management, ease of use, efficiency, and flexibility that are beyond the capabilities of previous designs such as Kerberos or X.509. This paper presents a family of light-weight authentication and key distribution protocols suitable for use in the low layers of network architectures. All the protocols are built around a common two-way authentication protocol. The paper argues that key distribution may require substantially different approaches in different network environments and shows that the proposed family of protocols offers a flexible palette of compatible solutions addressing many different networking scenarios. The mechanisms are minimal in cryptographic processing and message size, yet they are strong enough to meet the needs of secure key distribution for network entity authentication. The protocols presented have been implemented as part of comprehensive security subsystem prototype called KryptoKnight. >

Abstract: A paging device includes a cryptographic function and a password accessed cryptographic key look-up table associating each stored key with a password. When an cryptographic message is collected by the paging device, the user can select a relatively long cryptographic key by entering a relatively shorter password. The paging device then applies a cryptographic function to a received message using a selected relatively long cryptographic key, the selection being a function of user entry of a relatively short password. Overall, paging messages in transit, i.e., while broadcast by radio signal, enjoy a high level of security by encryption with a relatively long cryptographic key by a message source. As accessed by the user, however, the cryptographic messages are reviewed in readable form by use of a relatively short password designating a relatively long stored cryptographic key.

Abstract: : We present a methodology to facilitate the design and analysis of secure cryptographic protocols. We advocate the general approach, and a new avenue for research, of restricting protocol designs to well-defined practices, instead of ever increasing the complexity of protocol security analysis mechanisms to deal with every newly discovered attack and the endless variations in protocol construction. In particular, we propose a novel notion of a fail-stop protocol, which automatically halts in response to any active attack that interferes with protocol execution, thus reducing protocol security analysis to that of passive attacks only. We suggest types of protocols that are fail-stop, outline some proof techniques for them, and use examples to illustrate how the notion of a fail-stop protocol can make protocol design easier and can provide a more solid basis for some available protocol analysis methods.

Abstract: An internal state machine controller in an integrated circuit containing a cryptographic implementation independently tests and verifies each of the encryption and decryption algorithms and modes within the implementation with minimal processor intervention. The cryptographic implementation automatically generates all input data and exercises all feedback modes independent of the core processor. Eliminating external test vectors results in a device less expensive to manufacture and verify. Since the cryptographic implementation tests are performed independent of the processor, other parts of the integrated circuit may be tested simultaneously with the testing of the cryptographic implementation. The processor loads in a single set of predetermined test vectors and then signals the state machine to start the testing of all the algorithms contained in the module. The output of each algorithm is used as the input of the next algorithm. The encrypted output from each algorithm is then fed back into the algorithms in reverse order and decrypted. At the end of this cycle the data returned should match the original data exactly. This is considered a cycle. The number of cycles is programmable depending on the test requirements and or fault coverage desired. In the preferred embodiment, the cryptographic implementation includes a cryptographic engine having encryption and decryption modes. Output Feedback (OFB), Electronic Codebook (ECB), Cipher Block Chaining (CBC), and Cipher Feedback (CFB) modes are supported in the preferred embodiment of the present invention.

Abstract: We use standard linear-time temporal logic to specify cryptographic protocols, model the system penetrator, and specify correctness requirements. The requirements are specified as standard safety properties, for which standard proof techniques apply. In particular, we are able to prove that the system penetrator cannot obtain a session key by any logical or algebraic techniques. We compare our work to Meadows' method. We argue that using standard temporal logic provides greater flexibility and generality, firmer foundations, easier integration with other formal methods, and greater confidence in the verification results.

Abstract: The paper describes an experimental key agile cryptographic system under design at MCNC. The system is compatible with ATM local- and wide-area networks. The system establishes and manages secure connections between hosts in a manner which is transparent to the end users and compatible with existing public network standards. A Cryptographic Unit supports hardware encryption and decryption at the ATM protocol layer. The system is SONET compatible and operates full duplex at the OC-12c rate (622 Mbps). Separate encryption keys are negotiated for each secure connection. Each Cryptographic Unit can manage more than 65,000 active secure connections. The Cryptographic Unit can be connected either in a security gateway mode referred to as a 'bump-in-the-fiber' or as a direct ATM host interface. Authentication and access control are implemented through a certificate-based system. The current status of the system is that hardware and software detail designs have been completed. An early version of the key management software has been completed and demonstrated. Hardware fabrication and systems integration are expected to take place over the next several months. Once completed the proof-of concept system will be used to explore issues of privacy, access control and authentication in relation to communications over emerging public networks. >

Abstract: We present new cryptographic protocols for multi-authority secret ballot elections that guarantee privacy, robustness, and universal verifiability. Application of some novel techniques, in particular the construction of witness hiding/indistinguishable protocols from Cramer, Damgaard and Schoenmakers, and the verifiable secret sharing scheme of Pedersen, reduce the work required by the voter or an authority to a linear number of cryptographic operations in the population size (compared to quadratic in previous schemes). Thus we get significantly closer to a practical election scheme.

Abstract: A data processing system has a security infrastructure, including a first cryptographic support facility, a security service for user data, including a further cryptographic support facility, and a number of cryptographic algorithms, usable by said cryptographic support facilities. In order to protect against a user replacing weak algorithms intended for the protection of data with strong algorithms intended for use by the security infrastructure, a challenge/response mechanism is provided, which enables the cryptographic support facilities to verify authenticity of the algorithms. The challenge/response mechanism is as follows. First, the cryptographic support facility sends a challenge to the algorithm. The algorithm then generates a response by applying a cryptographic function to the challenge, and returns the response to the cryptographic support facility. The cryptographic support facility then checks whether the response has an expected value. Only upon successful authentication does the algorithm reveal a pointer to a function table. The pointer is encrypted under a shared secret key to prevent an "attacker in the middle" attack.

Abstract: A cryptographic system enables a secure, but low-bandwidth, cryptographic module, such as a smartcard or PCMCIA device, to serve as a high-bandwidth secret-key encryption decryption engine which uses the processing power of an untrusted, but fast, host processor without revealing the secret key to that host processor.

Abstract: Some recent research on key distribution systems has focussed on analysing trust in authentication servers, and constructing key distribution protocols which operate using a number of authentication servers, which have the property that a minority of them may be untrustworthy. This paper proposes two key distribution protocols with multiple authentication servers using a cross checksum scheme. Both protocol are based on the use of symmetric encryption for verifying the origin and integrity of messages. In these protocols it is not necessary for clients to trust an individual authentication server. A minority of malicious and colluding servers cannot compromise security and can be detected. The first 'parallel' protocol can prevent a minority of servers disrupting the service. The second 'cascade' protocol has to work with other security mechanisms in order to prevent a server breaking the procedure by refusing to cooperate. As compared with other proposed protocols with similar properties these two protocols require less exchanged messages.

Abstract: We introduce the notion of security effectiveness, illustrate its use in the context of cryptographic protocol analysis, and argue that it requires analysis of protocol property dependencies. We provide examples to show that, without dependency analysis, the use of some logics for cryptographic protocol analysis yields results that are inconsistent or unrealistic in practice. We identify several types of property dependencies whose use in protocol analysis methods can yield realistic analyses.

Abstract: We propose a voting protocol that satisfies the requirements of secure voting in computer networks. By using the IC card, this protocol can be much more practical. Since the data is processed in advance by the CPU of the IC card, it reduces the loading of a voting system and the congestion of networks. We handle the voter's authentication with the Diffie-Hellman (1976) public key distribution (PKD) concept.

Abstract: Design of cryptographic protocols for authentication and key management is known to be a difficult problem. Although much research has been devoted to analysis techniques there remains a lack of basic design principles. In the paper a common method of protocol design is identified which contributes to protocol problems in a number of ways. This is the practice of encrypting all relevant fields using a reversible cryptographic transformation. A new design principle and a complementary notation are introduced which help protocol designers to identify what form of encryption is really required. Several examples are used to illustrate the problems and to show how the design principle and notation may be used in practice.

Abstract: Many cryptographic protocols depend on one and only problem, the one of factoring. This paper presents a new identification scheme whose security depends on an NP-complete problem from the theory of error correcting codes: the syndrome decoding problem. The computation complexity of the proposed scheme is smaller than those of the other schemes based on SD problem. Moreover the amount of memory needed by the prover is very small.

Abstract: History tells us that Julius Cesar shifted each letter in his messages to his generals by three places in the alphabet. The generals knew to shift back by three letters to read the message. Securing information for transfer between entities requires an agreement on how the information will be protected. Modern science and technology has brought more advanced methods of protecting information, but the basic need for an agreement between entities desiring to communicate securely still exists. In modern terms this agreement is a security association (SA). There are varying definitions of a security association in current standards and this paper attempts to clarify, these definitions. Security protocols requiring security associations as well as emerging protocols that establish and manage security associations are presented. If future global interoperability is to be provided securely one of the first building blocks will be the ability to negotiate and establish security associations. Therefore, issues that must be resolved for future global interoperability are discussed. Our work to create a network security research environment for future global needs is also presented.

Abstract: This paper presents extensions to a technique for specifying and analyzing nonmonotonic cryptographic protocols (NCP) that use asymmetric keys. We introduce new actions and inference rules, as well as slight modifications to the update function. An important observation is that reasoning about the origin of messages is quite different when dealing with asymmetric key protocols. We also introduce the notion that keys in certificates should be bound to the principals receiving them. We extend the technique to meet the binding requirements and show how the flaw in the Denning and Sacco (1981) public key protocol, that was discovered by Abadi and Needham (1994), is revealed. We demonstrate the extended technique using one protocol of our own and the Needham and Schroeder (1978) public key protocol. Finally, we introduce and analyze a fix to a known weakness in Needham and Schroeder's protocol using our extended technique.

Abstract: This informational RFC describes the basic mechanisms and functions of an identity based system for the secure authenticated exchange of cryptographic keys, the generation of signatures, and the authentic distribution of public keys.

Abstract: Reasoning about key escrow protocols has increasingly become an important issue. The Escrowed Encryption Standard (EES) has been proposed as a US government standard for the encryption of unclassified telecommunications. One unique feature of this system is key escrow. The purpose of key escrow is to allow government access to session keys shared by EES devices. We develop a framework to formally specify and verify the correctness of key escrow protocols that we mechanize within the HOL theorem proving system. Our logic closely follows the logic, SVO, used for analyzing cryptographic protocols which was developed by Syverson and vanOorschot [13]. Using the HOL mechanization of SVO, we formally demonstrate the failure of the EES key escrow system by showing that it does not insure that the escrow agent receives correct information. This was previously shown experimentally [2]. Last, we offer an alternative escrow protocol and demonstrate its correctness.

Abstract: A cryptographic protocol is an algorithm involving exchanges of encrypted information carried out by principals in a distributed environment. It is intended to produce secure communications, even if every message can be read by, or originate with, every principal. This paper gives a definitional HOL formalization of a “belief logic” based on the full Gong, Needham, and Yahalom [2] logic for analyzing whether protocols achieve desired communication conditions. This gives the “belief logic” a sound formal basis. The paper also sketches the algorithm for a possible HOL tactic automatically constructing proofs that protocols achieve desired communication conditions if they do achieve them.

Abstract: The Spanish broadband program (PLANBA) coordinates several research projects in broadband communications. This paper is focused on one of these projects, called Cripto, designed to provide secure communications between multimedia terminals joined to the PLANBA (B-ISDN) network. The architecture of the security system, as well as the logical placement of the security services, has been chosen according to the multimedia terminal architecture. We also present the key-management protocol proposed as a result of our work in the Cripto project. The threats to be protected against, the number of users in the network, their behaviour and the cost that we are willing to assume are the main considerations to correctly devise these protocols. The definition of the most suitable protocol has been closely related with the cryptographic operator previously selected.

Abstract: The authors demonstrate replay attacks on two authentication and key distribution protocols proposed by Bull, Gong and Sollins (1992). The observations leading to the attacks are used intuitively to arrive at more robust versions of the protocols.

Abstract: A new protection boundary model for internetwork security is presented, and a security protocol suitable for the model proposed. Intermediate systems of the model do not fulfill security of service or confidentiality but authentication and integrity. The system does not require that the intermediate systems be fully secure, thus it is practical and can be easily implemented. Data between destination hosts are also protected through the confidentiality service, for which session keys are distributed under the proposed protocol with peer entity authentication.

Abstract: This paper discusses a cryptographic protocol to evaluate an and-gate such that a party can keep his or her input bit secret from the other party. Such a protocol is of interest, because it can be generalized to any logical circuit for any number of participants. A formal statement of this generalization reads as follows: n participants want to compute together a function f(x1; x2; :::; xn) with xi being their inputs; nobody wants to reveal information about his or her input except what can be logically be deduced from one's input and the output. The paper contains no new results but provides an illustration of a sub-eld of cryptography, and describes several interesting protocols and protocol design techniques.

Abstract: This paper presents a new approach for secure IN internetworking. Based on a threat analysis, an adequate cryptographic protocol is proposed to address the derived security concerns. The cryptographic protocol presented is based on the recently published standardization framework ISO/IEC CD11770-3.