Scispace (Formerly Typeset)
Showing papers on "Cryptographic protocol published in 1998"
Journal Article•10.3233/JCS-1998-61-205•
The inductive approach to verifying cryptographic protocols

Lawrence C. Paulson1•
University of Cambridge1
01 Jan 1998-Journal of Computer Security
TL;DR: Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions, which are based on ordinary predicate calculus and cope with infinite-state systems.
Abstract: Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol (Bull and Otway, 1997) (which is of variable length). One can prove that event ev always precedes event ev' or that property P holds provided X remains secret. Properties can be proved from the viewpoint of the various principals: say, if A receives a final message from B then the session key it conveys is good.

1,042 citations

Proceedings Article•10.1145/276698.276723•
Protecting data privacy in private information retrieval schemes

Yael Gertner1, Yuval Ishai2, Eyal Kushilevitz2, Tal Malkin3•
University of Pennsylvania1, Technion – Israel Institute of Technology2, Massachusetts Institute of Technology3
23 May 1998
TL;DR: In this paper, the authors introduce a model of symmetrically private information retrieval (SPIR), where the privacy of the data, as well as the privacy of the user, is guaranteed.
Abstract: Private information retrieval (PIR) schemes allow a user to retrieve the ith bit of an n-bit data string x, replicated in $k \geq 2$ databases (in the information-theoretic setting) or in $k \geq 1$ databases (in the computational setting), while keeping the value of i private. The main cost measure for such a scheme is its communication complexity. In this paper we introduce a model of symmetrically-private information retrieval (SPIR), where the privacy of the data, as well as the privacy of the user, is guaranteed. That is, in every invocation of a SPIR protocol, the user learns only a single physical bit of x and no other information about the data. Previously known PIR schemes severely fail to meet this goal. We show how to transform PIR schemes into SPIR schemes (with information-theoretic privacy), paying a constant factor in communication complexity. To this end, we introduce and utilize a new cryptographic primitive, called conditional disclosure of secrets, which we believe may be a useful building block for the design of other cryptographic protocols. In particular, we get a k-database SPIR scheme of complexity $O(n^{1/(2k-1)})$ for every constant $k \geq 2$ and an $O(\log n)$-database SPIR scheme of complexity $O(\log^2 n \cdot \log\log n)$. All our schemes require only a single round of interaction, and are resilient to any dishonest behavior of the user. These results also yield the first implementation of a distributed version of $\binom{n}{1}$-OT (1-out-of-n oblivious transfer) with information-theoretic security and sublinear communication complexity.

581 citations

Proceedings Article•10.1109/SECPRI.1998.674832•
Strand spaces: why is a security protocol correct?

F.J.T. Fabrega1, Jonathan Herzog1, Joshua D. Guttman1•
Mitre Corporation1
3 May 1998
TL;DR: This paper applies the strand space formalism to prove the correctness of the Needham-Schroeder-Lowe protocol and proves a generally useful lemma, as a sample result giving a general bound on the abilities of the penetrator in any protocol.
Abstract: A strand is a sequence of events; it represents either the execution of an action by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds. In this paper, we develop the notion of a strand space. We then prove a generally useful lemma, as a sample result giving a general bound on the abilities of the penetrator in any protocol. We apply the strand space formalism to prove the correctness of the Needham-Schroeder-Lowe protocol (G. Lowe, 1995, 1996). Our approach gives a detailed view of the conditions under which the protocol achieves authentication and protects the secrecy of the values exchanged. We also use our proof methods to explain why the original Needham-Schroeder (1978) protocol fails. We believe that our approach is distinguished from other work on protocol verification by the simplicity of the model and the ease of producing intelligible and reliable proofs of protocol correctness even without automated support.

479 citations

Proceedings Article•10.1109/SECPRI.1998.674825•
Efficient and practical fair exchange protocols with off-line TTP

Feng Bao, Robert H. Deng, Wenbo Mao1•
Hewlett-Packard1
3 May 1998
TL;DR: The protocols presented here are the first exchange protocols which use offline TTP and at the same time guarantee true fair exchange of digital messages and introduce a novel cryptographic primitive, called the Certificate of Encrypted Message Being a Signature (CEMBS), as the basic building block of the fair exchange protocols.
Abstract: We present protocols for fair exchange of electronic data (digital signatures, payment and confidential data) between two parties A and B. Novel properties of the proposed protocols include: 1) offline trusted third party (TTP), i.e., TTP does not take part in the exchange unless one of the parties behaves improperly; 2) only three message exchanges are required in the normal situation; 3) true fair exchange, i.e., either A and B obtain each other's data or no party receives anything useful; no loss can be incurred to a party no matter how maliciously the other party behaves during the exchange. This last property is in contrast to previously proposed protocols with offline TTP ([1] and [21]), where a misbehaving party may get another party's data while refusing to send his document to the other party, and the TTP can provide affidavits attesting to what happened during the exchange. To our knowledge, the protocols presented here are the first exchange protocols which use offline TTP and at the same time guarantee true fair exchange of digital messages. We introduce a novel cryptographic primitive, called the Certificate of Encrypted Message Being a Signature (CEMBS), as the basic building block of the fair exchange protocols. It is used to prove that an encrypted message is a certain party's signature on a public file, without revealing the signature. We also give two examples to show in detail how the certificate can be constructed.

349 citations

Patent•
Leak-resistant cryptographic method and apparatus

Paul C. Kocher1, Joshua M. Jaffe1•
Cryptography Research1
31 Dec 1998
TL;DR: In this article, a self-healing property is introduced, enabling security to be continually re-established following partial compromises, and a typical leak-resistant cryptographic operation modifies or updates (330) secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system.
Abstract: The present invention provides a method and apparatus for securing cryptographic devices against attacks involving external monitoring and analysis. A 'self-healing' property is introduced, enabling security to be continually re-established following partial compromises. In addition to producing useful cryptographic results, a typical leak-resistant cryptographic operation modifies or updates (330) secret key material in a manner designed to render useless any information about the secrets that may have previously leaked from the system. Exemplary leak-proof and leak-resistant implementations of the invention are shown for symmetric authentication (350), certified Diffie-Hellman (when either one or both users have certificates), RSA, ElGamal public key decryption (303).

252 citations

Patent•
Cryptographic co-processor

Michael M. Kaplan, Robert Walker Doud, Bronislav Kavsan, Timothy Ober, Peter Reed 
16 Sep 1998
TL;DR: A secure communication platform on an integrated circuit is a highly integrated security processor which incorporates a general purpose digital signal processor (DSP) (62), along with a number of high performance cryptographic function elements, as well as a PCI and PCMCIA (14) interface.
Abstract: A secure communication platform on an integrated circuit is a highly integrated security processor which incorporates a general purpose digital signal processor (DSP) (62), along with a number of high performance cryptographic function elements, as well as a PCI and PCMCIA (14) interface. The secure communications platform is integrated with an off-the-shelf DSP so that a vendor who is interested in digital signal processing could also receive built-in security functions which cooperate with the DSP. The integrated circuit includes a callable library of cryptographic commands and encryption algorithms. An encryption processor is included to perform key and data encryption, as well as a high performance hash processor and a public key accelerator (28).

245 citations

Patent•
Method and apparatus for secure processing of cryptographic keys

Son Trung Vu, Quang Phan
29 Apr 1998
TL;DR: In this article, a method and apparatus for secure processing of cryptographic keys is presented, wherein a cryptographic key stored on a token is processed in a secure processor mode using a secure memory.
Abstract: A method and apparatus for secure processing of cryptographic keys, wherein a cryptographic key stored on a token is processed in a secure processor mode using a secure memory. A main system processor is initialized into a secure processing mode, which cannot be interrupted by other interrupts, during a power-on sequence. A user enters a Personal Identification Number (PIN) to unlock the cryptographic key stored on the token. The cryptographic key and associated cryptographic program are then loaded into the secure memory. The secure memory is locked to prevent access to the stored data from any other processes. The user is then prompted to remove the token and the processor exits the secure mode and the system continues normal boot-up operations. When an application requests security processing, the cryptographic program is executed by the processor in the secure mode such that no other programs or processes can observe the execution of the program. Two-factor authentication is thus obtained without the need for any additional hardware.

228 citations

Proceedings Article•10.1109/CSFW.1998.683159•
Towards a completeness result for model checking of security protocols

Gavin Lowe1•
University of Leicester1
9 Jun 1998
TL;DR: The author presents sufficient conditions on the protocol and its environment such that if there is no attack upon a particular small system leading to a breach of secrecy (using a fairly strong definition of secrecy), then there will be no attack on any larger system leading to a breach of secrecy.
Abstract: Model checking approaches to the analysis of security protocols have proved remarkably successful. The basic approach is to produce a model of a small system running the protocol, together with a model of the most general intruder who can interact with the protocol, and then to use a state exploration tool to search for attacks. This has led to a number of new attacks upon protocols being discovered. However if no attack is found, this only tells one that there is no attack upon the small system modelled; there may be an attack upon some larger system. This is the question considered in the paper: the author presents sufficient conditions on the protocol and its environment such that if there is no attack upon a particular small system (with one honest agent for each role of the protocol) leading to a breach of secrecy (using a fairly strong definition of secrecy), then there is no attack on any larger system leading to a breach of secrecy (using a more general definition of secrecy).

185 citations

Book Chapter•10.1007/978-0-387-35358-6_10•
Using state space exploration and a natural deduction style message derivation engine to verify security protocols

Edmund M. Clarke1, Somesh Jha1, Wilfredo R. Marrero1•
Carnegie Mellon University1
8 Jun 1998
TL;DR: A method of verifying security protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model and includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol.
Abstract: As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them.

133 citations

Journal Article•10.1103/PHYSREVA.57.2383•
Security of quantum cryptography against individual attacks

Boris Slutsky1, Ramesh R. Rao1, Pang Chen Sun1, Yeshaiahu Fainman1•
University of California, San Diego1
01 Apr 1998-Physical Review A
TL;DR: This work investigates the relationship between the induced error rate and the maximum amount of information the eavesdropper can extract, in both the two- and four-state quantum cryptographic protocols; measuring the eavesdropper's advantage in Renyi rather than Shannon information alters both the maximum extractable information and the optimal eavesdropping attack.
Abstract: An attempt to eavesdrop on a quantum cryptographic channel reveals itself through errors it inevitably introduces into the transmission. We investigate the relationship between the induced error rate and the maximum amount of information the eavesdropper can extract, in both the two-state B92 [B92 refers to the work of C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992)] and the four-state BB84 [BB84 refers to the work of C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175–179] quantum cryptographic protocols. In each case, the optimal eavesdropping method that on average yields the most information for a given error rate is explicitly constructed. Analysis is limited to eavesdropping strategies where each bit of the quantum transmission is attacked individually and independently from other bits. Subject to this restriction, however, we believe that all attacks not forbidden by physical laws are covered. Unlike previous work, the eavesdropper's advantage is measured in terms of Renyi (rather than Shannon) information, and with respect only to bits received error-free by Bob (rather than all bits). This alters both the maximum extractable information and the optimal eavesdropping attack. The result can be used directly at the privacy amplification stage of the protocol to accomplish secure communication over a noisy channel.

131 citations

Book Chapter•10.1007/3-540-49380-8_13•
Secure Copyright Protection Techniques for Digital Images

Alexander Herrigel, Joseph Ó Ruanaidh1, Holger Petersen, Shelby Pereira1, Thierry Pun1 •
University of Geneva1
14 Apr 1998
TL;DR: A system for generating digital watermarks and for trading watermarked images is described, based on a new watermarking technique, which is robust against image transformation techniques such as compression, rotation, translation, scaling and cropping.
Abstract: This paper presents a new approach for the secure and robust copyright protection of digital images. A system for generating digital watermarks and for trading watermarked images is described. The system is based on a new watermarking technique, which is robust against image transformation techniques such as compression, rotation, translation, scaling and cropping. It uses modulation of the magnitude components in Fourier space to embed a watermark and an accompanying template and, during watermark extraction, reads a template in the log polar transform of the frequency domain. The template is used for analyzing scaling and rotation suffered by the watermarked stego-image. The detection of the watermarks is also possible without any need for the original cover-image. In addition, the system applies asymmetric cryptographic protocols for different purposes, namely embedding/detecting the watermark and transferring watermarked data. The public key technique is applied for the construction of a one-way watermark embedding and the verification function to identify and prove the uniqueness of the watermark. Legal dispute resolution is supported for the multiple watermarking of a digital image without revealing the confidential keying information.
Patent•
Method of transparent encryption and decryption for an electronic document management system

Stephen Zizzi
7 May 1998
TL;DR: In this paper, a software module is added to an electronic document management system which traps file I/O events and performs cryptographic functions on the relevant documents before passing control back to the EDM system.
Abstract: Cryptographic methods and systems are disclosed. The cryptographic methods provide transparent encryption and decryption of documents in an electronic document management system. The cryptographic system adds a software module to an electronic document management system which traps file I/O events and performs cryptographic functions on the relevant documents before passing control back to the electronic document management system.
Book Chapter•10.1007/3-540-48892-8_19•
Fast DES Implementation for FPGAs and Its Application to a Universal Key-Search Machine

Jens-Peter Kaps1, Christof Paar1•
Worcester Polytechnic Institute1
17 Aug 1998
TL;DR: This work designed, implemented and compared various architecture options of DES, using the Data Encryption Standard as an example algorithm, and found that it could achieve encryption rates beyond 400 Mbit/s using a standard Xilinx FPGA.
Abstract: Most modern security protocols and security applications are defined to be algorithm independent, that is, they allow a choice from a set of cryptographic algorithms for the same function. Although an algorithm switch is rather difficult with traditional hardware, i.e., ASIC, implementations, Field Programmable Gate Arrays (FPGAs) offer a promising solution. Similarly, an ASIC-based key search machine is in general only applicable to one specific encryption algorithm. However, a key-search machine based on FPGAs can also be algorithm independent and thus be applicable to a wide variety of ciphers. We researched the feasibility of a universal key-search machine using the Data Encryption Standard (DES) as an example algorithm. We designed, implemented and compared various architecture options of DES with strong emphasis on high-speed performance. Techniques like pipelining and loop unrolling were used and their effectiveness for DES on FPGAs investigated. The most interesting result is that we could achieve encryption rates beyond 400 Mbit/s using a standard Xilinx FPGA. This result is by a factor of about 30 faster than software implementations while we are still maintaining flexibility. A DES cracker chip based on this design could search 6.29 million keys per second.
Posted Content•
Security and Composition of Multi-party Cryptographic Protocols.

Ran Canetti
01 Jan 1998-IACR Cryptology ePrint Archive
Book Chapter•10.1007/BFB0055475•
Secure Group Barter: Multi-party Fair Exchange with Semi-Trusted Neutral Parties

Matthew K. Franklin1, Gene Tsudik2•
AT&T Labs1, Information Sciences Institute2
23 Feb 1998
TL;DR: This paper develops a classification of types of barter schemes and presents new cryptographic protocols for multi-party exchange with fairness and assumes the presence of a “semi-trusted neutral party”.
Abstract: The recent surge in popularity of e-commerce prompted a lot of activity in the area of electronic payments. Solutions have been developed for cash, credit card and check-based electronic transactions. Much less attention has been paid to non-monetary commerce such as barter. In this paper we discuss the notion of “secure group barter” or multi-party fair exchange. We develop a classification of types of barter schemes and present new cryptographic protocols for multi-party exchange with fairness. These protocols assume the presence of a “semi-trusted neutral party”.
Book Chapter•10.1007/BFB0054141•
Strengthened security for blind signatures

David Pointcheval1, David Pointcheval2•
École Normale Supérieure1, University of Caen Lower Normandy2
31 May 1998
TL;DR: This paper presents a new approach to achieve some kind of provable security using the so-called “random oracle model”, which aims to improve the efficiency of cryptographic protocols.
Abstract: Provable security is a very nice property for cryptographic protocols. Unfortunately, in many cases, this is at the cost of a considerable loss in terms of efficiency. More recently, a new approach to achieve some kind of provable security was explored using the so-called “random oracle model”.
Patent•
Host system elements for an international cryptography framework

Helmut Fieres1, Roger Merckling1, Keith Klemba1•
Hewlett-Packard1
12 Mar 1998
TL;DR: The International Cryptography Framework (ICF) as discussed by the authors is a set of service elements which allow applications to exercise cryptographic functions under the control of a policy, and it includes the host system, cryptographic unit, policy activation token, and network security server.
Abstract: An international cryptography framework (ICF) is provided that allows manufacturers to comply with varying national laws governing the distribution of cryptographic capabilities. In particular, such a framework makes it possible to ship worldwide cryptographic capabilities in all types of information processing devices (e.g. printers, palm-tops). The ICF comprises a set of service elements which allow applications to exercise cryptographic functions under the control of a policy. The four core elements of the ICF architecture, i.e. the host system, cryptographic unit, policy activation token, and network security server, comprise an infrastructure that provides cryptographic services to applications. Applications that request cryptographic services from various service elements within the ICF are identified through a certificate to protect against misuse of a granted level of cryptography. The host system comprises a set of system programs and services which provide the application with an execution environment. The host system's role within the ICF is twofold. First, the host system provides services to the application in the form of programming interfaces to access the functions offered by the cryptographic unit. Second, the host system provides support for the cryptographic unit in building trust relationships to the host system elements, such as the cryptographic programming interfaces, operating systems drivers, and memory management subsystems.
Book Chapter•10.1007/BFB0055477•
A Formal Specification of Requirements for Payment Transactions in the SET Protocol

Catherine Meadows, Paul Syverson
23 Feb 1998
TL;DR: Payment transactions in the SET (Secure Electronic Transaction) protocol are described and requirements for SET are discussed and formally represented in a version of NPATRL (the NRL Protocol Analyzer Temporal Requirements Language).
Abstract: Payment transactions in the SET (Secure Electronic Transaction) protocol are described. Requirements for SET are discussed and formally represented in a version of NPATRL (the NRL Protocol Analyzer Temporal Requirements Language). NPATRL is a language for expressing generic requirements, heretofore applied to key distribution or key agreement protocols. Transaction vectors and other new constructs added to NPATRL for reasoning about SET payment transactions are described along with properties of their representation.
Proceedings Article•10.1109/CSFW.1998.683160•
Efficient finite-state analysis for large security protocols

Vitaly Shmatikov1, Ulrich Stern1•
Stanford University1
9 Jun 1998
TL;DR: An optimization method for evaluating parameterized rule conditions, which are common in models of security protocols, is described and implemented in the Murφ verifier.
Abstract: The authors describe two state reduction techniques for finite-state models of security protocols. The techniques exploit certain protocol properties that they have identified as characteristic of security protocols. They prove the soundness of the techniques by demonstrating that any violation of protocol invariants is preserved in the reduced state graph. In addition, they describe an optimization method for evaluating parameterized rule conditions, which are common in models of security protocols. All three techniques have been implemented in the Murφ verifier.
Journal Article•10.1109/2.708449•
Security at the Internet layer

R. Oppliger
01 Sep 1998-IEEE Computer
TL;DR: The article overviews the proposed security architecture and the two main protocols (the IP Security Protocol and the Internet Key Management Protocol), describes the risks they address, and touches on some implementation requirements.
Abstract: The Internet Engineering Task Force is standardizing security protocols (IPsec protocols) that are compatible with IPv6 and can be retrofitted into IPv4. The protocols are transparent to both applications and users and can be implemented without modifying application programs. The current protocol versions were published as Internet drafts in March 1998. The article overviews the proposed security architecture and the two main protocols (the IP Security Protocol and the Internet Key Management Protocol), describes the risks they address, and touches on some implementation requirements. IPsec's major advantage is that it can provide security services transparently to both applications and users. Also, the application programs using IPsec need not be modified in any way. This is particularly important when securing application programs that are not available in source code, which is common today. This transparency sets IPsec apart from security protocols that operate above the Internet layer. At present, IPsec is likely to be used in conjunction with and complemented by other security technologies, mechanisms, and protocols. Examples include firewalls and strong authentication mechanisms for access control, and higher layer security protocols for end-to-end communication security. In the near future, however, as virtual private networking and corporate intranets and extranets mature, IPsec is likely to be deployed on a larger scale.
Proceedings Article•10.1109/LICS.1998.705647•
Secure implementation of channel abstractions

Martín Abadi1, Cédric Fournet2, Georges Gonthier3•
University of California, Santa Cruz1, Microsoft2, French Institute for Research in Computer Science and Automation3
21 Jun 1998
TL;DR: A simple high-level language is introduced that includes constructs for creating and using secure channels and a correctness theorem is obtained that implies that one can reason about programs in the high-level language without mentioning the subtle cryptographic protocols used in their lower-level implementation.
Abstract: Communication in distributed systems often relies on useful abstractions such as channels, remote procedure calls, and remote method invocations. The implementations of these abstractions sometimes provide security properties, in particular through encryption. In this paper we study those security properties, focusing on channel abstractions. We introduce a simple high-level language that includes constructs for creating and using secure channels. The language is a variant of the join-calculus and belongs to the same family as the pi-calculus. We show how to translate the high-level language into a lower-level language that includes cryptographic primitives. In this translation, we map communication on secure channels to encrypted communication on public channels. We obtain a correctness theorem for our translation; this theorem implies that one can reason about programs in the high-level language without mentioning the subtle cryptographic protocols used in their lower-level implementation.
Journal Article•
Cryptographic primitives for information authentication - state of the art

Bart Preneel
01 Jan 1998-Lecture Notes in Computer Science
TL;DR: The state of the art for cryptographic primitives that are used for protecting the authenticity of information is described: cryptographic hash functions and digital signature schemes; the first class can be divided into Manipulation Detection Codes (MDCs) and Message Authentication Codes (or MACs).
Abstract: This paper describes the state of the art for cryptographic primitives that are used for protecting the authenticity of information: cryptographic hash functions and digital signature schemes; the first class can be divided into Manipulation Detection Codes (MDCs, also known as one-way and collision resistant hash functions) and Message Authentication Codes (or MACs). The theoretical background is sketched, but most attention is paid to overview the large number of practical constructions for hash functions and to the recent developments in their cryptanalysis. It is also explained to what extent the security of these primitives can be reduced in a provable way to realistic assumptions.
Patent•
Method and apparatus for securing communication utilizing a security processor

David Carroll Challener1, Dhruv M. Desai1, Pankaj Rohatgi1, David R. Safford1•
IBM1
14 Sep 1998
TL;DR: In this paper, a method for communicating digital content between a content provider and a data processing system which is under the control of a content consumer, utilizing an insecure communication channel, such as the internet, is provided.
Abstract: A method is provided for communicating digital content between a content provider and a data processing system which is under the control of a content consumer, utilizing an insecure communication channel, such as the internet. A security processor is provided. The security processor is communicatively coupled to the data processing system of the consumer. The security processor receives and preprocesses encrypted digital content received from the insecure communication channel. The security processor includes a central processing unit for executing program instructions contained in digital content. The security processor includes a shared-secret decryption engine for receiving encrypted content and for utilizing a shared-secret key for producing decrypted digital content. Furthermore, the security processor includes a memory means for maintaining securely the shared-secret key within the security processor. This memory means is preferably secure from reverse engineering, whether electrical reverse engineering or mechanical reverse engineering. A security program is provided which is loaded onto the security processor and which is executable by the security processor. The security program includes a shared-secret encryption engine for receiving input and for utilizing the shared-secret key to produce cypheroutput based upon the input. The security program further includes a public key-private key decryption engine for receiving an encrypted input and utilizing a known public key and a private key to generate a decrypted output. Communications over the insecure communication channel between the content provider and the security processor are conducted utilizing the public key-private key algorithm, while communications between the security program and the security processor are conducted utilizing the shared-secret encryption protocol.
Patent•
Data management system and method for a limited capacity cryptographic storage unit

[...]

Roland Thomas Lockhart, Michael J. Wiener
3 Aug 1998
TL;DR: In this article, a data management system and method for a limited cryptographic storage unit, such as a smartcard or other hardware token, includes a cryptographic data manager that interfaces with the limited capacity cryptographic storage units and a data overflow memory coupled to the manager.
Abstract: A data management system and method for a limited cryptographic storage unit, such as a smartcard or other hardware token, includes a cryptographic data manager that interfaces with the limited capacity cryptographic storage unit and a data overflow memory coupled to the cryptographic data manager. The cryptographic data manager stores cryptographic data, such as decryption private keys or other secret cryptographic data, in the overflow memory from the limited capacity cryptographic storage unit based on a limited capacity storage unit data update condition. The cryptographic data manager may serve as a secondary cryptographic data manager that receives the cryptographic data from an original cryptographic data storage device, or primary storage device such as a server that generates the cryptographic data, that stores a history of the cryptographic data.
Journal Article•10.1109/35.722141•
Safety and security of programmable network infrastructures

[...]

Scott Alexander1, William A. Arbaugh, Angelos D. Keromytis, Jonathan M. Smith•
University of Pennsylvania1
01 Oct 1998-IEEE Communications Magazine
TL;DR: This article explains the impact the network service model and architecture have on safety and security, and provides a model with which policies can be translated into restrictions of a general system, which is illustrated with the Secure Active Network Environment (SANE) architecture.
Abstract: Safety and security are two reliability properties of a system. A "safe" system provides protection against errors of trusted users, while a "secure" system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure.
Proceedings Article•10.1109/HICSS.1998.654776•
An analysis of ethics as foundation of information security in distributed systems

[...]

J. Leiwo1, S. Heikkuri2•
Monash University1, Nokia2
6 Jan 1998
TL;DR: The new approach can be enforced within current technology, supports social behaviour of human beings, and is iterative allowing forming of larger secure communities by interconnecting existing secure groups.
Abstract: Security of distributed systems requires both technical and administrative foundations. Technical foundation is based on cryptographic measures and access control models, and is well understood. Administrative foundation is based on several non-technical layers added on top of technical communication protocols. Several models for secure interconnection of information systems suggest common ethics to be the uppermost layer and base for legal, managerial and operational procedures. Ethics as a foundation of secure interconnection of systems is critically analysed and several problems of ethical layer are identified. Considering this analysis, a new group and social contract layer is suggested on top of ethical layer. The new approach can be enforced within current technology, supports social behaviour of human beings, and is iterative allowing forming of larger secure communities by interconnecting existing secure groups.
Journal Article•
Protocols using anonymous connections: Mobile applications

[...]

Michael G. Reed, Paul Syverson, David M. Goldschlag
01 Jan 1998-Lecture Notes in Computer Science
TL;DR: In this paper, the authors describe security protocols that use anonymous channels as primitive, much in the way that key distribution protocols take encryption as primitive, and focus on the high-level anonymity goals of these protocols, much as abstracting away from encryption clarifies and emphasizes the high-level security goals of key distribution protocols.
Abstract: This paper describes security protocols that use anonymous channels as primitive, much in the way that key distribution protocols take encryption as primitive. This abstraction allows us to focus on high level anonymity goals of these protocols much as abstracting away from encryption clarifies and emphasizes high level security goals of key distribution protocols. The contributions of this paper are (1) a notation for describing such protocols, and (2) two protocols for location protected communication over a public infrastructure.
Proceedings Article•10.1109/ISIT.1998.709047•
On some cryptographic problems based on the general decoding problem

[...]

Thomas Johansson, Fredrik U. Jönsson
1 Jan 1998
TL;DR: A probabilistic algorithm for general decoding, with application to several cryptographic problems, is presented.
Abstract: A probabilistic algorithm for general decoding, with application to several cryptographic problems, is presented.
Book Chapter•10.1007/BFB0028734•
Finite-State Analysis of Security Protocols

[...]

John C. Mitchell1•
Stanford University1
28 Jun 1998
TL;DR: This short document, written to accompany the author's invited lecture, provides background information and references on finite-state methods that use standard model-checking tools.
Abstract: Several approaches have been developed for analyzing security protocols. These include specialized logics that formalize notions such as secrecy and belief, special-purpose automated tools for cryptographic protocol analysis, and methods that apply general theorem-proving or model-checking tools to security protocols. This short document, written to accompany the author's invited lecture, provides background information and references on finite-state methods that use standard model-checking tools.
Patent•
Cryptographic system and protocol for establishing secure authenticated remote access

[...]

A. Ian Vogelesang1, Carl V. Claunch1•
Hitachi1
12 Mar 1998
TL;DR: In this article, a novel use of the authentication factors provides resistance against various types of cryptanalysis including dictionary attacks and man-in-the-middle attacks, allows detection of prior occurrences of unauthorized parties successfully masquerading as an authorized party, and provides enhanced security in cryptosystems that rely on 'what you know' authentication factors such as passwords which are often weak in a cryptographic sense.
Abstract: A cryptographic protocol establishes shared secrets such as encryption/decryption keys by exchanging public signals generated from transformations of private signals and one or more authentication factors including 'what you know', 'what you have' and 'what you are' factors. A novel use of the authentication factors provides resistance against various types of cryptanalysis including dictionary attacks and man-in-the-middle attacks, allows detection of prior occurrences of unauthorized parties successfully masquerading as an authorized party, and provides enhanced security in cryptosystems that rely on 'what you know' authentication factors such as passwords which are often weak in a cryptographic sense.