Scispace (Formerly Typeset)
Showing papers on "Cryptographic protocol" published in 2004
Book
Foundations of Cryptography: Volume 2, Basic Applications
Goldreich Oded
10 May 2004
TL;DR: This second volume of Foundations of Cryptography contains a rigorous and systematic treatment of three basic applications: Encryption, Signatures, and General Cryptographic Protocols.
Abstract: Cryptography is concerned with the conceptualization, definition, and construction of computing systems that address security concerns. The design of cryptographic systems must be based on firm foundations. Building on the basic tools presented in the first volume, this second volume of Foundations of Cryptography contains a rigorous and systematic treatment of three basic applications: Encryption, Signatures, and General Cryptographic Protocols. It is suitable for use in a graduate course on cryptography and as a reference book for experts. The author assumes basic familiarity with the design and analysis of algorithms; some knowledge of complexity theory and probability is also useful. Also available: Volume I: Basic Tools 0-521-79172-3 Hardback $75.00 C

2,021 citations

Patent
Digital media distribution cryptography using media ticket smart cards
Kevin Kawakita
6 Jul 2004
TL;DR: The digital media distribution cryptography architecture (100) as mentioned in this paper is an architecture of public key cryptography, which is implemented in computer hardware, computer software, and communications protocols; furthermore, the hardware components involved are media ticket smart cards (880), media ticket smart card readers (900), media ticket readers (900), local area networks (LAN's), internet protocol (IP) wide area networks (928) (WANs), personal computers (820) (PC's), world wide web servers (824) (WWW), cryptographic media players (e.g.
Abstract: FIG. 7 of the drawings depicts an overall view of this invention, which relates to a new method or process for a system used to do digital media distribution in an architecture of public key cryptography called the digital media distribution cryptography architecture (100), which is implemented in computer hardware, computer software, and communications protocols; furthermore, the hardware components involved are media ticket smart cards (880), media ticket smart card readers (900), local area networks (924) (LAN's), internet protocol (IP) wide area networks (928) (WAN's), personal computers (820) (PC's), world wide web servers (824) (WWW), cryptographic media players (e.g. crypto-MP3 players) with built-in media ticket smart card readers (880), (900), (1004), cryptographic digital signal processors (932) (C-DSP's); furthermore, the software components involved are cryptographic key distribution programs, cryptographic mathematics algorithms, and cryptographic protocols.

312 citations

MIKEY: Multimedia Internet KEYing
Jari Arkko, Elisabetta Carrara, Fredrik Lindholm, Karl Norrman, Mats Näslund
1 Aug 2004
TL;DR: This document describes a key management scheme that can be used for real-time applications (both for peer-to-peer communication and group communication) and in particular, its use to support the Secure Real-time Transport Protocol is described in detail.
Abstract: This document describes a key management scheme that can be used for real-time applications (both for peer-to-peer communication and group communication). In particular, its use to support the Secure Real-time Transport Protocol is described in detail. Security protocols for real-time multimedia applications have started to appear. This has brought forward the need for a key management solution to support these protocols. [STANDARDS-TRACK]

289 citations

Proceedings Article (DOI 10.1109/INFCOM.2004.1354662)
SPREAD: enhancing data confidentiality in mobile ad hoc networks
Wenjing Lou, Wei Liu (University of Florida), Yuguang Fang (University of Florida)
7 Mar 2004
TL;DR: This work proposes and investigates a novel scheme, security protocol for reliable data delivery (SPREAD), to enhance the data confidentiality service in a mobile ad hoc network.
Abstract: Security is a critical issue in a mobile ad hoc network (MANET). We propose and investigate a novel scheme, security protocol for reliable data delivery (SPREAD), to enhance the data confidentiality service in a mobile ad hoc network. The proposed SPREAD scheme aims to provide further protection to secret messages from being compromised (or eavesdropped) when they are delivered across the insecure network. The basic idea is to transform a secret message into multiple shares by secret sharing schemes and then deliver the shares via multiple independent paths to the destination so that even if a small number of nodes that are used to relay the message shares are compromised, the secret message as a whole is not compromised. We present the overall system architecture and investigate the major design issues. We first describe how to obtain message shares using the secret sharing schemes. Then we study the appropriate choice of the secret sharing schemes and the optimal allocation of the message shares onto each path in order to maximize the security. The results show that the SPREAD is more secure and also provides a certain degree of reliability without sacrificing the security. Thirdly, the multipath routing techniques are discussed and the path set optimization algorithm is developed to find the multiple paths with the desired property, i.e., the overall path set providing maximum security. Finally, we present the simulation results to justify the feasibility and evaluate the effectiveness of SPREAD.

267 citations

Book Chapter (DOI 10.1007/978-3-540-24638-1_8)
Soundness of Formal Encryption in the Presence of Active Adversaries
Daniele Micciancio and Bogdan Warinschi (University of California, San Diego)
19 Feb 2004
TL;DR: This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.
Abstract: We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows one to express security properties and carry out proofs using a simple logic-based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.

267 citations

Posted Content
Pairing-Based Cryptographic Protocols: A Survey
Ratna Dutta, Rana Barua, Palash Sarkar (Indian Statistical Institute)
01 Jan 2004, IACR Cryptology ePrint Archive
TL;DR: In this article, the authors have tried to cover different cryptographic protocols based on bilinear pairings which possess, to the best of our knowledge, proper security proofs in the existing security models.
Abstract: Bilinear pairings such as the Weil pairing or the Tate pairing on elliptic and hyperelliptic curves have recently found applications in the design of cryptographic protocols. In this survey, we have tried to cover different cryptographic protocols based on bilinear pairings which possess, to the best of our knowledge, proper security proofs in the existing security models.

252 citations

Patent
Secure electronic message transport protocol
Michael LeMay, Jack Tan
10 Dec 2004
TL;DR: An electronic message transport protocol applies two distinct sub-protocols, namely, a message transport and an encryption key management protocol, which operate in tandem to provide enhanced security as discussed by the authors.
Abstract: An electronic message transport protocol applies two distinct sub-protocols, a message transport protocol and an encryption key management protocol, which operate in tandem to provide enhanced security. The protocol may employ an existing SMTP infrastructure to transport secure email messages, and a key server implementing the key management protocol to transport key packets associated with the secure email message. However, the protocol need not be limited to email, and may be applicable to other electronic message applications. The message transport protocol permits communicating parties to obscure their identities to enhance security. The key management protocol supports message security, and allows senders to control access to messages even after they have been transmitted. The message transport protocol permits the sender to encrypt the entire message and utilizes the key management protocol for exchange of necessary keys. The message transport protocol relies on a group addressing scheme to obscure individual sender and recipient identities.

251 citations

Proceedings Article (DOI 10.1109/ICME.2004.1394707)
Biometrics-based cryptographic key generation
Yao-Jen Chang, Wende Zhang, Tsuhan Chen
27 Jun 2004
TL;DR: The proposed framework differs from prior work in that user-dependent transforms are utilized to generate more compact and distinguishable features and a longer and more stable bitstream can be generated as the cryptographic key.
Abstract: Instead of using PINs and passwords as cryptographic keys that are either easy to forget or vulnerable to dictionary attacks, easy-to-carry and difficult-to-transfer keys can be generated based on user-specific biometric information. A framework is proposed to generate stable cryptographic keys from biometric data that is unstable in nature. The proposed framework differs from prior work in that user-dependent transforms are utilized to generate more compact and distinguishable features. Thereby, a longer and more stable bitstream can be generated as the cryptographic key. Experiments are performed on a face database to verify the feasibility of the proposed framework. The preliminary result is very encouraging.

235 citations

Proceedings Article (DOI 10.1109/SECPRI.2004.1301317)
Automatic proof of strong secrecy for security protocols
Bruno Blanchet (École Normale Supérieure)
9 May 2004
TL;DR: A new automatic technique for proving strong secrecy for security protocols that relies on an automatic translation of the protocol into Horn clauses, and a resolution algorithm on the clauses.
Abstract: We present a new automatic technique for proving strong secrecy for security protocols. Strong secrecy means that an adversary cannot see any difference when the value of the secret changes. Our technique relies on an automatic translation of the protocol into Horn clauses, and a resolution algorithm on the clauses. It requires important extensions with respect to previous work for the proof of (standard) secrecy and authenticity. This technique can handle a wide range of cryptographic primitives, and yields proofs valid for an unbounded number of sessions and an unbounded message space; it is also flexible and efficient. We have proved its correctness, implemented it, and tested it on several examples of protocols including JFK by W. Aiello et al. (2002).

227 citations

Book Chapter (DOI 10.1007/978-3-540-37621-7_9)
A Model for Delimited Information Release
Andrei Sabelfeld (Chalmers University of Technology), Andrew C. Myers (Cornell University)
01 Jan 2004, Lecture Notes in Computer Science
TL;DR: In this article, the authors introduce a new security property, delimited release, which is an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks.
Abstract: Much work on security-typed languages lacks a satisfactory account of intentional information release. In the context of confidentiality, a typical security guarantee provided by security type systems is noninterference, which allows no information flow from secret inputs to public outputs. However, many intuitively secure programs do allow some release, or declassification, of secret information (e.g., password checking, information purchase, and spreadsheet computation). Noninterference fails to recognize such programs as secure. In this respect, many security type systems enforcing noninterference are impractical. On the other side of the spectrum are type systems designed to accommodate some information leakage. However, there is often little or no guarantee about what is actually being leaked. As a consequence, such type systems are vulnerable to laundering attacks, which exploit declassification mechanisms to reveal more secret data than intended. To bridge this gap, this paper introduces a new security property, delimited release, an end-to-end guarantee that declassification cannot be exploited to construct laundering attacks. In addition, a security type system is given that straightforwardly and provably enforces delimited release.

226 citations

Journal Article (DOI 10.1109/TC.2004.31)
Group key agreement efficient in communication
Yongdae Kim (University of Minnesota), Adrian Perrig, Gene Tsudik
01 Jul 2004, IEEE Transactions on Computers
TL;DR: This work discusses and analyzes a specific group key agreement technique which supports dynamic group membership and handles network failures, such as group partitions and merges, and is simple, fault-tolerant, and well-suited for high-delay networks.
Abstract: In recent years, collaborative and group-oriented applications and protocols have gained popularity. These applications typically involve communication over open networks; security thus is naturally an important requirement. Group key management is one of the basic building blocks in securing group communication. Most prior research in group key management focused on minimizing computation overhead, in particular minimizing expensive cryptographic operations. However, continued advances in computing power have not been matched by a decrease in network communication delay. Thus, communication latency, especially in high-delay long-haul networks, increasingly dominates the key setup latency, replacing computation delay as the main latency contributor. Hence, there is a need to minimize the size of messages and, especially, the number of rounds in cryptographic protocols. Since most previously proposed group key management techniques optimize computational (cryptographic) overhead, they are particularly impacted by high communication delay. In this work, we discuss and analyze a specific group key agreement technique which supports dynamic group membership and handles network failures, such as group partitions and merges. This technique is very communication-efficient and provably secure against hostile eavesdroppers as well as various other attacks specific to group settings. Furthermore, it is simple, fault-tolerant, and well-suited for high-delay networks.

Journal Article (DOI 10.1103/PHYSREVA.69.052326)
Superselection rules and quantum protocols
Alexei Kitaev (California Institute of Technology), Dominic Mayers (California Institute of Technology; Université de Sherbrooke), John Preskill (California Institute of Technology)
21 May 2004, Physical Review A
TL;DR: The results show in particular that, if no assumptions are made about the computational power of the cheater, then secure quantum bit commitment and strong quantum coin flipping with arbitrarily small bias are impossible in a world subject to superselection rules.
Abstract: We show that superselection rules do not enhance the information-theoretic security of quantum cryptographic protocols. Our analysis employs two quite different methods. The first method uses the concept of a reference system—in a world subject to a superselection rule, unrestricted operations can be simulated by parties who share access to a reference system with suitable properties. By this method, we prove that if an n-party protocol is secure in a world subject to a superselection rule, then the security is maintained even if the superselection rule is relaxed. However, the proof applies only to a limited class of superselection rules, those in which the superselection sectors are labeled by unitary irreducible representations of a compact symmetry group. The second method uses the concept of the format of a message sent between parties—by verifying the format, the recipient of a message can check whether the message could have been sent by a party who performed charge-conserving operations. By this method, we prove that protocols subject to general superselection rules (including those pertaining to non-Abelian anyons in two dimensions) are no more secure than protocols in the unrestricted world. However, the proof applies only to two-party protocols. Our results show in particular that, if no assumptions are made about the computational power of the cheater, then secure quantum bit commitment and strong quantum coin flipping with arbitrarily small bias are impossible in a world subject to superselection rules.

A High Level Protocol Specification Language for Industrial Security-Sensitive Protocols
Yannick Chevalier, Luca Compagna, Jorge Cuellar (Siemens), Paul Hankes Drielsma (ETH Zurich), Jacopo Mantovani, Sebastian Moedersheim (ETH Zurich), Laurent Vigneron
1 Jan 2004
TL;DR: HLPSL is modular and allows for the specification of control flow patterns, data structures, alternative intruder models, and complex security properties; it is sufficiently high-level to be accessible to protocol engineers, yet easily translatable into a lower-level term-rewriting based language well-suited to model-checking tools.
Abstract: This paper presents HLPSL, a high level protocol specification language for the modelling of security-sensitive cryptographic protocols. This language enjoys a formal semantics based on Lamport's Temporal Logic of Actions. HLPSL is modular and allows for the specification of control flow patterns, data-structures, alternative intruder models, and complex security properties. It is sufficiently high-level to be accessible to protocol engineers (themselves not necessarily formal methods experts), yet easily translatable into a lower-level term-rewriting based language well-suited to model-checking tools. The accommodation of these contrasting features makes HLPSL able to easily specify modern, industrial-scale protocols on which existing specification languages only partially succeed.

Proceedings Article (DOI 10.1109/CSFW.2004.20)
Symmetric encryption in a simulatable Dolev-Yao style cryptographic library
Michael Backes and Birgit Pfitzmann (IBM)
28 Jun 2004
TL;DR: In this article, the authors show why symmetric encryption is harder to idealize in a way that allows general composition than existing primitives in this library, and discuss several approaches to overcome these problems.
Abstract: Recently we showed how to justify a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks and in arbitrary protocol environments. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives. A major primitive missing in that library so far is symmetric encryption. We show why symmetric encryption is harder to idealize in a way that allows general composition than existing primitives in this library. We discuss several approaches to overcome these problems. For our favorite approach we provide a detailed provably secure idealization of symmetric encryption within the given framework for constructing nested terms.

Journal Article (DOI 10.1109/TPDS.2004.1278104)
Secure group communication using robust contributory key agreement
Yair Amir (Johns Hopkins University), Yongdae Kim (University of Minnesota), Cristina Nita-Rotaru, John Schultz, J. Stanton (IEEE Computer Society), Gene Tsudik
01 May 2004, IEEE Transactions on Parallel and Distributed Systems
TL;DR: This work presents the first robust contributory key agreement protocol resilient to any sequence of group changes, and proves that it provides both virtual synchrony and the security properties of Group Diffie-Hellman, in the presence of any sequences of node failures, recoveries, network partitions, and heals.
Abstract: Contributory group key agreement protocols generate group keys based on contributions of all group members. Particularly appropriate for relatively small collaborative peer groups, these protocols are resilient to many types of attacks. Unlike most group key distribution protocols, contributory group key agreement protocols offer strong security properties such as key independence and perfect forward secrecy. We present the first robust contributory key agreement protocol resilient to any sequence of group changes. The protocol, based on the Group Diffie-Hellman contributory key agreement, uses the services of a group communication system supporting virtual synchrony semantics. We prove that it provides both virtual synchrony and the security properties of Group Diffie-Hellman, in the presence of any sequence of (potentially cascading) node failures, recoveries, network partitions, and heals. We implemented a secure group communication service, Secure Spread, based on our robust key agreement protocol and Spread group communication system. To illustrate its practicality, we compare the costs of establishing a secure group with the proposed protocol and a protocol based on centralized group key management, adapted to offer equivalent security properties.

Journal Article (DOI 10.3233/JCS-2004-123-406)
Types and effects for asymmetric cryptographic protocols
Andrew D. Gordon (Microsoft), Alan Jeffrey (DePaul University)
01 May 2004, Journal of Computer Security
TL;DR: The first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography is presented, using challenge/response types to support a variety of idioms used to guarantee message freshness.
Abstract: We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data possibly received from the opponent) via a subtype relation; (2) trust effects, to guarantee that tainted data does not, in fact, originate from the opponent; and (3) challenge/response types to support a variety of idioms used to guarantee message freshness. We illustrate the applicability of our system via protocol examples. This material is based upon work supported by the National Science Foundation under Grant No. 0208549.

Just Fast Keying in the Pi Calculus
Martín Abadi (University of California, Santa Cruz), Bruno Blanchet (Max Planck Society), Cédric Fournet (Microsoft)
1 Jan 2004
TL;DR: This paper formally analyzes JFK's core security properties and also other properties that are rarely articulated and rigorously studied, such as plausible deniability and resistance to denial-of-service attacks in the applied pi calculus.
Abstract: JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we formally analyze this protocol in the applied pi calculus (partly in terms of observational equivalences and partly with the assistance of an automatic protocol verifier). We treat JFK's core security properties and also other properties that are rarely articulated and rigorously studied, such as plausible deniability and resistance to denial-of-service attacks. In the course of this analysis, we found some ambiguities and minor problems, such as limitations in identity protection, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be more generally useful in the specification and verification of security protocols.

Patent
Secure remote electronic voting system and cryptographic protocols and computer programs employed
Andreu Riera Jorba, Jordi Castella Roca
14 Jun 2004
TL;DR: In this paper, the authors proposed a cryptographic voting method that employs interrelated cryptographic processes and protocols to provide reliability to vote casting, ballots recount, and verification of vote or poll results.
Abstract: The method employs interrelated cryptographic processes and protocols to provide reliability to vote casting, ballots recount, and verification of vote or poll results. These cryptographic processes and protocols jointly constitute a cryptographic voting scheme capable of meeting the specific reliability requirements of an electronic voting where voters remotely cast their votes. These reliability requirements include voter authentication and privacy; accurate results, the impossibility of coercion and sale of votes, verifying the final results and, if necessary, the secrecy of intermediate results before completing the vote or poll. The cryptographic voting method minimizes the confidence level to be placed on any of the electronic voting individual party and participants.

Book Chapter (DOI 10.1007/978-3-540-24852-1_16)
One-Round Protocols for Two-Party Authenticated Key Exchange
Ik Rae Jeong (Korea University), Jonathan Katz (University of Maryland, College Park), Dong Hoon Lee (Korea University)
8 Jun 2004
TL;DR: This work provides the first provably-secure one-round protocols for two-party AKE which achieve forward secrecy, and is the first to provide forward secrecy in the random oracle model.
Abstract: Cryptographic protocol design in a two-party setting has often ignored the possibility of simultaneous message transmission by each of the two parties (i.e., using a duplex channel). In particular, most protocols for two-party key exchange have been designed assuming that parties alternate sending their messages (i.e., assuming a bidirectional half-duplex channel). However, by taking advantage of the communication characteristics of the network it may be possible to design protocols with improved latency. This is the focus of the present work.

Proceedings Article (DOI 10.1109/SECPRI.2004.1301316)
Symmetric encryption in automatic analyses for confidentiality against active adversaries
Peeter Laud (University of Tartu)
9 May 2004
TL;DR: A technique for static analysis, correct with respect to complexity-theoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties, similar to Abadi and Rogaway.
Abstract: In this article we present a technique for static analysis, correct with respect to complexity-theoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to that of Abadi and Rogaway: we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns; they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.

Journal Article (DOI 10.1145/996943.996945)
Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm
Mihir Bellare (University of California, San Diego), Tadayoshi Kohno (University of California, San Diego), Chanathip Namprempre (Thammasat University)
01 May 2004, ACM Transactions on Information and System Security
TL;DR: The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet, as mentioned in this paper; however, the current SSH authenticated encryption mechanism is insecure.
Abstract: The secure shell (SSH) protocol is one of the most popular cryptographic protocols on the Internet. Unfortunately, the current SSH authenticated encryption mechanism is insecure. In this paper, we propose several fixes to the SSH protocol and, using techniques from modern cryptography, we prove that our modified versions of SSH meet strong new chosen-ciphertext privacy and integrity requirements. Furthermore, our proposed fixes will require relatively little modification to the SSH protocol and to SSH implementations. We believe that our new notions of privacy and integrity for encryption schemes with stateful decryption algorithms will be of independent interest.

Book Chapter (DOI 10.1007/978-3-540-24638-1_18)
A Universally Composable Mix-Net
Douglas Wikström (Swedish Institute of Computer Science)
19 Feb 2004
TL;DR: A mix-net is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders.
Abstract: A mix-net is a cryptographic protocol executed by a set of mix-servers that provides anonymity for a group of senders. The main application is electronic voting.

Book Chapter (DOI 10.1007/978-3-540-24725-8_24)
Just Fast Keying in the Pi Calculus
Martín Abadi (University of California), Bruno Blanchet (École Normale Supérieure), Cédric Fournet (Microsoft)
29 Mar 2004
TL;DR: This paper analyzes JFK’s core security properties, and also other properties that are rarely articulated and studied rigorously, such as resistance to denial-of-service attacks in the applied pi calculus.
Abstract: JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we analyze it formally in the applied pi calculus (partly in terms of observational equivalences, partly with the assistance of an automatic protocol verifier). We treat JFK’s core security properties, and also other properties that are rarely articulated and studied rigorously, such as resistance to denial-of-service attacks. In the course of this analysis we found some ambiguities and minor problems, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be useful more generally in the specification and verification of security protocols.

Journal Article (DOI 10.1109/MWC.2004.1269720)
Security based on network topology against the wiretapping attack
K. Jain (Microsoft)
01 Feb 2004, IEEE Wireless Communications
TL;DR: This article provides a simple security protocol against a wiretapping attack based on the network topology, and shows that an attacker can get any meaningful information only by wiretapping those links that are necessary for the communication between the sender and the receiver.
Abstract: In wireless networks, an attacker can tune a receiver and tap the communication between two nodes. Whether or not some meaningful information is obtained by tapping a wireless connection depends on the security protocols used. One may use cryptographic techniques to secure the communications. In this article we discuss an alternate way of securing the communication between two nodes. We provide a simple security protocol against a wiretapping attack based on the network topology. Although we study the problem from a theoretical perspective, our protocol is easily implementable. Our protocol is at least as secure as any other protocol against these attacks. We show that an attacker can get any meaningful information only by wiretapping those links that are necessary for the communication between the sender and the receiver. We use techniques from network encoding. Our protocol works for any network topology, including cycle networks. We note here that acyclicity is the main assumption in much of the network encoding literature.
Patent
Encryption systems and methods for identifying and coalescing identical objects encrypted with different keys
John R. Douceur, William J. Bolosky, Marvin M. Theimer (Microsoft)
26 May 2004
TL;DR: In this article, the authors describe protocols that enable two or more identical encryptable objects that are coded for encryption with different keys to be identified as identical without access to either the unencrypted objects or the keys that are used in the encryption process.
Abstract: Cryptographic protocols and methods of employing the same are described. The described protocols advantageously enable two or more identical encryptable objects that are coded for encryption with different keys to be identified as identical without access to either the unencrypted objects or the keys that are used in the encryption process. Additionally, the protocols enable two or more identical encryptable objects to be processed with different encryption keys, yet be stored in a manner so that the total required storage space is proportional to the space that is required to store a single encryptable object, plus a constant amount for each distinct encryption key. In various embodiments, the encryptable objects comprise files and the cryptographic protocols enable encrypted files to be used in connection with single instance store (SIS) systems.
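The property the abstract states (identical plaintexts encrypted by different users are recognised as identical without seeing plaintexts or user keys, and stored once plus a constant per key) is what convergent encryption delivers: the content key is derived from the plaintext itself, so identical plaintexts produce identical ciphertexts, and each user only stores that content key wrapped under their own key. The example below is an added illustration of that standard construction, not the patented protocol itself, and it substitutes an HMAC-SHA256 counter-mode keystream for a real block cipher so that it runs with the Python standard library only; users, keys and file contents are constructed. It also shows the inherent leakage a practitioner must accept with this design: anyone who can guess a plaintext can confirm whether it is stored.

```python
"""
Convergent encryption feeding a single-instance store (added illustration;
not the patent's own protocol). hmac/hashlib stand in for AES-CTR so the
example is stdlib-only: do not use keystream_xor in production.
"""
import hashlib
import hmac
from typing import Dict, Tuple

KEY_LEN = 32  # SHA-256 output, also the content-key length


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream blocks are HMAC-SHA256(key, nonce || counter).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def content_key(plaintext: bytes) -> bytes:
    """Convergent key: a function of the plaintext only, so every user who
    holds the same file derives the same key."""
    return hashlib.sha256(b"convergent-key-v1|" + plaintext).digest()


def object_id(ciphertext: bytes) -> bytes:
    """Identity used for coalescing: hash of the deterministic ciphertext.
    Equal plaintexts -> equal keys -> equal ciphertexts -> equal ids, and the
    store never needs the plaintext or any user key to see this."""
    return hashlib.sha256(ciphertext).digest()


class SingleInstanceStore:
    def __init__(self) -> None:
        self.blobs: Dict[bytes, bytes] = {}                 # object_id -> ciphertext (one copy)
        self.wrapped: Dict[Tuple[str, bytes], bytes] = {}   # (user, object_id) -> wrapped content key

    def put(self, user: str, user_key: bytes, plaintext: bytes) -> bytes:
        k = content_key(plaintext)
        ct = keystream_xor(k, b"\x00" * 8, plaintext)       # fixed nonce is safe: k is unique per plaintext
        oid = object_id(ct)
        self.blobs.setdefault(oid, ct)                      # identical object: no second copy
        # Constant per (user, object): the content key wrapped under the user's key.
        self.wrapped[(user, oid)] = keystream_xor(user_key, oid[:8], k)
        return oid

    def get(self, user: str, user_key: bytes, oid: bytes) -> bytes:
        k = keystream_xor(user_key, oid[:8], self.wrapped[(user, oid)])
        return keystream_xor(k, b"\x00" * 8, self.blobs[oid])

    def storage_bytes(self) -> int:
        """Total space: one ciphertext per distinct object + KEY_LEN per (user, object)."""
        return (sum(len(c) for c in self.blobs.values())
                + sum(len(w) for w in self.wrapped.values()))


def confirm_file(store: SingleInstanceStore, candidate: bytes) -> bool:
    """The unavoidable leak of convergent encryption: whoever can guess a
    plaintext (or has a copy) can recompute its id and test for presence,
    with no key material at all."""
    ct = keystream_xor(content_key(candidate), b"\x00" * 8, candidate)
    return object_id(ct) in store.blobs


if __name__ == "__main__":
    store = SingleInstanceStore()
    alice_key = hashlib.sha256(b"alice-master-key").digest()   # constructed
    bob_key = hashlib.sha256(b"bob-master-key").digest()       # constructed
    doc = b"Q3 board deck, byte-identical on both laptops"     # constructed
    oid = store.put("alice", alice_key, doc)
    assert store.put("bob", bob_key, doc) == oid
    print(len(store.blobs), store.storage_bytes(), store.get("bob", bob_key, oid) == doc)
    print(confirm_file(store, doc), confirm_file(store, b"never stored"))
```

Two consequences worth stating. Storage is len(object) plus KEY_LEN per distinct key, matching the abstract's bound. And because the key is a function of the plaintext, low-entropy files (a standard form letter, a known binary) can be identified by anyone who can enumerate candidates; deployments usually accept that leak for files that are already widely shared and fall back to ordinary per-user encryption for unique or sensitive ones.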
Proceedings Article • DOI 10.1145/964001.964018
A semantics for web services authentication
Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon (Microsoft)
1 Jan 2004
TL;DR: In this paper, the authors consider the problem of specifying and verifying cryptographic security protocols for XML web services and propose an approach to the specification and verification of security protocols based on a faithful account of the XML wire format.
Abstract: We consider the problem of specifying and verifying cryptographic security protocols for XML web services. The security specification WS-Security describes a range of XML security tokens, such as username tokens, public-key certificates, and digital signature blocks, amounting to a flexible vocabulary for expressing protocols. To describe the syntax of these tokens, we extend the usual XML data model with symbolic representations of cryptographic values. We use predicates on this data model to describe the semantics of security tokens and of sample protocols distributed with the Microsoft WSE implementation of WS-Security. By embedding our data model within Abadi and Fournet's applied pi calculus, we formulate and prove security properties with respect to the standard Dolev-Yao threat model. Moreover, we informally discuss issues not addressed by the formal model. To the best of our knowledge, this is the first approach to the specification and verification of security protocols based on a faithful account of the XML wire format.
Posted Content
Relating Symbolic and Cryptographic Secrecy
Michael Backes, Birgit Pfitzmann (IBM)
01 Jan 2004 - IACR Cryptology ePrint Archive
TL;DR: In this article, the relation between symbolic and cryptographic secrecy properties for cryptographic protocols was investigated, and it was shown that symbolic secrecy implies cryptographic payload secrecy for the same cryptographic library as used in key secrecy.
Abstract: We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially means computational indistinguishability between the real object and a random one, given the view of a much more general adversary. In spite of recent advances in linking symbolic and computational models of cryptography, no relation for secrecy under active attacks is known yet. For exchanged keys, we show that a certain strict symbolic secrecy definition over a specific Dolev-Yao-style cryptographic library implies cryptographic key secrecy for a real implementation of this cryptographic library. For payload messages, we present the first general cryptographic secrecy definition for a reactive scenario. The main challenge is to separate secrecy violations by the protocol under consideration from secrecy violations by the protocol users in a general way. For this definition we show a general secrecy preservation theorem under reactive simulatability, the cryptographic notion of secure implementation. This theorem is of independent cryptographic interest. We then show that symbolic secrecy implies cryptographic payload secrecy for the same cryptographic library as used in key secrecy. Our results thus enable existing formal proof techniques to establish cryptographically sound proofs of secrecy for payload messages and exchanged keys.
Book Chapter • DOI 10.1007/978-3-540-28634-9_6
Energy-Memory-Security Tradeoffs in Distributed Sensor Networks
D. Hwang, Bo-Cheng Charles Lai, Ingrid Verbauwhede (Katholieke Universiteit Leuven; University of California, Los Angeles)
22 Jul 2004
TL;DR: This paper investigates the inherent tradeoffs involved between energy, memory, and security robustness in distributed sensor networks and introduces an energy-scalable key establishment protocol called cluster key grouping, which takes into account resource limitations in sensor nodes.
Abstract: Security for sensor networks is challenging due to the resource-constrained nature of individual nodes, particularly their energy limitations. However, designing merely for energy savings may not result in a suitable security architecture. This paper investigates the inherent tradeoffs involved between energy, memory, and security robustness in distributed sensor networks. As a driver for the investigation, we introduce an energy-scalable key establishment protocol called cluster key grouping, which takes into account resource limitations in sensor nodes. We then define a metric (the security leakage factor) to quantify security robustness in a system. Finally, a framework called the security-memory-energy (SME) curve is presented that is used to evaluate and quantify the multi-metric tradeoffs involved in security design.
Journal Article • DOI 10.1109/JSAC.2004.836016
A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol
Michael Backes, Birgit Pfitzmann (IBM)
30 Nov 2004 - IEEE Journal on Selected Areas in Communications
TL;DR: This work presents a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication that is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives.
Abstract: We present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is, hence, in the scope of current automated proof tools. We achieve this by exploiting a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
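The protocol proved secure here is Needham-Schroeder public-key with Lowe's fix: the original three messages {Na, A}_KB, {Na, Nb}_KA, {Nb}_KB, with the responder's identity added to the second message. The example below is an added illustration, not the paper's proof or its Dolev-Yao library: a small symbolic model in which public-key encryption is an opaque term only its addressee can open. It runs Lowe's man-in-the-middle, where an honest A willingly talks to the intruder I and I relays into a session with B while posing as A, and shows that B accepts in the original protocol but A aborts once message 2 names B. Principal names and nonces are constructed symbols.

```python
"""
Needham-Schroeder public-key protocol: Lowe's attack and Lowe's fix, in a
symbolic Dolev-Yao-style model (added illustration, not the paper's model).
Enc(recipient, payload) stands for {payload}_K_recipient; decrypt() enforces
that only the recipient can open it, which is all the attack needs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Enc:
    recipient: str
    payload: tuple


def decrypt(me: str, term: Enc) -> tuple:
    """Perfect public-key encryption: anyone may forward the term, only the
    addressee sees inside."""
    if term.recipient != me:
        raise PermissionError(f"{me} cannot open a message addressed to {term.recipient}")
    return term.payload


class Initiator:
    """A: runs the protocol with `peer` using fresh nonce `na`.
    fixed=True applies Lowe's fix (expects the responder's name in message 2)."""

    def __init__(self, name: str, peer: str, na: str, fixed: bool) -> None:
        self.name, self.peer, self.na, self.fixed = name, peer, na, fixed

    def msg1(self) -> Enc:                          # A -> peer : {Na, A}_Kpeer
        return Enc(self.peer, (self.na, self.name))

    def msg3(self, m2: Enc) -> Enc:                 # peer -> A : {Na, Nb[, peer]}_KA
        payload = decrypt(self.name, m2)
        if self.fixed:
            na, nb, responder = payload
            if responder != self.peer:
                raise ValueError(f"{self.name}: message 2 names {responder}, "
                                 f"but this session is with {self.peer}")
        else:
            na, nb = payload
        if na != self.na:
            raise ValueError(f"{self.name}: nonce Na does not match")
        return Enc(self.peer, (nb,))                # A -> peer : {Nb}_Kpeer


class Responder:
    """B: answers whoever message 1 claims to be from."""

    def __init__(self, name: str, nb: str, fixed: bool) -> None:
        self.name, self.nb, self.fixed = name, nb, fixed
        self.claimed_peer: Optional[str] = None
        self.accepted = False

    def msg2(self, m1: Enc) -> Enc:
        na, claimed = decrypt(self.name, m1)
        self.claimed_peer = claimed
        payload = (na, self.nb, self.name) if self.fixed else (na, self.nb)
        return Enc(claimed, payload)

    def finish(self, m3: Enc) -> bool:
        (nb,) = decrypt(self.name, m3)
        self.accepted = (nb == self.nb)
        return self.accepted


def honest_run(fixed: bool) -> bool:
    a, b = Initiator("A", "B", "Na", fixed), Responder("B", "Nb", fixed)
    return b.finish(a.msg3(b.msg2(a.msg1())))


def lowe_attack(fixed: bool) -> Tuple[bool, Optional[str], Optional[str]]:
    """A opens a session with the intruder I; I reuses A's messages toward B.
    Returns (B accepted, who B thinks it talked to, why A aborted or None)."""
    a, b = Initiator("A", "I", "Na", fixed), Responder("B", "Nb", fixed)
    na, _ = decrypt("I", a.msg1())                  # 1.  A -> I    : {Na, A}_KI      (I opens it)
    m2 = b.msg2(Enc("B", (na, "A")))                # 1'. I(A) -> B : {Na, A}_KB      (replayed as A)
    try:                                            # 2.  B -> A    : {Na, Nb[, B]}_KA (I just forwards it)
        m3 = a.msg3(m2)
    except ValueError as reason:
        return False, b.claimed_peer, str(reason)
    (nb,) = decrypt("I", m3)                        # 3.  A -> I    : {Nb}_KI         (I learns Nb)
    accepted = b.finish(Enc("B", (nb,)))            # 3'. I(A) -> B : {Nb}_KB
    return accepted, b.claimed_peer, None


if __name__ == "__main__":
    print("original NS:", lowe_attack(fixed=False))   # B accepts a session "with A"
    print("NSL (fixed):", lowe_attack(fixed=True))    # A aborts, B never gets message 3
```

The decisive step is message 2: A decrypts {Na, Nb}_KA and has no way to tell whether it came from I (its intended peer) or from B, so it dutifully hands Nb back to I. Binding B's name into that message is enough to let A detect the mismatch, which is the fix whose cryptographic soundness the paper establishes.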
Book
User's guide to cryptography and standards
Alexander W. Dent, Chris J. Mitchell
31 Oct 2004
TL;DR: Standards and the Standardization Process.
Abstract: With the scope and frequency of attacks on valuable corporate data growing enormously in recent years, a solid understanding of cryptography is essential for anyone working in the computer/network security field. This timely book delivers the hands-on knowledge you need, offering comprehensive coverage on the latest and most-important standardized cryptographic techniques to help you protect your data and computing resources to the fullest. Rather than focusing on theory like other books on the market, this unique resource describes cryptography from an end-user perspective, presenting in-depth, highly practical comparisons of standards and techniques. You learn, in detail, what cryptography can achieve and discover how to choose cryptographic standards that ensure state-of-the-art protection and maximum interoperability. Moreover, the book explains how to select standardized techniques that are most suitable for your specific needs. From encryption, cryptographic hash-functions, and message authentication codes, to digital signatures, authentication protocols, and public key infrastructures, this authoritative reference gives you complete working knowledge of the critical cryptographic tools being utilized world-wide. The book concludes with a look at the future of cryptography, including discussions on crypto-modules and biometrics.