
Cryptography

Title: A Class Of Weak Keys In The RC4 Stream Cipher
Authors: Andrew Roos (andrewr@vironix.co.za)
Abstract:
This paper discusses a class of weak keys in RSA's RC4 stream cipher. It shows that for at least 1 out of every 256 possible keys the initial byte of the pseudo-random stream generated by RC4 is strongly correlated with only a few bytes of the key, which effectively reduces the work required to exhaustively search RC4 key spaces.
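The following is an added example, not code from Roos's paper, that makes the abstract's claim concrete. Roos's weak class is the set of keys whose first two bytes sum to zero modulo 256 (K[0] + K[1] == 0 mod 256, i.e. 1 in 256 keys); for those keys the first keystream byte equals K[2] + 3 far more often than the 1/256 expected of a random byte, because the key-scheduling algorithm tends to leave S[1] = 1 and S[2] = K[2] + 3 untouched. The script implements RC4's KSA and PRGA from the published description, checks them against the well-known "Key"/"Plaintext" test vector, and then measures the bias over locally generated (constructed) weak keys with a fixed seed versus uniformly random keys of the same length. The key length and trial count are arbitrary choices for the demonstration.

```python
"""Measuring Roos's first-byte bias in RC4 (added example, not the paper's code)."""
import random


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: returns the 256-entry permutation S."""
    S = list(range(256))
    j = 0
    n = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % n]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 pseudo-random generation: the first `length` keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def roos_weak_key(rng: random.Random, keylen: int) -> bytes:
    """Constructed key in Roos's weak class: K[0] + K[1] == 0 (mod 256)."""
    k = bytearray(rng.randrange(256) for _ in range(keylen))
    k[1] = (-k[0]) & 0xFF
    return bytes(k)


def first_byte_bias(trials: int = 4000, keylen: int = 16,
                    weak: bool = True, seed: int = 1) -> float:
    """Fraction of sampled keys whose first keystream byte equals K[2] + 3.

    With weak=True the keys are drawn from Roos's class; with weak=False
    they are uniform, which serves as the control.  The seed makes the
    sample reproducible; the trial count is a demonstration parameter.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        if weak:
            key = roos_weak_key(rng, keylen)
        else:
            key = bytes(rng.randrange(256) for _ in range(keylen))
        if rc4_keystream(key, 1)[0] == (key[2] + 3) & 0xFF:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    # Sanity check of the cipher itself against a published test vector.
    assert rc4_keystream(b"Key", 10).hex() == "eb9f7781b734ca72a719"
    print("P[first byte == K[2]+3], weak keys  :", first_byte_bias(weak=True))
    print("P[first byte == K[2]+3], random keys:", first_byte_bias(weak=False))
    print("chance level (1/256)                :", 1 / 256)
```

The practical consequence is the one the abstract states: an attacker who sees the first keystream byte (a known-plaintext situation) learns a strong hint about K[2] for one key in 256, and the same reasoning extends to later key bytes with weaker bias. The usual mitigations that grew out of this and later work are to discard the start of the keystream or, better, not to use RC4 at all.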

Title: Answers To Frequently Asked Questions About Today's Cryptography
Authors: Paul Fahn
Abstract:
Paul Fahn's FAQ answers some of the most frequently asked questions about cryptography today, including questions about authentication, encryption, public-key cryptography, export restrictions, RSA, DES, key management, digital time stamping, PEM, and much more.

Title: Augmented Encrypted Key Exchange
Authors: Steven M. Bellovin and Michael Merritt
Abstract:
The encrypted key exchange (EKE) protocol is augmented so that hosts do not store cleartext passwords. Consequently, adversaries who obtain the one-way encrypted password file may (i) successfully mimic (spoof) the host to the user, and (ii) mount dictionary attacks against the encrypted passwords, but cannot mimic the user to the host. Moreover, the important security properties of EKE are preserved: an active network attacker obtains insufficient information to mount dictionary attacks. Two ways to accomplish this are shown, one using digital signatures and one that relies on a family of commutative one-way functions.

Title: Codes, Keys and Conflicts: Issues in U.S. Crypto Policy
Authors: Susan Landau, Stephen Kent, Clint Brooks, Scott Charney, Dorothy Denning, Whitfield Diffie, Anthony Lauck, Doug Miller, Peter Neumann, David Sobel
Abstract:
In this report, the author attempts to remove the rhetoric, lay bare the facts, and frame the issues. It examines the issues of communication security from a variety of viewpoints: (I) explains the technical considerations of communications security; (II) considers the dual-edged sword cryptography presents to both law enforcement and national security; (III) presents the history of wiretap law in the United States; (IV) puts the current policy on cryptography in the context of decisions over the last twenty years.

Title: Crime and Crypto on the Information Superhighway
Authors: Dorothy E. Denning
Abstract:
Although the information superhighway offers many benefits to individuals and to society, it also can be exploited to further crimes such as theft and sabotage of data, embezzlement, fraud, child pornography, and defamation. Thus, a challenge in designing and using the information superhighway is to maximize its benefits while minimizing the harm associated with criminal activity. Three types of mechanisms that help meet this challenge are information security tools, ethics, and laws. One information security tool that is particularly useful against crime is encryption, the scrambling of data in such manner that it can be unscrambled only with knowledge of a secret key. Encryption can protect against espionage, sabotage, and fraud. But it is a dual edged sword in that it also can enable criminal activity and interfere with foreign intelligence operations. Thus, the role of encryption on the information superhighway poses a major dilemma. This dilemma has been the topic of considerable dialogue and debate ever since the Clinton Administration announced the Clipper Chip, a special purpose encryption chip designed to meet the needs of individuals and society both for communications security and privacy protection and for law enforcement and national security. The outcome of the debate is likely to have considerable implications for criminal justice. In order to put the debate in context, we will first describe some of the criminal activities made possible by computer networks and how cryptography fits into a range of information security tools. We will then review the encryption dilemma and Clipper controversy.

Title: Crypto Law Survey
Authors: Bert-Jaap Koops
Abstract:
This survey of cryptography laws is based on several reports and on replies to a posting on Internet discussion lists. Only for France, The Netherlands, and Russia have I consulted original texts of relevant regulations; for the other countries, the reports listed below served as the only source. These findings, therefore, do not pretend to be exhaustive or fully reliable. I thank all who have provided me with information for this survey. Please send comments, corrections, updates, additional information, and questions to E.J.Koops@kub.nl

Title: A Cryptographic File System for Unix
Authors: Matt Blaze
Abstract:
Although cryptographic techniques are playing an increasingly important role in modern computing system security, user-level tools for encrypting file data are cumbersome and suffer from a number of inherent vulnerabilities. The Cryptographic File System (CFS) pushes encryption services into the file system itself. CFS supports secure storage at the system level through a standard Unix file system interface to encrypted files. Users associate a cryptographic key with the directories they wish to protect. Files in these directories (as well as their pathname components) are transparently encrypted and decrypted with the specified key without further user intervention; cleartext is never stored on a disk or sent to a remote file server. CFS can use any available file system for its underlying storage without modification, including remote file servers such as NFS. System management functions, such as file backup, work in a normal manner and without knowledge of the key. This paper describes the design and implementation of CFS under Unix. Encryption techniques for file system-level encryption are described, and general issues of cryptographic system interfaces to support routine secure computing are discussed.

Title: Efficient DES Key Search
Authors: Michael J. Wiener
Abstract:
Despite recent improvements in analytic techniques for attacking the Data Encryption Standard, exhaustive key search remains the most practical and efficient attack. Key search is becoming alarmingly practical. We show how to build an exhaustive DES key search machine for $1 million that can find a key in 3.5 hours on average. The design for such a machine is described in detail for the purpose of assessing the resistance of DES to an exhaustive attack. This design is based on mature technology to avoid making guesses about future capabilities. With this approach, DES keys can be found one to two orders of magnitude faster than other recently proposed designs. The basic machine design can be adapted to attack the standard DES modes of operation for a small penalty in running time. The issues of development cost and machine reliability are examined as well. In light of this work, it would be prudent in many applications to use DES in a triple-encryption mode.

Title: Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks
Authors: Steven M. Bellovin and Michael Merritt
Abstract:
Classic cryptographic protocols based on user-chosen keys allow an attacker to mount password-guessing attacks. We introduce a novel combination of asymmetric (public-key) and symmetric (secret-key) cryptography that allows two parties sharing a common password to exchange confidential and authenticated information over an insecure network. These protocols are secure against active attacks, and have the property that the password is protected against off-line "dictionary" attacks. There are a number of other useful applications as well, including secure public telephones.

Title: Key Escrowing Today
Authors: Dorothy E. Denning
Abstract:
This paper describes the U.S. Government's Escrowed Encryption Standard (EES) and associated Key Escrow System (KES) as of June 1994. The objective of the EES/KES is to provide strong security for communications while simultaneously allowing authorized government access to particular communications for law enforcement and national security purposes. To achieve these goals, the EES/KES is based on a tamper-resistant hardware chip (the Clipper Chip), which implements a strong encryption algorithm (SKIPJACK) and a method for creating a Law Enforcement Access Field (LEAF). The LEAF allows communications encrypted by the chip to be decrypted through a Device Unique Key that is programmed onto the chip. Pursuant to lawful authorization, a government agency can acquire this key by obtaining two Key Components, each of which is held by a separate Escrow Agent. The components and operation of the KES are described, with particular attention to the safeguards designed to ensure that the risk of unauthorized access to EES-encrypted communications is negligible. These safeguards are a combination of procedural and technical controls.

Title: Key Management in an Encrypting File System
Authors: Matt Blaze
Abstract:
As distributed computing systems grow in size, complexity and variety of application, the problem of protecting sensitive data from unauthorized disclosure and tampering becomes increasingly important. Cryptographic techniques can play an important role in protecting communication links and file data, since access to data can be limited to those who hold the proper key. In the case of file data, however, the routine use of encryption facilities often places the organizational requirements of information security in opposition to those of information management. Since strong encryption implies that only the holders of the cryptographic key have access to the cleartext data, an organization may be denied the use of its own critical business records if the key used to encrypt these records becomes unavailable (e.g., through the accidental death of the key holder). This paper describes a system, based on cryptographic "smartcards," for the temporary "escrow" of file encryption keys for critical files in a cryptographic file system. Unlike conventional escrow schemes, this system is bilaterally auditable, in that the holder of an escrowed key can verify that, in fact, he or she holds the key to a particular directory and the owner of the key can verify, when the escrow period is ended, that the escrow agent has neither used the key nor can use it in the future. We describe a new algorithm, based on the DES cipher, for the on-line encryption of file data in a secure and efficient manner that is suitable for use in a smartcard.

Title: Painless Guide To CRC Error Detection Algorithms
Authors: Ross N. Williams
Abstract:
This document explains CRCs (Cyclic Redundancy Codes) and their table-driven implementations in full, precise detail. Much of the literature on CRCs, and in particular on their table-driven implementations, is a little obscure (or at least seems so to me). This document is an attempt to provide a clear and simple no-nonsense explanation of CRCs and to absolutely nail down every detail of the operation of their high-speed implementations. In addition to this, this document presents a parameterized model CRC algorithm called the "Rocksoft Model CRC Algorithm". The model algorithm can be parameterized to behave like most of the CRC implementations around, and so acts as a good reference for describing particular algorithms. A low-speed implementation of the model CRC algorithm is provided in the C programming language. Lastly there is a section giving two forms of high-speed table driven implementations, and providing a program that generates CRC lookup tables.
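The following is an added example, not code from Williams's guide, showing the parameterized model the abstract describes. The six Rocksoft parameters are WIDTH, POLY, INIT, REFIN, REFOUT and XOROUT; the block implements a bit-serial reference computation and a byte-at-a-time table-driven one, generates the lookup table from those parameters, and checks three common parameter sets (CRC-32, CRC-16/ARC and CRC-16/XMODEM) against their standard check values for the input "123456789" and against the standard library's zlib.crc32. Because the guide is about error detection rather than security, the block also includes a small check a practitioner should keep in mind: any CRC is affine over XOR, so an attacker who can flip bits in a message can flip the matching bits of the CRC, which is why a CRC is never a substitute for a MAC. The class and function names are this example's own.

```python
"""Rocksoft-model CRC, bit-serial and table-driven (added example)."""
import zlib


def reflect(value: int, width: int) -> int:
    """Reverse the order of the low `width` bits of `value`."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


class ModelCRC:
    """A CRC algorithm described by the six Rocksoft model parameters (width >= 8)."""

    def __init__(self, width, poly, init, refin, refout, xorout):
        self.width, self.poly, self.init = width, poly, init
        self.refin, self.refout, self.xorout = refin, refout, xorout
        self.mask = (1 << width) - 1
        self.topbit = 1 << (width - 1)
        self.table = [self._table_entry(b) for b in range(256)]

    def _table_entry(self, index: int) -> int:
        # One byte pushed through a zero-initialised shift register; reflecting
        # the index and the result makes the table usable in the reflected loop.
        if self.refin:
            index = reflect(index, 8)
        reg = index << (self.width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ self.poly) if reg & self.topbit else (reg << 1)
        reg &= self.mask
        return reflect(reg, self.width) if self.refin else reg

    def _final(self, reg: int) -> int:
        if self.refout:
            reg = reflect(reg, self.width)
        return (reg ^ self.xorout) & self.mask

    def crc_bitwise(self, data: bytes) -> int:
        """Reference computation: the register is shifted one bit at a time."""
        reg = self.init
        for byte in data:
            if self.refin:
                byte = reflect(byte, 8)
            reg ^= byte << (self.width - 8)
            for _ in range(8):
                reg = ((reg << 1) ^ self.poly) if reg & self.topbit else (reg << 1)
                reg &= self.mask
        return self._final(reg)

    def crc_table(self, data: bytes) -> int:
        """Table-driven computation: one lookup per input byte."""
        if self.refin:
            # Keep the register reflected throughout, then reflect it back.
            reg = reflect(self.init, self.width)
            for byte in data:
                reg = (reg >> 8) ^ self.table[(reg ^ byte) & 0xFF]
            reg = reflect(reg, self.width)
        else:
            reg = self.init
            for byte in data:
                idx = ((reg >> (self.width - 8)) ^ byte) & 0xFF
                reg = ((reg << 8) ^ self.table[idx]) & self.mask
        return self._final(reg)


# Three well-known parameter sets (check value is the CRC of b"123456789").
CRC32 = ModelCRC(32, 0x04C11DB7, 0xFFFFFFFF, True, True, 0xFFFFFFFF)   # check 0xCBF43926
CRC16_ARC = ModelCRC(16, 0x8005, 0x0000, True, True, 0x0000)           # check 0xBB3D
CRC16_XMODEM = ModelCRC(16, 0x1021, 0x0000, False, False, 0x0000)      # check 0x31C3


def crc_linearity_holds(model: ModelCRC, a: bytes, b: bytes) -> bool:
    """For equal-length a and b: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).

    This is the property that lets an attacker keep a CRC valid while
    flipping chosen message bits; it is why a CRC is not a MAC.
    """
    assert len(a) == len(b)
    xored = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    lhs = model.crc_table(xored)
    rhs = model.crc_table(a) ^ model.crc_table(b) ^ model.crc_table(zeros)
    return lhs == rhs


if __name__ == "__main__":
    msg = b"123456789"
    for name, m in (("CRC-32", CRC32), ("CRC-16/ARC", CRC16_ARC), ("CRC-16/XMODEM", CRC16_XMODEM)):
        print(f"{name:14s} bitwise={m.crc_bitwise(msg):#x} table={m.crc_table(msg):#x}")
    print("zlib agrees:", CRC32.crc_table(msg) == zlib.crc32(msg))
    print("CRC is affine over XOR:", crc_linearity_holds(CRC32, b"attack at dawn", b"attack at dusk"))
```

The bit-serial loop is the one to read when learning the algorithm; the table-driven loop is what production code uses, and the reflected branch is the form most implementations (including zlib's CRC-32) take, because it avoids reversing each input byte.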

Title: SKIPJACK Review - Interim Report - The SKIPJACK Algorithm
Authors: Ernest F. Brickell, Dorothy E. Denning, Stephen T. Kent, David P. Maher, Walter Tuchman
Abstract:
The objective of the SKIPJACK review was to provide a mechanism whereby persons outside the government could evaluate the strength of the classified encryption algorithm used in the escrowed encryption devices and publicly report their findings. Because SKIPJACK is but one component of a large, complex system, and because the security of communications encrypted with SKIPJACK depends on the security of the system as a whole, the review was extended to encompass other components of the system. The purpose of this Interim Report is to report on our evaluation of the SKIPJACK algorithm. A later Final Report will address the broader system issues.

Title: Towards a Secure -AV system for PKZIP -- A Proposed Public Key Scheme For .ZIP Protection
Authors: Jeremy Buhler
Abstract:
-AV protection has been problematical for PKZIP ever since its inception. With the advent of public key digital signatures, this problem may at last be solved. Public key should provide excellent protection against modification of part of the archive or random spoofing by average attackers and very good protection against the same by determined attackers with great resources (e.g., governments, large corporations, etc). While protection against the worst case, whole-file spoofing with a stolen key, is less effective, it does not demonstrate a loss of security versus previous methods. The algorithm's lifetime may be arbitrarily prolonged by increasing the key size, and the decompression check code may be written so as not to penalize operation unduly. This protection could make PKZIP the archiver of choice for the distributor worried about file tampering within .ZIP's.


Aleph One / aleph1@underground.org
Copyright © 1996 Computer Underground Society. All rights reserved.