McOE: A Foolproof On-Line Authenticated Encryption Scheme

Abstract: On-Line Authenticated Encryption (OAE) combines confidentiality with data integrity and is on-line computable. Most block cipher-based schemes for Authenticated Encryption can be run online and are provably secure against nonce-respecting adversaries. But they fail badly for more general adversaries. This is not a theoretical observation only – in practice, the reuse of nonces is a frequent issue. In recent years, cryptographers developed misuse-resistant schemes for Authenticated Encryption. These guarantee excellent security even against general adversaries which are allowed to reuse nonces. Their disadvantage is that encryption can be performed in an off-line way, only. This paper considers OAE schemes dealing both with nonce-respecting and with general adversaries. It introduces McOE, an efficient design for OAE schemes. The construction is based on a ‘simple’ block cipher and is on-line computable. It provably guarantees reasonable security against general adversaries as well as standard security against nonce-respecting adversaries.

On-Line Authenticated Encryption (OAE). Application software often requires a network channel that guarantees the privacy and authenticity of data being communicated between two parties. Cryptographic schemes able to meet both of these goals are commonly referred to as Authenticated Encryption (AE) schemes. The ISO/IEC 19772:2009 standard for AE [16] defines generic composition (Encrypt-then-MAC [3]) and five dedicated AE schemes: OCB2 [33], SIV [36] (denoted as “Key Wrap” in [16]), CCM [10], EAX [5], and GCM [29]. To integrate an AE-secure channel most seamlessly into a typical software architecture, application developers expect it to encrypt in an on-line manner, meaning that the i-th ciphertext block can be written before the (i+1)-th plaintext block has to be read. A restriction to off-line encryption, where usually the entire plaintext must be known in advance (or read more than once), is an encumbrance to software architects.

Category : secret-key cryptography / authenticated encryption, online encryption, provable security, misuse resistant.


Some Words About Cryptographic Key Recognition In Data Streams

Abstract: Search for cryptographic keys in RAM is a new and prospective technology which can be used, primarily, in the computer forensics. In order to use it, a cryptanalyst must solve, at least, two problems: to create a memory dump from target machine and to distinguish target cryptographic keys from other data. The latter leads to a new mathematical task: “recognition of cryptographic keys in the (random) data stream”. The complexity of this task significantly depends on target cryptoalgorithm. For some algorithms (i.e. AES or Serpent) this task is trivial but for other ones it may be very hard. In this work we present effective algorithms of expanded key recognition for Blowfish and Twofish. As far as we know this task for these algorithms has never been considered before.

Author : Alexey Chilikov and Evgeny Alekseev

Category : side-channel attacks, live-memory analysis, digital forensics, blowfish, twofish.

Security of Multiple-Key Agreement Protocols and Propose an Enhanced Protocol

Abstract: Multiple key agreement protocols produce several session keys instead of one session key. Most of the multiple key agreement protocols do not utilize hash functions in the signature schemes used for identification. Not using a hash function in these protocols means that the protocols do not satisfy some required security properties. In this paper we review the multiple key agreement protocols and perform attacks on some of them. Then we introduce a new multiple key agreement protocol and show that the proposed protocol is more secure than the existing multiple key agreement protocols.

Cryptography helps us to make a secure communication in public networks. The secret key plays an essential role in the cryptosystems such that revealing the secret key causes the cryptographic system to be compromised. Therefore how to exchange the secret key is very important in cryptographic applications. One of the considerable methods for secret key exchanging is key agreement protocols. These protocols enable two or more users of any public networks to share a secret common key together.

Author : Department of Mathematics and Computer Sciences, Tarbiat Moallem University, Tehran, Iran
Faculty of Electrical and computer Engineering, K.N. Toosi University of Technology, Tehran, Iran

Proactive techniques to stop & squish botnets: technically feasible but legal too?

Proactive Botnet Countermeasures: An Offensive Approach

Abstract. Botnets, consisting of thousands of interconnected, remote-controlled computers, pose a big threat against the Internet. We have witnessed the involvement of such malicious infrastructures in politically motivated attacks more than once in recent years. Classical countermeasures are mostly reactive and conducted as part of incident response actions. This is often not sufficient. We argue that proactive measures are necessary to mitigate the botnet threat and demonstrate techniques based on a formalized view of botnet infrastructures. However, while being technically feasible, such actions raise legal and ethical questions.

A botnet is an alliance of interconnected computers infected with malicious software (a bot). Bots are commanded by an operator and can typically be advised to send Spam mails, harvest information such as license keys or banking data on compromised machines, or launch distributed denial-of-service (DDoS) attacks against arbitrary targets. What’s more, they often interfere with regular operation rendering infected machines unstable or unusable. Thousands of such botnets exist, with each containing thousands to millions of infected systems. The results are major direct and indirect consequences for the economy as well as for the political life [2].

Vega Web Security Scanner 1.0 Beta

Vega Web Security Scanner 1.0 Beta Windows 64 Bit

About Vega : Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: JavaScript.

Download Version : Windows 64-bit, Windows 32-bit

Download Version : Linux 64-bit, Linux 32-bit

Hummingbird: Privacy at the time of Twitter

Abstract: In the last several years, micro-blogging Online Social Networks (OSNs), such as Twitter, have taken the world by storm, now boasting over 100 million subscribers. As an unparalleled stage for an enormous audience, they offer fast and reliable centralized diffusion of pithy tweets to great multitudes of information-hungry and always-connected followers. At the same time, this information gathering and dissemination paradigm prompts some important privacy concerns pertaining to relationships between tweeters and followers and interests of the latter.

In this paper, we assess the loss of privacy in today’s Twitter-like OSNs and describe an architecture and a trial implementation of a privacy-preserving service called Hummingbird. It is essentially a variation of Twitter that protects tweet contents, hashtags and follower interests from the (potentially) prying eyes of the centralized server. We argue that, although inherently limited by Twitter’s mission of scalable information-sharing, this degree of privacy is valuable. We demonstrate, via a working prototype, that its additional costs are tolerably low. We also sketch out some viable enhancements that might offer even better privacy in the long term.

Google has published video detailing ‘The Evolution of Search’

Following up on our video on how we make improvements to search, we wanted to share with you a short history of the evolution of search, highlighting some of the most important milestones from the past decade, and a taste of what’s coming next.

Our goal is to get you to the answer you’re looking for faster and faster, creating a nearly seamless connection between your questions and the information you seek. For those of you looking to deepen your understanding of how search has evolved, this video highlights some important trends like universal results, quick answers and the future of search.
