The goal of this presentation is to show how smart cards are used in mobile applications.
First, the main physical and computational characteristics of a smart card are summarized.
GSM introduced the use of smart cards, the SIM, achieving personal mobility. The functions of the SIM in the security mechanism are described. The GSM smart card follows the organization described in the ISO standard: file structure, commands, application-based protection mechanisms.
DECT also defined a smart card: the DAM. The functions of the DAM are briefly summarized.
The US-PCS standard is defining a smart card: the UIM. This is in fact a multi-application card, containing a GSM SIM and the security mechanisms for IS-41-based systems.
In this seminar we review the use of linear cryptanalysis in the analysis of block ciphers. As well as reviewing the current state of the art of this technique, we consider some proposed enhancements and potential improvements together with the implications of this technique on block cipher design.
In this seminar, we explain an attack on the compress function of MD5, which is based on similar methods as previous attacks on RIPEMD, MD4 and the 256-bit extension of MD4. It turns out that there are collisions for the compress function of MD5, i.e., two different inputs X and X' such that compress(IV,X)=compress(IV,X'). We think that this might be reason enough to substitute MD5 in future applications.
The course will be centred around public key schemes and how to build various systems using public key techniques. The underlying algorithms are RSA, ElGamal-like systems (DSA) and elliptic curves; we will put most emphasis on RSA at the beginning, less on DSA, and some on elliptic curves as a possible alternative to RSA towards the end of the course. Although we will assume that everybody is familiar with the standard mathematical background of RSA and DSA, which will be reviewed in the first half hour, we will properly introduce some of the more advanced tools, such as Gauss reciprocity, which is necessary to understand how to implement ISO 9796.
One of the most important technical aspects of the whole subject is how to generate secure keys. To understand this, we will review some factorisation algorithms, starting with the elementary methods, which work if p-1 or p+1 is smooth (i.e. has only small prime factors) for one of the factors p of the number to be factored, but also including more advanced methods such as quadratic forms and class groups, as well as elliptic curves, without getting carried away with the mathematics behind them. We will then look at effective probabilistic and deterministic prime generation algorithms, and discuss how to guarantee a good uniform distribution of the keys. As a consequence we will deduce that one should not use strong primes any more. Proper generation of random primes is of course relevant for all public key schemes based on number theory.
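As an added illustration of the first of those elementary methods (this is example code written for this page, not material from the course), the block below implements Pollard's p-1 method and the matching check a key generator would run on a candidate prime. The numbers are constructed: n = 1009 * 1013, where 1009 - 1 = 2^4 * 3^2 * 7 is 7-smooth while 1013 - 1 = 2^2 * 11 * 23 is not, so a bound of 7 splits n.

```python
"""Pollard's p-1 factoring method and the corresponding key-generation check.

Added example; not part of the course material. Sample numbers are constructed.
"""
from math import gcd
from typing import Optional


def largest_prime_factor(m: int) -> int:
    """Largest prime factor of m by trial division (adequate for small m)."""
    largest = 1
    d = 2
    while d * d <= m:
        while m % d == 0:
            largest = d
            m //= d
        d += 1
    if m > 1:
        largest = m
    return largest


def pollard_p_minus_1(n: int, bound: int, base: int = 2) -> Optional[int]:
    """Try to split n with the p-1 method using smoothness bound `bound`.

    After the k-th step a = base^(k!) mod n. If some prime factor p of n has
    p-1 dividing k!, Fermat's little theorem gives a = 1 (mod p), so
    gcd(a-1, n) picks up p. Returns a proper factor, or None when the method
    fails (no factor with a smooth p-1, or all factors found in the same
    step so that gcd == n).
    """
    a = base % n
    for k in range(2, bound + 1):
        a = pow(a, k, n)
        d = gcd(a - 1, n)
        if d == n:
            return None  # every p-1 became smooth at once; retry with a smaller bound
        if d > 1:
            return d
    return None


def p_minus_1_is_smooth(p: int, bound: int) -> bool:
    """Key-generation side of the same fact: is p-1 `bound`-smooth?

    A candidate RSA prime whose p-1 is smooth up to a feasible bound should be
    rejected. A uniformly random prime of RSA size fails this test only with
    negligible probability, which is the reason such checks, rather than
    specially constructed 'strong primes', are enough in practice.
    """
    return largest_prime_factor(p - 1) <= bound


if __name__ == "__main__":
    n = 1009 * 1013
    print(pollard_p_minus_1(n, 7))        # finds 1009
    print(p_minus_1_is_smooth(1009, 7))   # True: reject this prime
    print(p_minus_1_is_smooth(1013, 7))   # False
```

The loop takes one modular exponentiation per step and one gcd; with a bound of a few million this is cheap even for RSA-sized n, which is exactly why the smoothness check on the generation side matters.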
Next the design principles behind ISO 9796-1 and 2 will be explained, which really is the theory of introducing adequate redundancy schemes in order to prevent attacks using the mathematical structure of RSA.
We will then discuss how to build various protocols using public key algorithms, including identification (zero-knowledge), fair exchange of values, electronic cash and electronic negotiable documents.
Towards the end of the course we will introduce elliptic curves and how to build public key schemes based on them, and analyse how the mechanisms and protocols we have described previously may be realised using elliptic curves instead.
We will assume the audience to be familiar with basic security concepts and cryptographic techniques, and to have some mathematical maturity, although only very elementary number theory, such as the Euler phi-function and the Chinese Remainder Theorem will be required as known tools.
Elliptic curve public key cryptosystems (ECPKCs) are rapidly gaining popularity. They offer several advantages compared to other public key systems, e.g., smaller block size, improved performance and few patents. We review public key algorithms based on the discrete logarithm and explain how they can be translated to other groups. We show that the set of points of an elliptic curve over a finite field can be turned into a group by defining an appropriate group operation. This particular group appears to have interesting cryptographic properties.
In an implementation of ECPKCs, the elements of the underlying field can be represented in a number of different ways. The two representations that show up in the literature are 'standard basis' and 'normal basis'. We compare different representations and add a third alternative.
Part of this work will be presented at Asiacrypt'96.
Ascom, the company that commercializes the block cipher IDEA, organizes a cryptanalysis contest for IDEA (more details can be found at http://www.ascom.ch/Web/systec/contest1.htm). After an examination of the internals of IDEA, we present two attacks that work on reduced versions of the cipher. Although the attacks are not good enough to win us the promised dinner, they are the best attacks currently known.
The first attack works on three rounds and uses linear and differential techniques. The second attack works on three and a half rounds, using truncated differentials.
The talk presents an overview of recent developments in the design of cryptographic algorithms. A short historical introduction sheds a ray of light on some events which contributed to the advancement of cryptology. Modern cryptology is intimately tied to Shannon's fundamental work on secrecy systems. The first modern cryptographic algorithms (Lucifer and DES) are discussed in terms of their impact on the next generation of conventional crypto-algorithms. Next, the algebraic structures of both conventional and conditionally secure crypto-algorithms are investigated and an account of the results achieved is provided.
Later provably secure crypto-algorithms are explored including pseudorandom bit generators, one-way hashing and pseudorandom functions. The talk concludes with the review of main results in the design of S-boxes.
Thanks to the Internet, the use of e-mail has become common practice. More and more companies are using it as a primary means of communication. Unfortunately most people are not aware of the risks they are taking. If you send a regular letter you can count on the confidentiality of its content but not so with plain e-mail. Each message can be intercepted by a trained computer user connected anywhere on the net. In this lecture we will show how easy it is to read other people's e-mail, even change it without being caught. Thanks to an extensive use of cryptography, we can limit the risks. We will present and analyze an overview of the latest available standards and tools.
We will give an introduction to mathematical secret sharing. Emphasis will be placed on describing how to model secret sharing schemes, what types of research problems exist and what methods can be applied to solve them. Two BIG questions will be answered.
In this talk we will discuss the latest development in the design and analysis of cryptographic hash functions. First we give an overview of the definitions and discuss their relation. Then we summarize the most recent developments on constructions for hash functions based on block ciphers, hash functions based on modular arithmetic (including ISO/IEC DIS 10118-4) and the custom designed hash functions (such as RIPEMD-160 and SHA-1, which are included in ISO/IEC DIS 10118-3).
Current computer architectures tend to incorporate an increasing number of parallel execution units in their design. Algorithms will only benefit from this hardware parallelism if they contain enough instruction-level parallelism to keep these execution units busy. In this talk we will investigate the available software parallelism of the MD4-like hash functions in general, and of the most recent family members (SHA-1, RIPEMD-128, RIPEMD-160) in particular. We will also consider to what extent a superscalar processor like the Pentium is able to exploit this.
In this talk we give an overview of the state of the art of block ciphers. This includes a short review of the known attacks and a look into the future.
Most authentication protocols require the users to trust a single server. Li Gong devised a protocol which divides the need for trust amongst a group of servers, and which works correctly as long as more than 50% of the servers are trustworthy (where the identities of the trustworthy servers need not be known in advance to either party). Subsequently, an alternative more efficient protocol was devised to meet the same requirements by Chen, Gollmann and Mitchell.
In this talk we will show how it is possible to reduce the trust requirements for a group of servers even further, to the 'minimum possible amount'. This is joint work with Liqun Chen and Dieter Gollmann.
First some basics of C++ are discussed: design principles, language features provided, strategies for software development. We compare with C and identify pros and cons, emphasizing the impact on performance, structure and maintainability. Then we discuss the design and implementation of a cryptographic library based on the C++ philosophy. The relation between the different kinds of objects is expressed in a class hierarchy. We show how this leads to a minimum of code duplication and a high modularity. A couple of small applications are given to illustrate how the library can be used. Needless to say, performance is an important criterion for the applicability of cryptographic software. We point out a number of coding principles for reducing overhead. The ultimate test is a comparison of the performance to a similar implementation in C.
In this paper we propose a coin-based electronic payment system suitable for small payments. It is derived from Brands' scheme proposed at Crypto'93, in the sense that the coins are built using the representation problem. The main contribution of our solution consists of the speedup of the withdrawal protocol. The gain of efficiency is achieved preserving the same level of integrity for user, shop and bank. A coin remains untraceable with respect to the user. This feature is fulfilled even if one assumes that the bank has unlimited computing power and colludes with shops in order to trace a coin to a specific user. However, a set of coins are linkable to a pseudonym of the user, restricting in this way his privacy. This drawback can be limited by "rotating" coins derived from different pseudonyms in a set of consecutive payment transactions.
The Discrete Fourier Transform (DFT) over finite fields has had interesting applications in cryptography, in particular in the theory of stream ciphers. The field DFT and its cryptographic applications will be briefly reviewed. The DFT over commutative rings will then be introduced and the conditions for its existence given. A DFT of length p-1 will be shown to exist in the ring of integers modulo any power n > 2 of any odd prime p. Potential applications of the DFT over rings will be pointed out.
The subject of this thesis is the study of iterated block ciphers. The first part deals with the cryptanalysis of block ciphers. Most attacks on block ciphers are variants of differential and linear cryptanalysis.
Firstly the principles of differential and linear cryptanalysis are explained. Afterwards a number of modifications are presented that allow these attacks to be extended. Techniques from probability theory allow the data processing phase of attacks to be improved in such a way that cryptanalysis of block ciphers used in special modes becomes possible. Attacks are then introduced that use relations that have key dependent probabilities, to cryptanalyse ciphers that rely on a nonlinear key addition (e.g. IDEA, MAA). A new attack is presented and applied to the block cipher CAST. The second part of this thesis deals with the design of iterated block ciphers.
Further building upon the Wide Trail design strategy, construction methods for the building blocks of a round transformation are developed. Two new designs are presented, together with a first analysis of these designs.
More and more information is processed and stored by means of computers and exchanged via telecommunications networks. Gradually, the flow of paper information is being replaced by an electronic data stream, allowing more data to be disseminated, both at a faster rate and on a larger scale. It also allows for this electronic data to be stored and retrieved in an efficient way. One means of guaranteeing the authenticity of the origin and of the information is the use of digital signatures.
Until now most important information was transmitted on paper. As a consequence, our current judicial system focuses on "paper procedures." The current rules may cause problems when new communication means and authentication techniques are rapidly introduced. The transition from a paper environment is being slowed down by the legal obligation to keep paper copies of certain data. This obligation is most prominent in the issue of proof, where conclusive evidence can only be extracted from certain information if that information exists in paper format.
Patrick Van Eecke, Lic. Iur., LL.M., is a research associate at the Interdisciplinary Centre for Law and Informatics (ICRI) of the K.U.Leuven. As a researcher he is involved in various European projects on the legal aspects of information technology, and he also works in the office of the Minister of Justice. Patrick Van Eecke is the author of "Criminaliteit in Cyberspace" (Mys en Breesch, 1997).
This thesis focuses on the analysis and design of Electronic Payment Systems. The importance of different forms of electronic money is demonstrated by their use in a growing number of applications: payments over the Internet, billing for GSM/UMTS services, Electronic Fee Collection (EFC) for transportation services, small payments for various purchases. The task of the Electronic Payment System designer is to guarantee both integrity and privacy for all the participants in the system, while efficiency is the main constraint towards the economical acceptance of the system. This is a challenging problem. In order to fulfill these requirements, the designer must choose the appropriate security services, security mechanisms and the cryptographic primitives that implement them. The main contribution of this thesis consists of developing a unified framework for the design of off-line electronic payment systems with various functional and security requirements. Three-step identification protocols and the associated signature schemes are extensively used to implement the majority of the necessary security services. A new restrictive blind signature scheme, derived from a witness hiding three-step identification protocol, is introduced. This cryptographic primitive is used in the design of a cash system, the security of which can be proved to a large extent. A new approach towards increasing the efficiency of the withdrawal transaction, which works for the majority of the existing privacy-protecting off-line payment schemes, is also proposed. The thesis includes the design of two payment schemes of practical importance for EFC on roadways. In this case, the main constraint is that the payment transaction between the On-Board Equipment of the user (driver) and the Road Side Equipment of the service provider must be completed in a very short time. 
The management of cryptographic parameters, which are a potential source of interoperability between roadway operators, is detailed for one of these EFC schemes.
There is an increasing amount of interest in providing security and privacy for communication networks, but in such a way that under certain conditions it is possible for other special parties to obtain access to communications. This is the concept of key escrow/recovery and is a subject of great current interest, with debate over the merits (or evils) often highly polarised. We will attempt to highlight some of the issues that cause such controversy, with a particular emphasis on technical aspects. Do practical key escrow/recovery schemes exist, and will anyone use them anyway?
Akelarre is a new 128-bit block cipher, that combines the structure of IDEA with operations from RC5. We show a ciphertext-only attack that breaks Akelarre.
Although RC2 is not a new cipher, there are no results published about it because its description used to be confidential. We show a (chosen-plaintext) differential attack on the cipher.
With the growing popularity of elliptic curve cryptosystems, the computation of modular inverses has become a speed-critical operation. In this talk, we examine various algorithms that have been proposed in the past, for both GF(p) and GF(2^n). We analyze their main properties, identify commonalities and explain differences in performance.
The objective of this seminar is to discuss some practical issues of World Wide Web security. We will explain the setup of a secure server, in particular the Apache server combined with the SSLeay library. A number of methods will be discussed for implementing access control on this server. Next to servers, the other participants in the system are clients. Solutions to provide export browsers with strong cryptography will be analyzed. Finally, the performance of the secured system is evaluated and compared to that of a regular HTTP connection.
ICE is a new 64-bit block cipher that introduces the concept of a keyed permutation to improve the resistance against differential and linear cryptanalysis. We show however that we can use low-Hamming-weight differences to perform a practical, key dependent, differential attack on ICE.
From the start of the standardization of GSM, the European answer to the evolving need for mobile communications, the vulnerability of the system was taken into account. Adequate measures were defined for the two basic security threats to an operator and to the user: the interception of data on the air interface and the illegitimate use of a service.
Currently UMTS, a third generation mobile telecommunications system, is being defined, with as its main objective offering a plethora of advanced mobile telecommunication services via a variety of public and private network operators in both outdoor and indoor environments. The GSM mechanisms are mentioned as a basis for UMTS security, but is this the right approach? The UMTS security requirements demand more enhanced security mechanisms; an example of mechanisms fulfilling the requirements will be presented.
In this talk we will share our experiences with implementing a scheme that enforces role based access control in a distributed, heterogeneous computing environment. This work was done in the framework of the EC-RACE project SESAME (A Secure European System in A Multi-vendor Environment). The SESAME project relies on the work done by ECMA (European Computer Manufacturers Association) to represent the credentials of the users and fully supports the GSS-API to help application developers. We conclude that enforcing such a scheme is realistic and that writing applications that benefit from the advantages of role based access control is very feasible. We have built several demonstration applications.
The IEEE P1363 working group has been working on their standard for about four years now. The first official draft was released recently, and the plan is to have the standard approved in the near future.
In view of the purpose of the standard, we describe the structure and the contents of the current version. We indicate aspects of public key cryptography that are outside the scope of the standard, and we describe plans for P1363a, which is the addendum to P1363. Furthermore, similarities and differences with ANSI X9.62 and ANSI X9.63 are touched upon. We discuss some current issues, including the patent situation.
In 1980 Hellman introduced a cryptanalytic tradeoff method between exhaustive key search and table precomputation for block ciphers. This method has a lower processing complexity than needed for exhaustive key search and a lower memory complexity than needed for table precomputation.
In this talk we will describe this method and we will examine a different tradeoff method, which has as main advantage a reduction of the memory access time.
Both methods are applicable under (weak) assumptions. Under these assumptions the success probability and its relation to preprocessing, processing and memory complexity can be computed, using properties of random mappings.
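To make the tradeoff concrete, the block below is an added example (written for this page, not code from the talk) of Hellman's single-table method on a constructed 16-bit keyed function that stands in for a block cipher. It builds m chains of length t of f(k) = R(E_k(P0)) for a fixed chosen plaintext P0, stores only the (endpoint, start point) pairs, and in the online phase recovers the key from E_k(P0) with at most t table accesses. The "cipher" (truncated SHA-256 of key and plaintext), the plaintext P0 and the spacing of the start points are all assumptions of the example; a real attack uses several tables with different reduction functions, which is omitted here.

```python
"""Hellman's time-memory tradeoff on a constructed 16-bit keyed function.

Added example; not from the talk. Every constant below is constructed.
"""
import hashlib
from typing import Dict, Optional, Set

KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
P0 = b"constructed fixed plaintext"  # chosen plaintext the table is built for


def toy_encrypt(key: int, pt: bytes) -> bytes:
    """Constructed stand-in for a block cipher: 16-bit key, 32-bit output."""
    return hashlib.sha256(key.to_bytes(2, "big") + pt).digest()[:4]


def reduce_to_key(ct: bytes) -> int:
    """Reduction function R: maps a ciphertext back into the key space."""
    return int.from_bytes(ct, "big") % KEY_SPACE


def step(key: int) -> int:
    """One chain step f(k) = R(E_k(P0))."""
    return reduce_to_key(toy_encrypt(key, P0))


def build_table(m: int, t: int) -> Dict[int, int]:
    """Precomputation: m chains of length t, storing only endpoint -> start.

    Memory is O(m) rather than O(m*t); the price is t steps per lookup and
    coverage lost to merging chains (a later chain with an already stored
    endpoint is dropped here).
    """
    table: Dict[int, int] = {}
    for i in range(m):
        start = (i * 40503) % KEY_SPACE  # spread start points over the key space
        k = start
        for _ in range(t):
            k = step(k)
        table.setdefault(k, start)
    return table


def lookup(table: Dict[int, int], t: int, ct: bytes) -> Optional[int]:
    """Online phase: recover k from ct = E_k(P0).

    At most t table accesses plus one chain regeneration per hit; the
    regeneration re-encrypts each candidate so false alarms are rejected.
    """
    y = reduce_to_key(ct)
    for _ in range(t):
        if y in table:
            k = table[y]
            for _ in range(t):
                if toy_encrypt(k, P0) == ct:
                    return k
                k = step(k)
        y = step(y)
    return None


def covered_keys(table: Dict[int, int], t: int) -> Set[int]:
    """Keys the table can actually recover: the first t elements of each stored chain."""
    keys: Set[int] = set()
    for start in table.values():
        k = start
        for _ in range(t):
            keys.add(k)
            k = step(k)
    return keys


if __name__ == "__main__":
    m, t = 256, 64
    table = build_table(m, t)
    frac = len(covered_keys(table, t)) / KEY_SPACE
    print(f"{len(table)} stored pairs cover {frac:.1%} of the {KEY_SPACE} keys")
    target = toy_encrypt(12345, P0)
    print(lookup(table, t, target))  # 12345 if that key lies on a stored chain
```

The coverage figure printed at the end is the practical lesson: with m*t well below the key space and chains merging, a single table recovers only a fraction of keys, which is why the success probability in the talk is expressed via random-mapping statistics rather than as m*t divided by the key space.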
Role Based Access Control (RBAC) is an area that has received increasing attention in recent years. RBAC provides a conceptually simple model for organizing and representing access control information where access authorizations are assigned to organizational roles rather than individual users. An important advantage of RBAC lies in facilitated administration and a better overview of security information. RBAC is also better suited to express high level security policies than are the traditional paradigms of Mandatory Access Control (MAC) and Discretionary Access Control (DAC).
The talk gives an introduction to RBAC and also describes work in the area performed at the Laboratory for Intelligent Information Systems (IISLAB) at Linköping University, Sweden. For instance, an NFS server has been modified to enforce role based access control rules. The talk will also introduce other projects in progress within the laboratory.
The subject of this thesis is the study of practical network security. The work is divided into three parts.
The first part gives a general overview of the cryptographic primitives and authentication mechanisms that are used to secure networks.
The second part deals with Internet security. The Internet has become a widespread success but at the same time it also remains extremely vulnerable. We describe and analyze the available security schemes for two of the most popular applications: electronic mail and the World Wide Web.
The third part discusses the SESAME architecture, a new approach to solve most of the problems discussed in the introductory chapters. We detail the design principles and the current implementation of SESAME. SESAME implements an authorization model based on role-based access control. The SESAME protocols were developed to be compatible with Kerberos but at the same time provide strong authentication and better inter-domain support using public-key technology. Finally it is shown how this technology can be applied to secure an existing Intranet.
The cornerstone of electronic commerce over the Internet is asymmetric cryptography, which guarantees the privacy and signature of information exchanged between parties. Asymmetric cryptography is based on a public key and a private key, which MUST be kept secret. However, this private key is usually stored on a local hard disk and protected by a password. Therefore this strong security scheme becomes as weak as password-based authentication. We will see how biometric identification and authentication can be used to protect access to the private key, and compare it with the use of smart cards. The different biometric authentication methods will be presented.
The International Data Encryption Algorithm (IDEA) is a well known block cipher which is used, for example, in the Pretty Good Privacy (PGP) package. In this talk, the largest known weak key classes of IDEA and reduced-round IDEA are constructed. For some of these classes, membership is determined by a differential-linear test while encrypting with a single key. In particular, 8.5-round IDEA has a weak key class of 2^63 keys (one in every 2^65 keys) for which membership is determined in such a manner. A related-key differential-linear attack on 4-round IDEA is presented which is successful for all keys. Large weak key classes are found for 4.5- to 6.5-round and 8-round IDEA for which membership of these classes is determined by similar related-key differential-linear tests.
In this presentation we will survey the series of RC ciphers designed by Ron Rivest. In particular we will look at the design, security and performance of these ciphers in a comparison with others in the field. We will also consider some recent developments resulting from the call for submissions to the AES effort.
No abstract.
The goal of the presentation is to illustrate the use of a PKI and the different components that play a role in a PKI system. We will discuss the different components, their roles, the standards used and how the components work together.
When two parties communicate over a network (the Internet), their identity is more or less disclosed via their network address or via specific headers in the used communication protocol. However, anonymous communication is needed in certain applications: privacy protection on the World Wide Web, anonymous payment schemes, voting protocols, etc. In this seminar, we will discuss the different existing solutions that provide anonymous communication over a network.
This talk discusses new constructions for iterated hash functions. It proposes fast and secure nm-bit compression functions based on error-correcting codes and m-bit compression functions.
This leads to simple and practical hash function constructions based on block ciphers such as DES, where the key size is slightly smaller than the block size, IDEA, where the key size is twice the block size and to MD4-like hash functions. Under reasonable assumptions about the underlying compression function and/or block cipher, we prove that the new hash functions are collision resistant.
Also, some new attacks are presented that essentially match the lower bounds. The constructions allow for a large degree of internal parallelism. The limits of this approach are studied in relation to bounds derived in coding theory.
A comparison of the proposed algorithms
SESAMEV4 is a security architecture that supports role based access control with single sign-on facilities for heterogeneous distributed network environments. Several vulnerabilities are identified in SESAMEV4's user authentication process. This talk proposes four options for enhancing this user authentication process by integrating smart cards into SESAMEV4. The proposals are shown to successfully increase the level of security of SESAMEV4 and will be shown to operate correctly with existing SESAMEV4 applications and servers, with no modifications required to the applications or servers.
Fingerprinting is a long established technique for physically marking objects in a way that allows them to be traced in the event that a forgery is made. We investigate some recently proposed methods of extending this concept to digital data and digital services. This is of considerable interest to applications such as multimedia publishing and pay-per-view television service provision, where the potential for easily making pirate copies of digital information is of great concern. This talk is a high level overview of some proposed ideas and an indicator of what research has already been done. Dangerous mathematics will be avoided, although some other dangerous things may not be. Prizes will be awarded.
In this paper we propose a pre-paid payment scheme suitable for Electronic Fee Collection applications. The payment instrument used is implemented as a secret key/public key pair of an identity-based version of the Guillou-Quisquater identification/signature scheme. This design choice allows for interoperability among issuers of payment instruments and road service providers in the system, while the payment transaction can be carried out in a short time. This is the main contribution of our paper. A payment instrument is untraceable in the sense that it cannot be linked to a user. The untraceability feature can be revoked under the decision of a court. The privacy mechanism is based on the concept of revocable pseudonyms, the withdrawal stage of which is realized with an original protocol.
We generalise and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without relying on random oracles. We show a new application of verifiable encryption to group signatures with separability; these schemes do not need special-purpose keys but can work with a wide range of signature and encryption schemes already in use. Finally, we extend our basic primitive to verifiable threshold encryption. By encrypting digital signatures this way, one gets solutions that are in many cases superior to those that can be achieved using verifiable signature sharing.
An instance of the Discrete Logarithm Problem (DLP) is the following: given a finite cyclic group G of order n = |G|, and elements y, g in G with g a generator of G, find the smallest non-negative integer x such that y = g^x (if G is written multiplicatively) or y = xg (if G is written additively). The number x is called the discrete logarithm of y to the base g.
The presumed intractability of the DLP, for appropriate choices of G and its order, has made the DLP a basic building block of many cryptographic applications, like ElGamal's public-key algorithm and signature scheme, the Diffie-Hellman key agreement protocol, and some pseudo-random number generators. In this seminar, a brief overview of the evolution of research towards algorithms for solving the DLP will be presented.
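As an added example for the definition above (written for this page, not part of the seminar), the block below solves a DLP instance in the multiplicative group Z_p^* with the baby-step giant-step algorithm, one of the generic square-root-time methods the seminar's survey covers, and cross-checks it against brute force. The sample group (p = 23, generator g = 5 of order 22) is constructed.

```python
"""Baby-step giant-step for the discrete logarithm problem in Z_p^*.

Added example; not from the seminar. The instance is: given p, a generator g
of order n, and y, find the smallest x >= 0 with y = g^x (mod p).
"""
from math import isqrt
from typing import Dict, Optional


def dlog_bsgs(g: int, y: int, p: int, n: int) -> Optional[int]:
    """Discrete logarithm of y to the base g in Z_p^*, or None if none exists.

    n is the order of g (any upper bound on x also works). The baby-step table
    holds m = isqrt(n) + 1 powers g^j; the giant steps walk y * g^(-m*i).
    Time and memory are O(sqrt(n)). For groups without exploitable structure
    (e.g. well-chosen elliptic curve groups) nothing better than sqrt(n) is
    known, which is why the order of g is chosen around 2^256 today; for
    Z_p^* itself index-calculus methods do better, so p must be far larger
    than the subgroup order.
    """
    m = isqrt(n) + 1
    baby: Dict[int, int] = {}
    e = 1
    for j in range(m):
        baby.setdefault(e, j)  # keep the smallest j for each group element
        e = e * g % p
    giant_factor = pow(g, -m, p)  # g^(-m) mod p (Python 3.8+ modular inverse)
    gamma = y % p
    for i in range(m):
        j = baby.get(gamma)
        if j is not None:
            x = i * m + j
            return x if x < n else None
        gamma = gamma * giant_factor % p
    return None


def dlog_bruteforce(g: int, y: int, p: int, n: int) -> Optional[int]:
    """O(n) reference implementation used to cross-check on small groups."""
    e = 1
    y %= p
    for x in range(n):
        if e == y:
            return x
        e = e * g % p
    return None


if __name__ == "__main__":
    p, g, n = 23, 5, 22  # constructed: 5 generates Z_23^*, which has order 22
    for y in range(1, p):
        assert dlog_bsgs(g, y, p, n) == dlog_bruteforce(g, y, p, n)
    print(dlog_bsgs(g, 10, p, n))  # 3, since 5^3 = 125 = 10 (mod 23)
```

The same code applies unchanged to a prime-order subgroup of Z_p^* by passing the subgroup order as n; only the group operation would need swapping to handle the additive (elliptic curve) form of the problem.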
The SmartMove concept provides a general purpose two-way communication system between a centralized dispatching center and mobile entities such as cars. The system makes it possible to obtain information about the car such as position, speed, emission quality, engine control information, etc. This information may be useful for a variety of applications comprising fleet management, recovery of stolen cars and navigation systems.
In this seminar we will define several key issues related to the design of a secure communications architecture in such a mobile environment:
- which cryptosystems may be suitable,
- which certificates may be applicable,
- which protocols may be applicable,...
During the past years Microsoft has made "advanced security" a key feature of its business operating system, Windows NT. This trend will certainly continue in the next major release of Windows NT: Windows 2000. In this session we will focus on the way Microsoft has integrated public key security within the Windows NT/2000 operating system and its related products. Among the public-key solutions that will be addressed in this session are the following:
* Secure Messaging in an NT/Exchange environment;
* Secure web solutions with Microsoft's webserver IIS;
* Integration of PKI within Windows 2000;
* The Encrypting File System;
* Smartcard Authentication...
We present a novel scheme for electronic elections achieving universal verifiability. We do so by employing an efficient publicly verifiable secret sharing (PVSS) scheme. The resulting scheme is compared with existing alternatives, and we show in which cases our approach is clearly preferable to these alternatives.
Public key and token based authentication are becoming more and more accepted as THE application-independent mechanisms for authentication. Although they are an absolute requirement for bringing existing and new applications to a wider audience over the Internet, they are only a means and not a goal. Authentication is only the first step in the complex process of Internet access control, or "who can do what with which information on the net?".
IntraVerse, the Internet authorisation backbone solution from Dascom (CA), allows an organisation to centrally enforce, manage and audit its access control policy for corporate Web, client/server and legacy applications. The access control policy is stored and managed centrally in a highly secure repository. This repository can automatically be replicated to create a high-availability access control cluster and to enhance the performance of the authorisation engine. IntraVerse supports a number of components which allow a seamless integration of the authorisation system into a company's new or existing applications: WebSEAL for fine-grained access control to the Web, NetSEAL for client/server, ObjectSEAL for Level 1 and Level 2 security for CORBA, MessageSEAL for MQ based applications and the Authorisation API for integration in legacy applications.
At the same time, through the Credential Acquisition Service, IntraVerse leverages existing authentication systems and shields applications from the complexity of mechanisms based on LDAP, PKI or tokens. Last, but not least, IntraVerse's External Authorisation Service allows the integration of existing (e.g. RACF) or proprietary Access Control mechanisms.
We give an overview of the hardware design process, the different steps that it involves, and the software tools that may be used in each of the steps. We discuss different target technologies and how the choice of a technology influences some of the design steps.
As an application, we describe the development of the core of a processor for elliptic curve public key cryptosystems for an FPGA target technology. We explain design choices and compare them to the case of a software implementation. Although the design is far from finished, we can give some ideas and predictions about speed, resource requirements etc.
The presentation first briefly describes some of the key drivers of the converging information society, and some implicit dependencies in this society. Then risk is discussed as a function of the role a person or an entity plays in such a society. The basic security measures are put into perspective, and discussed from the viewpoint of audit risk.
In the second part of the presentation, PwC is described as an organisation of which the GRMS (Global Risk Management Services) part is focused on Risk Management. The organisation's vision, structure and basic value chain are discussed.
The presentation moves on to outline how PwC clients operate in an economical context, and how this context influences all of their activities. Convergence of industry sectors and organisational changes lead to new requirements for information systems. This typically includes new requirements with regard to security as well. Obviously the new economy which is currently arising will have its winners and its losers. Different industry clusters are facing different risks. Organisations can be classified by the degree of sophistication in risk management they employ. Approaches used by some of our clients will be discussed.
PwC's approach for risk management fundamentally deals with two classes of risks: serving clients by helping them manage their risks, and our own internal risk. The focus of the presentation is on the former. The various mechanisms in use are reviewed. These include: accountability, competency pools, networks of Subject Matter Experts, and methodologies.
Finally, a short conclusion is presented.
Differential Power Analysis (DPA) was invented by Paul C. Kocher and last year caused quite a shock in the smart card world. It is a statistical attack which recovers the secret keys contained in a smart card by measuring and analyzing the card's power consumption.
In this seminar we will first give some background on smart cards and then explain how DPA works, how it can be used, and what its strong points and limitations are.
In many situations there is a need to certify the date a document was created or last modified. We give an overview of this time-stamping problem. Several procedures have been proposed which make it infeasible to either back-date or forward-date documents, even with the collusion of a time-stamping service. We will focus on the techniques based on tree structures and one-way accumulators.
The Kerberos system is the Internet standard for application level security. It provides user and server authentication and session security. Kerberos may also be considered as the parent of several other security architectures. Kerberos is a shared-secret-key, trusted-third-party based architecture. Kerberos users (principals) are authenticated by the use of a password. The use of only a password to authenticate users is a weak form of authentication. This seminar will present research into what options are available for the integration of smart cards into Kerberos. The integration of smart cards requires the user to hold both a token (the smart card) and a user secret (a PIN for the smart card). Hence two-factor authentication is possible. Integration of smart cards is possible in each of the protocol groups of Kerberos (user to authentication server, user to ticket granting server and user to application server). In particular, various options are identified to strengthen the user to authentication server interface of Kerberos, which is vulnerable to several attacks including offline password guessing, even with the pre-authentication options from MIT.
HADES is a crypto chip which encrypts ATM (Asynchronous Transfer Mode) data with Triple-DES in CBC mode at a data rate of 155 Mbit/s. In the talk we will discuss the design, and in particular the process of designing this chip. Considering security adds a strange flavour to the usual set of folklore found in the systems design community: problems of cryptanalysis, testing, secret backdoors, and the like make working on such a project real fun.
In this seminar, we talk about provably secure encryption algorithms. We discuss several definitions of cryptographic security and give examples of algorithms with different levels of security. In the second half of the talk, we discuss provable security aspects of several AES-candidates (DFC, SAFER+, Rijndael, Serpent, ...).
Microsoft has implemented Kerberos as the new default authentication protocol for Windows 2000. In this session we'll briefly review the main characteristics of the Kerberos protocol. Next we'll look at the specific choices Microsoft made for their implementation, how it fits into Windows 2000, how it could interact with other implementations and how it interacts with other core Windows 2000 services such as access control.
The SEA algorithm (Schoof-Elkies-Atkin algorithm) is used for counting the number of points on elliptic curves (EC) over finite fields. The importance of this algorithm can't be stressed enough, because the security that an EC offers is directly related to the prime factorisation of the group order (i.e. the number of points). In the seminar I will give a detailed overview of this algorithm in the characteristic 2 case, both theoretical and practical. A number of optimisations will be discussed, which enabled me to set a new world record (WR) in this area.
We describe theoretical and numerical results on the behaviour of the proportion c(q) of elliptic curves over the finite field F_q having a cyclic group of points among all elliptic curves over this field. There are results of S.G. Vlăduţ describing the cases when c(q)=1 in characteristic two (for example for q = 2^n - 1 being a Mersenne prime), and there exists an asymptotic formula for general q. We consider the representatives of the isomorphism classes of elliptic curves over prime fields F_p and find c(p) numerically (it is about 0.8) for primes up to 8501, for chosen primes p up to 500009, and for some amount of elliptic curves over F_p. The proportion of elliptic curves having prime order is also calculated (it is about 0.02-0.05).
Linear cryptanalysis is a probabilistic known-plaintext attack on block ciphers presented by M. Matsui in 1993 in an attack on DES. This seminar will focus on linear cryptanalysis applied to SAFER-K/-SK and SAFER+ ciphers. Some slightly better results, compared to what is known about SAFER, will be presented as well as the methodology used for the generation of linear relations.
In this seminar, we will discuss why unpredictable `random' numbers are important for cryptographic applications such as the one-time pad, key generation, challenge-response systems, ... To this end, we will first introduce the basic concepts relevant to random and pseudorandom bit generation, and derive a criterion for a source of `good' randomness. Given these requirements, we will analyze the reliability of existing random bit generators based on physical phenomena (air turbulence in a disk drive, noise produced by microphones, ...), dedicated hardware (thermal noise from a semiconductor diode or resistor), software (network statistics, system load, ..., modular squaring, ...), user input (mouse movements, timing between key strokes, ...), etc. Finally, we present some reliable sources of randomness.
The tools designed for public-key cryptography assume that there is only one sender and one receiver. Threshold cryptography tries to extend these tools in such a way that any subset of cardinality t+1 (called the threshold) out of a group of l members is able: in the case of signatures, to sign messages while only one person is needed to verify them; or in the case of encryption, to decrypt a message while only one person is needed to encrypt it. A threshold secret sharing scheme is the main tool used by threshold cryptography. It makes it possible to share a secret by providing each member of the group with a share, in such a way that only subsets with at least t+1 members can recover the secret. In this talk, we present the Shamir secret sharing scheme and its use to transform the RSA signature scheme into a threshold signature scheme. The security of these schemes is discussed using zero-knowledge theory. In particular, the threshold signature scheme recently proposed by V. Shoup is described. Open problems are presented.
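The Shamir scheme mentioned above, written out in the abstract's own parameters (any t+1 of l members recover the secret) as an added Python example that is not from the talk; the field prime P is a constructed choice, and the interpolate_at helper is also used to show why t shares reveal nothing about the secret.

```python
# Added example: Shamir (t+1)-out-of-l secret sharing over the prime field
# GF(P).  The dealer picks a random polynomial f of degree t with f(0) = secret
# and hands member i the share (i, f(i)).  Any t+1 shares fix f uniquely, so
# Lagrange interpolation at 0 recovers the secret; any t shares are consistent
# with every possible secret, so they reveal nothing (shown in the test).
import secrets

P = 2**61 - 1   # constructed choice: a Mersenne prime, room for 61-bit secrets


def interpolate_at(points, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(points) through
    the given (x_j, y_j) pairs, using Lagrange's formula modulo p."""
    result = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % p
                den = den * (xj - xk) % p
        result = (result + yj * num * pow(den, -1, p)) % p
    return result


def share(secret, t, l, p=P, rng=secrets.randbelow):
    """Split secret into l shares so that any t+1 of them reconstruct it.
    rng(p) must return a uniform value in [0, p); the default is a CSPRNG."""
    if not (0 <= secret < p and 0 <= t < l < p):
        raise ValueError("need 0 <= secret < p and 0 <= t < l < p")
    coeffs = [secret] + [rng(p) for _ in range(t)]   # f(0) = secret
    def f(x):                                         # Horner evaluation of f
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % p
        return acc
    return [(i, f(i)) for i in range(1, l + 1)]       # member i gets (i, f(i))


def recover(shares, p=P):
    """Reconstruct the secret f(0) from at least t+1 distinct shares."""
    return interpolate_at(shares, 0, p)


if __name__ == "__main__":
    s = 123456789
    shares = share(s, t=2, l=5)           # 3-out-of-5
    print("recovered:", recover(shares[1:4]) == s)
```

Given only t shares, adding the point (0, s') for any guess s' and interpolating yields a valid value for a missing share, so every s' is equally consistent with what those t members hold.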
Recent years have seen numerous examples when designs play an important role in the study of such topics in cryptography as secrecy and authentication codes, secret sharing schemes, correlation-immune and resilient functions. In this talk we give applications of some methods and results from the design theory, especially bounding the optimal size of the designs and codes, to cryptography. We give a new bound for the parameter t, when (n,T,t)-resilient functions and correlation-immune functions of order t exist. In the last part we present an analogous bound for the parameter N of T-wise independent t-resilient functions.
In order to provide the basis for the chip migration of the classical debit/credit magnetic stripe payment instruments, while meeting the demand for interoperability, three major players in the field of financial services, namely Europay, Mastercard, and VISA, joined their efforts to elaborate a common set of specifications. This specification, known under the acronym EMV, became the de-facto standard in the field of debit/credit (or pay now/pay later) payment systems. All the issuers/acquirers that are willing to provide their cardholders/merchants with payment services branded by one of the aforesaid financial organisations must implement a subset of the EMV specifications in the card or terminal. The payment network operators have to adapt the authorisation and clearing message formats to accommodate the new data elements required by the chip operation. In this talk we briefly present the EMV protocols and we look at the design choices the issuer/acquirer has for customising these protocols according to their functional needs and security policies. As the main design criterion we have chosen the trade-off between offering financial services to cardholders and merchants at competitive prices, while still providing an acceptable level of security for the issuers and acquirers.
In this seminar we discuss the current status of the AES developments. Most of this seminar shall be a report on the 3rd AES conference, which will be held on 13 and 14 April in New York.
In 1997, the American National Institute of Standards and Technology (NIST) initiated an open competition to replace the famous DES algorithm. DES was standardized in 1979, but has reached the end of its lifetime. Twenty-one teams of cryptographers from 11 countries submitted candidates. After an evaluation process of 2.5 years, Rijndael was selected as the winner on October 2nd. We explain the use and importance of the AES and give an overview of the most important contenders and events in the AES selection process. We compare the design principles of the main candidates, and highlight the key advantages of Rijndael, which have led to its selection. Rijndael has been designed by Vincent Rijmen (COSIC, Dept. Electrical Engineering-ESAT, K.U.Leuven) and Joan Daemen (ex-COSIC, ProtonWorld International). For more information, see http://www.esat.kuleuven.ac.be/cosic/, http://www.esat.kuleuven.ac.be/~rijmen/rijndael/ and http://www.nist.gov/aes/.
Linear Cryptanalysis (LC) is a known-plaintext attack on iterated block ciphers, introduced by Matsui and Yamagishi at Eurocrypt'92 against the FEAL cipher, and subsequently applied in 1993, by Matsui, against the DES cipher. A linear attack exploits approximate linear relations that connect some plaintext, ciphertext and subkey bits across the cipher. Once this relation is established, maximum likelihood methods are used to discover the most probable subkey bits at the first and/or last rounds of the cipher. The idea of Non-Linear Cryptanalysis (NLC) is one of the many generalizations of LC. Instead of using purely linear relations, though, equations of higher degree are employed to model the behaviour of a block cipher. The main reference for this research comes from a paper by Knudsen and Robshaw, presented at Eurocrypt'96, which discusses advantages of non-linear approximations for cryptanalysis of reduced-round versions of the DES and LOKI91 ciphers. As a tentative analysis, quadratic equations will be explored, and the preliminary results of this analysis will be presented.
In this seminar, Eddy Van De Velde (Gemplus) will present Gemplus' security group and the way they deal with the need for security in smartcard based solutions. An overview will be given of smartcard based PKI-applications for use in a B2B and a B2C-environment.
This seminar will examine two different aspects of PKI. Firstly, a PKI for future wireless networks will be presented. This will include both a security architecture and certificate design. Secondly, weaknesses in current PKIs will be described, including possible remedies.
This will be the first seminar with special focus on Algorithmic Number Theory. After reviewing addition and subtraction, we will focus on multiplication of integers and polynomials over various rings: the classical multiplication technique, Karatsuba multiplication, k-way Toom multiplication (with explicit formulas for k=3, 4) and finally the FFT multiplication technique. All these techniques have been implemented and practical recommendations on their use will be given. We'll end the seminar with a practical example: counting points on elliptic curves.
PANAMA is a cryptographic module that was presented at the FSE Workshop in '98 by Joan Daemen and Craig Clapp. It can serve both as a cryptographic hash function and as a stream cipher, and achieves high performance (for large amounts of data) because of its inherent parallelism. In this seminar we analyse the security of PANAMA when used in hashing mode, and demonstrate an attack able to find collisions faster than a birthday attack.