Article title

Combining message encryption and authentication

Publication languages
EN
Abstract (EN)
The first part of the paper explains the need for combining message encryption and authentication. We begin with an example to emphasize the fact that privacy does not imply authenticity. Then we prove that one needs both privacy and authenticity, even if one's aim is just privacy. In the second part we present an overview of different methods for providing authenticated encryption (AE), i.e., generic compositions, single-pass modes and two-pass combined modes. We analyze the advantages and disadvantages of the different AE constructions. In the third part of the paper we focus on nonce-based authenticated encryption modes. Our motivation is the wish to understand the methodology of designing an authenticated encryption mode of operation. We take into consideration a few of the most important properties, e.g. parallelizability, memory requirements and pre-processing capability. We analyze the possible choices of the underlying encryption and authentication components and their order in a message. We also try to answer the question: what does single-key mode really mean? Finally we mention the importance of provable security theory for the security of authenticated encryption modes.
Pages
61-79
Physical description
Bibliography: 25 items, figures.
Creators
author
  • Military Communication Institute, 05-130 Zegrze, Poland
author
  • Military Communication Institute, 05-130 Zegrze, Poland
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-99b52be0-1d9e-4d36-b4bb-f5015e78cbe2