Attacking the IPsec Standards in Encryption-only Configurations

Degabriele, Jean Paul; Paterson, Kenneth G.

doi:10.1109/sp.2007.8

Cited by 37 publications

(44 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If confidentiality is not needed, providing authentication can still be useful. Confidentiality without authentication is not effective [DP07] and therefore SHOULD NOT be used. We describe each of these cases in more detail below.…”

Section: Summary Of Changes From Rfc 4835mentioning

confidence: 99%

Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)

McGrew¹,

Hoffman²

2014

View full text Add to dashboard Cite

Section: Summary Of Changes From Rfc 4835mentioning

confidence: 99%

Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)

McGrew¹,

Hoffman²

2014

View full text Add to dashboard Cite

“…During the 10-15 years since the protocols of Section 2 largely took their present form, a large number number of security proofs, counter-proofs and attacks have been presented, starting with [38][39][40] and [23,[41][42][43][44] representing some of the more recent work.…”

Section: Rethinking Privacy and Authenticationmentioning

confidence: 99%

Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation

Saarinen

2014

Topics in Cryptology – CT-RSA 2014

View full text Add to dashboard Cite

Abstract. BLINKER is a light-weight cryptographic suite and record protocol built from a single permutation. Its design is based on the Sponge construction used by the SHA-3 algorithm KECCAK. We examine the SpongeWrap authenticated encryption mode and expand its padding mechanism to offer explicit domain separation and enhanced security for our specific requirements: shared secret half-duplex keying, encryption, and a MAC-and-continue mode. We motivate these enhancements by showing that unlike legacy protocols, the resulting record protocol is secure against a two-channel synchronization attack while also having a significantly smaller implementation footprint. The design facilitates security proofs directly from a single cryptographic primitive (a single security assumption) rather than via idealization of multitude of algorithms, paddings and modes of operation. The protocol is also uniquely suitable for an autonomous or semiautonomous hardware implementation of protocols where the secrets never leave the module, making it attractive for smart card and HSM designs.

show abstract

“…Their attacks work if an implementation does not follow the standard strictly. Later, Degabriele and Paterson [20] published another attack that works only if an implementation strictly follows the standard.…”

Section: Related Workmentioning

confidence: 99%

Towards Symbolic Encryption Schemes

Ahmed¹,

Jensen²,

Zenner

2012

Computer Security – ESORICS 2012

View full text Add to dashboard Cite

Abstract. Symbolic encryption, in the style of Dolev-Yao models, is ubiquitous in formal security models. In its common use, encryption on a whole message is specified as a single monolithic block. From a cryptographic perspective, however, this may require a resource-intensive cryptographic algorithm, namely an authenticated encryption scheme that is secure under chosen ciphertext attack. Therefore, many reasonable encryption schemes, such as AES in the CBC or CFB mode 1 , are not among the implementation options.In this paper, we report new attacks on CBC and CFB based implementations of the well-known Needham-Schroeder and Denning-Sacco protocols. To avoid such problems, we advocate the use of refined notions of symbolic encryption that have natural correspondence to standard cryptographic encryption schemes.

show abstract

Attacking the IPsec Standards in Encryption-only Configurations

Cited by 37 publications

References 8 publications

Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)

Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH)

Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation

Towards Symbolic Encryption Schemes

Contact Info

Product

Resources

About