论文信息 - Lost in translation: theory and practice in cryptography

Lost in translation: theory and practice in cryptography

The perils of using encryption without authentication or integrity protection are well known in the cryptographic research community. Yet its exactly the mandatory support for unauthenticated encryption that forms the basis of a serious security flaw in an IPsec implementation we recently discovered. In response, the UK's equivalent to CERT, the National Infrastructure Coordination Centre published a vulnerability advisory about the flaw. Vendors also issued updated recommendations to customers, and we saw a flurry of discussion on Slash-dot and the sci.crypt newsgroup. In the aftermath, we asked ourselves, how did this happen?

Kenneth G. Paterson | Arnold K. L. Yau

[1] Stephen T. Kent,et al. Security Architecture for the Internet Protocol , 1998, RFC.

[2] Chanathip Namprempre,et al. Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.

[3] Sam Hartman,et al. The Perils of Unauthenticated Encryption: Kerberos Version 4 , 2004, NDSS.

[4] John Black,et al. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption , 2002, USENIX Security Symposium.

[5] Susan R. Harris,et al. The Tao of IETF - A Novice's Guide to the Internet Engineering Task Force , 2001, RFC.

[6] BellareMihir,et al. Breaking and provably repairing the SSH authenticated encryption scheme , 2004 .

[7] Kenneth G. Paterson,et al. Cryptography in Theory and Practice: The Case of Encryption in IPsec , 2006, EUROCRYPT.

[8] Chanathip Namprempre,et al. Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[9] Steven M. Bellovin,et al. Problem Areas for the IP Security Protocols , 1996, USENIX Security Symposium.

[10] Bruce Schneier,et al. Cryptanalysis of Microsoft's point-to-point tunneling protocol (PPTP) , 1998, CCS '98.