© RSA 1998
Why Standards?
• Many reasons:
– interoperability
– stability
– assurance
• De facto or de jure?
RSA Data Security, Inc.
Emerging Standards for Public-Key
Cryptography
Introduction
• As research matures, it can be made
“standard”
– ’70s and ’80s research in public-key
cryptography leads to standards in ’90s
• This talk is a snapshot of some of the
standards efforts — and the interesting
issues they raise
Part I:
Survey of Standards Efforts
Outline
I. Survey of Standards Efforts
II. A General Model for Public-Key
Standards
III. Strong Primes: A Recurring Technical
Debate
IV. Some Research Motivated by
Standards
Some Public-Key Standards Efforts
• ANSI X9F1
• IEEE P1363
• ISO/IEC JTC1 SC27
• US NIST
ANSI X9F1 Efforts
• Some ANSI documents (drafts)
– X9.30 DSA signatures
– X9.31 RSA/RW signatures (rDSA)
– X9.42 DH/MQV key agreement
– X9.44 RSA key transport
– X9.62 elliptic curve signatures
– X9.63 EC key agreement / transport
– X9.79 prime generation
ANSI X9F1
• Financial Services / Data and
Information Security / Cryptographic
Tools
• Corporate membership
• Quarterly meetings in North America
• www.x9.org
IEEE P1363
• Standard Specifications for Public-Key
Cryptography
• Sponsored by IEEE Microprocessor
Standards Committee
• Individual participation
• Meetings mostly in North America
• grouper.ieee.org/groups/1363
IEEE P1363 Coverage
• Three types of technique:
– key agreement, signature, encryption
• From three families:
– DL: discrete logarithm
– EC: elliptic curve
– IF: integer factorization
• Also, number theory background,
security considerations
IEEE P1363a
• Standard Specifications for Public-Key
Cryptography: Additional Techniques
• In preparation
• More techniques, probably same
families
– identification likely to be added
ISO/IEC JTC1 SC27
• International Organization for
Standardization / International
Electrotechnical Commission /
Information Technology / IT Security
Techniques
• National representation, with experts
• Meetings throughout the world
• www.iso.ch
SC27 Efforts
• Some ISO/IEC documents
– 9796 Signatures with message recovery
– 9798 Entity authentication
– 11770 Key management
– 13888 Nonrepudiation
– 14888 Signatures with appendix
• Symmetric and public-key techniques
U.S. NIST FIPS
• National Institute of Standards and
Technology
– part of U.S. Department of Commerce
• Federal Information Processing
Standards (FIPS)
• Computer Security Act (1987) gives
charter for government cryptography
standards
• www.nist.gov
NIST Efforts
• Some FIPS:
– 186 Digital Signature Standard
– 196 Entity Authentication
– new Key Exchange / Agreement
• Others of interest:
– 46-2 Data Encryption Standard
– 180-1 Secure Hash Standard
– new Advanced Encryption Standard
Comparing the Efforts
• Different goals:
– ISO, IEEE: general building blocks
– ANSI: US banking requirements
– NIST: US government, commercial
• Coordination:
– IEEE, ANSI technical convergence
– NIST will accept ANSI signature
standards for government purposes
– ISO TC68 adopts ANSI X9F1
Application Standards of Interest
• S/MIME: messaging
• SSL / TLS: communications
• SET: bank card payments
• PKIX: public-key infrastructure
RSA Laboratories’ PKCS
• Public-Key Cryptography Standards
• Informal, intervendor effort coordinated
by RSA Laboratories
• Periodic workshops
• www.rsa.com/rsalabs/pubs/PKCS/
PKCS Efforts
• Revisions and new documents:
– PKCS #1 RSA Cryptography
• v2.0 draft in review, includes Bellare-Rogaway OAEP
– PKCS #5 Password-Based Encryption
– PKCS #13 Elliptic Curve Cryptography
– PKCS #14 Pseudorandom Generation
– PKCS #15(?) Smart Card File Formats
Part II:
A General Model for Public-Key
Standards
A General Model
• Framework with abstraction, generally
following P1363
• Three levels:
– primitives
– schemes
– protocols
• … plus key management
P1363 Naming Convention
• General form:
– family type - instance (e.g., DLSP-DSA)
• where
– family is DL, EC, IF
– type is one of:
• SP: Signature Primitive
• SSA: Signature Scheme with Appendix
• etc.
– instance is a particular algorithm, e.g.,
DSA, DH, RSA
Primitives
• Basic mathematical operations
• Low-level implementation
– e.g., crypto-accelerator, software module
• Computational security
– enhanced when combined with additional
techniques in a scheme
Types of Primitive
• Secret value derivation
– shared secret value from public key(s),
party’s private key(s)
• Signature and verification
• Encryption and decryption
Example: DLSP-DSA / DLVP-DSA
• DSA signature / verification primitives
• DLSP-DSA ((p, q, g, x), m):
– r = (g^k mod p) mod q, k random
– s = k^(-1) (m + xr) mod q
• DLVP-DSA ((p, q, g, y), m, (r, s)):
– r =? (g^(m/s) y^(r/s) mod p) mod q
Primitives in P1363
• Secret Value Derivation
– DH, MQV in DL, EC families
• Signature / Verification:
– DSA, Nyberg-Rueppel in DL, EC families
– RSA with and w/o absolute value
– Rabin-Williams
• Encryption / Decryption:
– RSA
Schemes
• Related operations combining
primitives, additional techniques
– a framework with options
• Medium-level implementation
– e.g., cryptographic service library
• Complexity-theoretic security (ideally)
– completed when appropriately applied in a
protocol
Types of Scheme
• Key agreement
• Signature
– with appendix
– with message recovery
• Encryption
• Identification (in P1363a)
Additional Techniques
• Encoding method
– maps between message, data to be
processed by primitive
– for signatures, encryption schemes
• Key derivation function
– maps from shared secret value to key
– for key agreement schemes
Example: DL/ECSSA
• DL/EC signature scheme
– options: SP / VP / encoding method
• Signature operation (privKey, M):
– S = SP (privKey, Encode (M))
• Verification operation (pubKey, M, S):
– VP (pubKey, Encode (M), S) [DSA]
– Encode (M) =? VP (pubKey, S) [NR]
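The DLSP-DSA / DLVP-DSA primitives above, wrapped into the DL/ECSSA scheme by the Hash(M) encoding method, as an added example (not code from P1363 or from the talk). It assumes SHA-256 as the hash and uses a constructed toy domain (p = 607, q = 101, g = 64) that is far too small for real use.

```python
import hashlib
import secrets

# Toy DSA domain parameters, constructed for this example (far too small for real
# use): q = 101 divides p - 1 = 606, and g = 2^((p-1)/q) mod p = 64 has order q.
P, Q, G = 607, 101, 64


def dlsp_dsa(priv_key, m, k=None):
    """DLSP-DSA: sign the integer m (0 <= m < q) with private key (p, q, g, x).

    k is the per-signature secret; it must be fresh and random for every
    signature (a fixed k is accepted here only so the example is reproducible)."""
    p, q, g, x = priv_key
    if not 0 <= m < q:
        raise ValueError("m must already be reduced into [0, q)")
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1  # 1 <= k < q
        r = pow(g, kk, p) % q                   # r = (g^k mod p) mod q
        s = (pow(kk, -1, q) * (m + x * r)) % q  # s = k^-1 (m + xr) mod q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("supplied k yields r = 0 or s = 0; use another k")


def dlvp_dsa(pub_key, m, signature):
    """DLVP-DSA: check r == (g^(m/s) y^(r/s) mod p) mod q, divisions done in Z_q."""
    p, q, g, y = pub_key
    r, s = signature
    if not (0 < r < q and 0 < s < q):   # range check before any arithmetic
        return False
    w = pow(s, -1, q)
    u1, u2 = (m * w) % q, (r * w) % q   # m/s and r/s in Z_q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def encode(M, q):
    """Encoding method of the DL/EC signature scheme: Hash(M) mapped into Z_q.

    Real schemes keep the leftmost bits of the hash; reducing mod q is a
    simplification that fits the toy q."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % q


def dlssa_dsa_sign(priv_key, M, k=None):
    """DLSSA, DSA instance: S = SP(privKey, Encode(M))."""
    return dlsp_dsa(priv_key, encode(M, priv_key[1]), k)


def dlssa_dsa_verify(pub_key, M, signature):
    """DLSSA, DSA instance: VP(pubKey, Encode(M), S)."""
    return dlvp_dsa(pub_key, encode(M, pub_key[1]), signature)


def keygen():
    """Key pair generation for the toy domain: x random in [1, q), y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return (P, Q, G, x), (P, Q, G, pow(G, x, P))


if __name__ == "__main__":
    priv, pub = keygen()
    msg = b"payment order 42"
    sig = dlssa_dsa_sign(priv, msg)
    print("signature", sig, "verifies:", dlssa_dsa_verify(pub, msg, sig))
```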
Encoding Methods for Signatures
• DL/EC signatures
– Hash (M)
• IF signatures with appendix
– Pad || HashID || Hash (M)
• IF signatures with message recovery
– ISO9796-1 (M)
Related Scheme Operations
• Domain parameter generation
• Domain parameter validation
• Key pair generation
• Public key validation
• Private key validation
Schemes in P1363
• Key agreement
– three DL/EC generic: DH1, DH2, MQV
• Signature with appendix
– DL/EC generic
– IF generic
• Signature with message recovery
– IF generic
• Encryption
– IF generic
Protocols
• Sequence of operations to be performed
by parties to achieve some security goal
• High-level implementation
– applications, services
• “Real” security
– but depends on implementation
considerations
• (No protocols in P1363)
Types of Protocol
• Key establishment
– key agreement
– key transport
• Entity authentication
• Data origin authentication
• Data confidentiality
Part III:
“Strong” Primes:
A Recurring Technical Debate
What is a “Strong” Prime?
• RSA key pair consists of
– public key (n, e)
– private key (n, d)
– where n = pq, p and q are large primes, and
ed ≡ 1 mod (p-1)(q-1)
• A prime p is strong if p’, the largest
prime factor of p-1, is large
• Are strong primes necessary?
Early ’80s: Yes
• Pollard’s p-1 method (1974) can factor
n in about p’ operations, so p’ should
be large
• Gordon (1984) gives method for
generating RSA keys efficiently with
strong prime factors
– X.509 (1988) also mentions conditions
• Related conditions on p+1, p’-1, etc.
Late ’80s / Early ’90s: No
• Lenstra’s ECM (1987) can factor n in
O(exp((2 ln p ln ln p)^(1/2))) operations, so p
should be large
• … but if p is large and random, then p’
will be large with high probability
• Rivest (unpublished) argues that strong
primes don’t help
– but don’t hurt either
Late ’90s: Maybe
• What about signature repudiation?
– Dishonest user chooses n with weak prime
– Later, disavows signature, claiming that
someone factored n by p-1 method
• ANSI X9.31 (1998) standardizes on
strong primes for banking
– also, generates primes as one-way function
of seed
• Still, are strong primes necessary?
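To make the Part III debate concrete: an added example (not from the talk or any of the standards) running Pollard’s p-1 method against a constructed toy modulus whose one factor is a weak prime, then against two constructed safe primes, plus the kind of key-validation check (largest prime factor of p-1) that X9.31-style policy asks for. The threshold in is_strong_prime is an assumed policy value.

```python
import math

# Constructed toy primes for the demonstration (real keys are hundreds of digits):
WEAK = 211                    # 211 - 1 = 2 * 3 * 5 * 7, completely 7-smooth
STRONG_A, STRONG_B = 2039, 1907   # safe primes: (p-1)/2 = 1019 and 953 are prime


def primes_upto(bound):
    """Sieve of Eratosthenes: all primes l <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i, is_p in enumerate(sieve) if is_p]


def pollard_p_minus_1(n, bound, a=2):
    """Pollard's p-1 method with smoothness bound B = bound.

    Computes a^M mod n for M = product of all prime powers <= B. If some prime
    factor p of n has p-1 entirely B-smooth, then (p-1) | M, a^M = 1 (mod p),
    and gcd(a^M - 1, n) reveals p. Returns the factor found, or None."""
    for l in primes_upto(bound):
        power = l
        while power * l <= bound:   # largest power of l not exceeding B
            power *= l
        a = pow(a, power, n)
    d = math.gcd(a - 1, n)
    return d if 1 < d < n else None


def largest_prime_factor(n):
    """Trial division; adequate for the toy sizes used here."""
    largest, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return max(largest, n) if n > 1 else largest


def is_strong_prime(p, min_factor_bits):
    """Key-validation check: accept p only if p' = largest prime factor of p-1
    has at least min_factor_bits bits (what counts as 'large' is a policy choice)."""
    return largest_prime_factor(p - 1).bit_length() >= min_factor_bits


if __name__ == "__main__":
    # p-1 method succeeds only because 211 - 1 is 7-smooth (bound 10 suffices)
    print("weak modulus, B=10   ->", pollard_p_minus_1(WEAK * STRONG_A, 10))
    # Both factors have a large prime in p-1, so even B=100 finds nothing
    print("strong modulus, B=100 ->", pollard_p_minus_1(STRONG_A * STRONG_B, 100))
    for p in (WEAK, STRONG_A, STRONG_B):
        print(p, "largest factor of p-1:", largest_prime_factor(p - 1),
              "strong:", is_strong_prime(p, 8))
```

The safe-prime modulus still falls to ECM or NFS once the primes are small enough, which is the talk’s point: a large random prime is what matters, and the strong-prime condition mainly answers the repudiation argument.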
Part IV:
Some Research Motivated By
Standards
Standards and Research
• Just as mature research is standardized,
so standards efforts promote additional
research
• Areas of research:
– efficient implementation
– cryptanalysis
– components in the “framework”
Authenticated Encryption Schemes
• Problem:
– Construct authenticated encryption
schemes for DL, EC, IF families with
similar properties to OAEP, but with
variable message length
• Several solutions proposed for P1363a
Model
• C = Encrypt (pubKey, M, P)
• M = Decrypt (privKey, C, P)
– M message
– C ciphertext
– P encoding parameters
• M, C, P arbitrary length
Desired Properties
• One application of underlying primitive
• Plaintext-aware encryption
– no partial information about M
– cannot generate C without M
• hence, cannot modify M
• Binding of P to M
– cannot modify P
• Weaker assumptions
– i.e., not just random oracle model
OAEP for RSA
• As in P1363 (and PKCS #1 v2.0 draft):
• Encrypt (pubKey, M, P):
– EM = Encode (M, P)
– C = EP (pubKey, EM)
• Decrypt (privKey, C, P):
– EM = DP (privKey, C)
– M = Decode (EM, P)
• M, C bounded, P arbitrary length
OAEP Encoding
• Encode (M, P)
– EM = maskedSeed || maskedDB where
• maskedSeed = seed ⊕ G (maskedDB)
• maskedDB = DB ⊕ G (seed)
• DB = H (P) || pad || M
• seed random
• H hash function, G mask generation function
• Decode (C, P): an exercise
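The Encode(M, P) construction above together with the Decode left as an exercise, as an added example (not the PKCS #1 or P1363 text; it follows the slide’s layout and omits PKCS #1’s leading zero byte). H = SHA-256 and G = MGF1 over SHA-256 are assumptions; the length bound on M from the next slide is enforced explicitly.

```python
import hashlib
import hmac
import secrets

HLEN = hashlib.sha256().digest_size   # 32: H = SHA-256 (assumed for this example)


def mgf1(seed, length):
    """G: mask generation function, MGF1 over SHA-256 (counter-mode hashing)."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(M, P, em_len, seed=None):
    """Encode(M, P) -> EM of exactly em_len bytes:
    DB = H(P) || pad || M, maskedDB = DB xor G(seed), maskedSeed = seed xor G(maskedDB)."""
    max_m = em_len - 2 * HLEN - 1            # bound on len(M) for this EM length
    if len(M) > max_m:
        raise ValueError("message too long for this EM length")
    pad = b"\x00" * (max_m - len(M)) + b"\x01"   # 0x01 marks where M begins
    db = hashlib.sha256(P).digest() + pad + M    # len(db) == em_len - HLEN
    seed = secrets.token_bytes(HLEN) if seed is None else seed
    if len(seed) != HLEN:
        raise ValueError("seed must be HLEN bytes")
    masked_db = xor(db, mgf1(seed, len(db)))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return masked_seed + masked_db


def oaep_decode(EM, P, em_len):
    """Decode(EM, P) -> M. All checks are evaluated and one generic error is
    raised, so a caller holding a decryption oracle cannot tell which check
    failed (a plaintext-awareness property the scheme relies on)."""
    if len(EM) != em_len or em_len < 2 * HLEN + 1:
        raise ValueError("decoding error")
    masked_seed, masked_db = EM[:HLEN], EM[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))    # undo G(maskedDB)
    db = xor(masked_db, mgf1(seed, len(masked_db)))   # undo G(seed)
    p_hash, rest = db[:HLEN], db[HLEN:]
    hash_ok = hmac.compare_digest(p_hash, hashlib.sha256(P).digest())  # binds P
    stripped = rest.lstrip(b"\x00")                    # skip the zero padding
    pad_ok = len(stripped) > 0 and stripped[0] == 0x01
    if not (hash_ok and pad_ok):
        raise ValueError("decoding error")
    return stripped[1:]


if __name__ == "__main__":
    em = oaep_encode(b"wire transfer approved", b"ctx:v1", 128)
    print(len(em), oaep_decode(em, b"ctx:v1", 128))
```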
Limitations
• EM must be shorter than RSA modulus,
so length of M is bounded
• Assumes encryption primitive — but
DL/EC only has secret value derivation
primitive
• Relies on random oracle model for G
IF Encryption Ideas
1. Encrypt only part of EM (various)
– removes bound on length of M
– which part?
2. Construct G only partly from random
oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson,
Matyas, Peyravian 1996)
– may reduce assumptions, need for seed
DL/EC Encryption Ideas
• General: Generate shared secret value K
as in key agreement scheme, combine
with M, P
1. Encode M as in OAEP, exclusive-OR
K with part of result (various)
2. Combine with MACs, reduced r.o.
methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions,
mask generation (Zheng 1996)
Some Other Recent Results
• Security of “unified model” of DH key
agreement (Blake-Wilson, Johnson, Menezes
1997)
• RSA key validation (Liskov, Silverman 1997)
• Storage-efficient basis conversion
(Kaliski, Yin 1998)
Conclusions
• Research in cryptology and data
security is leading to standards, and
vice versa
• Several standards efforts for different
sectors, but coordinated
• General model for public-key standards
emerging
• … and some technical debate continues

Más contenido relacionado

Similar a Emerging key-recovery-service

Big Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon GershinskyBig Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon GershinskyGidonGershinsky
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...CAS
 
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017FRSecure
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Ramesh Nagappan
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesThe Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesNRB
 
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLDJack Kessler
 
BPM and SOA Are Going Mobile: An Architectural Perspective
BPM and SOA Are Going Mobile: An Architectural PerspectiveBPM and SOA Are Going Mobile: An Architectural Perspective
BPM and SOA Are Going Mobile: An Architectural PerspectiveGuido Schmutz
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course contentShivamSharma909
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network SecurityKathirvel Ayyaswamy
 
HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran John Mulhall
 
Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky
 Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky
Efficient Spark Analytics on Encrypted Data with Gidon GershinskyDatabricks
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robotsJaime Martin Losa
 

Similar a Emerging key-recovery-service (20)

Big Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon GershinskyBig Data Security in Apache Projects by Gidon Gershinsky
Big Data Security in Apache Projects by Gidon Gershinsky
 
Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...Improved authentication & key agreement protocol using elliptic curve cryptog...
Improved authentication & key agreement protocol using elliptic curve cryptog...
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
Data security using rsa
Data security using rsaData security using rsa
Data security using rsa
 
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emph...
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc DareesThe Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
 
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD
2015 NENA - SECURING 9-1-1 INFRASTRUCTURE IN THE NG9-1-1 WORLD
 
BPM and SOA Are Going Mobile: An Architectural Perspective
BPM and SOA Are Going Mobile: An Architectural PerspectiveBPM and SOA Are Going Mobile: An Architectural Perspective
BPM and SOA Are Going Mobile: An Architectural Perspective
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security18CS2005 Cryptography and Network Security
18CS2005 Cryptography and Network Security
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran HUG_Ireland_Apache_Arrow_Tomer_Shiran
HUG_Ireland_Apache_Arrow_Tomer_Shiran
 
Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky
 Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky
Efficient Spark Analytics on Encrypted Data with Gidon Gershinsky
 
Fiware: Connecting to robots
Fiware: Connecting to robotsFiware: Connecting to robots
Fiware: Connecting to robots
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
I psec
I psecI psec
I psec
 

Más de Bear Stern Lehman Brothers (9)

The big picture films
The big picture filmsThe big picture films
The big picture films
 
Ruthless entertainment
Ruthless entertainmentRuthless entertainment
Ruthless entertainment
 
Eddie norward jr llc
Eddie norward jr llcEddie norward jr llc
Eddie norward jr llc
 
Lifestylez ov da poor&dangerous
Lifestylez ov da poor&dangerousLifestylez ov da poor&dangerous
Lifestylez ov da poor&dangerous
 
Clubglobal
ClubglobalClubglobal
Clubglobal
 
Flambayant entertainment
Flambayant entertainmentFlambayant entertainment
Flambayant entertainment
 
Jerrick Electronics
Jerrick ElectronicsJerrick Electronics
Jerrick Electronics
 
China exim bank
China exim bankChina exim bank
China exim bank
 
Norward nfl football_1995
Norward nfl football_1995Norward nfl football_1995
Norward nfl football_1995
 

Último

Financial Results for the Fiscal Year Ended March 2024
Financial Results for the Fiscal Year Ended March 2024Financial Results for the Fiscal Year Ended March 2024
Financial Results for the Fiscal Year Ended March 2024KDDI
 
Diligence Checklist for Early Stage Startups
Diligence Checklist for Early Stage StartupsDiligence Checklist for Early Stage Startups
Diligence Checklist for Early Stage StartupsTILDEN
 
Teekay Tankers Q1-24 Earnings Presentation
Teekay Tankers Q1-24 Earnings PresentationTeekay Tankers Q1-24 Earnings Presentation
Teekay Tankers Q1-24 Earnings PresentationTeekay Tankers Ltd
 
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024Osisko Gold Royalties Ltd - Corporate Presentation, May 2024
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024Osisko Gold Royalties Ltd
 
Osisko Development - Investor Presentation - May 2024
Osisko Development - Investor Presentation - May 2024Osisko Development - Investor Presentation - May 2024
Osisko Development - Investor Presentation - May 2024Philip Rabenok
 
Teck Supplemental Information, May 2, 2024
Teck Supplemental Information, May 2, 2024Teck Supplemental Information, May 2, 2024
Teck Supplemental Information, May 2, 2024TeckResourcesLtd
 
Terna - 1Q 2024 Consolidated Results Presentation
Terna - 1Q 2024 Consolidated Results PresentationTerna - 1Q 2024 Consolidated Results Presentation
Terna - 1Q 2024 Consolidated Results PresentationTerna SpA
 
Camil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCamil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCAMILRI
 
AMG Quarterly Investor Presentation May 2024
AMG Quarterly Investor Presentation May 2024AMG Quarterly Investor Presentation May 2024
AMG Quarterly Investor Presentation May 2024gstubel
 
Camil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCamil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCAMILRI
 
Corporate Presentation Probe Canaccord Conference 2024.pdf
Corporate Presentation Probe Canaccord Conference 2024.pdfCorporate Presentation Probe Canaccord Conference 2024.pdf
Corporate Presentation Probe Canaccord Conference 2024.pdfProbe Gold
 
The Leonardo 1Q 2024 Results Presentation
The Leonardo 1Q 2024 Results PresentationThe Leonardo 1Q 2024 Results Presentation
The Leonardo 1Q 2024 Results PresentationLeonardo
 
Western Copper and Gold - May 2024 Presentation
Western Copper and Gold - May 2024 PresentationWestern Copper and Gold - May 2024 Presentation
Western Copper and Gold - May 2024 PresentationPaul West-Sells
 
Collective Mining | Corporate Presentation - May 2024
Collective Mining | Corporate Presentation - May 2024Collective Mining | Corporate Presentation - May 2024
Collective Mining | Corporate Presentation - May 2024CollectiveMining1
 
Nicola Mining Inc. Corporate Presentation May 2024
Nicola Mining Inc. Corporate Presentation May 2024Nicola Mining Inc. Corporate Presentation May 2024
Nicola Mining Inc. Corporate Presentation May 2024nicola_mining
 
Teekay Corporation Q1-24 Earnings Results
Teekay Corporation Q1-24 Earnings ResultsTeekay Corporation Q1-24 Earnings Results
Teekay Corporation Q1-24 Earnings ResultsTeekay Corporation
 
countries with the highest gold reserves in 2024
countries with the highest gold reserves in 2024countries with the highest gold reserves in 2024
countries with the highest gold reserves in 2024Kweku Zurek
 

Último (20)

ITAU EQUITY_STRATEGY_WARM_UP_20240505 DHG.pdf
ITAU EQUITY_STRATEGY_WARM_UP_20240505 DHG.pdfITAU EQUITY_STRATEGY_WARM_UP_20240505 DHG.pdf
ITAU EQUITY_STRATEGY_WARM_UP_20240505 DHG.pdf
 
Financial Results for the Fiscal Year Ended March 2024
Financial Results for the Fiscal Year Ended March 2024Financial Results for the Fiscal Year Ended March 2024
Financial Results for the Fiscal Year Ended March 2024
 
Diligence Checklist for Early Stage Startups
Diligence Checklist for Early Stage StartupsDiligence Checklist for Early Stage Startups
Diligence Checklist for Early Stage Startups
 
Teekay Tankers Q1-24 Earnings Presentation
Teekay Tankers Q1-24 Earnings PresentationTeekay Tankers Q1-24 Earnings Presentation
Teekay Tankers Q1-24 Earnings Presentation
 
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024Osisko Gold Royalties Ltd - Corporate Presentation, May 2024
Osisko Gold Royalties Ltd - Corporate Presentation, May 2024
 
Osisko Development - Investor Presentation - May 2024
Osisko Development - Investor Presentation - May 2024Osisko Development - Investor Presentation - May 2024
Osisko Development - Investor Presentation - May 2024
 
Teck Supplemental Information, May 2, 2024
Teck Supplemental Information, May 2, 2024Teck Supplemental Information, May 2, 2024
Teck Supplemental Information, May 2, 2024
 
Terna - 1Q 2024 Consolidated Results Presentation
Terna - 1Q 2024 Consolidated Results PresentationTerna - 1Q 2024 Consolidated Results Presentation
Terna - 1Q 2024 Consolidated Results Presentation
 
Camil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCamil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdf
 
AMG Quarterly Investor Presentation May 2024
AMG Quarterly Investor Presentation May 2024AMG Quarterly Investor Presentation May 2024
AMG Quarterly Investor Presentation May 2024
 
Camil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdfCamil Institutional Presentation_Mai24.pdf
Camil Institutional Presentation_Mai24.pdf
 
Corporate Presentation Probe Canaccord Conference 2024.pdf
Corporate Presentation Probe Canaccord Conference 2024.pdfCorporate Presentation Probe Canaccord Conference 2024.pdf
Corporate Presentation Probe Canaccord Conference 2024.pdf
 
The Leonardo 1Q 2024 Results Presentation
The Leonardo 1Q 2024 Results PresentationThe Leonardo 1Q 2024 Results Presentation
The Leonardo 1Q 2024 Results Presentation
 
Western Copper and Gold - May 2024 Presentation
Western Copper and Gold - May 2024 PresentationWestern Copper and Gold - May 2024 Presentation
Western Copper and Gold - May 2024 Presentation
 
Osisko Gold Royalties Ltd - Q1 2024 Results
Osisko Gold Royalties Ltd - Q1 2024 ResultsOsisko Gold Royalties Ltd - Q1 2024 Results
Osisko Gold Royalties Ltd - Q1 2024 Results
 
Collective Mining | Corporate Presentation - May 2024
Collective Mining | Corporate Presentation - May 2024Collective Mining | Corporate Presentation - May 2024
Collective Mining | Corporate Presentation - May 2024
 
SME IPO Opportunity and Trends of May 2024
SME IPO Opportunity and Trends of May 2024SME IPO Opportunity and Trends of May 2024
SME IPO Opportunity and Trends of May 2024
 
Nicola Mining Inc. Corporate Presentation May 2024
Nicola Mining Inc. Corporate Presentation May 2024Nicola Mining Inc. Corporate Presentation May 2024
Nicola Mining Inc. Corporate Presentation May 2024
 
Teekay Corporation Q1-24 Earnings Results
Teekay Corporation Q1-24 Earnings ResultsTeekay Corporation Q1-24 Earnings Results
Teekay Corporation Q1-24 Earnings Results
 
countries with the highest gold reserves in 2024
countries with the highest gold reserves in 2024countries with the highest gold reserves in 2024
countries with the highest gold reserves in 2024
 

Emerging key-recovery-service

  • 1. © RSA 1998 Why Standards? • Many reasons: – interoperability – stability – assurance • De facto or de jure?
  • 2. RSA Data Security, Inc. Emerging Standards for Public-Key Cryptography SEIKO INSTRUMENTS PAGER PAL
  • 3. © RSA 1998 Introduction • As research matures, it can be made “standard” – ’70s and ’80s research in public-key cryptography leads to standards in ’90s • This talk is a snapshot of some of the standards efforts — and the interesting issues they raise
  • 4. RSA Data Security, Inc. SEIKO INSTRUMENTS PAGER PAL Part I: Survey of Standards Efforts
  • 5. © RSA 1998 Outline I. Survey of Standards Efforts II. A General Model for Public-Key Standards III. Strong Primes: A Recurring Technical Debate IV. Some Research Motivated by Standards
  • 6. © RSA 1998 Some Public-Key Standards Efforts • ANSI X9F1 • IEEE P1363 • ISO/IEC JTC1 SC27 • US NIST
  • 7. © RSA 1998 ANSI X9F1 Efforts • Some ANSI documents (drafts) – X9.30 DSA signatures – X9.31 RSA/RW signatures (rDSA) – X9.42 DH/MQV key agreement – X9.44 RSA key transport – X9.62 elliptic curve signatures – X9.63 EC key agreement / transport – X9.79 prime generation
  • 8. © RSA 1998 ANSI X9F1 • Financial Services / Data and Information Security / Cryptographic Tools • Corporate membership • Quarterly meetings in North America • www.x9.org
  • 9. © RSA 1998 IEEE P1363 • Standard Specifications for Public-Key Cryptography • Sponsored by IEEE Microprocessor Standards Committee • Individual participation • Meetings mostly in North America • grouper.ieee.org/groups/1363
  • 10. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 11. © RSA 1998 IEEE P1363 Coverage • Three types of technique: – key agreement, signature, encryption • From three families: – DL: discrete logarithm – EC: elliptic curve – IF: integer factorization • Also, number theory background, security considerations
  • 12. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 13. © RSA 1998 IEEE P1363a • Standard Specifications for Public-Key Cryptography: Additional Techniques • In preparation • More techniques, probably same families – identification likely to be added
  • 14. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 15. © RSA 1998 ISO/IEC JTC1 SC27 • International Organization for Standardization / International Electrotechnical Commission / Information Technology / IT Security Techniques • National representation, with experts • Meetings throughout the world • www.iso.ch
  • 16. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 17. © RSA 1998 SC27 Efforts • Some ISO/IEC documents – 9796 Signatures with message recovery – 9798 Entity authentication – 11770 Key management – 13888 Nonrepudiation – 14888 Signatures with appendix • Symmetric and public-key techniques
  • 18. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 19. © RSA 1998 U.S. NIST FIPS • National Institute of Standards and Technology – part of U.S. Department of Commerce • Federal Information Processing Standards (FIPS) • Computer Security Act (1987) gives charter for government cryptography standards • www.nist.gov
  • 20. SEIKO INSTRUMENTS PAGER PAL © RSA 1998
  • 21. © RSA 1998 NIST Efforts • Some FIPS: – 186 Digital Signature Standard – 196 Entity Authentication – new Key Exchange / Agreement • Others of interest: – 46-2 Data Encryption Standard – 180-1 Secure Hash Standard – new Advanced Encryption Standard
  • 22. © RSA 1998 Comparing the Efforts • Different goals: – ISO, IEEE: general building blocks – ANSI: US banking requirements – NIST: US government, commercial • Coordination: – IEEE, ANSI technical convergence – NIST will accept ANSI signature standards for government purposes – ISO TC68 adopts ANSI X9F1
  • 23. © RSA 1998 Application Standards of Interest • S/MIME: messaging • SSL / TLS: communications • SET: bank card payments • PKIX: public-key infrastructure
  • 24. © RSA 1998 RSA Laboratories’ PKCS • Public-Key Cryptography Standards • Informal, intervendor effort coordinated by RSA Laboratories • Periodic workshops • www.rsa.com/rsalabs/pubs/PKCS/
  • 25. © RSA 1998 PKCS Efforts • Revisions and new documents: – PKCS #1 RSA Cryptography • v2.0 draft in review, includes Bellare- Rogaway OAEP – PKCS #5 Password-Based Encryption – PKCS #13 Elliptic Curve Cryptography – PKCS #14 Pseudorandom Generation – PKCS #15(?) Smart Card File Formats
  • 26. RSA Data Security, Inc. SEIKO INSTRUMENTS PAGER PAL Part II: A General Model for Public-Key Standards
  • 27. © RSA 1998 A General Model • Framework with abstraction, generally following P1363 • Three levels: – primitives – schemes – protocols • … plus key management
  • 28. © RSA 1998 P1363 Naming Convention • General form: – family type - instance • where – family is DL, EC, IF – type is one of: • SP: Signature Primitive • SSA: Signature Scheme with Appendix • etc. – instance is a particular algorithm, e.g., DSA, DH, RSA
  • 29. © RSA 1998 Primitives • Basic mathematical operations • Low-level implementation – e.g., crypto-accelerator, software module • Computational security – enhanced when combined with additional techniques in a scheme
  • 30. © RSA 1998 Types of Primitive • Secret value derivation – shared secret value from public key(s), party’s private key(s) • Signature and verification • Encryption and decryption
31. Example: DLSP-DSA / DLVP-DSA
• DSA signature / verification primitives
• DLSP-DSA ((p, q, g, x), m):
– r = (g^k mod p) mod q, k random
– s = k^-1 (m + xr) mod q
• DLVP-DSA ((p, q, g, y), m, (r, s)):
– r =? (g^(m/s) y^(r/s) mod p) mod q
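The two primitives on this slide worked through in code, as an added example that is not part of the original talk: DLSP-DSA and DLVP-DSA over constructed toy domain parameters (p, q, g) = (23, 11, 4), where m stands for the message representative (in the DL/ECSSA scheme, the hash of M). The fixed x and k in the demo exist only to make the run reproducible; a real signer draws a fresh random k for every signature.

```python
# Added example (not from the original slides): DSA signature / verification
# primitives over constructed toy parameters. q | p-1 and g = 2^((p-1)/q) mod p
# has order q. These sizes are for hand-checking only, never for real use.
import secrets

P, Q, G = 23, 11, 4   # constructed toy domain parameters


def dlsp_dsa(priv, m, k=None):
    """DLSP-DSA ((p, q, g, x), m) -> (r, s). k MUST be fresh and secret per signature."""
    p, q, g, x = priv
    while True:
        k = k if k is not None else secrets.randbelow(q - 1) + 1   # k in [1, q-1]
        r = pow(g, k, p) % q                      # r = (g^k mod p) mod q
        s = pow(k, -1, q) * (m + x * r) % q       # s = k^-1 (m + x r) mod q
        if r != 0 and s != 0:
            return r, s
        k = None                                  # degenerate k: draw another


def dlvp_dsa(pub, m, sig):
    """DLVP-DSA ((p, q, g, y), m, (r, s)): accept iff r == (g^(m/s) y^(r/s) mod p) mod q."""
    p, q, g, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):             # range check before inverting s
        return False
    w = pow(s, -1, q)                             # 1/s mod q
    v = pow(g, m * w % q, p) * pow(y, r * w % q, p) % p
    return v % q == r


def keygen(p, q, g, x=None):
    """Key pair generation: private x in [1, q-1], public y = g^x mod p."""
    x = x if x is not None else secrets.randbelow(q - 1) + 1
    return (p, q, g, x), (p, q, g, pow(g, x, p))


if __name__ == "__main__":
    priv, pub = keygen(P, Q, G, x=7)              # y = 4^7 mod 23 = 8
    sig = dlsp_dsa(priv, m=5, k=3)                # fixed k only for a reproducible demo
    print(sig, dlvp_dsa(pub, 5, sig), dlvp_dsa(pub, 6, sig))   # (7, 7) True False
```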
32. Primitives in P1363
• Secret Value Derivation:
– DH, MQV in DL, EC families
• Signature / Verification:
– DSA, Nyberg-Rueppel in DL, EC families
– RSA with and w/o absolute value
– Rabin-Williams
• Encryption / Decryption:
– RSA
33. Schemes
• Related operations combining primitives, additional techniques
– a framework with options
• Medium-level implementation
– e.g., cryptographic service library
• Complexity-theoretic security (ideally)
– completed when appropriately applied in a protocol
34. Types of Scheme
• Key agreement
• Signature
– with appendix
– with message recovery
• Encryption
• Identification (in P1363a)
35. Additional Techniques
• Encoding method
– maps between message, data to be processed by primitive
– for signatures, encryption schemes
• Key derivation function
– maps from shared secret value to key
– for key agreement schemes
36. Example: DL/ECSSA
• DL/EC signature scheme
– options: SP / VP / encoding method
• Signature operation (privKey, M):
– S = SP (privKey, Encode (M))
• Verification operation (pubKey, M, S):
– VP (pubKey, Encode (M), S) [DSA]
– Encode (M) =? VP (pubKey, S) [NR]
37. Encoding Methods for Signatures
• DL/EC signatures
– Hash (M)
• IF signatures with appendix
– Pad || HashID || Hash (M)
• IF signatures with message recovery
– ISO9796-1 (M)
38. Related Scheme Operations
• Domain parameter generation
• Domain parameter validation
• Key pair generation
• Public key validation
• Private key validation
39. Schemes in P1363
• Key agreement
– three DL/EC generic: DH1, DH2, MQV
• Signature with appendix
– DL/EC generic
– IF generic
• Signature with message recovery
– IF generic
• Encryption
– IF generic
40. Protocols
• Sequence of operations to be performed by parties to achieve some security goal
• High-level implementation
– applications, services
• “Real” security
– but depends on implementation considerations
• (No protocols in P1363)
41. Types of Protocol
• Key establishment
– key agreement
– key transport
• Entity authentication
• Data origin authentication
• Data confidentiality
42. RSA Data Security, Inc.
Part III: “Strong” Primes: A Recurring Technical Debate
43. What is a “Strong” Prime?
• RSA key pair consists of
– public key (n, e)
– private key (n, d)
– where n = pq, p and q are large primes, and ed ≡ 1 mod (p-1)(q-1)
• A prime p is strong if p’, the largest factor of p-1, is large
• Are strong primes necessary?
44. Early ’80s: Yes
• Pollard’s p-1 method (1974) can factor n in about p’ operations, so p’ should be large
• Gordon (1984) gives method for generating RSA keys efficiently with strong prime factors
– X.509 (1988) also mentions conditions
• Related conditions on p+1, p’-1, etc.
45. Late ’80s / Early ’90s: No
• Lenstra’s ECM (1987) can factor n in O(exp((2 ln p ln ln p)^(1/2))) operations, so p should be large
• … but if p is large and random, then p’ will be large with high probability
• Rivest (unpublished) argues that strong primes don’t help
– but don’t hurt either
46. Late ’90s: Maybe
• What about signature repudiation?
– Dishonest user chooses n with weak prime
– Later, disavows signature, claiming that someone factored n by p-1 method
• ANSI X9.31 (1998) standardizes on strong primes for banking
– also, generates primes as one-way function of seed
• Still, are strong primes necessary?
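The definition on slide 43 and the p-1 argument of slide 44, as an added example that is not part of the original talk: a key-validation check for the strong-prime condition (largest factor p’ of p-1 above a bound) beside the textbook Pollard p-1 step that motivates it, run on constructed toy primes 211 (210 = 2·3·5·7, not strong) and 167, 107 (166 = 2·83, 106 = 2·53, strong for the bound used). The bound of 50 and the toy sizes are arbitrary choices for the demo.

```python
# Added example (not from the original slides): the "strong prime" condition as a
# validation check, plus Pollard's p-1 method (1974) on a constructed toy modulus
# to show what the check guards against. Real RSA primes are hundreds of digits.
import math


def largest_prime_factor(m):
    """p' in the slide's terms: the largest prime dividing m (trial division; toy sizes)."""
    largest, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            largest, m = d, m // d
        d += 1
    return max(largest, m) if m > 1 else largest


def is_strong_prime(p, bound):
    """Strong in the slide's sense: the largest factor p' of p-1 is at least `bound`."""
    return largest_prime_factor(p - 1) >= bound


def pollard_p_minus_1(n, bound):
    """Compute a = 2^(bound!) mod n; if p-1 divides bound! for some prime p | n,
    then a == 1 (mod p) and gcd(a-1, n) exposes p. Returns a factor or None."""
    a = 2
    for j in range(2, bound + 1):
        a = pow(a, j, n)
        g = math.gcd(a - 1, n)
        if 1 < g < n:
            return g
    return None                         # no factor p with (p-1) smooth up to `bound`


if __name__ == "__main__":
    weak, strong = 211, 167             # constructed: 210 is 7-smooth, 166 = 2 * 83 is not
    print(is_strong_prime(weak, 50), is_strong_prime(strong, 50))    # False True
    print(pollard_p_minus_1(weak * strong, 7))                         # 211: weak factor found
    print(pollard_p_minus_1(167 * 107, 7))                             # None: both factors strong
```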
47. RSA Data Security, Inc.
Part IV: Some Research Motivated By Standards
48. Standards and Research
• Just as mature research is standardized, so standards efforts promote additional research
• Areas of research:
– efficient implementation
– cryptanalysis
– components in the “framework”
49. Authenticated Encryption Schemes
• Problem:
– Construct authenticated encryption schemes for DL, EC, IF families with similar properties to OAEP, but with variable message length
• Several solutions proposed for P1363a
50. Model
• C = Encrypt (pubKey, M, P)
• M = Decrypt (privKey, C, P)
– M message
– C ciphertext
– P encoding parameters
• M, C, P arbitrary length
51. Desired Properties
• One application of underlying primitive
• Plaintext-aware encryption
– no partial information about M
– cannot generate C without M
  • hence, cannot modify M
• Binding of P to M
– cannot modify P
• Weaker assumptions
– i.e., not just random oracle model
52. OAEP for RSA
• As in P1363 (and PKCS #1 v2.0 draft):
• Encrypt (pubKey, M, P):
– EM = Encode (M, P)
– C = EP (pubKey, EM)
• Decrypt (privKey, C, P):
– EM = DP (privKey, C)
– M = Decode (EM, P)
• M, C bounded, P arbitrary length
53. OAEP Encoding
• Encode (M, P)
– EM = maskedSeed || maskedDB where
  • maskedSeed = seed ⊕ G (maskedDB)
  • maskedDB = DB ⊕ G (seed)
  • DB = H (P) || pad || M
  • seed random
  • H hash function, G mask generation function
• Decode (C, P): an exercise
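The encoding on this slide with the "exercise" Decode worked out, as an added example that is not part of the original talk. It assumes the PKCS #1 v2.0 choices that the slide leaves open: H = SHA-1, G = MGF1 over SHA-1, and pad = zero octets followed by 0x01; em_len is the byte length allowed for EM (one less than the modulus length in PKCS #1 v2.0).

```python
# Added example (not from the original slides): OAEP Encode and Decode as on the
# slide, with H = SHA-1 and G = MGF1 (PKCS #1 v2.0 choices, assumed here).
import hashlib
import secrets

HLEN = hashlib.sha1().digest_size           # 20 bytes


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mgf1(seed, length):
    """G(seed): H(seed || 0) || H(seed || 1) || ..., counter as 4 big-endian bytes, cut to length."""
    out = b""
    for counter in range((length + HLEN - 1) // HLEN):
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def oaep_encode(m, p, em_len, seed=None):
    """EM = maskedSeed || maskedDB, DB = H(P) || 00..00 || 01 || M."""
    if len(m) > em_len - 2 * HLEN - 1:           # the length bound the next slide calls a limitation
        raise ValueError("message too long")
    seed = seed if seed is not None else secrets.token_bytes(HLEN)   # seed random
    db = hashlib.sha1(p).digest() + b"\x00" * (em_len - len(m) - 2 * HLEN - 1) + b"\x01" + m
    masked_db = xor(db, mgf1(seed, em_len - HLEN))        # maskedDB = DB xor G(seed)
    masked_seed = xor(seed, mgf1(masked_db, HLEN))        # maskedSeed = seed xor G(maskedDB)
    return masked_seed + masked_db


def oaep_decode(em, p):
    """Invert Encode: unmask the seed, then DB; reject unless H(P), padding and 0x01 all check."""
    masked_seed, masked_db = em[:HLEN], em[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))        # seed = maskedSeed xor G(maskedDB)
    db = xor(masked_db, mgf1(seed, len(masked_db)))       # DB = maskedDB xor G(seed)
    lhash, rest = db[:HLEN], db[HLEN:]
    sep = rest.find(b"\x01")                              # first 0x01; bytes before it must be zero
    ok = lhash == hashlib.sha1(p).digest() and sep >= 0 and not any(rest[:sep])
    if not ok:
        raise ValueError("decoding error")               # one error for every failure mode
    return rest[sep + 1:]


if __name__ == "__main__":
    em = oaep_encode(b"constructed message", b"constructed P", 128)
    print(len(em), oaep_decode(em, b"constructed P"))    # 128 b'constructed message'
```

A wrong P fails in Decode because H(P) no longer matches the recovered DB prefix; that is the binding of P to M listed among the desired properties.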
54. Limitations
• EM must be shorter than RSA modulus, so length of M is bounded
• Assumes encryption primitive — but DL/EC only has secret value derivation primitive
• Relies on random oracle model for G
55. IF Encryption Ideas
1. Encrypt only part of EM (various)
– removes bound on length of M
– which part?
2. Construct G only partly from random oracle (Bellare, Rogaway 1996)
3. Add more “rounds” to OAEP (Johnson, Matyas, Peyravian 1996)
– may reduce assumptions, need for seed
56. DL/EC Encryption Ideas
• General: Generate shared secret value K as in key agreement scheme, combine with M, P
1. Encode M as in OAEP, exclusive-OR K with part of result (various)
2. Combine with MACs, reduced r.o. methods (Bellare, Rogaway 1996)
3. Combine with universal hash functions, mask generation (Zheng 1996)
57. Some Other Recent Results
• Security of “unified model” of DH key agreement (Blake-Wilson, Johnson, Menezes 1997)
• RSA key validation (Liskov, Silverman 1997)
• Storage-efficient basis conversion (Kaliski, Yin 1998)
58. Conclusions
• Research in cryptology and data security is leading to standards, and vice versa
• Several standards efforts for different sectors, but coordinated
• General model for public-key standards emerging
• … and some technical debate continues