Practical Cryptography

Table of Contents

Preface
How to Read this Book
1 Our Design Philosophy
1.1 The Evils of Performance
1.2 The Evils of Features
2 The Context of Cryptography
2.1 The Role of Cryptography
2.2 The Weakest Link Property
2.3 The Adversarial Setting
2.4 Practical Paranoia
2.4.1 Attack
2.5 Threat Model
2.6 Cryptography Is Not the Solution
2.7 Cryptography Is Very Difficult
2.8 Cryptography Is the Easy Part
2.9 Background Reading
3 Introduction to Cryptography
3.1 Encryption
3.1.1 Kerckhoffs' Principle
3.2 Authentication
3.3 Public-Key Encryption
3.4 Digital Signatures
3.5 PKI
3.6 Attacks
3.6.1 Ciphertext-Only
3.6.2 Known Plaintext
3.6.3 Chosen Plaintext
3.6.4 Chosen Ciphertext
3.6.5 Distinguishing Attacks
3.6.6 Birthday
3.6.7 Meet in the Middle
3.6.8 Other Types of Attack
3.7 Security Level
3.8 Performance
3.9 Complexity
I Message Security
4 Block Ciphers
4.1 What Is a Block Cipher?
4.2 Types of Attack
4.3 The Ideal Block Cipher
4.4 Definition of Block Cipher Security
4.4.1 Parity of a Permutation
4.5 Real Block Ciphers
4.5.1 DES
4.5.2 AES
4.5.3 Serpent
4.5.4 Twofish
4.5.5 Other AES Finalists
4.5.6 Equation-Solving Attacks
4.5.7 Which Block Cipher Should I Choose?
4.5.8 What Key Size Should I Use?
5 Block Cipher Modes
5.1 Padding
5.2 ECB
5.3 CBC
5.3.1 Fixed IV
5.3.2 Counter IV
5.3.3 Random IV
5.3.4 Nonce-Generated IV
5.4 OFB
5.5 CTR
5.6 Newer Modes
5.7 Which Mode Should I Use?
5.8 Information Leakage
5.8.1 Chances of a Collision
5.8.2 How to Deal With Leakage
5.8.3 About Our Math
6 Hash Functions
6.1 Security of Hash Functions
6.2 Real Hash Functions
6.2.1 MD5
6.2.2 SHA-1
6.2.3 SHA-256, SHA-384, and SHA-512
6.3 Weaknesses of Hash Functions
6.3.1 Length Extensions
6.3.2 Partial-Message Collision
6.4 Fixing the Weaknesses
6.4.1 A Thorough Fix
6.4.2 A More Efficient Fix
6.5 Which Hash Function Should I Choose?
6.6 Future Work
7 Message Authentication Codes
7.1 What a MAC Does
7.2 The Ideal MAC
7.3 MAC Security
7.4 CBC-MAC
7.5 HMAC
7.5.1 HMAC versus SHAd
7.6 UMAC
7.6.1 Size of MAC
7.6.2 Which UMAC?
7.6.3 Platform Flexibility
7.6.4 Amount of Analysis
7.6.5 Why Mention UMAC at All?
7.7 Which MAC to Choose?
7.8 Using a MAC
8 The Secure Channel
8.1 Problem Statement
8.1.1 Roles
8.1.2 Key
8.1.3 Messages or Stream
8.1.4 Security Properties
8.2 Order of Authentication and Encryption
8.3 Outline
8.3.1 Message Numbers
8.3.2 Authentication
8.3.3 Encryption
8.3.4 Frame Format
8.4 Details
8.4.1 Initialization
8.4.2 Sending a Message
8.4.3 Receiving a Message
8.4.4 Message Order
8.5 Alternatives
8.6 Conclusion
9 Implementation Issues (I)
9.1 Creating Correct Programs
9.1.1 Specifications
9.1.2 Test and Fix
9.1.3 Lax Attitude
9.1.4 So How Do We Proceed?
9.2 Creating Secure Software
9.3 Keeping Secrets
9.3.1 Wiping State
9.3.2 Swap File
9.3.3 Caches
9.3.4 Data Retention by Memory
9.3.5 Access by Others
9.3.6 Data Integrity
9.3.7 What to Do
9.4 Quality of Code
9.4.1 Simplicity
9.4.2 Modularization
9.4.3 Assertions
9.4.4 Buffer Overflows
9.4.5 Testing
9.5 Side-Channel Attacks
9.6 Conclusion
II Key Negotiation
10 Generating Randomness
10.1 Real Random
10.1.1 Problems With Using Real Random Data
10.1.2 Pseudorandom Data
10.1.3 Real Random Data and PRNGs
10.2 Attack Models for a PRNG
10.3 Fortuna
10.4 The Generator
10.4.1 Initialization
10.4.2 Reseed
10.4.3 Generate Blocks
10.4.4 Generate Random Data
10.4.5 Generator Speed
10.5 Accumulator
10.5.1 Entropy Sources
10.5.2 Pools
10.5.3 Implementation Considerations
Distribution of Events Over Pools
Running Time of Event Passing
10.5.4 Initialization
10.5.5 Getting Random Data
10.5.6 Add an Event
10.6 Seed File Management
10.6.1 Write Seed File
10.6.2 Update Seed File
10.6.3 When to Read and Write the Seed File
10.6.4 Backups
10.6.5 Atomicity of File System Updates
10.6.6 First Boot
10.7 So What Should I Do?
10.8 Choosing Random Elements
11 Primes
11.1 Divisibility and Primes
11.2 Generating Small Primes
11.3 Computations Modulo a Prime
11.3.1 Addition and Subtraction
11.3.2 Multiplication
11.3.3 Groups and Finite Fields
11.3.4 The GCD Algorithm
11.3.5 The Extended Euclidean Algorithm
11.3.6 Working Modulo 2
11.4 Large Primes
11.4.1 Primality Testing
11.4.2 Evaluating Powers
12 Diffie-Hellman
12.1 Groups
12.2 Basic DH
12.3 Man in the Middle
12.4 Pitfalls
12.5 Safe Primes
12.6 Using a Smaller Subgroup
12.7 The Size of p
12.8 Practical Rules
12.9 What Could Go Wrong
13 RSA
13.1 Introduction
13.2 The Chinese Remainder Theorem
13.2.1 Garner's Formula
13.2.2 Generalizations
13.2.3 Uses
13.2.4 Conclusion
13.3 Multiplication Modulo n
13.4 RSA Defined
13.4.1 Digital Signatures with RSA
13.4.2 Public Exponents
13.4.3 The Private Key
13.4.4 The Size of n
13.4.5 Generating RSA Keys
13.5 Pitfalls Using RSA
13.6 Encryption
13.7 Signatures
14 Introduction to Cryptographic Protocols
14.1 Roles
14.2 Trust
14.2.1 Risk
14.3 Incentive
14.4 Trust in Cryptographic Protocols
14.5 Messages and Steps
14.5.1 The Transport Layer
14.5.2 Protocol and Message Identity
14.5.3 Message Encoding and Parsing
14.5.4 Protocol Execution States
14.5.5 Errors
14.5.6 Replay and Retries
15 Key Negotiation Protocol
15.1 The Setting
15.2 A First Try
15.3 Protocols Live Forever
15.4 An Authentication Convention
15.5 A Second Attempt
15.6 A Third Attempt
15.7 Our Final Protocol
15.8 Different Views of the Protocol
15.8.1 Alice's View
15.8.2 Bob's View
15.8.3 Attacker's View
15.8.4 Key Compromise
15.9 Computational Complexity of the Protocol
15.9.1 Optimization Tricks
15.10 Protocol Complexity
15.11 A Gentle Warning
15.12 Key Negotiation from a Password
16 Implementation Issues (II)
16.1 Large Integer Arithmetic
16.1.1 Wooping
16.1.2 Checking DH Computations
16.1.3 Checking RSA Encryption
16.1.4 Checking RSA Signatures
16.1.5 Conclusion
16.2 Faster Multiplication
16.3 Side-Channel Attacks
16.3.1 Countermeasures
16.4 Protocols
16.4.1 Protocols Over a Secure Channel
16.4.2 Receiving a Message
16.4.3 Timeouts
III Key Management
17 The Clock
17.1 Uses for a Clock
17.1.1 Expiration
17.1.2 Unique Value
17.1.3 Monotonicity
17.1.4 Real-Time Transactions
17.2 Using the Real-Time Clock Chip
17.3 Security Dangers
17.3.1 Setting the Clock Back
17.3.2 Stopping the Clock
17.3.3 Setting the Clock Forward
17.4 Creating a Reliable Clock
17.5 The Same-State Problem
17.6 Time
17.7 Conclusion
18 Key Servers
18.1 Basics
18.2 Kerberos
18.3 Simpler Solutions
18.3.1 Secure Connection
18.3.2 Setting Up a Key
18.3.3 Rekeying
18.3.4 Other Properties
18.4 What to Choose
19 The Dream of PKI
19.1 A Very Short PKI Overview
19.2 PKI Examples
19.2.1 The Universal PKI
19.2.2 VPN Access
19.2.3 Electronic Banking
19.2.4 Refinery Sensors
19.2.5 Credit Card Organization
19.3 Additional Details
19.3.1 Multilevel Certificates
19.3.2 Expiration
19.3.3 Separate Registration Authority
19.4 Conclusion
20 PKI Reality
20.1 Names
20.2 Authority
20.3 Trust
20.4 Indirect Authorization
20.5 Direct Authorization
20.6 Credential Systems
20.7 The Modified Dream
20.8 Revocation
20.8.1 Revocation List
20.8.2 Fast Expiration
20.8.3 Revocation Is Required
20.9 So What Is a PKI Good For?
20.10 What to Choose
21 PKI Practicalities
21.1 Certificate Format
21.1.1 Permission Language
21.1.2 The Root Key
21.2 The Life of a Key
21.3 Why Keys Wear Out
21.4 So What Should You Do?
22 Storing Secrets
22.1 Disk
22.2 Human Memory
22.2.1 Salting and Stretching
22.3 Portable Storage
22.4 Secure Token
22.5 Secure UI
22.6 Biometrics
22.7 Single Sign-On
22.8 Risk of Loss
22.9 Secret Sharing
22.10 Wiping Secrets
22.10.1 Paper
22.10.2 Magnetic Storage
22.10.3 Solid-State Storage
IV Miscellaneous
23 Standards
23.1 The Standards Process
23.1.1 The Standard
23.1.2 Functionality
23.1.3 Security
23.2 SSL
23.3 AES: Standardization by Competition
24 Patents
24.1 Prior Art
24.2 Continuations
24.3 Vagueness
24.4 Reading Patents
24.5 Licensing
24.6 Defensive Patents
24.7 Fixing the Patent System
24.8 Disclaimer
25 Involving Experts
Acknowledgments
Bibliography
Index

up to Practical Cryptography

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..