Table of Contents
- Preface
- How to Read this Book
- 1 Our Design Philosophy
- 1.1 The Evils of Performance
- 1.2 The Evils of Features
- 2 The Context of Cryptography
- 2.1 The Role of Cryptography
- 2.2 The Weakest Link Property
- 2.3 The Adversarial Setting
- 2.4 Practical Paranoia
- 2.4.1 Attack
- 2.5 Threat Model
- 2.6 Cryptography Is Not the Solution
- 2.7 Cryptography Is Very Difficult
- 2.8 Cryptography Is the Easy Part
- 2.9 Background Reading
- 3 Introduction to Cryptography
- 3.1 Encryption
- 3.1.1 Kerckhoffs’ Principle
- 3.2 Authentication
- 3.3 Public-Key Encryption
- 3.4 Digital Signatures
- 3.5 PKI
- 3.6 Attacks
- 3.6.1 Ciphertext-Only
- 3.6.2 Known Plaintext
- 3.6.3 Chosen Plaintext
- 3.6.4 Chosen Ciphertext
- 3.6.5 Distinguishing Attacks
- 3.6.6 Birthday
- 3.6.7 Meet in the Middle
- 3.6.8 Other Types of Attack
- 3.7 Security Level
- 3.8 Performance
- 3.9 Complexity
I Message Security
- 4 Block Ciphers
- 4.1 What Is a Block Cipher?
- 4.2 Types of Attack
- 4.3 The Ideal Block Cipher
- 4.4 Definition of Block Cipher Security
- 4.4.1 Parity of a Permutation
- 4.5 Real Block Ciphers
- 4.5.1 DES
- 4.5.2 AES
- 4.5.3 Serpent
- 4.5.4 Twofish
- 4.5.5 Other AES Finalists
- 4.5.6 Equation-Solving Attacks
- 4.5.7 Which Block Cipher Should I Choose?
- 4.5.8 What Key Size Should I Use?
- 5 Block Cipher Modes
- 5.1 Padding
- 5.2 ECB
- 5.3 CBC
- 5.3.1 Fixed IV
- 5.3.2 Counter IV
- 5.3.3 Random IV
- 5.3.4 Nonce-Generated IV
- 5.4 OFB
- 5.5 CTR
- 5.6 Newer Modes
- 5.7 Which Mode Should I Use?
- 5.8 Information Leakage
- 5.8.1 Chances of a Collision
- 5.8.2 How to Deal With Leakage
- 5.8.3 About Our Math
- 6 Hash Functions
- 6.1 Security of Hash Functions
- 6.2 Real Hash Functions
- 6.2.1 MD5
- 6.2.2 SHA-1
- 6.2.3 SHA-256, SHA-384, and SHA-512
- 6.3 Weaknesses of Hash Functions
- 6.3.1 Length Extensions
- 6.3.2 Partial-Message Collision
- 6.4 Fixing the Weaknesses
- 6.4.1 A Thorough Fix
- 6.4.2 A More Efficient Fix
- 6.5 Which Hash Function Should I Choose?
- 6.6 Future Work
- 7 Message Authentication Codes
- 7.1 What a MAC Does
- 7.2 The Ideal MAC
- 7.3 MAC Security
- 7.4 CBC-MAC
- 7.5 HMAC
- 7.5.1 HMAC versus SHAd
- 7.6 UMAC
- 7.6.1 Size of MAC
- 7.6.2 Which UMAC?
- 7.6.3 Platform Flexibility
- 7.6.4 Amount of Analysis
- 7.6.5 Why Mention UMAC at All?
- 7.7 Which MAC to Choose?
- 7.8 Using a MAC
- 8 The Secure Channel
- 8.1 Problem Statement
- 8.1.1 Roles
- 8.1.2 Key
- 8.1.3 Messages or Stream
- 8.1.4 Security Properties
- 8.2 Order of Authentication and Encryption
- 8.3 Outline
- 8.3.1 Message Numbers
- 8.3.2 Authentication
- 8.3.3 Encryption
- 8.3.4 Frame Format
- 8.4 Details
- 8.4.1 Initialization
- 8.4.2 Sending a Message
- 8.4.3 Receiving a Message
- 8.4.4 Message Order
- 8.5 Alternatives
- 8.6 Conclusion
- 9 Implementation Issues (I)
- 9.1 Creating Correct Programs
- 9.1.1 Specifications
- 9.1.2 Test and Fix
- 9.1.3 Lax Attitude
- 9.1.4 So How Do We Proceed?
- 9.2 Creating Secure Software
- 9.3 Keeping Secrets
- 9.3.1 Wiping State
- 9.3.2 Swap File
- 9.3.3 Caches
- 9.3.4 Data Retention by Memory
- 9.3.5 Access by Others
- 9.3.6 Data Integrity
- 9.3.7 What to Do
- 9.4 Quality of Code
- 9.4.1 Simplicity
- 9.4.2 Modularization
- 9.4.3 Assertions
- 9.4.4 Buffer Overflows
- 9.4.5 Testing
- 9.5 Side-Channel Attacks
- 9.6 Conclusion
II Key Negotiation
- 10 Generating Randomness
- 10.1 Real Random
- 10.1.1 Problems With Using Real Random Data
- 10.1.2 Pseudorandom Data
- 10.1.3 Real Random Data and PRNGs
- 10.2 Attack Models for a PRNG
- 10.3 Fortuna
- 10.4 The Generator
- 10.4.1 Initialization
- 10.4.2 Reseed
- 10.4.3 Generate Blocks
- 10.4.4 Generate Random Data
- 10.4.5 Generator Speed
- 10.5 Accumulator
- 10.5.1 Entropy Sources
- 10.5.2 Pools
- 10.5.3 Implementation Considerations
- Distribution of Events Over Pools
- Running Time of Event Passing
- 10.5.4 Initialization
- 10.5.5 Getting Random Data
- 10.5.6 Add an Event
- 10.6 Seed File Management
- 10.6.1 Write Seed File
- 10.6.2 Update Seed File
- 10.6.3 When to Read and Write the Seed File
- 10.6.4 Backups
- 10.6.5 Atomicity of File System Updates
- 10.6.6 First Boot
- 10.7 So What Should I Do?
- 10.8 Choosing Random Elements
- 11 Primes
- 11.1 Divisibility and Primes
- 11.2 Generating Small Primes
- 11.3 Computations Modulo a Prime
- 11.3.1 Addition and Subtraction
- 11.3.2 Multiplication
- 11.3.3 Groups and Finite Fields
- 11.3.4 The GCD Algorithm
- 11.3.5 The Extended Euclidean Algorithm
- 11.3.6 Working Modulo 2
- 11.4 Large Primes
- 11.4.1 Primality Testing
- 11.4.2 Evaluating Powers
- 12 Diffie-Hellman
- 12.1 Groups
- 12.2 Basic DH
- 12.3 Man in the Middle
- 12.4 Pitfalls
- 12.5 Safe Primes
- 12.6 Using a Smaller Subgroup
- 12.7 The Size of p
- 12.8 Practical Rules
- 12.9 What Could Go Wrong
- 13 RSA
- 13.1 Introduction
- 13.2 The Chinese Remainder Theorem
- 13.2.1 Garner’s Formula
- 13.2.2 Generalizations
- 13.2.3 Uses
- 13.2.4 Conclusion
- 13.3 Multiplication Modulo n
- 13.4 RSA Defined
- 13.4.1 Digital Signatures with RSA
- 13.4.2 Public Exponents
- 13.4.3 The Private Key
- 13.4.4 The Size of n
- 13.4.5 Generating RSA Keys
- 13.5 Pitfalls Using RSA
- 13.6 Encryption
- 13.7 Signatures
- 14 Introduction to Cryptographic Protocols
- 14.1 Roles
- 14.2 Trust
- 14.2.1 Risk
- 14.3 Incentive
- 14.4 Trust in Cryptographic Protocols
- 14.5 Messages and Steps
- 14.5.1 The Transport Layer
- 14.5.2 Protocol and Message Identity
- 14.5.3 Message Encoding and Parsing
- 14.5.4 Protocol Execution States
- 14.5.5 Errors
- 14.5.6 Replay and Retries
- 15 Key Negotiation Protocol
- 15.1 The Setting
- 15.2 A First Try
- 15.3 Protocols Live Forever
- 15.4 An Authentication Convention
- 15.5 A Second Attempt
- 15.6 A Third Attempt
- 15.7 Our Final Protocol
- 15.8 Different Views of the Protocol
- 15.8.1 Alice’s View
- 15.8.2 Bob’s View
- 15.8.3 Attacker’s View
- 15.8.4 Key Compromise
- 15.9 Computational Complexity of the Protocol
- 15.9.1 Optimization Tricks
- 15.10 Protocol Complexity
- 15.11 A Gentle Warning
- 15.12 Key Negotiation from a Password
- 16 Implementation Issues (II)
- 16.1 Large Integer Arithmetic
- 16.1.1 Wooping
- 16.1.2 Checking DH Computations
- 16.1.3 Checking RSA Encryption
- 16.1.4 Checking RSA Signatures
- 16.1.5 Conclusion
- 16.2 Faster Multiplication
- 16.3 Side-Channel Attacks
- 16.3.1 Countermeasures
- 16.4 Protocols
- 16.4.1 Protocols Over a Secure Channel
- 16.4.2 Receiving a Message
- 16.4.3 Timeouts
III Key Management
- 17 The Clock
- 17.1 Uses for a Clock
- 17.1.1 Expiration
- 17.1.2 Unique Value
- 17.1.3 Monotonicity
- 17.1.4 Real-Time Transactions
- 17.2 Using the Real-Time Clock Chip
- 17.3 Security Dangers
- 17.3.1 Setting the Clock Back
- 17.3.2 Stopping the Clock
- 17.3.3 Setting the Clock Forward
- 17.4 Creating a Reliable Clock
- 17.5 The Same-State Problem
- 17.6 Time
- 17.7 Conclusion
- 18 Key Servers
- 18.1 Basics
- 18.2 Kerberos
- 18.3 Simpler Solutions
- 18.3.1 Secure Connection
- 18.3.2 Setting Up a Key
- 18.3.3 Rekeying
- 18.3.4 Other Properties
- 18.4 What to Choose
- 19 The Dream of PKI
- 19.1 A Very Short PKI Overview
- 19.2 PKI Examples
- 19.2.1 The Universal PKI
- 19.2.2 VPN Access
- 19.2.3 Electronic Banking
- 19.2.4 Refinery Sensors
- 19.2.5 Credit Card Organization
- 19.3 Additional Details
- 19.3.1 Multilevel Certificates
- 19.3.2 Expiration
- 19.3.3 Separate Registration Authority
- 19.4 Conclusion
- 20 PKI Reality
- 20.1 Names
- 20.2 Authority
- 20.3 Trust
- 20.4 Indirect Authorization
- 20.5 Direct Authorization
- 20.6 Credential Systems
- 20.7 The Modified Dream
- 20.8 Revocation
- 20.8.1 Revocation List
- 20.8.2 Fast Expiration
- 20.8.3 Revocation Is Required
- 20.9 So What Is a PKI Good For?
- 20.10 What to Choose
- 21 PKI Practicalities
- 21.1 Certificate Format
- 21.1.1 Permission Language
- 21.1.2 The Root Key
- 21.2 The Life of a Key
- 21.3 Why Keys Wear Out
- 21.4 So What Should You Do?
- 22 Storing Secrets
- 22.1 Disk
- 22.2 Human Memory
- 22.2.1 Salting and Stretching
- 22.3 Portable Storage
- 22.4 Secure Token
- 22.5 Secure UI
- 22.6 Biometrics
- 22.7 Single Sign-On
- 22.8 Risk of Loss
- 22.9 Secret Sharing
- 22.10 Wiping Secrets
- 22.10.1 Paper
- 22.10.2 Magnetic Storage
- 22.10.3 Solid-State Storage
IV Miscellaneous
- 23 Standards
- 23.1 The Standards Process
- 23.1.1 The Standard
- 23.1.2 Functionality
- 23.1.3 Security
- 23.2 SSL
- 23.3 AES: Standardization by Competition
- 24 Patents
- 24.1 Prior Art
- 24.2 Continuations
- 24.3 Vagueness
- 24.4 Reading Patents
- 24.5 Licensing
- 24.6 Defensive Patents
- 24.7 Fixing the Patent System
- 24.8 Disclaimer
- 25 Involving Experts
- Acknowledgments
- Bibliography
- Index
up to Practical Cryptography
Sidebar photo of Bruce Schneier by Joe MacInnis.