book cover

2003
John Wiley & Sons
432 Pages

Hardcover
ISBN 047122894X

Paperback
ISBN 0471223573

Table of Contents

  • Preface
    • How to Read this Book
  • 1 Our Design Philosophy
    • 1.1 The Evils of Performance
    • 1.2 The Evils of Features
  • 2 The Context of Cryptography
    • 2.1 The Role of Cryptography
    • 2.2 The Weakest Link Property
    • 2.3 The Adversarial Setting
    • 2.4 Practical Paranoia
      • 2.4.1 Attack
    • 2.5 Threat Model
    • 2.6 Cryptography Is Not the Solution
    • 2.7 Cryptography Is Very Difficult
    • 2.8 Cryptography Is the Easy Part
    • 2.9 Background Reading
  • 3 Introduction to Cryptography
    • 3.1 Encryption
      • 3.1.1 Kerckhoffs' Principle
    • 3.2 Authentication
    • 3.3 Public-Key Encryption
    • 3.4 Digital Signatures
    • 3.5 PKI
    • 3.6 Attacks
      • 3.6.1 Ciphertext-Only
      • 3.6.2 Known Plaintext
      • 3.6.3 Chosen Plaintext
      • 3.6.4 Chosen Ciphertext
      • 3.6.5 Distinguishing Attacks
      • 3.6.6 Birthday
      • 3.6.7 Meet in the Middle
      • 3.6.8 Other Types of Attack
    • 3.7 Security Level
    • 3.8 Performance
    • 3.9 Complexity

I Message Security

  • 4 Block Ciphers
    • 4.1 What Is a Block Cipher?
    • 4.2 Types of Attack
    • 4.3 The Ideal Block Cipher
    • 4.4 Definition of Block Cipher Security
      • 4.4.1 Parity of a Permutation
    • 4.5 Real Block Ciphers
      • 4.5.1 DES
      • 4.5.2 AES
      • 4.5.3 Serpent
      • 4.5.4 Twofish
      • 4.5.5 Other AES Finalists
      • 4.5.6 Equation-Solving Attacks
      • 4.5.7 Which Block Cipher Should I Choose?
      • 4.5.8 What Key Size Should I Use?
  • 5 Block Cipher Modes
    • 5.1 Padding
    • 5.2 ECB
    • 5.3 CBC
      • 5.3.1 Fixed IV
      • 5.3.2 Counter IV
      • 5.3.3 Random IV
      • 5.3.4 Nonce-Generated IV
    • 5.4 OFB
    • 5.5 CTR
    • 5.6 Newer Modes
    • 5.7 Which Mode Should I Use?
    • 5.8 Information Leakage
      • 5.8.1 Chances of a Collision
      • 5.8.2 How to Deal With Leakage
      • 5.8.3 About Our Math
  • 6 Hash Functions
    • 6.1 Security of Hash Functions
    • 6.2 Real Hash Functions
      • 6.2.1 MD5
      • 6.2.2 SHA-1
      • 6.2.3 SHA-256, SHA-384, and SHA-512
    • 6.3 Weaknesses of Hash Functions
      • 6.3.1 Length Extensions
      • 6.3.2 Partial-Message Collision
    • 6.4 Fixing the Weaknesses
      • 6.4.1 A Thorough Fix
      • 6.4.2 A More Efficient Fix
    • 6.5 Which Hash Function Should I Choose?
    • 6.6 Future Work
  • 7 Message Authentication Codes
    • 7.1 What a MAC Does
    • 7.2 The Ideal MAC
    • 7.3 MAC Security
    • 7.4 CBC-MAC
    • 7.5 HMAC
      • 7.5.1 HMAC versus SHAd
    • 7.6 UMAC
      • 7.6.1 Size of MAC
      • 7.6.2 Which UMAC?
      • 7.6.3 Platform Flexibility
      • 7.6.4 Amount of Analysis
      • 7.6.5 Why Mention UMAC at All?
    • 7.7 Which MAC to Choose?
    • 7.8 Using a MAC
  • 8 The Secure Channel
    • 8.1 Problem Statement
      • 8.1.1 Roles
      • 8.1.2 Key
      • 8.1.3 Messages or Stream
      • 8.1.4 Security Properties
    • 8.2 Order of Authentication and Encryption
    • 8.3 Outline
      • 8.3.1 Message Numbers
      • 8.3.2 Authentication
      • 8.3.3 Encryption
      • 8.3.4 Frame Format
    • 8.4 Details
      • 8.4.1 Initialization
      • 8.4.2 Sending a Message
      • 8.4.3 Receiving a Message
      • 8.4.4 Message Order
    • 8.5 Alternatives
    • 8.6 Conclusion
  • 9 Implementation Issues (I)
    • 9.1 Creating Correct Programs
      • 9.1.1 Specifications
      • 9.1.2 Test and Fix
      • 9.1.3 Lax Attitude
      • 9.1.4 So How Do We Proceed?
    • 9.2 Creating Secure Software
    • 9.3 Keeping Secrets
      • 9.3.1 Wiping State
      • 9.3.2 Swap File
      • 9.3.3 Caches
      • 9.3.4 Data Retention by Memory
      • 9.3.5 Access by Others
      • 9.3.6 Data Integrity
      • 9.3.7 What to Do
    • 9.4 Quality of Code
      • 9.4.1 Simplicity
      • 9.4.2 Modularization
      • 9.4.3 Assertions
      • 9.4.4 Buffer Overflows
      • 9.4.5 Testing
    • 9.5 Side-Channel Attacks
    • 9.6 Conclusion

II Key Negotiation

  • 10 Generating Randomness
    • 10.1 Real Random
      • 10.1.1 Problems With Using Real Random Data
      • 10.1.2 Pseudorandom Data
      • 10.1.3 Real Random Data and PRNGs
    • 10.2 Attack Models for a PRNG
    • 10.3 Fortuna
    • 10.4 The Generator
      • 10.4.1 Initialization
      • 10.4.2 Reseed
      • 10.4.3 Generate Blocks
      • 10.4.4 Generate Random Data
      • 10.4.5 Generator Speed
    • 10.5 Accumulator
      • 10.5.1 Entropy Sources
      • 10.5.2 Pools
      • 10.5.3 Implementation Considerations
        • Distribution of Events Over Pools
        • Running Time of Event Passing
      • 10.5.4 Initialization
      • 10.5.5 Getting Random Data
      • 10.5.6 Add an Event
    • 10.6 Seed File Management
      • 10.6.1 Write Seed File
      • 10.6.2 Update Seed File
      • 10.6.3 When to Read and Write the Seed File
      • 10.6.4 Backups
      • 10.6.5 Atomicity of File System Updates
      • 10.6.6 First Boot
    • 10.7 So What Should I Do?
    • 10.8 Choosing Random Elements
  • 11 Primes
    • 11.1 Divisibility and Primes
    • 11.2 Generating Small Primes
    • 11.3 Computations Modulo a Prime
      • 11.3.1 Addition and Subtraction
      • 11.3.2 Multiplication
      • 11.3.3 Groups and Finite Fields
      • 11.3.4 The GCD Algorithm
      • 11.3.5 The Extended Euclidean Algorithm
      • 11.3.6 Working Modulo 2
    • 11.4 Large Primes
      • 11.4.1 Primality Testing
      • 11.4.2 Evaluating Powers
  • 12 Diffie-Hellman
    • 12.1 Groups
    • 12.2 Basic DH
    • 12.3 Man in the Middle
    • 12.4 Pitfalls
    • 12.5 Safe Primes
    • 12.6 Using a Smaller Subgroup
    • 12.7 The Size of p
    • 12.8 Practical Rules
    • 12.9 What Could Go Wrong
  • 13 RSA
    • 13.1 Introduction
    • 13.2 The Chinese Remainder Theorem
      • 13.2.1 Garner's Formula
      • 13.2.2 Generalizations
      • 13.2.3 Uses
      • 13.2.4 Conclusion
    • 13.3 Multiplication Modulo n
    • 13.4 RSA Defined
      • 13.4.1 Digital Signatures with RSA
      • 13.4.2 Public Exponents
      • 13.4.3 The Private Key
      • 13.4.4 The Size of n
      • 13.4.5 Generating RSA Keys
    • 13.5 Pitfalls Using RSA
    • 13.6 Encryption
    • 13.7 Signatures
  • 14 Introduction to Cryptographic Protocols
    • 14.1 Roles
    • 14.2 Trust
      • 14.2.1 Risk
    • 14.3 Incentive
    • 14.4 Trust in Cryptographic Protocols
    • 14.5 Messages and Steps
      • 14.5.1 The Transport Layer
      • 14.5.2 Protocol and Message Identity
      • 14.5.3 Message Encoding and Parsing
      • 14.5.4 Protocol Execution States
      • 14.5.5 Errors
      • 14.5.6 Replay and Retries
  • 15 Key Negotiation Protocol
    • 15.1 The Setting
    • 15.2 A First Try
    • 15.3 Protocols Live Forever
    • 15.4 An Authentication Convention
    • 15.5 A Second Attempt
    • 15.6 A Third Attempt
    • 15.7 Our Final Protocol
    • 15.8 Different Views of the Protocol
      • 15.8.1 Alice's View
      • 15.8.2 Bob's View
      • 15.8.3 Attacker's View
      • 15.8.4 Key Compromise
    • 15.9 Computational Complexity of the Protocol
      • 15.9.1 Optimization Tricks
    • 15.10 Protocol Complexity
    • 15.11 A Gentle Warning
    • 15.12 Key Negotiation from a Password
  • 16 Implementation Issues (II)
    • 16.1 Large Integer Arithmetic
      • 16.1.1 Wooping
      • 16.1.2 Checking DH Computations
      • 16.1.3 Checking RSA Encryption
      • 16.1.4 Checking RSA Signatures
      • 16.1.5 Conclusion
    • 16.2 Faster Multiplication
    • 16.3 Side-Channel Attacks
      • 16.3.1 Countermeasures
    • 16.4 Protocols
      • 16.4.1 Protocols Over a Secure Channel
      • 16.4.2 Receiving a Message
      • 16.4.3 Timeouts

III Key Management

  • 17 The Clock
    • 17.1 Uses for a Clock
      • 17.1.1 Expiration
      • 17.1.2 Unique Value
      • 17.1.3 Monotonicity
      • 17.1.4 Real-Time Transactions
    • 17.2 Using the Real-Time Clock Chip
    • 17.3 Security Dangers
      • 17.3.1 Setting the Clock Back
      • 17.3.2 Stopping the Clock
      • 17.3.3 Setting the Clock Forward
    • 17.4 Creating a Reliable Clock
    • 17.5 The Same-State Problem
    • 17.6 Time
    • 17.7 Conclusion
  • 18 Key Servers
    • 18.1 Basics
    • 18.2 Kerberos
    • 18.3 Simpler Solutions
      • 18.3.1 Secure Connection
      • 18.3.2 Setting Up a Key
      • 18.3.3 Rekeying
      • 18.3.4 Other Properties
    • 18.4 What to Choose
  • 19 The Dream of PKI
    • 19.1 A Very Short PKI Overview
    • 19.2 PKI Examples
      • 19.2.1 The Universal PKI
      • 19.2.2 VPN Access
      • 19.2.3 Electronic Banking
      • 19.2.4 Refinery Sensors
      • 19.2.5 Credit Card Organization
    • 19.3 Additional Details
      • 19.3.1 Multilevel Certificates
      • 19.3.2 Expiration
      • 19.3.3 Separate Registration Authority
    • 19.4 Conclusion
  • 20 PKI Reality
    • 20.1 Names
    • 20.2 Authority
    • 20.3 Trust
    • 20.4 Indirect Authorization
    • 20.5 Direct Authorization
    • 20.6 Credential Systems
    • 20.7 The Modified Dream
    • 20.8 Revocation
      • 20.8.1 Revocation List
      • 20.8.2 Fast Expiration
      • 20.8.3 Revocation Is Required
    • 20.9 So What Is a PKI Good For?
    • 20.10 What to Choose
  • 21 PKI Practicalities
    • 21.1 Certificate Format
      • 21.1.1 Permission Language
      • 21.1.2 The Root Key
    • 21.2 The Life of a Key
    • 21.3 Why Keys Wear Out
    • 21.4 So What Should You Do?
  • 22 Storing Secrets
    • 22.1 Disk
    • 22.2 Human Memory
      • 22.2.1 Salting and Stretching
    • 22.3 Portable Storage
    • 22.4 Secure Token
    • 22.5 Secure UI
    • 22.6 Biometrics
    • 22.7 Single Sign-On
    • 22.8 Risk of Loss
    • 22.9 Secret Sharing
    • 22.10 Wiping Secrets
      • 22.10.1 Paper
      • 22.10.2 Magnetic Storage
      • 22.10.3 Solid-State Storage

IV Miscellaneous

  • 23 Standards
    • 23.1 The Standards Process
      • 23.1.1 The Standard
      • 23.1.2 Functionality
      • 23.1.3 Security
    • 23.2 SSL
    • 23.3 AES: Standardization by Competition
  • 24 Patents
    • 24.1 Prior Art
    • 24.2 Continuations
    • 24.3 Vagueness
    • 24.4 Reading Patents
    • 24.5 Licensing
    • 24.6 Defensive Patents
    • 24.7 Fixing the Patent System
    • 24.8 Disclaimer
  • 25 Involving Experts
  • Acknowledgments
  • Bibliography
  • Index

up to Practical Cryptography

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.