Cryptographic Algorithms February 2018 Bart Preneel

Outline

Cryptographic algorithms • 1. Cryptology: concepts and algorithms – symmetric algorithms for confidentiality – symmetric algorithms for data authentication Prof. Bart Preneel – public-key cryptology imec-COSIC • 2. Cryptology: protocols Bart.Preneel(at)esatDOTkuleuven.be – identification/entity authentication http://homes.esat.kuleuven.be/~preneel – key establishment February 2018 • 3. Public-Key Infrastructure fundamentals

© Bart Preneel. All rights reserved

Outline (2) Definitions data entities

Confidentiality confidentiality encryption anonymity Integrity Availability authentication data authentication identification • 4. Network security protocols – web (SSL/TLS) and IPsec Authorisation • 5. Post-Snowden cryptography Non-repudiation of origin, receipt Don’t use the • 6. Cryptography best practices word Contract signing authentication without defining it Notarisation and Timestamping

4

Cryptology: basic principles Symmetric cryptology: confidentiality • old cipher systems: AliceEve Bob – transposition, substitution, rotor machines • the opponent and her power

CRYP • the Vernam scheme CRYP %^C& %^C& Clear Clear TOB TOB @&^( @&^( text OX OX text • DES and triple-DES •AES • RC4

1 Cryptographic Algorithms February 2018 Bart Preneel

Old cipher systems (pre 1900) Cryptanalysis example: TIPGK RERCP JZJZJ WLE GVCTX EREPC WMWMW JYR UJQHL SFSDQ KAKAK XMF HWDUY FSFQD XNXNX KZS • Caesar cipher: shift letters over k positions in VKRIM TGTER LBLBL YNG IXEVZ GTGRE YOYOY LAT the alphabet (k is the secret key) WLSJN UHUFS MCMCM ZOH JYFWA HUHSF ZPZPZ MBU XDTKO VOVGT NDNDN API KZGXB IVITG AQAQA NCV THIS IS THE CAESAR CIPHER YNULP WKWHU OEOEO BQJ LAHYC JWJUH BRBRB ODW ZOVMQ XKXIV PFPFP CRK MBIZD KXKVI CSCSC PEX WKLV LV WKH FDHVDU FLSKHU APWNR YLYJW QGQGQ DSL NCJAE LYLWJ DTDTD QFY BQXOS ZMXKX RHRHR ETM ODKBF MZMXK EUEUE RGZ • Julius Caesar never changed his key (k=3). CRYPT ANALY SISIS FUN PELCG NANYL FVFVF SHA DSZQU BOBMZ TJTJT GVO QFMDH OBOZM GWGWG TIB ETARV CPCNA UKUKU HWP RGNEI PCPAN HXHXH UJC FUBSW DQDOB VLVLV IXQ SHOFJ QDQBO IYIYI VKD 7 Plaintext? k = 17 8

Old cipher systems (pre 1900) (2) Security

• there are n! different substitutions on an alphabet • Substitutions with n letters – ABCDEFGHIJKLMNOPQRSTUVWXYZ ! Easy to break using • there are n! different transpositions of n letters – MZNJSOAXFQGYKHLUCTDVWBIRPE sttitiltatistical •n=26: n!= 403291461126605635584000000 = 4 . 1026 keys techniques • trying all possibilities at 1 nanosecond per key • Transpositions requires.... TRANS OIPSR 4.1026 /(109 . 105 . 4 102) = 1010 years POSIT NOTNT keys per seconds days per IONS OSAI second year 9 per day 10

Letter distributions Assumptions on Eve (the opponent) 12 • A scheme is broken if Eve can deduce the key 10 or obtain additional plaintext 8 • Eve can always try all keys till “meaningful” 6 plaintext appears: a brute force attack 4 – solution: large key space 2 • Eve will try to find shortcut attacks (faster 0 ABCDEFGH I…YZ than brute force) – history shows that designers are too optimistic Substitutions ABCDEFGHIJKLMNOPQRSTUVWXYZ about the security of their cryptosystems MZNJSOAXFQGYKHLUCTDVWBIRPE 11 12

2 Cryptographic Algorithms February 2018 Bart Preneel

Assumptions on Eve (the opponent) New assumptions on Eve

• Cryptology = cryptography + cryptanalysis • Eve may have access to side channels • Eve knows the algorithm, except for the key – timing attacks (Kerckhoffs’s principle) – simple power analysis • increasi ng capabili ty of E ve: – differenti al power anal ysi s – knows some information about the plaintext (e.g., in – acoustic attacks English) – electromagnetic interference – knows part of the plaintext – can choose (part of) the plaintext and look at the ciphertext • Eve may launch (semi-)invasive attacks – can choose (part of) the ciphertext and look at the plaintext – differential fault analysis – probing of memory or bus 13 14

Side channel analysis: power setup Side channel analysis: electromagnetic setup

resistor smart card

Measure voltage over a resistor to Use simple antenna to measure the current (and thus the measure radiation of an power consumption) of a smart FPGA computing a card public key operation card reader 15 16

Simple and differential power analysis: Cryptology + side channels DES block cipher

DES on a smart card: power Eve consumption Alice Bob

average power CRYP Clear CRYP %^C& %^C& Clear TOB TOB Correct key text @&^( @&^( text 2 correlation OX OX methods (example of success and failure)

17 18 Measurement data from 2 setups hence not comparable

3 Cryptographic Algorithms February 2018 Bart Preneel

The Rotor machines (WW II) Life cycle of a cryptographic algorithm

idea

mathematical analysis

publication

public evaluation

RIP OK

hw/sw implementation

standardization

industrial products $$$

20 19 take out of service

Vernam scheme (1917) Shannon (1948) Mauborgne: one time pad (1917+x) Vernam scheme: Venona F. Miller (1882) •c= p + k key is random string, as long as the plaintext 1 1 information theoretic proof of security •c2 = p2 + k • then c1 –c2 = p1 –p2

10010 ⊕ 11001 11001 ⊕ 10010 • a skilled cryptanalyst can recover p1 and p2 C from p –p using the redundancy in the P P 1 2 language 01011 01011

22

Vernam scheme Three approaches in cryptography

• 0 + 1 = 1 • information theoretic security • 1 + 0 = 1 – ciphertext only • 0 + 0 = 0 – part of ciphertext only • 1 + 1 = 0 – noisy version of ciphertext • system-based or practical security • identical – also known as “prayer theoretic” security mathematical symbols can result in different • complexity theoretic security: electrical signals model of computation, definition, proof – variant: quantum cryptography 23 24

4 Cryptographic Algorithms February 2018 Bart Preneel

Synchronous Stream Cipher (SSC) Exhaustive key search

IV IV • 2019: 240 instructions is easy, 260 is somewhat hard, 280 state state 128 init init is hard, 2 is completely infeasible – 1 million machines with 16 cores and a clock speed of 4 GHz 56 80 K next K next can do 2 instructions per second or 2 per year state state – trying 1 key requires typically a few 100 instructions fifunction fifunction • Moore’s “law”: speed of computers doubles every 18 months: key lengths need to grow in time – but adding 1 key bit doubles the work for the attacker output output function “looks” function • Key length recommendations in 2018 random – < 70 bits: insecure P C P – 80 bits: one year (but not for NSA) – 100 bits: 20 years 26

Exhaustive key search: multiple targets SSC: Specific properties • If one wants to recover 1 key out of 2t keys, the cost to recover a key is 2k-t < 2k • Recipient needs to be synchronized with sender • If one wants to recover all of 2t keys with t > k/3 • No error-propagation the cost per k ey can b e red uced t o 2 2k/3 – excellent for wireless communications k 2k/3 •2precomputation to fill a memory of size 2 • Key stream independent of data • on-line cost per key: 22k/3 encryptions – key stream can be precomputed • known as time/memory tradeoff or “rainbow tables” – particular model for cryptanalysis: attacker is not • So depending on the circumstances, a 128-bit key can able to influence the state become an 85-bit key 27 28

SSC: Avoid repeating key stream Practical stream ciphers • For a fixed key K and initial value IV, the stream cipher output is a deterministic function of the state. • A5/1 (GSM) (64 or 54) • A repetition of the state (for a given K, IV) leads to • E0 (Bluetooth) (128) insecure! a repetition of the key stream and plaintext recovery ((pthink of the problem of Vernam encr yption with • RC4 (browser) (40-128) reused key) • SNOW-3G (3GSM) (128) – hence state needs to be large and next state function • HC-128 (128) needs to guarantee a long period –IVcan be used to generate a different key stream for • Trivium (80) every packet in a packet-oriented communication setting • ChaCha20 (128) – old stream ciphers defined without IV are problematic in such a setting 29 30

5 Cryptographic Algorithms February 2018 Bart Preneel

A5/1 stream cipher (GSM) A5/1 stream cipher (GSM) 64 54 18 0 • exhaustive key search: 2 (or rather 2 ) – hardware 10K$ < 1 minute ciphertext only • search 2 smallest registers: 245 steps 21 0 • [BWS00] 1 minute on a PC – 2dfklitt2 seconds of known plaintext –248 precomputation, 146 GB storage 22 0 • [BB05]: 10 minutes on a PC, – 3-4 minutes of ciphertext only • [Nohl-Paget’09]: rainbow tables Clock control: registers agreeing with – seconds with a few frames of ciphertext only majority are clocked (2 or 3) 31 32

Bluetooth stream cipher A simple cipher: RC4 (1987)

• designed by Ron Rivest (MIT) • leaked in 1994 • S[0..255]: secret table derived from user key K for i0 i=0 to 255 S[i]:= i j:=0 for i=0 to 255 j:=(j + S[i] + K[i]) mod 256 swap S[i] and S[j] brute force: 2128 steps i:=0, j:=0 24 38 33 [Lu+05] 24 known bits of 2 frames, 2 computations, 2 memory 34 33

A simple cipher: RC4 (1987) RC4: weaknesses Generate key stream which is added to plaintext • was often used with 40-bit key – US export restrictions until Q4/2000 i:=i+1 241 j:=(j + S[i]) mod 256 • best known general shortcut attack: 2 [Maximov-Khovratovich’09] swap S[i] and S[j] t:=(S[i]+] + S[j]) mod 256 • weak keyyyp(y)s and key setup (shuffle theory) output S[t] • large statistical deviations t – bias of output bytes (sometimes very large) – can recover 220 out of 256 bytes of plaintexts after sending the same 000 001 002 093 094 095 254 255 message 1 billion times (WPA/TLS) 205 162092 013 ... 033 92162 079 ... 099 143 • problem with resynchronization modes (WEP) i • problem with use in TLS

j 36 35

6 Cryptographic Algorithms February 2018 Bart Preneel

Block cipher Block cipher P1 P2 P3 • large table: list n-bit ciphertext for each n- bit plaintext block block block Never use – if n is large: very secure (codebook) cipher cipher cipher a block – btfbut for an n-bit bl ock : 2 n values cipher in this way – impractical if n ≥ 32 • alternative n = 64 or 128 C1 C2 C3 – simplify the implementation • larger data units (blocks): 64…128 bits – repeat many simple operations • memoryless

37 • repeat simple operation (round) many times 38

Practical block ciphers Data Encryption Standard (1977)

• DES: outdated • encrypts 64 plaintext bits under control of a • 3-DES: financial sector 56-bit key •AES • 16 iterations of a relatively simple mapping • KASUMI (3GSM) • FIPS: US government standard for sensitive • Keeloq (remote control for cars, garage but unclassified data doors) • worldwide de facto standard since early 80ies • surrounded by controversy

39 40

DES S-box 1 Security of DES (56-bit key)

• PC: trying 1 DES key: 7.5 ns • Trying all keys on 128 PCs: 1 month: 227 x 216 x 25 x 27= 255 • M. Wiener’s desigg(n (1993 ): 1,000,000 $ machine: 3 hours (in 2017: 0.3 seconds)

EFF Deep Crack (July 1998) 250,000 $ machine: 50 hours…

42 www.gungfu.de

7 Cryptographic Algorithms February 2018 Bart Preneel

3-DES: NIST Spec. Pub. 800-67 Federal Register, July 24, 2004 (May 2004) DEPARTMENT OF COMMERCE • SUMMARY: The Data Encryption Standard (DES), • two-key triple DES: until 2009 National Institute of Standards and currently specified in Federal Technology Information Processing Standard • three-key triple DES: until 2030 [Docket No. 040602169– 4169– 01] (FIPS) 46–3, was evaluated pursuant to its scheduled review. At the conclusion of this review, Annou ncing Proposed Withdraw al of NIST determined that the Federal Information Processing strength of the DES algorithm is Standard (FIPS) for the Data no longer sufficient to Encryption Standard (DES) and adequately protect Federal Clear -1 %^C& Request for Comments DES DES DES government information. As a @&^( result, NIST proposes to withdraw text AGENCY: National Institute of FIPS 46–3, and the associated Standards and Technology (NIST), FIPS 74 and FIPS 81. Future use Commerce. of DES by Federal agencies is to be permitted only as a component 1 23 ACTION: Notice; request for function of the Triple Data comments. Encryption Algorithm (TDEA). 44 43

Symmetric Key Lengths and Moore’s “law” AES (Advanced Encryption Standard)

AES 140 • open competition launched by US government (Sept. ‘97) -128 to replace DES 120 3-key 2-key 3DES • 22 contenders including IBM, RSA, Deutsche Telekom 100 3DES 80 DES • 128-bit bl ock ci ph er with k ey of 128/192/256 bit s 60 • as strong as triple-DES, but more efficient 40 • royalty-free 20

0

88 48 A machine that cracks a DES key in 1 second 1976 19 2000 2012 2024 2036 20 2060 would take 149 trillion years to crack a 128-bit key Moore’s “law”: speed of computers doubles every 18 months 45 46

AES: Rijndael AES (2001) • FIPS 197 published on December 2001after 4-year open competition S S S S S S S S S S S S S S S S round – other standards: ISO, IETF, IEEE 802.11,… • fast adoption in the market

ule round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S – except for financial sector d round – NIST validation list: ≥ 5241 implementations • Key length: 16/24/32 bytes • http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html .

Key Sche Key • 2003: AES-128 also for secret information and AES- . • Block length: 192/-256 for top secret information! round – Rijndael: 16/24/32 bytes • 2015: NSA recommends to switch to AES-256 for the – AES: 16 bytes only long term 47 48

8 Cryptographic Algorithms February 2018 Bart Preneel

AES (2001) Encryption limitations • security: – algebraic attacks of [Courtois+02] not effective • Ciphertext becomes random string: “normal” crypto – side channel attacks: cache attacks on unprotected does not encrypt a credit card number into a (valid) implementations credit card number • speed: • Typically does not hide the length of the plaintext – sofl/bftware: 7.6 cycles/byte [Käsper-Schbhwabe’09] (unless randomized padding) – hardware: Intel provides AES instruction (since 2010) at 0.63..1.5 cycles/byte for decryption – •Does not hide existence of plaintext (requires AMD one year behind; ARM a bit more steganography) •Does not hide that Alice is talking to Bob (requires [Shamir ’07] AES may well be the last block cipher traffic confidentiality, e.g. TOR)

49

Symmetric cryptology: Data authentication: the problem data authentication • encryption provides confidentiality: • the problem – prevents Eve from learning information on the cleartext/plaintext • hash functions without a key – but does not protect against modifications (active – MDC: Manipulation Detection Codes eavesdropping) • hash functions with a secret key • BbBob wants to k now: –the source of the information (data origin) – MAC: Message Authentication Codes – that the information has not been modified – (optionally) timeliness and sequence • data authentication is typically more complex than data confidentiality

51 52

Data authentication: MAC algorithms MAC algorithms

• Replace protection of authenticty • CBC-MAC of (long) message by protection (CMAC) of secrecy of (short) key •HMAC • Add MAC to the plaintext •GMAC Clear Clear Clear VER Clear This is an input to a MAC MAC algorithm. The input is a very text text text IFY text long string, that is reduced by the hash function to a string of fixed length. There are additional 7E6FD7198A198FB3C security conditions: it should be very hard for someone who does not know the secret key to compute the hash function on a new input.

53

9 Cryptographic Algorithms February 2018 Bart Preneel

Data authentication: MAC algorithms MAC algorithms • typical MAC lengths: 32..96 bits • Banking: CBC-MAC based on triple-DES – Forgery attacks: 2m steps with m the MAC length in bits • Internet: HMAC and CBC-MAC based on AES •typical ke y leng ths: (56 )..112..160 bits – Exhaustive key search: 2k steps with k the • information theoretic secure MAC algorithms key length in bits (authentication codes): GMAC/UMAC/Po1y1305 • birthday attacks: security level smaller – highly efficient than expected – rather long keys (some) – part of the key refreshed per message

55 56

ANSI Retail MAC based on DES CBC-MAC based on AES (LMAC) x P2 P3 x1 2 x P1 H1 H2 … Ht-1 t G DES K1 DES K1 K1 DES Ht DES-1 AES AES AES K2 K K K1 2 1 C3 C2 select leftmost K1 DES C1 64 bits MAC (x) K Secure up to 250 message blocks 58 57

MAC based on a hash function Data authentication: MDC

• HMAC • MDC (manipulation •(MD5) . h (X) = h(K || h(K || x) ) detection code) K 2 1 • (SHA-1), SHA- . not secure with MD4/MD5 • Protect short hash value 256, SHA-512 . ok with SHA-1 and SHA-2 rather than long text • RIPEMD-160 . there is a an alternative (simple) construction with SHA-3 This is an input to a • SHA-3 (Keccak) cryptographic hash function. The K x input is a very long string, that is 1 reduced by the hash function to a string of fixed length. There are h 1A3FD4128A198FB3CA345932 additional security conditions: it h should be very hard to find an K 2 input hashing to a given value (a h preimage) or to find two colliding inputs (a collision).

60

10 Cryptographic Algorithms February 2018 Bart Preneel

MDC Security requirements (n-bit result) Data authentication: MDC preimage 2nd preimage collision • n-bit result ? x ≠ ? ? ≠ ? • preimage resistance: for given y, hard to find input xsuchthath(x)=yx such that h(x) = y (2n operations) h h h h h •2nd preimage resistance: hard to find x’≠ x such that h(x’) = h(x) (2n operations) h(x) h(x) = h(x’) = • Collision resistance: hard to find (x,x’) 2n 2n 2n/2 with x’ ≠ x such that h(x’) = h(x) (2n/2 operations) 62

Important hash algorithms NIST’s Modes of Operation for AES •MD5 –(2nd) preimage 2128 steps (improved to 2123 steps) • ECB/CBC/CFB/OFB + CTR (Dec 01) Use only with MAC – collisions 264 steps • MAC algorithm: CMAC (May 05) shortcut: Aug. ‘04: 239 steps; ‘09: 220 steps • Authenticated encryption: • SHA-1: – CCM: CTR + CBC-MAC – (2nd)preimage2) preimage 2160 steps – GCM: Galois Counter Mode 0.3 M$ for 1 year in 2018 – collisions 280 steps shortcut: Aug. ‘05: 269 steps Issues: •IAPM • CCM •GCM collisions 23/02/2017: 261 steps • associated data •XECB • parallelizable •OCB • (EAX) • SHA-2 family (2002) • on-line • (CWC) • SHA-3 family (2013) – Keccak (Belgian design) • provable security –(2nd) preimage 2256 .. 2512 steps patented 63 – collisions 2128 .. 2256 steps 64

Permutation (π) based hash: sponge Permutation (f) based (e.g. SHA-3/Keccak) authenticated encryption x1 x2 x3 x4 h1 h2

H10 r π π π π π π H2 0 … c

absorb squeeze if result has n bits, H1 has r bits (rate), H2 has c bits (capacity) and the permutation π is “ideal” collisions min (2c/2 , 2n/2) Simple and elegant 2nd preimage min (2c/2 , 2n) Source of figure: Keccak team [Bertoni-Daemen-Peeters-Van Assche] preimage min (2c , 2n) 65 66

11 Cryptographic Algorithms February 2018 Bart Preneel

Concrete recommendations Public-key cryptology

• AES-128 in CCM mode • the problem – CCM = CTR mode + CBC-MAC • public-key encryption – change key after 240 blocks • digital signatures • Stream ciphers (better performance) • an example: RSA – hardware: SNOW-3G or Trivium – software: HC-128 or ChaCha20 • advantages of public-key cryptology • CAESAR: open competition from 2013-2018 will come up with better solutions – http://competitions.cr.yp.to/caesar.html 67 68

Public key cryptology: encryption Limitation of symmetric cryptology

• Reduce security of information to security of keys

CRYP CRYP Clear %^C& %^C& Clear TOB TOB text @&^( @&^( text • But: how to establish these secret keys? OX OX – cumbersome and expensive – or risky: all keys in 1 place Public key Private key • Do we really need to establish secret keys?

69 70

Public key cryptology: digital signature A public-key distribution protocol: Diffie-Hellman • Before: Alice and Bob have never met and share no secrets; they know a public system parameter α generate x α x generate y α x α y compute α y compute Clear Clear Clear VER Clear SIGN α y x α x y text text text IFY text compute k=( ) compute k=( ) • After: Alice and Bob share a short term key k Private key Public key – Eve cannot compute k : in several mathematical structures it is hard to derive x from α x (this is known as the discrete logarithm problem) 71 72

12 Cryptographic Algorithms February 2018 Bart Preneel

RSA (‘78) Factorisation records 2009: 768 bits or 232 digits • choose 2 “large” prime numbers p and q • modulus n = p.q Size (digits) Effort (log) • compute λ(n) = lcm(p-1,q-1) 1 digit ~3.3 bits 250 • choose e relatively prime w.r.t. λ(n) 768 bits • compute d = e-1 mod λ(n) 200 The security of RSA is based on the “fact” that it is 512 bits easy to generate two large 150 • public key = (e,n) primes, but that it is hard to • private key = d of (p,q) factor their product 100

50 • encryption: c = me mod n • decryption: m = cd mod n try to factor 2419 0 64 68 72 76 80 84 88 92 96 1002000 104 1082009 73

4-channel Varian Progress in quantum computers spectrometerPicture of the lab 11.7 T Oxford magnet, 2011: D-Wave*: 128 qubits “QC” but topology room temperature bore Jan. 2014: NSA 85 M$ for research to build a QC 2013: D-Wave: 512 qubits “QC” 2015: D-Wave 2X: a 1000+ qubit “QC” (15M$) 2015: Intel invests US$50 million with QuTech (Delft) –2017: test chip with 17 qubits delivered March 2017: Rigetti has raised nearly $70 million and 15=5 x3 has built an 8-qubit QC May 2017: IBM announced 16-qubit QC based on superconductivity Oct 2017: Google/UCSB: plan for 49-bit QC based on superconductivity grad students in Microsoft: will build QC on topological qubits sunny California... Nov 2017: IBM announces a 50-qubit QC 75 * Note: D-Wave does not build QCs with “full functionality”

Advantages of public key cryptology Disadvantages of public key cryptology

• Reduce protection of information to • Calculations in software or hardware two to protection of authenticity of public keys three orders of magnitude slower than • Confidentiality without establishing secret symmetric algorithms keys • Longer key s: 1024 bits rather than 56 …128 – extremely useful in an open environment bits • Data authentication without shared secret • What if factoring is easy? keys: digital signature – sender and receiver have different capability – third party can resolve dispute between sender and receiver 77 78

13 Cryptographic Algorithms February 2018 Bart Preneel

Crypto software libraries Secure multi-party computation Wikipedia Javascript: https://gist.github.com/jo/8619441 • auctions http://ece.gmu.edu/crypto_resources/web_resources/libraries.htm • medical statistics and advice C/C++/C# C/C++ Java • e-voting • Botan (C++) (embedded) • road pricing • SunJCA/JCE • BoringSSL • CyaSSL (C) • (social) search • cryptlib (C) • BouncyCastle (BC, C#) •MatrixSSL • C(C)Crypto++ (C++) (C++) • EspreSSL • GnuTLS (C) • FlexiProvider • libgcrypt (C++) • libtomcrypt (C) • GNU Crypto • libsodium (C) •IAIK • Miracl (binaries) • Java SSL • NaCl (C/Assembly) •RSA JSafe • Nettle (C) • OpenSSL (C) • WolfCrypt (C)

Crypto recommendations http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report Reading material http://www.ecrypt.eu.org/ Good Bad Authenticated encryption Encryption only, e.g. AES-CBC • B. Preneel, Modern cryptology: an AES-CCM RC4, A5/1, A5/2, E0, DST, Keeloq, Crypto-1, Hitag- HC-128 + Poly1305 2, DSAA, DSC, GMR-1, GMR-2, CSS introduction. MD2, MD4, MD5, SHA-1 HMAC-SHA-2 – This text corresponds more or less to the second RSA PKCS#1v.5 SHA-3 half of these slides DSA, ECDSA Diffie-Hellman – It covers in more detail how block ciphers are ≥ Dual_EC_DRBG Zp 2048 used in practice, and explains how DES works. ECC ≥ 256 and up ECC curves from NIST? – It does not cover identification, key management ECIES ≥ 256 and up SSL 3.0/TLS 1.0/TLS 1.1 and application to network security. RSA KEM-DEM ≥ 2048 TLS with RSA key exchange RSA-PSS Skype Implementations that do not run in constant time 82

Selected books on cryptology Books on network security and more • W. Stallings, Network and Internetwork Security: Principles and • D. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd Practice, Pearson, 7th Ed., 2016. Solid background on network security. Ed., 2005. Solid introduction, but only for the mathematically inclined. Explains basic concepts of cryptography. • A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of • W. Stallings, Network Security Essentials: Applications and Applied Cryptography, CRC Press, 1997. The bible of modern Standards, 6th Ed., 2016, Pearson. Short version of the previous book. cryptography. Thorough and complete reference work – not suited as a first • W. Diffie, S. Landau, Privacy on the line. The politics of text b ook . F reel y avail abl e at http:// www.cacr.math .uwat erl oo.ca/h ac wiretapping and encryption, MIT Press, 2nd Ed., 2007. The best • N. Smart, Cryptography, An Introduction: 3rd Ed., 2008. Solid book so far on the intricate politics of the field. and up to date but on the mathematical side. Freely available at • Ross Anderson, Security Engineering, Wiley, 2nd Ed., 2008. http://www.cs.bris.ac.uk/~nigel/Crypto_Book/ Insightful. A must read for every information security practitioner. First and second • B. Schneier, Applied Cryptography, Wiley, 1996. Widely popular editions are available for free at http://www.cl.cam.ac.uk/~rja14/book.html and very accessible – make sure you get the errata, online • Jay Ramachandran, Designing Security Architecture Solutions, • Other authors: Johannes Buchmann, Serge Vaudenay Wiley 2002. • Gary McGraw, Software Security: Building Security In, Addison Wesley, 2006. 84 83

14