Cryptographic Algorithms March 2016 Bart Preneel

Outline

Cryptographic algorithms • 1. Cryptology: concepts and algorithms – symmetric algorithms for confidentiality – symmetric algorithms for data authentication Prof. Bart Preneel – public-key cryptology COSIC • 2. Cryptology: protocols Bart.Preneel(at)esatDOTkuleuven.be – identification/entity authentication http://homes.esat.kuleuven.be/~preneel – key establishment March 2016 • 3. Public-Key Infrastructure fundamentals

© Bart Preneel. All rights reserved

Outline (2) Definitions data entities

Confidentiality confidentiality anonymity Integrity Availability authentication data authentication identification • 4. Network security protocols – web (SSL/TLS) and Ipsec Authorisation • 5. Post-Snowden Non-repudiation of origin, receipt Don’t use the • 6. Cryptography best practices word Contract signing authentication without defining Notarisation and Timestamping it

4

Cryptology: basic principles Symmetric cryptology: confidentiality • old cipher systems: AliceEve Bob – transposition, substitution, rotor machines • the opponent and her power

CRYP • the Vernam scheme CRYP %^C& %^C& Clear Clear TOB TOB @&^( @&^( text OX OX text • DES and triple-DES •AES • RC4

1 Cryptographic Algorithms March 2016 Bart Preneel

Old cipher systems (pre 1900) example: TIPGK RERCP JZJZJ WLE GVCTX EREPC WMWMW JYR UJQHL SFSDQ KAKAK XMF HWDUY FSFQD XNXNX KZS • Caesar cipher: shift letters over k positions in VKRIM TGTER LBLBL YNG IXEVZ GTGRE YOYOY LAT the alphabet (k is the secret key) WLSJN UHUFS MCMCM ZOH JYFWA HUHSF ZPZPZ MBU XDTKO VOVGT NDNDN API KZGXB IVITG AQAQA NCV THIS IS THE CAESAR CIPHER YNULP WKWHU OEOEO BQJ LAHYC JWJUH BRBRB ODW WKLV LV WKH FDHVDU FLSKHU ZOVMQ XKXIV PFPFP CRK MBIZD KXKVI CSCSC PEX APWNR YLYJW QGQGQ DSL NCJAE LYLWJ DTDTD QFY BQXOS ZMXKX RHRHR ETM ODKBF MZMXK EUEUE RGZ • Julius Caesar never changed his key (k=3). ANALY SISIS FUN PELCG NANYL FVFVF SHA DSZQU BOBMZ TJTJT GVO QFMDH OBOZM GWGWG TIB ETARV CPCNA UKUKU HWP RGNEI PCPAN HXHXH UJC FUBSW DQDOB VLVLV IXQ SHOFJ QDQBO IYIYI VKD 7 Plaintext? k = 17 8

Old cipher systems (pre 1900) (2) Security

• there are n! different substitutions on an alphabet • Substitutions with n letters – ABCDEFGHIJKLMNOPQRSTUVWXYZ ! Easy to break using • there are n! different transpositions of n letters – MZNJSOAXFQGYKHLUCTDVWBIPER statistical • n=26: n!=403291461126605635584000000 = 4 . 1026 keys techniques • trying all possibilities at 1 nanosecond per key • Transpositions requires.... TRANS OIPSR 4.1026 /(109 . 105 . 4 102) = 1010 years POSIT NOTNT keys per seconds days per IONS OSAI second year 9 per day 10

Letter distributions Assumptions on Eve (the opponent) 12 • A scheme is broken if Eve can deduce the key 10 or obtain additional plaintext 8 • Eve can always try all keys till “meaningful” 6 plaintext appears: a brute force attack 4 – solution: large key space 2 • Eve will try to find shortcut attacks (faster 0 ABCDEFGH I…YZ than brute force) – history shows that designers are too optimistic Substitutions – ABCDEFGHIJKLMNOPQRSTUVW about the security of their cryptosystems XYZ – MZNJSOAXFQGYKHLUCTDVWBI 11 12 PER

2 Cryptographic Algorithms March 2016 Bart Preneel

Assumptions on Eve (the opponent) New assumptions on Eve

• Cryptology = cryptography + cryptanalysis • Eve may have access to side channels • Eve knows the algorithm, except for the key – timing attacks (Kerckhoffs’s principle) – simple power analysis • increasing capability of Eve: – differential power analysis – knows some information about the plaintext (e.g., in – acoustic attacks English) – electromagnetic interference – knows part of the plaintext – can choose (part of) the plaintext and look at the • Eve may launch (semi-)invasive attacks – can choose (part of) the ciphertext and look at the plaintext – differential fault analysis – probing of memory or bus 13 14

Side channel analysis: power setup Side channel analysis: electromagnetic setup

resistor smart card

Measure voltage over a resistor to Use simple antenna to measure the current (and thus the measure radiation of an power consumption) of a smart FPGA computing a card public key operation card reader 15 16

Simple and differential power analysis: Cryptology + side channels DES

DES on a smart card: power Eve consumption Alice Bob

average power CRYP Clear CRYP %^C& %^C& Clear TOB TOB Correct key text @&^( @&^( text 2 correlation OX OX methods (example of success and failure)

17 18 Measurement data from 2 setups hence not comparable

3 Cryptographic Algorithms March 2016 Bart Preneel

The Rotor machines (WW II) Life cycle of a cryptographic algorithm

idea

mathematical analysis

publication

public evaluation

RIP OK

hw/sw implementation

standardization

industrial products $$$

20 19 take out of service

Vernam scheme (1917) Shannon (1948) Mauborgne: one time pad (1917+x) Vernam scheme: Venona F. Miller (1882) •c= p + k key is random string, as long as the plaintext 1 1 information theoretic proof of security •c2 = p2 + k • then c1 –c2 = p1 –p2

10010  11001 11001  10010 • a skilled cryptanalyst can recover p1 and p2 C from p –p using the redundancy in the P P 1 2 language 01011 01011

22

Vernam scheme Three approaches in cryptography

• 0 + 1 = 1 • information theoretic security • 1 + 0 = 1 – ciphertext only • 0 + 0 = 0 – part of ciphertext only • 1 + 1 = 0 – noisy version of ciphertext • system-based or practical security • identical – also known as “prayer theoretic” security mathematical symbols can result in different • complexity theoretic security: electrical signals model of computation, definition, proof – variant: quantum cryptography 23 24

4 Cryptographic Algorithms March 2016 Bart Preneel

Synchronous (SSC) Exhaustive key search

IV IV • 2016: 240 instructions is easy, 260 is somewhat hard, 280 state state 128 init init is hard, 2 is completely infeasible – 1 million machines with 16 cores and a speed of 4 GHz 56 80 K next K next can do 2 instructions per second or 2 per year state state – trying 1 key requires typically a few 100 instructions function function • Moore’s “law”: speed of computers doubles every 18 months: key lengths need to grow in time – but adding 1 key bit doubles the work for the attacker output output function “looks” function • Key length recommendations in 2016 random – < 70 bits: insecure P C P – 80 bits: one year (but not for NSA) – 100 bits: 20 years 26

Exhaustive key search: multiple targets SSC: Specific properties • If one wants to recover 1 key out of 2t keys, the cost to recover a key is 2k-t < 2k • Recipient needs to be synchronized with sender • If one wants to recover all of 2t keys with t > k/3 • No error-propagation the cost per key can be reduced to 22k/3 – excellent for wireless communications k 2k/3 •2precomputation to fill a memory of size 2 • Key stream independent of data • on-line cost per key: 22k/3 • known as time/memory tradeoff or “rainbow tables” – key stream can be precomputed – particular model for cryptanalysis: attacker is not • So depending on the circumstances, a 128-bit key can able to influence the state become an 85-bit key 27 28

SSC: Avoid repeating key stream Practical stream ciphers • For a fixed key K and initial value IV, the stream cipher output is a deterministic function of the state. • A5/1 (GSM) (64 or 54) • A repetition of the state (for a given K, IV) leads to • E0 (Bluetooth) (128) a repetition of the key stream and plaintext recovery insecure! (think of the problem of Vernam encryption with • RC4 (browser) (40-128) reused key) • SNOW-3G (3GSM) (128) – hence state needs to be large and next state function • HC-128 (128) needs to guarantee a long period –IVcan be used to generate a different key stream for • Trivium (80) every packet in a packet-oriented communication setting • ChaCha20 (128) – old stream ciphers defined without IV are problematic in such a setting 29 30

5 Cryptographic Algorithms March 2016 Bart Preneel

A5/1 stream cipher (GSM) A5/1 stream cipher (GSM) 64 54 18 0 • exhaustive key search: 2 (or rather 2 ) – hardware 10K$ < 1 minute ciphertext only • search 2 smallest registers: 245 steps 21 0 • [BWS00] 1 minute on a PC – 2 seconds of known plaintext –248 precomputation, 146 GB storage 22 0 • [BB05]: 10 minutes on a PC, – 3-4 minutes of ciphertext only • [Nohl-Paget’09]: rainbow tables Clock control: registers agreeing with – seconds with a few frames of ciphertext only majority are clocked (2 or 3) 31 32

Bluetooth stream cipher A simple cipher: RC4 (1987)

• designed by Ron Rivest (MIT) • leaked in 1994 • S[0..255]: secret table derived from user key K for i=0 to 255 S[i]:=i j:=0 for i=0 to 255 j:=(j + S[i] + K[i]) mod 256 swap S[i] and S[j] brute force: 2128 steps i:=0, j:=0 24 38 33 [Lu+05] 24 known bits of 2 frames, 2 computations, 2 memory 34 33

A simple cipher: RC4 (1987) RC4: weaknesses Generate key stream which is added to plaintext • was often used with 40-bit key – US export restrictions until Q4/2000 i:=i+1 • best known general shortcut attack: 2241 j:=(j + S[i]) mod 256 [Maximov-Khovratovich’09] swap S[i] and S[j] • weak keys and key setup (shuffle theory) t:=(S[i] + S[j]) mod 256 output S[t] • large statistical deviations t – bias of output bytes (sometimes very large) – can recover 220 out of 256 bytes of plaintexts after sending the same 000 001 002 093 094 095 254 255 message 1 billion times (WPA/TLS) 205 162092 013 ... 033 92162 079 ... 099 143 • problem with resynchronization modes (WEP) i • problem with use in TLS

j 36 35

6 Cryptographic Algorithms March 2016 Bart Preneel

Block cipher Block cipher P1 P2 P3 • large table: list n-bit ciphertext for each n- bit plaintext block block block Never use – if n is large: very secure (codebook) cipher cipher cipher a block – but for an n-bit block: 2n values cipher in this way – impractical if n  32 • alternative n = 64 or 128 C1 C2 C3 – simplify the implementation • larger data units (blocks): 64…128 bits – repeat many simple operations • memoryless

37 • repeat simple operation (round) many times 38

Exhaustive key search Practical block ciphers • 2016: 240 instructions is easy, 260 is somewhat hard, 280 is hard, 2128 is completely infeasible – 1 million machines with 16 cores and a clock speed of 4 GHz • DES: outdated can do 256 instructions per second or 280 per year • 3-DES: financial sector – trying 1 key requires typically a few 100 instructions • Moore’s “law”: speed of computers doubles every 18 •AES months: key lengths need to grow in time • KASUMI (3GSM) – but adding 1 key bit doubles the work for the attacker • Keeloq (remote control for cars, garage • Key length recommendations in 2016 doors) – < 70 bits: insecure – 80 bits: a few years (not for NSA ) – 100 bits: 20-25 years • More details http://www.ecrypt.eu.org 39 40

Data Encryption Standard (DES) (1977)

• encrypts 64 plaintext bits under control of a 56-bit key • 16 iterations of a relatively simple mapping • FIPS: US government standard for sensitive but unclassified data • worldwide de facto standard since early 80ies • surrounded by controversy

41 42

7 Cryptographic Algorithms March 2016 Bart Preneel

The DES round function DES S-box 1

www.gungfu.de

Security of DES (56-bit key) Federal Register, July 24, 2004 • PC: trying 1 DES key: 7.5 ns DEPARTMENT OF COMMERCE • SUMMARY: The Data Encryption Standard (DES), • Trying all keys on 128 PCs: National Institute of Standards and currently specified in Federal 1 month: 227 x 216 x 25 x 27= 255 Technology Information Processing Standard [Docket No. 040602169– 4169– 01] (FIPS) 46–3, was evaluated pursuant to its scheduled review. • M. Wiener’s design (1993): At the conclusion of this review, Announcing Proposed Withdrawal of NIST determined that the 1,000,000 $ machine: 3 hours Federal Information Processing strength of the DES algorithm is Standard (FIPS) for the Data no longer sufficient to (in 2012: 3 seconds) Encryption Standard (DES) and adequately protect Federal Request for Comments government information. As a result, NIST proposes to withdraw AGENCY: National Institute of FIPS 46–3, and the associated EFF Deep Crack (July 1998) Standards and Technology (NIST), FIPS 74 and FIPS 81. Future use Commerce. of DES by Federal agencies is to 250,000 $ machine: 50 hours… be permitted only as a component ACTION: Notice; request for function of the Triple Data comments. Encryption Algorithm (TDEA). 45 46

3-DES: NIST Spec. Pub. 800-67 Symmetric Key Lengths and Moore’s “law” (May 2004) 140 AES • two-key triple DES: until 2009 -128 120 3-key 3DES • three-key triple DES: until 2030 100 2-key 3DES 80 DES 60 Clear DES DES-1 DES %^C& 40 text @&^( 20

0 1 23 88 12 36 9 0 0 1976 1 2000 2 2024 2 2048 2060 47 Moore’s “law”: speed of computers doubles every 18 months 48

8 Cryptographic Algorithms March 2016 Bart Preneel

AES (Advanced Encryption Standard) AES: Rijndael • open competition launched by US government (Sept. ‘97) to replace DES S S S S S S S S S S S S S S S S • 22 contenders including IBM, RSA, Deutsche Telekom round

round MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S MixColumnsS S S S • 128-bit block cipher with key of 128/192/256 bits • as strong as triple-DES, but more efficient round • Key length: 16/24/32 bytes • royalty-free . Key Key Schedule . • Block length: round – Rijndael: 16/24/32 bytes A machine that cracks a DES key in 1 second – AES: 16 bytes only would take 149 trillion years to crack a 128-bit key 50 49

AES (2001) AES (2001) • FIPS 197 published on December 2001after 4-year • security: open competition – algebraic attacks of [Courtois+02] not effective – other standards: ISO, IETF, IEEE 802.11,… – side channel attacks: cache attacks on unprotected • fast adoption in the market implementations • speed: – except for financial sector – software: 7.6 cycles/byte [Käsper-Schwabe’09] – NIST validation list: > 3800 implementations – hardware: Intel provides AES instruction (since • http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html 2010) at 0.63..1.5 cycles/byte for decryption – • 2003: AES-128 also for secret information and AES- AMD one year behind; ARM a bit more 192/-256 for top secret information! • 2015: NSA recommends to switch to AES-256 for the [Shamir ’07] AES may well be the last block cipher long term 51 52

Symmetric cryptology: Encryption limitations data authentication • Ciphertext becomes random string: “normal” crypto • the problem does not encrypt a credit card number into a (valid) • hash functions without a key credit card number – MDC: Manipulation Detection Codes • Typically does not hide the length of the plaintext (unless randomized ) • hash functions with a secret key •Does not hide existence of plaintext (requires – MAC: Message Authentication Codes steganography) •Does not hide that Alice is talking to Bob (requires traffic confidentiality, e.g. )

54

9 Cryptographic Algorithms March 2016 Bart Preneel

Data authentication: the problem Data authentication: MAC algorithms • encryption provides confidentiality: • Replace protection of authenticty • CBC-MAC – prevents Eve from learning information on the of (long) message by protection (CMAC) cleartext/plaintext of secrecy of (short) key – but does not protect against modifications (active •HMAC • Add MAC to the plaintext eavesdropping) •GMAC • Bob wants to know: This is an input to a MAC –the source of the information (data origin) algorithm. The input is a very long string, that is reduced by the – that the information has not been modified hash function to a string of fixed length. There are additional 7E6FD7198A198FB3C – (optionally) timeliness and sequence security conditions: it should be very hard for someone who does • data authentication is typically more complex than not know the secret key to compute the hash function on a data confidentiality new input.

55 56

MAC algorithms Data authentication: MAC algorithms • typical MAC lengths: 32..96 bits – Forgery attacks: 2m steps with m the MAC length in bits • typical key lengths: (56)..112..160 bits Clear Clear Clear VER Clear – Exhaustive key search: 2k steps with k the key MAC IFY text text text text length in bits • birthday attacks: security level smaller than expected

58

CBC-MAC based on AES MAC algorithms P1 P2 P3 • Banking: CBC-MAC based on triple-DES

• Internet: HMAC and CBC-MAC based on AES AES AES AES • information theoretic secure MAC algorithms (authentication codes): GMAC/UMAC/Po1y1305 C3 – highly efficient C1 C2 – rather long keys (some) AES – part of the key refreshed per message security level: 264 59 select leftmost 64 bits 60

10 Cryptographic Algorithms March 2016 Bart Preneel

Data authentication: MDC MDC Security requirements (n-bit result) • MDC (manipulation •(MD5) nd collision detection code) preimage 2 preimage • (SHA-1), SHA- • Protect short hash value 256, SHA-512 ? x  ? ?  ? rather than long text • RIPEMD-160

This is an input to a • SHA-3 (Keccak) cryptographic hash function. The h h h h h input is a very long string, that is reduced by the hash function to a string of fixed length. There are 1A3FD4128A198FB3CA345932 additional security conditions: it should be very hard to find an h(x) h(x) = h(x’) = input hashing to a given value (a preimage) or to find two colliding inputs (a collision). 2n 2n 2n/2

61

Important hash algorithms Data authentication: MDC •MD5 –(2nd) preimage 2128 steps (improved to 2123 steps) • n-bit result – collisions 264 steps shortcut: Aug. ‘04: 239 steps; ‘09: 220 steps • preimage resistance: for given y, hard to find input • SHA-1: x such that h(x) = y (2n operations) –(2nd) preimage 2160 steps 80 1.6 M$ for 1 year in 2014 •2nd preimage resistance: hard to find x’ x such that – collisions 2 steps shortcut: Aug. ‘05: 269 steps h(x’) = h(x) (2n operations) collisions expected for 2016 • SHA-2 family (2002) • Collision resistance: hard to find (x,x’) • SHA-3 family (2013) – Keccak (Belgian design) with x’  x such that h(x’) = h(x) nd 256 512 n/2 –(2 ) preimage 2 .. 2 steps (2 operations) 64 63 – collisions 2128 .. 2256 steps

NIST’s Modes of Operation for AES Concrete recommendations • ECB/CBC/CFB/OFB + CTR (Dec 01) • MAC algorithm: CMAC (May 05) • AES-128 in CCM mode • Authenticated encryption: – CCM = CTR mode + CBC-MAC – CCM: CTR + CBC-MAC – change key after 240 blocks – GCM: Galois Counter Mode • Stream ciphers (better performance) Issues: •IAPM • CCM – hardware: SNOW-3G or Trivium • associated data •XECB • GCM – software: HC-128 or ChaCha20 • parallelizable •OCB • (EAX) • CAESAR: open competition from 2013-2017 • on-line • (CWC) • provable security will come up with better solutions patented – http://competitions.cr.yp.to/caesar.html 65 66

11 Cryptographic Algorithms March 2016 Bart Preneel

Public-key cryptology Limitation of symmetric cryptology

• the problem • Reduce security of information to security of • public-key encryption keys • digital signatures • an example: RSA • advantages of public-key cryptology • But: how to establish these secret keys? – cumbersome and expensive – or risky: all keys in 1 place • Do we really need to establish secret keys?

67 68

Public key cryptology: encryption Public key cryptology:

CRYP CRYP Clear %^C& %^C& Clear TOB TOB Clear Clear Clear VER Clear text @&^( @&^( text SIGN OX OX text text text IFY text

Private key Public key Public key Private key

69 70

A public-key distribution protocol: Diffie-Hellman RSA (‘78) • Before: Alice and Bob have never met and share no • choose 2 “large” prime numbers p and secrets; they know a public system parameter  • modulus n = p.q • compute (n) = lcm(p-1,q-1) x generate y generate x  • choose e relatively prime w.r.t. (n) x y compute  y compute  • compute d = e-1 mod (n)  The security of RSA is y x x y based on the “fact” that it is compute k=( ) compute k=( ) easy to generate two large • public key = (e,n) primes, but that it is hard to • After: Alice and Bob share a short term key k • private key = d of (p,q) factor their product – Eve cannot compute k : in several mathematical • encryption: c = me mod n structures it is hard to derive x from  x • decryption: m = cd mod n try to factor 2419 (this is known as the discrete logarithm problem) 72 71

12 Cryptographic Algorithms March 2016 Bart Preneel

Factorisation records 4-channel Varian 2009: 768 bits or 232 digits spectrometerPicture of the lab 11.7 T Oxford magnet, Size (digits) room temperature bore Effort (log) 1 digit ~3.3 bits 250 768 bits 200 512 bits 150 15=5x3

100

50 grad students in 0 sunny California... 64 68 72 76 80 84 88 92 96 1002000 104 1082009 74

• 2001: 7-bit quantum computer factors 15 Advantages of public key cryptology • 2007: two new 7-bit quantum computers • 2012: 143 has been factored in Apr. ’12 • Reduce protection of information to • 2012: 10 to 15 years for a large protection of authenticity of public keys quantum computer • Confidentiality without establishing secret QuantumQuantum Computing: An IBM Perspective keys Steffen, M.; DiVincenzo, D. P.; Chow, J. M.; Theis, T. N.; Ketchen, M. B. – extremely useful in an open environment Quantum physics provides an intriguing basis for achieving computational power to address certain categories of mathematical problems that are completely intractable with machine computation as we know it today. We • Data authentication without shared secret present a brief overview of the current theoretical and experimental works in the emerging field of quantum computing. The implementation of a functioning keys: digital signature quantum computer poses tremendous scientific and technological challenges, but current rates of progress suggest that these challenges will be – sender and receiver have different capability substantively addressed over the next ten years. We provide a sketch of a quantum computing system based on superconducting circuits, which are the – third party can resolve dispute between sender current focus of our research. A realistic vision emerges concerning the form and receiver 76 of a future scalable fault-tolerant quantum computer. 75

Disadvantages of public key cryptology Secure multi-party computation • auctions • Calculations in software or hardware two to • medical statistics and advice three orders of magnitude slower than • e-voting • road pricing symmetric algorithms • (social) search • Longer keys: 1024 bits rather than 56…128 bits • What if factoring is easy?

77

13 Cryptographic Algorithms March 2016 Bart Preneel

Crypto recommendations Crypto software libraries http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report http://ece.gmu.edu/crypto_resources/web_resources/libraries.htm Good Bad C/C++/C# Java Authenticated encryption Encryption only, e.g. AES-CBC AES-CCM RC4, A5/1, A5/2, E0, DST, Keeloq, Crypto-1, • Botan (C++) • SunJCA/JCE HC-128 + Poly1305 Hitag-2, DSAA, DSC, GMR-1, GMR-2, CSS • Cryptlib (C) MD2, MD4, MD5, SHA-1 • BouncyCastle (BC, C#) HMAC-SHA-2 • Crypto++ (C++) RSA PKCS#1v.5 • CryptixCrypto (until ’05) SHA-3 • CyaSSL (C) embedded DSA, ECDSA • GnuTLS (C) • EspreSSL Diffie-Hellman Dual_EC_DRBG • Libgcrypt (C++) • FlexiProvider Zp  2048 ECC curves from NIST • MatrixSSL (C++) embedded • GNU Crypto ECC  256 and up • Miracl (binaries) ECIES  256 and up •IAIK SSL 3.0/TLS 1.0/TLS 1.1 • OpenSSL (C++) RSA KEM-DEM  2048 • PolarSSL (C) • Java SSL TLS with RSA key exchange • RSA JSafe RSA-PSS Skype Implementations that do not run in constant time

Reading material Selected books on cryptology  D. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd Ed., 2005. Solid introduction, but only for the • B. Preneel, Modern cryptology: an mathematically inclined.  A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, introduction. Handbook of Applied Cryptography, CRC Press, 1997. – This text corresponds more or less to the second The bible of modern cryptography. Thorough and complete half of these slides reference work – not suited as a first text book. Freely available at http://www.cacr.math.uwaterloo.ca/hac – It covers in more detail how block ciphers are  N. Smart, Cryptography, An Introduction: 3rd Ed., used in practice, and explains how DES works. 2008. Solid and up to date but on the mathematical side. Freely – It does not cover identification, key management available at http://www.cs.bris.ac.uk/~nigel/Crypto_Book/ and application to network security.  B. Schneier, Applied Cryptography, Wiley, 1996. Widely popular and very accessible – make sure you get the errata, online

81  Other authors: Johannes Buchmann, Serge Vaudenay 82

Books on network security and more  W. Stallings, Network and Internetwork Security: Principles and Practice, Prentice Hall, 5th Ed., 2010. Solid background on network security. Explains basic concepts of cryptography.  W. Diffie, S. Landau, Privacy on the line. The politics of wiretapping and encryption, MIT Press, 2nd Ed., 2007. The best book so far on the intricate politics of the field. • Ross Anderson, Security Engineering, Wiley, 2nd Ed., 2008. Insightful. A must read for every information security practitioner. Available for free at http://www.cl.cam.ac.uk/~rja14/book.html • IACR (International Association for Cryptologic Research): www.iacr.org

14