Book Description

Two of the world’s top experts in cryptography teach you how to secure your digital future
In today’s world, security is a top concern for businesses worldwide. Without a secure computer system, you don’t make money, you don’t expand, and–bottom line–you don’t survive. Cryptography holds great promise as the technology to provide security in cyberspace. Amazingly enough, no literature exists about how to implement cryptography and how to incorporate it into real-world systems. With Practical Cryptography, an author team of international renown provides you with the first hands-on cryptographic product implementation guide, bridging the gap between cryptographic theory and real-world cryptographic applications.
This follow-up guide to the bestselling Applied Cryptography dives in and explains the how-to of cryptography. You’ll find discussions on:
- Practical rules for choosing and using cryptographic primitives, from block ciphers to digital signatures
- Implementing cryptographic algorithms and systems in a secure way on today’s computers
- A consistent design philosophy to ensure that every part of the system achieves the required security level
- Why security affects every part of the system, and why it has to be a primary goal of the project
- How simple interfaces for cryptographic primitives reduce system complexity and increase system security
About the Author

NIELS FERGUSON is a cryptographic engineer and consultant. He has extensive experience in the design and implementation of cryptographic algorithms, protocols, and large-scale security infrastructures. Previously, Ferguson was a cryptographer for DigiCash and CWI, and he worked closely with Bruce Schneier at Counterpane Internet Security. He has published numerous scientific papers.

BRUCE SCHNEIER is founder and chief technical officer at Counterpane Internet Security, a managed-security monitoring company. A world-renowned scientist, security expert, and lecturer, he is the author of Secrets and Lies: Digital Security in a Networked World and Applied Cryptography (both from Wiley).
Preface

In the past decade, cryptography has done more to damage the security of digital systems than it has to enhance it. Cryptography burst onto the world stage in the early 1990s as the securer of the Internet. Some saw cryptography as a great technological equalizer, a mathematical tool that would put the lowliest privacy-seeking individual on the same footing as the greatest national intelligence agencies. Some saw it as the weapon that would bring about the downfall of nations when governments lost the ability to police people in cyberspace. Others saw it as the perfect and terrifying tool of drug dealers, terrorists, and child pornographers, who would be able to communicate in perfect secrecy. Even those with more realistic attitudes imagined cryptography as a technology that would enable global commerce in this new on-line world.
Ten years later, none of this has come to pass. Despite the prevalence of cryptography, the Internet's national borders are more apparent than ever. The ability to detect and eavesdrop on criminal communications has more to do with politics and human resources than mathematics. Individuals still don't stand a chance against powerful and well-funded government agencies. And the rise of global commerce had nothing to do with the prevalence of cryptography.
For the most part, cryptography has done little more than give Internet users a false sense of security by promising security but not delivering it. And that's not good for anyone except the attackers.
The reasons for this have less to do with cryptography as a mathematical science, and much more to do with cryptography as an engineering discipline. We have developed, implemented, and fielded cryptographic systems over the past decade. What we've been less effective at is converting the mathematical promise of cryptographic security into a reality of security. As it turns out, this is the hard part.
Too many engineers consider cryptography to be a sort of magic security dust that they can sprinkle over their hardware or software, and which will imbue those products with the mythical property of "security." Too many consumers read product claims like "encrypted" and believe in that same magic security dust. Reviewers are no better, comparing things like key lengths and on that basis, pronouncing one product to be more secure than another.
Security is only as strong as the weakest link, and the mathematics of cryptography is almost never the weakest link. The fundamentals of cryptography are important, but far more important is how those fundamentals are implemented and used. Arguing about whether a key should be 112 bits or 128 bits long is rather like pounding a huge stake into the ground and hoping the attacker runs right into it. You can argue whether the stake should be a mile or a mile-and-a-half high, but the attacker is simply going to walk around the stake. Security is a broad stockade: it's the things around the cryptography that make the cryptography effective.
The cryptographic books of the last decade have contributed to that aura of magic. Book after book extolled the virtues of, say, 112-bit triple-DES without saying much about how its keys should be generated or used. Book after book presented complicated protocols for this or that without any mention of the business and social constraints within which those protocols would have to work. Book after book explained cryptography as a pure mathematical ideal, unsullied by real-world constraints and realities. But it's exactly those real-world constraints and realities that mean the difference between the promise of cryptographic magic and the reality of digital security.
Practical Cryptography is also a book about cryptography, but it's a book about sullied cryptography. Our goal is to explicitly describe the real-world constraints and realities of cryptography, and to talk about how to engineer secure cryptographic systems. In some ways, this book is a sequel to Bruce Schneier's first book, Applied Cryptography, which was first published ten years ago. But while Applied Cryptography gives a broad overview of cryptography and the myriad possibilities cryptography can offer, this book is narrow and focused. We don't give you dozens of choices; we give you one option and tell you how to implement it correctly. Applied Cryptography displays the wondrous possibilities of cryptography as a mathematical science---what is possible and what is attainable; Practical Cryptography gives concrete advice to people who design and implement cryptographic systems.
Practical Cryptography is our attempt to bridge the gap between the promise of cryptography and the reality of cryptography. It's our attempt to teach engineers how to use cryptography to increase security.
We're qualified to write this book because we're both seasoned cryptographers. Bruce is well known from his books Applied Cryptography and Secrets and Lies, and from his newsletter "Crypto-Gram." Niels Ferguson cut his cryptographic teeth building cryptographic payment systems at the CWI (Dutch National Research Institute for Mathematics and Computer Science) in Amsterdam, and later at a Dutch company called DigiCash. Bruce designed the Blowfish encryption algorithm, and both of us were on the team that designed Twofish. Niels's research led to the first example of the current generation of efficient anonymous payment protocols. Our combined list of academic papers runs into three digits.
More importantly, we both have extensive experience in designing and building cryptographic systems. From 1991 to 1999, Bruce's consulting company Counterpane Systems provided design and analysis services to some of the largest computer and financial companies in the world. More recently, Counterpane Internet Security, Inc., has provided Managed Security Monitoring services to large corporations and government agencies worldwide. Niels also worked at Counterpane before founding his own consulting company, MacFergus. We've seen cryptography as it lives and breathes in the real world, as it flounders against the realities of engineering or even worse, against the realities of business. We're qualified to write this book because we've had to write it again and again for our consulting clients.
How to Read this Book

Practical Cryptography is more a narrative than a reference. It follows the design of a cryptographic system from the specific algorithm choices, outwards through concentric rings to the infrastructure required to make it work. We discuss a single cryptographic problem---one of establishing a means for two people to communicate securely---that's at the heart of almost every cryptographic application. By focusing on one problem and one design philosophy for solving that problem, it is our belief that we can teach more about the realities of cryptographic engineering.
We've both published books before, and we know that publishing is an imperfect science. Try as we might, this book will not be error-free. We're sorry, but it's simply the way things are. (Oddly enough, cryptographic systems have the same problem; we'll talk about that in a few chapters.) While we've endeavored to make this book as perfect as possible, we have a procedure for ensuring that the inevitable errors get corrected.
Before reading this book, go to http://www.macfergus.com/pc and download the current list of corrections. If you find an error in the book, please check to see if it is already on the list. If it is not on the list, please alert us at practical-cryptography@macfergus.com. We will add the error to the list.

We think cryptography is just about the most fun you can have with mathematics. We've tried to imbue this book with that feeling of fun, and we hope you enjoy the results. Thanks for coming along on our ride.
Table of Contents
==============

1 Our Design Philosophy
  1.1 The Evils of Performance
  1.2 The Evils of Features
2 The Context of Cryptography
  2.1 The Role of Cryptography
  2.2 The Weakest Link Property
  2.3 The Adversarial Setting
  2.4 Practical Paranoia
    2.4.1 Attack
  2.5 Threat Model
  2.6 Cryptography Is Not the Solution
  2.7 Cryptography Is Very Difficult
  2.8 Cryptography Is the Easy Part
  2.9 Background Reading
3 Introduction to Cryptography
  3.1 Encryption
    3.1.1 Kerckhoffs' Principle
  3.2 Authentication
  3.3 Public-Key Encryption
  3.4 Digital Signatures
  3.5 PKI
  3.6 Attacks
    3.6.1 Ciphertext-Only
    3.6.2 Known Plaintext
    3.6.3 Chosen Plaintext
    3.6.4 Chosen Ciphertext
    3.6.5 Distinguishing Attacks
    3.6.6 Birthday
    3.6.7 Meet in the Middle
    3.6.8 Other Types of Attack
  3.7 Security Level
  3.8 Performance
  3.9 Complexity

Part I Message Security

4 Block Ciphers
  4.1 What Is a Block Cipher?
  4.2 Types of Attack
  4.3 The Ideal Block Cipher
  4.4 Definition of Block Cipher Security
    4.4.1 Parity of a Permutation
  4.5 Real Block Ciphers
    4.5.1 DES
    4.5.2 AES
    4.5.3 Serpent
    4.5.4 Twofish
    4.5.5 Other AES Finalists
    4.5.6 Equation-Solving Attacks
    4.5.7 Which Block Cipher Should I Choose?
    4.5.8 What Key Size Should I Use?
5 Block Cipher Modes
  5.1 Padding
  5.2 ECB
  5.3 CBC
    5.3.1 Fixed IV
    5.3.2 Counter IV
    5.3.3 Random IV
    5.3.4 Nonce-Generated IV
  5.4 OFB
  5.5 CTR
  5.6 Newer Modes
  5.7 Which Mode Should I Use?
  5.8 Information Leakage
    5.8.1 Chances of a Collision
    5.8.2 How to Deal With Leakage
    5.8.3 About Our Math
6 Hash Functions
  6.1 Security of Hash Functions
  6.2 Real Hash Functions
    6.2.1 MD5
    6.2.2 SHA-1
    6.2.3 SHA-256, SHA-384, and SHA-512
  6.3 Weaknesses of Hash Functions
    6.3.1 Length Extensions
    6.3.2 Partial-Message Collision
  6.4 Fixing the Weaknesses
    6.4.1 A Thorough Fix
    6.4.2 A More Efficient Fix
  6.5 Which Hash Function Should I Choose?
  6.6 Future Work
7 Message Authentication Codes
  7.1 What a MAC Does
  7.2 The Ideal MAC
  7.3 MAC Security
  7.4 CBC-MAC
  7.5 HMAC
    7.5.1 HMAC versus SHAd
  7.6 UMAC
    7.6.1 Size of MAC
    7.6.2 Which UMAC?
    7.6.3 Platform Flexibility
    7.6.4 Amount of Analysis
    7.6.5 Why Mention UMAC at All?
  7.7 Which MAC to Choose?
  7.8 Using a MAC
8 The Secure Channel
  8.1 Problem Statement
    8.1.1 Roles
    8.1.2 Key
    8.1.3 Messages or Stream
    8.1.4 Security Properties
  8.2 Order of Authentication and Encryption
  8.3 Outline
    8.3.1 Message Numbers
    8.3.2 Authentication
    8.3.3 Encryption
    8.3.4 Frame Format
  8.4 Details
    8.4.1 Initialization
    8.4.2 Sending a Message
    8.4.3 Receiving a Message
    8.4.4 Message Order
  8.5 Alternatives
  8.6 Conclusion
9 Implementation Issues (I)
  9.1 Creating Correct Programs
    9.1.1 Specifications
    9.1.2 Test and Fix
    9.1.3 Lax Attitude
    9.1.4 So How Do We Proceed?
  9.2 Creating Secure Software
  9.3 Keeping Secrets
    9.3.1 Wiping State
    9.3.2 Swap File
    9.3.3 Caches
    9.3.4 Data Retention by Memory
    9.3.5 Access by Others
    9.3.6 Data Integrity
    9.3.7 What to Do
  9.4 Quality of Code
    9.4.1 Simplicity
    9.4.2 Modularization
    9.4.3 Assertions
    9.4.4 Buffer Overflows
    9.4.5 Testing
  9.5 Side-Channel Attacks
  9.6 Conclusion

Part II Key Negotiation

10 Generating Randomness
  10.1 Real Random
    10.1.1 Problems With Using Real Random Data
    10.1.2 Pseudorandom Data
    10.1.3 Real Random Data and PRNGs
  10.2 Attack Models for a PRNG
  10.3 Fortuna
  10.4 The Generator
    10.4.1 Initialization
    10.4.2 Reseed
    10.4.3 Generate Blocks
    10.4.4 Generate Random Data
    10.4.5 Generator Speed
  10.5 Accumulator
    10.5.1 Entropy Sources
    10.5.2 Pools
    10.5.3 Implementation Considerations
      Distribution of Events Over Pools
      Running Time of Event Passing
    10.5.4 Initialization
    10.5.5 Getting Random Data
    10.5.6 Add an Event
  10.6 Seed File Management
    10.6.1 Write Seed File
    10.6.2 Update Seed File
    10.6.3 When to Read and Write the Seed File
    10.6.4 Backups
    10.6.5 Atomicity of File System Updates
    10.6.6 First Boot
  10.7 So What Should I Do?
  10.8 Choosing Random Elements
11 Primes
  11.1 Divisibility and Primes
  11.2 Generating Small Primes
  11.3 Computations Modulo a Prime
    11.3.1 Addition and Subtraction
    11.3.2 Multiplication
    11.3.3 Groups and Finite Fields
    11.3.4 The GCD Algorithm
    11.3.5 The Extended Euclidean Algorithm
    11.3.6 Working Modulo 2
  11.4 Large Primes
    11.4.1 Primality Testing
    11.4.2 Evaluating Powers
12 Diffie-Hellman
  12.1 Groups
  12.2 Basic DH
  12.3 Man in the Middle
  12.4 Pitfalls
  12.5 Safe Primes
  12.6 Using a Smaller Subgroup
  12.7 The Size of p
  12.8 Practical Rules
  12.9 What Could Go Wrong
13 RSA
  13.1 Introduction
  13.2 The Chinese Remainder Theorem
    13.2.1 Garner's Formula
    13.2.2 Generalizations
    13.2.3 Uses
    13.2.4 Conclusion
  13.3 Multiplication Modulo n
  13.4 RSA Defined
    13.4.1 Digital Signatures with RSA
    13.4.2 Public Exponents
    13.4.3 The Private Key
    13.4.4 The Size of n
    13.4.5 Generating RSA Keys
  13.5 Pitfalls Using RSA
  13.6 Encryption
  13.7 Signatures
14 Introduction to Cryptographic Protocols
  14.1 Roles
  14.2 Trust
    14.2.1 Risk
  14.3 Incentive
  14.4 Trust in Cryptographic Protocols
  14.5 Messages and Steps
    14.5.1 The Transport Layer
    14.5.2 Protocol and Message Identity
    14.5.3 Message Encoding and Parsing
    14.5.4 Protocol Execution States
    14.5.5 Errors
    14.5.6 Replay and Retries
15 Key Negotiation Protocol
  15.1 The Setting
  15.2 A First Try
  15.3 Protocols Live Forever
  15.4 An Authentication Convention
  15.5 A Second Attempt
  15.6 A Third Attempt
  15.7 Our Final Protocol
  15.8 Different Views of the Protocol
    15.8.1 Alice's View
    15.8.2 Bob's View
    15.8.3 Attacker's View
    15.8.4 Key Compromise
  15.9 Computational Complexity of the Protocol
    15.9.1 Optimization Tricks
  15.10 Protocol Complexity
  15.11 A Gentle Warning
  15.12 Key Negotiation from a Password
16 Implementation Issues (II)
  16.1 Large Integer Arithmetic
    16.1.1 Wooping
    16.1.2 Checking DH Computations
    16.1.3 Checking RSA Encryption
    16.1.4 Checking RSA Signatures
    16.1.5 Conclusion
  16.2 Faster Multiplication
  16.3 Side-Channel Attacks
    16.3.1 Countermeasures
  16.4 Protocols
    16.4.1 Protocols Over a Secure Channel
    16.4.2 Receiving a Message
    16.4.3 Timeouts

Part III Key Management

17 The Clock
  17.1 Uses for a Clock
    17.1.1 Expiration
    17.1.2 Unique Value
    17.1.3 Monotonicity
    17.1.4 Real-Time Transactions
  17.2 Using the Real-Time Clock Chip
  17.3 Security Dangers
    17.3.1 Setting the Clock Back
    17.3.2 Stopping the Clock
    17.3.3 Setting the Clock Forward
  17.4 Creating a Reliable Clock
  17.5 The Same-State Problem
  17.6 Time
  17.7 Conclusion
18 Key Servers
  18.1 Basics
  18.2 Kerberos
  18.3 Simpler Solutions
    18.3.1 Secure Connection
    18.3.2 Setting Up a Key
    18.3.3 Rekeying
    18.3.4 Other Properties
  18.4 What to Choose
19 The Dream of PKI
  19.1 A Very Short PKI Overview
  19.2 PKI Examples
    19.2.1 The Universal PKI
    19.2.2 VPN Access
    19.2.3 Electronic Banking
    19.2.4 Refinery Sensors
    19.2.5 Credit Card Organization
  19.3 Additional Details
    19.3.1 Multilevel Certificates
    19.3.2 Expiration
    19.3.3 Separate Registration Authority
  19.4 Conclusion
20 PKI Reality
  20.1 Names
  20.2 Authority
  20.3 Trust
  20.4 Indirect Authorization
  20.5 Direct Authorization
  20.6 Credential Systems
  20.7 The Modified Dream
  20.8 Revocation
    20.8.1 Revocation List
    20.8.2 Fast Expiration
    20.8.3 Revocation Is Required
  20.9 So What Is a PKI Good For?
  20.10 What to Choose
21 PKI Practicalities
  21.1 Certificate Format
    21.1.1 Permission Language
    21.1.2 The Root Key
  21.2 The Life of a Key
  21.3 Why Keys Wear Out
  21.4 So What Should You Do?
22 Storing Secrets
  22.1 Disk
  22.2 Human Memory
    22.2.1 Salting and Stretching
  22.3 Portable Storage
  22.4 Secure Token
  22.5 Secure UI
  22.6 Biometrics
  22.7 Single Sign-On
  22.8 Risk of Loss
  22.9 Secret Sharing
  22.10 Wiping Secrets
    22.10.1 Paper
    22.10.2 Magnetic Storage
    22.10.3 Solid-State Storage

Part IV Miscellaneous

23 Standards
  23.1 The Standards Process
    23.1.1 The Standard
    23.1.2 Functionality
    23.1.3 Security
  23.2 SSL
  23.3 AES: Standardization by Competition
24 Patents
  24.1 Prior Art
  24.2 Continuations
  24.3 Vagueness
  24.4 Reading Patents
  24.5 Licensing
  24.6 Defensive Patents
  24.7 Fixing the Patent System
  24.8 Disclaimer
25 Involving Experts

Acknowledgments
Bibliography
Index