Cryptography Engineering

Design Principles and Practical Applications

Niels Ferguson
Bruce Schneier
Tadayoshi Kohno

WILEY
Wiley Publishing, Inc.

Contents

Preface to Cryptography Engineering
History
Example Syllabi
Additional Information
Preface to Practical Cryptography (the 1st Edition)
How to Read this Book

Part I Introduction

Chapter 1 The Context of Cryptography
1.1 The Role of Cryptography
1.2 The Weakest Link Property
1.3 The Adversarial Setting
1.4 Professional Paranoia
1.4.1 Broader Benefits
1.4.2 Discussing Attacks
1.5 Threat Model
1.6 Cryptography Is Not the Solution
1.7 Cryptography Is Very Difficult
1.8 Cryptography Is the Easy Part
1.9 Generic Attacks
1.10 Security and Other Design Criteria
1.10.1 Security Versus Performance
1.10.2 Security Versus Features
1.10.3 Security Versus Evolving Systems
1.11 Further Reading
1.12 Exercises for Professional Paranoia
1.12.1 Current Event Exercises
1.12.2 Security Review Exercises
1.13 General Exercises

Chapter 2 Introduction to Cryptography
2.1 Encryption
2.1.1 Kerckhoffs' Principle
2.2 Authentication
2.3 Public-Key Encryption
2.4 Digital Signatures
2.5 PKI
2.6 Attacks
2.6.1 The Ciphertext-Only Model
2.6.2 The Known-Plaintext Model
2.6.3 The Chosen-Plaintext Model
2.6.4 The Chosen-Ciphertext Model
2.6.5 The Distinguishing Attack Goal
2.6.6 Other Types of Attack
2.7 Under the Hood
2.7.1 Birthday Attacks
2.7.2 Meet-in-the-Middle Attacks
2.8 Security Level
2.9 Performance
2.10 Complexity
2.11 Exercises

Part II Message Security

Chapter 3 Block Ciphers
3.1 What Is a Block Cipher?
3.2 Types of Attack
3.3 The Ideal Block Cipher
3.4 Definition of Block Cipher Security
3.4.1 Parity of a Permutation
3.5 Real Block Ciphers
3.5.1 DES
3.5.2 AES
3.5.3 Serpent
3.5.4 Twofish
3.5.5 Other AES Finalists
3.5.6 Which Block Cipher Should I Choose?
3.5.7 What Key Size Should I Use?
3.6 Exercises

Chapter 4 Block Cipher Modes
4.1 Padding
4.2 ECB
4.3 CBC
4.3.1 Fixed IV
4.3.2 Counter IV
4.3.3 Random IV
4.3.4 Nonce-Generated IV
4.4 OFB
4.5 CTR
4.6 Combined Encryption and Authentication
4.7 Which Mode Should I Use?
4.8 Information Leakage
4.8.1 Chances of a Collision
4.8.2 How to Deal With Leakage
4.8.3 About Our Math
4.9 Exercises

Chapter 5 Hash Functions
5.1 Security of Hash Functions
5.2 Real Hash Functions
5.2.1 A Simple But Insecure Hash Function
5.2.2 MD5
5.2.3 SHA-1
5.2.4 SHA-224, SHA-256, SHA-384, and SHA-512
5.3 Weaknesses of Hash Functions
5.3.1 Length Extensions
5.3.2 Partial-Message Collision
5.4 Fixing the Weaknesses
5.4.1 Toward a Short-term Fix
5.4.2 A More Efficient Short-term Fix
5.4.3 Another Fix
5.5 Which Hash Function Should I Choose?
5.6 Exercises

Chapter 6 Message Authentication Codes
6.1 What a MAC Does
6.2 The Ideal MAC and MAC Security
6.3 CBC-MAC and CMAC
6.4 HMAC
6.5 GMAC
6.6 Which MAC to Choose?
6.7 Using a MAC
6.8 Exercises

Chapter 7 The Secure Channel
7.1 Properties of a Secure Channel
7.1.1 Roles
7.1.2 Key
7.1.3 Messages or Stream
7.1.4 Security Properties
7.2 Order of Authentication and Encryption
7.3 Designing a Secure Channel: Overview
7.3.1 Message Numbers
7.3.2 Authentication
7.3.3 Encryption
7.3.4 Frame Format
7.4 Design Details
7.4.1 Initialization
7.4.2 Sending a Message
7.4.3 Receiving a Message
7.4.4 Message Order
7.5 Alternatives
7.6 Exercises

Chapter 8 Implementation Issues (I)
8.1 Creating Correct Programs
8.1.1 Specifications
8.1.2 Test and Fix
8.1.3 Lax Attitude
8.1.4 So How Do We Proceed?
8.2 Creating Secure Software
8.3 Keeping Secrets
8.3.1 Wiping State
8.3.2 Swap File
8.3.3 Caches
8.3.4 Data Retention by Memory
8.3.5 Access by Others
8.3.6 Data Integrity
8.3.7 What to Do
8.4 Quality of Code
8.4.1 Simplicity
8.4.2 Modularization
8.4.3 Assertions
8.4.4 Buffer Overflows
8.4.5 Testing
8.5 Side-Channel Attacks
8.6 Beyond this Chapter
8.7 Exercises

Part III Key Negotiation

Chapter 9 Generating Randomness
9.1 Real Random
9.1.1 Problems With Using Real Random Data
9.1.2 Pseudorandom Data
9.1.3 Real Random Data and PRNGs
9.2 Attack Models for a PRNG
9.3 Fortuna
9.4 The Generator
9.4.1 Initialization
9.4.2 Reseed
9.4.3 Generate Blocks
9.4.4 Generate Random Data
9.4.5 Generator Speed
9.5 Accumulator
9.5.1 Entropy Sources
9.5.2 Pools
9.5.3 Implementation Considerations
9.5.3.1 Distribution of Events Over Pools
9.5.3.2 Running Time of Event Passing
9.5.4 Initialization
9.5.5 Getting Random Data
9.5.6 Add an Event
9.6 Seed File Management
9.6.1 Write Seed File
9.6.2 Update Seed File
9.6.3 When to Read and Write the Seed File
9.6.4 Backups and Virtual Machines
9.6.5 Atomicity of File System Updates
9.6.6 First Boot
9.7 Choosing Random Elements
9.8 Exercises

Chapter 10 Primes
10.1 Divisibility and Primes
10.2 Generating Small Primes
10.3 Computations Modulo a Prime
10.3.1 Addition and Subtraction
10.3.2 Multiplication
10.3.3 Groups and Finite Fields
10.3.4 The GCD Algorithm
10.3.5 The Extended Euclidean Algorithm
10.3.6 Working Modulo 2
10.4 Large Primes
10.4.1 Primality Testing
10.4.2 Evaluating Powers
10.5 Exercises

Chapter 11 Diffie-Hellman
11.1 Groups
11.2 Basic DH
11.3 Man in the Middle
11.4 Pitfalls
11.5 Safe Primes
11.6 Using a Smaller Subgroup
11.7 The Size of p
11.8 Practical Rules
11.9 What Can Go Wrong?
11.10 Exercises

Chapter 12 RSA
12.1 Introduction
12.2 The Chinese Remainder Theorem
12.2.1 Garner's Formula
12.2.2 Generalizations
12.2.3 Uses
12.2.4 Conclusion
12.3 Multiplication Modulo n
12.4 RSA Defined
12.4.1 Digital Signatures with RSA
12.4.2 Public Exponents
12.4.3 The Private Key
12.4.4 The Size of n
12.4.5 Generating RSA Keys
12.5 Pitfalls Using RSA
12.6 Encryption
12.7 Signatures
12.8 Exercises

Chapter 13 Introduction to Cryptographic Protocols
13.1 Roles
13.2 Trust
13.2.1 Risk
13.3 Incentive
13.4 Trust in Cryptographic Protocols
13.5 Messages and Steps
13.5.1 The Transport Layer
13.5.2 Protocol and Message Identity
13.5.3 Message Encoding and Parsing
13.5.4 Protocol Execution States
13.5.5 Errors
13.5.6 Replay and Retries
13.6 Exercises

Chapter 14 Key Negotiation


14.1 The Setting
14.2 A First Try
14.3 Protocols Live Forever
14.4 An Authentication Convention
14.5 A Second Attempt
14.6 A Third Attempt
14.7 The Final Protocol
14.8 Different Views of the Protocol
14.8.1 Alice's View
14.8.2 Bob's View
14.8.3 Attacker's View
14.8.4 Key Compromise
14.9 Computational Complexity of the Protocol
14.9.1 Optimization Tricks
14.10 Protocol Complexity
14.11 A Gentle Warning
14.12 Key Negotiation from a Password
14.13 Exercises

Chapter 15 Implementation Issues (II)
15.1 Large Integer Arithmetic
15.1.1 Wooping
15.1.2 Checking DH Computations
15.1.3 Checking RSA Encryption
15.1.4 Checking RSA Signatures
15.1.5 Conclusion
15.2 Faster Multiplication
15.3 Side-Channel Attacks
15.3.1 Countermeasures
15.4 Protocols
15.4.1 Protocols Over a Secure Channel
15.4.2 Receiving a Message
15.4.3 Timeouts
15.5 Exercises

Part IV Key Management

Chapter 16 The Clock
16.1 Uses for a Clock
16.1.1 Expiration
16.1.2 Unique Value
16.1.3 Monotonicity
16.1.4 Real-Time Transactions
16.2 Using the Real-Time Clock Chip
16.3 Security Dangers
16.3.1 Setting the Clock Back
16.3.2 Stopping the Clock
16.3.3 Setting the Clock Forward
16.4 Creating a Reliable Clock
16.5 The Same-State Problem
16.6 Time
16.7 Closing Recommendations
16.8 Exercises

Chapter 17 Key Servers


17.1 Basics
17.2 Kerberos
17.3 Simpler Solutions
17.3.1 Secure Connection
17.3.2 Setting Up a Key
17.3.3 Rekeying
17.3.4 Other Properties
17.4 What to Choose
17.5 Exercises

Chapter 18 The Dream of PKI
18.1 A Very Short PKI Overview
18.2 PKI Examples
18.2.1 The Universal PKI
18.2.2 VPN Access
18.2.3 Electronic Banking
18.2.4 Refinery Sensors
18.2.5 Credit Card Organization
18.3 Additional Details
18.3.1 Multilevel Certificates
18.3.2 Expiration
18.3.3 Separate Registration Authority
18.4 Summary
18.5 Exercises

Chapter 19 PKI Reality
19.1 Names
19.2 Authority
19.3 Trust
19.4 Indirect Authorization
19.5 Direct Authorization
19.6 Credential Systems
19.7 The Modified Dream
19.8 Revocation
19.8.1 Revocation List
19.8.2 Fast Expiration
19.8.3 Online Certificate Verification
19.8.4 Revocation Is Required
19.9 So What Is a PKI Good For?
19.10 What to Choose
19.11 Exercises

Chapter 20 PKI Practicalities
20.1 Certificate Format
20.1.1 Permission Language
20.1.2 The Root Key
20.2 The Life of a Key
20.3 Why Keys Wear Out
20.4 Going Further
20.5 Exercises

Chapter 21 Storing Secrets
21.1 Disk
21.2 Human Memory
21.2.1 Salting and Stretching
21.3 Portable Storage
21.4 Secure Token
21.5 Secure UI
21.6 Biometrics
21.7 Single Sign-On
21.8 Risk of Loss
21.9 Secret Sharing
21.10 Wiping Secrets
21.10.1 Paper
21.10.2 Magnetic Storage
21.10.3 Solid-State Storage
21.11 Exercises

Part V Miscellaneous

Chapter 22 Standards and Patents
22.1 Standards
22.1.1 The Standards Process
22.1.1.1 The Standard
22.1.1.2 Functionality
22.1.1.3 Security
22.1.2 SSL
22.1.3 AES: Standardization by Competition
22.2 Patents

Chapter 23 Involving Experts

Bibliography

Index
