Cryptography Engineering

Cryptography Engineering: Design Principles and Practical Applications

Niels Ferguson, Bruce Schneier, Tadayoshi Kohno

Wiley Publishing, Inc.

Contents

Preface to Cryptography Engineering
History
Example Syllabi
Additional Information
Preface to Practical Cryptography (the 1st Edition)
How to Read this Book

Part I Introduction

Chapter 1 The Context of Cryptography
1.1 The Role of Cryptography
1.2 The Weakest Link Property
1.3 The Adversarial Setting
1.4 Professional Paranoia
  1.4.1 Broader Benefits
  1.4.2 Discussing Attacks
1.5 Threat Model
1.6 Cryptography Is Not the Solution
1.7 Cryptography Is Very Difficult
1.8 Cryptography Is the Easy Part
1.9 Generic Attacks
1.10 Security and Other Design Criteria
  1.10.1 Security Versus Performance
  1.10.2 Security Versus Features
  1.10.3 Security Versus Evolving Systems
1.11 Further Reading
1.12 Exercises for Professional Paranoia
  1.12.1 Current Event Exercises
  1.12.2 Security Review Exercises
1.13 General Exercises

Chapter 2 Introduction to Cryptography
2.1 Encryption
  2.1.1 Kerckhoffs' Principle
2.2 Authentication
2.3 Public-Key Encryption
2.4 Digital Signatures
2.5 PKI
2.6 Attacks
  2.6.1 The Ciphertext-Only Model
  2.6.2 The Known-Plaintext Model
  2.6.3 The Chosen-Plaintext Model
  2.6.4 The Chosen-Ciphertext Model
  2.6.5 The Distinguishing Attack Goal
  2.6.6 Other Types of Attack
2.7 Under the Hood
  2.7.1 Birthday Attacks
  2.7.2 Meet-in-the-Middle Attacks
2.8 Security Level
2.9 Performance
2.10 Complexity
2.11 Exercises

Part II Message Security

Chapter 3 Block Ciphers
3.1 What Is a Block Cipher?
3.2 Types of Attack
3.3 The Ideal Block Cipher
3.4 Definition of Block Cipher Security
  3.4.1 Parity of a Permutation
3.5 Real Block Ciphers
  3.5.1 DES
  3.5.2 AES
  3.5.3 Serpent
  3.5.4 Twofish
  3.5.5 Other AES Finalists
  3.5.6 Which Block Cipher Should I Choose?
  3.5.7 What Key Size Should I Use?
3.6 Exercises

Chapter 4 Block Cipher Modes
4.1 Padding
4.2 ECB
4.3 CBC
  4.3.1 Fixed IV
  4.3.2 Counter IV
  4.3.3 Random IV
  4.3.4 Nonce-Generated IV
4.4 OFB
4.5 CTR
4.6 Combined Encryption and Authentication
4.7 Which Mode Should I Use?
4.8 Information Leakage
  4.8.1 Chances of a Collision
  4.8.2 How to Deal With Leakage
  4.8.3 About Our Math
4.9 Exercises

Chapter 5 Hash Functions
5.1 Security of Hash Functions
5.2 Real Hash Functions
  5.2.1 A Simple But Insecure Hash Function
  5.2.2 MD5
  5.2.3 SHA-1
  5.2.4 SHA-224, SHA-256, SHA-384, and SHA-512
5.3 Weaknesses of Hash Functions
  5.3.1 Length Extensions
  5.3.2 Partial-Message Collision
5.4 Fixing the Weaknesses
  5.4.1 Toward a Short-term Fix
  5.4.2 A More Efficient Short-term Fix
  5.4.3 Another Fix
5.5 Which Hash Function Should I Choose?
5.6 Exercises

Chapter 6 Message Authentication Codes
6.1 What a MAC Does
6.2 The Ideal MAC and MAC Security
6.3 CBC-MAC and CMAC
6.4 HMAC
6.5 GMAC
6.6 Which MAC to Choose?
6.7 Using a MAC
6.8 Exercises

Chapter 7 The Secure Channel
7.1 Properties of a Secure Channel
  7.1.1 Roles
  7.1.2 Key
  7.1.3 Messages or Stream
  7.1.4 Security Properties
7.2 Order of Authentication and Encryption
7.3 Designing a Secure Channel: Overview
  7.3.1 Message Numbers
  7.3.2 Authentication
  7.3.3 Encryption
  7.3.4 Frame Format
7.4 Design Details
  7.4.1 Initialization
  7.4.2 Sending a Message
  7.4.3 Receiving a Message
  7.4.4 Message Order
7.5 Alternatives
7.6 Exercises

Chapter 8 Implementation Issues (I)
8.1 Creating Correct Programs
  8.1.1 Specifications
  8.1.2 Test and Fix
  8.1.3 Lax Attitude
  8.1.4 So How Do We Proceed?
8.2 Creating Secure Software
8.3 Keeping Secrets
  8.3.1 Wiping State
  8.3.2 Swap File
  8.3.3 Caches
  8.3.4 Data Retention by Memory
  8.3.5 Access by Others
  8.3.6 Data Integrity
  8.3.7 What to Do
8.4 Quality of Code
  8.4.1 Simplicity
  8.4.2 Modularization
  8.4.3 Assertions
  8.4.4 Buffer Overflows
  8.4.5 Testing
8.5 Side-Channel Attacks
8.6 Beyond this Chapter
8.7 Exercises

Part III Key Negotiation

Chapter 9 Generating Randomness
9.1 Real Random
  9.1.1 Problems With Using Real Random Data
  9.1.2 Pseudorandom Data
  9.1.3 Real Random Data and PRNGs
9.2 Attack Models for a PRNG
9.3 Fortuna
9.4 The Generator
  9.4.1 Initialization
  9.4.2 Reseed
  9.4.3 Generate Blocks
  9.4.4 Generate Random Data
  9.4.5 Generator Speed
9.5 Accumulator
  9.5.1 Entropy Sources
  9.5.2 Pools
  9.5.3 Implementation Considerations
    9.5.3.1 Distribution of Events Over Pools
    9.5.3.2 Running Time of Event Passing
  9.5.4 Initialization
  9.5.5 Getting Random Data
  9.5.6 Add an Event
9.6 Seed File Management
  9.6.1 Write Seed File
  9.6.2 Update Seed File
  9.6.3 When to Read and Write the Seed File
  9.6.4 Backups and Virtual Machines
  9.6.5 Atomicity of File System Updates
  9.6.6 First Boot
9.7 Choosing Random Elements
9.8 Exercises

Chapter 10 Primes
10.1 Divisibility and Primes
10.2 Generating Small Primes
10.3 Computations Modulo a Prime
  10.3.1 Addition and Subtraction
  10.3.2 Multiplication
  10.3.3 Groups and Finite Fields
  10.3.4 The GCD Algorithm
  10.3.5 The Extended Euclidean Algorithm
  10.3.6 Working Modulo 2
10.4 Large Primes
  10.4.1 Primality Testing
  10.4.2 Evaluating Powers
10.5 Exercises

Chapter 11 Diffie-Hellman
11.1 Groups
11.2 Basic DH
11.3 Man in the Middle
11.4 Pitfalls
11.5 Safe Primes
11.6 Using a Smaller Subgroup
11.7 The Size of p
11.8 Practical Rules
11.9 What Can Go Wrong?
11.10 Exercises

Chapter 12 RSA
12.1 Introduction
12.2 The Chinese Remainder Theorem
  12.2.1 Garner's Formula
  12.2.2 Generalizations
  12.2.3 Uses
  12.2.4 Conclusion
12.3 Multiplication Modulo n
12.4 RSA Defined
  12.4.1 Digital Signatures with RSA
  12.4.2 Public Exponents
  12.4.3 The Private Key
  12.4.4 The Size of n
  12.4.5 Generating RSA Keys
12.5 Pitfalls Using RSA
12.6 Encryption
12.7 Signatures
12.8 Exercises

Chapter 13 Introduction to Cryptographic Protocols
13.1 Roles
13.2 Trust
  13.2.1 Risk
13.3 Incentive
13.4 Trust in Cryptographic Protocols
13.5 Messages and Steps
  13.5.1 The Transport Layer
  13.5.2 Protocol and Message Identity
  13.5.3 Message Encoding and Parsing
  13.5.4 Protocol Execution States
  13.5.5 Errors
  13.5.6 Replay and Retries
13.6 Exercises

Chapter 14 Key Negotiation
14.1 The Setting
14.2 A First Try
14.3 Protocols Live Forever
14.4 An Authentication Convention
14.5 A Second Attempt
14.6 A Third Attempt
14.7 The Final Protocol
14.8 Different Views of the Protocol
  14.8.1 Alice's View
  14.8.2 Bob's View
  14.8.3 Attacker's View
  14.8.4 Key Compromise
14.9 Computational Complexity of the Protocol
  14.9.1 Optimization Tricks
14.10 Protocol Complexity
14.11 A Gentle Warning
14.12 Key Negotiation from a Password
14.13 Exercises

Chapter 15 Implementation Issues (II)
15.1 Large Integer Arithmetic
  15.1.1 Wooping
  15.1.2 Checking DH Computations
  15.1.3 Checking RSA Encryption
  15.1.4 Checking RSA Signatures
  15.1.5 Conclusion
15.2 Faster Multiplication
15.3 Side-Channel Attacks
  15.3.1 Countermeasures
15.4 Protocols
  15.4.1 Protocols Over a Secure Channel
  15.4.2 Receiving a Message
  15.4.3 Timeouts
15.5 Exercises

Part IV Key Management

Chapter 16 The Clock
16.1 Uses for a Clock
  16.1.1 Expiration
  16.1.2 Unique Value
  16.1.3 Monotonicity
  16.1.4 Real-Time Transactions
16.2 Using the Real-Time Clock Chip
16.3 Security Dangers
  16.3.1 Setting the Clock Back
  16.3.2 Stopping the Clock
  16.3.3 Setting the Clock Forward
16.4 Creating a Reliable Clock
16.5 The Same-State Problem
16.6 Time
16.7 Closing Recommendations
16.8 Exercises

Chapter 17 Key Servers
17.1 Basics
17.2 Kerberos
17.3 Simpler Solutions
  17.3.1 Secure Connection
  17.3.2 Setting Up a Key
  17.3.3 Rekeying
  17.3.4 Other Properties
17.4 What to Choose
17.5 Exercises

Chapter 18 The Dream of PKI
18.1 A Very Short PKI Overview
18.2 PKI Examples
  18.2.1 The Universal PKI
  18.2.2 VPN Access
  18.2.3 Electronic Banking
  18.2.4 Refinery Sensors
  18.2.5 Credit Card Organization
18.3 Additional Details
  18.3.1 Multilevel Certificates
  18.3.2 Expiration
  18.3.3 Separate Registration Authority
18.4 Summary
18.5 Exercises

Chapter 19 PKI Reality
19.1 Names
19.2 Authority
19.3 Trust
19.4 Indirect Authorization
19.5 Direct Authorization
19.6 Credential Systems
19.7 The Modified Dream
19.8 Revocation
  19.8.1 Revocation List
  19.8.2 Fast Expiration
  19.8.3 Online Certificate Verification
  19.8.4 Revocation Is Required
19.9 So What Is a PKI Good For?
19.10 What to Choose
19.11 Exercises

Chapter 20 PKI Practicalities
20.1 Certificate Format
  20.1.1 Permission Language
  20.1.2 The Root Key
20.2 The Life of a Key
20.3 Why Keys Wear Out
20.4 Going Further
20.5 Exercises

Chapter 21 Storing Secrets
21.1 Disk
21.2 Human Memory
  21.2.1 Salting and Stretching
21.3 Portable Storage
21.4 Secure Token
21.5 Secure UI
21.6 Biometrics
21.7 Single Sign-On
21.8 Risk of Loss
21.9 Secret Sharing
21.10 Wiping Secrets
  21.10.1 Paper
  21.10.2 Magnetic Storage
  21.10.3 Solid-State Storage
21.11 Exercises

Part V Miscellaneous

Chapter 22 Standards and Patents
22.1 Standards
  22.1.1 The Standards Process
    22.1.1.1 The Standard
    22.1.1.2 Functionality
    22.1.1.3 Security
  22.1.2 SSL
  22.1.3 AES: Standardization by Competition
22.2 Patents

Chapter 23 Involving Experts

Bibliography

Index
