Modern Cryptography and Networked Systems Security

Instructors

Prof. Dr.-Ing. Volker Roth

Description

This course gives a modern introduction to cryptography and cryptographic key management, followed by an introduction to cryptographic protocols and their applications in distributed systems security. Mathematical background is developed to the degree reasonable in an introductory class. In addition to the mathematical underpinnings of cryptographic primitives the course also touches on the importance of implementation for a secure system. However, note that this course is not a course on cryptoanalysis.

This semester, the course also includes four three digressive guest lectures on social engineering and espionage techniques, given by an professional expert in the field. See below for further information. If the guest lectures are received well then these lectures will be offered again in the summer semesters as part of the computer security course.

Time and Location

Lectures:

• Tuesdays, 16h - 18h, T9/005
• Thursdays, 12h - 14h, T9/005

Recitations (Tutorien):

• Mondays, 16h - 18h, T9/051

Note: The recitations start in the third week of the semester.

Grading

The grade will be computed as a weighted sum as shown below. Passing the exam is necessary to pass the course.

• 100% exam

Active participation requires successful completion of homework assignments and projects and is graded on a pass / no pass basis. At least 50% of the cumulative score is required to pass.

The exam will take place on Thursday March 29th, 2012 from 1pm ct to 3pm in lecture hall 001 of Arnimalle 3 (math department).

About the guest lectures

Description

Technical information security rests on the proper application of security mechanisms with the goal to counter threats to information assets. However, even systems with flawless security mechanisms are vulnerable to attacks that are directed against the human users of a system. The tactics employed range from so-called social engineering to coercion, and they are common tools for intelligence operations and industrial espionage. In this series of guest lectures, we will give an overview over these tactics and categorize them. Subsequently, we illustrate, analyze and discuss how these tactics have been applied in a series of real-world cases.

Speaker

Our guest speaker, the former aviator Christoph Remshagen, worked for nearly two decades in the Military Counterintelligence Service. His speciality was counter-espionage, a field on which he has regularly lectured in front of national and international audiences, including occasions as guest speaker at the School for the Protection of the Constitution. For the past two years, he has been assigned to the Legal Affairs Directorate of the German Federal Ministry of Defense.

Homework

Below are the homework assignments. Each assignment is given on a Monday, and is due on the Monday two weeks later (see exceptions below). You can turn in your assignments at the recitation or at Fabeckstraße 15 before the recitation.

• Homework 1 is due on Friday 11, 2011 at 2pm
• mini-project is due on December 22nd, 2011 at 5pm
• mini-project security analysis is due on March 10th, 2012 at 5pm; the source code is here.
• The web page with vulnerability reports is here.

Lectures

No lecture on Tuesday October 18, we begin on Tuesday 25th.

No lecture on Thursday October 20, we begin on Tuesday 25th.

Lecture 1, Tuesday October 25

Topics:

• Welcome and administrativa
• Private key encryption
• Historic ciphers and their cryptanalysis
• Principles of modern cryptography

Read: sect. 7.3 of [1]

Lecture 2, Thursday October 27

Topics:

• Perfectly-secret encryption
• Adversarial indistinguishability
• Vernam cipher
• Limitations of perfectly secure encryption

Read: chap. 2 of [2]

Lecture 3, Tuesday November 01

Topics:

• Shannon's Theorem and its proof
• Introduction to computational security

Read: chap. 2 of [2]

Lecture 4, Thursday November 03

Topic:

• Relaxations of perfect secrecy
• Efficient computation and negligible success probability
• Proofs by reduction
• Pseudorandomness and pseudorandom generators
• Indistinguishable encryptions in the presence of an eavesdropper

Read: chap. 3 of [2], the anecdote in [3]

Lecture 5, Tuesday November 08

Topics:

• Handling variable-length messages
• Indistinguishable multiple encryptions in the presence of an eavesdropper
• Probabilistic encryption
• Chosen plaintext attacks

Read: chap. 3 of [2], [4]

Lecture 6, Thursday November 10

Guest lecture: Christoph Remshagen

• Intelligence and counterintelligence
• Industrial espionage
• Social engineering tactics
• Coercion tactics
• Defenses

Lecture 7, Tuesday November 15

Topics:

• Introduction to cryptographic protocols
• Needham Schroeder
• Key management
• Key distribution centers
• Public key directories
• Public Key Infrastructure
• Kerberos
• Web of Trust
• Identity

Read: [5], [6], [7], [8], [9]

Lecture 8, Thursday November 17

Topics:

• DNS-Sec

Lecture 9, Tuesday November 29

Guest lecture: Christoph Remshagen

• Social engineering and coercion case studies I

Lecture 10, Tuesday January 17

Topics:

• Pseudorandom functions
• Pseudorandom permutations
• Indistinguishable encryptions under a chosen plaintext attack
• Block ciphers and operation modes

Read: chap. 3 of [2]

Lecture 11, Thursday January 19

Topics:

• Counter mode
• Chosen cipher text attacks and non-malleability

Read: chap. 3 of [2]

Lecture 12, Tuesday January 24

Guest lecture: Christoph Remshagen

• Social engineering and coercion case studies I

Lecture 13, Thursday January 26

Topics:

• Encryption versus message authentication
• Message authentication codes
• Existential unforgeability under adaptive-chosen message attacks
• Replay attacks
• Constructions of fixed-length MAC

Read: chap. 4 of [2]

Lecture 14, Thursday February 02

Topics:

• Constructions of variable-length MAC
• CBC-MAC for fixed-length and variable-length messages

Read: chap. 4 of [2]

Lecture 15, Monday February 6

Topics:

• Collision resistant hash functions
• Birthday attacks
• Merkle-Damgard transform

Read: chap. 4 of [2]

Lecture 16, Tuesday February 07

Topics:

• Encryption secure against chosen ciphertext attacks

Read: chap. 4 of [2]

Lecture 17, Thursday February 09

Topics:

• Practical constructions of pseudorandom permutations
• Substitution permutation networks
• Feistel networks
• DES and AES
• 2-DES, meet-in-the-middle attacks, 3-DES

Read: chap. 5 of [2]

Lecture 18, Tuesday February 14

Topics:

• The factoring assumption
• The RSA assumption
• The discrete logarithm assumption
• The DH assumptions
• Factoring and one-way functions
• Discrete logarithms and collision resistant hash functions

Read: chap. 7 of [2]

Lecture 19, Thursday February 16

Topics:

• From private key management to public key cryptography
• Diffie-Hellman key exchange

Read: chap. 9 of [2]

Lecture 20, Monday March 05

Topics:

• Public key encryption
• Public key encryption and indistinguishable encryptions

Read: chap. 10 of [2]

Lecture 21, Monday March 05

Topics:

• Hybrid encryptions secure against chosen plaintext atacks

Read: chap. 10 of [2]

Lecture 22, Tuesday March 06

Topics:

• Attacks on text book RSA
• Implementation issues
• ElGamal encryption
• Chosen ciphertext attacks against RSA and ElGamal

Read: chap. 10 of [2]

Lecture 23, Tuesday March 06

Topics:

• Digital signature schemes
• The hash and sign paradigm

Read: chap. 12 of [2]

Lecture 24, Wednesday March 07

Topics:

• Security in the random oracle model

Read: chap. 13 of [2], [10]

Lecture 25, Wednesday March 07

Topics:

• Homomorphic encryption
• The Paillier encryption scheme

Read: sect. 11.3 of [2], [11], [12]

Lecture 26, Thursday March 08

Topics to be determined

Lecture 27, Thursday March 08

Topics to be determined

Lecture 28, Friday March 09

Topics to be determined

Lecture 29, Friday March 09

Topics to be determined

Literature

1. Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 2001.
2. Jonathan Katz, Yehuda Lindell. Introduction to Modern Cryptography. Chapman & Hall/CRC, 2008.
3. R. Morris and K. Thompson. Password security: a case history. Commun. ACM 22, 11 (Nov. 1979), 594-597.
4. Hongjun Wu, The Misuse of RC4 in Microsoft Word and Excel. IACR e-print number 007, 2005.
5. Martin Abadi and Roger Needham. Prudent Engineering Practice for Cryptographic Protocols. Digital Equipment Corporation, November 1995.
6. Loren M. Kohnfelder. Towards a practical public-key cryptosystem. B.Sc. thesis, MIT, May 1978.
7. Carl M. Ellison. Establishing Identity Without Certification Authorities. In Proc. USENIX Security Symposium, July 1996.
8. Moxie Marlinspike. Null Prefix Attacks against SSL/TLS Certificates. Published online.
9. Moxie Marlinspike. Defeating OCSP With the Character '3'. Published online.
10. Mihir Bellare and Phillip Rogaway. Random Oracles are practical: a paradigm for designing efficient protocols. Proc. ACM Computer and Communications Security, November 1993.
11. Caroline Fontaine and Fabien Galand. A Survey of Homomorphic Encryption for Nonspecialists. EURASIP Journal on Information Security, October 2007.
12. Castelluccia, C., Chan, A. C., Mykletun, E., and Tsudik, G. 2009. Efficient and provably secure aggregation of encrypted data in wireless sensor networks. ACM Trans. Sen. Netw. 5, 3 (May. 2009), 1-36.