Modern Cryptography: Theory and Practice

by Wenbo Mao

Overview

Leading HP security expert Wenbo Mao explains why "textbook" crypto schemes, protocols, and systems are profoundly vulnerable by revealing real-world-scenario attacks. Next, he shows how to realize cryptographic systems and protocols that are truly "fit for application"--and formally demonstrates their fitness. Mao presents practical examples throughout and provides all the mathematical background you'll need.

 

Coverage includes:

  • Crypto foundations: probability, information theory, computational complexity, number theory, algebraic techniques, and more
  • Authentication: basic techniques and principles vs. misconceptions and consequential attacks
  • Evaluating real-world protocol standards including IPSec, IKE, SSH, TLS (SSL), and Kerberos
  • Designing stronger counterparts to vulnerable "textbook" crypto schemes

Mao introduces formal and reductionist methodologies to prove the "fit-for-application" security of practical encryption, signature, signcryption, and authentication schemes. He gives detailed explanations for zero-knowledge protocols: definition, zero-knowledge properties, equatability vs. simulatability, argument vs. proof, round-efficiency, and non-interactive versions.


Product Details

ISBN-13: 9780134171845
Publisher: Pearson Education
Publication date: 07/25/2003
Format: eBook
File size: 27 MB

About the Author

WENBO MAO, PhD, is a Technical Contributor to the Trusted Systems Lab at Hewlett-Packard Laboratories, Bristol, UK. Mao leads HP's participation and research activities in Computer Aided Solutions to Secure Electronic Commerce Transactions (CASENET), a research project funded by the European Union. His research interests include cryptography, computer security, and formal methods. He is a member of the International Association for Cryptographic Research (IACR), the Institute of Electrical and Electronics Engineers (IEEE), and the British Computer Society (BCS).

Read an Excerpt

Preface

Our society has entered an era where commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over open computer and communications networks such as the Internet, in particular, via World Wide Web-based tools. Doing things online has a great advantage of an always-on availability to people in any corner of the world. Here are a few examples of things that have been, can or will be done online:

Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micro-payment (e.g., pay-per-downloading), electronic identity, online access to medical records, virtual private networking, secure data archival and retrieval, certified delivery of documents, fair exchange of sensitive documents, fair signing of contracts, time-stamping, notarization, voting, advertising, licensing, ticket booking, interactive games, digital libraries, digital rights management, pirate tracing, . . .

And more can be imagined.

Fascinating commerce activities, transactions and services like these are only possible if communications over open networks can be conducted in a secure manner. An effective solution to securing communications over open networks is to apply cryptography. Encryption, digital signatures, password-based user authentication, are some of the most basic cryptographic techniques for securing communications. However, as we shall witness many times in this book, there are surprising subtleties and serious security consequences in the applications of even the most basic cryptographic techniques. Moreover, for many "fancier" applications, such as many listed in the preceding paragraph, the basic cryptographic techniques are no longer adequate.

With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services [a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols. These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.

[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in

In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionals unmatched by an evident shortage of them. As a result, many engineers, who are oriented to application problems and may have little proper training in cryptography and information security have become "roll-up-sleeves" designers and developers for information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.

The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applications of cryptographic algorithms and schemes in the ways they are usually introduced in many cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearances of textbook crypto in serious applications with a "non-negligible probability" have caused a concern for the author to realize that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.
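The password example above, worked through as an added example (this is not code from the book): a four-digit PIN encrypted under textbook RSA is recovered from the public key and the ciphertext alone, because the cipher is deterministic and the plaintext space is tiny. The tiny primes, the sample PIN and the 12-bit randomiser are constructed toy values; the randomised encoding is a simplified stand-in for proper padding, not the OAEP construction the book treats in Chapter 15.

```python
"""Why "textbook RSA" must not encrypt a small secret such as a password or PIN.

Added example for this page; not code from Mao's book. The key below is a
constructed toy (10007 and 10009 are prime, far too small for real use); the
attack works identically against a 2048-bit key because it never touches the
private key.
"""
import secrets
from typing import Optional

P, Q = 10007, 10009
N = P * Q                              # 100160063, a little under 2**27
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

PIN_BITS = 14                          # four-digit PINs fit in 14 bits (9999 < 2**14)
PAD_BITS = 12                          # toy randomiser; real padding uses >= 128 random bits


def textbook_encrypt(m: int) -> int:
    """Deterministic RSA: c = m^e mod n. The same m always yields the same c."""
    assert 0 <= m < N
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def guess_pin(c: int, max_pin: int = 9999) -> Optional[int]:
    """Attacker's view: the public key (N, E) and the ciphertext only.

    With a deterministic cipher and a plaintext space of 10^4 values the
    attacker encrypts every candidate and compares; no factoring needed.
    """
    for pin in range(max_pin + 1):
        if textbook_encrypt(pin) == c:
            return pin
    return None


def padded_encrypt(pin: int) -> int:
    """Randomised encoding before RSA: m = (r || pin) with fresh random r.

    Deliberately simplified (not OAEP): it only shows why guess-and-compare
    stops working. r is drawn from [1, 2^12) so the encoded value always
    exceeds 9999 and never collides with a bare PIN.
    """
    assert 0 <= pin < (1 << PIN_BITS)
    r = 1 + secrets.randbelow((1 << PAD_BITS) - 1)
    m = (r << PIN_BITS) | pin          # < 2**26 < N
    return textbook_encrypt(m)


def padded_decrypt(c: int) -> int:
    """Strip the random prefix after decryption."""
    m = textbook_decrypt(c)
    return m & ((1 << PIN_BITS) - 1)


if __name__ == "__main__":
    pin = 4231                         # constructed sample secret
    c = textbook_encrypt(pin)
    print("textbook RSA: attacker recovers", guess_pin(c))
    c2 = padded_encrypt(pin)
    print("randomised:   attacker recovers", guess_pin(c2),
          "| receiver gets", padded_decrypt(c2))
```

Run stand-alone, the script prints the recovered PIN for the textbook ciphertext and None for the randomised one. The toy padding only defeats this particular guess-and-compare test; it says nothing about chosen-ciphertext attacks or any formal security notion, which is exactly the gap between this kind of patch and a fit-for-application scheme such as RSA-OAEP.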

Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:

  • Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.
  • Reveal general insecurity of textbook crypto by demonstrating a large number of attacks on and summarizing typical attacking techniques for such systems.
  • Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.
  • Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.
  • Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.

Scope

Modern cryptography is a vast area of study as a result of fast advances made in the past thirty years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes and protocols with their strong security properties evidently established.

The book is organized into the following six parts:

Part I This part contains two chapters (1-2) and serves as an elementary-level introduction for the book and the areas of cryptography and information security. Chapter 1 begins with a demonstration on the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere. As an elementary-level introduction, this part is intended for newcomers to the areas.
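The "fair coin tossing over telephone" problem that opens the book, as an added example (not code from the book): the commit-and-reveal pattern assumed here is that Alice commits to a random value with a one-way function, Bob guesses its parity, Alice opens the commitment, and Bob checks the opening before accepting the result. SHA-256 is this example's stand-in for the one-way function; the provably secure realisation in Chapter 19 (Blum's protocol) is a different construction and is not implemented here. The cheating-Alice case shows why Bob must verify the opening.

```python
"""Fair coin tossing over the telephone by commit-and-reveal.

Added example, not code from the book. Message order is the whole point:
Alice commits before Bob guesses, and Bob sees the opening only after he
has guessed, so neither party can bias the outcome.
"""
import hashlib
import secrets
from typing import Dict, Tuple

X_BYTES = 32   # Alice's random value is 256 bits, so Bob cannot brute-force it from H(x)


def commit(x: int) -> bytes:
    """One-way commitment to x.

    Hiding: Bob learns nothing about the parity of x from H(x) while x is
    unpredictable. Binding: Alice cannot find x' != x with H(x') == H(x)
    (collision resistance), so she cannot change her mind after the guess.
    """
    return hashlib.sha256(x.to_bytes(X_BYTES, "big")).digest()


class Alice:
    def __init__(self) -> None:
        self.x = 0

    def step1_commit(self) -> bytes:
        self.x = secrets.randbits(8 * X_BYTES)
        return commit(self.x)

    def step3_reveal(self) -> int:
        return self.x


class Bob:
    def __init__(self) -> None:
        self.c = b""
        self.guess = 0

    def step2_guess(self, c: bytes) -> int:
        self.c = c                          # keep the commitment for the check in step 4
        self.guess = secrets.randbits(1)    # 0 = "x is even", 1 = "x is odd"
        return self.guess

    def step4_verify(self, x: int) -> bool:
        """True if Bob wins (he guessed the parity of x).

        Raises if the opened value does not match the commitment received
        in step 2; accepting an unchecked opening would let Alice pick the
        outcome after seeing the guess.
        """
        if commit(x) != self.c:
            raise ValueError("opening does not match commitment: Alice is cheating")
        return (x & 1) == self.guess


def coin_flip(alice: Alice, bob: Bob) -> Tuple[bool, Dict[str, object]]:
    """Run the four messages and return (bob_wins, transcript)."""
    c = alice.step1_commit()          # 1. Alice -> Bob: H(x)
    g = bob.step2_guess(c)            # 2. Bob -> Alice: guess of parity(x)
    x = alice.step3_reveal()          # 3. Alice -> Bob: x
    bob_wins = bob.step4_verify(x)    # 4. Bob checks H(x) and decides
    return bob_wins, {"commitment": c.hex(), "guess": g, "x": x}


class CheatingAlice(Alice):
    """Opens to a value other than the one she committed to (here: parity flipped)."""

    def step3_reveal(self) -> int:
        return self.x ^ 1


def cheat_detected() -> bool:
    """Binding check catches the altered opening every time."""
    try:
        coin_flip(CheatingAlice(), Bob())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result, transcript = coin_flip(Alice(), Bob())
    print("Bob wins:", result, "| guess:", transcript["guess"], "| x parity:", transcript["x"] & 1)
    print("cheating Alice detected:", cheat_detected())
```

Without the commitment Alice could simply announce whichever parity makes her win after hearing Bob's guess; without the step 4 check she could do the same by opening to a different value. The hash commitment closes both, but only heuristically (it assumes SHA-256 is preimage and collision resistant), which is why the book returns to the problem with a number-theoretic commitment whose properties can be argued formally.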

Part II This part contains four chapters (3-6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations. This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.

Part III This part contains four chapters (7-10) introducing the most basic cryptographic algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world in which data are random. Finally, Chapter 10 covers data integrity techniques. Since the schemes and techniques introduced here are the most basic ones, many of them are in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated with warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and their strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the general insecurity of textbook crypto.

Part IV This part contains three chapters (11-13) introducing an important notion in applied cryptography and information security: authentication. These chapters provide a wide coverage of the topic. Chapter 11 includes technical background, principles, a series of basic protocols and standards, common attacking tricks and prevention measures. Chapter 12 is a case study for four well-known authentication protocol systems for real world applications. Chapter 13 introduces techniques which are particularly suitable for open systems which cover up-to-date and novel techniques. Practitioners, such as information security systems administration staff in an enterprise and software/hardware developers whose products have security consequences may find this part helpful.

Part V This part contains four chapters (14-17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions. The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.

Part VI This is the final part of the book. It contains two technical chapters (18-19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.

Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtleties. In addition, a description of a fit-for-application scheme or protocol must also end at an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasonings, deductions and transformations in order to manifest attacks and fixes.

While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be mastered via light reading, this book, nonetheless, is not one for in-depth research topics which will only be of interest to specialist cryptographers. The things reported and explained in it are well-known and quite elementary to cryptographers. The author believes that they can also be comprehended by non-specialists if the introduction to the subject is provided with plenty of explanations and examples and is supported by self-contained mathematical background and reference material.

Who Should Read This Book

Students who have completed, or are near to completion of, first degree courses in computer, information science or applied mathematics, and plan to pursue a career in information security. For them, this book may serve as an advanced course in applied cryptography.

Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbook crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols and so they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.

Information security systems administration staff in an enterprise and software/ hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by this population of readers without demanding them to be burdened by theoretical foundations.

New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter into the vast area of study. For them, Parts II, IV, V and VI constitute a suitable level of literature survey material which can lead them to find further literatures, and can help them to shape and specialize their own research topics.

A cut-down subset of the book (e.g., Parts I, II, III and VI) also forms a suitable course in applied cryptography for undergraduate students in computer science, information science and applied mathematics courses.

Table of Contents



A Short Description of the Book.


Preface.


List of Figures.


List of Algorithms, Protocols and Attacks.

I. INTRODUCTION.

1. Beginning with a Simple Communication Game.

A Communication Game. Criteria for Desirable Cryptographic Systems and Protocols. Chapter Summary. Exercises.

2. Wrestling between Safeguard and Attack.

Introduction. Encryption. Vulnerable Environment (the Dolev-Yao Threat Model). Authentication Servers. Security Properties for Authenticated Key Establishment. Protocols for Authenticated Key Establishment Using Encryption. Chapter Summary. Exercises.

II MATHEMATICAL FOUNDATIONS.

Standard Notation.

3. Probability and Information Theory.

Introduction. Basic Concept of Probability. Properties. Basic Calculation. Random Variables and their Probability Distributions. Birthday Paradox. Information Theory. Redundancy in Natural Languages. Chapter Summary. Exercises.

4. Computational Complexity.

Introduction. Turing Machines. Deterministic Polynomial Time. Probabilistic Polynomial Time. Non-deterministic Polynomial Time. Non-Polynomial Bounds. Polynomial-time Indistinguishability. Theory of Computational Complexity and Modern Cryptography. Chapter Summary. Exercises.

5. Algebraic Foundations.

Introduction. Groups. Rings and Fields. The Structure of Finite Fields. Group Constructed Using Points on an Elliptic Curve. Chapter Summary. Exercises.

6. Number Theory.

Introduction. Congruences and Residue Classes. Euler's Phi Function. The Theorems of Fermat, Euler and Lagrange. Quadratic Residues. Square Roots Modulo Integer. Blum Integers. Chapter Summary. Exercises.

III. BASIC CRYPTOGRAPHIC TECHNIQUES.

7. Encryption—Symmetric Techniques.

Introduction. Definition. Substitution Ciphers. Transposition Ciphers. Classical Ciphers: Usefulness and Security. The Data Encryption Standard (DES). The Advanced Encryption Standard (AES). Confidentiality Modes of Operation. Key Channel Establishment for Symmetric Cryptosystems. Chapter Summary. Exercises.

8. Encryption—Asymmetric Techniques.

Introduction. Insecurity of “Textbook Encryption Algorithms”. The Diffie-Hellman Key Exchange Protocol. The Diffie-Hellman Problem and the Discrete Logarithm Problem. The RSA Cryptosystem (Textbook Version). Cryptanalysis Against Public-key Cryptosystems. The RSA Problem. The Integer Factorization Problem. Insecurity of the Textbook RSA Encryption. The Rabin Cryptosystem (Textbook Version). Insecurity of the Textbook Rabin Encryption. The ElGamal Cryptosystem (Textbook Version). Insecurity of the Textbook ElGamal Encryption. Need for Stronger Security Notions for Public-key Cryptosystems. Combination of Asymmetric and Symmetric Cryptography. Key Channel Establishment for Public-key Cryptosystems. Chapter Summary. Exercises.

9. In an Ideal World: Bit Security of the Basic Public-Key Cryptographic Functions.

Introduction. The RSA Bit. The Rabin Bit. The ElGamal Bit. The Discrete Logarithm Bit. Chapter Summary. Exercises.

10. Data Integrity Techniques.

Introduction. Definition. Symmetric Techniques. Asymmetric Techniques I: Digital Signatures. Asymmetric Techniques II: Data Integrity without Source Identification. Chapter Summary. Exercises.

IV. AUTHENTICATION.

11. Authentication Protocols—Principles.

Introduction. Authentication and Refined Notions. Convention. Basic Authentication Techniques. Password-based Authentication. Authenticated Key Exchange Based on Asymmetric Cryptography. Typical Attacks on Authentication Protocols. A Brief Literature Note. Chapter Summary. Exercises.

12. Authentication Protocols—The Real World.

Introduction. Authentication Protocols for Internet Security. The Secure Shell (SSH) Remote Login Protocol. The Kerberos Protocol and its Realization in Windows 2000. SSL and TLS. Chapter Summary. Exercises.

13. Authentication Framework for Public-Key Cryptography.

Introduction. Directory-Based Authentication Framework. Non-Directory Based Public-key Authentication Framework. Chapter Summary. Exercises.

V. FORMAL APPROACHES TO SECURITY ESTABLISHMENT.

14. Formal and Strong Security Definitions for Public-Key Cryptosystems.

Introduction. A Formal Treatment for Security. Semantic Security—the Debut of Provable Security. Inadequacy of Semantic Security. Beyond Semantic Security. Chapter Summary. Exercises.

15. Provably Secure and Efficient Public-Key Cryptosystems.

Introduction. The Optimal Asymmetric Encryption Padding. The Cramer-Shoup Public-key Cryptosystem. An Overview of Provably Secure Hybrid Cryptosystems. Literature Notes on Practical and Provably Secure Public-key Cryptosystems. Chapter Summary. Exercises.

16. Strong and Provable Security for Digital Signatures.

Introduction. Strong Security Notion for Digital Signatures. Strong and Provable Security for ElGamal-family Signatures. Fit-for-application Ways for Signing in RSA and Rabin. Signcryption. Chapter Summary. Exercises.

17. Formal Methods for Authentication Protocols Analysis.

Introduction. Toward Formal Specification of Authentication Protocols. A Computational View of Correct Protocols—the Bellare-Rogaway Model. A Symbolic Manipulation View of Correct Protocols. Formal Analysis Techniques: State System Exploration. Reconciling Two Views of Formal Techniques for Security. Chapter Summary. Exercises.

VI. CRYPTOGRAPHIC PROTOCOLS.

18. Zero-Knowledge Protocols.

Introduction. Basic Definitions. Zero-knowledge Properties. Proof or Argument? Protocols with Two-sided-error. Round Efficiency. Non-interactive Zero-knowledge. Chapter Summary. Exercises.

19. Returning To “Coin Flipping over Telephone”.

Blum's “Coin-Flipping-by-Telephone” Protocol. Security Analysis. Efficiency. Chapter Summary.

20. Afterremark.

Bibliography. Subject Index.

Preface

Preface

Our society has entered an era where commerce activities, business transactionsand government services have been, and more and more of them will be, conductedand offered over open computer and communications networks such as the Internet,in particular, via WorldWideWeb-based tools. Doing things online has a greatadvantage of an always-on availability to people in any corner of the world. Hereare a few examples of things that have been, can or will be done online:

Banking, bill payment, home shopping, stock trading, auctions, taxation,gambling, micro-payment (e.g., pay-per-downloading), electronicidentity, online access to medical records, virtual private networking, securedata archival and retrieval, certified delivery of documents, fair exchangeof sensitive documents, fair signing of contracts, time-stamping,notarization, voting, advertising, licensing, ticket booking, interactivegames, digital libraries, digital rights management, pirate tracing, . . .

And more can be imagined.

Fascinating commerce activities, transactions and services like these are onlypossible if communications over open networks can be conducted in a secure manner.An effective solution to securing communications over open networks is to applycryptography. Encryption, digital signatures, password-based user authentication,are some of the most basic cryptographic techniques for securing communications.However, as we shall witness many times in this book, there are surprising subtletiesand serious security consequences in the applications of even the most basiccryptographic techniques. Moreover, for many "fancier" applications, such as manylisted in the preceding paragraph, the basic cryptographic techniques are no longeradequate.

With an increasingly large demand for safeguarding communications over opennetworks for more and more sophisticated forms of electronic commerce, businessand servicesa, an increasingly large number of information security professionalsaGartner Group forecasts that total electronic business revenues for business to business (B2B)and business to consumer (B2C) in the European Union will reach a projected US $2.6trillion inwill be needed for designing, developing, analyzing and maintaining informationsecurity systems and cryptographic protocols. These professionals may range fromIT systems administrators, information security engineers and software/hardwaresystems developers whose products have security requirements, to cryptographers.

In the past few years, the author, a technical consultant on information securityand cryptographic systems at Hewlett-Packard Laboratories in Bristol, haswitnessed the phenomenon of a progressively increased demand for information securityprofessionals unmatched by an evident shortage of them. As a result, manyengineers, who are oriented to application problems and may have little propertraining in cryptography and information security have become "roll-up-sleeves"designers and developers for information security systems or cryptographic protocols.This is in spite of the fact that designing cryptographic systems and protocolsis a diffcult job even for an expert cryptographer.

The author's job has granted him privileged opportunities to review many informationsecurity systems and cryptographic protocols, some of them proposedand designed by "roll-up-sleeves" engineers and are for uses in serious applications.In several occasions, the author observed so-called "textbook crypto" features insuch systems, which are the result of applications of cryptographic algorithms andschemes in ways they are usually introduced in many cryptographic textbooks. Directencryption of a password (a secret number of a small magnitude) under abasic public-key encryption algorithm (e.g., "RSA") is a typical example of textbookcrypto. The appearances of textbook crypto in serious applications with a"non-negligible probability" have caused a concern for the author to realize thatthe general danger of textbook crypto is not widely known to many people whodesign and develop information security systems for serious real-world applications.

Motivated by an increasing demand for information security professionals anda belief that their knowledge in cryptography should not be limited to textbookcrypto, the author has written this book as a textbook on non-textbook cryptography.This book endeavors to:

  • Introduce a wide range of cryptographic algorithms, schemes and protocols
  • with a particular emphasis on their non-textbook versions.
  • Reveal general insecurity of textbook crypto by demonstrating a large number
  • of attacks on and summarizing typical attacking techniques for such systems.
  • Provide principles and guidelines for the design, analysis and implementation
  • of cryptographic systems and protocols with a focus on standards.
  • Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and
  • protocols.
  • Include self-contained and elaborated material as theoretical foundations of
  • modern cryptography for readers who desire a systematic understanding of
  • the subject.

Scope

Modern cryptography is a vast area of study as a result of fast advances made in thepast thirty years. This book focuses on one aspect:in troducing fit-for-applicationcryptographic schemes and protocols with their strong security properties evidentlyestablished.

The book is organized into the following six parts:

Part I This part contains two chapters (1--2) and serves an elementary-level introductionfor the book and the areas of cryptography and information security.Chapter 1 begins with a demonstration on the effectiveness of cryptographyin solving a subtle communication problem. A simple cryptographic protocol(first protocol of the book) for achieving "fair coin tossing over telephone"will be presented and discussed. This chapter then carries on to conduct acultural and "trade" introduction to the areas of study. Chapter 2 uses aseries of simple authentication protocols to manifest an unfortunate fact inthe areas:pitfalls are everywhere.As an elementary-level introduction, this part is intended for newcomers tothe areas.

Part II This part contains four chapters (3--6) as a set of mathematical backgroundknowledge, facts and basis to serve as a self-contained mathematicalreference guide for the book. Readers who only intend to "knowhow," i.e.,know how to use the fit-for-application crypto schemes and protocols, mayskip this part yet still be able to follow most contents of the rest of the book.Readers who also want to "know-why," i.e., know why these schemes andprotocols have strong security properties, may find that this self-containedmathematical part is a suffcient reference material. When we present workingprinciples of cryptographic schemes and protocols, reveal insecurity forsome of them and reason about security for the rest, it will always be possiblefor us to refer to a precise point in this part of the book for supportingmathematical foundations.This part can also be used to conduct a systematic background study of thetheoretical foundations for modern cryptography.

Part III This part contains four chapters (7--10) introducing the most basic cryptographicalgorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8, asymmetrictechniques. Chapter 9 considers an important security quality possessedby the basic and popular asymmetric cryptographic functions whenthey are used in an ideal world in which data are random. Finally, Chapter10 covers data integrity techniques.Since the schemes and techniques introduced here are the most basic ones,many of them are in fact in the textbook crypto category and are consequentlyinsecure. While the schemes are introduced, abundant attacks onmany schemes will be demonstrated with warning remarks explicitly stated.For practitioners who do not plan to proceed with an in-depth study of fitfor-application crypto and their strong security notions, this textbook cryptopart will still provide these readers with explicit early warning signals on thegeneral insecurity of textbook crypto.

Part IV This part contains three chapters (11--13) introducing an important notionin applied cryptography and information security:authen tication. Thesechapters provide a wide coverage of the topic. Chapter 11 includes technicalbackground, principles, a series of basic protocols and standards, common attackingtricks and prevention measures. Chapter 12 is a case study for fourwell-known authentication protocol systems for real world applications. Chapter13 introduces techniques which are particularly suitable for open systemswhich cover up-to-date and novel techniques.Practitioners, such as information security systems administration staff in anenterprise and software/hardware developers whose products have securityconsequences may find this part helpful.

Part V This part contains four chapters (14--17) which provide formalism andrigorous treatments for strong (i.e., fit-for-application) security notions forpublic-key cryptographic techniques (encryption, signature and signcryption)and formal methodologies for the analysis of authentication protocols. Chapter14 introduces formal definitions of strong security notions. The next twochapters are fit-for-application counterparts to textbook crypto schemes introducedin Part III, with strong security properties formally established (i.e.,evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologiesand techniques for the analysis of authentication protocols, which wehave not been able to deal with in Part IV.

Part VI This is the final part of the book. It contains two technical chapters (18--19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.

Needless to say, a description for each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often contain a certain degree of subtlety. In addition, a description of a fit-for-application scheme or protocol must also end with an analysis that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasoning, deductions and transformations in order to manifest attacks and fixes.

While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be mastered via light reading, this book, nonetheless, is not one for in-depth research topics which will only be of interest to specialist cryptographers. The things reported and explained in it are well-known and quite elementary to cryptographers. The author believes that they can also be comprehended by non-specialists if the introduction to the subject is provided with plenty of explanations and examples and is supported by self-contained mathematical background and reference material.

Who Should Read This Book

Students who have completed, or are near to completion of, first degree courses in computer, information science or applied mathematics, and plan to pursue a career in information security. For them, this book may serve as an advanced course in applied cryptography.

Security engineers in high-tech companies who are responsible for the design and development of information security systems. If we say that the consequence of textbook crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols so that they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.

Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied by plenty of attacking tricks and prevention measures which should be known to and can be grasped by this population of readers without burdening them with theoretical foundations.

New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter the vast area of study. For them, Parts II, IV, V and VI constitute a suitable level of literature survey material which can lead them to further literature, and can help them to shape and specialize their own research topics.

A cut-down subset of the book (e.g., Parts I, II, III and VI) also forms a suitable course in applied cryptography for undergraduate students in computer science, information science and applied mathematics courses.
