Applied Crypto
From OpenCA Labs WiKi
Introduction to Practical Cryptography Workshop ('08)
In this workshop we focus our attention on applied cryptography and its usage in a networked world. In particular the workshop covers the basics about cryptography and Public Key Certificates and Infrastructures.
What you will get
How to think critically
*If you want to be a good cop, you need to think like the bad guy. It's a valuable skill to be able to shape the problem, and look at it from different perspectives.
How to argue effectively
*If you think a system is secure (resp. insecure), how do you convince yourself? how do you convince others?
Make sane decisions as a cyber-citizen
*To properly protect yourself, and together make the cyber-world a safer place to be in, you have to understand the security threats and their associated risks, as well as the pros and cons of the defensive mechanisms.
What you won't get
This workshop has no official affiliation with the CS Department. No credit can be earned by participating in this workshop.
Logistics
Teachers
* Massimiliano Pala (http://www.cs.dartmouth.edu/~pala/) - Research Associate, PhD * Patrick Tsang (http://www.cs.dartmouth.edu/~patrick) - PhD Student
Structure
* 6 weeks of class * 3 hours of lecture and 2 hours of homework assignment per week * Tentatively, we will do Tues and Thus, 1.5 hour each * We also hold 1 hour of office hour per week
Prerequisites
* Desire to know the answers to one or more of the following questions: * What did Alan Turing and folks do to German's Engima during WWII? * RSA says they can protect my data from the bad guy, how do I know if they aren't the bad guy? * If secure crypto hash functions extincted, what would happen to our own species? * I need keys and certs and what not to join the Dartmouth Secure network, what's going on under the hood? * Patrick's ECC key is only 160-bit while Max has a 1024-bit RSA key. Is Max cooler than Patrick? * My browser says it's really Amazon.com who's asking for my credit card number, how can it be so sure? * etc
* Commitment to: * show up during classes * active participation in discussion * do the assigned homework and reading * Brief experience/knowledge of the following subjects would be helpful but is otherwise NOT required * Discrete Math, Number Theory and Theory of Computation * Systems Security and Privacy * Familiarity with Unix-like systems and C-programming
Class Schedule
Week 1
Day 1: Warming Up (Patrick)
Agenda
Welcome and Logistics
* Introducing the workshop, the teachers and the students
Classical Cryptography -- an arms race ongoing for more than 2000 years
* Caesar's Cipher * Vigenere's Cipher * The one-time pad * Polyalphabetic Ciphers and the Enigma * DES and AES
Confidentiality from Art to Science, or, "Okay, what on earth do you really want, Alice?"
* Alice and Bob (just for fun: http://xkcd.com/177/) * The envelop analogy
Homework Assignment
* Reading: * Exercise: Pick one of the following two: * Break the code * Break the cipher
Day 2: Encryption (Patrick)
Agenda
When Keys Go Asymmetric: Public-key Encryption
* Why? * Cool, but how? * Assumptions and Reductions
Number Theory 101 and RSA
* primes, modular arithmetics, primitive elements, euclidean algorithm, etc * The RSA encryption scheme
Thinking like Cryptographers
* From RSA-naive to RSA-OAEP * Desires, constructions, arguments and cracks
Homework Assignment
* Reading: * Exercises (choose 1): * Crack a scheme * Do a reduction
Week 2
Day 3: Producers in the Crypto Food-chain: Crypto Hashes (Patrick)
Agenda
== What makes a hash crypto hash? == == What depends on crypto hash? What if we didn't have crypto hash anymore? == == HMACs ==
Homework Assignment
* Reading: * Exercises (2-choose-1): * Be creative with MD5 collisions * maybe an essay-type question
Day 4: Digital Signatures (Patrick)
Agenda
== Acting like a Cryptographer: Let's Model it == * Operations? Entities? Trust? security guarantees?
== Acting like a Cryptographer: Let's Build it == * Using the RSA assumption * How about the DDH assumption?
== Acting like a Cryptographer: Prove it, or Crack it ==
Homework Assignment
* Reading: * Exercises (1 out of 2): * essay-type question on side-issues: randomness, performance, pre-computation, etc * tbd
Week 3
Cryptographic primitives and security principles have to be applied in the real world in order to provide solutions to real problems. This week's lessons will focus on applying crypto to the real world:
Day 5: PKIs
Basics about PKIs
* Why do we need PKIs
X509 PKIs
* Digital Certificates (PKC)
* Certification Authorities (CAs) * Issuing Certificates * Revoking Certificates
* Validating Certificates * Certificate Revocation Lists (CRLs) * Online Certificate Status Protocol (OCSP) overview
Trust Management in X509 PKIs
* Trust Anchors (TAs) and Trust Models * Hierarchies * Cross-Certification * Bridge CAs
Other PKIs
* PGP Trust Model * PGP Usage Example
Assignment:
- Install LibPKI on your (UniX) system - Reading:
Day 6: Certificates Practical Usage
Certificates and Applications
* Certificates in the Real World
* Looking at certificates in Applications (Browser and Email Clients)
* Exporting and Importing Certificates
* PKCS#12 format
* The SSL/TLS Protocol Basics * Adding a Security Layer * Client and Server Authentication
* Secure EMAIL (S/MIME)
* Using digital certificate
* Signing and Encrypting Emails
* PKCS#7 and CMS
Assignment:
- Request and Install a Certificate from Dartmouth CA and send an encrypted - Export the certificate from the browser and import into the email client - Send asigned email. - (Optional) Use OpenSSL command line tool to look at the contents of the .p12 file. What's in there ?
Week 4
This week is focused on real world implementation and Applications overview. In the first part of the week, basic cryptographic programming overview and examples will be provided. The second part of the week will be focused on additional theory about cryptographic algorithms)
Day 7: Introduction to Cryptographic APIs
* Programming Crypto-enabled applications * Dealing with long numbers * Many Algorithms and Signature Schemes
* How To use LibPKI
* The TOKEN interface * Configuring a Token * Generating a new KeyPair
* Using a TOKEN * Signing Certificates
* Using the Log Interface
* Retrieving Data using the URL interface
* LDAP
* HTTP
* MySQL
* PostgreSQL
* Generating PKCS#7 Messages * Signing Data * Encrypting Data
Assignment:
* //**Code programming project**// Code a Program to use one of the implemented algorithm (public or symmetric) starting from a provided skeleton program
Day 8: Advanced PKIs
* Cryptographic Hardware Support
* PKCS#11 overview
* Smart Cards and USB Tokens
* Adding Hardware Support to Application
* Example of PKCS#11 usage (Firefox and Thunderbird)
* The OpenSSL's ENGINE interface
* Overview of other Cryptographic Libraries * OpenSSL (C) * Java Crypto API (JCA) * Microsoft Crypto Provider * Network Security Services (NSS)
Week 5
This week is focused on additional details about PKIs and digital certificates in the real world. We will talk about the services that help PKIs to provide useful applications of digital signatures. We will also expose the basics of the openssl command line tools that may be used to quickly generate and/or validate PKC or singned/encrypted data.
Agenda
Day 9: Authenticating Data
* Authentication (Patrick) * Key exchange and authentication Protocols * Anonymous Authentication * Project Announcement * Homework
Day 10: Introduction to advanced X509 PKI Services
* Certificate Repositories * The LDAP Server * HTTP certificate retrieval
* Advanced Services * Time Stamping Services * Server-Based Certificate Validation (SCVP) * Online Certificate Status Protocol (OCSP)
* Long-Term Signatures (Notary Systems)
Command line tools: the basic OpenSSL how-to
* Generating a Key Pair
* Generating a Certificate Request
* Generating a Certificate
* Connecting to an SSL/TLS web server
* Looking behind the scenes with s_client
Week 6
An important aspect of security is experience. Dealing with complex systems and practical needs is always a difficult task that involves many skills, both technical and organizational. This week is mostly focused on providing the students with real-world user cases. Moreover an overview about current activities in the PKI Lab will introduce the students to current research activities in privacy and PKIs.
Day 10: Privacy and anonymity
* Guest Lecture (Apu Kapadia ?) * Project Presentation and Discussion I
Day 11: Real World PKI implementations
* Guest Lecture (Scott Rea ?) * Project Presentation and Discussion II
Day 12: Research in the PKI Lab
* Guest Lecture (Sean Smith ?) * Wrapping up
Resources
Suggested Texts
Cryptography
- Niels Ferguson and Bruce Schneier. **Practical Cryptography.** Wiley, 2003. ([[1] (http://www.amazon.com/Practical-Cryptography-Niels-Ferguson/dp/047122894X/ref=pd_bbs_sr_8/103-6424862-0885464?ie=UTF8&s=books&qid=1186178331&sr=8-8|Amazon)]) - Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. ** Handbook of Applied Cryptography.** CRC Press, 1996. ([[2] (http://www.amazon.com/Handbook-Cryptography-Discrete-Mathematics-Applications/dp/0849385237/ref=pd_bbs_11/103-6424862-0885464?ie=UTF8&s=books&qid=1186178331&sr=8-11|Amazon)], [it for free (http://www.cacr.math.uwaterloo.ca/hac/|get)]) - Bruce Schneier. ** Applied Cryptography: Protocols, Algorithms, and Source Code in C. ** 2nd Edition. Wiley, 1995. ([[3] (http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471128457/ref=sr_1_1/103-6424862-0885464?ie=UTF8&s=books&qid=1186178828&sr=1-1|Amazon)]) - William Stallings. ** Cryptography and Network Security.** 4th Edition. Prentice Hall, 2005. ([Amazon (http://www.amazon.com/Cryptography-Network-Security-William-Stallings/dp/0131873164/ref=pd_bbs_sr_1/103-6424862-0885464?ie=UTF8&s=books&qid=1186179054&sr=1-1|)]) - Wenbo Mao. ** Modern Cryptography: Theory and Practice.** Prentice Hall PTR, 2003. [[4] (http://www.amazon.com/Modern-Cryptography-Practice-Wenbo-Mao/dp/0130669431/ref=pd_bbs_sr_2/103-6424862-0885464?ie=UTF8&s=books&qid=1186178331&sr=8-2|Amazon)]) - Douglas R. Stinson. ** Cryptography: Theory and Practice. ** 3rd Edition. Chapman & Hall/CRC, 2005. ([[5] (http://www.amazon.com/Cryptography-Practice-Discrete-Mathematics-Applications/dp/1584885084/ref=sr_1_1/103-6424862-0885464?ie=UTF8&s=books&qid=1186179327&sr=1-1|Amazon)])
Security
- Sean W. Smith and John Marchesini. The Craft of System Security. Addison-Wesley. To appear.
Helpful Additional Material/Lecture
- [Developing Software on a Linux Computer (http://www.dartmouth.edu/comp/support/courses/research/scientific/unix-dev.html)]
Links
External Link (http://linuxgazette.net/issue87/vinayak.html)
