Notes
Cryptography Engineering - ISBN:978-0470-47424-2
Scratch Notes
- Cryptography is both easy and difficult
- Role of cryptography in Systems
- Lock
- Big Picture
- Useless on its own
- Walls and fences
- importance of security on rest of the system
- Weakest link property
- Signs of Breakage in a system
- Breaking the cryptography of a system vs breaking remaining pieces of a system
- Designing attack trees
- Defence in depth
- Attacker’s perspective of weakest link
- Attacker’s objective
- Adversarial Setting
- Professional Paranoia
- Attacker’s motive is unknown
- Standards of cryptography community
- Attack the system and not the person
- Try breaking a new system to look for faults
- Do not invent your own cryptographic method and if you do, get it peer reviewed
- Constructive criticism
- Trade offs
- Relative threat analysis of security model
- Cryptography is not always the only solution
- Generic Attacks outside the cryptosystem
- Define
- Provide analysis
- No cryptosystem is completely resistant to generic attacks
- Defining priorities while designing the system:
- That works, is safe and secure
- Efficient
- Willing to spend 90% of resources to keep the system secure, always.
- Not always necessary or needed, but willing to expend such resources if needed.
- If given the option to use 90% of resources to maintain security with fewer features, or to use fewer resources for a less secure system, always choose with security as the highest and paramount priority.
- Security comes first, second and third on the priority scale; after that come performance and efficiency
- Under no circumstances will you compromise on security
- Security vs Features
- Simplicity is always better than complexity
- Complexity is a measure of how many things interact at one point
- Build modular structures
- Complexity is the worst enemy of security
- System needs to be built from ground up with security in mind
- Security vs evolving systems
- Needs to withstand the test of time
- Designers must account for evolving systems, continuous development and incoming/expected attacks
- Exercises
- For professional paranoia
- immersion
- Acceptance
- Analysis of current events
- Security review exercises [PG 20]
- General Exercises
- For professional paranoia
- What is encryption
- example Alice – Eve – Bob
- Kerckhoffs’s principle
- Public key encryption
- Eg: communication with large number of entities involved
- Digital Signatures
- Public Key Infrastructure(PKI)
- Central authority: Certificate Authority
Attacks:
- Cipher text only attack
- Known plaintext model
- To find decryption key
- Chosen plain text model
- Plain text is chosen
- Obj: to find decryption key
- Chosen cipher text attack
- both cipher text and plain text are chosen
- Distinguishing attack goal
- Obj: To defend against distinguishing attack
- Information leakage
- Side channel attack
- Collision Attacks:
- Birthday Attack
- Meet in the middle attack
- Moore’s law
- Security level:
- Exhaustive search attack
- Performance security
- Reduce complexity:
- Keep it simple, silly (KISS) principle
- Modularity