Notes

Cryptography Engineering - ISBN:978-0470-47424-2

Scratch Notes

• Cryptography is both easy and difficult
• Role of cryptography in Systems
  • Lock
  • Big Picture
  • Useless on its own
  • Walls and fences
• importance of security on rest of the system
• Weakest link property
• Signs of Breakage in a system
  • Breaking the cryptography of a system vs breaking remaining pieces of a system
• Designing attack trees
• Defence in depth
  • Attacker’s perspective of weakest link
  • Attacker’s objective
• Adversarial Setting
• Professional Paranioa
  • Attacker’s motive is unknown
• Standards of cryptography community
  • Attack the system and not the person
  • Try breaking a new system to look for faults
  • Do not invent your own cryptographic method and if you do, get it peer reviewed
  • Constructive critism
• Trade offs
• Relative threat analysis of security model
• Cryptography is not always the only solution
• Generic Attacks outside the cryptosystem
  • Define
  • Provide analysis
  • No cryptosystem is completely resistant to generic attacks
• Defining priorities while designing the system:
  • That works, is safe and secure
  • Efficient
  • Willing to spend 90% of resources to keep system secure always.
  • Not always necessary or need but willing to expend such resources if needed.
  • if given an option to use 90% of resources to main security and lesser features or use lesser resources for a less secure system, always choose with secuirty being the highest and paramount priority.
  • Security comes first, second and third along priority scale; after that comes performance and effeciency
  • under no ciircumstance will you compromise on security
• Security vs Features
  • Simplicity is always better than complexity
  • Complexity is a measure of how many things interact at one point
  • Build modular structures
  • Complexity is the worst enemy of security
  • System needs to be built from ground up with security in mind
• Security vs evolving systems
  • Needs to withstand the test of time
  • designers must account for evolving systems and continuous development and incoming/expected attacks
• Excercises
  • For professional paranoia
    • immersion
    • Acceptance
  • Analysis of current events
  • Security review excercises [PG 20]
  • General Excercises

• What is encryption
  • example Alice – Eve – Bob
• Kerckhoff’S principle
• Public key encryption
  • Eg: communication with large number of entities involved
  • 
• Digital Signatures
• Public Key Infrastructure(PKI)
  • Central authority: Certificate Authority

Attacks:

• Cipher text only attack
• Known plaintext model
  • To find decryption key
• Chosen plain text model
  • Plain text is chosen
  • Obj: to find decryption key
• Chosen cipher text attack
  • both cipler text and plain text are chosen
• Distinguishing attack goal
  • Obj: To defend against distinguishing attack
• Information leakage
• Side channel attack
• Collision Attacks:
  • Birthday Attack
  • Meet in the middle attack
• Moore’s law
• Security level:
  • Exhaustive search attack
  • Performance security
  • Reduce complexity:
  • Keep it simple Silly principle
  • Modularity