2. 2
Introducing Alice, Bob and Eve
Alice Bob
Eve
Alice wants to send a message to Bob. Eve is going to be able to read any message sent. What should Alice do?
3. 3
Alice has heard of Encryption
Alice Bob
Eve
Alice: c = E(K, m)
Alice → Bob: c
Bob: m = D(K, c)
5. 5
What is AES?
• AES is a block cipher
• Block Ciphers: Work on fixed blocks of data
• Current commonly used block ciphers use 128 bit blocks
Visualizing an ideal block cipher (figure): a 128-bit input goes through a random mapping to a 128-bit output, i.e. a randomly chosen lookup table with 2^128 entries. Sample rows of that table from the slide:
1011….000000…00000
0000….110000…00001
1001….001111….1110
1100….111111….1111
6. 6
What does AES do?
Single round of AES:
• Round key XOR data (AddRoundKey)
• Fixed lookup table (the S-box) applied to each byte (SubBytes)
• Shift each row of bytes by a fixed offset (ShiftRows)
• Mix with a linear transformation function (MixColumns)
Repeat for 10, 12 or 14 rounds depending on the size of the key (128, 192 or 256 bits).
7. 7
Quick Note: Kerckhoffs's principle
• The security of the encryption scheme must depend only on the secrecy of the key Ke, and not on the secrecy of the algorithm
Why?
• Algorithms are hard to change; keys are easy to change
• It is difficult to get cryptographic algorithms right, so it is better to publish them for analysis
8. 8
Alice decides to use AES encryption
Alice Bob
Eve
Alice: c = E(K, m)
Alice → Bob: c
Bob: m = D(K, c)
Message, split into blocks: Buy | INTC | 50 | 90 | shares
Ciphertext blocks (ECB mode): each block ci = E(K, mi)
9. 9
But Eve is clever. She changes the message in the following way
Alice sends (split into blocks): Buy | INTC | 50 | 90 | shares
Each block ci = E(Ke, mi) (ECB mode)
Eve swaps the ciphertext blocks carrying "50" and "90" (she needs no key for this)
Bob decrypts each block mi = D(Ke, ci) and receives:
Buy INTC 90 50 shares
10. 10
AES Electronic Code book (ECB) mode issues
• Blocks can be swapped
• Patterns can be detected
(Figure: an original image next to the same image encrypted with AES in ECB mode; identical plaintext blocks give identical ciphertext blocks, so the outline of the picture is still visible.)
11. 11
Quick Note : Padding
• Block ciphers work on messages that are a multiple of the block size
• If the message is not a multiple of the block size, padding is required
• Two common padding schemes:
• Append a byte with value 128 (0x80) and then as many 0x00 bytes as needed to make the message a multiple of the block size
• Determine the number of bytes n > 0 required to make it a multiple of the block size, then add n bytes, each with value n (PKCS#7)
• Both schemes always add at least one byte, so a message that already fills whole blocks gets a full block of padding; otherwise the receiver could not tell padding from data
Examples (16-byte blocks):
DD DD DD DD DD DD DD DD DD DD DD DD 80 00 00 00 (scheme 1, 12 data bytes)
DD DD DD DD DD DD DD DD DD DD DD DD 04 04 04 04 (scheme 2, 12 data bytes)
DD DD DD DD DD DD DD DD 08 08 08 08 08 08 08 08 (scheme 2, 8 data bytes)
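Both schemes of slide 11, with strict unpadding, as an added example (not code from the talk). The sample messages are constructed values; the full-block case and the rejection of malformed padding are the two edge cases a receiver has to get right.

```python
"""The two padding schemes of slide 11, with strict unpadding.

Added example, not code from the talk. Scheme 1 appends 0x80 and then zeros;
scheme 2 is PKCS#7 (n bytes of value n). Both always add at least one byte, so
a message that already fills whole blocks gets a complete extra block of
padding; without that rule the receiver could not tell padding from data.
The sample messages are constructed values.
"""

BLOCK = 16


def pad_bit(msg: bytes, block: int = BLOCK) -> bytes:
    """Scheme 1: append 0x80, then 0x00 bytes up to the next block boundary."""
    n = block - (len(msg) % block)            # 1..block, never 0
    return msg + b"\x80" + b"\x00" * (n - 1)


def unpad_bit(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip scheme 1 padding; the marker must be the last non-zero byte of the last block."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    tail = padded[-block:]
    marker = tail.rfind(b"\x80")
    if marker < 0 or any(tail[marker + 1:]):
        raise ValueError("bad padding")
    return padded[:len(padded) - block + marker]


def pad_pkcs7(msg: bytes, block: int = BLOCK) -> bytes:
    """Scheme 2: n bytes of value n, where n = bytes needed to fill the block (1..block)."""
    n = block - (len(msg) % block)
    return msg + bytes([n]) * n


def unpad_pkcs7(padded: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding, checking every pad byte rather than only the last one."""
    if not padded or len(padded) % block:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= block or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def is_valid_pkcs7(padded: bytes, block: int = BLOCK) -> bool:
    """True if the padding parses. A real receiver must not leak this answer
    to the sender (that is the padding oracle behind attacks like Lucky 13)."""
    try:
        unpad_pkcs7(padded, block)
        return True
    except ValueError:
        return False
```

The `is_valid_pkcs7` helper exists for testing; in a decryptor the padding check and the MAC check should fail identically and in constant time.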
12. 12
Alice looked up other block cipher modes
She likes two :
• CBC
• CTR
Let us look at both
13. 13
Quick Note: IV
• Initialization vector: an extra input to a block cipher mode, alongside the key, so that identical messages do not encrypt identically
• Fixed IV : IV that doesn’t change
• Counter IV: IV=0 for first message, IV = 1 for second etc.
• Random IV: Large random number as IV for each message
• Nonce-Generated IV: “Number used once” per key
• Message numbers
• Random number + message number
17. 17
CBC: Which IV to use?
• Fixed IV: what if two messages start with the same plaintext block? They produce the same first ciphertext block, and Eve can see that.
• Counter IV: if the first blocks of two messages differ in a simple way (for example by one bit), XORing them with consecutive counter values may cancel the difference and again give identical ciphertext blocks.
• Random IV: good, but a full block of random data has to be sent with every message.
• Nonce IV: good. Use a smaller random number plus a counter as the nonce.
20. 20
AES CTR
• Counter = Nonce || i (i is the block index within the message)
• If a counter value is ever reused under the same key, the two ciphertext blocks XOR to the two plaintext blocks:
• Cx ⊕ Cy = E(K, counter) ⊕ Px ⊕ E(K, counter) ⊕ Py
• i.e. Cx ⊕ Cy = Px ⊕ Py
• Never ever repeat a counter with the same key
21. 21
CTR Advantages
• Random access is possible.
• Both encryption and decryption can be parallelized.
• Needs only encryption implementation
22. 22
Alice decides to use AES CTR encryption
Alice Bob
Eve
Alice: ci = E(Ke, Nonce||i) ⊕ Pi
Alice → Bob: c
Bob: Pi = E(Ke, Nonce||i) ⊕ Ci
Message, split into blocks: Buy | INTC | 50 | 90 | shares
Each block ci = E(Ke, Nonce||i) ⊕ Pi (CTR mode)
23. 23
Eve is clever
• Alice sends using CTR.
• Eve changes the first block by XORing it with (Buy ⊕ Sell)
• So the first block becomes:
• c = E(Ke, Nonce||1) ⊕ Buy ⊕ (Buy ⊕ Sell)
• i.e. c = E(Ke, Nonce||1) ⊕ Sell
• So, Bob gets:
Sell INTC 50 90 shares
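The three attacks of slides 9, 20 and 23 (ECB block swapping, CTR counter reuse, CTR bit flipping) run end to end, as an added example that is not code from the talk. To stay on the Python standard library the block cipher is a small Feistel network built on HMAC-SHA256, which is a genuine keyed permutation with the same E(K, block) / D(K, block) interface as AES; the attacks work at the mode level and would be identical with AES. The key, nonce and messages are constructed sample values.

```python
"""Block swapping in ECB and bit flipping / counter reuse in CTR.

Added example, not code from the talk. The stand-in block cipher is a 4-round
Feistel network on 16-byte blocks whose round function is HMAC-SHA256: a real
keyed permutation with the same E(K, block) / D(K, block) interface as AES, so
the mode-level attacks behave exactly as they would with AES (swap in AES for
anything real). KEY, NONCE and the messages are constructed sample values.
"""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-key!"   # 16-byte sample key
NONCE = b"nonce-01"         # 8-byte sample nonce; counter = NONCE || i


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: PRF of (round number, half block), 8 bytes out."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """E(K, block): four Feistel rounds over the (L, R) halves."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """D(K, block): the same rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """ECB: ci = E(K, mi), every block independent (msg already block-aligned)."""
    return b"".join(encrypt_block(key, b) for b in _blocks(msg))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(ct))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: ci = E(K, nonce || i) XOR pi; the same call decrypts."""
    out = bytearray()
    for i, chunk in enumerate(_blocks(data)):
        keystream = encrypt_block(key, nonce + i.to_bytes(8, "big"))
        out += _xor(chunk, keystream)
    return bytes(out)


def ecb_swap_attack() -> bytes:
    """Slide 9: Eve swaps the ciphertext blocks carrying '50' and '90'."""
    fields = [b"Buy", b"INTC", b"50", b"90", b"shares"]
    ct = ecb_encrypt(KEY, b"".join(f.ljust(BLOCK) for f in fields))
    blocks = _blocks(ct)
    blocks[2], blocks[3] = blocks[3], blocks[2]        # no key needed
    bob_sees = ecb_decrypt(KEY, b"".join(blocks))
    return b" ".join(b.strip() for b in _blocks(bob_sees))


def ctr_bitflip_attack() -> bytes:
    """Slide 23: XOR the first ciphertext bytes with (Buy XOR Sell).
    Bit flipping keeps the length, so 'Buy ' (with its space) becomes 'Sell'."""
    ct = ctr_crypt(KEY, NONCE, b"Buy INTC 50 90 shares")
    forged = _xor(ct[:4], _xor(b"Buy ", b"Sell")) + ct[4:]
    return ctr_crypt(KEY, NONCE, forged)               # what Bob decrypts


def ctr_counter_reuse() -> bytes:
    """Slide 20: two messages under the same (key, nonce) leak P1 XOR P2;
    with P1 known, Eve recovers P2 without the key."""
    p1, p2 = b"Buy INTC 50 90 shares", b"Sell MSFT 10 20 share"
    c1 = ctr_crypt(KEY, NONCE, p1)
    c2 = ctr_crypt(KEY, NONCE, p2)                     # nonce reused: the bug
    return _xor(_xor(c1, c2), p1)
```

None of the three attacks calls `decrypt_block` with the key on Eve's side; they only rearrange or XOR ciphertext, which is exactly why a MAC (the next part of the talk) is needed on top of encryption.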
25. 25
Alice figures she needs something to protect this
message
• Her goal this time is to ensure that Eve can’t change the
message.
• Doesn’t care about confidentiality (to keep things simple)
• She looks up hash functions
26. 26
What is a hash function?
Ideal hash function (figure): arbitrary length input → fixed length output
• Random mapping
• Same output for the same input
27. 27
Defining security of hash functions
• Pre-image resistance:
• Given a hash h it should be difficult to find any message m
such that h = hash(m).
• Second pre-image resistance
• Given an input m1 it should be difficult to find another input
m2 such that m1 ≠ m2 and hash(m1) = hash(m2).
• Collision resistance
• It should be difficult to find two different messages m1 and m2
such that hash(m1) = hash(m2).
28. 28
Standard hash functions
• MD5: don't use
• SHA1: avoid. Not recommended for usage. Only use if the system gives you no other choice.
• SHA2: use this.
• SHA3 (not finalized at the time of this talk; standardized as FIPS 202 in 2015)
• One of the properties (bug?) of MD5, SHA1 and SHA2 is that, with h the compression function and m1 padded to a block boundary,
• If m = m1 || m2
• H(m) = h(H(m1), m2)
• So anyone who knows H(m1) and the length of m1 can compute H(m1 || pad || m2) without knowing m1. This is called the length extension issue. SHA3 does not have it.
29. 29
Alice is now confident
• She decides to use SHA-2 hash
• Assume:
• Alice and Bob share a secret key K just like Encryption
30. 30
Alice decides to use SHA-2
Alice Bob
Eve
Alice → Bob: Buy INTC 50, SHA2(K || Data)
K is the secret shared by Alice and Bob
31. 31
As usual Eve is clever
• Eve takes the tag SHA2(K || Data) as the hash state and keeps hashing from there:
• SHA2(SHA2(K || Data), 90), that is h(H(K || Data), 90)
• She also changes the message to Data || pad || 90 and sends it with the new tag:
Buy INTC 50 [pad] 90, SHA2(SHA2(K || Data), 90)
• Bob recomputes SHA2(K || Data || pad || 90) and it matches, although Eve never knew K
32. 32
How to fix this?
• Use HMAC
• HMAC(K, m) = H((K ⊕ opad) || H((K ⊕ ipad) || m))
• K is first brought to one hash block length (hashed if longer, zero-padded if shorter)
• opad is the outer padding (0x5c5c5c…5c5c, one-block-long hexadecimal constant)
• ipad is the inner padding (0x363636…3636, one-block-long hexadecimal constant)
• The outer hash hides the inner state, so the length extension trick no longer works
Other MACs are available, but this is the most commonly recommended
33. 33
Horton Principle
• "Authenticate what is being meant, not what is being said”
• Suppose you had two messages to send.
• M1 & M2
• You just send M1||M2|| HMAC(M1||M2)
• What happens?
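The question on slide 33 answered in code, together with the length-prefixed framing that slide 35 recommends, as an added example that is not code from the talk. The key and messages are constructed values; the 4-byte length prefix is one unambiguous encoding among several, chosen here for simplicity.

```python
"""Horton's principle in code: HMAC over a bare concatenation M1 || M2 is
ambiguous, HMAC over a length-prefixed encoding is not.

Added example, not code from the talk. KEY and the messages are constructed
sample values; the 4-byte big-endian length prefix is an illustrative choice.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-mac-key"


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def naive_tag(m1: bytes, m2: bytes) -> bytes:
    """Slide 33: HMAC(M1 || M2); the boundary between M1 and M2 is not authenticated."""
    return mac(m1 + m2)


def encode(fields) -> bytes:
    """Unambiguous encoding: every field is preceded by its length."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def decode(blob: bytes):
    """Strict inverse of encode; truncated input or trailing bytes are errors."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def framed_tag(m1: bytes, m2: bytes) -> bytes:
    """Slide 35: structure the message, then MAC the whole thing."""
    return mac(encode([m1, m2]))


def verify_framed(blob: bytes, tag: bytes):
    """Receiver: check the MAC before parsing; returns the fields or None."""
    if not hmac.compare_digest(mac(blob), tag):
        return None
    return decode(blob)
```

With the naive scheme the pair ("Buy INTC 5", "0 shares") and the pair ("Buy INTC 50", " shares") carry the same tag, so Bob cannot tell which split Alice meant; with framing the tags differ and a tampered blob fails before it is parsed.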
35. 35
Lesson: Always structure your message to be unambiguous and then MAC the whole thing
• For example, send:
• {
message1_length = aa;
message1 = "M1";
message2_length = bb;
message2 = "M2";
}
HMAC({….})
"Authenticate what is being meant, not what is being said"
36. 36
Alternative MAC 1: CBC-MAC
• CBC-MAC: use CBC with IV = 0 and return the last block as the MAC
• H0 = IV. The IV should be fixed, generally 0.
• Hi = E(K, Pi ⊕ Hi-1)
• MAC = Hk
• Why IV = 0? If the IV travelled with the message, an attacker could flip the same bits in the IV and in P1 and the MAC would not change.
• CBC-MAC is good and secure for messages of one fixed length, but suffers from certain types of collision attacks when message lengths vary.
• So, use CMAC.
37. 37
Alternative MAC2 : CMAC
• Same as CBC-MAC, except for the way the last block is handled
• Generate two subkeys k1 and k2 from the MAC key k
• Calculate the MAC using CBC-MAC, except for the last block.
• Change the last block (mn′) to the following before applying CBC-MAC:
• If mn′ is a complete block
• mn = k1 ⊕ mn′
• else mn = k2 ⊕ (mn′ ∥ 10…0), i.e. pad mn′ with a single 1 bit followed by 0 bits up to the block size
39. 39
Alice wants the following
• Eve shouldn’t learn anything about the messages except
for the timing and size
• Bob should only get proper messages and is able to figure
out the correct order.
• Duplicates are detected
• Message modifications are detected
• By now you have probably guessed that this can be
achieved by combination of Encryption and Authentication
40. 40
Authentication and Encryption
Three possibilities:
1. MAC then encrypt all including MAC
2. Encrypt and then MAC the encrypted message
3. Encrypt and MAC the plaintext message
• Which one to use?
41. 41
Encrypt and MAC the plaintext message
• Not recommended: the MAC of the plaintext travels in the clear, and a MAC is not designed to hide its input, so any weakness in the MAC leaks information about the message (a deterministic MAC already reveals when two messages are identical).
42. 42
MAC and then encrypt the whole message
including MAC
• Eve only gets to see the ciphertext and the encrypted MAC
• Much harder to attack the MAC
• This is fine to use.
• But the receiver has to decrypt (and unpad) before it can verify the MAC, which has led to padding-oracle and timing attacks (TLS Lucky 13 attack)
43. 43
Encrypt and then MAC the encrypted message
• Can drop an invalid message fast, without decryption
• Is not fully in line with Horton's principle: the MAC covers the bytes sent, not their meaning
• There may be ambiguity if the IV, counter or headers that decide how the ciphertext is interpreted are not also authenticated
• This is good to use
• We will use this and add authenticated headers to remove the ambiguity
44. 44
Secure Channel : Generate Keys
• KEYSENDENC ← HMAC-SHA2(K, "Enc Alice to Bob")
• KEYRECENC ← HMAC-SHA2(K, "Enc Bob to Alice")
• KEYSENDAUTH ← HMAC-SHA2(K,"Auth Alice to Bob")
• KEYRECAUTH ← HMAC-SHA2(K,"Auth Bob to Alice")
• Swap Encryption & Decryption key if message is from Bob
to Alice
45. 45
Message counters
• Two message counters
• Cab = Alice-to-Bob Message counter
• Cba =Bob-to-Alice message counter
• Both Alice and Bob store state of both counters
• Initialize both to 0.
46. 46
Alice sending message to Bob
• We will only go through this direction
• Bob to Alice is identical
47. 47
Choosing CTR counter
• It is recommended that the number of blocks encrypted with a 128-bit AES key stays below 2^64 - 1
• This is because after about 2^64 blocks the output becomes distinguishable from random (birthday bound on the 128-bit block)
• To ensure this, we make sure the counter for messages sent from Alice to Bob never repeats and the number of blocks encrypted stays below 2^64
• Counter = (Cab || i) for the ith block in this particular message
• Ensure that Cab < 2^32 - 1
• Ensure that length(m) < (2^32 - 1) * block_size
48. 48
Alice Sending a message
• Ensure that Cab < 2^32 - 1
• Increment Cab
• Ensure that length(m) < (2^32 - 1) * block_size
• Use Counter = (Cab || i) for the ith block for AES-CTR
Message layout: Header (Version | Cab | Length | Type), Encrypted message, HMAC-SHA2 over header and encrypted message
49. 49
Bob: Receiving a message
• Ensure that Cab > the last received Cab
• Check the HMAC of the message
• Drop it if the HMAC does not match
• Store Cab. Check Version.
• Decrypt using AES CTR
• Counter = (Cab || i) for the ith block
• Check Type and process accordingly.
Message layout: Header (Version | Cab | Length | Type), Encrypted message, HMAC-SHA2 over header and encrypted message
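The whole secure channel of slides 44 to 49 in one runnable piece, as an added example that is not code from the talk: key derivation with the HMAC-SHA2 labels, per-direction counters, CTR encryption with counter = (Cab || i), encrypt-then-MAC over header and ciphertext, and the receive-side checks that drop replays and tampering. To stay on the standard library the block function E(K, Cab || i) is HMAC-SHA256 truncated to 16 bytes; CTR mode only needs a PRF of the counter, so the construction is unchanged with AES substituted. The shared key and the messages are constructed samples.

```python
"""The secure channel of slides 44-49: directional keys derived with HMAC-SHA2
labels, per-direction message counters, CTR encryption with counter = (Cab || i),
encrypt-then-MAC over header || ciphertext, and the receive-side checks.

Added example, not code from the talk. To stay on the standard library the
block function E(K, Cab || i) is HMAC-SHA256 truncated to 16 bytes; CTR mode
only needs a PRF of the counter, so the construction is the same with AES
substituted. The shared key K and the messages are constructed samples.
"""
import hashlib
import hmac
import struct

VERSION = 1
BLOCK = 16
HEADER = struct.Struct(">BIIB")        # Version | Cab | Length | Type
MAX_COUNTER = 2**32 - 1
TAG_LEN = 32


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class Endpoint:
    def __init__(self, shared_key: bytes, is_alice: bool):
        # Slide 44: four directional keys; Bob derives the same four and swaps roles
        a2b = (_prf(shared_key, b"Enc Alice to Bob"), _prf(shared_key, b"Auth Alice to Bob"))
        b2a = (_prf(shared_key, b"Enc Bob to Alice"), _prf(shared_key, b"Auth Bob to Alice"))
        (self.send_enc, self.send_auth), (self.recv_enc, self.recv_auth) = (a2b, b2a) if is_alice else (b2a, a2b)
        self.send_ctr = 0              # slide 45: Cab (or Cba), initialised to 0
        self.last_recv_ctr = 0

    @staticmethod
    def _ctr_crypt(key: bytes, msg_ctr: int, data: bytes) -> bytes:
        # Slide 47: block counter = (Cab || i); E(K, .) is the PRF stand-in for AES
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            keystream = _prf(key, struct.pack(">II", msg_ctr, i // BLOCK))[:BLOCK]
            out += bytes(x ^ y for x, y in zip(data[i:i + BLOCK], keystream))
        return bytes(out)

    def send(self, msg_type: int, plaintext: bytes) -> bytes:
        # Slide 48
        if self.send_ctr >= MAX_COUNTER:
            raise RuntimeError("message counter exhausted: rekey before sending more")
        if len(plaintext) >= MAX_COUNTER * BLOCK:
            raise ValueError("message too long for a 32-bit block index")
        self.send_ctr += 1
        body = self._ctr_crypt(self.send_enc, self.send_ctr, plaintext)
        header = HEADER.pack(VERSION, self.send_ctr, len(body), msg_type)
        return header + body + _prf(self.send_auth, header + body)

    def receive(self, packet: bytes):
        # Slide 49: freshness, then MAC, then decrypt; anything wrong drops the packet
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header = packet[:HEADER.size]
        body, tag = packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        version, ctr, length, msg_type = HEADER.unpack(header)
        if ctr <= self.last_recv_ctr:
            return None                                 # replay or out of order
        if not hmac.compare_digest(_prf(self.recv_auth, header + body), tag):
            return None                                 # forged or corrupted
        self.last_recv_ctr = ctr                        # only after the MAC passed
        if version != VERSION or length != len(body):
            return None
        return msg_type, self._ctr_crypt(self.recv_enc, ctr, body)


def demo():
    """Alice sends, Bob receives; a replay and a bit flip are both dropped."""
    alice = Endpoint(b"constructed-shared-key", is_alice=True)
    bob = Endpoint(b"constructed-shared-key", is_alice=False)
    pkt = alice.send(1, b"Buy INTC 50 90 shares")
    first = bob.receive(pkt)
    replayed = bob.receive(pkt)                         # same Cab again
    tampered = bytearray(alice.send(1, b"Buy INTC 50 90 shares"))
    tampered[HEADER.size] ^= 0x01                       # flip a ciphertext bit
    flipped = bob.receive(bytes(tampered))
    reply = alice.receive(bob.send(2, b"ack"))          # Bob to Alice uses the other keys
    return first, replayed, flipped, reply
```

Note the order in `receive`: the counter is compared first so that a replay costs nothing, the MAC is verified over header and body before the counter is stored, and decryption only happens on an authenticated packet. The CTR bit flip that worked on slide 23 now fails the MAC and is dropped without being decrypted.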
55. 55
Other values
Pre-Known/Exchanged values:
• p, g, q (may be exchanged as part of the protocol)
• Always check:
• p = Nq + 1
• (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1 (every received public value must lie in the order-q subgroup)
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is a large enough prime (≥ 2048 bits)
56. 56
Man in the middle
Alice → Eve: g^x (Eve intercepts it)
Eve → Bob: g^v
Bob → Eve: g^y (Eve intercepts it)
Eve → Alice: g^w
Alice computes K = (g^w)^x; Bob computes K = (g^v)^y
Eve computes K1 = (g^x)^w, the key Alice holds, and K1 = (g^y)^v, the key Bob holds
57. 57
So, how to exchange?
• Assume there is some way to authenticate messages.
• We will see how to do that in Public/Private key cryptography
• Authenticated DH Protocol
• First we will look at RSA Public Private Key cryptography
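The checks of slide 55 and the man-in-the-middle of slide 56, as an added example that is not code from the talk. The group (p = 23, q = 11, g = 4) is deliberately tiny so every value can be checked by hand; real deployments need p of at least 2048 bits and q of at least 256 bits. The point of the MITM function is that every value Eve injects passes all the checks, which is why the next slides add authentication.

```python
"""Finite-field Diffie-Hellman with the parameter checks of slide 55 and the
man-in-the-middle of slide 56.

Added example, not code from the talk. The group (p = 23, q = 11, g = 4) is
deliberately tiny so every value can be checked by hand; real deployments need
p >= 2048 bits and q >= 256 bits, and then the subgroup checks are what stop
small-subgroup and invalid-element attacks. The MITM shows why even correct
parameters are not enough without authentication.
"""
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic far beyond demo sizes)."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in _BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def check_params(p: int, g: int, q: int) -> bool:
    """Slide 55: p and q prime, p = N*q + 1, 1 < g < p and g^q = 1 mod p."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1)


def check_public(y: int, p: int, q: int) -> bool:
    """Slide 55: a received g^x must be neither 1 nor p-1 and must lie in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keypair(p: int, g: int, q: int):
    """Private exponent x in [2, q-1], public value g^x mod p."""
    x = secrets.randbelow(q - 2) + 2
    return x, pow(g, x, p)


def shared_key(peer_public: int, x: int, p: int, q: int) -> int:
    if not check_public(peer_public, p, q):
        raise ValueError("peer public value failed the subgroup check")
    return pow(peer_public, x, p)


def mitm(p: int, g: int, q: int) -> bool:
    """Slide 56: Eve swaps in her own g^v and g^w. Every value passes the checks,
    yet Alice and Bob end up with keys that Eve both knows."""
    x, gx = keypair(p, g, q)       # Alice
    y, gy = keypair(p, g, q)       # Bob
    v, gv = keypair(p, g, q)       # Eve's exponent towards Bob
    w, gw = keypair(p, g, q)       # Eve's exponent towards Alice
    k_alice = shared_key(gw, x, p, q)      # Alice believes gw came from Bob
    k_bob = shared_key(gv, y, p, q)        # Bob believes gv came from Alice
    return k_alice == pow(gx, w, p) and k_bob == pow(gy, v, p)
```

In the test, g = 5 is rejected because it generates the whole group of order 22 rather than the order-11 subgroup, and 22 (that is, -1) is rejected as a public value because it has order 2; both are the inputs a small-subgroup attacker would send.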
62. 62
RSA : key generation (1/2)
• Generate two distinct large prime numbers p and q
• Calculate n = p * q
• Compute t = (p-1)(q-1) OR t = lcm(p-1, q-1)
• Choosing t like this implies
• x^t = 1 mod n (for x coprime to n)
• x^(t+1) = x mod n (for every x)
• Proof by authority!
63. 63
RSA : key generation (2/2)
• Choosing t like this implies x^(kt+1) = x mod n for any integer k
• Proof by authority!
• Choose e and d with ed = 1 mod t, i.e. ed = kt + 1 for some integer k
• Common e value is 2^16 + 1 = 65,537
• Public Key: n, e
• Private Key: n, d
64. 64
Example RSA key generation
• p = 61 and q = 53
• n = 61*53 = 3233
• t = (p-1)(q-1) = (61-1)(53-1) = 3120
• Let e = 17. Then solving for ed = 1 mod t
• d = 2753
• 2753*17 = 15*3120 +1
• 46801 = 46800 + 1
65. 65
RSA encryption/ decryption
• c = m^e mod n
• m = c^d mod n
• X = (m^e)^d mod n
• We know ed = kt + 1
• X = m^(kt+1) mod n
• Or X = (m^t)^k * m mod n
• We also know, for any x coprime to n: x^t = 1 mod n
• So X = (1)^k * m mod n = m
• Hence we can decrypt!
66. 66
RSA encryption/ decryption example
• Let m = 65. Then using the previous e = 17, d = 2753, n = 3233
• c = 65^17 (mod 3233) = 2790
• m = 2790^2753 (mod 3233) = 65
67. 67
RSA: why not to sign/encrypt data directly
• If you sign m1 and m2 directly (raw RSA, no padding), you hand out
• s1 = m1^d (mod n)
• s2 = m2^d (mod n)
• An attacker can then produce a valid signature on m3 = m1 * m2 mod n without the private key:
• m3^d (mod n) = m1^d * m2^d (mod n) = s1 * s2 (mod n)
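The key generation of slides 62 to 64, the encryption example of slide 66 and the multiplicative forgery of slide 67, as an added example that is not code from the talk. The primes are the slide's tiny ones so the arithmetic can be followed by hand; real keys need n of at least 2048 bits and the RSA-PSS / RSA-OAEP encodings of the next slide, which are exactly what removes the homomorphism exploited by `forge_product_signature`.

```python
"""Textbook RSA with the slide's numbers, and the multiplicative forgery of slide 67.

Added example, not code from the talk. The primes are tiny so the arithmetic
can be followed by hand; real keys need n of at least 2048 bits and the
RSA-PSS / RSA-OAEP encodings of the next slide, which are exactly what
breaks the homomorphism exploited below.
"""
from math import gcd, lcm


def keygen(p: int, q: int, e: int = 65537, use_lcm: bool = False):
    """Slides 62-63: n = p*q, t = (p-1)(q-1) or lcm(p-1, q-1), d = e^-1 mod t."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q
    t = lcm(p - 1, q - 1) if use_lcm else (p - 1) * (q - 1)
    if gcd(e, t) != 1:
        raise ValueError("e must be invertible mod t")
    d = pow(e, -1, t)                 # so that e*d = k*t + 1 for some integer k
    return (n, e), (n, d)


def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)               # c = m^e mod n


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)               # m = c^d mod n


def sign_raw(priv, m: int) -> int:
    """Slide 67: 'signing' as a bare private-key exponentiation, no padding."""
    n, d = priv
    return pow(m, d, n)


def verify_raw(pub, m: int, s: int) -> bool:
    n, e = pub
    return pow(s, e, n) == m % n


def forge_product_signature(pub, m1: int, s1: int, m2: int, s2: int):
    """From valid raw signatures on m1 and m2, produce a valid signature on
    m3 = m1 * m2 mod n without the private key: (m1*m2)^d = m1^d * m2^d."""
    n, _ = pub
    return (m1 * m2) % n, (s1 * s2) % n


def slide_example():
    """p = 61, q = 53, e = 17 gives d = 2753; m = 65 encrypts to 2790."""
    pub, priv = keygen(61, 53, 17)
    c = encrypt(pub, 65)
    return pub, priv, c, decrypt(priv, c)
```

With `use_lcm=True` the same primes give d = 413 instead of 2753; both decrypt correctly, since 17 * 413 = 9 * 780 + 1 and 780 = lcm(60, 52).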
68. 68
What is recommended?
• Use one of the standards for signing and encryption
• Signing: RSA-PSS (RSA Probabilistic Signature Scheme)
• Encryption: RSA-OAEP (RSA Optimal Asymmetric Encryption Padding)
• Don't use the same key for encryption and signing
• Decrypting a ciphertext and signing a message are the same private-key operation, so an attacker who can get you to decrypt chosen ciphertexts may obtain signatures from you, or the other way around
• Encryption keys and signing keys generally have different lifetimes
74. 74
Elliptic curve discrete logarithm problem
• With a curve of the form y^2 = x^3 + ax + b mod p, where p is a large prime, and the operation point addition +
• P + P + … + P = dP = T
• Given dP and P, it should be hard to compute d.
• d is kept secret like a private key
• Intuitively: P + P + P … for very large d (> 160 bits)
Source: Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
75. 75
Example of ECC usage: ECDH (simplified)
Alice Bob
Given a prime p, a suitable elliptic curve E and a point P = (xP, yP)
Alice: choose kPrA = a ∈ {2, 3, …, #E-1}; compute kPubA = A = aP = (xA, yA)
Bob: choose kPrB = b ∈ {2, 3, …, #E-1}; compute kPubB = B = bP = (xB, yB)
Alice → Bob: A
Bob → Alice: B
Alice: compute aB = Tab
Bob: compute bA = Tab
• One of the coordinates of the point Tab (usually the x-coordinate) can be used as session key (often after applying a hash function)
76. 76
Elliptic curve summary
• Elliptic Curve Cryptography (ECC) is based on the elliptic curve discrete logarithm problem.
• ECC provides the same level of security as RSA or finite-field discrete logarithm systems with much shorter key sizes (160-256 bits) vs (1024-3072 bits)
• ECC can be used for key exchange, signatures and encryption
• ECC generally has a performance advantage over RSA
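Point addition, scalar multiplication and the ECDH exchange of slides 74 and 75, as an added example that is not code from the talk. The curve y^2 = x^3 + 2x + 2 mod 17 with generator P = (5, 1) of order 19 is the worked example from Chapter 9 of Understanding Cryptography, the source the slide cites, chosen so every point can be checked by hand; real use needs a standard curve such as P-256 or X25519 and a constant-time implementation, which this is not.

```python
"""Elliptic-curve point arithmetic and the ECDH exchange of slide 75.

Added example, not code from the talk. The curve y^2 = x^3 + 2x + 2 mod 17
with generator P = (5, 1) of order 19 is the worked example from Chapter 9 of
Understanding Cryptography (the slide's cited source), chosen so every point
can be checked by hand; real use needs a standard curve such as P-256 or X25519
and a constant-time implementation, which this is not.
"""
import hashlib
import secrets

P_MOD, A, B = 17, 2, 2        # curve parameters
G = (5, 1)                    # generator P
ORDER = 19                    # #E, the number of points including infinity
INF = None                    # point at infinity, the group identity


def on_curve(pt) -> bool:
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Point addition with the special cases: identity, inverse pair, doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                      # p2 = -p1 (covers 2P when y = 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(d: int, pt):
    """d * pt by double-and-add (slide 74's P + P + ... + P, d times)."""
    result, addend = INF, pt
    while d > 0:
        if d & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        d >>= 1
    return result


def validate_public(pt) -> bool:
    """Reject the identity, off-curve points and points of the wrong order
    (the checks that defeat invalid-curve and small-subgroup attacks)."""
    return pt is not INF and on_curve(pt) and scalar_mult(ORDER, pt) is INF


def session_key(t_ab) -> bytes:
    """Slide 75: hash the x-coordinate of the shared point."""
    return hashlib.sha256(t_ab[0].to_bytes(4, "big")).digest()


def ecdh():
    """Both sides of the exchange; returns (Alice's key, Bob's key)."""
    a = secrets.randbelow(ORDER - 2) + 2                # kPrA in {2, ..., #E-1}
    b = secrets.randbelow(ORDER - 2) + 2                # kPrB
    A_pub, B_pub = scalar_mult(a, G), scalar_mult(b, G)
    if not (validate_public(A_pub) and validate_public(B_pub)):
        raise ValueError("bad public point")
    return session_key(scalar_mult(a, B_pub)), session_key(scalar_mult(b, A_pub))
```

On this curve 2P = (6, 3) and 19P is the point at infinity, which the tests check; the two session keys agree because a(bP) and b(aP) are the same point.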
78. 78
Why DH Protocol?
• Often the certificate only allows its key to be used for signing
• Perfect Forward Secrecy
• Even if you obtain my long-term private key later, you cannot decrypt my past communication, because each session key came from a fresh DH exchange
80. 80
Reminder DH
Pre-Known/Exchanged values:
• p, g, q (may be exchanged as part of the protocol)
• Always check:
• p = Nq + 1
• (g^x)^q = 1 mod p, g ≠ 1, g^x ≠ 1
• Make sure q is a large enough prime (≥ 256 bits)
• Make sure p is a large enough prime (≥ 2048 bits)
82. 82
Identity misbinding attack on DH
Honest run:
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y)
Alice → Bob: SigA(g^x, g^y)
Attack: Eve intercepts Alice's first message and replaces the identity A with her own
Eve → Bob: E, g^x
Bob → Eve: B, g^y, SigB(g^x, g^y)
Eve → Bob: SigE(g^x, g^y)
Eve doesn't know K = g^xy, but Bob thinks that anything coming from Alice is coming from Eve
84. 84
Limitations
• Both parties need to know each other’s identity before
they can authenticate
• Leaves a signed proof of communication (signing peer’s
identity)
• Sigma solves these issues
85. 85
Sigma Basic version
Alice → Bob: g^x
Bob → Alice: B, g^y, SigB(g^x, g^y), MAC_Km(B)
Alice → Bob: A, SigA(g^x, g^y), MAC_Km(A)
• Km is derived from g^xy
• Does not require knowing the peer's id for one's own authentication
• Adds deniability
For comparison, authenticated DH with the identities inside the signatures:
Alice → Bob: A, g^x
Bob → Alice: B, g^y, SigB(g^x, g^y, A)
Alice → Bob: A, SigA(g^x, g^y, B)
86. 86
Sigma-I: Active protection of Initiator’s ID
Alice → Bob: g^x
Bob → Alice: g^y, {B, SigB(g^x, g^y), MAC_Km(B)}_Ke
Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
• Km and Ke are derived from g^xy
• The initiator's id is protected and not revealed except to an authenticated party
87. 87
Sigma-R: Active protection of Responder’s ID
Alice → Bob: g^x
Bob → Alice: g^y
Alice → Bob: {A, SigA(g^x, g^y), MAC_Km(A)}_Ke
Bob → Alice: {B, SigB(g^x, g^y), MAC_Km'(B)}_Ke'
• Km, Ke, Km' and Ke' are derived from g^xy
• The responder's ID is not revealed until the initiator's is revealed
88. 88
Next Part
• EPID based Sigma key exchange
• PKI : Public key infrastructure
• Why random numbers are important?
• Clocks and monotonic counters
• Storing secrets
• Analysis of common protocols
• TLS
• Sigma key exchange
• IKE and IPSEC
Editor's Notes
----- Meeting Notes (8/29/13 16:44) -----
Should be unpredictable
Use a PRNG --- AES --- CTR
Both sides could create based on generate
----- Meeting Notes (9/12/13 16:35) -----
p should have 2048 bits….
----- Meeting Notes (9/12/13 16:35) -----
- Encryption keys and signing keys have different lifetimes...