2DMI10 — Applied Cryptography — 2017

Andreas Hülsing, MF 6.146, e-mail a.t.huelsing@tue.nl
GPG-key: 152BFF2E
Fingerprint: BF9B D534 C876 99CA B62D 0E94 E2DE 5372 152B FF2E

There was some trouble with the room and timeslot assignment. I am working on fixing this, getting a room for the Thursday timeslot. The current assignment in the online system for Wednesday evenings is wrong. No worries.

Dates and time:		Location:
Tuesday, 10:45 - 12:30		AUD.12
Thursday, 13:45 - 15:30		FLUX 1.05

Last lecture on Thursday, January 18th.

As we stopped tele-lecturing this year, the lectures are recorded. This has the advantage that also students that got conflicting lectures can follow the class. The videos should be online the day after the lecture. You can find the videos at the TU/e Mediasite (videocollege.tue.nl) under TU/e lectures → (2) Computer Science → 2DMI10 (2017-2018).

At the end of this course:

• you understand the cryptography behind modern cryptographic system
• and how it interacts with higher protocol levels;
• you know how to choose the right crypto primitive for a situation;
• you know how to analyze the security of security systems involving cryptography.

This course deals with modern applications of cryptography. Topics covered are

• cryptographic aspects of internet protocols including TLS, DNS, DNSSEC, DNSCurve, SSL,
• cryptographic aspects of Tor,
• public-key infrastructure (PKI) including trust models and validation models for X.509 and PGP,
• real-world problems such as side-channel attacks and kleptography,
• cryptographic aspects of e-cash including Bitcoin,
• identity-based cryptography, and

These topics will be explained and failure cases and popular attacks will be pointed out. Depending on time and up to date developments the course might also cover private information retrieval, proofs of storage, quantum cryptography, post-quantum cryptography, and a 'bug of the week' section.

You have to write two papers, one in mid-term and one in the exam period. You will be asked to study some literature or a standard document, and report on that in written form. The first one will be on PKI, the second one on one of the other topics. In both cases there will be a list of topics from which you can choose.

The first paper has weight 1/3, the second one has weight 2/3.

All papers must be submitted encrypted and signed by email.

• First assignment.
  

  Deadlines:
  Publication of assignment:	Sunday, November 26th.
  Choice of topic:	before Thursday, November 30th, 23:59.
  Assignment of topic:	till Monday, December 4th.
  Submission of paper:	before Sunday, December 17th, 23:59.

• Second assignment.
  

  Deadlines:
  Publication of assignment:	Sunday, December 17th.
  Choice of topic:	before Thursday, December 21st, 23:59.
  Assignment of topic:	till Wednesday, December 27th.
  Submission of paper:	before Sunday, February 11th, 23:59.

Here you find for each lecture a note on what has been treated, the slides, and further literature for some topics.

Lecture on PKI.
Slides: [pptx] [pdf]
Topics: PKI basics; X.509; PGP; Certificates; Trust Models; Direkt trust; Web of trust; Hierarchical trust; Certificat chain validation.
Further reading:

• J. Buchmann, E. Karatsiolis, and A. Wiesmaier. Introduction to Public Key Infrastructures. Springer, 2013.

Lecture on PKI.
Slides: [pptx] [pdf]
Topics: PKI; X.509 Certificates; Revocation (CRL, OCSP, Novomodo); WebPKI (Incidents and counter measures).
There was an issue with the microfone for the recordings of the second half of the lecture. You can watch the videos of last years lecture on Tuesday, 22nd of November, instead. I covered the same topic then (only the certification path models are missing there, so please also watch the first ~15min of this years lecture).
Further reading:

• J. Buchmann, E. Karatsiolis, and A. Wiesmaier. Introduction to Public Key Infrastructures. Springer, 2013.
• S. Micali. Novomodo. PKI Research Workshop. 2002
• The EFF SSL observatory
• OWASP on certificate pinning
• Certificate Transparency

Lecture by Tanja on kleptography.
Slides: [pdf]
Topics: Kleptography in RSA, DH, and Dual EC.
Further reading:

• Young, Yung: "Kleptography: Using Cryptography Against Cryptography"
• Slides about Kleptography by Moti Yung
• Checkoway, Fredrikson, Niederhagen et.al.: "On the Practical Exploitability of Dual EC in TLS Implementations"
• Bernstein, Lange, Niederhagen: "Dual EC: A Standardized Back Door"
• Website about "Dual EC DRBG"

Guest lecture by Dan Bernstein on DNSSEC.
Slides: [link]
Topics: The DNS security mess.
Further reading:

• RFC 4033: DNS Security Introduction and Requirements
• RFC 4034: Resource Records for the DNS Security Extensions
• RFC 4035: Protocol Modifications for the DNS Security Extensions
• DNSCurve: Usable security for DNS

Lecture on IPsec and SSL/TLS.
Slides: [pdf]
Topics: Crypto on different layers of the network stack; IPsec; SSL and TLS: key exchange, PRF, cipher suits.
Further reading:

• TLS 1.3 draft
• For Internet protocols Wikipedia has pretty detailed articles.

Lecture on Attacks on SSL/TLS.
Slides: [pdf]
Topics: SSLstrip, BEAST, CRIME, BREACH, POODLE, FREAK, Logjam, ...
Further reading:

• Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
• Just ask your favorite search engine about the respective attacks and you will find a never ending stream of sources, ranging from explainations to tools that allow to experimentally verify the attacks...

Lecture on security of in use RSA signature schemes.
Slides: [pptx] [pdf]
Topics: Attacks on textbook and PKCS#1v1.x RSA signatures; existential unforgeability under adaptive chosen message attacks; the random oracle model; full domain hash; RSA-PFDH with secruity reduction in ROM.
Further reading:

• Jonathan Katz. Digital Signatures. Springer, 2010
• J.-F. Misarsky. How (not) to design RSA signature schemes. International Workshop on Public Key Cryptography, PKC 1998, pp 14-28. Springer, 1998
• Jean-Sébastien Coron, David Naccache, Yvo Desmedt, Andrew Odlyzko, Julien P. Stern. Index Calculation Attacks on RSA Signature and Encryption. Designs, Codes and Cryptography, January 2006, Volume 38, Issue 1, pp 41-53. Springer 2006.

Lecture on electronic cash.
Slides: [pdf]
Topics: Blind Signatures, RSA Blind Signatures, Chaums eCash (online, offline), Bitcoin.
Further reading:

• Lecture Notes by Bellare and Goldwasser with nice explaination of eCash
• David Chaum. Blind signatures for untraceable payments. Crypto 1982. (The original paper by Chaum)
• Chaum, Fiat, Naor. Untraceable electronic cash. Crypto 1990. (The offline scheme)
• Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. (The original paper)
• Bitcoin statistics.

Lectures on anonymity networks.
Slides: [pdf]
Slides part 2: [pptx] [pdf]
Topics: Dining cryptographers, mix nets, Tor; Zero-knowledge proofs
Further reading:

• Anonbib
• Censorbib
• How governments have tried to block Tor [28C3]
• Tor: Overview
• Consensus Health
• Tor Metrics
• Tor Atlas
• Tor Specifications

Lecture on private social communication.
Slides: [pdf]
Topics: Secure chat protocols; OTR, cryptocat, mpOTR, SCIMP, Axolotl.
Further reading:

• Off-the-Record Communication, or, Why Not To Use PGP
• mpOTR
• Silent Circle Instant Messaging Protocol Protocol Specification
• Axolotl Protocol Explaination
• Axolotl ProtocolV2

Lecture on post-quantum cryptography.
Slides: [pdf] [pptx]
Topics: Quantum computation; conjectured quantum-hard problems; multivariate, code-base, lattice-based crypto; hash-based signatures.
Further reading:

• Explaination of the quantum part of Shor's algorithm by Scott Aaronson.
• Bernstein, Buchmann, Dahmen. Post-quantum cryptography. Springer, Berlin, 2009. ISBN 978-3-540-88701-0.
• Kaye, Laflamme, Mosca. An Introduction to Quantum Computing. Oxford University Press, 2006.
• Chris Peickert. A Decade of Lattice Cryptography. IACR eprint, 2015. (Survey on lattice-based cryptography)

Lecture on hash-based signatures and hash-and-sign.
Slides: [pptx] [pdf]
Topics: Hash-based signatures: Lamport's scheme, Merkle signature scheme, Winternitz OTS, XMSS, SPHINCS; Hash-and-sign: Hash-and-sign, TCR hash-and-sign, eTCR-hash-and-sign, multi-user secure hashing.
Further reading:

• For hash-based signatures see the literature list on my homepage.
• Halevi, Krawczyk: "Strengthening Digital Signatures via Randomized Hashing"
• Mironov: "Collision-resistant No More: Hash-and-sign Paradigm Revisited"

Lecture on identity-based cryptography.
Slides: [pdf]
Topics: Identity-based cryptography, models for IB signature schemes (IBS) and encryption (IBE), generic construction for (IBS), Shamir's IBS, ind-id-cca/cpa, Boneh-Franklin IBE, security reduction for BF-IBE.
Further reading:

• The original paper: Adi Shamir. Identity-based cryptosystems and signature schemes. Crypto'84, Springer, 1985.
• A nice book on the topic: Marc Joye and Gregory Neven. Identity-Based Cryptography. IOS Press, 2009.
• The proof for Shamir's and other IBS: M. Bellare, C. Namprempre, and G.Neven. Security Proofs for Identity-Based Identification and Signature Schemes. Eurocrypt'04. Springer, 2004.

Lecture on Password Security and Password Hashing.
Slides: [pdf]
Topics: Differnt ways how to create passwords; dictionaries and rainbow tables; PBKDF2, bcrypt, scrypt, and Argon2.
Further reading:

• PBKDF2: RFC 2898
• bcrypt
• scrypt
• Password Hashing Competition
• Argon2

• Surveillance Self-Defense
• Let's Encrypt
• Cryptopals Real World Crypto Challenges

Latest modification: January 11, 2018.