|
Encryption and Security Tutorial
Public/Private Key Encryption,Security tools,Online Shopping Security, Encryption,Security questions and answers
(Continued from previous question...)
Encryption and Security Tutorial
Encryption and Security Tutorial
Overview
This page contains my godzilla crypto tutorial, totalling 811 slides in 10
parts, of which the first 8 (+ part 0) are the tutorial itself and the 9th is
extra material which covers crypto politics. Part 9 isn't officially part of
the technical tutorial itself, and much of it is now also rather dated (the
material is extensively covered elsewhere so I haven't spent much time
updating it).
The tutorial is done at a reasonably high level, there are about two dozen
books which cover things like DES encryption done at the bit-flipping level so
I haven't bothered going down to this level. Instead I cover encryption
protocols, weaknesses, applications, and other crypto security-related
information. Since the slides are accompanying material for a proper tutorial,
there's a lot of extra context which isn't available just by reading the
slides. Bear in mind that some of the claims and comments on the slides need
to be taken in the context of the full tutorial.
The Tutorial
The tutorial is formatted so that two slides fit one page, which means that
you'll burn out over 400 pages of paper printing them all out (half that if
you print double-sided). To view the tutorial you'll need a copy of the free
Adobe
Acrobat reader software. Note that most of the diagrams (and there are
quite a few of them) will look a lot better on paper than on screen. The
gv viewer (a
replacement for ghostview) displays the slides better than the Acrobat viewer,
especially with antialiasing enabled.
The technical material consists of 9 parts:
Part 0, Introduction,
23 slides: Security threats and requirements, services and mechanisms, and
security data format templates.
Part 1,
Algorithms and Mechanisms, 59 slides: Historical ciphers, cipher machines,
stream ciphers, RC4, block ciphers, DES, breaking DES, brute-force attacks,
other block ciphers (AES, Blowfish, CAST-128, GOST, IDEA, RC2, Skipjack,
triple DES), block cipher encryption modes (ECB, CBC, CFB, encrypt+MAC modes),
public-key encryption (RSA, DH, Elgamal, DSA), using PKCs, elliptic curve
algorithms, hash and MAC algorithms (MD2, MD4, MD5, SHA-1, SHA-2, RIPEMD-160,
the HMAC's), pseudorandom functions.
Part 2, 158 slides:
Key management, key distribution, the certification process, X.500 and X.500
naming, certification heirarchies, X.500 directories and LDAP, the PGP web of
trust, certificate revocation, X.509 certificate structure and extensions,
certificate profiles, setting up and running a CA, CA policies, RA's,
timestamping, PGP certificates, SPKI.
Part 2a,
Digital Signature Legislation, 93 slides: Why do we need digital signature
legislation, what is a signature, paper vs.electronic signatures,
non-repudiation, trust, and liability, existing approaches, examples of
existing legislation of various types including advantages and drawbacks, the
Digital Signature Law litmus test.
Part 3,
Authentication, 86 slides: User authentication, Unix password encryption,
Hellman's time/memory tradeoff, Rainbow tables, generalising Rainbow tables,
LANMAN and NT domain authentication and how to break it, GSM security, S/Key,
OPIE, TANs, PPP PAP/CHAP, PAP variants (SPAP, ARAP, MSCHAP), RADIUS, DIAMETER,
TACACS/XTACACS/TACACS+, EAP and variants (EAP-TTLS, EAP-TLS, LEAP, PEAP)
Kerberos 4 and 5, Kerberos-like systems (KryptoKnight, SESAME, DCE),
authentication tokens, SecurID, X9.26, FIPS 196, Netware 3.x and 4.x
authentication, biometrics, PAM.
Part 4, Sessions, 98
slides: SSL, TLS, TLS-PSK, SGC, SSH, TLS vs.SSH, IPsec, AH, ESP, IPsec key
management (Photuris, SKIP, ISAKMP, Oakley, SKEME), IKE, IPsec problems,
OpenVPN, WEP, WEP problems, WPA, TKIP, AES-CCM, DNSSEC, S-HTTP, SNMP.
Part 5, Email, 60
slides: Email security mechanisms, PEM, the PEM CA model, PGP, PGP keys
and the PGP trust model, MOSS, PGP/MIME, S/MIME and CMS, MSP, opportunistic
email encryption (STARTTLS/STLS/AUTH TLS).
Part 6, Electronic
commerce, 56 slides: Electronic payment mechanisms, Internet transactions,
payment systems, Netcash, First Virtual, Cybercash, book entry systems,
Paypal, Digicash, e-cheques, SET, the SET CA model, SET problems, prEN 1546,
TeleQuick, Geldkarte, EMV, micropayments.
Part 7, Smart
cards and crypto devices, 57 slides: Smart cards, smart card file
structures, card commands, PKCS #11, PC/SC, JavaCard/OCF, multiapplication
cards, iButtons, contactless cards, vicinity cards, attacks on smart cards,
Part 8, Miscellaneous,
49 slides: Traffic analysis, anonymity, mixes, onion routing, mixmaster,
crowds, LPWA, steganography, watermarking, misc. crypto applications
(hashcash, PGP Moose), TEMPEST, snake oil crypto, selling security.
TCSEC/Orange Book.
Here endeth the technical material. The final part goes into crypto
politics.
Part 9, 71 slides:
History of crypto politics, digital telephony, Clipper, Fortezza and Skipjack,
post-Clipper crypto politics, US export controls, effects of export controls,
legal challenges, French and Russian controls, non-US controls (Wassenaar),
Menwith Hill, Echelon, blind signal demodulation, undersea cable tapping,
European parliament reports on Echelon, Echelon and export controls, Cloud
Cover, UK DTI proposals, various GAK issues.
Miscellaneous Questions
Various people have asked about doing things with the tutorial which go beyond
just reading it. The following answers should cover the most common
requests:
Using portions of the material in your own work: This is fine provided
you attribute it and stay within reasonable limits - the usual copyright "fair
use" rules apply.
Using the original slides: I'm rather reluctant to provide access to
these because it was an awful lot of work preparing them and I'd rather not
have everyone give the tutorial I've prepared. In general if you want to use
them within your organisation that's OK, but I'd rather not hand them out for
general use.
Mirroring: If you want to mirror things or provide a copy via your own
site, please leave the actual PDF's as links to the originals rather than
copying the files across. I update the slides from time to time as standards
and technology change, and have had problems in the past with incredibly
ancient copies of files stored on overseas mirrors. If you provide a link
to the PDF's rather than copying them across it'll ensure people always get
the latest copies.
Other Interview Questions
|