Preprint

Foundations of Cybersecurity, volume I: An Applied Introduction to Cryptography


Abstract

This is a draft of volume I of the textbook `Foundations of Cybersecurity'. This volume is titled `An Applied Introduction to Cryptography'. This course evolved from my lecture notes for the `Introduction to Cyber-Security' course, which I give at the University of Connecticut. See my project for this text for presentations and more details. Comments, corrections and other feedback are appreciated.
Conference Paper
We present CDN-on-Demand, a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, at a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDN-on-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers. CDN-on-Demand can use less expensive, and less trusted, clouds to minimize costs. This is facilitated by clientless secure-objects, a new mechanism we present. The clientless secure-objects mechanism avoids trusting the hosts with private keys or user data, yet does not require installing new client programs. CDN-on-Demand also introduces an origin-connectivity mechanism, which ensures that essential communication with the content origin is possible, even in case of severe DoS attacks. A critical feature of CDN-on-Demand is in facilitating easy deployment. We introduce the origin-gateway module, which deploys CDN-on-Demand automatically and transparently, i.e., without introducing changes to web-server configuration or website content. We provide an open-source implementation of CDN-on-Demand, which we use to evaluate each component separately as well as the complete system.
Conference Paper
The ANSI X9.17/X9.31 pseudorandom number generator design was first standardized in 1985, with variants incorporated into numerous cryptographic standards over the next three decades. The design uses timestamps together with a statically keyed block cipher to produce pseudo-random output. It has been known since 1998 that the key must remain secret in order for the output to be secure. However, neither the FIPS 140-2 standardization process nor NIST's later descriptions of the algorithm specified any process for key generation. We performed a systematic study of publicly available FIPS 140-2 certifications for hundreds of products that implemented the ANSI X9.31 random number generator, and found twelve whose certification documents describe the use of static, hard-coded keys in source code, leaving the implementation vulnerable to an attacker who can learn this key from the source code or binary. In order to demonstrate the practicality of such an attack, we develop a full passive decryption attack against FortiGate VPN gateway products using FortiOS v4 that recovers the private key in seconds. We measure the prevalence of this vulnerability on the visible Internet using active scans, and demonstrate state recovery and full private key recovery in the wild. Our work highlights the extent to which the validation and certification process has failed to provide even modest security guarantees.
Book
The reach of algebraic curves in cryptography goes far beyond elliptic curve or public key cryptography yet these other application areas have not been systematically covered in the literature. Addressing this gap, Algebraic Curves in Cryptography explores the rich uses of algebraic curves in a range of cryptographic applications, such as secret sharing, frameproof codes, and broadcast encryption. Suitable for researchers and graduate students in mathematics and computer science, this self-contained book is one of the first to focus on many topics in cryptography involving algebraic curves. After supplying the necessary background on algebraic curves, the authors discuss error-correcting codes, including algebraic geometry codes, and provide an introduction to elliptic curves. Each chapter in the remainder of the book deals with a selected topic in cryptography (other than elliptic curve cryptography). The topics covered include secret sharing schemes, authentication codes, frameproof codes, key distribution schemes, broadcast encryption, and sequences. Chapters begin with introductory material before featuring the application of algebraic curves.
Article
A mode of operation, or mode for short, is an algorithm that uses a symmetric-key block cipher to provide an information service, such as confidentiality or authentication. A good mode can remedy some weaknesses of a block cipher; on the other hand, a poorly designed mode may be insecure even though the underlying block cipher is good. Research on modes has always accompanied the development of block ciphers. With the advent of new block ciphers, there is a need to update long-standing modes of operation and an opportunity to consider the development of new modes. From the ECB, CBC, CFB and OFB modes of DES to the CTR, CCM, CMAC, GCM and AESKW modes of AES, the authors introduce in this paper the design rationales, security models, research results and the state of the art of research on block cipher modes of operation.