Table of Contents
Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography,
have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for
many textbooks on cryptography. This book takes a different approach to introducing
cryptography: it pays much more attention to fit-for-application aspects of cryptography. It
explains why "textbook crypto" is only good in an ideal world where data are random and bad
guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by
demonstrating numerous attacks on such schemes, protocols and systems under various real-
world application scenarios. This book chooses to introduce a set of practical cryptographic
schemes, protocols and systems, many of them standards or de facto ones, studies them closely,
explains their working principles, discusses their practical usages, and examines their strong
(i.e., fit-for-application) security properties, often with security evidence formally established.
The book also includes self-contained theoretical background material that is the foundation for
modern cryptography.

Copyright

Hewlett-Packard® Professional Books

A Short Description of the Book

Preface


Scope


Acknowledgements


List of Figures

List of Algorithms, Protocols and Attacks

Part I: Introduction



Chapter 1. Beginning with a Simple Communication Game


Section 1.1. A Communication Game


Section 1.2. Criteria for Desirable Cryptographic Systems and Protocols


Section 1.3. Chapter Summary


Exercises



Chapter 2. Wrestling Between Safeguard and Attack


Section 2.1. Introduction



Section 2.2. Encryption


Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)


Section 2.4. Authentication Servers


Section 2.5. Security Properties for Authenticated Key Establishment


Section 2.6. Protocols for Authenticated Key Establishment Using Encryption


Section 2.7. Chapter Summary


Exercises

Part II: Mathematical Foundations: Standard Notation



Chapter 3. Probability and Information Theory


Section 3.1. Introduction



Section 3.2. Basic Concept of Probability


Section 3.3. Properties


Section 3.4. Basic Calculation


Section 3.5. Random Variables and their Probability Distributions


Section 3.6. Birthday Paradox


Section 3.7. Information Theory



Section 3.8. Redundancy in Natural Languages


Section 3.9. Chapter Summary


Exercises



Chapter 4. Computational Complexity



Section 4.1. Introduction


Section 4.2. Turing Machines


Section 4.3. Deterministic Polynomial Time


Section 4.4. Probabilistic Polynomial Time


Section 4.5. Non-deterministic Polynomial Time


Section 4.6. Non-Polynomial Bounds


Section 4.7. Polynomial-time Indistinguishability


Section 4.8. Theory of Computational Complexity and Modern Cryptography


Section 4.9. Chapter Summary


Exercises




Chapter 5. Algebraic Foundations


Section 5.1. Introduction


Section 5.2. Groups


Section 5.3. Rings and Fields


Section 5.4. The Structure of Finite Fields


Section 5.5. Group Constructed Using Points on an Elliptic Curve


Section 5.6. Chapter Summary


Exercises



Chapter 6. Number Theory



Section 6.1. Introduction


Section 6.2. Congruences and Residue Classes


Section 6.3. Euler's Phi Function


Section 6.4. The Theorems of Fermat, Euler and Lagrange


Section 6.5. Quadratic Residues


Section 6.6. Square Roots Modulo Integer


Section 6.7. Blum Integers


Section 6.8. Chapter Summary


Exercises

Part III: Basic Cryptographic Techniques




Chapter 7. Encryption — Symmetric Techniques


Section 7.1. Introduction


Section 7.2. Definition


Section 7.3. Substitution Ciphers


Section 7.4. Transposition Ciphers


Section 7.5. Classical Ciphers: Usefulness and Security


Section 7.6. The Data Encryption Standard (DES)


Section 7.7. The Advanced Encryption Standard (AES)


Section 7.8. Confidentiality Modes of Operation


Section 7.9. Key Channel Establishment for Symmetric Cryptosystems



Section 7.10. Chapter Summary


Exercises



Chapter 8. Encryption — Asymmetric Techniques


Section 8.1. Introduction


Section 8.2. Insecurity of "Textbook Encryption Algorithms"


Section 8.3. The Diffie-Hellman Key Exchange Protocol


Section 8.4. The Diffie-Hellman Problem and the Discrete Logarithm Problem



Section 8.5. The RSA Cryptosystem (Textbook Version)


Section 8.6. Cryptanalysis Against Public-key Cryptosystems


Section 8.7. The RSA Problem



Section 8.8. The Integer Factorization Problem


Section 8.9. Insecurity of the Textbook RSA Encryption


Section 8.10. The Rabin Cryptosystem (Textbook Version)


Section 8.11. Insecurity of the Textbook Rabin Encryption


Section 8.12. The ElGamal Cryptosystem (Textbook Version)


Section 8.13. Insecurity of the Textbook ElGamal Encryption


Section 8.14. Need for Stronger Security Notions for Public-key Cryptosystems


Section 8.15. Combination of Asymmetric and Symmetric Cryptography


Section 8.16. Key Channel Establishment for Public-key Cryptosystems


Section 8.17. Chapter Summary



Exercises



Chapter 9. In An Ideal World: Bit Security of The Basic Public-Key Cryptographic Functions


Section 9.1. Introduction


Section 9.2. The RSA Bit


Section 9.3. The Rabin Bit


Section 9.4. The ElGamal Bit


Section 9.5. The Discrete Logarithm Bit


Section 9.6. Chapter Summary


Exercises




Chapter 10. Data Integrity Techniques


Section 10.1. Introduction


Section 10.2. Definition


Section 10.3. Symmetric Techniques


Section 10.4. Asymmetric Techniques I: Digital Signatures


Section 10.5. Asymmetric Techniques II: Data Integrity Without Source Identification


Section 10.6. Chapter Summary


Exercises

Part IV: Authentication



Chapter 11. Authentication Protocols — Principles



Section 11.1. Introduction


Section 11.2. Authentication and Refined Notions


Section 11.3. Convention


Section 11.4. Basic Authentication Techniques


Section 11.5. Password-based Authentication


Section 11.6. Authenticated Key Exchange Based on Asymmetric Cryptography


Section 11.7. Typical Attacks on Authentication Protocols


Section 11.8. A Brief Literature Note


Section 11.9. Chapter Summary


Exercises




Chapter 12. Authentication Protocols — The Real World


Section 12.1. Introduction


Section 12.2. Authentication Protocols for Internet Security


Section 12.3. The Secure Shell (SSH) Remote Login Protocol


Section 12.4. The Kerberos Protocol and its Realization in Windows 2000


Section 12.5. SSL and TLS


Section 12.6. Chapter Summary


Exercises



Chapter 13. Authentication Framework for Public-Key Cryptography



Section 13.1. Introduction


Section 13.2. Directory-Based Authentication Framework


Section 13.3. Non-Directory Based Public-key Authentication Framework


Section 13.4. Chapter Summary


Exercises

Part V: Formal Approaches to Security Establishment



Chapter 14. Formal and Strong Security Definitions for Public-Key Cryptosystems


Section 14.1. Introduction


Section 14.2. A Formal Treatment for Security


Section 14.3. Semantic Security — the Debut of Provable Security



Section 14.4. Inadequacy of Semantic Security


Section 14.5. Beyond Semantic Security


Section 14.6. Chapter Summary


Exercises



Chapter 15. Provably Secure and Efficient Public-Key Cryptosystems


Section 15.1. Introduction


Section 15.2. The Optimal Asymmetric Encryption Padding


Section 15.3. The Cramer-Shoup Public-key Cryptosystem


Section 15.4. An Overview of Provably Secure Hybrid Cryptosystems


Section 15.5. Literature Notes on Practical and Provably Secure Public-key Cryptosystems



Section 15.6. Chapter Summary


Section 15.7. Exercises



Chapter 16. Strong and Provable Security for Digital Signatures


Section 16.1. Introduction


Section 16.2. Strong Security Notion for Digital Signatures


Section 16.3. Strong and Provable Security for ElGamal-family Signatures


Section 16.4. Fit-for-application Ways for Signing in RSA and Rabin


Section 16.5. Signcryption


Section 16.6. Chapter Summary


Section 16.7. Exercises




Chapter 17. Formal Methods for Authentication Protocols Analysis


Section 17.1. Introduction


Section 17.2. Toward Formal Specification of Authentication Protocols


Section 17.3. A Computational View of Correct Protocols — the Bellare-Rogaway Model


Section 17.4. A Symbolic Manipulation View of Correct Protocols


Section 17.5. Formal Analysis Techniques: State System Exploration


Section 17.6. Reconciling Two Views of Formal Techniques for Security


Section 17.7. Chapter Summary


Exercises

Part VI: Cryptographic Protocols




Chapter 18. Zero-Knowledge Protocols


Section 18.1. Introduction


Section 18.2. Basic Definitions


Section 18.3. Zero-knowledge Properties


Section 18.4. Proof or Argument?


Section 18.5. Protocols with Two-sided-error


Section 18.6. Round Efficiency


Section 18.7. Non-interactive Zero-knowledge


Section 18.8. Chapter Summary



Exercises



Chapter 19. Returning to "Coin Flipping Over Telephone"


Section 19.1. Blum's "Coin-Flipping-By-Telephone" Protocol


Section 19.2. Security Analysis


Section 19.3. Efficiency


Section 19.4. Chapter Summary



Chapter 20. Afterremark



Bibliography

Copyright
Library of Congress Cataloging-in-Publication Data
A CIP catalog record for this book can be obtained from the Library of Congress.
Editorial/production supervision: Mary Sudul
Cover design director: Jerry Votta
Cover design: Talar Boorujy
Manufacturing manager: Maura Zaldivar
Acquisitions editor: Jill Harry
Marketing manager: Dan DePasquale
Publisher, Hewlett-Packard Books: Walter Bruce
© 2004 by Hewlett-Packard Company
Published by Prentice Hall PTR
Prentice-Hall, Inc.
Upper Saddle River, New Jersey 07458
Prentice Hall books are widely used by corporations and government agencies for training,
marketing, and resale.
The publisher offers discounts on this book when ordered in bulk quantities. For more
information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141;
E-mail:
Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ
07458.
Other product or company names mentioned herein are the trademarks or registered trademarks
of their respective owners.
All rights reserved. No part of this book may be reproduced, in any form or by any means,
without permission in writing from the publisher.
Printed in the United States of America
1st Printing

Pearson Education LTD.
Pearson Education Australia PTY, Limited
Pearson Education Singapore, Pte. Ltd.
Pearson Education North Asia Ltd.
Pearson Education Canada, Ltd.
Pearson Educación de Mexico, S.A. de C.V.
Pearson Education — Japan
Pearson Education Malaysia, Pte. Ltd.

Dedication
To
Ronghui || Yiwei || Yifan

Hewlett-Packard® Professional Books

HP-UX
Fernandez - Configuring CDE
Madell - Disk and File Management Tasks on HP-UX
Olker - Optimizing NFS Performance
Poniatowski - HP-UX 11i Virtual Partitions
Poniatowski - HP-UX 11i System Administration Handbook and Toolkit, Second Edition
Poniatowski - The HP-UX 11.x System Administration Handbook and Toolkit
Poniatowski - HP-UX 11.x System Administration "How To" Book
Poniatowski - HP-UX 10.x System Administration "How To" Book
Poniatowski - HP-UX System Administration Handbook and Toolkit
Poniatowski - Learning the HP-UX Operating System
Rehman - HP Certified: HP-UX System Administration
Sauers/Weygant - HP-UX Tuning and Performance
Weygant - Clusters for High Availability, Second Edition
Wong - HP-UX 11i Security

UNIX, LINUX, WINDOWS, AND MPE I/X
Mosberger/Eranian - IA-64 Linux Kernel
Poniatowski - UNIX User's Handbook, Second Edition
Stone/Symons - UNIX Fault Management

COMPUTER ARCHITECTURE
Evans/Trimper - Itanium Architecture for Programmers
Kane - PA-RISC 2.0 Architecture
Markstein - IA-64 and Elementary Functions

NETWORKING/COMMUNICATIONS
Blommers - Architecting Enterprise Solutions with UNIX Networking
Blommers - OpenView Network Node Manager
Blommers - Practical Planning for Network Growth
Brans - Mobilize Your Enterprise
Cook - Building Enterprise Information Architecture

Lucke - Designing and Implementing Computer Workgroups
Lund - Integrating UNIX and PC Network Operating Systems

SECURITY
Bruce - Security in Distributed Computing
Mao - Modern Cryptography: Theory and Practice
Pearson et al. - Trusted Computing Platforms
Pipkin - Halting the Hacker, Second Edition
Pipkin - Information Security

WEB/INTERNET CONCEPTS AND PROGRAMMING
Amor - E-business (R)evolution, Second Edition
Apte/Mehta - UDDI
Mowbrey/Werry - Online Communities
Tapadiya - .NET Programming

OTHER PROGRAMMING
Blinn - Portable Shell Programming
Caruso - Power Programming in HP Open View
Chaudhri - Object Databases in Practice
Chew - The Java/C++ Cross Reference Handbook
Grady - Practical Software Metrics for Project Management and Process Improvement
Grady - Software Metrics
Grady - Successful Software Process Improvement
Lewis - The Art and Science of Smalltalk
Lichtenbelt - Introduction to Volume Rendering
Mellquist - SNMP++
Mikkelsen - Practical Software Configuration Management
Norton - Thread Time
Tapadiya - COM+ Programming
Yuan - Windows 2000 GDI Programming

STORAGE
Thornburgh - Fibre Channel for Mass Storage
Thornburgh/Schoenborn - Storage Area Networks
Todman - Designing Data Warehouses

IT/IS

Missbach/Hoffman - SAP Hardware Solutions

IMAGE PROCESSING
Crane - A Simplified Approach to Image Processing
Gann - Desktop Scanners

A Short Description of the Book
Many cryptographic schemes and protocols, especially those based on public-key cryptography,
have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for
many textbooks on cryptography. This book takes a different approach to introducing
cryptography: it pays much more attention to fit-for-application aspects of cryptography. It
explains why "textbook crypto" is only good in an ideal world where data are random and bad
guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by
demonstrating numerous attacks on such schemes, protocols and systems under various real-
world application scenarios. This book chooses to introduce a set of practical cryptographic
schemes, protocols and systems, many of them standards or de facto ones, studies them closely,
explains their working principles, discusses their practical usages, and examines their strong
(i.e., fit-for-application) security properties, often with security evidence formally established.
The book also includes self-contained theoretical background material that is the foundation for
modern cryptography.

Preface
Our society has entered an era where commerce activities, business transactions and
government services have been, and more and more of them will be, conducted and offered over
open computer and communications networks such as the Internet, in particular, via
WorldWideWeb-based tools. Doing things online has a great advantage of an always-on
availability to people in any corner of the world. Here are a few examples of things that have
been, can or will be done online:
Banking, bill payment, home shopping, stock trading, auctions, taxation, gambling, micro-
payment (e.g., pay-per-downloading), electronic identity, online access to medical records,
virtual private networking, secure data archival and retrieval, certified delivery of
documents, fair exchange of sensitive documents, fair signing of contracts, time-stamping,
notarization, voting, advertising, licensing, ticket booking, interactive games, digital
libraries, digital rights management, pirate tracing, …
And more can be imagined.
Fascinating commerce activities, transactions and services like these are only possible if
communications over open networks can be conducted in a secure manner. An effective solution
to securing communications over open networks is to apply cryptography. Encryption, digital
signatures, password-based user authentication, are some of the most basic cryptographic
techniques for securing communications. However, as we shall witness many times in this book,
there are surprising subtleties and serious security consequences in the applications of even the
most basic cryptographic techniques. Moreover, for many "fancier" applications, such as many
listed in the preceding paragraph, the basic cryptographic techniques are no longer adequate.
With an increasingly large demand for safeguarding communications over open networks for more and more sophisticated forms of electronic commerce, business and services[a], an increasingly large number of information security professionals will be needed for designing, developing, analyzing and maintaining information security systems and cryptographic protocols. These professionals may range from IT systems administrators, information security engineers and software/hardware systems developers whose products have security requirements, to cryptographers.
[a] Gartner Group forecasts that total electronic business revenues for business to business (B2B) and business to consumer (B2C) in the European Union will reach a projected US $2.6 trillion in 2004 (with probability 0.7) which is a 28-fold increase from the level of 2000 [5]. Also, eMarketer [104] (page 41) reports that the cost to financial institutions (in USA) due to electronic identity theft was US $1.4 billion in 2002, and forecasts to grow by a compound annual growth rate of 29%.
In the past few years, the author, a technical consultant on information security and cryptographic systems at Hewlett-Packard Laboratories in Bristol, has witnessed the phenomenon of a progressively increased demand for information security professionals unmatched by an evident shortage of them. As a result, many engineers who are oriented to application problems and may have little proper training in cryptography and information security have become "roll-up-sleeves" designers and developers for information security systems or cryptographic protocols. This is in spite of the fact that designing cryptographic systems and protocols is a difficult job even for an expert cryptographer.
The author's job has granted him privileged opportunities to review many information security systems and cryptographic protocols, some of them proposed and designed by "roll-up-sleeves" engineers and intended for use in serious applications. On several occasions, the author observed so-called "textbook crypto" features in such systems, which are the result of applying cryptographic algorithms and schemes in the ways they are usually introduced in many



cryptographic textbooks. Direct encryption of a password (a secret number of a small magnitude) under a basic public-key encryption algorithm (e.g., "RSA") is a typical example of textbook crypto. The appearances of textbook crypto in serious applications with a "non-negligible probability" have caused a concern for the author to realize that the general danger of textbook crypto is not widely known to many people who design and develop information security systems for serious real-world applications.
Motivated by an increasing demand for information security professionals and a belief that their knowledge in cryptography should not be limited to textbook crypto, the author has written this book as a textbook on non-textbook cryptography. This book endeavors to:
Introduce a wide range of cryptographic algorithms, schemes and protocols with a particular emphasis on their non-textbook versions.
Reveal general insecurity of textbook crypto by demonstrating a large number of attacks on and summarizing typical attacking techniques for such systems.
Provide principles and guidelines for the design, analysis and implementation of cryptographic systems and protocols with a focus on standards.
Study formalism techniques and methodologies for a rigorous establishment of strong and fit-for-application security notions for cryptographic systems and protocols.
Include self-contained and elaborated material as theoretical foundations of modern cryptography for readers who desire a systematic understanding of the subject.



Scope
Modern cryptography is a vast area of study as a result of fast advances made in the past thirty
years. This book focuses on one aspect: introducing fit-for-application cryptographic schemes
and protocols with their strong security properties evidently established.
The book is organized into the following six parts:
Part I
This part contains two chapters (1-2) and serves as an elementary-level introduction to the book and to the areas of cryptography and information security. Chapter 1 begins with a demonstration of the effectiveness of cryptography in solving a subtle communication problem. A simple cryptographic protocol (the first protocol of the book) for achieving "fair coin tossing over telephone" will be presented and discussed. This chapter then carries on to conduct a cultural and "trade" introduction to the areas of study. Chapter 2 uses a series of simple authentication protocols to manifest an unfortunate fact in the areas: pitfalls are everywhere.
As an elementary-level introduction, this part is intended for newcomers to the areas.
Part II
This part contains four chapters (3-6) as a set of mathematical background knowledge, facts and basis to serve as a self-contained mathematical reference guide for the book. Readers who only intend to "know-how," i.e., know how to use the fit-for-application crypto schemes and protocols, may skip this part yet still be able to follow most contents of the rest of the book. Readers who also want to "know-why," i.e., know why these schemes and protocols have strong security properties, may find that this self-contained mathematical part is a sufficient reference material. When we present working principles of cryptographic schemes and protocols, reveal insecurity for some of them and reason about security for the rest, it will always be possible for us to refer to a precise point in this part of the book for supporting mathematical foundations.
This part can also be used to conduct a systematic background study of the theoretical foundations for modern cryptography.
Part III
This part contains four chapters (7-10) introducing the most basic cryptographic algorithms and techniques for providing privacy and data integrity protections. Chapter 7 is for symmetric encryption schemes, Chapter 8, asymmetric techniques. Chapter 9 considers an important security quality possessed by the basic and popular asymmetric cryptographic functions when they are used in an ideal world in which data are random. Finally, Chapter 10 covers data integrity techniques.
Since the schemes and techniques introduced here are the most basic ones, many of them are in fact in the textbook crypto category and are consequently insecure. While the schemes are introduced, abundant attacks on many schemes will be demonstrated with warning remarks explicitly stated. For practitioners who do not plan to proceed with an in-depth study of fit-for-application crypto and their strong security notions, this textbook crypto part will still provide these readers with explicit early warning signals on the general insecurity of textbook crypto.
Part IV
This part contains three chapters (11-13) introducing an important notion in applied cryptography and information security: authentication. These chapters provide a wide coverage of the topic. Chapter 11 includes technical background, principles, a series of basic protocols and standards, common attacking tricks and prevention measures. Chapter 12 is a case study of four well-known authentication protocol systems for real world applications. Chapter 13 introduces techniques which are particularly suitable for open



systems which cover up-to-date and novel techniques.
Practitioners, such as information security systems administration staff in an enterprise and
software/hardware developers whose products have security consequences may find this
part helpful.
Part V
This part contains four chapters (14-17) which provide formalism and rigorous treatments for strong (i.e., fit-for-application) security notions for public-key cryptographic techniques (encryption, signature and signcryption) and formal methodologies for the analysis of authentication protocols. Chapter 14 introduces formal definitions of strong security notions. The next two chapters are fit-for-application counterparts to textbook crypto schemes introduced in Part III, with strong security properties formally established (i.e., evidently reasoned). Finally, Chapter 17 introduces formal analysis methodologies and techniques for the analysis of authentication protocols, which we have not been able to deal with in Part IV.
Part VI
This is the final part of the book. It contains two technical chapters (18-19) and a short final remark (Chapter 20). The main technical content of this part, Chapter 18, introduces a class of cryptographic protocols called zero-knowledge protocols. These protocols provide an important security service which is needed in various "fancy" electronic commerce and business applications: verification of a claimed property of secret data (e.g., in conforming with a business requirement) while preserving a strict privacy quality for the claimant. Zero-knowledge protocols to be introduced in this part exemplify the diversity of special security needs in various real world applications, which are beyond confidentiality, integrity, authentication and non-repudiation. In the final technical chapter of the book (Chapter 19) we will complete our job which has been left over from the first protocol of the book: to realize "fair coin tossing over telephone." That final realization will achieve a protocol which has evidently-established strong security properties yet with an efficiency suitable for practical applications.
Needless to say, a description of each fit-for-application crypto scheme or protocol has to begin with a reason why the textbook crypto counterpart is unfit for application. Invariably, these reasons are demonstrated by attacks on these schemes or protocols, which, by the nature of attacks, often involve a certain degree of subtlety. In addition, a description of a fit-for-application scheme or protocol must also end with an analysis showing that the strong (i.e., fit-for-application) security properties do hold as claimed. Consequently, some parts of this book inevitably contain mathematical and logical reasoning, deductions and transformations in order to manifest attacks and fixes.
While admittedly fit-for-application cryptography is not a topic for quick mastery or that can be
mastered via light reading, this book, nonetheless, is not one for in-depth research topics which
will only be of interest to specialist cryptographers. The things reported and explained in it are
well-known and quite elementary to cryptographers. The author believes that they can also be
comprehended by non-specialists if the introduction to the subject is provided with plenty of
explanations and examples and is supported by self-contained mathematical background and
reference material.
The book is aimed at the following readers.
Students who have completed, or are near to completion of, first degree courses in
computer, information science or applied mathematics, and plan to pursue a career in
information security. For them, this book may serve as an advanced course in applied
cryptography.
Security engineers in high-tech companies who are responsible for the design and
development of information security systems. If we say that the consequence of textbook



crypto appearing in an academic research proposal may not be too harmful since the worst case of the consequence would be an embarrassment, then the use of textbook crypto in an information security product may lead to a serious loss. Therefore, knowing the unfitness of textbook crypto for real world applications is necessary for these readers. Moreover, these readers should have a good understanding of the security principles behind the fit-for-application schemes and protocols so that they can apply the schemes and the principles correctly. The self-contained mathematical foundations material in Part II makes the book a suitable self-teaching text for these readers.
Information security systems administration staff in an enterprise and software/hardware systems developers whose products have security consequences. For these readers, Part I is a simple and essential course for cultural and "trade" training; Parts III and IV form a suitable cut-down set of knowledge in cryptography and information security. These three parts contain many basic crypto schemes and protocols accompanied with plenty of attacking tricks and prevention measures which should be known to and can be grasped by this population of readers without demanding them to be burdened by theoretical foundations.
New Ph.D. candidates beginning their research in cryptography or computer security. These readers will appreciate a single-point reference book which covers formal treatment of strong security notions and elaborates these notions adequately. Such a book can help them to quickly enter into the vast area of study. For them, Parts II, IV, V, and VI constitute a suitable level of literature survey material which can lead them to find further literature, and can help them to shape and specialize their own research topics.
A cut-down subset of the book (e.g., Parts I, II, III and VI) also forms a suitable course in applied cryptography for undergraduate students in computer science, information science and applied mathematics courses.



Acknowledgements
I am deeply grateful to Feng Bao, Colin Boyd, Richard DeMillo, Steven Galbraith, Dieter
Gollmann, Keith Harrison, Marcus Leech, Helger Lipmaa, Hoi-Kwong Lo, Javier Lopez, John
Malone-Lee, Cary Meltzer, Christian Paquin, Kenny Paterson, David Pointcheval, Vincent Rijmen,
Nigel Smart, David Soldera, Paul van Oorschot, Serge Vaudenay and Stefek Zaba. These people
gave generously of their time to review chapters or the whole book and provide invaluable
comments, criticisms and suggestions which make the book better.
The book also benefits from the following people answering my questions: Mihir Bellare, Jan
Camenisch, Neil Dunbar, Yair Frankel, Shai Halevi, Antoine Joux, Marc Joye, Charlie Kaufman,
Adrian Kent, Hugo Krawczyk, Catherine Meadows, Bill Munro, Phong Nguyen, Radia Perlman,
Marco Ricca, Ronald Rivest, Steve Schneider, Victor Shoup, Igor Shparlinski and Moti Yung.
I would also like to thank Jill Harry at Prentice-Hall PTR and Susan Wright at HP Professional
Books for introducing me to book writing and for the encouragement and professional support
they provided during the lengthy period of manuscript writing. Thanks also to Jennifer Blackwell,
Robin Carroll, Brenda Mulligan, Justin Somma and Mary Sudul at Prentice-Hall PTR and to
Walter Bruce and Pat Pekary at HP Professional Books.
I am also grateful to my colleagues at Hewlett-Packard Laboratories Bristol, including David Ball,
Richard Cardwell, Liqun Chen, Ian Cole, Gareth Jones, Stephen Pearson and Martin Sadler for
technical and literature services and management support.
Bristol, England
May 2003




List of Figures

2.1  A Simplified Pictorial Description of a Cryptographic System  25
3.1  Binomial Distribution  70
4.1  A Turing Machine  87
4.2  The operation of machine Div3  90
4.3  Bitwise Time Complexities of the Basic Modular Arithmetic Operations  103
4.4  All Possible Moves of a Non-deterministic Turing Machine  124
5.1  Elliptic Curve Group Operation  168
7.1  Cryptographic Systems  208
7.2  Feistel Cipher (One Round)  220
7.3  The Cipher Block Chaining Mode of Operation  233
7.4  The Cipher Feedback Mode of Operation  238
7.5  The Output Feedback Mode of Operation  239
10.1  Data Integrity Systems  299
12.1  An Unprotected IP Packet  390
12.2  The Structure of an Authentication Header and its Position in an IP Packet  392
12.3  The Structure of an Encapsulating Security Payload  393
12.4  Kerberos Exchanges  412
14.1  Summary of the Indistinguishable Attack Games  489
14.2  Reduction from an NM-attack to an IND-attack  495
14.3  Reduction from IND-CCA2 to NM-CCA2  497
14.4  Relations Among Security Notions for Public-key Cryptosystems  498
15.1  Optimal Asymmetric Encryption Padding (OAEP)  503
15.2  OAEP as a Two-round Feistel Cipher  504
15.3  Reduction from Inversion of a One-way Trapdoor Function f to an Attack on the f-OAEP Scheme  511
15.4  Reduction from the DDH Problem to an Attack on the Cramer-Shoup Cryptosystem  532
16.1  Reduction from a Signature Forgery to Solving a Hard Problem  551
16.2  Successful Forking Answers to Random Oracle Queries  553





16.3  The PSS Padding  560
16.4  The PSS-R Padding  563
17.1  The CSP Language  609
17.2  The CSP Entailment Axioms  613



List of Algorithms, Protocols and Attacks
Protocol 1.1: Coin Flipping Over Telephone  5
Protocol 2.1: From Alice To Bob  32
Protocol 2.2: Session Key From Trent  34
Attack 2.1: An Attack on Protocol "Session Key From Trent"  35
Protocol 2.3: Message Authentication  39
Protocol 2.4: Challenge Response (the Needham-Schroeder Protocol)  43
Attack 2.2: An Attack on the Needham-Schroeder Protocol  44
Protocol 2.5: Needham-Schroeder Public-key Authentication Protocol  47
Attack 2.3: An Attack on the Needham-Schroeder Public-key Protocol  50
Algorithm 4.1: Euclid Algorithm for Greatest Common Divisor  93
Algorithm 4.2: Extended Euclid Algorithm  96
Algorithm 4.3: Modular Exponentiation  101
Algorithm 4.4: Searching Through Phone Book (a ZPP Algorithm)  108
Algorithm 4.5: Probabilistic Primality Test (a Monte Carlo Algorithm)  110
Algorithm 4.6: Proof of Primality (a Las Vegas Algorithm)  113
Protocol 4.1: Quantum Key Distribution (an Atlantic City Algorithm)  117
Algorithm 4.7: Random k-bit Probabilistic Prime Generation  121
Algorithm 4.8: Square-Freeness Integer  123
Algorithm 5.1: Random Primitive Root Modulo Prime  166
Algorithm 5.2: Point Multiplication for Elliptic Curve Element  171
Algorithm 6.1: Chinese Remainder  182
Algorithm 6.2: Legendre/Jacobi Symbol  191
Algorithm 6.3: Square Root Modulo Prime (Special Cases)  194
Algorithm 6.4: Square Root Modulo Prime (General Case)  196



Algorithm 6.5: Square Root Modulo Composite  197
Protocol 7.1: A Zero-knowledge Protocol Using Shift Cipher  216
Protocol 8.1: The Diffie-Hellman Key Exchange Protocol  249
Attack 8.1: Man-in-the-Middle Attack on the Diffie-Hellman Key Exchange Protocol  251
Algorithm 8.1: The RSA Cryptosystem  258
Algorithm 8.2: The Rabin Cryptosystem  269
Algorithm 8.3: The ElGamal Cryptosystem  274
Algorithm 9.1: Binary Searching RSA Plaintext Using a Parity Oracle  289
Algorithm 9.2: Extracting Discrete Logarithm Using a Parity Oracle  293
Algorithm 9.3: Extracting Discrete Logarithm Using a "Half-order Oracle"  294
Algorithm 10.1: The RSA Signature Scheme  309
Algorithm 10.2: The Rabin Signature Scheme  312
Algorithm 10.3: The ElGamal Signature Scheme  314
Algorithm 10.4: The Schnorr Signature Scheme  319
Algorithm 10.5: The Digital Signature Standard  320
Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP)  324
Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol  346
Attack 11.1: Wiener's Attack on ISO Public Key Three-Pass Mutual Authentication Protocol  347
Protocol 11.2: The Woo-Lam Protocol  350
Protocol 11.3: Needham's Password Authentication Protocol  352
Protocol 11.4: The S/KEY Protocol  355
Protocol 11.5: Encrypted Key Exchange (EKE)  357
Protocol 11.6: The Station-to-Station (STS) Protocol  361
Protocol 11.7: Flawed "Authentication-only" STS Protocol  363
Attack 11.2: An Attack on the "Authentication-only" STS Protocol  364
Attack 11.3: Lowe's Attack on the STS Protocol (a Minor Flaw)  366
Attack 11.4: An Attack on the S/KEY Protocol  371




Attack 11.5: A Parallel-Session Attack on the Woo-Lam Protocol
Attack 11.6: A Reflection Attack on a "Fixed" Version of the Woo-Lam Protocol
Protocol 11.8: A Minor Variation of the Otway-Rees Protocol
Attack 11.7: An Attack on the Minor Variation of the Otway-Rees Protocol
Protocol 12.1: Signature-based IKE Phase 1 Main Mode
Attack 12.1: Authentication Failure in Signature-based IKE Phase 1 Main Mode
Protocol 12.2: A Typical Run of the TLS Handshake Protocol
Algorithm 13.1: Shamir's Identity-based Signature Scheme
Algorithm 13.2: The Identity-Based Cryptosystem of Boneh and Franklin
Protocol 14.1: Indistinguishable Chosen-plaintext Attack
Protocol 14.2: A Fair Deal Protocol for the SRA Mental Poker Game
Algorithm 14.1: The Probabilistic Cryptosystem of Goldwasser and Micali
Algorithm 14.2: A Semantically Secure Version of the ElGamal Cryptosystem
Protocol 14.3: "Lunchtime Attack" (Non-adaptive Indistinguishable Chosen-ciphertext Attack)
Protocol 14.4: "Small-hours Attack" (Indistinguishable Adaptive Chosen-ciphertext Attack)
Protocol 14.5: Malleability Attack in Chosen-plaintext Mode
Algorithm 15.1: The Cramer-Shoup Public-key Cryptosystem
Algorithm 15.2: Product of Exponentiations
Algorithm 16.1: The Probabilistic Signature Scheme (PSS)
Algorithm 16.2: The Universal RSA-Padding Scheme for Signature and Encryption
Algorithm 16.3: Zheng's Signcryption Scheme SCS1
Algorithm 16.4: Two Birds One Stone: RSA-TBOS Signcryption Scheme
Protocol 17.1: The Needham-Schroeder Symmetric-key Authentication Protocol in Refined Specification



Protocol 17.2: The Woo-Lam Protocol in Refined Specification
Protocol 17.3: The Needham-Schroeder Public-key Authentication Protocol
Protocol 17.4: The Needham-Schroeder Public-key Authentication Protocol in Refined Specification
Protocol 17.5: Another Refined Specification of the Needham-Schroeder Public-key Authentication Protocol
Protocol 17.6: MAP1
Protocol 18.1: An Interactive Proof Protocol for Subgroup Membership
Protocol 18.2: Schnorr's Identification Protocol
Protocol 18.3: A Perfect Zero-knowledge Proof Protocol for Quadratic Residuosity
Protocol 18.4: ZK Proof that N Has Two Distinct Prime Factors
Protocol 18.5: "Not To Be Used"
Protocol 18.6: Chaum's ZK Proof of Dis-Log-EQ Protocol
Protocol 19.1: Blum's Coin-Flipping-by-Telephone Protocol



Part I: Introduction
The first part of this book consists of two introductory chapters. They introduce some of the most basic concepts in cryptography and information security; the environment in which we communicate and handle sensitive information; several well-known figures who act in that environment, and the standard modus operandi of those among them who play the role of bad guys; the culture of the communities that research and develop cryptographic and information security systems; and the fact that these systems are extremely error-prone.
As an elementary-level introduction, this part is intended for newcomers to these areas.
