Yesterday I gave a day-long lecture on cryptography at the ACE Cyber Security Boot Camp run out of the Air Force Research Lab in Rome, NY. The ACE boot camp could make an interesting post in its own right, but for now I want to focus just on my lecture.
My aim was to present the aspects of cryptography that “information security professionals” should know, but I was a bit unsure exactly what to present, even though I face the same dilemma every time I teach cryptography as part of my Computer Security class. (In fact, except for cutting some material due to lack of time, I ended up covering pretty much what I cover in my Computer Security class.) I definitely feel that what I cover in both these cases should be targeted differently from what I cover in an undergraduate cryptography class — the goal of the latter is to really develop a deep understanding of cryptography, while the goal in the former cases is (in my opinion) to teach people how to use cryptography. (There is, of course, also the issue of time — there is no way I can cover all of a crypto undergrad course in one day, and when I teach Computer Security I cannot devote the entire semester to cryptography.)
So, what to teach? Here is roughly what I covered:
- I began with a discussion of “modern cryptography”, stressing the importance of definitions, explicit (cryptographic) assumptions, and proofs. While I don’t expect information security professionals to ever write (or read) a formal definition or proof, I do want them to know that these are out there: they should be able to informally define security requirements for some task; they should understand that different encryption schemes, say, provide different levels of security; and they should know to be very wary of using any crypto scheme that doesn’t come with a proof of security. I also want to correct the misconception that so many people seem to have about cryptography being an “art” rather than much more of a “science”. (Sadly, even many people teaching crypto at the university level seem to have this misconception…)
- I discussed private-key encryption, beginning with perfect secrecy and its limitations and using this to motivate computational security. I went through the exercise of asking them to propose a good definition of security to illustrate how subtle this really is. I covered PRGs and PRFs/block ciphers (3DES, AES), and defined CPA-security. I showed proofs for some simple constructions, though in retrospect this was probably a mistake since I think it was too much to cover in such a short time. (My goal was just to show one proof so they got the idea of how such proofs work.) I taught them about CBC mode and CTR mode, and stressed that they should use a standard mode with a standard block cipher.
- I then spoke about message authentication codes. Again I gave a simple construction and proof (and, again, this may have been too much), and then showed CBC-MAC and HMAC. Along the way I got to talk about hash functions. After this I talked briefly about CCA-security and authenticated encryption, and taught them to use the “Encrypt-then-Authenticate” technique to obtain authenticated encryption.
- I then moved on to a discussion of public-key cryptography. I began with the Diffie-Hellman protocol, and it was interesting to me how little number theory is needed to follow it. (I was planning to cover more, but cut it short due to lack of time. On the other hand this forced me to cut some details of Diffie-Hellman that I was going to address.) I talked about El Gamal encryption and then moved on to RSA. I mentioned “textbook RSA” encryption and why it is insecure, and then introduced RSA PKCS #1 v1.5 (“padded RSA”). I then taught them about hybrid encryption. Finally, I discussed chosen-ciphertext attacks/malleability, and then told them about the existence of RSA-OAEP/PKCS #1 v2.1 (without going into any details). I stressed that they should always use a CCA-secure scheme.
- I ended with signature schemes, where I found (relatively speaking) not very much to say. After describing what signatures can be used for (along with the definition of security), I showed them “textbook RSA” signatures and why they are insecure, and then showed them “hashed RSA” (i.e., FDH). I mentioned the existence of DSA, without any details. I also mentioned the hash-and-sign technique.
- I had planned to talk a bit about PKI, and end with a discussion of “cryptography implementation pitfalls” but ran out of time. (I do cover these topics in my Computer Security class.)
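The private-key part of the outline above (a PRF turned into CTR-mode encryption, a MAC, and the “Encrypt-then-Authenticate” combination) can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the lecture or from the author's book. To keep it runnable on the Python standard library alone it makes one assumption: HMAC-SHA256 stands in for the block cipher as the PRF. That is a legitimate instantiation of CTR mode, but a real system should use AES-CTR or, better, a vetted authenticated-encryption scheme such as AES-GCM or ChaCha20-Poly1305 rather than assembling the pieces by hand.

```python
"""Encrypt-then-Authenticate from a PRF in CTR mode plus HMAC.
Added example; not from the post or the author's book. HMAC-SHA256
stands in for the block cipher as the PRF (an assumption made so the
example runs on the standard library alone)."""
import hashlib
import hmac
import os

NONCE_LEN = 16   # per-message nonce; must never repeat under one key
TAG_LEN = 32     # HMAC-SHA256 output length


def _prf(key, block):
    """F_k(x): the pseudorandom function that CTR mode turns into a keystream."""
    return hmac.new(key, block, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """CTR mode: F_k(nonce || 0), F_k(nonce || 1), ... truncated to length bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _prf(key, nonce + counter.to_bytes(16, "big"))
        counter += 1
    return bytes(out[:length])


def ctr_xor(key, nonce, data):
    """Encryption and decryption are the same XOR in CTR mode."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def encrypt_then_mac(enc_key, mac_key, plaintext, nonce=None):
    """Encrypt with CTR, then MAC nonce||ciphertext under an independent key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_and_verify(enc_key, mac_key, message):
    """Verify the tag first (constant-time compare); decrypt only if it checks."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ciphertext)


def demo():
    """Bare CTR is malleable; Encrypt-then-MAC rejects the same tampering.
    Returns (roundtrip_ok, plaintext_after_bit_flip_on_bare_ctr, tamper_rejected)."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # independent keys
    msg = b"transfer $100 to alice"                      # constructed sample
    packet = encrypt_then_mac(enc_key, mac_key, msg)
    roundtrip_ok = decrypt_and_verify(enc_key, mac_key, packet) == msg

    # Bit-flipping on the unauthenticated CTR ciphertext: XOR the byte under
    # the '1' of "$100" so that it decrypts to "$900". No key needed.
    pos = msg.index(b"1")
    nonce = packet[:NONCE_LEN]
    body = bytearray(packet[NONCE_LEN:-TAG_LEN])
    body[pos] ^= ord("1") ^ ord("9")
    flipped = ctr_xor(enc_key, nonce, bytes(body))

    # The same flip inside the authenticated packet fails the MAC check.
    tampered = bytearray(packet)
    tampered[NONCE_LEN + pos] ^= ord("1") ^ ord("9")
    try:
        decrypt_and_verify(enc_key, mac_key, bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return roundtrip_ok, flipped, tamper_rejected


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the MAC covers the nonce as well as the ciphertext, so an attacker cannot swap nonces between packets, and the tag is checked with a constant-time comparison before any decryption happens, which is the property that makes Encrypt-then-Authenticate the safe ordering.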
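The public-key items above mention “textbook RSA” encryption and signatures and say they are insecure without spelling out the attacks. The following added example (written for this page; not code from the lecture or the author's book) shows them concretely: deterministic encryption, multiplicative malleability, a no-message signature forgery, and a forgery from two legitimate signatures, followed by the “hashed RSA” fix. The 32-bit primes found by trial division are an assumption made so the code runs instantly; they are hopelessly small for real use, where a modulus of at least 2048 bits is expected, and the hash is reduced mod n only so that the toy modulus works.

```python
"""Textbook RSA versus hashed RSA. Added example, not from the post or
the author's book. Toy 32-bit primes are an assumption for speed only."""
import hashlib
from math import gcd


def next_prime(n):
    """Smallest prime >= n by trial division (fine for 32-bit values)."""
    def is_prime(k):
        if k < 2:
            return False
        if k % 2 == 0:
            return k == 2
        i = 3
        while i * i <= k:
            if k % i == 0:
                return False
            i += 2
        return True
    while not is_prime(n):
        n += 1
    return n


def _prime_coprime_to(start, e):
    """Deterministic prime p >= start with gcd(e, p - 1) == 1."""
    p = next_prime(start)
    while gcd(e, p - 1) != 1:
        p = next_prime(p + 1)
    return p


def keygen(e=65537):
    """Toy key pair: public (n, e), private (n, d)."""
    p = _prime_coprime_to(2 ** 31, e)
    q = _prime_coprime_to(2 ** 31 + 10 ** 6, e)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


# --- textbook RSA: raw m^e and m^d, no padding, no hashing ---------------

def textbook_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)


def textbook_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)


def textbook_sign(sk, m):
    return textbook_decrypt(sk, m)


def textbook_verify(pk, m, sig):
    n, e = pk
    return pow(sig, e, n) == m % n


# --- hashed RSA (full-domain-hash style): sign H(m) instead of m ---------

def H(n, msg):
    # Reduced mod n only so the toy modulus works; real FDH needs a hash
    # whose output ranges over (almost) all of Z_n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def hashed_sign(sk, msg):
    n, d = sk
    return pow(H(n, msg), d, n)


def hashed_verify(pk, msg, sig):
    n, e = pk
    return pow(sig, e, n) == H(n, msg)


def demo():
    pk, sk = keygen()
    n, e = pk
    r = {}
    # 1. Deterministic: equal plaintexts give equal ciphertexts, so no CPA security.
    r["deterministic"] = textbook_encrypt(pk, 1000) == textbook_encrypt(pk, 1000)
    # 2. Malleable: E(m) * E(2) = E(2m) mod n, computed without d.
    c = textbook_encrypt(pk, 1000)
    r["malleable"] = textbook_decrypt(sk, (c * pow(2, e, n)) % n) == 2000
    # 3. No-message forgery: pick any sigma, declare m = sigma^e mod n.
    sigma = 123456789
    r["textbook_forgery"] = textbook_verify(pk, pow(sigma, e, n), sigma)
    # 4. Product forgery: signatures on 3 and 5 yield a signature on 15.
    s1, s2 = textbook_sign(sk, 3), textbook_sign(sk, 5)
    r["product_forgery"] = textbook_verify(pk, 15, (s1 * s2) % n)
    # 5. Hashed RSA: genuine signatures verify, but the product of two of them
    #    verifies for no message we can name (its hash would have to equal
    #    H(a) * H(b) mod n).
    sa, sb = hashed_sign(sk, b"a"), hashed_sign(sk, b"b")
    r["hashed_valid"] = hashed_verify(pk, b"a", sa) and hashed_verify(pk, b"b", sb)
    r["hashed_product_rejected"] = not any(
        hashed_verify(pk, m, (sa * sb) % n) for m in (b"a", b"b", b"ab", b"ba"))
    return r


if __name__ == "__main__":
    print(demo())
```

Attack 2 is the malleability that motivates CCA-secure padding (OAEP); attacks 3 and 4 are the ones that hashing the message before exponentiation removes, which is why hash-and-sign is the standard practice rather than an optimization.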
I was clearly basing most of these topics on what is covered in my book, and I am overall happy with this coverage.
What would I do differently next time? I would like to mention PKI and talk a bit about “crypto in the real world” (i.e., implementation issues) since this seems more critical for this audience than some of the more theoretical topics I covered. I would also like to stress a bit more some of the concrete issues (e.g., what RSA modulus size should currently be used), although I should mention that this did come up due to questions I got from the audience.
To make room for the above (and also because I ran short of time even with what I covered), I have to cut something. I would probably cut all the proofs (while still talking about how proofs are important) — it’s simply too difficult to convey a cryptographic reduction to someone who has never seen one before in the limited amount of time I had.