Published: March 2, 2018
(6
years
1
month
ago.)
The book in...
One sentence:
A detailed entry point into the world of cryptography and network security that includes such topics as mathematics, cypher algorithms, hashing, public/private key pairs and other associated content.
Five sentences:
After a brief introduction to historical cryptography, a quick and dirty crash course of the mathematics required to understand most of the book is presented. Various cypher types, or modes, are discussed, including block, stream, chain, feedback, and counter in addition to symmetric/asymmetric cyphers, public/private key encryption and exchange, particular attention is paid to the DiffieHellman method of exchange. Some of the cryptographic algorithms covered include DES, AES, and RSA; these are presented alongside various hashing algorithms and it is explained how the use of certain combinations of these tools can provide, integrity, confidentiality, authentication, or any combination of these to data. The cryptographic section concludes with a pair of chapters on trust/key management, and user authentication to close a decidedly well rounded and complete examination of the aforementioned topics. The network security portion of the book covers everything from transport layer security like HTTPS and SSH, wireless security, email security, and includes a final chapter on IP security.
designates my notes. / designates important.
Thoughts
The first half of the book, the cryptography was interesting and why I read the
book. The latter half, network protocols and such was oldhat for me. That
said, I would strongly recommend this book to anyone interested in either
cryptography or network security.
Ample, but not detailed, mathematical foundations are provided, allowing anyone
without the prerequisite math skills to understand the entire book, provided
you are willing to roll up your mental sleeves. The elliptical parts are quite
difficult, but the rest is infinitely approachable by a novice.
It also covers the various forms ciphers can take, block, stream, etc. Random
and pseudo random number generators are discussed. Public and private key
systems are elaborated.
There are TONS of illustrations to help you visualize the algorithms and
communication routines. There are also many examples, starting from the most
basic shift ciphers all the way to DES, AES, and RSA. Hashing is also covered
in great detail with the aforementioned illustrations and examples.
Enough detail is given that you can easily implement the algorithms in a
programming language of your choosing. I built a number of python based toy
examples for things like the euclidean algorithm, the MillerRabin prime test,
and an RSA implementation among other things. I would strongly suggest anyone
interested in learning cryptography to implement as many of the algorithms as
you can, from scratch. The amount you learn doing this far exceeds what you
would get simply trying to absorb the book.
It really is a well rounded book.
Code
Here are links to the python programs I wrote, but be warned these are not
debugged and more of proof of concepts to facilitate understanding. Do not use
them for anything more than learning.
Books

Read all of the classic papers cited in the Recommended Reading section for
this chapter, available at the Author Web site at
WilliamStallings.com/Cryptography. The papers are available at
box.com/Crypto7e.

Dorothy Sayers’s Have His Carcase (fiction)
Table of Contents
page 010:
page 21:
 CIA triad = confidentiality, integrity,
availability
page 23:
 To this triad add authenticity and
accountability
page 27:
 Active attacks can be classified as: masquerade,
replay, modification of messages, and denial of service.
page 030:
page 033:
page 039:
page 041:
page 45:
 Read all of the classic papers cited in the Recommended Reading section for
this chapter, available at the Author Web site at
WilliamStallings.com/Cryptography. The papers are available at
box.com/Crypto7e.
page 48:
if a1, then a = +1
if ab and ba, then a = +b
any b != 0 divides 0
if ab and bc, then ac
If bg and bh, then b(mg + nh) for arbitrary integers m and n.
To see this last point, note that
If bg, then g is of the form g = b * g1 for some integer g1.
If bh, then h is of the form h = b * h1 for some integer h1 .
So
mg + nh = mbg1 + nbh1 = b * (mg1 + nh1)
and therefore b divides mg + nh.
 To calculate q and r with numpy:
np.floor(11/7)
np.remainder(11, 7)
page 49:
 Two integers are relatively prime if and only if
their only common positive integer factor is 1.
page 50:

gcd(a, b) = max[k, such that ka and kb]

8 and 15 are relatively prime because the positive divisors of 8 are 1, 2, 4,
and 8, and the positive divisors of 15 are 1, 3, 5, and 15. So 1 is the only
integer on both lists.
import numpy as np
def gcd(a, b):
#q = np.floor(a/b)
r = np.remainder(a, b)
#print q, r
if r > 0:
return gcd(b, r)
else:
return b
def gcd_2(a, b):
if b == 0:
return a
else:
return gcd(b, np.remainder(a, b))
if __name__ == "__main__":
print gcd(1160718174, 316258250) #1078
print gcd_2(1160718174, 316258250) #1078
page 050:
page 53:
>>> np.mod == np.remainder
True
 Two integers a and b are said to be congruent modulo
n, if (a mod n) = (b mod n). This is written as a = b (mod n).
page 054:
page 55:
Define the set Z_n as the set of nonnegative integers less than n: Z n = {0, 1,
…, (n  1)}
page 056:
page 057:
page 58:
 In general, an integer has a multiplicative inverse
in Z n if and only if that integer is relatively prime to n.
def mgcd(a, b):
if b == 0:
return a
else:
return mgcd(b, np.mod(a, b))
if __name__ == "__main__":
print mgcd(1160718174, 316258250) #1078
page 059:
page 061:
page 064:
page 065:
page 067:
page 068:
page 069:
page 071:
page 076:
page 87:
 We assume that it is impractical to decrypt a message on the basis of the
ciphertext plus knowledge of the encryption/decryption algorithm. In other
words, we do not need to keep the algorithm secret; we need to keep only the
key secret. This feature of symmetric encryption is what makes it feasible for
widespread use. The fact that the algorithm need not be kept secret means that
manufacturers can and have developed lowcost chip implementations of data
encryption algorithms. These chips are widely available and incorporated into
a number of products. With the use of symmetric encryption, the principal
security problem is maintaining the secrecy of the key.
page 088:
page 89:

All encryption algorithms are based on two general principles: substitution,
in which each element in the plaintext (bit, letter, group of bits or letters)
is mapped into another element, and transposition, in which elements in the
plaintext are rearranged.

If both sender and receiver use the same key, the system is referred to as
symmetric, singlekey, secretkey, or conventional encryption. If the sender
and receiver use different keys, the system is referred to as asymmetric,
twokey, or publickey encryption.
page 91:

With the exception of a scheme known as the onetime pad (described later in
this chapter), there is no encryption algorithm that is unconditionally secure.
Therefore, all that the users of an encryption algorithm can strive for is an
algorithm that meets one or both of the following criteria:

 The cost of breaking the cipher exceeds the value of the encrypted
information.

 The time required to break the cipher exceeds the useful lifetime of the
information.

An encryption scheme is said to be computationally secure if either of the
foregoing two criteria are met.
page 095:
page 97:
page 99:
page 104:
 Although the techniques for breaking a Vigenère cipher are by no means
complex, a 1917 issue of Scientific American characterized this system as
“impossible of translation.” This is a point worth remembering when similar
claims are made for modern algorithms.
page 105:

random key that is as long as the message, so that the key need not be
repeated. In addition, the key is to be used to encrypt and decrypt a single
message, and then is discarded. [onetime pad]

a onetime pad, is unbreakable.

Funny, saying this literally on the next page after
warning against such claims.
page 111:
page 113:
page 117:
page 120:
page 124:
 diffusion, the sta tistical structure of the plaintext is dissipated into
longrange statistics of the ciphertext. This is achieved by having each
plaintext digit affect the value of many ciphertext digits; generally, this is
equivalent to having each ciphertext digit be affected by many plaintext
digits.
page 125:
 confusion seeks to make the relationship between the statistics of the
ciphertext and the value of the encryption key as complex as possible, again to
thwart attempts to discover the key.
page 126:
page 127:

Block size: Larger block sizes mean greater security (all other things being
equal) but reduced encryption/decryption speed for a given algorithm. The
greater security is achieved by greater diffusion. Traditionally, a block size
of 64 bits has been considered a reasonable tradeoff and was nearly universal
in block cipher design. However, the new AES uses a 128bit block size.

Key size: Larger key size means greater security but may decrease encryption/
decryption speed. The greater security is achieved by greater resistance to
bruteforce attacks and greater confusion. Key sizes of 64 bits or less are now
widely considered to be inadequate, and 128 bits has become a common size.

Number of rounds: The essence of the Feistel cipher is that a single round
offers inadequate security but that multiple rounds offer increasing security.
A typical size is 16 rounds.

Subkey generation algorithm: Greater complexity in this algorithm should lead
to greater difficulty of cryptanalysis.

Round function F: Again, greater complexity generally means greater
resistance to cryptanalysis.
page 128:
page 130:
page 132:
 Avalanche effect = a small change in the plaintext
produces a significant change in the ciphertext.
page 143:
 A group G, sometimes denoted by {G, # }, is a set of elements with a binary
operation denoted by # that associates to each ordered pair (a, b) of elements
in G an element (a # b) in G, such that the following axioms are obeyed:
(A1) Closure: If a and b belong to G, then a # b is also in G.
(A2) Associative: a # (b # c) = (a # b) # c for all a, b, c in G.
(A3) Identity element: There is an element e in G such that a # e = e # a = a
for all a in G.
(A4) Inverse element: For each a in G, there is an element a′ in G such that a
# a′ = a′ # a = e.
page 145:

In essence, a ring is a set of elements in which we can do addition,
subtraction [a  b = a + ( b)], and multiplication without leaving the set.

With respect to addition and multiplication, the set of all nsquare matrices
over the real numbers is a ring.
page 146:
 In essence, a field is a set of elements in which we can do addition,
subtraction, multiplication, and division without leaving the set. Division is
defined with the fol lowing rule: a/b = a(b^1).
page 147:
 the order of a finite field (number of elements in the field) must be a power
of a prime p^n, where n is a positive integer. The finite field of order p^n is
generally written GF(p^n); GF stands for Galois field, in honor of the
mathematician who first studied finite fields.
page 148:
page 151:
page 152:
page 153:
page 154:
 in GF(2), addition is equivalent to the XOR operation, and multiplication is
equivalent to the logical AND operation. Further, addition and subtraction are
equivalent mod 2:
1 + 1 = 1  1 = 0
1 + 0 = 1  0 = 1
0 + 1 = 0  1 = 1
page 156:
 gcd[a(x), b(x)] = gcd[b(x), a(x) mod b(x)]
page 160:
page 164:
 addition of two polynomials in GF(2^n) corresponds to a bitwise XOR
operation.
page 165:
 In general, in GF(2^n) with an nthdegree polynomial p(x), we have x^n mod
p(x) = [p(x)  x^n].
page 178:
page 179:
page 185:
page 186:
page 187:
page 189:
page 190:
page 197:
 the AES decryption cipher is not identical to the encryption cipher (Figure
6.3). That is, the sequence of transformations for decryption differs from that
for encryption, although the form of the key schedules for encryption and
decryption is the same. This has the disadvantage that two separate software or
firmware modules are needed for applications that require both encryption and
decryption. There is, however, an equivalent version of the decryption
algorithm that has the same structure as the encryption algorithm. The
equivalent version has the same sequence of transformations as the encryption
algorithm (with transformations replaced by their inverses). To achieve this
equivalence, a change in key schedule is needed.
page 198:

an encryption round has the structure SubBytes, ShiftRows, MixColumns,
AddRoundKey. The standard decryption round has the structure InvShiftRows,
InvSubBytes, AddRoundKey, InvMixColumns. Thus, the first two stages of the
decryption round need to be interchanged, and the second two stages of the
decryption round need to be interchanged.

InvShiftRows[InvSubBytes(Si)] = InvSubBytes[InvShiftRows(S_i)]

InvMixColumns(Si ^ w_j) = [InvMixColumns(S_i)] ^ [InvMixColumns(wj)]
page 199:
page 214:
page 215:
 For lengthy messages, the ECB (electronic code book) mode may not be secure.
If the message is highly structured, it may be possible for a cryptanalyst to
exploit these regularities.
page 216:
page 218:

In conclusion, because of the chaining mechanism of CBC (cipher block
chaining), it is an appropriate mode for encrypting messages of length greater
than b bits.

In addition to its use to achieve confidentiality, the CBC mode can be used
for authentication. This use is described in Chapter 12.

For AES, DES, or any block cipher, encryption is performed on a block of b
bits. In the case of DES, b = 64 and in the case of AES, b = 128. However, it
is possible to convert a block cipher into a stream cipher, using one of the
three modes to be discussed in this and the next two sections: cipher feedback
(CFB) mode, output feedback (OFB) mode, and counter (CTR) mode. A stream cipher
eliminates the need to pad a message to be an integral number of blocks. It
also can operate in real time.
page 219:
page 221:

One advantage of the OFB (output feedback) method is that bit errors in
transmission do not propagate. For example, if a bit error occurs in C1, only
the recovered value of P1 is affected

The disadvantage of OFB is that it is more vulnerable to a message stream
modification attack than is CFB. Consider that complementing a bit in the
ciphertext complements the corresponding bit in the recovered plaintext. Thus,
controlled changes to the recovered plaintext can be made. This may make it
possible for an opponent, by making the necessary changes to the checksum
portion of the message as well as to the data portion, to alter the ciphertext
in such a way that it is not detected by an errorcorrecting code.

One distinction from the stream ciphers we discuss in Chapter 8 is that OFB
encrypts plaintext a full block at a time, where typically a block is 64 or 128
bits. Many stream ciphers encrypt one byte at a time.
page 223:
 Hardware efficiency: Unlike the three chaining modes, encryption (or
decryption) in CTR (counter) mode can be done in parallel on multiple blocks of
plaintext or ciphertext. For the chaining modes, the algorithm must complete
the computation on one block before beginning on the next block.
page 224:

Preprocessing: The execution of the underlying encryption algorithm does not
depend on input of the plaintext or ciphertext. Therefore, if sufficient memory
is available and security is maintained, preprocessing can be used to prepare
the output of the encryption boxes that feed into the XOR functions, as in
Figure 7.7. When the plaintext or ciphertext input is presented, then the only
computation is a series of XORs. Such a strategy greatly enhances throughput.

Provable security: It can be shown that CTR is at least as secure as the
other modes discussed in this chapter.
page 225:
page 231:

Formatpreserving encryption (FPE) refers to any encryption technique that
takes a plaintext in a given format and produces a ciphertext in the same
format. For example, credit cards consist of 16 decimal digits.

FPE facilitates the retrofitting of encryption technology to legacy
applications, where a conventional encryption mode might not be feasible
because it would disrupt data fields/pathways.
page 254:
page 259:
 Thus, the generating function becomes
m the modulus m > 0
a the multiplier 0 < a < m
c the increment 0 <= c < m
X_0 the starting value, or seed 0 <= X_0 < m
X_n + 1 = (aX_n) mod (2^31  1)
 Of the more than 2 billion possible choices for a, only a handful of
multipliers pass all three tests. One such value is a = 75 = 16807, which was
originally selected for use in the IBM 360 family of computers [LEWI69]. This
generator is widely used and has been subjected to a more thorough testing than
any other PRNG [pseudo random number generator]. It
is frequently recommended for statistical and simulation work (e.g., [JAIN91]).
page 260:
page 262:
 A random bit sequence of 256 bits was obtained from random.org, which uses
three radios tuned between stations to pick up atmospheric noise.
page 286:
 1 Diffie and Hellman first publicly introduced the concepts of publickey
cryptography in 1976. Hellman credits Merkle with independently discovering the
concept at that same time, although Merkle did not publish until 1978 [MERK78].
In fact, the first unclassified document describing publickey distribution and
publickey cryptography was a 1974 project proposal by Merkle
(http://merkle.com/1974). However, this is not the true beginning. Admiral Bobby Inman, while director of the National Security
Agency (NSA), claimed that publickey cryptography had been discovered at NSA
in the mid1960s [SIMM93]. The first documented introduction of these
concepts came in 1970, from the CommunicationsElectronics Security Group,
Britain’s counterpart to NSA, in a classified report by James Ellis [ELLI70].
Ellis referred to the technique as nonsecret encryption and describes the
discovery in [ELLI99].
page 290:
 You can encrypt the whole message for confidentiality,
but this means you need to keep the cipher and plain texts to authenticate. You
can encrypt only a small block of the message to authenticate, but with no
confidentiality.
page 291:
 to provide both the authentication function and confidentiality by a double
use of the publickey scheme (Figure 9.4):
Z = E(PU_b, E(PR_a,X))
X = D(PU_a, D(PR_b,Z))
page 294:

Another form of attack is to find some way to compute
the private key given the public key. To date, it has not been mathematically
proven that this form of attack is infeasible for a particular publickey
algorithm. Thus, any given algorithm, including the widely used RSA algorithm, is suspect. The history of
cryptanalysis shows that a problem that seems insoluble from one perspective
can be found to have a solution if looked at in an entirely different way.

Finally, there is a form of attack that is peculiar to publickey systems.
This is, in essence, a probablemessage attack. Suppose, for example, that a
message were to be sent that consisted solely of a 56bit DES key. An adversary
could encrypt all possible 56bit DES keys using the public key and could
discover the encrypted key by matching the transmitted ciphertext. Thus, no
matter how large the key size of the publickey scheme, the attack is reduced
to a bruteforce attack on a 56bit key. This attack can be thwarted by
appending some random bits to such simple messages.
page 295:
 We are now ready to state the RSA scheme. The ingredients are the following:
p, q, two prime numbers (private, chosen)
n = pq (public, calculated)
e, with gcd(f(n), e) = 1; 1 6 e 6 f(n) (public, chosen)
d K e 1 (mod f(n)) (private, calculated)
page 296:
 For this example, the keys were generated as follows.
1. Select two prime numbers, p = 17 and q = 11.
2. Calculate n = pq = 17 * 11 = 187.
3. Calculate f(n) = (p  1)(q  1) = 16 * 10 = 160.
4. Select e such that e is relatively prime to f(n) = 160 and less than f(n);
we choose e = 7.
5. Determine d such that de K 1 (mod 160) and d 6 160. The correct value is
d = 23, because 23 * 7 = 161 = (1 * 160) + 1; d can be calculated using
the extended Euclid’s algorithm (Chapter 2).

The resulting keys are public key PU = {7, 187} and private key PR = {23, 187}.

The example shows the use of these keys for a plaintext input of M = 88. For
encryption, we need to calculate C = 887 mod 187. Exploiting the properties of
modular arithmetic, we can do this as follows.
88^7 mod 187 = [(88^4 mod 187) * (88^2 mod 187) * (88^1 mod 187)] mod 187
88^1 mod 187 = 88
88^2 mod 187 = 7744 mod 187 = 77
88^4 mod 187 = 59,969,536 mod 187 = 132
88^7 mod 187 = (88 * 77 * 132) mod 187 = 894,432 mod 187 = 11
 For decryption, we calculate M = 11 23 mod 187:
11^23 mod 187 = [(11^1 mod 187) * (11^2 mod 187) * (11^4 mod 187)
* (11^8 mod 187) * (11^8 mod 187)] mod 187
11^1 mod 187 = 11
11^2 mod 187 = 121
11^4 mod 187 = 14,641 mod 187 = 55
11^8 mod 187 = 214,358,881 mod 187 = 33
11^23 mod 187 = (11 * 121 * 55 * 33 * 33) mod 187 = 79,720,245 mod 187 = 88
page 297:
page 298:
page 299:
 To speed up the operation of the RSA algorithm using the public key, a
specific choice of e is usually made. The most common choice is 65537 (216 +
1); two other popular choices are 3 and 17. Each of these choices has only two
1 bits, so the number of multiplications required to per form exponentiation
is minimized.
page 303:
page 315:
page 316:
page 320:
page 321:
page 323:
 Elliptic curves are not ellipses. They are so named because they are described by
cubic equations, similar to those used for calculating the circumference of an ellipse.
In general, cubic equations for elliptic curves take the following form, known as a
Weierstrass equation:
y^2 + axy + by = x^3 + cx^2 + dx + e
 In geometric terms, the rules for addition can be stated as follows: If three
points on an elliptic curve lie on a straight line, their sum is O.
page 324:
page 325:
 For a prime curve over Z p, we use a cubic equation in which the variables
and coefficients all take on values in the set of integers from 0 through p  1
and in which calculations are performed modulo p. For a binary curve defined
over GF(2^m), the variables and coefficients all take on values in GF(2^m) and
in calculations are performed over GF(2^m). [FERN99] points out that prime curves are best for software applications, because the
extended bitfiddling operations needed by binary curves are not required; and
that binary curves are best for hardware applications, where it takes
remarkably few logic gates to create a powerful, fast cryptosystem.
page 332:
page 333:
 SP 80057 recommends that at least through 2030, acceptable key lengths are
from 3072 to 14,360 bits for RSA and 256 to 512 bits for ECC. Similarly, the
European Union Agency for Network and Information Security (ENISA) recommends
in their 2014 report (Algorithms, Key Size and Parameters report—2014, November
 minimum key lengths for future system of 3072 bits and 256 bits for RSA
and ECC, respectively.
page 340:

(a) a data object that maps to a prespecified hash result (the oneway
property) or (b) two data objects that map to the same hash result (the
collisionfree property).

Typically, the input is padded out to an integer multiple of some fixed
length (e.g., 1024 bits), and the padding includes the value of the length of
the original mes sage in bits.
page 343:
page 344:
 More commonly, message authentication is achieved using a message
authentication code (MAC), also known as a keyed hash function. Typically, MACs
are used between two parties that share a secret key to authenticate
information exchanged between those parties. A MAC function takes as input a
secret key and a data block and produces a hash value, referred to as the MAC,
which is associated with the protected message. If the integrity of the message
needs to be checked, the MAC function can be applied to the message and the
result compared with the associated MAC value. An attacker who alters the
message will be unable to alter the associated MAC value without knowledge of
the secret key.
page 345:
page 348:
 For a hash value h = H(x), we say that x is the preimage of h. That is, x is
a data block whose hash value, using the function H, is h. Because H is a
manytoone mapping, for any given hash value h, there will in general be
multiple preimages. A collision occurs if we have x != y and H(x) = H(y).
page 349:
 The fifth property, second preimage resistant, guarantees that it is
infeasible to find an alternative message with the same hash value as a given
message. This pre vents forgery
page 350:
page 353:
page 356:
 SHA1 and SHA2 are also specified in RFC 6234, which essentially duplicates
the material in FIPS 1803 but adds a C code implementation.
page 357:
page 358:
page 360:
page 361:
page 362:
 The SHA512 algorithm has the property that every bit of the hash code is a
function of every bit of the input.
page 363:
page 383:
 In summary, message authentication is a procedure to verify that received
messages come from the alleged source and have not been altered. Message
authentication may also verify sequencing and timeliness. A digital signature
is an authentication technique that also includes measures to counter
repudiation by the source.
page 384:
page 386:
page 388:
 An alternative authentication technique involves the use of a secret key to
generate a small fixedsize block of data, known as a cryptographic checksum or MAC, that is appended to the
message.
page 389:
page 390:

Typically, it is preferable to tie the authentication directly to the
plaintext, so the method of Figure 12.4b is used.

Finally, note that the MAC does not provide a digital signature, because both
sender and receiver share the same key.
page 394:
 Suppose the key size is k bits and that the attacker has one known texttag
pair. Then the attacker can compute the nbit tag on the known text for all
possible keys. … To summarize, the level of effort for bruteforce attack on
a MAC algorithm can be expressed as min(2^k, 2^n ). The assessment of strength
is similar to that for symmetric encryption algorithms. It would appear
reasonable to require that the key length and tag length satisfy a relationship
such as min(k, n) >= N, where N is perhaps in the range of 128 bits.
page 398:
 if speed is a concern, it is fully acceptable to use MD5 rather than SHA1 as
the embedded hash function for HMAC.
page 414:
page 421:
page 422:
 For example, suppose that John sends an authenticated message to Mary, using
one of the schemes of Figure 12.1. Consider the following disputes that could
arise.
1. Mary may forge a different message and claim that it came from John. Mary
would simply have to create a message and append an authentication code using
the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge
a message, there is no way to prove that John did in fact send the message.
 In situations where there is not complete trust between sender and receiver,
something more than authentication is needed. The most attractive solution to
this problem is the digital signature.
page 427:
page 428:
page 429:
page 432:
page 442:
 For symmetric encryption to work, the two parties to an exchange must share
the same key, and that key must be protected from access by others.
Furthermore, frequent key changes are usually desirable
to limit the amount of data compromised if an attacker learns the key.
Therefore, the strength of any cryptographic system rests with the key
distribution technique, a term that refers to the means of delivering a key to
two parties who wish to exchange data without allowing others to see the key.
page 448:
page 451:
 If A wishes to communicate with B, the following procedure is employed:
1. A generates a public/private key pair {PUa, PR a} and transmits a message to
B consisting of PUa and an identifier of A, ID A.
2. B generates a secret key, K s, and transmits it to A, which is encrypted
with A’s public key.
3. A computes D(PR a, E(PUa, K s)) to recover the secret key. Because only A
can decrypt the message, only A and B will know the identity of K s.
4. A discards PUa and PR a and B discards PUa. A and B can now securely
communicate using conventional encryption and the session key Ks. At the
completion of the exchange, both A and B discard K s. Despite its simplicity,
this is an attractive protocol.
page 453:
page 460:
page 481:
1. A > B: ID_A  N_a
2. B > KDC: ID_B  N_b  E(K_b, [ID_A  N_a  T_b])
3. KDC > A: E(K_a, [ID_B  N_a  K_s  T_b])  E(K_b, [ID_A  K_s  T_b])  N_b
4. A > B: E(K_b, [ID_A  K_s  T_b])  E(K_s, N_b)
 = concatenate
KDC = Key Distribution Center
N = Nonce
K = Key
T = Timestamp
ID = Identifier
page 488:
page 489:
page 491:
page 532:
 Software as a Service (SaaS), Infrastructure as a Service (IaaS), and
Platform as a Service (PaaS)
page 549:
page 556:
page 568:
page 569:
page 570:
page 571:
page 576:
page 599:
page 631:
page 638:

Whereas X.509 certificates are trusted if there is a valid PKIX chain to a
trusted root, an OpenPGP public key is trusted if it is signed by another
OpenPGP public key that is trusted by the recipient. This is called the
WebofTrust.

OpenPGP does not include the sender’s public key with each message, so it is
necessary for recipients of OpenPGP messages to sepa rately obtain the
sender’s public key in order to verify the message.
page 640:
page 643:

DANE is a protocol to allow X.509 certificates, commonly used for Transport
Layer Security (TLS), to be bound to DNS names using DNSSEC. It is proposed in
RFC 6698 as a way to authenticate TLS client and server entities without a
certificate authority (CA).

The rationale for DANE is the vulnerability of the use of CAs in a global PKI
system. Every browser developer and operating system supplier maintains a list
of CA root certificates as trust anchors. These are called the software’s root
certifi cates and are stored in its root certificate store. The PKIX procedure
allows a cer tificate recipient to trace a certificate back to the root. So
long as the root certificate remains trustworthy, and the authentication
concludes successfully, the client can proceed with the connection.

However, if any of the hundreds of CAs operating on the Internet is compro
mised, the effects can be widespread. The attacker can obtain the CA’s private
key, get issued certificates under a false name, or introduce new bogus root
certificates into a root certificate store. There is no limitation of scope for
the global PKI and a compromise of a single CA damages the integrity of the
entire PKI system. In addition, some CAs have engaged in poor security
practices.
page 664:
page 668:
 IPsec policy is determined primarily by the interaction of two databases, the
security association database (SAD) and the security policy database (SPD).
page 669:
page 672:
page 673:
page 674:
page 678:
 Transport and Tunnel modes.
page 679:
 Whereas the transport mode is suitable for protecting connections between
hosts that support the ESP feature, the tunnel mode is useful in a
configuration that includes a firewall or other sort of security gateway that
protects a trusted network from external networks. In this latter case,
encryption occurs only between an external host and the security gateway or
between two security gateways. This relieves hosts on the internal network of
the processing burden of encryption and simplifies the key distribution task by
reducing the number of needed keys. Further, it thwarts traffic analysis based
on ultimate destination.
page 680:
page 693:
 RFC 6379 defines four optional cryptographic suites that are compatible with
the United States National Security Agency’s Suite B specifications. In 2005,
the NSA issued Suite B, which defined the algorithms and strengths needed to
protect both sensitive but unclassified (SBU) and classified information for
use in its Cryptographic Modernization program [LATT09]. The four suites
defined in RFC 6379 provide choices for ESP and IKE. The four suites are
differentiated by the choice of cryptographic algorithm strengths and a choice
of whether ESP is to provide both confidentiality and integrity or integrity
only. All of the suites offer greater protection than the two VPN suites
defined in RFC 4308.