Pointers on Cryptography and Information Security

• Access control
  • Jerome Saltzer and Michael Schroeder, The Protection of Information in Computer Systems
  • Hao Chen, David Wagner and Drew Dean, Setuid Demystified
  • David Bell and Len LaPadula, Secure Computer System: Unified Exposition and Multics Interpretation
  • Butler Lampson, A Note on the Confinement Problem
  • MS Windows access control
• Automated teller machine (ATM) security
  • ATM Marketplace
  • Ross Anderson, Why Cryptosystems Fail
  • Mike Bond and Piotr Zielinski, Decimalisation Table Attacks for PIN Cracking
  • Mike Bond's website on phantom withdrawals
  • British High Court's order on February 2003, gagging public disclosure of Citibank's crypto vulnerabilities
  • VISA's PIN Entry Device Security Requirements Manual
• Biometrics
  • The Biometric Consortium, serving as the U.S. government's focal point for biometric research
  • International Biometric Group, the biometric industry's leading consulting firm
  • FBI's tutorial on fingerprint classification
  • Neurotechnologija's VeriFinger fingerprint identification software
  • Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada, and Satoshi Hoshino, Impact of Artificial "Gummy" Fingers on Fingerprint Systems
• Classical cryptography
  • David Kahn, The Codebreakers
  • Simon Singh, The Code Book
  • Jefferson wheel cipher
  • The Enigma machine
  • The PURPLE machine
  • Key reuse of the one-time pad: NSA's VENONA project
• DNA and quantum computing
  • DNA Computing: A Primer
  • Len Adleman, Molecular Computation of Solutions to Combinatorial Problems
  • Dan Boneh, Richard Lipton and Chris Dunworth, Breaking DES Using a Molecular Computer
  • Ehud Shapiro's 2004 announcement of his DNA computer for diagnosing cancer
  • Centre for Quantum Computation of the Universities of Oxford and Cambridge
  • Peter Shor, Algorithms for Quantum Computation: Discrete Logarithms and Factoring
  • IBM's 2001 announcement of the successful factorization of 15 using a 7-qubit quantum computer
• Email spamming
  • Coalition Against Unsolicited Commercial Email (CAUCE)
  • Email filters: Microsoft's SmartScreen technology, SpamAssassin, Spamhaus
  • Hadmut Danisch's RMX
  • Adam Back's hash cash
  • Microsoft's Penny Black
  • Microsoft's Sender ID
  • The U.S. CAN-SPAM Act
• Emissions security
  • The Complete, Unofficial TEMPEST Information Page
  • Markus Kuhn, Optical Time-Domain Eavesdropping Risks of CRT Displays
  • Markus Kuhn and Ross Anderson, Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations
  • NSA's TEMPEST Endorsement Program
• Firewalls and intrusion detection systems
  • Mark Grennan's online tutorial, Firewall and Proxy Server HOWTO
  • Packet filters: Cisco ASA and PIX, netfilter/iptables
  • Proxy servers: Squid, Wingate
  • Honeypots: Honeyd, Honeynet Project
  • Intrusion detection systems (IDS): Snort, Tripwire, AIDE
  • The fragroute IDS tester
  • Thomas Ptacek and Timothy Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection
• Hash functions
  • RFC 1321: The official document describing MD5
  • NIST's Secure Hash Standard (SHS)
  • Paul van Oorschot and Michael Wiener, Parallel Collision Search with Application to Hash Functions and Discrete Logarithms
  • Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu, Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD
  • Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu, Finding Collisions in the Full SHA-1
  • Bruce Schneier's weblog article on new cryptanalytic results against SHA-1 announced in August 2005
  • Magnus Daum's and Stefan Luck's website on finding MD5 collisions
• Key escrow and secret sharing
  • FIPS PUB 185: Escrowed Encryption Standard (EES)
  • NIST's Skipjack specification
  • Matt Blaze, Protocol Failure in the Escrowed Encryption Standard
  • EFF's Key Escrow Archive
  • Adi Shamir, How to Share a Secret
• Malware
  • CERT Coordination Center
  • Ken Thompson, Reflections on Trusting Trust
  • Anti-trojan.org
  • List of rootkits maintained by OSSEC.net
  • Rootkit detectors: chkrootkit, Rootkit Hunter
  • Fred Cohen, Computer Viruses – Theory and Experiments
  • David Chess and Steve White, An Undetectable Computer Virus
  • Carey Nachenberg, Computer Virus-Antivirus Coevolution
  • CERT/CC Computer Virus Resources
  • IBM Antivirus Research
  • Antivirus software vendors: Symantec (Norton), McAfee (VirusScan), Grisoft (AVG), Panda Security
  • Rick Skrenta's Elk Cloner, the first virus "in the wild"
  • Good Times Virus Hoax FAQ
  • Eugene Spafford, A Failure to Learn from the Past
  • David Moore, Colleen Shannon and Jeffery Brown, Code-Red: a case study on the spread and victims of an Internet worm
  • Analysis of the Sapphire Worm
  • Technical explanation of the MySpace worm
• Message authentication codes
  • FIPS PUB 113: The official NIST document describing DAC (CBC-MAC)
  • FIPS PUB 198: The official NIST document describing HMAC
  • Mihir Bellare, Joe Kilian and Phillip Rogaway, The Security of the Cipher Block Chaining Message Authentication Code
  • Mihir Bellare's webpage of HMAC papers
• Modern ciphers
  • RC4 cipher
  • FIPS PUB 46-3: The official NIST document describing DES
  • EFF's DES Cracker Project
  • Eli Biham and Adi Shamir, Differential Cryptanalysis of DES-like Cryptosystems
  • Mitsuru Matsui, The First Experimental Cryptanalysis of the Data Encryption Standard
  • Don Coppersmith, The Data Encryption Standard (DES) and its strength against attacks
  • NIST's AES Home Page
  • ECRYPT's AES Lounge
  • NIST's Block Cipher Modes
  • Eli Biham and Adi Shamir, Differential Fault Analysis of Secret Key Cryptosystems
• Network attacks
  • S.M. Bellovin, Security Problems in the TCP/IP Protocol Suite
  • Laurent Joncheray, Simple Active Attack Against TCP
  • Original Bugtraq message describing the Windows XP SP2 LAND attack vulnerability
  • SYN cookies, one possible solution to counter the SYN flood attack
  • Traceroute.org
  • Scanning tools: Nmap, Nessus
  • Packet sniffers: tcpdump, Wireshark
  • ARP spoofing tools: Ettercap, arpspoof in the dsniff suite
  • Dave Dittrich's resources on DDoS attacks/tools
  • The Honeynet Project and Research Alliance, Know your Enemy: Tracking Botnets
• Network security protocols
  • MIT's Kerberos website
  • Microsoft Kerberos
  • IETF's Kerberos Working Group
  • SSL 3.0 Specification from Netscape
  • IETF's TLS Working Group
  • OpenSSL
  • IETF's IPsec Working Group
  • Virtual Private Network Consortium
  • IETF's S/MIME Mail Security Working Group
  • DNSSEC: DNS Security Extensions
• Password security
  • Daniel Klein, "Foiling the Cracker": A Survey of, and Improvements to, Password Security
  • Password crackers: John the Ripper, Cain & Abel
  • Leslie Lamport, Password Authentication with Insecure Communication
  • A Business Week article on password-management systems
  • Single sign-on: Windows Live ID, OpenID, Liberty Alliance
• Program security
  • Smashing the Stack for Fun and Profit, Phrack Vol. 7, No. 49
  • Eric Chien and Péter Ször, Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses
  • David Wheeler's online book, Secure Programming for Linux and Unix HOWTO
  • Rough Auditing Tool for Security (RATS)
  • Libsafe from Avaya Labs Research
  • Non-executable stack patches for Linux: PaX, Openwall Project
  • Crispin Cowan, et al., StackGuard: Automatic Adaptive Detection and Prevention of Buffer Overflow Attacks
  • Hovav Shacham, et al., On the Effectiveness of Address-Space Randomization
  • Team TESO, Exploiting Format String Vulnerabilities
  • Kevin Fu, Emil Sit, Kendra Smith and Nick Feamster, Do's and Don'ts of Client Authentication on the Web
  • Amit Klein, Cross Site Scripting Explained
  • The online book, Securing JAVA, written by Gary McGraw and Ed Felten
• Pseudorandom number generators
  • Linear feedback shift registers (LFSR)
  • Goldberg and Wagner's 1995 break of Netscape's random number generator
  • Biryukov, Shamir and Wagner's 1999 break of GSM A5/1's LFSR
  • Peter Gutmann's book chapter on random number generation in software
  • NIST's standards on random number generation
  • Quantis: a random number generator based on quantum optics
  • LavaRnd: a random number generator based on chaotic sources
• Public-key cryptography
  • Whitfield Diffie and Martin Hellman, New Directions in Cryptography
  • Ralph Merkle, Secure Communications over Insecure Channels
  • James Ellis, The History of Non-Secret Encryption
  • RSA and factoring
    • Ron Rivest, Adi Shamir and Len Adleman, Method for Obtaining Digital Signatures and Public-Key Cryptosystems
    • 2002 Turing Award Lecture on RSA presented by Len Adleman, Ron Rivest and Adi Shamir
    • RSA, The Security Division of EMC and RSA Laboratories
    • Dan Boneh, Twenty Years of Attacks on the RSA Cryptosystem
    • Daniel Bleichenbacher, Chosen Ciphertext Attacks Against Protocols Based on RSA Encryption Standard PKCS #1
    • RSA Factoring Challenge
    • Research papers on factoring attacks
    • Adi Shamir, Factoring Large Numbers with the TWINKLE Device
    • Eran Tromer's TWIRL Homepage
  • Mihir Bellare's OAEP Homepage
  • The ECC tutorial from Certicom
  • Public Key Cryptography Standards (PKCS)
  • NIST's standards on digital signatures: DSA, RSA, and ECDSA
  • PGP Corporation
  • The International PGP Home Page
  • GNU Privacy Guard (GPG)
  • GnuPG for Windows
  • Alma Whitten and Doug Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0
  • Paul Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems
• Public key infrastructures
  • IETF PKIX working group, responsible for developing Internet standards for X.509-based PKI
  • MS Windows 2000 PKI
  • NIST's Federal PKI
  • Leading PKI vendors: Verisign, Entrust
  • Microsoft's security bulletin on "Erroneous Verisign-Issued Digital Certificates Pose Spoofing Hazard"
  • Entrust's FAQ on PKI
• Smartcards and tamper resistance
  • Smart Card Alliance
  • RFID Journal
  • RSA SecurID
  • FIPS PUB 140-2, describing NIST's current standard to certify tamper-resistant cryptographic modules
  • CryptoCards, IBM's product line of tamper-resistant cryptoprocessors
  • Ross Anderson and Markus Kuhn, Tamper Resistance – a Cautionary Note
  • Ross Anderson and Markus Kuhn, Low Cost Attacks on Tamper Resistant Devices
  • Oliver Kömmerling and Markus Kuhn, Design Principles for Tamper-Resistant Smartcard Processors
  • Cryptography Research's differential power analysis
  • Discretix Technologies, Introduction to Side-Channel Attacks
• Wireless security
  • IEEE 802.11 Working Group
  • Wi-Fi Alliance
  • The Official Bluetooth® Technology Info Site
  • Wireless sniffers: NetStumbler, Kismet
  • Nikita Borisov, Ian Goldberg and David Wagner, Intercepting Mobile Communications: The Insecurity of 802.11
  • Scott Fluhrer, Itsik Mantin and Adi Shamir, Weaknesses in the Key Scheduling Algorithm of RC4
  • FMS attack implementations: AirSnort and WEPCrack
  • Ford-Long Wong, Frank Stajano and Jolyon Clulow, Repairing the Bluetooth pairing protocol
  • Yaniv Shaked and Avishai Wool, Cracking the Bluetooth PIN
• Miscellaneous
  • Bruce Schneier's Crypto-Gram monthly newsletter
  • Communications Electronics Security Group (CESG), UK
  • Computer Professionals for Social Responsibility (CPSR)
  • Cypherpunk mail list
  • Electronic Frontier Foundation (EFF)
  • Fire Suppression Systems Association (FSSA)
  • Information Security Magazine
  • Internet Corporation for Assigned Names and Numbers (ICANN)
  • Lists of well-known ports and top-level domains from the Internet Assigned Numbers Authority (IANA)
  • Mixnets: Free Haven Project, Mixminion
  • National Institute of Standards and Technology (NIST)
  • National Security Agency (NSA)
  • Physical Site Security Info Resources from InfoSysSec
  • Ron Rivest's Voting Resources Page
  • The Sleuth Kit forensics tool
  • The Owner Free Filing (OFF) System, a copyright-hacking distributed filesystem using the one-time pad

---

Return to Kenny Fong's home page
Last updated February 23, 2008