Written by 1.1 Evolution of cryptography Over the past four decades or so, cryptography has evolved from an exotic field known to a select few into a fundamental skill for the design and operation of modern IT systems. Today, nearly every modern product, from the bank card in your pocket to the server farm running your favorite […]
1.2 The advent of TLS and the internet We’ll now turn to the original theme of this book, TLS and the cryptographic tools it is made of. TLS is a protocol designed to protect data sent over the internet, so we’ll start with a brief look into the early history of the internet. Despite its […]
1.3 Increasing connectivity Connectivity allows designers to add novel, unique features to their products and enables new business models with huge revenue potential that simply would not exist without it. At the same time, connectivity makes it much harder to build secure systems. Similar to Ferguson and Schneier’s argument on security implications of complexity, one […]
1.3.3 Connectivity versus scaling attacks To summarize, connectivity exposes devices and IT systems to remote attacks that target network-facing software (and, thus, directly benefit from the continuously increasing software complexity), are very cheap to launch, can be launched by a large number of threat actors, and have zero marginal cost. In addition, there exists a […]
1.4.1 Complexity versus security – features The following thought experiment illustrates why complexity arising from the number of features or options is a major security risk. Imagine an IT system, say a small web server, whose configuration consists of 30 binary parameters (that is, each parameter has only two possible values, such as on or […]
1.5.3 The Jeep hack At the BlackHat 2015 conference, security researchers Charlie Miller and Chris Valasek demonstrated the first remote attack on an unaltered, factory passenger car [120]. In what later became known as the Jeep hack, the researchers demonstrated how the vehicle’s infotainment system, Uconnect, which has both remote connectivity as well as the […]
2.1 Technical requirements This chapter introduces basic definitions, design principles, and goals and therefore requires no specific software or hardware. 2.2 Preliminaries The fundamental objective of cryptography and computer security in general is to enable two persons, let’s call them Alice and Bob, to communicate over an insecure channel so that an opponent, commonly called […]
2.3 Confidentiality A fundamental need in secure communication is to ensure the privacy of the information transmitted between the communicating parties. In cryptography, this is referred to as confidentiality of data. More precisely, confidentiality is the ability to keep the content of information from all but those authorized to have it [117]. Confidentiality therefore guarantees […]
2.4 Integrity Integrity is the ability to detect data manipulation by unauthorized entities. By data manipulation, we mean unauthorized acts such as the insertion, deletion, or substitution of individual data chunks or entire messages. It is not required that manipulations as such are rendered impossible; given the multitude of possible communication channels, this would be […]
2.5.1 Message authentication Message authentication is the ability of the communicating party that receives a message to verify – through corroborative evidence – the identity of the party that originated the message [117]. This form of authentication is also referred to as data origin authentication. Message authentication can be achieved by providing additional information together […]