Readings
This page will list all the non-textbook readings that students are responsible for in CSC 580. Note that some readings are for graduate students only, while others are for all students in the class. Note: some papers are not publicly available due to copyright, and in that case links go through the UNCG library proxy - this will directly access the paper if you are on a UNCG IP address, and otherwise it will ask you to log in with your UNCG account. Non-UNCG people trying to follow these links: Sorry... Try googling the title to see if other versions are publicly available.
Readings for All Students
- (Read by Wed., Jan 15) NSA surveillance: A guide to staying secure, Bruce Schneier, Sept. 6, 2013
This is an article written by Bruce Schneier that provides a good summary of NSA activities based on documents and information from Edward Snowden. It's a newspaper article, written for a non-technical audience, so it is a relatively light read. This article gives lots of "food for thought" as far as what a very powerful adversary can do in regards to computer and information security, and will provide some context for various protection measures that we will discuss in this class.
- (Read by Wed., Jan 22) Ken Thompson. "Reflections on trusting trust," Communications of the ACM, Vol. 27, No. 8, Aug. 1984, pp. 761-763.
This is a classic -- it comes from Ken Thompson's Turing Award Lecture, and vividly illustrates the importance of thinking about what parts of a system are trustworthy. Every person who develops software that has potential security issues (pretty much every person who develops software) should read this and think about the consequences.
- (Read by Mon., April 14) Fatal crypto flaw in some government-certified smartcards makes forgery a snap, Ars Technica, Sept. 16, 2013.
This is a news story about how a flaw in smartcards used as part of the Taiwanese Citizen Digital Certificate program led to trivially-breakable keys. There is more technical information available in the cited research paper, but this is a pretty light read about the problem. For a similar example of problems generating RSA keys, see the paper by Heninger et al. below ("Mining your Ps and Qs") in the graduate student readings.
- (Optional, but good to read before Mon., April 14)
A (relatively easy to understand) primer on elliptic curve cryptography
This is a technical-press article that gives a good overview not just of elliptic curve cryptography (ECC) but also of general public key crypto leading up to ECC. Written for readers that are technically astute but who are not cryptographers, this is a nicely written introduction to the important ideas behind ECC.
- (Read by Wed., April 16)
Matt Green, The Many Flaws of Dual_EC_DRBG (from Matt's blog, "A Few Thoughts on Cryptographic Engineering")
This is a nice description of the flaws and possible backdoor that is in the Dual_EC_DRBG pseudorandom number generator that is included in the NIST SP800-90A document ("Recommendation for Random Number Generation Using Deterministic Random Bit Generators"). Some additional information on how vulnerabilities are reflected in use of Dual_EC_DRBG in real-world cryptographic libraries is given in the report On the Practical Exploitability of Dual EC in TLS Implementations (this is not required reading).
- Case Study 1: (Read by Mon., April 21)
TrueCrypt Documentation -- read "Introduction" and "Beginner's Tutorial" to get a feel for how the system works, and at least the first four sections under "Technical Details" (Notation, Encryption Scheme, Modes of Operation, and Header Key Derivation).
TrueCrypt is a cross-platform system for encrypting storage volumes, which can be backing files or full disk partitions. In typical use, a filesystem will be built on an encrypted volume so that all data stored in the filesystem is protected. We will discuss the ongoing major project to audit TrueCrypt for security vulnerabilities, the IsTrueCryptAuditedYet? project, in class.
- Case Study 2: (Required for Assignment 6, which is due Mon., April 28)
T. Kohno, A. Stubblefield, A.D. Rubin, D.S. Wallach. "Analysis of an electronic voting system," IEEE Symposium on Security and Privacy, 2004, pp. 27-40.
This is an excellent audit of a system in which security should have been paramount, an electronic voting machine used in real elections, but which was full of security-breaking implementation flaws. This paper illustrates just how easy it is for implementers with poor understanding of security concepts to make an insecure system, and how important it is to pay attention to the details. Note: The link goes to a version on Avi Rubin's web site - this version is formatted differently than the "official" version, and may or may not contain exactly the same content.
Note: We are almost certainly not going to get to Bitcoin because of the number of days we have missed due to snow and ice, but I'm going to leave this reading here anyway. You aren't required to read this for the CSC 580 class, but many of you might find it interesting.
- How the Bitcoin protocol actually works, by Michael Nielsen, Dec. 6, 2013
This is a blog posting that does an excellent job of breaking down the fundamental ideas behind Bitcoin. This write-up is a nice middle ground between the original Bitcoin paper, which is good at outlining the general idea but has very few details, and the Bitcoin wiki, which has a ton of technical information.
Readings for Graduate Students
The following readings are required of graduate students, who will write short reports on each research reading. These are all research papers, and go a little deeper technically than the readings above for all students. Note that while this course is an introduction to cryptography, these papers focus more on correct implementation and use of cryptography -- pure crypto research papers, as exemplified by the top-tier CRYPTO conference, typically have a depth that is beyond what is expected in this first, introductory course. Graduate students who are interested in the field are encouraged to take a look at some of these papers, and perhaps dive into some of this depth in their class project.
- (Report due: Mon., Feb 3) J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten. "Lest We Remember: Cold Boot Attacks on Encryption Keys," USENIX Security Symposium, 2008, pp. 45-60. Available from https://www.usenix.org/legacy/events/sec08/tech/ (direct link: https://www.usenix.org/legacy/events/sec08/tech/full_papers/halderman/halderman.pdf)
- (Report due: Mon., Feb 17) Keaton Mowery, Michael Wei, David Kohlbrenner, Hovav Shacham, Steven Swanson. "Welcome to the Entropics: Boot-Time Entropy in Embedded Devices," IEEE Symposium on Security and Privacy, 2013, pp. 589-603.
- (Report due: Wed., Mar 19) Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. "An empirical study of cryptographic misuse in Android applications," in Proceedings of the 2013 ACM Conference on Computer and Communications Security (CCS '13), 2013, pp. 73-84.
- (Report due: Mon., Mar 31) Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. "Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices," USENIX Security Symposium, 2012, pp. 205-220. Available at https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/heninger