Overview

This page contains my godzilla crypto tutorial, totalling 583 slides in 8 parts, of which the first 7 are the tutorial itself and the 8th is extra material which covers crypto politics. Part 8 isn't officially part of the technical tutorial itself.

The tutorial is done at a reasonably high level. There are about two dozen books which cover things like DES encryption done at the bit-flipping level, so I haven't bothered going down to this level. Instead I cover encryption protocols, weaknesses, applications, and other crypto security-related information. Since the slides are accompanying material for a proper tutorial, there's a lot of extra context which isn't available just by reading the slides. Bear in mind that some of the claims and comments on the slides need to be taken in the context of the full tutorial.

Accompanying the slides are about 150 images; unfortunately I can't make these available for copyright reasons.

The Tutorial

The tutorial is formatted so that two slides fit one page, which means you'll burn out about 300 pages of paper printing them all out (half that if you print double-sided). To view the tutorial you'll need a copy of the free Adobe Acrobat reader software. Note that most of the diagrams (and there are quite a few of them) will look a lot better on paper than on screen. The gv viewer (a replacement for ghostview) displays the slides better than the Acrobat viewer, especially with antialiasing enabled.

The output was generated from PowerPoint slides. Unfortunately PowerPoint converts the text colours of embedded tables into a very hard-to-read light grey, ignoring the actual text colouring set for the table. A solution for this problem has been found by Markus Friedl which involves using acroread-3 to convert the PDF to PostScript and then modifying the PS with:

    % sed '/^0\.[89][0-9][0-9] g$/s//0.1 g/' < part3.ps.orig > part3.ps

What acroread is doing is producing PS which uses "0.898 g" and "0.922 g" to set the color to light grey ("0.000 g" is black, "1.000 g" is white); the sed script above replaces it with dark grey (0.100 g). This makes the text much more readable, but only works with acroread and not with 'gv'.

(I know, I know, PowerPoint and PDF... at least it's not all in Word format).

The technical material consists of 7 parts:

Part 1, 66 slides: Security threats and requirements, services and mechanisms, historical ciphers, cipher machines, stream ciphers, RC4, block ciphers, DES, breaking DES, brute-force attacks, other block ciphers (triple DES, RC2, IDEA, Blowfish, CAST-128, Skipjack, GOST, AES), block cipher encryption modes, public-key encryption (RSA, DH, Elgamal, DSA), elliptic curve algorithms, hash and MAC algorithms (MD2, MD4, MD5, SHA-1, RIPEMD-160, the HMAC's).

Part 2, 116 slides: Key management, key distribution, the certification process, X.500 and X.500 naming, certification hierarchies, X.500 directories and LDAP, the PGP web of trust, certificate revocation, X.509 certificate structure and extensions, certificate profiles, setting up and running a CA, CA policies, RA's, timestamping, PGP certificates, SPKI, digital signature legislation.

Part 3, 103 slides: IPSEC, ISAKMP, Oakley, Photuris, SKIP, ISAKMP/Oakley, SSL, non-US strong SSL, SGC, TLS, S-HTTP, SSH, DNSSEC, SNMP security, email security mechanisms, PEM, the PEM CA model, PGP, PGP keys and the PGP trust model, MOSS, PGP/MIME, S/MIME and CMS, MSP.

Part 4, 55 slides: User authentication, Unix password encryption, LANMAN and NT domain authentication and how to break it, Netware 3.x and 4.x authentication, Kerberos 4 and 5, Kerberos-like systems (KryptoKnight, SESAME, DCE), authentication tokens, SecurID, S/Key, OPIE, PPP PAP/CHAP, PAP variants (SPAP, ARAP, MSCHAP), RADIUS, TACACS/XTACACS/TACACS+, ANSI X9.26, FIPS 196, biometrics, PAM.

Part 5, 37 slides: Electronic payment mechanisms, Internet transactions, payment systems (Netcash, Cybercash, book entry systems in general), Digicash, e-cheques, SET, the SET CA model.

Part 6, 48 slides: Why security is hard to get right, buffer overflows, protecting data in memory, storage sanitisation, data recovery techniques, random number generation, TEMPEST, snake oil crypto, selling security.

Part 7, 87 slides: Smart cards, smart card file structures, card commands, electronic purse standards (prEN 1546, Telequick), PKCS #11, JavaCard/OCF, PC/SC, iButtons, attacks on smart cards, voice encryption, GSM security and how to break it, traffic analysis, anonymity, mixes, onion routing, mixmaster, crowds, steganography, watermarking, misc. crypto applications (hashcash, PGP Moose).

Here endeth the technical material. The final part goes into crypto politics.

Part 8, 71 slides: History of crypto politics, digital telephony, Clipper, Fortezza and Skipjack, post-Clipper crypto politics, US export controls, effects of export controls, legal challenges, French and Russian controls, non-US controls (Wassenaar), Menwith Hill, Echelon, blind signal demodulation, undersea cable tapping, European parliament reports on Echelon, Echelon and export controls, Cloud Cover, UK DTI proposals, various GAK issues.

Miscellaneous Questions

Various people have asked about doing things with the tutorial which go beyond just reading it. The following answers should cover the most common requests:

Using portions of the material in your own work: This is fine provided you attribute it and stay within reasonable limits - the usual copyright "fair use" rules apply.

Using the original slides: I'm rather reluctant to provide access to these because it was an awful lot of work preparing them and I'd rather not have everyone give the tutorial I've prepared. In general if you want to use them within your organisation that's OK, but I'd rather not hand them out for general use.

Mirroring: If you want to mirror things or provide a copy via your own site, please leave the actual PDF's as links to the originals rather than copying the files across. I plan to update the slides from time to time as standards and technology change, and have had problems in the past with incredibly ancient copies of files stored on overseas mirrors. If you provide a link to the PDF's rather than copying them across it'll ensure people always get the latest copies.