authorHolger Dengler <dengler@linutronix.de>2013-04-02 18:33:21 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commitfca02ba4f66802961312bf4c6cfbfbde89a6153b (patch)
tree25ad8be1c8b9665d4be6fdc97e818480764aa7d5
parentc027e8700874182c476f18e5b89514b5ad5aaf16 (diff)
Add presentation for cryptography basics and PKI
Signed-off-by: Holger Dengler <dengler@linutronix.de>
-rw-r--r--images/crypt-cbc.odgbin0 -> 12429 bytes
-rw-r--r--images/crypt-cbc.pngbin0 -> 31343 bytes
-rw-r--r--images/crypto-cbc.odgbin0 -> 12429 bytes
-rw-r--r--images/crypto-cbc.pngbin0 -> 30165 bytes
-rw-r--r--images/crypto-cfb.odgbin0 -> 12590 bytes
-rw-r--r--images/crypto-cfb.pngbin0 -> 29856 bytes
-rw-r--r--images/crypto-ctr.odgbin0 -> 12710 bytes
-rw-r--r--images/crypto-ctr.pngbin0 -> 29623 bytes
-rw-r--r--images/crypto_3tux.pngbin0 -> 442308 bytes
-rw-r--r--images/pki-overview.odgbin0 -> 12330 bytes
-rw-r--r--images/pki-overview.pngbin0 -> 25001 bytes
-rw-r--r--security/crypto/Makefile9
-rw-r--r--security/crypto/pres_crypto_en.tex278
-rw-r--r--security/crypto/pres_pki_en.tex218
14 files changed, 505 insertions, 0 deletions
diff --git a/images/crypt-cbc.odg b/images/crypt-cbc.odg
new file mode 100644
index 0000000..fb3fcdb
--- /dev/null
+++ b/images/crypt-cbc.odg
Binary files differ
diff --git a/images/crypt-cbc.png b/images/crypt-cbc.png
new file mode 100644
index 0000000..1dc436e
--- /dev/null
+++ b/images/crypt-cbc.png
Binary files differ
diff --git a/images/crypto-cbc.odg b/images/crypto-cbc.odg
new file mode 100644
index 0000000..980d832
--- /dev/null
+++ b/images/crypto-cbc.odg
Binary files differ
diff --git a/images/crypto-cbc.png b/images/crypto-cbc.png
new file mode 100644
index 0000000..bbe38bb
--- /dev/null
+++ b/images/crypto-cbc.png
Binary files differ
diff --git a/images/crypto-cfb.odg b/images/crypto-cfb.odg
new file mode 100644
index 0000000..ac32304
--- /dev/null
+++ b/images/crypto-cfb.odg
Binary files differ
diff --git a/images/crypto-cfb.png b/images/crypto-cfb.png
new file mode 100644
index 0000000..80b7501
--- /dev/null
+++ b/images/crypto-cfb.png
Binary files differ
diff --git a/images/crypto-ctr.odg b/images/crypto-ctr.odg
new file mode 100644
index 0000000..bac845c
--- /dev/null
+++ b/images/crypto-ctr.odg
Binary files differ
diff --git a/images/crypto-ctr.png b/images/crypto-ctr.png
new file mode 100644
index 0000000..5dc2870
--- /dev/null
+++ b/images/crypto-ctr.png
Binary files differ
diff --git a/images/crypto_3tux.png b/images/crypto_3tux.png
new file mode 100644
index 0000000..a7bc4a6
--- /dev/null
+++ b/images/crypto_3tux.png
Binary files differ
diff --git a/images/pki-overview.odg b/images/pki-overview.odg
new file mode 100644
index 0000000..3f0ce7f
--- /dev/null
+++ b/images/pki-overview.odg
Binary files differ
diff --git a/images/pki-overview.png b/images/pki-overview.png
new file mode 100644
index 0000000..cb0c53b
--- /dev/null
+++ b/images/pki-overview.png
Binary files differ
diff --git a/security/crypto/Makefile b/security/crypto/Makefile
new file mode 100644
index 0000000..257d70d
--- /dev/null
+++ b/security/crypto/Makefile
@@ -0,0 +1,9 @@
+all:
+ for pdf in `ls -1 handout_*.tex pres_*.tex 2> /dev/null` ; do \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ done
+
+clean:
+ rm -f *.aux *.log *.pdf *.log *.snm *.toc *.vrb *.nav *.out
+
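Review bot: The `all` recipe never stops on a failed build: inside the `for` loop each `pdflatex $$pdf;` ends in `;`, so make only sees the status of the last command run for the last file, and a deck that fails earlier in the list goes unnoticed. Appending `|| exit 1` to both pdflatex lines would propagate the error. `clean` lists `*.log` twice, and neither target is declared phony, so `.PHONY: all clean` should be added. Iterating over the glob directly (`for pdf in handout_*.tex pres_*.tex`) would avoid parsing `ls` output, though unmatched patterns then need a guard.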
diff --git a/security/crypto/pres_crypto_en.tex b/security/crypto/pres_crypto_en.tex
new file mode 100644
index 0000000..606f61c
--- /dev/null
+++ b/security/crypto/pres_crypto_en.tex
@@ -0,0 +1,278 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\newcommand{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
+\newcommand{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}
+
+\input{configpres}
+
+\subsection{Cryptography}
+
+\title{Cryptography}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Fundamentals}
+
+\begin{frame}[fragile]
+\frametitle{Cryptography: Historical}
+\begin{itemize}
+\item First mention: 300 BC in ancient Egypt
+\item Mechanical Systems
+\item Character Exchange Tables and Codebooks
+\item Problem: Crypto Analysis, Transmission
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Cryptography: Modern}
+\begin{itemize}
+\item Revolution starts in 1970
+\item Cryptography for non-military purpose
+\item Data Encryption Standard (DES: 1976)
+\item Secret Key Exchange (Diffie, Hellmann: 1976)
+\item Private/Public Key: RSA Algorithm (Rivest, Shamir, Adleman: 1977)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Kerckhoffs's principle}
+Auguste Kerckhoff (1983) on \emph{La Cryptographie Militaire}
+\begin{itemize}
+\item \dots
+\item It must not be required to be secret, and it must be able to fall into
+ the hands of the enemy without inconvenience
+\item \dots
+\end{itemize}
+Conclusion:
+\begin{itemize}
+\item No \emph{Security by Obscurity}
+\item The strength of the system must depend on the secret of
+the key, not on the secret of the algorithm
+\item published and standardized method/algorithm \\
+ (eliminate failures in theory)
+\item open implementation \\
+ (eliminate failures in implementation)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Cryptographical Methods}
+\begin{itemize}
+\item Asymetric methods
+\begin{itemize}
+\item expensive and slow
+\item Public and Private Key
+\item Key Exchange
+\end{itemize}
+\item Symetric methods
+\begin{itemize}
+\item efficient and fast
+\item single Key
+\item Bulk Data Encryption/Hashes
+\end{itemize}
+\item non-linear bahavior
+\item resistent against
+\begin{itemize}
+\item statistical analysis
+\item differential crytanalysis
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Symetric Methods}
+
+\begin{frame}
+\frametitle{Data Encryption Standard (DES)}
+\begin{itemize}
+\item S-Box based, \\
+ 56 bit key size, \\
+ 64 bit cipher block size
+\item developed by IBM and NSA
+\item 1975: First publication
+\item 1976: accepted as standard
+\item 1977: published as FIPS PUB 46
+\item TDES is recommended as replacement since 1999
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Advanced Encryption Standard (AES)}
+\begin{itemize}
+\item S-Box based, \\
+ 128, 192, 256 bit key size, \\
+ 128 bit cipher block size
+\item 1997: public selection process started by NIST
+\item 1999: end of 1st round: 15 algorithms
+\item 2000: end of 2nd round: 6 algorithms
+\item 2000: Rijndael published as AES in October
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Asymetric Methods}
+
+\begin{frame}
+\frametitle{}
+\begin{itemize}
+\item based on one-way methods
+\item encryption with public information
+\item decryption only with private information
+\item RSA
+\begin{itemize}
+\item 512 to 4096 bit key size
+\item min. 2048 bit recommended
+\end{itemize}
+\item Elliptic Curve Cryptography (ECC)
+\begin{itemize}
+\item 160 to 512 bit key size
+\item equivalent security with shorter key size
+\item RSA/DH 2048 equivalent to ECDH 224
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Applications}
+
+\begin{frame}
+\frametitle{Modes of Operation}
+\begin{itemize}
+\item turn Block Cipher into a Stream Cipher
+\item disarrange repeating patterns
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.3]{images/crypto_3tux.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Cipher Block Chaining (CBC)}
+\begin{itemize}
+\item Decryption parallelizable
+\item damaged IV affects first plaintext block
+\item one-bit flip in ciphertext affects whole plaintext block and the
+corresponding bit in the following plaintext block
+\item Multiple Cipherblock Size only, padding required (e.g. with CBC-CS)
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.3]{images/crypto-cbc.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Cipher Feedback (CFB)}
+\begin{itemize}
+\item Required only Block Encryption
+\item Decryption parallelizable
+\item No padding required
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.3]{images/crypto-cfb.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Counter (CFB)}
+\begin{itemize}
+\item Required only Block Encryption
+\item Encryption and Decryption parallelizable
+\item No padding required
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.3]{images/crypto-ctr.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{SSL/TLS Handshake (1)}
+Secure Key Exchange
+\begin{itemize}
+\item Phase 1
+\begin{itemize}
+\item Client / Server exchange Random Numbers (RN\subscript{c} and
+RN\subscript {s})
+\item Negotiate Session Parameter (encryption method, compression)
+\end{itemize}
+\item Phase 2
+\begin{itemize}
+\item Server Certificate (incl. PubK\subscript{s}), checked by Client
+\item opt: Client verify Server Certificate Signature
+\item opt: Server request signed Client Certificate
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{SSL/TLS Handshake (2)}
+\begin{itemize}
+\item Phase 3:
+\begin{itemize}
+\item Client Certificate (incl. PubK\subscript{c}), checked by Server
+\item Hash over all previous messages, signed with PrivK\subscript{c}, checked by Server
+\item Client calculate Pre-Master-Secret (PMS)
+\item Encrypted PMS (with PrivK\subscript{c}) to Server
+\item Both sides calculate Master-Secret with RN\subscript{c},
+RN\subscript{s} and PMS
+\end{itemize}
+\item Phase 4:
+\begin{itemize}
+\item Both sides switch to encrypted communication with MS
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Open Crypto Libraries}
+\begin{itemize}
+\item OpenSSL: libcrypto and libssl \\
+ Implementations and Hardware support for most common algorithms
+\item GnuTLS: GNU SSL/TLS implementation \\
+ Focus on TLS handshaking and protocol implementation
+\item PKCS\#11 (API for Smartcard Slots and Tokens) \\
+ OpenSC Project \\
+ opencryptoki
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Starting point on Wikipedia
+\begin{itemize}
+\item \url{http://en.wikipedia.org/wiki/Cryptography}
+\end{itemize}
+National Institute of Standards and Technology
+\begin{itemize}
+\item \url{http://www.nist.gov}
+\end{itemize}
+RSA Labratories
+\begin{itemize}
+\item \url{http://www.rsa.com}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
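Review bot: In the "SSL/TLS Handshake (2)" frame the item `\item Encrypted PMS (with PrivK\subscript{c}) to Server` names the wrong key: in the RSA key exchange the client encrypts the pre-master secret with the server's public key, so it should read `\item Encrypted PMS (with PubK\subscript{s}) to Server`; a value encrypted with the client's private key could be recovered by anyone who holds the client's public key. "SSL/TLS Handshake (1)" marks `Client verify Server Certificate Signature` as optional, which readers may take to mean that skipping server authentication is acceptable, while frame (2) presents the client certificate steps as unconditional although the request for it is marked optional. Two smaller slips: the counter-mode frame is titled `\frametitle{Counter (CFB)}` and should be `\frametitle{Counter (CTR)}`, and `Auguste Kerckhoff (1983)` should give the year as 1883. The mode frames would also benefit from one item each stating that CBC, CFB and CTR provide no integrity protection on their own and that an IV or counter block must not repeat under the same key.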
diff --git a/security/crypto/pres_pki_en.tex b/security/crypto/pres_pki_en.tex
new file mode 100644
index 0000000..67af31a
--- /dev/null
+++ b/security/crypto/pres_pki_en.tex
@@ -0,0 +1,218 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\newcommand{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
+\newcommand{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}
+
+\input{configpres}
+
+\subsection{Public Key Infrastructure}
+
+\title{Public Key Infrastructure}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Fundamentals}
+
+\begin{frame}[fragile]
+\frametitle{Overview}
+\begin{figure}[h]
+\centering
+\includegraphics[scale=0.6]{images/pki-overview.png}
+\end{figure}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Roles}
+\begin{itemize}
+\item Certificate Authority
+\begin{itemize}
+\item Issue CA-Certificate (CA Public Key)
+\item Sign Public Keys (with CA Private Key)
+\end{itemize}
+\item Validation Authority
+\begin{itemize}
+\item Provide signed Certificates
+\item Unique relation between Client and Certificate
+\end{itemize}
+\item Registration Authority
+\begin{itemize}
+\item Process Certificate Signing Requests
+\item Ensure Clients Identity
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Elements (1)}
+\begin{itemize}
+\item Key Pair
+\begin{itemize}
+\item Public and Private Key
+\end{itemize}
+\item Signature (of Payload)
+\begin{itemize}
+\item Payload-Hash, encrypted with the Private Key of the Signee
+\end{itemize}
+\item Certificate Sign Request
+\begin{itemize}
+\item Public Key of the Requester
+\item Meta-Information about the Requester
+\item Signature from the Requester (self-signed)
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Elements (2)}
+\begin{itemize}
+\item Certificate (of Owner)
+\begin{itemize}
+\item Public Key of the Owner
+\item Verified Meta-Information about the Owner
+\item Signature from the Owner (self-signed)
+\item Signatures of others (e.g. the CA)
+\end{itemize}
+\item Certificate Revocation List
+\begin{itemize}
+\item Revoked Certificates
+\end{itemize}
+\item Directory Server
+\begin{itemize}
+\item Certification Directory
+\item e.g. LDAP- or X.500-Server
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Workflows}
+
+\begin{frame}
+\frametitle{Create CA-Certificate}
+\begin{itemize}
+\item Create Key-Pair
+\item Self-Sign Public Key
+\item opt: generate Certificate Signing Request for Root CA
+\item Send CA-Certificate to Directory Server and/or Validation Authority
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Process Client Certificate}
+\begin{itemize}
+\item Requester
+\begin{itemize}
+\item Create Key-Pair
+\item Create Certificate Signing Request (Meta-Info)
+\item Send it to the RA
+\end{itemize}
+\item Registration Authority
+\begin{itemize}
+\item Validate Signature in CSR
+\item Validate Meta-Information of Requester
+\item Forward CSR to the CA
+\end{itemize}
+\item Certificate Authority
+\begin{itemize}
+\item Validate Signature in CSR
+\item Sign CSR
+\item Send Certificate to Requester and Directory Server
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\begin{frame}
+\frametitle{Working with Client Certificate}
+\begin{itemize}
+\item Client
+\begin{itemize}
+\item Send signed Request to Server
+\end{itemize}
+\item Server
+\begin{itemize}
+\item Send Signature Validation Request to VA
+\end{itemize}
+\item Validation Authority
+\begin{itemize}
+\item Retrieve Clients Certificate in Directory Server
+\item Check Certificate Revocation List
+\item Validate Clients Certificate with CA-Certificate
+\item Validate Signature with Clients Certificate
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Trust}
+
+\begin{frame}
+\frametitle{Trust Models}
+\begin{itemize}
+\item Strict Hierarchy
+\begin{itemize}
+\item No Signing between Levels
+\item Simple and efficient
+\item Compromising Root affects whole Tree
+\end{itemize}
+\item Cross-Signing
+\begin{itemize}
+\item Certificates signed by multiple CAs
+\item More than one Root must be compromised to affect the Tree
+\end{itemize}
+\item Web of Trust
+\begin{itemize}
+\item High Security
+\item Individual Trust
+\item High Maintenance Effort
+\end{itemize}
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Tools}
+
+\begin{frame}
+\frametitle{Tools}
+Commandline
+\begin{itemize}
+\item OpenSSL
+\item easy-rsa
+\end{itemize}
+GUI/Web
+\begin{itemize}
+\item OpenCA
+\item XCA (UI for Linux, Mac and Windows)
+\end{itemize}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Related Links}
+
+\begin{frame}
+Starting point on Wikipedia
+\begin{itemize}
+\item \url{https://en.wikipedia.org/wiki/Public\_key\_infrastructure}
+\end{itemize}
+Tools
+\begin{itemize}
+\item \url{http://www.openssl.org/}
+\item \url{http://openvpn.net/easyrsa.html}
+\item \url{http://www.openca.org/}
+\item \url{http://xca.sourceforge.net/}
+\end{itemize}
+\end{frame}
+
+\subsection{}
+\input{tailpres}
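Review bot: In the "Trust Models" frame the cross-signing item `More than one Root must be compromised to affect the Tree` appears to state the effect backwards: a relying party normally accepts any one valid chain, so a certificate reachable from several roots is exposed to the compromise of any one of them. In "Elements (2)" the certificate is listed with `Signature from the Owner (self-signed)`; for an issued X.509 certificate only the issuer's signature is present (the owner's proof-of-possession signature belongs to the CSR), so that item fits a root CA certificate rather than certificates in general. The "Working with Client Certificate" steps check the CRL and the CA signature but not the validity period or the permitted key usage; an item such as `\item Check Validity Period and Key Usage` would close that gap. "Signee" in "Elements (1)" should be "Signer".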