CSC 580: Cryptography and Security in Computing

More Information

There is a lot of great information about cryptography and computer security out there, both in print and on the Web. Here is a list of references that I think are particularly good or relevant for this class:

High-Quality, Free Resources

Material for "Security Overview"

Key Organizations and Standards Bodies/Sources

  • NIST (National Institute of Standards and Technology)
    US Government organization defining technology standards and other useful information
    NIST has a Computer Security Division which publishes the "800-series" of publications on Computer Security. See especially:

    • SP 800-12 - An Introduction to Computer Security: The NIST Handbook
    • SP 800-21 - Guidelines for Implementing Cryptography in the Federal Government
    • SP 800-53 Rev. 3 - Recommended Security Controls for Federal Information Systems and Organizations
    • SP 800-57 - Recommendation for Key Management
    • SP 800-61 - Computer Security Incident Handling Guide

  • FIPS (Federal Information Processing Standards)
    Run under the Information Technology Laboratory at NIST, publishes standards for how government systems must be run (including standard cryptographic algorithms such as AES, DSS, etc.)

  • IETF (Internet Engineering Task Force)
    Publishes internet standards, protocol definitions (including IP, TCP, TLS, etc.), and other documents as RFCs. Non-protocol documents of particular interest include:

    • RFC 4949 - Internet Security Glossary, Version 2
    • RFC 2340 - Expectations for Computer Security Incident Response
    • RFC 2196 - Site Security Handbook
    • RFC 2504 - Users' Security Handbook

  • ITU-T (International Telecommunication Union - Telecommunicaion Standardization Sector)
    Publishes the "X-series" recommendations, including

    • X.200 - Open Systems Interconnection (OSI) - Basic Reference Model
    • X.500 - OSI Directory
    • X.800 - OSI Security Architecture

Miscellaneous items from overview

Designing security in

Material for "Classical Encryption Techniques"

Interesting and/or unsolved ciphers

Information on classic cryptography



Advanced Encryption Standard (AES)

Public-key Cryptography, including Elliptic Curve Information

Security Model References

  • Ciphertext Indistinguishability article at Wikipedia - this is a little terse, and the models seem to assume a public key crypto model, but otherwise it's a reasonable reference

User Authentication

Hash Functions and MACs

  • Wikipedia page on Cryptographic Hash Functions - important table that include "Best Known Attacks" for different hash algorithms.
  • MD5 Collision Demo has a great overview of the vulnerability of MD5 with respect its lack of strong collision resistance. This page gives not just meaningless collisions, but very practical examples of different programs with the same MD5 hash value, and different Postscript files with the same MD5 hash value.
  • Wired article on X.509 certificate forgery - this was a real attack on a Certificate Authority that demonstrated how the MD5 weakness led to forged certificates.
  • The Sponge Functions Corner - the SHA-3 competition winner is based on the idea of "Sponge functions" (as opposed to prior major hash functions which used "compression functions"), and this page has some great info on Sponge functions.
  • The Keccak sponge function family - the specific function family used in the winning SHA-3 entry.
  • Verified Correctness and Security of OpenSSL HMAC - recent (2015) Usenix Security Symposium paper on a machine-verification of both implementation and security properties of HMAC

Randomness and pseudorandomness

Some references to times when randomness/pseudorandomness wasn't as good as it should have been: