MIT PEP: Massachusetts Institute of Technology Professional Education Programs

Cryptography and Computer Security [6.87s]


Date: TBD, 2010 | Tuition: $2,900 (tentative) | Continuing Education Units (CEUs): 3.0 (tentative)

This class is tentatively planned for 2010, depending on the level of interest. Email the Short Programs office to express your interest in taking this course. Please include your industry and learning goals.

Course Summary

Did you buy anything online recently? Use an ATM machine? If so, whether you know it or not, you used cryptography. Cryptography (in the guise of the SSL protocol) protects your credit card information as it whizzes across the Internet, and ensures that others can't withdraw money from your account.

The ubiquitous use of tools such as SSL and SSH shows that cryptography, once an esoteric military concern, has now burst into the mainstream. Yet, this is only the beginning of a coming flood.

We see two ways in which an understanding of cryptography is important for your business, as we now explain.

Many companies have security-related products, or see security-related opportunities, which ultimately have a piece of cryptography at their core. In many cases, this is something that, in principle, can be dealt with using basic and existing cryptographic tools and techniques. Nonetheless, it is too often the case that the designs produced are not secure. This results in the need for expensive software or hardware changes down the line. It is better to get it right the first time. This is possible as long as one has a good understanding of the basic tools and techniques and how to use them.

Meanwhile, new ideas, such as identity-based encryption, searchable encryption and secure computation are blossoming in this field, and fueling new applications. An understanding of cryptography enables you to know about the available technologies, and puts you in the position to seize new business opportunities.

The above has, hopefully, convinced you that an understanding of cryptography is valuable. The next question is: how do you get it? The answer is: take our course.

This course offers a unique approach to cryptography that you won't find in standard textbooks. It is based on the theory of provable security, and will ultimately enable you to assess cryptographic technologies with confidence, design cryptography that is error-proof, and understand many new technologies and their potential applications.

Historically, cryptography has had a kind of mystic reputation. Designs are produced, mysteriously, by experts. The only confidence one can have in them comes from the inability of other experts to break them. The impression you are given is that without the guidance of one of these "gurus", you are lost.

The provable security approach we teach allows you to bypass the experts. You will be able to assess cryptographic designs on your own, scientifically and with confidence, and decide which ones are good and which are not. Moreover, you will be able to justify your conclusions and choices to your customers and managers. You will not only be able to design mechanisms that will stand the test of time, but will be able to explain why they will do so.

When you understand and use provable security, you not only get more secure designs, but typically ones that are more efficient, meaning, better from the performance point of view. (Your software will be faster and cheaper.) This is not a paradox. When you don't know what you're doing, you tend to compensate by doing things that are more complicated, so that designs accumulate strange and unnecessary steps. With our approach, you know exactly what each step buys you, and your design can be minimal yet secure.

Professor Shafi Goldwasser, one of the lecturers, is one of the inventors of the theory of provable security. Professor Mihir Bellare, the other lecturer, is a leader in the application of provable security to practice. More information about the lecturers is available at the bottom of this page.

Cryptography and Computer Security Podcast

Listen to Shafi Goldwasser and Mihir Bellare discuss this course in the RSA Cryptography and Computer Security Podcast:
Listen online | Download (16:43)

Content

Fundamentals: Core concepts, understandings and tools (50%)

Latest Developments: Recent advances and future trends (25%)

Industry Applications: Linking theory and real-world (25%)

Delivery Methods

Lecture: Delivery of material in a lecture format (80%)

Discussion or Groupwork: Participatory learning (20%)

Level

Introductory: Appropriate for a general audience (95%)

Specialized: Assumes experience in practice area or field (5%)

Learning Objectives

  1. Describe cryptographic definitions and identify why such definitions are crucial to building more secure systems and assessing the security of existing ones.
  2. Understand the notion of provable security and how it leads to schemes with improved security guarantees.
  3. Examine schemes in different standards, and evaluate their use in different situations.
  4. Summarize the new ideas, opportunities, and technologies in this area.

Topics

Broadly speaking, the course has four parts: symmetric cryptography, public-key cryptography, key management and distribution, and advanced topics. In all cases, we not only cover fundamentals, but also discuss current standards and alternatives to them, so that you not only know what is available but also what is possible based on the most recent research.

Our coverage of symmetric (that is, shared key) cryptography begins with block ciphers like DES and AES, the workhorses in this domain. Now, classical textbooks will tell you a lot about how you attack these beasts, something that is ultimately only of use to the experts. We focus instead on what is important to you the user, namely how to use block ciphers to solve the problems that you want to solve. Via the theory of pseudorandom functions, you will learn how to think about block ciphers so that you know what you can securely do with them and what you can't.

Classical cryptography will tell you a lot about how to encrypt, but leave you largely in the dark regarding what exactly one is trying to achieve, let alone whether the mechanisms actually do achieve it. Our emphasis when studying symmetric encryption will be on defining the security goal, that is, saying in a precise way exactly what privacy means. Once this is done, it is much easier both to assess the security of encryption schemes and to use them securely in applications. We will discuss the security of popular encryption schemes such as the ECB and CBC modes of operation. The latter is in almost ubiquitous use in cryptography software worldwide.

Next, we will cover hash functions, a topic about which there has been a lot of press recently due to the attacks on MD5 and SHA-1. What are the implications of these attacks for your security? We will explain this. We will also explain how hash functions are designed and what your replacement choices are should replacement be necessary.

Our final topic in symmetric cryptography is message authentication. We will explain what the goals and threats are, and dissect popular schemes such as the CBC MAC and HMAC. The latter is used ubiquitously in security software, and has come into question due to the compromise of the hash functions on which it is based. We will clarify the security of HMAC in the light of the most recent attacks and proofs.

Our coverage of public-key cryptography begins with essential background on number theory. We then cover discrete logarithm, factoring and RSA-based systems. We cover both encryption and digital signatures. In both cases, we show how security can be defined and achieved. We also assess the security of current standards such as PKCS#1, which underlies a large fraction of the usages of public-key cryptography.

It was pointed out some time back that factoring-based cryptography is vulnerable to attacks by quantum computers. Should we be worried? It is, of course, hard to tell whether quantum computing will ever really happen in a practical sense. But, even if it does, modern cryptography has an answer. We will discuss lattice-based cryptography, which is not vulnerable to quantum computing attacks and is of interest even beyond this, as an alternative to the traditional means of obtaining public-key cryptography and hash functions.

Moving on to key distribution and management, we begin by discussing the public-key infrastructure, including certificates, certificate authorities and certificate revocation. We will then discuss session key distribution. We will begin with Kerberos. Then we move on to the type of session key distribution protocols underlying SSL and SSH. We cover forward security. Finally, we look at session key exchange based on passwords, and cover dictionary attacks and dictionary attack safe protocols.

Finally, in the advanced topics portion of the course, we discuss protocols for commitment and fair exchange. We discuss applications like Internet gambling, and how Alice and Bob can flip a fair coin across the Internet.

Cryptographic keys stored on systems are vulnerable to exposure due to system break-in and compromise. This can arise due to operating system holes, viruses or worms. We discuss various cryptographic ways to mitigate the threat of key exposure, including threshold cryptography, where the key is distributed across many servers, and forward security, where the key evolves over time.

We discuss zero knowledge proof systems and their use for identification. We explain why this provides better security than classical password-based identification schemes. We explain the enormous implications of zero knowledge proof systems for cryptographic protocol design.

We discuss protocols for electronic voting and secure electronic auctions. We then discuss identity-based encryption and the uses and potential of this technology. We discuss new developments in the area of program obfuscation and the implications for digital rights management (DRM). We discuss Internet privacy concerns and the potential to address them via anonymous credentials.

Finally, we explain the concept of secure computation which generalizes and unifies the above, allowing a group of parties to compute a joint function of their private information without revealing more about this information than is necessary to determine the result of the function.

Expected Background and Reading Material

We will assume a typical college background in algorithms and mathematics for computer science students. In general, ease with concepts from computer algorithms is highly recommended.

The course will not assume any background or prior knowledge of cryptography. However, some prospective students, interested in delving into it a little beforehand, have asked us for pointers to some reading material. In this regard, our lecture notes are available. Also, this course webpage has many pointers which can be followed to obtain further information on the topic in question.

Participants' Comments

Senior Programmer/Analyst at the University of Pennsylvania
"The breadth and depth of information about the symmetric and asymmetric environments and the distinction between encryption and digital signatures was very beneficial as was the exposure to the underlying mathematics."

Information Assurance Security Officer from AT&T
"I have tried extensive searches and have attended numerous classes and professional sessions and I have never received the multitude of information and attention from any other course."

About The Lecturers

Shafi Goldwasser
RSA Professor of Computer Science and Engineering in the Dept of Electrical Engineering & Computer Science at MIT. Prof. Goldwasser is a co-leader of the Cryptography and Information Security Group and a member of the Complexity Theory Group within the Theory of Computation Group and the Laboratory for Computer Science.

Professor Goldwasser is one of the inventors of zero-knowledge-proofs, an interactive method to "probabilistically prove" theorems revealing no extra knowledge except the validity of the theorem, a key primitive in the design of modern cryptographic protocols. Her work on single-prover and multi-prover interactive proofs has led to a number of breakthroughs in computational complexity theory, including new methods for classifying the complexity of approximation problems, and showing the existence of fast and locally verifiable proofs.

Professor Goldwasser is a recipient of the NSF Presidential Young Investigator Award of 1987, and the NSF Faculty Award for Women of 1991. She received her first Gödel Prize in 1993 for her paper on "The Knowledge Complexity of Interactive Proofs," and a second Gödel Prize in 2001 for her paper on "Interactive Proofs and the Hardness of Approximating Cliques." She is the recipient of the 1997 ACM Grace Murray Hopper Award for outstanding young computer professional of the year, the 1998 winner of the RSA Award for Mathematics, is a member of the American Academy of Arts and Science since 2001, a member of the National Academy of Science 2004, National Academy of Engineering 2004, and is the first holder of the RSA Professorship which was established in 1997. She has been a plenary speaker in numerous conferences, including the International Congress of Mathematics (ICM) 2002, the International Symposium on Information Theory (ISIT) 2002, the Federated Computing Research Conference (FCRC) 1999, the Foundation of Computer Science Conference (1997), and the Principles of Distributed Computing Conference (1997). She received a B.S. (1979) in Mathematics from Carnegie Mellon University, and an M.S. (1981) and Ph.D. (1983) in computer science from the University of California at Berkeley.

For more information on Prof. Goldwasser's research and teaching activities you may visit http://people.csail.mit.edu/shafi/.

Mihir Bellare
Professor in the Dept of Computer Science and Engineering at the University of California San Diego.

Professor Bellare's work centers on practice-oriented provable security. He is a co-inventor of the HMAC authentication algorithm which is in ubiquitous use in Internet and wireless security and in particular is in SSL, SSH, and IEEE 802.11. (You use it every time you make a credit card based online purchase.) He is also a co-inventor of the OAEP encryption algorithm which is included in the RSA PKCS #1 v2.0 standard, and a co-developer of iKP, a family of electronic payment protocols that led to MasterCard and Visa's SET.

Professor Bellare is a recipient of the 2003 RSA conference award for mathematics; a 2006 David and Lucille Packard Foundation Fellowship in Science and Engineering; a NSF CAREER Award, 1996; IBM Outstanding Innovation Award, 1997; IBM Outstanding Technical Achievement Award, 1996; IBM Invention Achievement Awards, 1993 and 1995; IBM Author Recognition Award, 1993; Spencer Eaken Allmond Scholarship, 1986; Carnation Prize, Caltech, 1985; and a Member of Tau Beta Pi honor society. He received his B.S. (in mathematics) from the California Institute of Technology (Caltech) and his Ph.D. in computer science from MIT.

For more information on Prof. Bellare's research and teaching activities you may visit http://www.cs.ucsd.edu/~mihir.

MIT © 2009 Massachusetts Institute of Technology