Motivation. Basic security services. Overview of historic ciphers. Attacks on and cryptoanalysis of historic ciphers. Principles of modern cryptography. Reasoning about security and threat models. Notation. Data serialization. Confidentiality and Information theoretic security. Ciphers. Vernam's One-Time pad. Information Theoretic Security. Perfect secrecy and Shannon's theorem. Ciphertextonly attack. Limitations of OTP. Symmetric ciphers. Stream ciphers and pseudorandomness. Computational ciphers and computational security. One-time semantic security. Attacks on stream ciphers. Block ciphers, pseudorandom functions and permutations. Padding. Block cipher examples. Semantic security for many-time key, chosen-plaintext attack. Randomized encryption: nonces, initialization vectors. Modes of operation: electronic code book, cipher block chaining, counter mode. Integrity and hashing. Use cases and the meaning of message authenticity. Message Authentication Code. Chosen-message attack and existential forgery. Secure MACs from secure PRFs, truncating lemma. Encrypted CBC-MAC and encrypted NMAC, lengthextension attack. Hash functions, collision resistance. Hash-MAC. Generic attacks on collision resistance and the birthday paradox. Merkle-Damgard construction. HMAC standard. Attacks on MAC verification, sidechannel and timing-attacks. Authenticated encryption. Ciphertext integrity and authenticated encryption. Chosen-ciphertext attack. Constructions: Encrypt then MAC, MAC and encrypt, MAC then encrypt. Standards GCM, CCM, EAX. Authenticated encryption with associated data. Public Key Encryption. Use cases. Public Key (PK) cipher. Semantic security for PK encryption. Chosen-ciphertext security for PK encryption. Secure trapdoor functions (TDF) and trapdoor permutations (TDP). Public-key cipher from secure TDF, hybrid encryption and ISO 18033-2 standard. Math revision: Arithmetic modulo composites and Euler's theorem. RSA trapdoor permutation, RSA assumption. Naive RSA. RSA PKCS#1 v1.5 encryption. Bleichenbacher attack and RFC 5246. RSA-OAEP. RSA security. Key-exchange protocols. The key management problem. On-line Trusted Third Parties (TTP): Example protocol, security analysis, benefits and limitations of TTPs. The Diffie-Hellman protocol: Math revision of arithmetic in modulo primes, security analysis of Diffie-Hellman, susceptibility to man-inthe-middle attack and open issues. Key exchange with public key encryption: the protocol and security analysis, susceptibility to man-in-the-middle attack and open issues. Key Derivation Techniques: bias in pseudorandom generators and key-exchange protocols, deriving many keys from one with counter mode construction, extract-thenexpand paradigm, HKDF standard, generating keys from passwords, PBKDF standard. Digital signatures. Digital signature scheme. Comparison to MACs. Public verifiability and non-repudiation. Chosen message attack and existential forgery. Signature schemes with hash-and-sign paradigm. Full Domain Hash. RSA Full Domain Hash. RSA PKCS#1 v1.5 signatures. Probabilistic Signature Schemes. Standards DSA, ECDSA. Authentication. Authenticating users, data and messages. Authentication factors (knowledge, ownership, inherence) and strong authentication. Passwords and preshared keys: one-time passwords, challengeresponse passwords, attacks against passwords. Storing passwords. Authentication using public key cryptography. Authentication with public keys. The manual approach in SSH. Centralized approach with Public-Key Infrastructure (PKI): introduction, relevance, and reasons for using digital certificates; Components: certification authorities, registration authorities, certificate revocation lists; Digital certificates: structure, contents, X.509 standard, certificate chains; PKI in practice: the Internet, qualified CAs in Slovenia; Vulnerabilities, risks, attacks. Distributed approach: Web of Trust (WOT): issues with PKI and motivation for WOT; Key management and trust relationships; Trust paths and transitivity, key signing parties; Examples: PGP, GPG, Tor. Key discovery issues: key registries, fake key attestations and trusted attestation authorities. Hybrid approaches.

- nosilec: David Jelenc