| Communication Theory of Secrecy Systems | Claude Shannon | • First formal statement of modern cryptography • Defined secrecy system, cipher, and how to determine the strength of secrecy system from information theoretic perspective |
| The Protection of Information in Computer Systems | Jerome H. Saltzer, and Michael D. Schroeder | • Introduces seminal secure design principles • Descriptor-based protection systems • Historical insights into computer security |
| Moore’s Law (Cramming More Components onto integrated circuits (1965) and Progress in Digital Integrated Electronics (1975)) | Gordon Moore | • Defined a model of processor development and progression • Provided a way to project computing capabilities into the future • A fundamental concept that has enabled the quantification of encryption security strength |
| New Directions in Cryptography | Whitfield Diffie and Martin Hellman | • First idea for public-key cryptography • Defined Diffie–Hellman key agreement protocol |
| A Method for Obtaining Digital Signatures and Public-Key Cryptosystems | Ron Rivest, Adi Shamir, and Leonard Adleman | • Defined RSA public-key system • One of the most used public-key cryptographic systems |
| On Data Banks and Privacy Homomorphisms (1978) | Ronald Rivest, Leonard Adleman, and Michael Dertouzos | • First paper defined homomorphic encryption |
| Fully Homomorphic Encryption Using Ideal Lattices (2009) | Craig Gentry | • Second paper defined the first practical fully homomorphic encryption scheme |
| The Byzantine Generals Problem | Leslie Lamport, Robert Shostak, and Marshall Pease | • Theoretical exploration of agreement under adversarial threat • Defined limitations of trust in redundant systems • Does not solve the common vulnerability challenge |
| Smashing the Stack for Fun and Profit | Aleph One (Elias Levy) | • First widespread introduction to buffer overflows • Step-by-step discussion of the vulnerability and shell code • Exploration of the implications |
| On the Security of Public-Key Protocols | Danny Dolev and Andrew Yao | • Theoretical exploration of attacks on public key protocols • Defined Dolev-Yao threat model that has become the threat model used for cryptographic protocols |
| A Computer Virus and a Cure for Computer Virus | Fred Cohen | • First definition of a virus • Proof of undecidability of detecting a virus (counterproof) by mapping to halting problem |
| The Foundations of Computer Security: We Need Some | Donald Good | • Essay to complain about lack of strong foundations for engineering in computer security (cybersecurity not a concept yet) • Surveyed how theoretically secure systems are not really secure • Proclaimed we need more theories before being able to engineer “secure” systems |
| Programming Satan’s Computer | Ross Anderson and Roger Needham | • Theoretical exploration of timing, ordering, and oracle attacks • Define principles for developing security protocols for integrity and authenticity using cryptography |
| The Base-Rate Fallacy and Its Implications for the Difficulty of Intrusion Detection | Stefan Axelsson | • Theoretical explanation of the problems we have with IDS • With extreme ratio of noise to signal (attacks=black swan events) even if you have a 100% detector you still need extremely low false-positive rate to not be inundated with false-positive detections |
| Red Pill (2004) | Joanna Rutkowska | • Red pill demonstrated a method to detect that you were running as a guest virtual machine • Blue pill demonstrated malware becoming a hypervisor to running OS dynamically |
| Introducing the Blue Pill (2006) |
| The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords | Joseph Bonneau | • Study that shows that regardless of subpopulation everyone choose equivalently weak passwords • An attacker is better off using a global password list |