crazylazy.info

txt

"Hey, it's easy"

Practical Cryptography by Niels Ferguson and Bruce Schneier is not necessarily scientific. In fact that's where it's making a difference: it's not just theory and addresses modern problems with cryptographic  implementations pragmatically. It's for people who audit these kinds of source code; for example.

People who just want to know but are no mathematicians or extraordinary gifted. Because math stuff is learnable at least and well defined. But how to implement that? Using libraries may be a good idea. But how do you verify the correctness of these libraries? There're countless languages, countless differently skilled people involved and even the vast number of available libraries per language is astonishing. So, what's the difference and why not just chose, what's most performant? Because: the weak-point most times is not mathematical. 

"You're doing it wrong!"

The focus of this small (~400 pages) book is not subversive on how to attack.- But it's about how to think of integrity and confidentiality issues linked with specific kinds of encryption standards in order to "do it right". It's about how to measure security. And to understand you neither need to be a programmer, nor a mathematician. It's astonishingly convenient to read. In a condensed way, comparing with "Applied Cryptography", it delivers insights on cryptography as a whole and doesn't focus the depths.

The first chapers therefore introduce the reader how to think while understanding the processes used to hide the content of messages. Which threats are present, how to model these, and how to deal with the unsolvable problem as the "human factor" at design level.

Afterwards of course it's about different ciphers, block-ciphers (DES; AES, Serpent...), different modes (CBC, ECB...) and the pros and cons. It doesn't lose itself to theory at any point, always questioning the reader to keep the pragmatic issues in mind: chose the right mode? The right cipher? And if there's a perfect solution...

I really liked the chapter on hash-functions. It's a topic of current relevance, if you remember the problems with MD5 and SSL certifications back in December 2008. The weaknesses of hash-functions are well described and commented. There're some fixes mentioned, like "salting" them - what isn't the answer of course.

Further chapters deal with Message Authentication Codes like MAC, or UMAC. Very briefly. If you're interested in these, chose another book. Or Secure Channel. Nevertheless the description of implementation issues here countervails this weakness. ;)

And it even gets awesome: the whole part of key negotiation, speaking of how to generate (non deterministic) randomness, primes, Diffie-Hellman, RSA, cryptographic protocols and... and ...  and so on is truly fascinating. I'm currently starting with "Key Management". Which is a problem that involves key-servers, PKI, revocation, expiration, authority, trust... and reality.

It's going to end with patent-problems to create awareness for this abstract problem developers everywhere will have in future as it seems. And it shouldn't be ignored just because currently there's no one suing you. There will be, if there's money involved.

A fascinating book: short, problem oriented, pragmatic, and it's not dry. It's written like cryptography was alive ;). And well... it is. At least if you're using the s after the http here. Or not?

Have fun, wishi