[Cryptography Team] Niels Ferguson,
Bruce Schneier. "Practical Cryptography"
Ron Teitelbaum
Ron at USMedRec.com
Mon Feb 13 22:39:24 CET 2006
Chris,
I agree that if Bruce says something we should listen. I find his news
letter very informative http://www.schneier.com/crypto-gram.html . His
article on SHA1 is why I implemented SHA256 and switched over my
applications.
Ron Teitelbaum
> -----Original Message-----
> From: cryptography-bounces at lists.squeakfoundation.org
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On Behalf Of
> Chris Muller
> Sent: Monday, February 13, 2006 3:52 PM
> To: cryptography at lists.squeakfoundation.org
> Subject: [Cryptography Team] Niels Ferguson,Bruce Schneier. "Practical
> Cryptography"
>
> How's everybody doing around here? I wanted to let
> you know, thanks to Tony, Ron, Cees and Matthew's
> feedback I've gone back to the drawing board to
> improve my crypto knowledge.
>
> After having battering-rammed my brain through most of
> Alfred J. Menezes, Paul C. van Oorschot and Scott
> A. Vanstone "Handbook of Applied Cryptography", I
> then picked up Niels Ferguson and Bruce Schneier's
> "Practical Cryptography" last week and have
> practically inhaled the first half of it in one
> breath. So easy and refreshing.
>
> Most of the books and papers I have read to this point
> are from the ivory tower, mostly oblivious to
> real-world practical security issues, especially that
> of human comprehension and error. Worse, even after
> working through some of these difficult papers to get
> one gold "implementation nugget" I then find other
> material that contradicts it! For example, the
> envelope composition issue (MAC-then-encrypt vs.
> encrypt-then-MAC)..
>
> So what's one to do, just give up? That's not an
> option for me, I have to move forward. I spoke with a
> couple of security experts at C5 and they agree with
> Schneier, "Cryptography is hard" and "no one can know
> everything about it." Therefore, at some point, I
> have to choose to trust some information source and go
> with it. I've decided to make it this 2003 book
> because:
>
> 1) everyone, including those on this list, seem to
> acknowledge Schneier as an expert
> 2) the book is written (as it directly claims to be)
> for the purpose of implementing secure crypto systems
> with focus on real issues.
> 3) seems to, more than any other source I've come
> across, acknowledge real-world implementation issues
> regarding crypto; including factoring human-frailty
> into the security equation (i.e., problems such as
> complexity). I like and agree with this philosophy.
>
> This book (purportedly) gives the average
> crytologist-wannabe the advice necessary to implement
> secure protocols.
>
> One idea of the book is to throw away mathematical
> interactions between the crypto primitives that permit
> certain kinds of attacks. Just a few interactions
> between primitives, assuming you're aware of them at
> all, quickly explode into many permutations very
> hard-to-analyze, hard-to-remember, and essentially
> insecure because of the hideous complexity. They
> therefore describe how to implement "ideal" primitives
> that do not suffer from these weaknesses. These
> implementations are typically slower than their
> non-ideal counterparts, but the authors claim the idea
> is to put security first because "there are enough
> fast, insecure systems out there.."
>
> So far, I really like this book and its philosophies.
> Has anyone else read the book?
>
> Cheers,
> Chris
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
More information about the Cryptography
mailing list