How's everybody doing around here? I wanted to let
you know, thanks to Tony, Ron, Cees and Matthew's
feedback I've gone back to the drawing board to
improve my crypto knowledge.
After having battering-rammed my brain through most of
Alfred J. Menezes, Paul C. van Oorschot and Scott
A. Vanstone's "Handbook of Applied Cryptography", I
then picked up Niels Ferguson and Bruce Schneier's
"Practical Cryptography" last week and have
practically inhaled the first half of it in one
breath. So easy and refreshing.
Most of the books and papers I have read to this point
are from the ivory tower, mostly oblivious to
real-world practical security issues, especially that
of human comprehension and error. Worse, even after
working through some of these difficult papers to get
one gold "implementation nugget" I then find other
material that contradicts it! For example, the
envelope composition issue (MAC-then-encrypt vs.
So what's one to do, just give up? That's not an
option for me, I have to move forward. I spoke with a
couple of security experts at C5 and they agree with
Schneier, "Cryptography is hard" and "no one can know
everything about it." Therefore, at some point, I
have to choose to trust some information source and go
with it. I've decided to make it this 2003 book
1) everyone, including those on this list, seems to
acknowledge Schneier as an expert
2) the book is written (as it directly claims to be)
for the purpose of implementing secure crypto systems
with focus on real issues.
3) seems to, more than any other source I've come
across, acknowledge real-world implementation issues
regarding crypto, including factoring human frailty
into the security equation (i.e., problems such as
complexity). I like and agree with this philosophy.
This book (purportedly) gives the average
cryptologist-wannabe the advice necessary to implement
One idea of the book is to throw away mathematical
interactions between the crypto primitives that permit
certain kinds of attacks. Just a few interactions
between primitives, assuming you're aware of them at
all, quickly explode into many permutations that are
very hard to analyze, hard to remember, and essentially
insecure because of the hideous complexity. They
therefore describe how to implement "ideal" primitives
that do not suffer from these weaknesses. These
implementations are typically slower than their
non-ideal counterparts, but the authors claim the idea
is to put security first because "there are enough
fast, insecure systems out there..."
So far, I really like this book and its philosophies.
Has anyone else read the book?
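As an added illustration (not from the post or from the book), here is the "no interactions between primitives" idea applied to the envelope composition question the post raises: one side of that comparison, encrypt-then-MAC, with the encryption and MAC keys derived independently from one master key, and the tag checked before any ciphertext reaches the decryptor. It uses only the Python standard library; since that has no AES, the stream cipher is a constructed stand-in (HMAC-SHA256 as a PRF in counter mode), and the 16-byte nonce and 32-byte tag sizes are assumptions.

```python
import hashlib
import hmac
from typing import Optional, Tuple

NONCE_LEN = 16  # assumed nonce size for this demo
TAG_LEN = 32    # HMAC-SHA256 output size


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key.
    Labelling each derivation by purpose keeps the two primitives from
    sharing key material, so they cannot interact through it."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed demo keystream: HMAC-SHA256 as a PRF in counter mode.
    Stands in for AES-CTR because the standard library has no AES."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    enc_key, mac_key = derive_keys(master)
    ks = keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_envelope(master: bytes, envelope: bytes) -> Optional[bytes]:
    """Verify first, decrypt second. Returns None on any failure so the
    caller never sees plaintext derived from unauthenticated bytes."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = (envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN],
                      envelope[-TAG_LEN:])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    ks = keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```

A flipped bit anywhere in the nonce, ciphertext or tag is rejected before decryption runs, which is the property the MAC-then-encrypt ordering does not give you for free.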