Niels Ferguson, Bruce Schneier. "Practical Cryptography"

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Niels Ferguson, Bruce Schneier. "Practical Cryptography"

Chris Muller
How's everybody doing around here?  I wanted to let
you know, thanks to Tony, Ron, Cees and Matthew's
feedback I've gone back to the drawing board to
improve my crypto knowledge.

After having battering-rammed my brain through most of
 Alfred J. Menezes,  Paul C. van Oorschot  and  Scott
A. Vanstone  "Handbook of Applied Cryptography", I
then picked up Niels Ferguson and Bruce Schneier's
"Practical Cryptography" last week and have
practically inhaled the first half of it in one
breath.  So easy and refreshing.

Most of the books and papers I have read to this point
are from the ivory tower, mostly oblivious to
real-world practical security issues, especially that
of human comprehension and error.  Worse, even after
working through some of these difficult papers to get
one gold "implementation nugget" I then find other
material that contradicts it!  For example, the
envelope composition issue (MAC-then-encrypt vs.
encrypt-then-MAC)..

So what's one to do, just give up?  That's not an
option for me, I have to move forward.  I spoke with a
couple of security experts at C5 and they agree with
Schneier, "Cryptography is hard" and "no one can know
everything about it."  Therefore, at some point, I
have to choose to trust some information source and go
with it.  I've decided to make it this 2003 book
because:

  1) everyone, including those on this list, seem to
acknowledge Schneier as an expert
  2) the book is written (as it directly claims to be)
for the purpose of implementing secure crypto systems
with focus on real issues.
  3) seems to, more than any other source I've come
across, acknowledge real-world implementation issues
regarding crypto; including factoring human-frailty
into the security equation (i.e., problems such as
complexity).  I like and agree with this philosophy.

This book (purportedly) gives the average
crytologist-wannabe the advice necessary to implement
secure protocols.

One idea of the book is to throw away mathematical
interactions between the crypto primitives that permit
certain kinds of attacks.  Just a few interactions
between primitives, assuming you're aware of them at
all, quickly explode into many permutations very
hard-to-analyze, hard-to-remember, and essentially
insecure because of the hideous complexity.  They
therefore describe how to implement "ideal" primitives
that do not suffer from these weaknesses.  These
implementations are typically slower than their
non-ideal counterparts, but the authors claim the idea
is to put security first because "there are enough
fast, insecure systems out there.."

So far, I really like this book and its philosophies.
Has anyone else read the book?

Cheers,
  Chris
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Niels Ferguson, Bruce Schneier. "Practical Cryptography"

Ron Teitelbaum
Chris,

I agree that if Bruce says something we should listen.  I find his news
letter very informative http://www.schneier.com/crypto-gram.html .  His
article on SHA1 is why I implemented SHA256 and switched over my
applications.

Ron Teitelbaum

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of
> Chris Muller
> Sent: Monday, February 13, 2006 3:52 PM
> To: [hidden email]
> Subject: [Cryptography Team] Niels Ferguson,Bruce Schneier. "Practical
> Cryptography"
>
> How's everybody doing around here?  I wanted to let
> you know, thanks to Tony, Ron, Cees and Matthew's
> feedback I've gone back to the drawing board to
> improve my crypto knowledge.
>
> After having battering-rammed my brain through most of
>  Alfred J. Menezes,  Paul C. van Oorschot  and  Scott
> A. Vanstone  "Handbook of Applied Cryptography", I
> then picked up Niels Ferguson and Bruce Schneier's
> "Practical Cryptography" last week and have
> practically inhaled the first half of it in one
> breath.  So easy and refreshing.
>
> Most of the books and papers I have read to this point
> are from the ivory tower, mostly oblivious to
> real-world practical security issues, especially that
> of human comprehension and error.  Worse, even after
> working through some of these difficult papers to get
> one gold "implementation nugget" I then find other
> material that contradicts it!  For example, the
> envelope composition issue (MAC-then-encrypt vs.
> encrypt-then-MAC)..
>
> So what's one to do, just give up?  That's not an
> option for me, I have to move forward.  I spoke with a
> couple of security experts at C5 and they agree with
> Schneier, "Cryptography is hard" and "no one can know
> everything about it."  Therefore, at some point, I
> have to choose to trust some information source and go
> with it.  I've decided to make it this 2003 book
> because:
>
>   1) everyone, including those on this list, seem to
> acknowledge Schneier as an expert
>   2) the book is written (as it directly claims to be)
> for the purpose of implementing secure crypto systems
> with focus on real issues.
>   3) seems to, more than any other source I've come
> across, acknowledge real-world implementation issues
> regarding crypto; including factoring human-frailty
> into the security equation (i.e., problems such as
> complexity).  I like and agree with this philosophy.
>
> This book (purportedly) gives the average
> crytologist-wannabe the advice necessary to implement
> secure protocols.
>
> One idea of the book is to throw away mathematical
> interactions between the crypto primitives that permit
> certain kinds of attacks.  Just a few interactions
> between primitives, assuming you're aware of them at
> all, quickly explode into many permutations very
> hard-to-analyze, hard-to-remember, and essentially
> insecure because of the hideous complexity.  They
> therefore describe how to implement "ideal" primitives
> that do not suffer from these weaknesses.  These
> implementations are typically slower than their
> non-ideal counterparts, but the authors claim the idea
> is to put security first because "there are enough
> fast, insecure systems out there.."
>
> So far, I really like this book and its philosophies.
> Has anyone else read the book?
>
> Cheers,
>   Chris
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Niels Ferguson, Bruce Schneier. "Practical Cryptography"

Tony Garnock-Jones-2
In reply to this post by Chris Muller
Chris Muller wrote:
> So what's one to do, just give up?  That's not an
> option for me, I have to move forward.  [...] I
> have to choose to trust some information source and go
> with it.  I've decided to make it this 2003 book
> because: [... 3 good reasons ...]

This all sounds good to me! I'll have to get hold of the book.

Cheers,
  Tony

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography