How's everybody doing around here? I wanted to let you know, thanks to Tony, Ron, Cees and Matthew's feedback I've gone back to the drawing board to improve my crypto knowledge.

After having battering-rammed my brain through most of Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone "Handbook of Applied Cryptography", I then picked up Niels Ferguson and Bruce Schneier's "Practical Cryptography" last week and have practically inhaled the first half of it in one breath. So easy and refreshing.

Most of the books and papers I have read to this point are from the ivory tower, mostly oblivious to real-world practical security issues, especially that of human comprehension and error. Worse, even after working through some of these difficult papers to get one gold "implementation nugget" I then find other material that contradicts it! For example, the envelope composition issue (MAC-then-encrypt vs. encrypt-then-MAC)..

So what's one to do, just give up? That's not an option for me, I have to move forward. I spoke with a couple of security experts at C5 and they agree with Schneier, "Cryptography is hard" and "no one can know everything about it." Therefore, at some point, I have to choose to trust some information source and go with it. I've decided to make it this 2003 book because:

1) everyone, including those on this list, seems to acknowledge Schneier as an expert
2) the book is written (as it directly claims to be) for the purpose of implementing secure crypto systems with focus on real issues.
3) seems to, more than any other source I've come across, acknowledge real-world implementation issues regarding crypto; including factoring human-frailty into the security equation (i.e., problems such as complexity). I like and agree with this philosophy.

This book (purportedly) gives the average cryptologist-wannabe the advice necessary to implement secure protocols.

One idea of the book is to throw away mathematical interactions between the crypto primitives that permit certain kinds of attacks. Just a few interactions between primitives, assuming you're aware of them at all, quickly explode into many permutations very hard-to-analyze, hard-to-remember, and essentially insecure because of the hideous complexity. They therefore describe how to implement "ideal" primitives that do not suffer from these weaknesses. These implementations are typically slower than their non-ideal counterparts, but the authors claim the idea is to put security first because "there are enough fast, insecure systems out there.."

So far, I really like this book and its philosophies. Has anyone else read the book?

Cheers,
  Chris
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

Chris,

I agree that if Bruce says something we should listen. I find his newsletter very informative: http://www.schneier.com/crypto-gram.html

His article on SHA1 is why I implemented SHA256 and switched over my applications.

Ron Teitelbaum

> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Chris Muller
> Sent: Monday, February 13, 2006 3:52 PM
> To: [hidden email]
> Subject: [Cryptography Team] Niels Ferguson,Bruce Schneier. "Practical
> Cryptography"
>
> How's everybody doing around here? I wanted to let
> you know, thanks to Tony, Ron, Cees and Matthew's
> feedback I've gone back to the drawing board to
> improve my crypto knowledge.
>
> After having battering-rammed my brain through most of
> Alfred J. Menezes, Paul C. van Oorschot and Scott
> A. Vanstone "Handbook of Applied Cryptography", I
> then picked up Niels Ferguson and Bruce Schneier's
> "Practical Cryptography" last week and have
> practically inhaled the first half of it in one
> breath. So easy and refreshing.
>
> Most of the books and papers I have read to this point
> are from the ivory tower, mostly oblivious to
> real-world practical security issues, especially that
> of human comprehension and error. Worse, even after
> working through some of these difficult papers to get
> one gold "implementation nugget" I then find other
> material that contradicts it! For example, the
> envelope composition issue (MAC-then-encrypt vs.
> encrypt-then-MAC)..
>
> So what's one to do, just give up? That's not an
> option for me, I have to move forward. I spoke with a
> couple of security experts at C5 and they agree with
> Schneier, "Cryptography is hard" and "no one can know
> everything about it." Therefore, at some point, I
> have to choose to trust some information source and go
> with it. I've decided to make it this 2003 book
> because:
>
> 1) everyone, including those on this list, seems to
> acknowledge Schneier as an expert
> 2) the book is written (as it directly claims to be)
> for the purpose of implementing secure crypto systems
> with focus on real issues.
> 3) seems to, more than any other source I've come
> across, acknowledge real-world implementation issues
> regarding crypto; including factoring human-frailty
> into the security equation (i.e., problems such as
> complexity). I like and agree with this philosophy.
>
> This book (purportedly) gives the average
> cryptologist-wannabe the advice necessary to implement
> secure protocols.
>
> One idea of the book is to throw away mathematical
> interactions between the crypto primitives that permit
> certain kinds of attacks. Just a few interactions
> between primitives, assuming you're aware of them at
> all, quickly explode into many permutations very
> hard-to-analyze, hard-to-remember, and essentially
> insecure because of the hideous complexity. They
> therefore describe how to implement "ideal" primitives
> that do not suffer from these weaknesses. These
> implementations are typically slower than their
> non-ideal counterparts, but the authors claim the idea
> is to put security first because "there are enough
> fast, insecure systems out there.."
>
> So far, I really like this book and its philosophies.
> Has anyone else read the book?
>
> Cheers,
> Chris

In reply to this post by Chris Muller
Chris Muller wrote:
> So what's one to do, just give up? That's not an
> option for me, I have to move forward. [...] I
> have to choose to trust some information source and go
> with it. I've decided to make it this 2003 book
> because: [... 3 good reasons ...]

This all sounds good to me! I'll have to get hold of the book.

Cheers,
  Tony