Reddit reviews Applied Cryptography: Protocols, Algorithms, and Source Code in C
We found 28 Reddit comments about Applied Cryptography: Protocols, Algorithms, and Source Code in C. Here are the top ones, ranked by their Reddit score.
applied cryptography
Thank you all for your responses! I have compiled a list of books mentioned by at least three different people below. Since some books have abbreviations (SICP) or colloquial names (Dragon Book), not to mention the occasional omission of a starting "a" or "the" this was done by hand and as a result it may contain errors.
edit: This list is now books mentioned by at least three people (was two) and contains posts up to icepack's.
edit: Updated with links to Amazon.com. These are not affiliate - Amazon was picked because they provide the most uniform way to compare books.
edit: Updated up to redline6561
Here is a "curriculum" of sorts I would suggest, as it's fairly close to how I learned:
Generally you'll probably want to look into IA-32 and the best starting point is the Intel Architecture manual itself, the .pdf can be found here (pdf link).
Because of the depth of that .pdf I would suggest using it mainly as a reference guide while studying "Computer Systems: A Programmers Perspective" and "Secrets of Reverse Engineering".
Of course if you just want to do "pentesting/vuln assessment" in which you rely more on toolsets (for example, Nmap>Nessus>Metasploit) structured around a methodology/framework than you may want to look into one of the PACKT books on Kali or backtrack, get familiar with the tools you will use such as Nmap and Wireshark, and learn basic Networking (a simple CompTIA Networking+ book will be a good enough start). I personally did not go this route nor would I recommend it as it generally shys away from the foundations and seems to me to be settling for becoming comfortable with tools that abstract you from the real "meat" of exploitation and all the things that make NetSec great, fun and challenging in the first place. But everyone is different and it's really more of a personal choice. (By the way, I'm not suggesting this is "lame" or anything, it was just not for me.)
*edited a name out
I liked Applied Cryptography by Bruce Schneier. Easy read.
Link
this should keep you busy for awhile.
Cough...
Actually, maybe that's why my relationships max out at two years.
Applied Cryptography might be useful to you.
That book is probably what you want. It looks like it focuses more on math and how it applies to cryptography rather than on crypto algorithms and how they work, pros/cons, etc. It was also used in this math class at Berkeley (lots of extra reading material on that page too).
Again, I think the book you found is what you want. But here are some other options if you want some:
Schneier's Applied Cryptography can be difficult to get through, but it is a really good book to spot read / keep as a reference.
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099
I'd also start reading blogs to get into the security mindset. Schneier on Security, Krebs, the podcasts that have been mentioned by other posts. They often have really good archives, too.
Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier. Bruce Schneier is basically the Chuck Norris of Information Assurance. The book is old and many of the technical details about cryptography are out of date, but it's still probably the best introduction to the subject.
Bruce Schneier is Chief Security Technology Officer of British Telecom, one of the world's leading security experts and a very vocal advocate of strong security practices that benefit common people. He's published his crypto-gram newsletter since 1998, which is translated into several different languages, and published several books on the topic, including Applied Cryptography. If anyone is qualified to give testimony to Congress on the subject of technical measures to ensure airport security, it's this man.
Applied Cryptography is considered one of the best introductions.
This does not make sense to me.
> The Public keys will be base 36 numbers ranging from 00000 (0) to ZZZZZ (60,466,176).
As nsa_at_home points out, the key representation normally has nothing to do with the actual key. Cryptographers will represent things in binary as a convenient standard; you'd say "I want a key with at least 23.5 bits of entropy", say. It's very, very easy to represent a key with N bits of entropy in any form you want, which sounds to be your goal; in this case, you'd take a number in base 2 and just convert it to a number in base 36.
For most purposes, your keyspace is not large enough. Say encryption has a cost of N. That means that brute-forcing your entire keyspace only costs about 60 million times that much. If you want a signing operation to be reasonable on a computer, you probably can't blow more than, oh, say, let's say a second on it for most applications that I can think of. If I'm willing to brute force for a day, I've already covered 1/700th of the keyspace. If I get 700 computers, I've broken your encryption.
Your key has ~25.8 bits of entropy. ln(36\^5)/ln(2). A typical RSA pubkey in practical use today might have a key length of 2048 bits, to give you an idea of what you might want to shoot for.
> The Private Keys need to be originally derived from the public keys mathematically (or Vice Versa)
This makes no sense. The point of public/private key encryption is that the person who has the public key cannot derive the private key; this property means that you can give out the public key without needing to worry about anyone using the public key being able to decode messages others have encoded and sent to use using the public key.
If you don't care about this property, you would be using symmetric encryption, not pub/privkey encryption.
> The Private Keys need to be completely different yet within the same number range (0 - 60466176) without being guessable (ex: very complicated and possibly irreversible).
Now I'm really lost. A key isn't "reversible"; a process is. You can't run a key backwards; it's just a number.
The only other pieces of information out there that it might be deducible from would be the pubkey (and you've already specified that you want the privkey to be derivable from the pubkey, which doesn't make sense either, so that's already reversible) and a known-plaintext attack on the ciphertext (and as I point out above, for most practical uses, your mandated key length is so short that it probably is derivable from the ciphertext for most practical applications).
I'm not an expert here but I've picked up interest in the last 3 months and have been pouring through a lot of online resources related to Cryptography and coding. Here's some of what I've been working with:
Hacking Secret Cipher with Python: http://inventwithpython.com/hacking/
> Great hands on book teaching you about various types of ciphers, how they work, how to break them. If you don't know much coding, that's still okay for this book, you learn some of the Python basics.
Applied Cryptography
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1?s=books&ie=UTF8&qid=1394549623&sr=1-1&keywords=applied+cryptography
> Great book, essentially a cryptographers bible. I got the latest edition on Ebay for $20 total, nearly brand new, so it's cheaper than Amazon
Online course in Cryptography by Dan Boneh - standford
https://class.coursera.org/crypto-preview/lecture
> I'm halfway through this course and I'm loving it. I would be done by now but I've been busy the past couple of weeks.
That first resource is great and really easy to follow. It'll give a nice foundation for computer cryptography. I was able to get through it in a little over a week.
I made a similar jump, IT to Security Analyst.
I spun up a home lab in vmware with Kali, metasploitable, splunk, pfsense and security onion (for snorby).
I read a couple books:
Network Intrusion Detection:
https://www.amazon.com/gp/aw/d/0735712654
Applied Cryptography:
https://www.amazon.com/gp/aw/d/0471117099
Between this and diving into security centered news sites I went from 0 to (what felt like 60) in about 3 months. I was picked up as a security analyst for a pretty solid tech company.
All the credit goes to Applied Cryptography
One of the "bibles":
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=sr_1_1?ie=UTF8&s=books&qid=1256702627&sr=1-1
I read a bit of it, some great insights.
For what it's worth, cryptography is famously hard to get right and I would strongly recommend that you use existing crypto software if you are actually trying to secure your computer.
That said, if you're interested in coding and want to learn more about encryption just for fun, you should check out the Matasano Crypto Challenges. They teach you about the fundamentals of cryptography by having you build a bunch of ciphers and then break them.
If you're looking into doing this more professionally, I've been told that Cryptography Engineering and Applied Cryptography are some good resources, though I haven't read them myself.
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099
Applied Cryptology is the text you want.
Oi. Disclaimer: I haven't bought a book in the field in a while, so there might be some new greats that I'm not familiar with. Also, I'm old and have no memory, so I may very well have forgotten some greats. But here is what I can recommend.
I got my start with Koblitz's Course in Number Theory and Cryptography and Schneier's Applied Cryptography. Schneier's is a bit basic, outdated, and erroneous in spots, and the guy is annoying as fuck, but it's still a pretty darned good intro to the field.
If you're strong at math (and computation and complexity theory) then Oded Goldreich's Foundations of Cryptography Volume 1 and Volume 2 are outstanding. If you're not so strong in those areas, you may want to come up to speed with the help of Sipser and Moret first.
Also, if you need to shore up your number theory and algebra, Victor Shoup is the man.
At this point, you ought to have a pretty good base for building on by reading research papers.
One other note, two books that I've not looked at but are written by people I really respect Introduction to Modern Cryptography by Katz and Lindell and Computational Complexity: A Modern Approach by Arora and Barak.
Hope that helps.
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099
The ever-excellent Khan Academy has produced a very nice and short series of videos explaining how cryptography works. Anyone who understands basic high school arithmetic can follow this. If you have ever been interested in the science of codes, ciphers, breaking them, etc. this is worth a look:
http://www.khanacademy.org/science/brit-cruise/cryptography
More in-depth treatments of cryptography can be found here:
https://www.coursera.org/course/crypto
and here:
http://www.youtube.com/playlist?list=PL71FE85723FD414D7&feature=plcp
And for the truly hard-core some of best books on crypto are:
http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Edition/dp/0471117099/ref=sr_1_1?s=books&ie=UTF8&qid=1340524661&sr=1-1&keywords=applied+cryptography
and
http://www.amazon.com/Practical-Cryptography-Niels-Ferguson/dp/0471223573/ref=sr_1_1?s=books&ie=UTF8&qid=1340524712&sr=1-1&keywords=practical+cryptography
and
http://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246/ref=sr_1_2?s=books&ie=UTF8&qid=1340524751&sr=1-2&keywords=practical+cryptography
> Suppose the voting machine stores...
No, this isn't how cryptography is used for voting (or can be used) as far as I recall. Recommended read: https://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099 :) I haven't taken much interest into secure voting apart from what I have read in this excellent book. I think it's a great starting point for any serious thinking about this topic.
I suck at explaining myself. For example, the second serial number I mentioned isn't for YOU and is not meant to prove anything but act as a "fake" (but verifiable) one you can present to blackmailer. I failed to explain even that properly.
As a side note, you make many assumptions about the voting process. For example, where I live you cannot get a duplicate voting card because this means messing with results easier so a photo would indeed be a proof etc. This is a detail though because I think you have much stricter expectations of a cryptographic system than you have of a physical one as if the latter couldn't be tampered with (they are!).
I think I'm not qualified for this discussion simply because cryptography isn't my specialization, esp. in this context. But thank you so much for sharing your thoughts.
If you "didn't mean Reddit.com" you shouldn't have said "a site like Reddit".
Anyway, no, what we have isn't "secure," but it at least (most places) has a paper trail. Any sort of internet voting system, however, would be less - far less - secure and far more gameable. No system running over the internet can be secure - at least, none that you can then give access to, well, everybody.
See Bruce Schneier's website - the man who literally wrote the book on cryptography.
Oh Bruce, how I love thee.
Get a copy of Bruce Scheier's Applied Cryptography, there is plenty of stuff in there that's accessable even without a strict mathematical background. Most (if not all) of the algorithms in the book are explained with an example setup using Alice and Bob (and other characters) to explain the steps of the algorithms.
It also has extensive chapters on modern stream- og blockcifers, which may be somewhat harder to dig into as a novice.
Note that it does not comtain any material on the Advanced Encryption Standard (AES), since it was written before that was adopted.
Ok, it's good a question. I loved cryptography learned bitcoin. But i recommended this book!
And if you suck at math i recommended write a code with existing crypto-libs (on python,go,cpp etc....)
Yes and no. A minimal keyspace password is still a problem but I covered that in a previous post. It's up to the engineer and the user to expand on that, not the hash. Or you have to go with lunatic 1s hash stuff which just creates it's own problems as you've pointed out - I believe there's better novel approaches to making sure more entropy is captured from the user.
Quick mention about rainbow tables; The input keyspace of any password is relatively small, which is why rainbow tables on unsalted hashs are the cheapest attack, but once you salt the password, it's impossible to predict where in the expanded hash keyspace the collision will occur, thus the whole keyspace of the hash is relevant.
You'd have to have a rainbow table for every salt (presuming another 1KiB) and for the common keyspace for user passwords. Using xkcd's easy example of 28bits entropy, that's still 8000^28 entries, so (8000^28 )*(10[pw]+1000[key]+1000[salt])bytes aka 3.888 x 10 ^112 bytes - ie. not feasible.
Which brings us back to brute forcing taking longer than the universe is old.
So entropy is the key and bring us back to xkcd... again. Educate users to make better passwords or provide better ways of capturing entropy like patterns, colours, picture (key files) and puzzles.
If you're really into the subject, go read Applied Cryptography. It'll better explain the situation than I! :D
edit: for superscripts going crazy and refocus the point.