[tahoe-dev] in praise of "Practical Cryptography"
zooko
zooko at zooko.com
Mon Dec 17 05:11:54 PST 2007
Folks:
"Practical Cryptography" [1] is an excellent book in two ways. It is
simultaneously the easiest introduction to the theory of cryptography
for someone who (like me) started with little of the relevant math
background, and it is the only book on practical cryptography.
Fortunately, it does an excellent job of covering that topic. (Ross
Anderson's "Security Engineering" is another book about practical
security engineering, but its scope is much wider than cryptography,
so it omits many important aspects of practical cryptography that
this book covers.)
One caveat is that "Practical Cryptography" is narrowly focussed
within the realm of theory while being widely focussed within the
realm of practice. They basically set out to design their own secure
transport layer (like SSL), from the ground up, while documenting the
process in extensive detail. This means, for example, that they do
not mention crypto algorithms unless they chose that algorithm for
their final design (SHA-256, AES-256, CTR mode, Diffie-Hellman,
HMAC), they seriously considered it before rejecting it (Twofish,
UMAC), or it is an older and worse algorithm that serves to highlight
the advantages of the modern replacement (SHA-1, DES, CBC mode, CBC-MAC).
On the other hand, they cover many details which are rarely treated
in books but which can be critical in practice: side-channel attacks,
speed of arithmetic computations, how to guarantee message ordering,
how to automatically detect bugs in your long-integer math library
(using the charmingly named technique of "wooping"), the interactions
between crypto algorithms, the all-important topic of key management,
etc., etc.
Here are a few specific parts of this book to which I would like to
draw your attention, especially if you are my crypto design partner,
Brian.
* philosophy, s. 2.2, s. 2.3, s. 3.9
* birthday attacks and meet-in-the-middle attacks, s. 3.6
* security level, s. 3.7
* how to use hash functions, s. 6.1, s. 6.3, s. 6.4, s. 6.5
* how to use PRNGs, s. 10.1.13
These sections offer a few concrete suggestions that we could use in
tahoe v0.8.0: use AES-256, use SHAd-256 instead of just SHA-256, read
32 bytes from /dev/random at startup and use it to seed your PRNG,
and perhaps a few more ideas.
Disclosure: the primary author of "Practical Cryptography", Niels
Ferguson, is a personal friend. I worked with him years ago at
DigiCash, and learned a lot from him then. Now that I've read this
book I've learned more. He also made a comment about the tahoe
project that I posted to this mailing list [2].
Regards,
Zooko
[1] http://www.amazon.com/Practical-Cryptography-Niels-Ferguson/dp/0471223573
[2] http://allmydata.org/pipermail/tahoe-dev/2007-September/000130.html
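As an added illustration of two of the concrete suggestions in the message above (SHAd-256 in place of plain SHA-256, and seeding a PRNG from 32 bytes of OS entropy at startup), here is a small Python example. It is not code from the Tahoe project or from the book; the generator construction (SHAd-256 over seed and counter) is an assumed, illustrative design rather than the book's Fortuna, and os.urandom is used as the portable way to read the operating system's entropy source.

```python
"""SHAd-256 and a seeded generator: added example, not Tahoe or book code."""
import hashlib
import os
import struct


def shad256(data: bytes) -> bytes:
    """SHAd-256: SHA-256 applied twice, SHA-256(SHA-256(m)).

    The outer application means the value handed out is not the raw
    Merkle-Damgard chaining state of the inner hash, which is the
    property the book relies on when it recommends SHAd-256.
    """
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


class HashCounterPRNG:
    """Deterministic generator keyed from a 32-byte seed (assumed design).

    Output block i is SHAd-256(seed || i) with i as a 64-bit big-endian
    counter; the seed itself is never emitted. This is an illustrative
    construction, not the Fortuna generator the book describes.
    """

    def __init__(self, seed: bytes) -> None:
        if len(seed) != 32:
            raise ValueError("seed must be exactly 32 bytes")
        self._seed = seed
        self._counter = 0

    def random_bytes(self, n: int) -> bytes:
        """Return n pseudo-random bytes, advancing the counter per block."""
        out = bytearray()
        while len(out) < n:
            block = shad256(self._seed + struct.pack(">Q", self._counter))
            self._counter += 1
            out.extend(block)
        return bytes(out[:n])


def seeded_from_os() -> HashCounterPRNG:
    """Seed the generator once at startup from the OS entropy source.

    The message suggests reading 32 bytes from /dev/random; os.urandom is
    the portable call that reads the OS entropy pool on any platform.
    """
    return HashCounterPRNG(os.urandom(32))


if __name__ == "__main__":
    print(shad256(b"abc").hex())
    print(seeded_from_os().random_bytes(16).hex())
```

The seeding step is the part that matters operationally: a generator seeded from a fixed or low-entropy value produces the same output on every run, as the determinism of `HashCounterPRNG` with a fixed seed shows, which is exactly why the seed must come from the OS entropy source.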