Bruce Schneier wrote: |
First, what is a cryptographer? For our purposes, a cryptographer is someone who is active in the field of cryptography: someone who engages in research, writes papers, breaks algorithms and protocols, and sometimes writes his own algorithms and protocols. |
Bruce Schneier wrote: |
Of course, most people who implement cryptography in software and hardware products are not cryptographers. They are implementers of cryptography, security engineers. I find that most people who say they want to be cryptographers actually want to be security engineers. They want to be a person who builds secure systems that use cryptography. This essay is not really for them, although much of the advice is the same. Security engineering requires a strong understanding of cryptography, but it does not require creating new cryptography. |
Bruce Schneier wrote: |
From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today's information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality. It can prevent fraud in electronic commerce and assure the validity of financial transactions. It can prove your identity or protect your anonymity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital.
But the cryptography now on the market doesn't provide the level of security it advertises. Most systems are not designed and implemented in concert with cryptographers, but by engineers who thought of cryptography as just another component. It's not. You can't make systems secure by tacking on cryptography as an afterthought. You have to know what you are doing every step of the way, from conception through installation. |
Quote: |
But reality isn't that simple. Longer keys don't always mean more security. Compare the cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of ten positions. A key sets the pins in a particular configuration. If the key aligns them all correctly, then the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with ten pins, making 10 billion possible keys, probably won't make your house more secure. Burglars don't try every possible key (a brute-force attack); most aren't even clever enough to pick the lock (a cryptographic attack against the algorithm). They smash windows, kick in doors, disguise themselves as policemen, or rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks don't help against these attacks.
Strong cryptography is very powerful when it is done right, but it is not a panacea. Focusing on the cryptographic algorithms while ignoring other aspects of security is like defending your house not by building a fence around it, but by putting an immense stake into the ground and hoping that the adversary runs right into it. Smart attackers will just go around the algorithms. |
mxb wrote: |
History of cryptography:
Crypto - Steven Levy - Another good history book covering modern cryptography, showing how the US Government was trying to keep the lid on it from way back in the DES era.
Books about pen and paper ciphers:
Abraham Sinkov - Elementary cryptanalysis - A more mathematical approach than Gaines' book, but basically the same idea.
Mathematics books:
Implementing cryptography books:
Reference books:
|
JustinT wrote: |
Citeseer is also a great repository for papers on cryptography. DBLP is an excellent bibliographical database for author-searching. You've listed the best ones. MIT's CIS group has a partial list of their publications, as well as the Swiss Federal Institute of Technology's Information Security and Cryptography Research Group. There are various other lists at other universities - many of which can be found by Googling for "cryptography group," both inside and without quotation marks. Several universities also have "information security" in their group name as well, so this may be helpful in finding lesser known lists of publications. |