Practical Cryptography
Product Description
Security is the number one concern for businesses worldwide. The gold standard for attaining security is cryptography because it provides the most reliable tools for storing or transmitting digital information. Written by Niels Ferguson, lead cryptographer for Counterpane, Bruce Schneier's security company, and Bruce Schneier himself, this is the much anticipated follow-up book to Schneier's seminal encyclopedic reference, Applied Cryptography, Second Edition (0-471-11709-9), which has sold more than 150,000 copies.
Niels Ferguson (Amsterdam, Netherlands) is a cryptographic engineer and consultant at Counterpane Internet Security. He has extensive experience in the creation and design of security algorithms, protocols, and multinational security infrastructures. Previously, Ferguson was a cryptographer for DigiCash and CWI. At CWI he developed the first generation of off-line payment protocols. He has published numerous scientific papers.
Bruce Schneier (Minneapolis, MN) is Founder and Chief Technical Officer at Counterpane Internet Security, a managed-security monitoring company. He is also the author of Secrets and Lies: Digital Security in a Networked World (0-471-25311-1).
Product Details
- Amazon Sales Rank: #198252 in Books
- Published on: 2003-04-15
- Original language: English
- Number of items: 1
- Binding: Paperback
- 432 pages
Editorial Reviews
From the Back Cover
Two of the world's top experts in cryptography teach you how to secure your digital future
In today's world, security is a top concern for businesses worldwide. Without a secure computer system, you don't make money, you don't expand, and, bottom line, you don't survive. Cryptography holds great promise as the technology to provide security in cyberspace. Amazingly enough, no literature exists about how to implement cryptography and how to incorporate it into real-world systems. With Practical Cryptography, an author team of international renown provides you with the first hands-on cryptographic product implementation guide, bridging the gap between cryptographic theory and real-world cryptographic applications.
This follow-up guide to the bestselling Applied Cryptography dives in and explains the how-to of cryptography. You'll find discussions on:
- Practical rules for choosing and using cryptographic primitives, from block ciphers to digital signatures
- Implementing cryptographic algorithms and systems in a secure way on today's computers
- A consistent design philosophy to ensure that every part of the system achieves the required security level
- Why security affects every part of the system, and why it has to be a primary goal of the project
- How simple interfaces for cryptographic primitives reduce system complexity and increase system security
About the Author
NIELS FERGUSON is a cryptographic engineer and consultant. He has extensive experience in the design and implementation of cryptographic algorithms, protocols, and large-scale security infrastructures. Previously, Ferguson was a cryptographer for DigiCash and CWI, and he worked closely with Bruce Schneier at Counterpane Internet Security. He has published numerous scientific papers.
BRUCE SCHNEIER is founder and chief technical officer at Counterpane Internet Security, a managed-security monitoring company. A world-renowned scientist, security expert, and lecturer, he is the author of Secrets and Lies: Digital Security in a Networked World and Applied Cryptography (both from Wiley).
Excerpted from Practical Cryptography by Ferguson. Copyright © 2003. Reprinted by permission. All rights reserved.
CHAPTER 1 OUR DESIGN PHILOSOPHY
This book is about security: about how to build secure cryptographic systems. In this book, we are fanatical about security. There is a good reason for this. In all our years of working in this field, we have yet to see an entire system that is secure. That’s right. Every system we have analyzed has been broken in one way or another. There are always a few components that are good, but they invariably get used in insecure ways.
If we as a society want to secure our digital future, we will all need to shape up and do better. It is our hope that this book can contribute to that.
This book gives you a great deal of practical information about cryptographic systems, but none of that matters unless we can convince you that security is important enough to do right. Doing it right means being ruthless in many other areas. This will be hard to adjust to. It took us many years to become ruthless enough. There is no point in having just a bit of security. That is like putting up half a fence around a yard, or locking only your front door and leaving your back door wide open. Security is a system property you cannot compromise on. One hole in the fence is all it takes. So everything else has to give way to create enough room for security. From experience, we know that this is a tough sell in the IT industry. Yet it will have to be done if we want to be safe in our digital world.
The Evils of Performance
The bridge over the Firth of Forth in Scotland has to be seen to be believed. A 19th century engineering marvel, it is mind-numbingly large (and therefore expensive) compared to the trains that cross it. It is so incredibly overengineered it is hard to believe your eyes. Yet the designers did the right thing. They were confronted with a problem they had not solved successfully before: building a large steel bridge. They did an astoundingly good job. They succeeded spectacularly; their bridge is still in use today over a century later. That’s what good engineering looks like.
Over the years, bridge designers have learned how to build such bridges much more cheaply and efficiently. But the first priority is always to get a bridge that is safe and that works. Efficiency, in the form of reducing cost, is a secondary issue.
We have reversed these priorities in computer security. The primary design objective all too often includes very strict efficiency demands. The first priority is always speed, even in areas where speed is not important. This leads to security cost-cutting, and security is an area of engineering where we really don’t have the skills to build a good system even if we are given an unlimited budget. The result is invariably a system that is somewhat efficient, and inevitably a system that is not secure.
There is another side to the Firth of Forth bridge story. In 1878, Thomas Bouch completed the then-longest bridge in the world across the Firth of Tay at Dundee. Bouch used a new design combining cast iron and wrought iron, and the bridge was considered to be an engineering marvel. On the night of December 28, 1879, less than two years later, the bridge collapsed in a heavy storm as a train with 75 people on board crossed the bridge. All perished. It was the major engineering disaster of the time.¹ So when the Firth of Forth bridge was designed a few years later, the designers put in a lot more steel, not only to make the bridge safe but also to make it look safe to the public.
¹ William McGonagall wrote a famous poem about it, ending with the lines For the stronger we our houses do build/The less chance we have of being killed. Advice that is still highly relevant today.
We all know that engineers will sometimes get a design wrong, especially when they do something new. And when they get it wrong sometimes people are killed. But here is a good lesson from Victorian engineers: if it fails, back off and become more conservative. The computer industry has forgotten this lesson. When we have very serious security failures in our computer systems, and we have them every week or so, we just plod along, accepting it as if it were fate. We don’t go back to the drawing board and design something more conservative. We just keep throwing a few patches out and hoping this will solve the problem. That is disgraceful.
By now it will be quite clear to you that we will choose security over efficiency any time. How much CPU time are we willing to spend on security? Almost all of it. We wouldn’t care if 90% of our CPU cycles were spent on a reliable security system. The lack of computer security is a real hindrance to us, and to most users. That is why people still have to send pieces of paper around with signatures, and why they have to worry about viruses and other attacks on our computer. Digital crooks of the future will know much more and be much better equipped, and computer security will become a larger and larger problem. We have only seen the very beginning of the digital crime wave. If we want to keep using the Internet for business transactions, we will have to secure our computers much better.
There are of course many ways of achieving security. But as Bruce extensively documented in Secrets and Lies, good security is always a mixture of prevention, detection, and response [7]. The role for cryptography is in the prevention part....
Customer Reviews
Cookbook cryptography
A successor, but not a replacement, for Schneier's renowned Applied Cryptography. Instead of that book's comprehensive approach, with descriptions of a multiplicity of techniques and algorithms, Practical Cryptography tends towards the opposite extreme, usually listing only one way to perform any task. Pseudocode is used to explain most algorithms. In some cases, readers are referred elsewhere for details (almost always available on the web). The authors go out of their way to keep the mathematics in explanations to a minimum: the maths is most apparent, as would be expected, in the section on public key cryptography. One or two implementation details, and the PRNG described, are previously unpublished (therefore less well tested?).
In general, Ferguson and Schneier's rather didactic approach works here, though occasionally I was left wishing for more detail. This book would most suit a programmer without much previous experience of cryptography, who needs to gain a working knowledge of cryptography without needing to wade through too much theory.
Practical, Real-world cryptography.
This book really does convey what practical cryptography is all about. Bruce and Niels' hard-won experience of implementing cryptography shines through as they discuss not only different ways of implementing systems but take the reader through their reasoning for why one is more favourable than another. They assert that programming cryptographic systems requires a different mindset from conventional programming, and explain why. Using the classic Alice and Bob model they take the reader through the steps required to set up a secure channel, despite Eve reading all the messages. This book could be the course text for a degree module in cryptography. It doesn't cover all the necessary nitty-gritty of algorithms (there are plenty of books that do that); rather, it gives the reader a framework for thinking about and implementing practical cryptographic systems.
Very nice.
This book is excellent for anyone interested in cryptography. It gives coverage of a wide range of cryptographic topics, and is very easy to understand. 'Practical Cryptography' is a perfect partner with 'Applied Cryptography' - the former discusses the inner working of cryptographic systems and the latter, whilst giving some information on cryptographic theory, is more orientated on implementation choices. 4 Stars.



