19

I like Applied Cryptography, and I am returning to cryptography after a while. So I am wondering if that book is up to date or can be complemented with other references.

I am looking for a book, authoritative, well documented. Possibly including code.

I would prefer to have a book as a reference, instead of asking naive questions to the community for something I could find in a book like Schneier’s. I wish to ask the community for help understanding what’s in the book or ask for help on specific real world problems.

I have a background in cryptography, number theory, data, and coding.


kelalaka
user7338039

2 Answers

17

The Applied Cryptography Second Edition goes back to 1996. Although there is a 20th-anniversary edition, 2015, it is not updated as one thought. If you look for Schneier's style, you may look at the

There is also another nice practical book by Jean-Philippe Aumasson

And another one by David Wong, as pointed out by SAI Peregrinus

All three books are good for one to understand the cryptographic techniques at work in common tools, frameworks, and protocols. This will help to make excellent security choices for systems and applications. They are especially good for engineers and IT.

kelalaka
5

Well, you asked for a reference, and that's what Applied Cryptography (AC) is. But you also mentioned real world problems, so note that if you're going to actually do anything, a reference book will not tell you what to do, and how to do it, it will just give a pile of parts and a box of tools and leave the responsibility to you. Given we're talking cryptography, that's a somewhat important point, not because you might hurt yourself building a shed with those parts, but because you may well leave an invisible gaping hole in the bottom letting anyone sneak in.

Regarding AC in particular, Schneier has himself stated that the approach of AC was in hindsight not the best. The preface to his later book, Cryptography Engineering, states:

"But such books are also one step removed from the needs of cryptography and security engineers in practice. Cryptography and security engineers need to know more than how current cryptographic protocols work; they need to know how to use cryptography."

There's even a stronger phrasing, referred to and accepted as true by Schneier in his blog (Cryptography Engineering is an updated version of Practical Cryptography):

"But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem."

Even as a reference, AC is almost 25 years old now, counting from the second edition published in 1996. It predates AES by 5 years, and accordingly spends a full chapter on the Data Encryption Standard (DES). Obviously, it is also missing such things as elliptic curve cryptography (ECC) and AEAD encryption modes, etc. Of course, Cryptography Engineering isn't much of a reference at all, it describes real-world issues and one design, but only mentions other subjects like RSA padding or GCM in passing.

As Matthew Green puts it,

"you should [own a copy], if only to be awed by Bruce’s knowledge of bizarre, historical ciphers and all of the ways they’ve been broken."

but of course also that:

"Unfortunately, some readers, abetted by Bruce’s detailed explanations and convenient source code examples, felt that they were now ready to implement crypto professionally. Inevitably their code made its way into commercial products, which shipped full of horribly ridiculous, broken crypto implementations."

And those aren't the only commentators with a similar tone, so be careful with it.

ilkkachu