#TripwireBookClub – Serious Cryptography

Image

Welcome to the second installment of #TripwireBookClub, where we look at Serious Cryptography, published by No Starch Press. This was a book I was interested in because I don’t spend a lot of time digging into crypto these days, and the book seemed like a good dive into the topic. Serious Cryptography: A Practical Introduction to Modern Encryption by Jean-Philippe Aumasson looks to provide a complete dive into cryptography for both beginners and experts. The book is broken down into four parts – Fundamentals, Symmetric Crypto, Asymmetric Crypto, and Applications. A quick Google search for JP Aumasson reveals that he’s an expert in this field and incredibly qualified to write this book. One of the things that tends to hold true for tech books is that reading them from cover to cover can sometimes be draining. This held true with this book, as I occasionally found myself waking up with the book on my chest when I tried to read the book sequentially. While I wanted to learn more about cryptography, it’s definitely a dry subject that requires substantial focus. The fact that the chapters were self-contained and the parts of the book were broken down during the introduction allowed me to more easily jump around and read the portions of the book I was interested in when I was interested in reading them. Given the nature of the material, if the book had just built on itself and required start-to-finish reading, it’s unlikely I would have finished, so I have to commend the author for going the direction that he did. Here's what others who read the book with me had to say:

Jean-Philippe Aumasson’s book Serious Cryptography goes into detail explaining how certain aspects of cryptography works. His chapters allowed the readers to figure out how an aspect of cryptography works and then showed how it could be broken. Allowing the reader to see how quickly something could go wrong with cryptography. Serious Cryptography showed that even if cryptography was designed well, a particular implementation of the design could have security implications. I found the most interesting chapter to be Quantum and Post-Quantum because it enables the reader to realize the effect of quantum computing on cryptology. That is if human can break the barrier of being able to produce quantum computers. This chapter explains how quantum computing could potentially break current forms of cryptography without much effort. Jean-Philippe added that there are ways to protect current crypto from the quantum computer. However, Jean-Philippe mentions that some experts argue that quantum computers can happen in about 10 years, while some experts argue that humans may never see a quantum computer.

Rating: 4.1/5

– Andrew Swoboda, Security Researcher, Tripwire

Serious Cryptography is a great introduction to the challenges cryptographers face and how these challenges are overcome. For everything from S-Boxes and elliptic curves to padding oracles and nonce reuse, this book demystifies crypto in mostly plain and easy-to-understand language. Aumasson follows a logical progression through the concepts, allowing readers to gradually build a more comprehensive understanding of the technologies at play. The notable exception to this is the final chapter, dealing with post-quantum crypto, which absolutely left me scratching my head but in a good way. In general, the book strikes a good balance between having too few or too many technical details and is structured in a way that the reader can to some extent pick and choose topics of interest without being entirely lost. My main criticism of the book is that I feel some very interesting topics pertaining to RSA encryption were only mentioned in passing or omitted entirely. Due to the unfortunate prevalence RSA encryption still has on the Internet, I feel that this is an area of extreme importance for anyone studying modern cryptography. I would hope that the next revision of this book will go into more detail on Coppersmith and Bleichenbacher’s attacks on RSA, both of which returned to modern implementations since Serious Cryptography was published (e.g. ROCA and my personal contribution to RSA security, ROBOT). Overall, I would definitely recommend this book to anyone looking to expand their grasp on how crypto works. This book is appropriate for a wide range of audiences. People with little to no background in crypto can drink from the fire hose with this book while those readers with years of practical experience will likely still find that this book fills some gaps in their knowledge base.

Rating: 5/5

– Craig Young, Principal Security Researcher, Tripwire

Cryptography is one of those subjects that you either like a lot or hate a lot. Now, don’t get me wrong, I love the benefits provided by cryptographic technology. But, I just cannot seem to like the technical details underlying crypto---it is just not a topic that I have every enjoyed studying. However, I have to say that of all the documents and books that I have read related to crypto, Serious Cryptography by Jean-Philippe Aumasson is one of the better reads I have come across. Jean-Philippe does a great job introducing the reader to virtually every aspect of modern cryptographic technology. The book does have a good bit of detailed technical information, which is useful for technologists working with crypto, but non-technical readers can skim right over the technical details and still walk away with a good understanding of the why’s and how’s of modern cryptography.

Rating: 4.75/5

– Lane Thames, Senior Security Researcher, Tripwire

At this point, hopefully you’ve made an informed decision surrounding the book and you’re thinking about picking up a copy to give it a read. There’s a lot of good to be said for the book, which is why I would lean toward giving the book at 4.0/5.

Overall Rating: 4.5/5

Image

Join us for our June reading, as we read and discuss Gray Hat Python from No Starch Press. To learn more or get involved, please send a tweet to @tripwirevert.