Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Review: Practical Cryptography corrects Applied Cryptography's faults

Practical Cryptography prescribes solutions for a good crypto-system, with more analysis than Applied Cryptography provided, Bianco explains.

Many consider Bruce Schneier's Applied Cryptography to be the quintessential crypto text, providing copious implementation details for an expansive list of protocols and algorithms. Yes, it's packed with exhaustive amounts of information, but little analysis or examples. This leads many of its readers to implement poorly constructed crypto-security systems, a classic example of too much information being a dangerous thing.

Schneier and coauthor Niels Ferguson correct these shortcomings in Practical Cryptography.

This isn't a book about programming; it's about giving readers the pieces of a good crypto-system and showing how to properly use them. Schneier and Ferguson approach cryptography from a down-and-dirty engineering level, working from the basic requirement that a good system should provide -- at a minimum -- a 128-bit security level. This means that an attacker would have to perform about 2128 steps to break the system. It turns out that a cipher with a 128-bit key will usually only yield about 264 bits of security.

Rather than bewildering readers with a smorgasbord of algorithms, protocols and techniques, Schneier and Ferguson present a few robust, versatile solutions in each category. For example, their discussion of block ciphers covers DES, AES, Serpent and Twofish algorithms, and includes detailed explanations of their pros and cons. Most of the book is written in this fashion: Give readers clear information for making intelligent choices.

Cryptography is hard to get right, but that's not the only problem. Developers also have a tendency to use it as a security panacea. Practical Cryptography pokes several holes in this fallacy. As the authors repeatedly point out, application security is only as good as its weakest link. Developers must consider the system as a whole, and see how each component contributes or detracts from an application's security goals. For example, it can sometimes be incredibly difficult just to wipe sensitive data from RAM. The authors cite the case of someone who discovered that his computer was retaining data in memory while the system was powered off.

Good security depends on the complex interplay of many components, some of which will undoubtedly be out of the system architect's control. Schneier's and Ferguson's advice: plan accordingly.

Just as cryptography isn't a security silver bullet, Schneier and Ferguson admit that Practical Cryptography isn't a cure to the ills that followed Applied Cryptography. The authors acknowledge that some readers will misapply their newfound "expertise" to create insecure systems. That's a risk you run with any infosecurity book, and simply reading this book won't make you an expert on par with the authors. However, Practical Cryptography, as a necessary companion to Applied Cryptography, provides readers with a solid foundation in the proper cryptographic systems design.

If you've read Applied Cryptography, you owe it to yourself to follow up by reading Practical Cryptography.

Article 17 of 17
This was last published in September 2003

Dig Deeper on Disk and file encryption tools

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All