New Book: Cryptography Engineering

I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work—and added exercises to make it more suitable as a textbook—and is the third author on Cryptography Engineering. (I didn’t like it that Wiley changed the title; I think it’s too close to Ross Anderson’s excellent Security Engineering.)

Cryptography Engineering is a techie book; it’s for practitioners who are implementing cryptography or for people who want to learn more about the nitty-gritty of how cryptography works and what the implementation pitfalls are. If you’ve already bought Practical Cryptography, there’s no need to upgrade unless you’re actually using it.

EDITED TO ADD (3/23): Signed copies are available. See the bottom of this page for details.

EDITED TO ADD (3/29): In comments, someone asked what’s new in this book.

We revised the introductory materials in Chapter 1 to help readers better understand the broader context for computer security, with some explicit exercises to help readers develop a security mindset. We updated the discussion of AES in Chapter 3; rather than speculating on algebraic attacks, we now talk about the recent successful (theoretical, not practical) attacks against AES. Chapter 4 used to recommended using nonce-based encryption schemes. We now find these schemes problematic, and instead recommend randomized encryption schemes, like CBC mode. We updated the discussion of hash functions in Chapter 5; we discuss new results against MD5 and SHA1, and allude to the new SHA3 candidates (but say it’s too early to start using the SHA3 candidates). In Chapter 6, we no longer talk about UMAC, and instead talk about CMAC and GMAC. We revised Chapters 8 and 15 to talk about some recent implementation issue to be aware of. For example, we now talk about the cold boot attacks and challenges for generating randomness in VMs. In Chapter 19, we discuss online certificate verification.

Tags: books, cryptography, Cryptography Engineering, encryption, hashes, Schneier news, security engineering

Posted on March 23, 2010 at 2:42 PM • 23 Comments

Comments

GreenSquirrel • March 23, 2010 2:47 PM

@ Bruce – you need to work on your sales technique.

Adam T • March 23, 2010 2:52 PM

@GreenSquirrel: I think actually his technique is better. I don’t have either of the books and would enjoy either one. The fact that he tells you that the contents hasn’t changed if you’re not using it makes me think Bruce is a stand up guy that cares about the topics and not just about making a quick buck selling snake oil or some supposed expertise.

Brandioch Conner • March 23, 2010 2:58 PM

@Bruce
“If you’ve already bought Practical Cryptography, there’s no need to upgrade unless you’re actually using it.”

Or if the possibility of the new copy being signed by the authors exists.

Any chance of signed editions being available?

GreenSquirrel • March 23, 2010 3:07 PM

@Adam T – I was joking.

David • March 23, 2010 5:00 PM

@GreenSquirrel: Bruce mentioned the book to the one audience in the world most likely to buy a new Bruce Schneier book. About the only thing he could have done to make sales more likely here is tell us how we can get his autograph encrypted onto the book.

Bruce Schneier • March 23, 2010 5:13 PM

“Any chance of signed editions being available?”

Sure. I’ll offer signed — by me, only — copies for sale. Watch the book URL; the details will be up in a day or so.

Alice • March 23, 2010 5:20 PM

Cryptographically signed or manually signed?

Anton • March 23, 2010 5:26 PM

Wow, I am stunned. I thought celebrity status was reserved for the rich and beautiful or Hollywood movie stars.

Bruce, I have some of your books, they are great. Also look forward to THE book that congeals all your blog entries into an entertaining volume on how not to be cynical.

Jay • March 23, 2010 7:39 PM

So if we are using /Practical Cryptography/, what’s in it for us to upgrade to /Cryptography Engineering/?

clvrmnky • March 23, 2010 8:55 PM

@Jay: you get the second part of the map showing how to get to the priceless artefact.

You did figure that out form the first book, right? Because you can’t get the second part without solving the first part.

Bruce Schneier • March 23, 2010 10:50 PM

“So if we are using Practical Cryptography, what’s in it for us to upgrade to Cryptography Engineering?.

We went through and updated everything, so that it’s as current as possible. We added exercises, in the hopes that professors would use it as a textbook. Unlike Applied Cryptography, the point of this book was to be deep instead of broad — we didn’t change that.

AC2 • March 24, 2010 12:30 AM

Hmmmm.. Well Bruce is a bit of a salesman as post sale you are presumably returned to
http://www.schneier.com/book-sos.html

Or was this a copy-paste induced error as the return from the buy button on the above link is back to the same page.

And is it a good idea to have a buy link on this page whose security can be questioned??

Questions, questions…

If anyone wants to understand what I’m blabbering on about please view HTML source for http://www.schneier.com/book-ce.html and look at

FORM action=https://secure.paypal.com/cgi-bin/webscr method=post

INPUT type=hidden
value=http://www.schneier.com/book-sos.html name=return

Tree • March 24, 2010 7:29 AM

It isn’t a textbook if it doesn’t have almost the same name as another textbook.

BF Skinner • March 24, 2010 12:26 PM

@clvrmnky

The cake is a lie.

@Bruce. You’re link says 35$ for an autographed copy (for US buyers). Is this 35 OVER the 55? or are you cutting one heck of a sweetheart discount for the cognicenti?

Anderson Ross • March 24, 2010 1:49 PM

I’d like a copy signed by Sandra Bullock.

🙂

Nick P • March 24, 2010 4:53 PM

@ “Anderson Ross”

I’ll get you Jessica Alba’s signature, but such beauty don’t come free [for you].

Brian M • March 24, 2010 9:39 PM

Bruce: Any eBook availability? I’m getting myself a signed version as well, but an eBook would be fantastic.

Debora Weber-Wulff • March 25, 2010 8:47 AM

Actually, this is much cheaper than what Amazon is flogging it for in Germany: they want 55 € or about 70$ for an (unsigned) copy.

Ed Norton • March 27, 2010 12:49 AM

Beyond adding exercises and updating things is there additional content?

Bruce Schneier • March 29, 2010 6:46 PM

We revised the introductory materials in Chapter 1 to help readers better understand the broader context for computer security, with some explicit exercises to help readers develop a security mindset. We updated the discussion of AES in Chapter 3; rather than speculating on algebraic attacks, we now talk about the recent successful (theoretical, not practical) attacks against AES. Chapter 4 used to recommended using nonce-based encryption schemes. We now find these schemes problematic, and instead recommend randomized encryption schemes, like CBC mode. We updated the discussion of hash functions in Chapter 5; we discuss new results against MD5 and SHA1, and allude to the new SHA3 candidates (but say it’s too early to start using the SHA3 candidates). In Chapter 6, we no longer talk about UMAC, and instead talk about CMAC and GMAC. We revised Chapters 8 and 15 to talk about about some recent implementation issue to be aware for. For example, we now talk about the cold boot attacks and challenges for generating randomness in VMs. In Chapter 19 we discuss online certificate verification.

Christopher Gilbert • April 15, 2010 7:40 AM

An eBook release would be greatly appreciated.

Michael C • June 13, 2014 12:14 PM

Hi,

I just bought your book. I want to do the exercices, but I cant verify if my answers are correct.
Where can i find the corrections?

Thanks,

Michael

Mike Bridge • December 7, 2016 2:21 PM

Is anyone else working on the exercises? I’m working on them at https://github.com/mikebridge/cryptoeng but don’t know how correct my answers are.

New Book: Cryptography Engineering

Comments

Leave a comment Cancel reply