Applied Cryptography / Bruce Schneier
This review also appeared in Slashdot.
More than any other field in computer science, cryptography is associated with computer warfare. Recent international treaties define cryptographic algorithms as weapons, and the laws of many countries prohibit either the development, the usage, or the export of cryptographic algorithms. Yet while feared by governments, cryptography is one of the most fascinating—and useful—fields of algorithmics.
The whole point of cryptography is to solve problems. (Actually, that’s the whole point of computers—something many people tend to forget.) Cryptography solves problems that involve secrecy, authentication, integrity, and dishonest people. You can learn all about cryptographic algorithms and techniques, but these are academic unless they can solve a problem.
Bruce Schneier’s Applied Cryptography, in its second edition, is probably the best introduction to the field. Schneier is not merely an excellent technical writer, but also a researcher in the field; for example, he developed the public-domain Blowfish encryption algorithm. But unlike many works by other researchers, Schneier’s work does not read like a dry paper for a scientific journal. His writing is very enjoyable (though the jokes are overdone at times) and his explanations are almost always lucid.
Breaking a plate is a good example of a one-way function. It is easy to smash a plate into a thousand tiny pieces. However, it’s not easy to put all those tiny pieces back together into a plate.
So, what good are one-way functions? We can’t use them for encryption as is. A message encrypted with the one-way function isn’t useful; no one could decrypt it. (Exercise: Write a message on a plate, smash the plate into bits, and then give the bits to a friend. Ask your friend to read the message. Observe how impressed he is with the one-way function.) For public-key cryptography, we need something else.
Generally, the book covers four main subjects: protocols, algorithms, source code (in C), and politics. As the title indicates, the book is intended to people who actually wish to apply cryptographic methods to their programs, and so the theoretical discussions and mostly at introductory level—sufficient to make you understand how an algorithm works and what are its benefits and potential weaknesses, but without elaborate mathematical proofs, for example.
Part I of the book, “Cryptographic Protocols,” includes five chapters: building blocks, basic protocols (like key exchange and authentication), intermediate protocols (timestamping, fair coin flips, key escrow, etc.), advanced (zero-knowledge proofs, simultaneous contract signing, digital certified mail, etc.) and esoteric ones (like secure elections and anonymous message broadcast).
Part II, “Cryptographic Techniques,” deals with such issues as key length, key management, and methods of employing algorithms. The longest section, Part III, spans 13 chapters—”Cryptographic Algorithms.” The algorithms covered include DES and its variants, Skipjack, Lucifer, LOKI, RC2, RC4, RC5, IDEA, Blowfish, RSA and many others. The greatest detail is given to the venerable old DES, but the information about other protocols (over 50 in all, including block ciphers, stream ciphers, random-sequence generators, one-way hash functions, public key algorithms, and more) is sufficiently detailed for you to decide which best suites your needs. And should you need more information, an outstandingly detailed list of over 1,600 references is included.
As in most texts about cryptography, protocols and algorithms are described using the merry cast of Alice (side A), Bob (side B), Eve the eavesdropper, Mallory the malicious attacker, and their other friends and foes. This makes descriptions much easier, since once you get used to these Dramatis Personae (which happens rather quickly), you immediately know who plays what role in each scene, without wasting time on repeated explanations. Schneier brings those characters to life in numerous examples of the pros and cons of various approaches.
Part IV, “The Real World,” deals with two subjects: sample implementations in actual products, and politics, including history and legal issues. The history of cryptography is much longer than that of computer science: from secret codes to invisible inks, encoded messages were here for a very long time indeed. On the other hand, cracking cryptographic codes was among the earliest uses of computers, back in WWII (as anyone familiar with the story of Alan Turing knows).
One section in chapter 25 lists the import and export limitations on cryptography in different places around the globe. The most interesting entry is for my own country, Israel, which (according to Schneier) “has import restrictions, but no one seems to know what they are.”
The final section, “Source Code,” includes over 50 pages of sources in C for several algorithms: DES, LOKI91, IDEA, GOST, Blowfish, 3-Way, RC5, A5 and SEAL. It looks insane that a book published in the mid-’90s with so many lines of code is not accompanied by a CD; but then you realize that what’s insane is not the book but export laws, which allow cryptographic algorithms to be distributed in print—but not on electronic media. Consider, for example, how Phil Zimmermann’s PGP was legally exported from the US to the rest of the world: the sources were printed in a one-copy book, which was mailed to Europe, scanned in and recompiled.
(Of course, in these days of global networks, you can probably download source codes for all algorithms even if you live in the most God-forsaken island in the ocean.)