Schneier on Security

The preface points out that cryptography has done more harm than good in terms of securing information systems, not because cryptography fails in and of itself, but, rather, due to the improper use or implementation of the technology. This book is intended to provide concrete advice to those designing and implementing cryptographic systems. As such, it is not the usual introduction to cryptography, and is aimed at a fairly limited group.

Chapter one asserts that we should be engineering for security, rather than speed or bells and whistles. Security is only as strong as the weakest link, we are told in chapter two, and (following from the idea of defence in depth) we need to have engineering in depth (and probably breadth, as well). The issues are important, but there is some lack of clarity to the organization and flow of the text and arguments: the reader may start to wonder what the essence of the message is. (I see that I should have trademarked “professional paranoia” when I started using it years ago, but it is nice to note that the point is being taken.) Chapter three is a rather unusual “Introduction to Cryptography” (and the mathematical format of the text doesn’t make it easier for the math-phobic to concentrate on the meaning), but focussing on the applications and problems, the cryptanalytic attacks, and repeating the injunctions against complexity and the sacrifice of security for performance is a reasonable position…