on December 23, 2003
The authors spend far too much time preaching that cryptography is only a small (albeit important) part of security. This is not a new revelation. Most cryptographers have known this for a long time. In fact, the only cryptographer I know who believed for many years that cryptography was the entire answer, only to later suddenly realize that this was not the case, is Bruce Schneier himself. (Not coincidentally, his change of opinion coincided with the change in direction his company took from cryptography consulting to managed security monitoring.....)
The book has an extremely condescending tone. It can be summarized as follows: "Cryptography is a very complicated and sophisticated task. Therefore, we will not provide you with any meaningful explanations and details, but only a few tidbits to convince the naive reader that we are very smart and experienced. This should convince you not to attempt to learn more about cryptography, but instead hire us as consultants."
The authors may succeed in fooling the novice reader, but they won't fool the experienced cryptographer or security practitioner.
on December 10, 2003
I've read a large number of cryptography books. Very few of them come down to brass tacks. They give you a description of a few algorithms, their strengths and weaknesses, and leave it at that. Either that, or they describe in lovingly complex detail the implementation of a particular protocol, one usually so fraught with options and details that you wonder how, at the end of it, that anybody writes a conforming implementation.
Practical Cryptography does neither of these things. It presents algorithm classes, why they exist, and what the best known algorithms are in each class. It explains how the various strengths and weaknesses of algorithms in each class combine to make a cryptosystem weaker or stronger. Then it goes on to show you how to use that information to build working cryptosystems.
People have complained about the book's seeming schizophrenia. On one hand, the authors are trying to show you how to build a secure cryptosystem. On the other, they're telling you how hopeless a task it is to build one that has no vulnerabilities, even if you're an expert in such things.
This can be annoying, but I more find it refreshing. Writing a secure cryptosystem is very hard. People should be aware that it is hard, and they are likely to make mistakes. It isn't something that should be attempted lightly. The current state of computer security is depressingly abysmal. People should be encouraged, as much as possible, to not contribute to the problem.
I'm not following my own advice, and I am building a new cryptosystem. I have found this book a more valuable resource than any other book on cryptography that I have yet read. Even if you aren't building your own cryptosystem, I think you will find the insights this book has into complexity and design to be useful tools in evaluating other cryptosystems.
on November 13, 2003
If Bruce Schneier has acquired a habit, it is the ability to take the same old material and rehash it into different books, year after year. My guess is that, next year, he'll use another slightly different angle and try to sell you the same basic information. What you need to do, as a consumer, is step back and see this book for what it is: supplemental income and marketing for Bruce Schneier.
Years ago, Bruce was laid off from AT&T Bell Labs. Since then, Bruce has been using rubes like you to augment his salary. Let's face it; if Bruce were a Ken Thompson or a Claude Shannon, he'd probably still have his job at Bell Labs. But he isn't. Instead he wrote a book and touted himself as an expert to an industry of people who didn't know any better.
What I find truly onerous about his books is the condescending tone that Schneier adopts when addressing the reader. It's if he's saying "I am so much more elite than you, I can't even begin to tell you." I agree with previous reviewers, I was a little put off by the fact that he recommends you hire an expert to implement a cryptosystem. Hire an expert? Then why in god's name should we buy the book? Entertainment value? Please, do tell Bruce, we're all waiting to hear why you made us waste $20.00. Did you buy a new sports car?
Recently I spoke with a PhD, from Brown, who performed decades of research in number theory. He recommended "Cryptography in C and C++," by Michael Welschenbach. He also said "I don't know why people think Applied Cryptography is such a good book. He [Schneier] doesn't seem to understand the mathematics very well." Pick up Applied Cryptography sometime and compare it side-by-side with Welschenbach's book. You'll see what that PhD was talking about.
The truth is that Bruce Schneier is a lot of style without much substance. He's a businessman who can sell himself to an unsuspecting public. What he lacks in ability he makes up for with moxie. Having lived in Minneapolis, I'm more than familiar with the type of silly yuppie pretenders that live on Hennepin Avenue with their nose piercings and their tattoos. Bruce, that ponytail doesn't fool anybody. You're just another suit with something to sell.
on September 6, 2003
If you liked Applied Cryptography, but were turned off by all the math, get this book.
It is Applied Cryptography Light.
Not that this is such an easy read, but a much easier, updated and practical read than Applied Cryptography.
on August 31, 2003
Classic books are often by definition, boring. Moby Dick is an American classic, and an insomniacs delight. Similarly, Bruce Schneier's Applied Cryptography is the definitive book on cryptography, but is far too complex and mathematical for most readers.
With that, Practical Cryptography is a superb text for anyone needing to know the core details of cryptography, but don't want to be bogged down with theoretical and abstract cryptographic ideas.
Where Applied Cryptography is a reference, Practical Cryptography is meant to be a narrative. The book follows the design of a secure cryptographic system from its algorithm selection, design philosophy, analysis, debugging and implementation.
The implementation aspect is crucial, as while there are many books available on the theory of cryptography, there is amazingly little about its practical implementation. While Practical Cryptography is a much easier read than Applied Cryptography, it is primarily geared for the applications
While Practical Cryptography is not as technical as its older brother Applied Cryptography, it is still not a For Dummies type of book. The average reader will likely find most of the book far too abstract for their needs. But for those that are looking for a practical and usable book about implementing cryptography, this is the definitive reference.
on July 31, 2003
The combination Schneier - Ferguson invites to travel the basic aspects of the cryptography and inclusive it proposes the best queries of what one has learned and we should learn on this process.
In the personal thing the chapter 6: Work Hash; the chapter 7: MAC; the chapter 14 referred to the cryptographic protocols; the chapters 19 and 20 referred to PKI consider they are excellent. They have a quite practical point of view, realist, didactic and very realistic overalls.
I consider that the mathematical aspect has been covered with the space that deserves.
Very good decision of publishing a book more about applied cryptography and in that sense my recommendations to the book.
on May 31, 2003
If you want an honest and extremely realistic analysis of security and encryption in general, this is the book for you. The authors are "dead-on" in their analysis of security as a process instead of just a system for cryptography. They especially "hit-the-mark" in their analysis of the sad state of affairs in Bio-Metrics and PKI (Public Key Infrastructure). This is not a balanced "middle-of-the-road" analysis. Instead, it is an opinionated view of security and cryptography solutions, implementations, and idealizations. The author's opinions are welcome and correct. They have the experience and they make more sense than most. (Not to mention that they take a very sensible approach the topics).
on May 20, 2003
Two of the leading world cryptographers take their time to show engineers of all kinds, not just programmers, how the security is to be implemented.
To quote: "one of the reasons for writing this book: to get other people to understand the insidious nature of security, and how important is to do it right."
The whole point of the book is to show how would the authors have built an encryption system if everything's to be done right. This means secure communication channel, key negotiation, random number generation and public key encryption. Basically what you have in this book is a blueprint for the best possible crypto system.
The authors describe a few cryptographic primitives, like block ciphers and hash functions, but not a whole lot and nothing in details. The authors just pick one of each (explaining exactly why the one they picked is the best) and stick with it throughout the book.
The book has surprisingly little math, if any. No details of any existing protocol in particular.
A lot of (literally dozens) attacks described, at any point, on any part, and for each a cure is proposed or "no cure possible" conclusion is made. Pretty informative.
Lots of advises, some more technical, some more philosophical. Lots of auxiliary info, like patents on crypto, dancing pigs :), implementation notes etc. Some chapters are about a dozen pages long. A touch, but it makes you think.
Oh, and it describes Mr. Schneier's new Yarrow random generator, and what's more - a shiny new extension to it called Fortuna. Fascinating stuff if you ask me.
There are some minor downsides too.
First, the pseudocode which is used for describing algorithms is strikingly bad. Dear authors of computer books, even if you don't want to take any language's side, please make your code readable for programmers.
Second, a few times the book goes like this: "there is that thingy, it's green and it does things". What ? I think if you even mention things, making a consistent view of what it is at least would be nice. To be specific, the book mentions but never even tries to explain: UMAC, OCB, CCM. There is a few more but I wouldn't mind omitting details on those as they are specifically marked as "stay clear off". I could have googled for them for sure, but what is the point of the book then ?
Third, some of the advises, especially on programming side don't stand. I found the most useful advises the ones that begin with "Niels once had..." and "We found useful...", i.e. the advises from the field. Some other advises are too general. In the very same time the authors say something like "we (the world) don't have a clue how to write secure software". I fully agree, but why trying to squeeze in a small book thus useless advises ? Like for instance, first they say "wipe any information as soon as you no longer need it" and then "assertion failures should always lead to an abort of a program". Cleanup, huh ? Shall we just say that writing quality software takes no less books than designing proper crypto ?
So, the book gets 5 out of 5, because it (1) delivers exactly what it advertises (2) provides an good coverage on the topic and (3) the authors are but the best cryptographers there are.
Recommended for anyone.
on May 18, 2003
Well, I can't really recommend the book. It's readable enough,
but I can't figure out their target audience. Only someone actually
implementing a cryptographic system would get anything out of
this book. At the end of the book, they warn you that a good
implementation is so hard that you really should hire an
expert to do it. They also say "The world is full of of bad
security systems designed by people who have read Applied
Cryptography. Practical Cryptography is likely to have the
They say they wrote the book as an introduction to the state
of the art ("[people] .. must learn it somewhere, and we didn't
know of any other suitable books.") Given that no one but a
programmer or mathematician would get through half the book,
it's unlikely to reach a general audience, or even the managers
who really need their advice.
The content level of the book is very uneven as well, with
general, strategic advice mixed with algorithm discussions. Yet
there's almost no nuts and bolts programming advice. They just
point you off to other sources for all of that.
They have these little "So what should I do?" sections at the
end of most chapters, but they are pretty cynical. The most
common advice amounts to "there's no way to know without analyzing
your requirements." The other comments are along the lines of
"the software industry is a mess", "the standards process is a mess",
"the patent process is a mess", "(technique X) hasn't been around
long enough to be analyzed much, is a patent minefield, or has been
broken, or nearly broken. Don't use it." And finally, that security
depends on the weakest link, which generally won't be the
cryptography anyway. (Don't even try to do this at home!) This
may all be true, but it's not really helpful.
I don't know if you could implement a complete system from their
description of which techniques are reasonably good. If you
trusted their implementation advice, should you also trust their
overall advice, which is to leave this to the experts?
The whole thing leaves me with the impression that they are pretty
bitter about the whole field. They want people to do better on
security, but they have no expectation that they will. They want
to be listened to (and hired), but don't expect that either. The
book is mostly to say "see how complicated this is (you idiots!)?"
on May 11, 2003
With its heritage in "Applied Cryptography", the world's most famous book on the subject, I had high hopes for "Practical Cryptography".
Until page 149, when I read the following: "We can give you advice on how to write good cryptographic code...specifically, don't use C or C++". I looked for emoticons or signs of a subtle humour, but couldn't find them. Better get Linus to dust off his JDK then. :-) They have a point, but the book's title is surely a misnomer. Unfortunately this style of advice is pretty symptomatic of much of the book.
Like Burnett's "Cryptography" in the RSA Security series, this book takes a comprehensive but high level approach. I think this is the wrong way to entice curious engineers. The authors lack Burnett's enthusiasm, setting a dismal backdrop in which good security is impossible, and at times appear very condescending.
The highlight of this book is the advice that the authors give on choosing symmetric algorithms - for example they like AES for its 256 bit key size, but don't like its 128 bit block size. Some of their thoughts place them in a cryptographic minority, but their rationale for these thoughts are well worth reading, almost enlightening.
They emphasize that cryptographic algorithms need close and lengthy scrutiny by their peers and warn the reader against new and untested designs. And then present in great length, without warnings about misuse, their new and unscrutinized PRNG Fortuna.
The final chapter of the book runs along the lines of "we've told you this stuff, but you're going to get it really wrong, so just use an expert". I agree that they are almost invariably right, but at a time when there is a glut of cryptographic literature, I'd love to know why they thought this book would contribute.
My final word: if you want technical cryptography, try Nigel Smart's excellent "Cryptography". If you want a high level view, try Burnett's competent "RSA's Official Guide to Cryptography".