This is about to eat my weekend, I think! :)<p>Quite seriously, this is exactly what the tech world needs - personally, I know that in terms of understanding of crypto I'm streets ahead of the average Joe, but orders of magnitude behind people who <i>actually</i> know the field. I'm certain I'm far from alone in that set, but the way the world's going means that we with the generalised technical know-how have a moral impetus to bring the rest of the world up to speed with the whys and wherefores.
The old Cryptopals challenges (<a href="http://cryptopals.com/" rel="nofollow">http://cryptopals.com/</a>) seem to cover the same material in a pedagogically very different way - they don't feed you the information as this book does, but give you a practical task which can be easily done with e.g. reading the specification of an algorithm from wikipedia, but figuring out the implementation of the attack yourself gives a much better understanding than simply reading about it.<p>Although this book claims a "Learn by doing" approach, I didn't find any specific assignments or data samples to facilitate that.
When I was taking Aikido, there was a day when the sensei was going through all of our techniques and showed how the <i>uke</i> (initiator of the attack, receiver of the technique) could turn things around on the <i>tori</i>. (receiver of the attack, initiator of the technique) It seemed like there were a half dozen ways each that a technique could go seriously wrong, and that many of them didn't require much skill, only determination and the opportunity provided by a mistake. That day made me question the validity of the entire notion of self defense.<p>I wonder if there shouldn't be a software engineering class where people try to set up a secure web app, with their own homegrown algorithms and protocols, which is then attacked by a tiger team which includes a conspirator on the inside? Perhaps there are such classes now.
With everything in Crypto I have to wonder: Is the information correct? I really have no way of verifying if I'm learning the correct DHE, and I know that it's easy to get wrong. Perhaps I can do some testing in code, but I may test it incorrectly too, and those small errors can be exploited.
Also here is is a Dan Boneh cryptography playlist <a href="https://www.youtube.com/playlist?list=PL9oqNDMzcMClAPkwrn5dm7IndYjjWiSYJ" rel="nofollow">https://www.youtube.com/playlist?list=PL9oqNDMzcMClAPkwrn5dm...</a>
Applied Cryptography is also one of the free advanced courses on Udacity:<p><a href="https://www.udacity.com/course/applied-cryptography--cs387" rel="nofollow">https://www.udacity.com/course/applied-cryptography--cs387</a>
There seems to be a lot of comments asking about the quality of this piece. I read through this the last time it was posted to HN, and I just have to say that this is the <i>perfect</i> balance of having enough detail to understand how things work, but not so much that it's overwhelming. That's a really difficult balance when it comes to crypto, so major props to the author. Fantastic work.
Whenever I have taken the small amount of cryptography knowledge I already have and tried to use it in a project, I've often been shutdown with "the system already does that" when it doesn't, or "this will be too complicated for the user, instead lets just roll our own [ad-hoc cryptography method]".<p>For those reading:<p>How do you convince people that it's worth using best practices?<p>Is there a good heuristic to measure the value of something, when deciding how much time and money to spend on securing it?<p>What are good library/SaaS solutions to help build secure applications with less chance of shooting yourself in the foot, better UX and lower cost? (Keybase, etc.)
The video claims that the Python standard library doesn't check certificates by default. In fact, it has done for at least a couple of years ([0] quotes the documentation as saying that it changed two years ago - in 2.7.9 and 3.4.3).<p>Although the video is marked 2015, the overlay at the start shows it's from PyCon 2013.<p>[0]: <a href="http://stackoverflow.com/a/28325763/2492" rel="nofollow">http://stackoverflow.com/a/28325763/2492</a>
I'm really disappointed that (9.4) Elliptic curve cryptography is still under TODO.<p>If anyone is interested in ECC, ars has a pretty good introduction [0].<p>[0] : <a href="http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/" rel="nofollow">http://arstechnica.com/security/2013/10/a-relatively-easy-to...</a>
I checked the PDF and this looks very interesting and comprehensive, any change you could give an eta for the final release and more specific the epub release?<p>Thanks!
Quick question, I had apparently Pinboarded this in March 2014. I see the PDF is still pre-release. Has anything changed with this, or is it kinda just coming up again because of recent political climate.<p>I'm fine either way, just curious if this has changed drastically from what I had looked at previously.
For idiots like myself, I found this video, Public key cryptography - Diffie-Hellman Key Exchange (full version), to be completely enlightening using mixed colors to explain the most basic features of a cryptography algorithm.[0]<p>[0] <a href="https://www.youtube.com/watch?v=YEBfamv-_do" rel="nofollow">https://www.youtube.com/watch?v=YEBfamv-_do</a>
For anyone interested I found this to be a good book on working through some cryto implementations in Go:<p><a href="https://leanpub.com/gocrypto" rel="nofollow">https://leanpub.com/gocrypto</a><p>Its free to read online but its also very reasonably priced. Its written by an engineer over at Cloudflare.
This is great! Kudos to the author and thanks Rackspace for sponsoring this as well.<p>It's really encouraging to see this increased democratization of crypto not necessarily in the engineering of it per se but rather the awareness and understanding of it.
I put this pdf on my phone and read through interesting sections over a vacation involving long flights. It's a very nicely written text that you can read over a few days with some basic computer-science/mathematical background.
Thanks for this my guy! Maybe I'm telling on myself here, but I get the impression that your average developer doesn't know much about security outside of the basic (sql injection/cross site scripting)
Maybe I am being too harsh, but it is clear the author does not have a formal education in the subject [0] nor any track in breaking non-toy crypto implementations [1]. This alone makes me a bit wary of any recommendation one may read in the material.<p>There seems to be more attention to listing all the beasts in the cryptographic zoo than to the few fundamental tools required to really understand the mechanics (e.g. birthday paradox, PRFs, some prime number theory).<p>Sure, I can't spot anything fundamentally wrong and it all reads pretty smoothly, but calling this a "course" is highly misleading. If the intention is to guide people in selecting good crypto primitives, then maybe "guide" is a more honest word?<p>For those interested, I would strongly recommend to bite the bullet and dedicate time to Boneh's course on Coursera.<p>[0] I don't have any either
[1] Ditto
This is currently on edx. Its more advanced that the courses mentioned here. I do not know what edx will do after the course ends, but if you want it you can get it while it ss still available.<p><a href="https://www.edx.org/course/quantum-cryptography-caltechx-delftx-qucryptox" rel="nofollow">https://www.edx.org/course/quantum-cryptography-caltechx-del...</a><p>Quantum Cryptography
by Thomas Vidick (Caltech) and Stephanie Wehner (Delft University)