So, you want to crypto

162 points by bqe, over 11 years ago

17 comments

greenyoda, over 11 years ago
I think this quote from the article perfectly sums up the dangers of amateur cryptography:

"Cryptography isn't something you can iterate on until you get it right, because you'll never know if you do."
plg, over 11 years ago
The Matasano crypto challenges are a great place to start getting your feet wet and your hands dirty.

http://www.matasano.com/articles/crypto-challenges/

Myself, I'm trying them in ANSI C.
phaus, over 11 years ago
> Do not let users use your product until it's been vetted.

It's OK to let them use it so you can have a large user-base to test with, you just need to explain to them that it isn't proven secure. As in, explicitly tell them that they are under no circumstances to use it with sensitive information.

Playing around with cryptography is the only way to learn it, you just have to remember to tell people that playing is exactly what you are doing.
milhous, over 11 years ago
I'm taking an Intro to Crypto course this spring. What's interesting is that it's offered through the Math department, and I assumed it was a CS class.

We'll be using this text:

http://www.amazon.com/Introduction-Cryptography-Coding-Theory-Edition/dp/0131862391/ref=sr_1_1?ie=UTF8&qid=1387924295&sr=8-1&keywords=9780131862395

Is this any good? Apparently a best seller in the "Software Coding Theory" category on Amazon.
andrewcooke, over 11 years ago
article mentions nothing-up-my-sleeve numbers, so a topical reminder that the permutation for md2 (and rc2 apparently) is still unexplained (despite being "derived from pi") - http://crypto.stackexchange.com/questions/11935/how-is-the-md2-hash-function-s-table-constructed-from-pi

for all you conspiracists - this was designed by rivest, the r in rsa, now famous for cooperating with nsa... (i don't really believe that the permutation is a backdoor, but i would like to know how it's derived - rivest is famous for elegant algorithms, and for the life of me i can't find a simple, neat way to get those numbers from pi)
haberman, over 11 years ago
I'm curious to hear people's thoughts about git. Git is "crypto" to some extent, Linus does not appear to have tons of crypto expertise, and it uses SHA1 as a MAC AFAICT (which according to tptacek's earlier comment is invalid). And yet I've never heard about attacks on its crypto.

This was interesting for me to think about because it seems like a counterpoint to the article, in that it is a very successful project that came about in a very "quick and dirty" way as opposed to starting with formal protocol design.

--

I see that Linus disclaims the idea that SHA1 is about security: "Git uses SHA-1 in a way which has nothing at all to do with security.... It's just the best hash you can get.... It's about the ability to trust your data. I guarantee you, if you put your data in Git, you can trust the fact that five years later, after it was converted from a hard disk to a DVD to whatever new technology and you copied it, five years later you can verify that the data that you get back out is the exact same data you put in."

But it seems like avoiding attacks like this must also be a goal: http://lkml.indiana.edu/hypermail/linux/kernel/0311.0/0621.html
betterunix, over 11 years ago
If you want a more "theoretical" look at the theory, Introduction to Modern Cryptography by Jon Katz and Yehuda Lindell is a great book. Also good (but my copy had many printing errors) is Foundations of Cryptography by Oded Goldreich.
rnicholson, over 11 years ago
> Both Applied Cryptography and the Handbook of Applied Cryptography are great resources, although they're a little dated now. ... Step one is to read Cryptography Engineering. This is not optional. Read it. It is a fantastic book that details how to use cryptographic primitives.

It seems kinda superfluous to mention Applied Crypto when the real reco is to read Cryptography Engineering. I'd almost wonder if it would be better to direct people away from Applied Crypto...

Personally, I found Applied Cryptography to be so-so at best. Practical Cryptography was a breath of fresh air in comparison.
theboss, over 11 years ago
TL;DR - If you want to do crypto then learn crypto.

If you want to learn crypto and do crypto then certainly start with this. Then, when doing crypto...practice. Build it and reach out and ask for help and talk to people who know what they are doing and learn from them. Ask them about problems you encountered and ask them about the best ways to solve them...otherwise you will continue to make the same mistakes.
derefr, over 11 years ago
> And don't make your cryptography project sound like snake oil. Saying military grade encryption or N-bits of security makes you sound like you don't know what you're talking about.

Interesting to contrast this with patio11's statement from just a few days ago (https://training.kalzumeus.com/newsletters/archive/sco_reminder):

> People are better at remembering images than they are remembering claims or facts. "256-bit SSL encryption" is a true fact about your software product, but for most customers it goes in one ear and out the other. "Bank-grade encryption" is an image -- people can envision the vault -- and is vastly more likely to be recalled favorably when someone is worried about security.
Nursie, over 11 years ago
Ok so I do want to crypto and (to the best of my ability) I already do. I follow best practices, read about the subject matter, did coursera's crypto 1 (and where the hell is pt2? 1 was awesome!). I use established algorithms and I use well audited implementations etc etc. where available.

I have a question about MACs. We're using HMAC based on SHA256 with 32-byte keys on our new system, but our security architect only wants us to send and verify 4 or 8 bytes of the MAC output. Am I wrong to be suspicious of this? It massively reduces the number of bits an attacker has to guess or calculate, though at 8 bytes that's 128 bits so not exactly a quick brute-force...
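An added example, not from the thread or from git, that puts numbers on two of the questions above: haberman's (is git's SHA1 object id a MAC?) and Nursie's (what does truncating an HMAC-SHA256 tag to 4 or 8 bytes cost?). The key, message and tag length are constructed sample values; the git blob format and the truncation rule are standard, and the verifier fixes the tag length itself rather than trusting the length of what it receives.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread): a 32-byte key, as in
# Nursie's HMAC-SHA256 setup, and a short message to authenticate.
KEY = bytes(range(32))
MSG = b"transfer 100 to account 42"
TAG_LEN = 8   # policy-fixed truncation, in bytes; never read it from the message


def git_blob_id(data: bytes) -> str:
    """Git's object id for a blob: SHA-1 over 'blob <len>\\0' + content.
    No key is involved, so anyone can compute a valid id: this is an
    integrity check against corruption, not authentication of the author."""
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()


def truncated_tag(key: bytes, msg: bytes, tag_len: int) -> bytes:
    """HMAC-SHA256 tag cut down to its first tag_len bytes (RFC 2104 sec. 5)."""
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return full[:tag_len]


def verify(key: bytes, msg: bytes, tag: bytes, tag_len: int = TAG_LEN) -> bool:
    """Accept msg only if tag equals the truncated HMAC, compared in constant
    time. The expected length is fixed by the verifier: deriving it from
    len(tag) would let an empty tag match the empty prefix of any HMAC."""
    if len(tag) != tag_len:
        return False
    return hmac.compare_digest(truncated_tag(key, msg, tag_len), tag)


def tag_security_bits(tag_len: int) -> int:
    """Online forgery work is bounded by the tag that is actually sent: each
    tag byte is 8 bits of guessing space, so 4 bytes is 32 bits and 8 bytes
    is 64 bits. The 32-byte key does not raise this bound."""
    return 8 * tag_len


if __name__ == "__main__":
    tag = truncated_tag(KEY, MSG, TAG_LEN)
    print("blob id of 'hello\\n':", git_blob_id(b"hello\n"))
    print("8-byte tag:", tag.hex())
    print("valid:", verify(KEY, MSG, tag))
    print("tampered:", verify(KEY, MSG + b"0", tag))
    for n in (4, 8, 32):
        print(f"{n}-byte tag -> {tag_security_bits(n)} bits of tag security")
```

The practical reading of the last function: an 8-byte tag gives 64 bits of guessing space, not 128, and whether that is acceptable depends on how many verification attempts the system lets a remote party make before rate limiting or lockout.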
jiggy2011, over 11 years ago
Surely the correct answer is "just use keyczar"? At least 99% of the time.
berrypicker, over 11 years ago
In college cryptography was my main interest, but it was mostly theoretical (math) and little programming, which meant I was in fact useless when it came to practice because I had no experience in implementation and (I found) there are so many unknowns that one of the most important things is experience in implementing stuff in/on a specific language/platform.

I have signed up to the Coursera course and hope to brush up on basic topics and start doing more advanced crypto.
cconger, over 11 years ago
I love this article. It takes a pro-active, how-to-proceed attitude while at the same time laying out the classic pitfalls that exist. This is the tone I wish to have at all times instead of the cynical one that I undoubtedly adopt.
sidcool, over 11 years ago
The author seems quite pissed at the state of crypto in the world, and he's definitely trying to help. I like the general language of the post. Good work and keep it up!
lazyjones, over 11 years ago
This is a condescending blog post by someone with an (apparently) much weaker crypto background than the telegram people he is ranting about. Of course it's much easier to post something like that than it is to actually get a rock-solid implementation at the first attempt - and we can safely assume that the telegram people do not need such advice.

Would not read again.
ztnewman, over 11 years ago
> Don't listen to idiots who tell you otherwise.

Real mature.