Practical Cryptography

With that, Practical Cryptography is a superb text for anyone needing to know the core details of cryptography, but don't want to be bogged down with theoretical and abstract cryptographic ideas.

Where Applied Cryptography is a reference, Practical Cryptography is meant to be a narrative. The book follows the design of a secure cryptographic system from its algorithm selection, design philosophy, analysis, debugging and implementation.

The implementation aspect is crucial, as while there are many books available on the theory of cryptography, there is amazingly little about its practical implementation. While Practical Cryptography is a much easier read than Applied Cryptography, it is primarily geared for the applications

While Practical Cryptography is not as technical as its older brother Applied Cryptography, it is still not a For Dummies type of book. The average reader will likely find most of the book far too abstract for their needs. But for those that are looking for a practical and usable book about implementing cryptography, this is the definitive reference.

Rating:
Summary: Excellent cryptography resource
Review: Classic books are often by definition, boring. Moby Dick is an American classic, and an insomniacs delight. Similarly, Bruce Schneier's Applied Cryptography is the definitive book on cryptography, but is far too complex and mathematical for most readers.

With that, Practical Cryptography is a superb text for anyone needing to know the core details of cryptography, but don't want to be bogged down with theoretical and abstract cryptographic ideas.

Where Applied Cryptography is a reference, Practical Cryptography is meant to be a narrative. The book follows the design of a secure cryptographic system from its algorithm selection, design philosophy, analysis, debugging and implementation.

The implementation aspect is crucial, as while there are many books available on the theory of cryptography, there is amazingly little about its practical implementation. While Practical Cryptography is a much easier read than Applied Cryptography, it is primarily geared for the applications

While Practical Cryptography is not as technical as its older brother Applied Cryptography, it is still not a For Dummies type of book. The average reader will likely find most of the book far too abstract for their needs. But for those that are looking for a practical and usable book about implementing cryptography, this is the definitive reference.

Rating:
Summary: A practical (bit boring) executive summary of AC
Review: For those of you (including myself) who were expecting an updated version of the Applied Cryptography, this book is NOT it. Based on the pre-publication blurbs here and there, I thought it may be a simple how-to book without too much theory. The book didn't turn out to be that sort of thing either.

This book is, sort of an executive summary of Applied Cryptography (AC), with some updates. It touches upon the insights that Scheneier mentioned in Secret and Lies (like crypto is the easy part and that won't solve security). It mentions some newer material, notably AES related stuff. The description is, in effect, a simplified version of AC. Also, it doesn't try to cover everything, and yes, some explanations about the practical applications are stressed slightly more than in AC.

So if you want to be practical, just go over the essential and latest stuff, this is a good book to read. But I must say that it's not as fun to read as AC. Not as many jokes, and absolutely no crazy stuff (like bio-computing and the significance of dark matters). Oh well, maybe that's what being practical means... But it doesn't give you the feeling of throughness that AC gave. Maybe this comes from my reading AC too much in detail (I actually translated the whole book into Japanese), but I think it is inherent in the book itself. In trying to cover as much ground as possible, the book hurries a lot.

So if you are in a hurry to cover just enough important stuff, get this book. And if you need some explanation on the newer stuff, get this. But I also recommend getting AC as well.

Rating:
Summary: Underwhelmed
Review: I appreciate the authors trying to get people to "do it right" by not offering a range of options. But, at the same time, there's not enough flexibility built into this book for some of the things I might need to do, particularly since I need to interoperate with systems that use ARC4, and don't use AES.

I think these guys, as smart about this stuff as they are, are still a bit in their ivory tower and don't do enough actual implementation work. It was good that Applied Cryptography had all that C code. There's none of it here, just protocol descriptions that seem easy to mess up.

I also get a bit spooked because these guys say, "peer review is important in cryptography" and then they say, "here are some new algorithms we invented, and they haven't been peer reviewed, and they might be wrong". I even looked at the acknowledgements, and it looks like only one person actually reviewed the contents. Wouldn't their time be better spent showing me how to use pre-existing stuff securely? For example, instead of creating their own protocol, they could have shown us how to use SSL properly.

I agree with a previous review that the book definitely feels a lot lighter than I would have wanted it to be. Some of the chapters, especially the ones on PKI in the back are devoid of the PRACTICAL content. They're a high level overview.

At the same time, this book DOES make Applied Cryptography look dated. It does cover important concepts that failed to make it into the other book, it just doesn't cover them in any sort of technical depth. And, it does give a better sense of the practical pitfalls than Applied Cryptography does. If this book did one thing, it made me realize that Appled Cryptography isn't quite as good as I thought it was.

Rating:
Summary: Outstanding in every way
Review: I preordered and my copied arrived end of last week... the first two chapters alone are worth the price of the book. They should be required reading for anyone involved with computer security in any way. This is a clear, enjoyable, practical book that should serve as the foundation for understanding how to design and implement security systems.

This is not an overview of what's out there in the world of cryptography in general, this is a focused and clear description of how to really create security systems in the real world, and a concise explanation of what the dangers are.

If you buy one book on cryptography, buy this one.

Rating:
Summary: this book has no substance
Review: I've read a large number of cryptography books. Very few of them come down to brass tacks. They give you a description of a few algorithms, their strengths and weaknesses, and leave it at that. Either that, or they describe in lovingly complex detail the implementation of a particular protocol, one usually so fraught with options and details that you wonder how, at the end of it, that anybody writes a conforming implementation.

Practical Cryptography does neither of these things. It presents algorithm classes, why they exist, and what the best known algorithms are in each class. It explains how the various strengths and weaknesses of algorithms in each class combine to make a cryptosystem weaker or stronger. Then it goes on to show you how to use that information to build working cryptosystems.

People have complained about the book's seeming schizophrenia. On one hand, the authors are trying to show you how to build a secure cryptosystem. On the other, they're telling you how hopeless a task it is to build one that has no vulnerabilities, even if you're an expert in such things.

This can be annoying, but I more find it refreshing. Writing a secure cryptosystem is very hard. People should be aware that it is hard, and they are likely to make mistakes. It isn't something that should be attempted lightly. The current state of computer security is depressingly abysmal. People should be encouraged, as much as possible, to not contribute to the problem.

I'm not following my own advice, and I am building a new cryptosystem. I have found this book a more valuable resource than any other book on cryptography that I have yet read. Even if you aren't building your own cryptosystem, I think you will find the insights this book has into complexity and design to be useful tools in evaluating other cryptosystems.

Rating:
Summary: Concrete presentation of a difficult subject
Review: I've read a large number of cryptography books. Very few of them come down to brass tacks. They give you a description of a few algorithms, their strengths and weaknesses, and leave it at that. Either that, or they describe in lovingly complex detail the implementation of a particular protocol, one usually so fraught with options and details that you wonder how, at the end of it, that anybody writes a conforming implementation.

Practical Cryptography does neither of these things. It presents algorithm classes, why they exist, and what the best known algorithms are in each class. It explains how the various strengths and weaknesses of algorithms in each class combine to make a cryptosystem weaker or stronger. Then it goes on to show you how to use that information to build working cryptosystems.

People have complained about the book's seeming schizophrenia. On one hand, the authors are trying to show you how to build a secure cryptosystem. On the other, they're telling you how hopeless a task it is to build one that has no vulnerabilities, even if you're an expert in such things.

This can be annoying, but I more find it refreshing. Writing a secure cryptosystem is very hard. People should be aware that it is hard, and they are likely to make mistakes. It isn't something that should be attempted lightly. The current state of computer security is depressingly abysmal. People should be encouraged, as much as possible, to not contribute to the problem.

I'm not following my own advice, and I am building a new cryptosystem. I have found this book a more valuable resource than any other book on cryptography that I have yet read. Even if you aren't building your own cryptosystem, I think you will find the insights this book has into complexity and design to be useful tools in evaluating other cryptosystems.

Rating:
Summary: Same old stuff, different day
Review: If Bruce Schneier has acquired a habit, it is the ability to take the same old material and rehash it into different books, year after year. My guess is that, next year, he'll use another slightly different angle and try to sell you the same basic information. What you need to do, as a consumer, is step back and see this book for what it is: supplemental income and marketing for Bruce Schneier.

Years ago, Bruce was laid off from AT&T Bell Labs. Since then, Bruce has been using rubes like you to augment his salary. Let's face it; if Bruce were a Ken Thompson or a Claude Shannon, he'd probably still have his job at Bell Labs. But he isn't. Instead he wrote a book and touted himself as an expert to an industry of people who didn't know any better.

What I find truly onerous about his books is the condescending tone that Schneier adopts when addressing the reader. It's if he's saying "I am so much more elite than you, I can't even begin to tell you." I agree with previous reviewers, I was a little put off by the fact that he recommends you hire an expert to implement a cryptosystem. Hire an expert? Then why in god's name should we buy the book? Entertainment value? Please, do tell Bruce, we're all waiting to hear why you made us waste $20.00. Did you buy a new sports car?

Recently I spoke with a PhD, from Brown, who performed decades of research in number theory. He recommended "Cryptography in C and C++," by Michael Welschenbach. He also said "I don't know why people think Applied Cryptography is such a good book. He [Schneier] doesn't seem to understand the mathematics very well." Pick up Applied Cryptography sometime and compare it side-by-side with Welschenbach's book. You'll see what that PhD was talking about.

The truth is that Bruce Schneier is a lot of style without much substance. He's a businessman who can sell himself to an unsuspecting public. What he lacks in ability he makes up for with moxie. Having lived in Minneapolis, I'm more than familiar with the type of silly yuppie pretenders that live on Hennepin Avenue with their nose piercings and their tattoos. Bruce, that ponytail doesn't fool anybody. You're just another suit with something to sell.

Rating:
Summary: this is applied crypro lite
Review: If you liked Applied Cryptography, but were turned off by all the math, get this book.

It is Applied Cryptography Light.

Not that this is such an easy read, but a much easier, updated and practical read than Applied Cryptography.