Real-World Cryptography teaches you applied cryptographic techniques to understand and apply security at every level of your systems and applications. You’ll go hands-on with cryptography building blocks such as hash functions and key exchanges, then learn how to use them as part of your security protocols and applications.
If you’re browsing the web, using public APIs, making and receiving electronic payments, or experimenting with blockchain, you’re relying on cryptography. And you’re probably trusting a collection of tools, frameworks, and protocols to keep your data, users, and business safe. It’s important to understand these tools so you can make the best decisions about how, where, and why to use them.
Alongside modern methods, the book also explores the future of cryptography, diving into emerging and cutting-edge advances such as cryptocurrencies, password-authenticated key exchange, and post-quantum cryptography.
Real-World Cryptography
contents

preface
A book, years in the making
The real-world cryptographer curriculum
Where most of the bugs are
A need for a new book?

acknowledgments

about this book
Who should read this book
Students
Security practitioners
Developers who use cryptography directly or indirectly
Cryptographers curious about other fields
Engineering and product managers who want to understand more
Curious people who want to know what real-world crypto is about
Assumed knowledge, the long version
How this book is organized: A roadmap
About the code
liveBook discussion forum

about the author
about the cover illustration

Part 1—Primitives: The ingredients of cryptography

1 Introduction
1.1 Cryptography is about securing protocols
1.2 Symmetric cryptography: What is symmetric encryption?
1.3 Kerckhoff’s principle: Only the key is kept secret
1.4 Asymmetric cryptography: Two keys are better than one
1.4.1 Key exchanges or how to get a shared secret
1.4.2 Asymmetric encryption, not like the symmetric one
1.4.3 Digital signatures, just like your pen-and-paper signatures
1.5 Classifying and abstracting cryptography
1.6 Theoretical cryptography vs. real-world cryptography
1.7 From theoretical to practical: Choose your own adventure
1.8 A word of warning
Summary

2 Hash functions
2.1 What is a hash function?
2.2 Security properties of a hash function
2.3 Security considerations for hash functions
2.4 Hash functions in practice
2.4.1 Commitments
2.4.2 Subresource integrity
2.4.3 BitTorrent
2.4.4 Tor
2.5 Standardized hash functions
2.5.1 The SHA-2 hash function
2.5.2 The SHA-3 hash function
2.5.3 SHAKE and cSHAKE: Two extendable output functions (XOF)
2.5.4 Avoid ambiguous hashing with TupleHash
2.6 Hashing passwords
Summary

3 Message authentication codes
3.1 Stateless cookies, a motivating example for MACs
3.2 An example in code
3.3 Security properties of a MAC
3.3.1 Forgery of authentication tag
3.3.2 Lengths of authentication tag
3.3.3 Replay attacks
3.3.4 Verifying authentication tags in constant time
3.4 MAC in the real world
3.4.1 Message authentication
3.4.2 Deriving keys
3.4.3 Integrity of cookies
3.4.4 Hash tables
3.5 Message authentication codes (MACs) in practice
3.5.1 HMAC, a hash-based MAC
3.5.2 KMAC, a MAC based on cSHAKE
3.6 SHA-2 and length-extension attacks
Summary

4 Authenticated encryption
4.1 What’s a cipher?
4.2 The Advanced Encryption Standard (AES) block cipher
4.2.1 How much security does AES provide?
4.2.2 The interface of AES
4.2.3 The internals of AES
4.3 The encrypted penguin and the CBC mode of operation
4.4 A lack of authenticity, hence AES-CBC-HMAC
4.5 All-in-one constructions: Authenticated encryption
4.5.1 What’s authenticated encryption with associated data (AEAD)?
4.5.2 The AES-GCM AEAD
4.5.3 ChaCha20-Poly1305
4.6 Other kinds of symmetric encryption
4.6.1 Key wrapping
4.6.2 Nonce misuse-resistant authenticated encryption
4.6.3 Disk encryption
4.6.4 Database encryption
Summary

5 Key exchanges
5.1 What are key exchanges?
5.2 The Diffie-Hellman (DH) key exchange
5.2.1 Group theory
5.2.2 The discrete logarithm problem: The basis of Diffie-Hellman
5.2.3 The Diffie-Hellman standards
5.3 The Elliptic Curve Diffie-Hellman (ECDH) key exchange
5.3.1 What’s an elliptic curve?
5.3.2 How does the Elliptic Curve Diffie-Hellman (ECDH) key exchange work?
5.3.3 The standards for Elliptic Curve Diffie-Hellman
5.4 Small subgroup attacks and other security considerations
Summary

6 Asymmetric encryption and hybrid encryption
6.1 What is asymmetric encryption?
6.2 Asymmetric encryption in practice and hybrid encryption
6.2.1 Key exchanges and key encapsulation
6.2.2 Hybrid encryption
6.3 Asymmetric encryption with RSA: The bad and the less bad
6.3.1 Textbook RSA
6.3.2 Why not to use RSA PKCS 1 v1.5
6.3.3 Asymmetric encryption with RSA-OAEP
6.4 Hybrid encryption with ECIES
Summary

7 Signatures and zero-knowledge proofs
7.1 What is a signature?
7.1.1 How to sign and verify signatures in practice
7.1.2 A prime use case for signatures: Authenticated key exchanges
7.1.3 A real-world usage: Public key infrastructures
7.2 Zero-knowledge proofs (ZKPs): The origin of signatures
7.2.1 Schnorr identification protocol: An interactive zero-knowledge proof
7.2.2 Signatures as non-interactive zero-knowledge proofs
7.3 The signature algorithms you should use (or not)
7.3.1 RSA PKCS 1 v1.5: A bad standard
7.3.2 RSA-PSS: A better standard
7.3.3 The Elliptic Curve Digital Signature Algorithm (ECDSA)
7.3.4 The Edwards-curve Digital Signature Algorithm (EdDSA)
7.4 Subtle behaviors of signature schemes
7.4.1 Substitution attacks on signatures
7.4.2 Signature malleability
Summary

8 Randomness and secrets
8.1 What’s randomness?
8.2 Slow randomness? Use a pseudorandom number generator (PRNG)
8.3 Obtaining randomness in practice
8.4 Randomness generation and security considerations
8.5 Public randomness
8.6 Key derivation with HKDF
8.7 Managing keys and secrets
8.8 Decentralize trust with threshold cryptography
Summary

Part 2—Protocols: The recipes of cryptography

9 Secure transport
9.1 The SSL and TLS secure transport protocols
9.1.1 From SSL to TLS
9.1.2 Using TLS in practice
9.2 How does the TLS protocol work?
9.2.1 The TLS handshake
9.2.2 How TLS 1.3 encrypts application data
9.3 The state of the encrypted web today
9.4 Other secure transport protocols
9.5 The Noise protocol framework: A modern alternative to TLS
9.5.1 The many handshakes of Noise
9.5.2 A handshake with Noise
Summary

10 End-to-end encryption
10.1 Why end-to-end encryption?
10.2 A root of trust nowhere to be found
10.3 The failure of encrypted email
10.3.1 PGP or GPG? And how does it work?
10.3.2 Scaling trust between users with the web of trust
10.3.3 Key discovery is a real issue
10.3.4 If not PGP, then what?
10.4 Secure messaging: A modern look at end-to-end encryption with Signal
10.4.1 More user-friendly than the WOT: Trust but verify
10.4.2 X3DH: the Signal protocol’s handshake
10.4.3 Double Ratchet: Signal’s post-handshake protocol
10.5 The state of end-to-end encryption
Summary

11 User authentication
11.1 A recap of authentication
11.2 User authentication, or the quest to get rid of passwords
11.2.1 One password to rule them all: Single sign-on (SSO) and password managers
11.2.2 Don’t want to see their passwords? Use an asymmetric password-authenticated key exchange
11.2.3 One-time passwords aren’t really passwords: Going passwordless with symmetric keys
11.2.4 Replacing passwords with asymmetric keys
11.3 User-aided authentication: Pairing devices using some human help
11.3.1 Pre-shared keys
11.3.2 Symmetric password-authenticated key exchanges with CPace
11.3.3 Was my key exchange MITM’d? Just check a short authenticated string (SAS)
Summary

12 Crypto as in cryptocurrency?
12.1 A gentle introduction to Byzantine fault-tolerant (BFT) consensus algorithms
12.1.1 A problem of resilience: Distributed protocols to the rescue
12.1.2 A problem of trust? Decentralization helps
12.1.3 A problem of scale: Permissionless and censorship-resistant networks
12.2 How does Bitcoin work?
12.2.1 How Bitcoin handles user balances and transactions
12.2.2 Mining BTCs in the digital age of gold
12.2.3 Forking hell! Solving conflicts in mining
12.2.4 Reducing a block’s size by using Merkle trees
12.3 A tour of cryptocurrencies
12.3.1 Volatility
12.3.2 Latency
12.3.3 Blockchain size
12.3.4 Confidentiality
12.3.5 Energy efficiency
12.4 DiemBFT: A Byzantine fault-tolerant (BFT) consensus protocol
12.4.1 Safety and liveness: The two properties of a BFT consensus protocol
12.4.2 A round in the DiemBFT protocol
12.4.3 How much dishonesty can the protocol tolerate?
12.4.4 The DiemBFT rules of voting
12.4.5 When are transactions considered finalized?
12.4.6 The intuitions behind the safety of DiemBFT
Summary

13 Hardware cryptography
13.1 Modern cryptography attacker model
13.2 Untrusted environments: Hardware to the rescue
13.2.1 White box cryptography, a bad idea
13.2.2 They’re in your wallet: Smart cards and secure elements
13.2.3 Banks love them: Hardware security modules (HSMs)
13.2.4 Trusted Platform Modules (TPMs): A useful standardization of secure elements
13.2.5 Confidential computing with a trusted execution environment (TEE)
13.3 What solution is good for me?
13.4 Leakage-resilient cryptography or how to mitigate side-channel attacks in software
13.4.1 Constant-time programming
13.4.2 Don’t use the secret! Masking and blinding
13.4.3 What about fault attacks?
Summary

14 Post-quantum cryptography
14.1 What are quantum computers and why are they scaring cryptographers?
14.1.1 Quantum mechanics, the study of the small
14.1.2 From the birth of quantum computers to quantum supremacy
14.1.3 The impact of Grover and Shor’s algorithms on cryptography
14.1.4 Post-quantum cryptography, the defense against quantum computers
14.2 Hash-based signatures: Don’t need anything but a hash function
14.2.1 One-time signatures (OTS) with Lamport signatures
14.2.2 Smaller keys with Winternitz one-time signatures (WOTS)
14.2.3 Many-times signatures with XMSS and SPHINCS+
14.3 Shorter keys and signatures with lattice-based cryptography
14.3.1 What’s a lattice?
14.3.2 Learning with errors (LWE), a basis for cryptography?
14.3.3 Kyber, a lattice-based key exchange
14.3.4 Dilithium, a lattice-based signature scheme
14.4 Do I need to panic?
Summary

15 Is this it? Next-generation cryptography
15.1 The more the merrier: Secure multi-party computation (MPC)
15.1.1 Private set intersection (PSI)
15.1.2 General-purpose MPC
15.1.3 The state of MPC
15.2 Fully homomorphic encryption (FHE) and the promises of an encrypted cloud
15.2.1 An example of homomorphic encryption with RSA encryption
15.2.2 The different types of homomorphic encryption
15.2.3 Bootstrapping, the key to fully homomorphic encryption
15.2.4 An FHE scheme based on the learning with errors problem
15.2.5 Where is it used?
15.3 General-purpose zero-knowledge proofs (ZKPs)
15.3.1 How zk-SNARKs work
15.3.2 Homomorphic commitments to hide parts of the proof
15.3.3 Bilinear pairings to improve our homomorphic commitments
15.3.4 Where does the succinctness come from?
15.3.5 From programs to polynomials
15.3.6 Programs are for computers; we need arithmetic circuits instead
15.3.7 An arithmetic circuit to a rank-1 constraint system (R1CS)
15.3.8 From R1CS to a polynomial
15.3.9 It takes two to evaluate a polynomial hiding in the exponent
Summary

16 When and where cryptography fails
16.1 Finding the right cryptographic primitive or protocol is a boring job
16.2 How do I use a cryptographic primitive or protocol? Polite standards and formal verification
16.3 Where are the good libraries?
16.4 Misusing cryptography: Developers are the enemy
16.5 You’re doing it wrong: Usable security
16.6 Cryptography is not an island
16.7 Your responsibilities as a cryptography practitioner, don’t roll your own crypto
Summary

Appendix—Answers to exercises
Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter

index
Numerics A B C D E F G H I J K L M N O P Q R S T U V W X Z