My rating: 5 of 5 stars
This book is somewhat of a sequel to Applied Cryptography. Where that book is a long list of lots of different neat cryptographic algorithms, this is a much more practical book which gives solid advice on what algorithms, etc. to use.
It also hammers again and again that security is only as valuable as its weakest link, and often that won’t be the cryptography. As such, it covers a ton of different ways security can be compromised, including using cryptographic functions in the wrong mode, not verifying every protocol message back and forth, bad pseudorandom number generators, side-channel attacks, attacks on the clock, etc. It was kind of depressing, honestly 🙂 The first sentence of the preface is “In the past decade, cryptography has done more to damage the security of digital systems than it has to enhance it.” Later section titles include “Cryptography Is Very Difficult”, followed by “Cryptography Is the Easy Part”.
It talks about Diffie-Hellman and RSA in some depth (which means a bit of math), and works through designing a secure protocol. But its practical advice is to use ones that exist already, and be very, very careful. As the authors note repeatedly, “there are already enough insecure fast systems; we don’t need another one.”
Anyway, this is an invaluable book if you’re working on security in any shape or form, and I found it quite interesting regardless.
(paper book, available for borrowing)