Joe Armstrong: Crypto Tutorial [pdf] - signa11
https://github.com/joearms/crypto_tutorial/blob/master/crypto_tutorial.pdf
======
mehrdada
Please, please, please, do not implement any crypto after reading this. The
simplistic explanation of symmetric encryption (talking about using "salts" to
get distinct ciphertext each time to "make attacker's life more difficult") is
superficial and you should not feel comfortable implementing crypto after
studying this tutorial. Go study something properly written by a real
cryptographer.

For the record, the AES algorithm itself does not encrypt arbitrarily sized
data: it works on 128-bit blocks only. To make it work on arbitrary data,
there's a ton of techniques that work together to make it happen that need far
more care than just "adding salt". Also, read about authenticated encryption
and why it is necessary.

I've heard Dan Boneh's Coursera course is a good intro to basic crypto.

Once again, please stay away from this guide.

~~~
sjtgraham
Do you realise the author is also the creator of the Erlang programming
language and not some random noob from the internet?

~~~
jsnell
That's no excuse, it's still bad crypto. If anything it's worse, because as
we've just seen from your reply, some people think that experience in language
design somehow translates to knowledge of cryptography.

~~~
sjtgraham
Please don't put words into my mouth.

The original top-level comment was poor and my comment was responding to it,
e.g. Armstrong says "AES assumes the data to be encrypted is a multiple of 16
bytes long", which is correct, so I don't know why the OP felt the need to say
"for the record, the AES algorithm itself does not encrypt arbitrarily sized
data" as Armstrong did not claim as such.

~~~
jsnell
The original comment is correct here. AES by itself is indeed just going to
encrypt a single block of 128/192/256 bits. To encrypt a plaintext longer than
that, you need to apply the cipher repeatedly on subsequent blocks. The exact
mode in which that's done is important.

For example in this case the code uses the CBC mode (a fact not mentioned
anywhere in the document). CBC has the funny property that flipping bit X in
cipherblock N will flip bit X in plaintext block N+1 (while completely
scrambling plaintext block N). This is a very exploitable property. Which is
why the standard advice would be that you always need to authenticate, not
just encrypt. (E.g. encrypt-then-mac).

But of course this document doesn't give even this most basic of crypto
recommendations. Which endangers anyone who reads it and thinks they learned
something.
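The CBC property jsnell describes, and the encrypt-then-MAC check that catches the tampering, as an added Go example that is not part of this thread or of Armstrong's tutorial (which is written in Erlang). The keys, IV and message are constructed placeholders, and padding is left out so a two-block message stays visible.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed fixed keys and IV so the demo is reproducible; real code uses a
// fresh random IV per message and never hard-codes keys.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	macKey = []byte("an-independent-32-byte-mac-key!!") // distinct from encKey
	demoIV = []byte("demo-iv-16-bytes")                 // exactly one AES block
	blk, _ = aes.NewCipher(encKey)                      // err is nil for a 32-byte key
)

// cbcEncrypt returns iv||ct; pt must be whole 16-byte blocks (unpadded here so the malleability stays visible).
func cbcEncrypt(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, demoIV).CryptBlocks(ct, pt)
	return append(append([]byte{}, demoIV...), ct...)
}

// cbcDecrypt is the unauthenticated inverse: tampered input decrypts silently.
func cbcDecrypt(msg []byte) []byte {
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return pt
}

// tag is HMAC-SHA256 over iv||ct under the MAC key (not the encryption key).
func tag(msg []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	return m.Sum(nil)
}

// seal is encrypt-then-MAC: the tag covers everything the receiver decrypts.
func seal(pt []byte) []byte {
	msg := cbcEncrypt(pt)
	return append(msg, tag(msg)...)
}

// open verifies the tag in constant time before decrypting; false means reject.
func open(sealed []byte) ([]byte, bool) {
	n := len(sealed) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(tag(sealed[:n]), sealed[n:]) {
		return nil, false
	}
	return cbcDecrypt(sealed[:n]), true
}
```

Flipping one bit in ciphertext block 0 flips the same bit in plaintext block 1 and garbles block 0 under cbcDecrypt, while open rejects the identical modification before any plaintext is produced.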

~~~
mehrdada
nit: all AES variants are 128-bit block ciphers, i.e. they transform 128-bit
data blocks. AES-192 and AES-256 take 192-bit and 256-bit keys but still
operate on 128-bit blocks. (Rijndael itself supports varying block sizes, but
the AES standard has only adopted the 128-bit version.)

~~~
jsnell
You're of course correct, thanks. This is exactly why no one but an expert
should say anything at all about crypto. It'll always be wrong somehow :-P

------
polack
What Joe Armstrong wrote on the Erlang mailing list when announcing the
document:

I have written a crypto tutorial which shows how various cryptographic
algorithms can be written in Erlang.

[https://github.com/joearms/crypto_tutorial/blob/master/crypt...](https://github.com/joearms/crypto_tutorial/blob/master/crypto_tutorial.pdf)

I'm going to present this next week in Dublin.

It's a bit rough round the edges, but it's at the stage where I'd appreciate
feedback.

My intention is not to present 'the best' techniques nor the fastest
algorithms but to encourage understanding.

Cheers /Joe

------
gkop
The link to the PDF in GitHub's web interface crashed my tab in iPad Safari;
this raw link works though:
[https://raw.githubusercontent.com/joearms/crypto_tutorial/ma...](https://raw.githubusercontent.com/joearms/crypto_tutorial/master/crypto_tutorial.pdf).