
Crypto 101 – Introductory course on cryptography - zerognowl
https://www.crypto101.io/
======
eponeponepon
This is about to eat my weekend, I think! :)

Quite seriously, this is exactly what the tech world needs - personally, I
know that in terms of understanding of crypto I'm streets ahead of the average
Joe, but orders of magnitude behind people who _actually_ know the field. I'm
certain I'm far from alone in that set, but the way the world's going means
that we with the generalised technical know-how have a moral impetus to bring
the rest of the world up to speed with the whys and wherefores.

~~~
milansm
> I'm streets ahead of the average Joe

Has anyone seen "streets ahead" being used by anyone else besides Pierce
Hawthorne and the OP? I mean, is it widely used now? (I'm not a native speaker,
obviously)

~~~
lethargic_meat
I'm using it as much as possible just to push it into language.

------
PeterisP
The old Cryptopals challenges
([http://cryptopals.com/](http://cryptopals.com/)) seem to cover the same
material in a pedagogically very different way - they don't feed you the
information as this book does, but give you a practical task which can be
easily done with e.g. reading the specification of an algorithm from
Wikipedia, but figuring out the implementation of the attack yourself gives a
much better understanding than simply reading about it.

Although this book claims a "Learn by doing" approach, I didn't find any
specific assignments or data samples to facilitate that.

~~~
lvh
Hi! I'm the author. Also a big fan of Cryptopals; I was one of the reviewers
for Set 8, and working with some of the authors. It's interesting to hear that
point of view, because I thought C101 took the same approach as Cryptopals in
the sense that it focused on teaching crypto by breaking it. When I say "learn
by doing", I'm referring to stuff like walking through a bit-flipping attack
just like cryptopals does. I recommend (and have organized/will be organizing)
study groups where we work through cryptopals using Crypto 101; and I think
that's a great idea. I was originally going to add exercises for C101, but
honestly, Cryptopals was already that, and there wasn't much point in
reinventing the wheel. I guess I should probably link to them?

~~~
boterock
I think it would be good to link them, I started reading, got to page 30 and
thought it would be nice to try the challenge. This reminds me when I thought
I could handle myself in Linux, but when I played OverTheWire wargames, I
still learned a ton of things that you only learn by doing.

------
stcredzero
When I was taking Aikido, there was a day when the sensei was going through
all of our techniques and showed how the _uke_ (initiator of the attack,
receiver of the technique) could turn things around on the _tori_ (receiver
of the attack, initiator of the technique). It seemed like there were a half
dozen ways each that a technique could go seriously wrong, and that many of
them didn't require much skill, only determination and the opportunity
provided by a mistake. That day made me question the validity of the entire
notion of self defense.

I wonder if there shouldn't be a software engineering class where people try
to set up a secure web app, with their own homegrown algorithms and protocols,
which is then attacked by a tiger team which includes a conspirator on the
inside? Perhaps there are such classes now.

~~~
gmluke
This is slightly tangential since you specified a conspirator on the inside,
but how easy is it to break a homegrown encryption algorithm if you don't have
the source code? I assume there are tools (what are they?) that will break a
simple caesar cipher if you have more than a sentence or so of plain text to
work with. But if you strung together 2-3 broken algorithms and your attacker
doesn't know which ones, is it still trivial to decrypt?

~~~
wolf550e
People who can break it won't spend the time breaking your homegrown crypto,
so you won't get proof it's broken. But it's still broken. If lots of money or
lives of political dissidents are at stake, it will be broken.

To have really capable people work on breaking your crypto for free, you have
to be an insider. You become an insider by breaking other people's crypto. You
can publish a break in an insider's crypto even if you are unknown. After you
publish a few such papers, you become an insider and can publish your own
crypto other people will spend their time trying to break.

People can learn the state of the art and develop an alternative to the common
(NIST) choices which are no worse, but also no better. Some of those are
blessed as "national pride ciphers" (GOST, Camellia, SEED, etc.).

~~~
stcredzero
Ciphers aren't the place where security most often fails. The failures have to
do with implementation. More commonly, they have to do with implementation of
protocols and systems using the protocols.

~~~
wolf550e
I agree, but I replied to someone who talked about ciphers.

~~~
stcredzero
Of course. I was also (mainly) posting for the benefit of 3rd parties.

------
TrinaryWorksToo
With everything in Crypto I have to wonder: Is the information correct? I
really have no way of verifying if I'm learning the correct DHE, and I know
that it's easy to get wrong. Perhaps I can do some testing in code, but I may
test it incorrectly too, and those small errors can be exploited.

~~~
lvh
Hi! I'm the author of Crypto 101.

Firstly, I'm a real, honest-to-God cryptographer. I don't know if there are
any particular people you had in mind whose recommendations you'd like to see,
but there are a few HN bigwigs who'd probably be willing to generally endorse
it :-) Also, it's been posted on HN a few times before, so it's had some
scrutiny. That doesn't mean I don't make mistakes, but generally speaking, an
active reader should be OK.

The other thing is in the way the book is structured. I teach you to break
crypto; so when I say something is broken, I prove it by showing you how to
break it.

Finally, the goal of this book is absolutely not to help you implement DHE. In
an ideal world, the primitives we offer people are hard to misuse. Crypto 101
then only exists to satisfy programmer curiosity. It is not a replacement for
a traditional academic education that will help you design new primitives; it
also doesn't show you how to write secure implementations. However, Crypto 101
is still useful beyond merely satisfying curiosity now, because most
cryptographic libraries _do not_ provide that easy-to-use API. Using regular
hashes for password storage, various forms of broken AES-CBC (unauthenticated,
key=IV, static IV...), et cetera are very real problems for real code, and
Crypto 101 teaches you how to avoid that minefield.

I'm also working on the "better, more accessible" crypto part, but I only have
so much free time :)
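The "static IV" and "unauthenticated" AES-CBC failure modes lvh lists, placed next to an authenticated-encryption version, as an added Go example that is not from Crypto 101 or its author; the key, the all-zero IV and the two request strings are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var demoKey = []byte("0123456789abcdef")   // constructed demo key; real keys come from a KDF or CSPRNG
var staticIV = make([]byte, aes.BlockSize) // all-zero IV reused for every message: the "static IV" anti-pattern

// cbcEncryptStaticIV is the broken pattern: CBC with a reused IV and no MAC.
// pt must be whole blocks; padding is left out to keep the focus on the IV.
func cbcEncryptStaticIV(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// gcmSeal is the fixed pattern: authenticated AES-GCM with a fresh random
// nonce per message, prepended to the ciphertext so the receiver can find it.
func gcmSeal(key, pt []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// gcmOpen verifies the tag before releasing plaintext: any modification yields an error.
func gcmOpen(key, msg []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// tamperDetected flips one ciphertext bit and reports whether Open rejects it.
func tamperDetected(key, msg []byte) bool {
	bad := append([]byte(nil), msg...)
	bad[len(bad)-1] ^= 0x01
	_, err := gcmOpen(key, bad)
	return err != nil
}
```

With the reused IV, two requests that share a first block produce an identical first ciphertext block, which an observer can see without the key; the GCM version gives distinct ciphertexts for equal plaintexts and refuses to return anything for a modified message.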

~~~
gist
My trust chain: I don't know crypto and didn't know who you were (so I might
have asked the same question) but a few days ago I found out you are involved
with tptacek with latacora.com so that was all I needed to know and trust what
you said.

~~~
tptacek
That's a little scary but I appreciate the compliment.

~~~
gist
It's sort of the HN version of 'yeah, he's a goodfella'.

Separately with latacora I suggest that you wrap in some ongoing residual that
carries on far past the 'eventually you staff your own security team' phase
(as added insurance for 'leadership').

~~~
tptacek
Thanks! We're not looking to make money from clients in perpetuity. One of the
things we like about the model is that we plan our own obsolescence and then
get out of the way. It lines up our incentives.

------
kanzure
Also here is a Dan Boneh cryptography playlist
[https://www.youtube.com/playlist?list=PL9oqNDMzcMClAPkwrn5dm...](https://www.youtube.com/playlist?list=PL9oqNDMzcMClAPkwrn5dm7IndYjjWiSYJ)

~~~
nemild
And as context, Professor Dan Boneh teaches the main introductory crypto class
at Stanford (CS255) - it's a great intro for someone with some good CS
fundamentals. The course syllabus is here:

[http://crypto.stanford.edu/~dabo/cs255/syllabus.html](http://crypto.stanford.edu/~dabo/cs255/syllabus.html)

(Disclosure, I took the class a few years ago)

~~~
okbake
This is a great course. I also took it a few years ago and have been waiting
for his Crypto 2 course since then. It seems like it's always "Coming Soon
Fall 201x" though.

------
steamer25
Applied Cryptography is also one of the free advanced courses on Udacity:

[https://www.udacity.com/course/applied-cryptography--cs387](https://www.udacity.com/course/applied-cryptography--cs387)

------
theschwa
There seem to be a lot of comments asking about the quality of this piece. I
read through this the last time it was posted to HN, and I just have to say
that this is the _perfect_ balance of having enough detail to understand how
things work, but not so much that it's overwhelming. That's a really difficult
balance when it comes to crypto, so major props to the author. Fantastic work.

------
lhnz
Whenever I have taken the small amount of cryptography knowledge I already
have and tried to use it in a project, I've often been shut down with "the
system already does that" when it doesn't, or "this will be too complicated
for the user, instead let's just roll our own [ad-hoc cryptography method]".

For those reading:

How do you convince people that it's worth using best practices?

Is there a good heuristic to measure the value of something, when deciding how
much time and money to spend on securing it?

What are good library/SaaS solutions to help build secure applications with
less chance of shooting yourself in the foot, better UX and lower cost?
(Keybase, etc.)

~~~
tptacek
For normal application work, you should use NaCl (or its repackaged version,
libsodium) to the exclusion of all else.

~~~
dhimes
Why the hell is this being downvoted?

------
sambe
The video claims that the Python standard library doesn't check certificates
by default. In fact, it has done for at least a couple of years ([0] quotes
the documentation as saying that it changed two years ago - in 2.7.9 and
3.4.3).

Although the video is marked 2015, the overlay at the start shows it's from
PyCon 2013.

[0]:
[http://stackoverflow.com/a/28325763/2492](http://stackoverflow.com/a/28325763/2492)

------
Raed667
I'm really disappointed that (9.4) Elliptic curve cryptography is still under
TODO.

If anyone is interested in ECC, ars has a pretty good introduction [0].

[0]: [http://arstechnica.com/security/2013/10/a-relatively-easy-to...](http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/)

~~~
tptacek
You can also mail Sean Devlin to get Set 8 of the Crypto Challenges, which
cover ECC. Finding the right place to mail I'll leave as an exercise for the
reader.

------
gespadas
Suggestion: Add some notification medium for when the book is ready.

~~~
midgetjones
Agreed. The one time I actually want to sign up to a mailing list, and there's
no way of doing it.

~~~
lvh
Hi! I'm the author.

I should really remove that pre-release stuff. There's no useful point for
"done", and it already includes most of the stuff I wanted to talk about.

~~~
midgetjones
Oh, well in that case I'll get reading! Thanks so much :)

------
LaurensBER
I checked the PDF and this looks very interesting and comprehensive. Any
chance you could give an ETA for the final release and, more specifically, the
EPUB release?

Thanks!

~~~
lvh
Hi! I'm the author. I should remove that "pre-release" notice. Sure; there's
plenty more that I could talk about, but there's also plenty of stuff there
that you can use right now (and most of the stuff I wanted to talk about).
Suggestions come in faster than I have time to implement them, so... Maybe
this will never be done, and maybe that doesn't stop it from being a useful
resource :-) I hope you enjoy it!

------
CameronBanga
Quick question, I had apparently Pinboarded this in March 2014. I see the PDF
is still pre-release. Has anything changed with this, or is it kinda just
coming up again because of the recent political climate?

I'm fine either way, just curious if this has changed drastically from what I
had looked at previously.

~~~
ronjouch
Paragraph "Development" (page 14 in the current version) answers your
question:

_"The entire Crypto 101 project is publicly developed on GitHub under the
crypto101 organization, including this book:
[https://github.com/crypto101/book](https://github.com/crypto101/book)"_

_[...]_

_"The copy of this book that you are reading right now is based on the git
commit with hash 3f89ec3, also known as 0.4.0-22-g3f89ec3"_

Then, looking at the commits, yes the book changed a lot since 2014:
[https://github.com/crypto101/book/commits/master](https://github.com/crypto101/book/commits/master)

------
zappo2938
For idiots like myself, I found this video, Public key cryptography - Diffie-
Hellman Key Exchange (full version), to be completely enlightening using mixed
colors to explain the most basic features of a cryptography algorithm.[0]

[0] [https://www.youtube.com/watch?v=YEBfamv-_do](https://www.youtube.com/watch?v=YEBfamv-_do)

------
bogomipz
For anyone interested, I found this to be a good book on working through some
crypto implementations in Go:

[https://leanpub.com/gocrypto](https://leanpub.com/gocrypto)

It's free to read online but it's also very reasonably priced. It's written by an
engineer over at Cloudflare.

------
bogomipz
This is great! Kudos to the author and thanks Rackspace for sponsoring this as
well.

It's really encouraging to see this increased democratization of crypto not
necessarily in the engineering of it per se but rather the awareness and
understanding of it.

------
chetanahuja
I put this pdf on my phone and read through interesting sections over a
vacation involving long flights. It's a very nicely written text that you can
read over a few days with some basic computer-science/mathematical background.

------
southphillyman
Thanks for this my guy! Maybe I'm telling on myself here, but I get the
impression that your average developer doesn't know much about security
outside of the basic (sql injection/cross site scripting)

------
qwertyuiop924
Can any crypto people here on HN verify that this gets it right?

~~~
tptacek
I'm biased, since LVH is a partner at our new firm, but I've always liked his
crypto writing. He's also a trained cryptographer.

~~~
bogomipz
Can you elaborate on his being a "trained cryptographer"? I'm not sure what
that means.

~~~
tptacek
He has a postgraduate degree in it.

------
mrcactu5
Cryptography textbooks get very difficult. I get lost in a sea of hashes and
the prime number theorem.

------
cponeill
I downloaded this about a year ago and loved it. Incredibly informative. Is
this an updated version?

~~~
Natanael_L
It gets continuously updated, so yes.

~~~
cponeill
Nice. Will have to get it again. Thank you.

------
truth_sentinell
Why is the URL a hash? Also I'm getting a privacy error on Chrome mobile.

Thanks for this, seems pretty useful.

~~~
lvh
Hi! I'm the author. It's hosted on a CDN; I don't choose that URL. Sorry about
the privacy error; could you take a screenshot and submit a ticket on
[https://www.github.com/Crypto101/book](https://www.github.com/Crypto101/book)?
Thanks!

------
paulddraper
Looks interesting, but I can't open it with Adobe Reader on my Android.

------
Dowwie
good work, lvh

------
zimmerfrei
Maybe I am being too harsh, but it is clear the author does not have a formal
education in the subject [0] nor any track in breaking non-toy crypto
implementations [1]. This alone makes me a bit wary of any recommendation one
may read in the material.

There seems to be more attention to listing all the beasts in the
cryptographic zoo than to the few fundamental tools required to really
understand the mechanics (e.g. birthday paradox, PRFs, some prime number
theory).

Sure, I can't spot anything fundamentally wrong and it all reads pretty
smoothly, but calling this a "course" is highly misleading. If the intention
is to guide people in selecting good crypto primitives, then maybe "guide" is
a more honest word?

For those interested, I would strongly recommend to bite the bullet and
dedicate time to Boneh's course on Coursera.

[0] I don't have any either

[1] Ditto

~~~
lvh
Hi! I'm the author. You're mistaken about [0] and [1]. I'd like to address
your specific point about being a guide rather than a course. I agree that a
crypto zoo would be a guide and not a course; although I disagree that either
the book or the talk are a zoo. It's possible that that hasn't come through
effectively enough. I could understand why someone might think that from
looking at the table of contents for example; it's certainly a lot clearer in
the talk. The approach is instead to walk someone through the kinds of
primitives that exist, but more importantly, why they exist. In that context,
when I say "primitive", I mean "block cipher" or "MAC"; not something like
"AES". That includes incidentally talking about PRFs, although I dance around
that term and use terminology they're going to find in their crypto libraries.
Similarly, there's an appendix on modular arithmetic; but I try not to get too
lost in proofs about group theory.

I could say "IND-CCA2" with a formal description, but in my experience that
makes people's eyes glaze over. It's a lot easier to show them a bunch of
reasonably-looking-yet-fatally-broken unauthenticated encryption to drive the
point home. My target audience is curious programmers, not new academic
cryptographers. If that's your criticism, that's absolutely valid. If you want
to be the person to design SHA-4; this book isn't for you.

It's true that I take a different approach than Dan Boneh does. That's not a
criticism: Boneh's course is great, it's just different. I think showing
people how to break stuff is a useful educational tool. If your threat model
is random web apps that have the letters "AES" or "MD5" in their code, I think
it's a more effective one than a rigorous mathematical approach that will
quickly dissuade the curious programmer.

~~~
bogomipz
Congrats on your book, I'm looking forward to reading it. What was Rackspace's
role or interest in the project?

~~~
ayrx
lvh was until very recently an employee at Rackspace and Rackspace provides
the hosting for the project.

------
seycombi
This is currently on edX. It's more advanced than the courses mentioned here. I
do not know what edX will do after the course ends, but if you want it you can
get it while it is still available.

[https://www.edx.org/course/quantum-cryptography-caltechx-del...](https://www.edx.org/course/quantum-cryptography-caltechx-delftx-qucryptox)

Quantum Cryptography by Thomas Vidick (Caltech) and Stephanie Wehner (Delft
University)

~~~
hannob
So-called Quantum Cryptography is largely snake oil. The most important things
you need to know about it is that:

* In order to do QC you need an authenticated channel first. QC proponents hardly mention that or try to obscure it, but it basically means you can't have QC unless you already have some other secure cryptography.

* QC has severe practical limits. It needs a point-to-point connection capable of sending physical particles. That means: no Wi-Fi, no mobile Internet and no connections over large distances. That these people recently started talking about a "Quantum Internet" makes this simply ridiculous.

~~~
jpt4
Of the first point I shall plead Wittgenstein and not speak, but as regards
the second: In what way are photons, the medium of wireless telecommunication,
not physical particles? In what way are indirect connections not decomposable
into multiple direct connections (broadcast vs. point-to-point is a more
robust difference, I agree)?

~~~
marcosdumay
For QC to work, the receiver must receive the exact same photons the
transmitter created. Those photons cannot be tampered with, which means they
cannot be relayed, or reflected by most surfaces.

