Hacker News new | past | comments | ask | show | jobs | submit login
Practical Cryptography (practicalcryptography.com)
93 points by zerognowl on Nov 14, 2016 | hide | past | web | favorite | 20 comments

Skimming through it this seems largely a description of historic and broken cryptography and almost no information about practical modern cryptography.

(also the obligatory note: no HTTPS for a webpage about cryptography?)

Think of it as "cryptography in practice." And in practice, it's often broken, whether from poor implementation or design flaws.

Except that it's not even that. You're right that a lot of crypto is broken, but usually because of implementation bugs, not because people use vigenere ciphers.

> Cryptography refers almost exclusively to encryption

Ooof first line. That's like saying math refers almost exclusively to physics. Grabbing that name from a well respected and popular book as well.

Tsk. Tsk.

There is a section dedicated to hashes, but ooof indeed.

Well, one could argue that cryptographic hashing is like encryption which isn't meant to be reversible.

Copyright James Lyons © 2009-2012 Latest reference is Stinson, Douglas (2005). "Cryptography: Theory and Practice"

intro to classic crypto. Not so practical in 2016?

Wheres the circa 2016 https?

This site contains little practical information about cryptography.

[...]cryptography is the study and practice of obscuring information

What about authentication?

So what type of job can you get if you specialize in cryptography?

This is a surprisingly tricky question.

If you are _really_ good at cryptography engineering --- that is to say, top-of-your-field good simultaneously at systems engineering and cryptography --- then there are fairly lucrative jobs you can get either as a consultant for a firm like Rambus/CRI, or as a crypto engineer at one of the big tech firms.

Unfortunately, if you're not that person, or you can't live in California, the answer is a bit fuzzier.

There are some big obstacles to working in the field:

* The overwhelming majority of crypto is built (poorly, dangerously) by amateurs, and there's no real force in the industry to change that.

* The overwhelming majority of crypto is built as, at best, a feature of a much larger product. Even when crypto is critically important to the value proposition of a product, in terms of lines of code or commits per year, it's usually not that big a factor. This means that even projects that need good crypto tend not to have a headcount allocated just for crypto (it's also a major reason why most crypto is done by amateurs).

* There are good jobs breaking crypto, but not that many of them. Being able to reliably find cross-site scripting is --- at the firm level at least --- more lucrative than being able to reason through a practical exploit for an unknown key share bug. There are crypto pentesters (with extremely high bill rates), but that brings you back to "top-of-field for multiple disciplines".

* You can, of course, make an academic career. You'd go for a PhD in cryptography, and then either stay in school as a professor, or join a research group at one of the big tech firms (this is a different job than crypto engineering at one of the big tech firms; your principle job will probably still be to publish) --- so far as I can tell, those research group positions are exclusively staffed with PhDs.

That's not to say people shouldn't study crypto! They absolutely should: it is mind-expanding in ways orthogonal to the other specialities engineers take on to expand their minds. It will make you a better systems programmer. It might make you better at software security, too (it might not, though). It will, at least, mean that when your project is called on to, I don't know, encrypt a password reset token, you'll be able to do that competently.

This is a great reply, but as I was reading it I was thinking how odd it is that is much more lucrative and simple to learn JavaScript for 12 months or so compared to have a math degree and solid crypto programming skills.

This is what I was thinking too, if a big firm hires a amateur cryptographer to make a new cipher it can be very costly later. So you need to be very good at it to get a job. Secondly the jobs mostly exist on the cutting edge of research and revolve around future cryptography implementations.

Part of engineering the future of computer security. It is now widely recognized that you can't have computer security without crypto. (Can we have computer security with crypto? Different question, not so clear.)

Cryptography is a huge field. Pure mathematics? Cipher implementation? Systems design using crypto? Hardware concerns involved when implementing crypto? Crypto vendor? Crypto consumer? Analyst of crypto systems (compliance, approval, etc)? And yeah, as your snarky interlocutor says, the IT guy that handles the "hard stuff" like certificate renewal[sarc]? The choices are so enormous that even "specializing in crypto" isn't much of a specialization at all!

i'm not employed in the field, so this is mostly uninformed guessimation.

a) there are companies working on products with tight security requirements. if this is a respectable company, you'd probably spend most of your time examining and evaluating existing solutions and maybe review the use of said solutions by your own programmers. (i'd say this is usually more "security" than "cryptography" though)

b) there are companies working on their own cryptography schemes. those are not per-se snake oil, but ... it's complicated. few have the resources and the structure to do this right. skype, for example, rolled their own closed source implementation. back then we've been told: "trade secret, but trust us, we've done it right and we had independent experts review this."

c) security review: be the company/expert that skype hires to evaluate their cryptography while under an NDA (?)

d) pen-testing: maybe? not sure if this is realistic. get paid to check company security (network, servers, general infrastructure) for weaknesses. they might employ cryptographers?

e) research: probably the most likely area. crypto development usually has to happen in the open, otherwise it's not trustworthy.

f) intelligence agencies. NSA and co.

There are people who can answer this question better than me, but here's my take:

1. If you're super amazing and a math wiz, you might get to design some algorithms.

2. Implement algorithms correctly or advise companies about implementations.

3. Teach crypto.

4. Bully companies that implemented something incorrectly (jk).

That IT support guy who babbles about password entropy and security but nobody listens to him. ducksforcoverandruns

What you're describing isn't crypto. You're describing an ineffective IT organization. Either the management hasn't made clear the policies they prefer, or the guy isn't listening and/or doesn't trust them.

Interesting that Sir Francis Bacon counted in binary, which wasn't formally invented until after his death:


edit: Binary "invention" - http://www.computinghistory.org.uk/det/5913/Gottfried-Wilhel...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact