Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Seeking Cryptography Certification
29 points by mfbx9da4 on June 25, 2022 | hide | past | favorite | 24 comments
I would like to do some training in cryptography and information security. The goal is that I would have the credentials, confidence and toolkit to write my own cryptographic protocols.

Are there any industry recognised courses or exams that I can sit?

Beyond doing a masters, as I don’t really have the option to ditch my full time work, as much as I would like to.




For the specific topic of cryptography: every professional cryptographer I know not only started with a master in mathematics, but completed it with a PhD in cryptography afterwards. Trying to do it professionally with neither diplomas feels like a non-starter to me.

Of course, that doesn't mean you can't study the field on your own for the sake of knowledge. And it will certainly make you a better infosec professionnal, whatever subfield you want to specialize in.

Also, keep in mind there are maybe 1000 people working in information security for 1 person working as a professional cryptographer. Cryptography is a bit tricky, but information security is a broad field with many interesting things to do.


From my experience, most academic cryptographers are quite bad at building real-world cryptographic protocols or systems as they often lack the practical knowledge of software engineering / industry standards. Designing cryptographic systems rarely involves coming up with novel cryptographic mechanisms and mostly revolves around carefully implementing and combining established methods. For example, in an audit of an E2EE system I built, the auditor (who had a PhD and PostDoc in cryptography) had never even heard of the term ECIES (elliptic curve integrated encryption scheme) so I had to point him to the IETF doc and explain that it's a standardized system.

The failures you see like the recent vulnerabilities in the MEGA cryptography could have been avoided if MEGA had simply followed established best practices, no cryptographer needed. So I'd argue we need many more people with applied cryptography experience, and a university PhD in cryptography will not necessarily provide such experience.


I was thinking just the same, there is no cryptography certification or exam that would give someone credentials.

If someone wants to be implementing cryptography solutions such exam/course is breaking existing solution with peer reviewed publication and finishing PhD based on that.


Also math is a bit like music or sports. To get to a level where you can be successful in a professional environment you have to start early.

There are certainly exceptions and I don't mean to be discouraging - but I guess most people who studied math would agree that it is a lot of work and takes a lot of time. "There is no royal road to mathematics" as they say.


Sounds a bit discouraging to be honest but fair.


With respect, you really shouldn't be designing your own cryptographic protocols if they are going into a product. Even the best of the best make serious mistakes. A course is not going to give you the confidence that you need. There are so many peer reviewed protocols out there that there's almost no need to make one yourself unless you're in a very specialised or niche scenario. That said, if you just want to learn about them, there are plenty of good, readable books like Real World Cryptography and Applied Cryptography (Schneier).


And "peer reviewed" is a big key here. I don't use RSA because someone certified the protocol's authors, I use it because the details have been so heavily looked into by the whole industry and accepted by virtually everyone.


May I ask why you use RSA and not ECC?

https://latacora.micro.blog/2018/04/03/cryptographic-right-a...


The link did not contain any compelling arguments against RSA. So turning the question around, what's wrong with RSA?


https://blog.trailofbits.com/2019/07/08/fuck-rsa/


One link to an article without comment deserves another:

* https://articles.59.ca/doku.php?id=pgpfan:rsabad


You could easily write a blog post called fuck-ecc and describe the difficulties in implementing ECC correctly. RSA has a good share of band aids but ECC implementations are, in my opinion, just as hard to get right.


Elliptic curves provide more long-term security.


Not if you're thinking about early quantum computers https://security.stackexchange.com/questions/33069/why-is-ec...


https://cryptopals.com/


https://toc.cryptobook.us/

http://swarm.cs.pub.ro/~mbarbulescu/cripto/Understanding%20C...

and "Applied cryptography" by Bruce Schneier.

the credential is "I understand cryptography" which you can print on a piece of paper if you like


> confidence and toolkit to write my own cryptographic protocols

One of the first things I ever learned in Dan Boneh's Crypto MOOC is to not write your own crypto protocols for your product.

Because old solutions exist for a long time, and have been open for a long time, experts and scholars have had much more time to find faults in them. They are also tested in the industry.

No matter how smart you are, you shouldn’t use your own cryptographic solution.

Use open, long-existed, tried and true solutions.


I have followed his course. I’m not talking about writing my own crypto algorithms simply plugging together battle tested crypto algorithms and storing encrypted data securely.


Depending on which country you’re in, it’s possible to do a masters degree part time. I’ve known a few people who have done this. Even with a masters degree you’re probably not going to want to run around solo doing crypto protocol design though. These things are usually better done as part of a team or with years of experience.


Which part time masters degrees? I've looked hard for part time masters but didn't find one which seemed very appealing.


A masters isn't even enough. The industry recognizes PhDs. "Your own cryptographic protocol" would be a doctoral dissertation or postdoctoral work.

You may as well ask about a certification to give you "the confidence to make your own neurosurgery protocols."

At least the damage is much more limited with faulty brain surgery.


Join a study group around the book Real World Cryptography?

https://community.zeroknowledge.fm/t/new-study-group-real-wo...


Writing your own cryptoprotocol has nothing in common with infosec certification...


This is a bit like asking if you can become a neurosurgeon by taking online classes. But if you're aiming to do it for fun, just jump in and study the field (deeply) on your own.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: