Practical Cryptography Corrected

May 19, 2011 09:16

The book 'Practical Cryptography' is perfectly good for giving an overview of basic concepts in cryptography, but its immediate practical advice to implementers is not terribly to the point or accurate. Here is much more to the point and accurate advice.

  • For a block cipher you should use AES-128. If you don't understand your protocol well enough ( Read more... )


Comments 25

dossy May 19 2011, 20:39:23 UTC
The coding challenge implicitly asks for a brute-force search based solution?

It also seems to assume that it's a straight line or at least a one-dimensional space - a curve is certainly a line. If it's not a straight line, then there isn't sufficient information to solve the problem in two dimensions.

Overall, this problem sounds an awful lot like a variant of the 8 Queens puzzle.

Reply

bramcohen May 19 2011, 20:49:04 UTC
Yes, the test is to see if you can write the code to brute force it. There's no gimmick.

Reply

jered May 20 2011, 13:50:02 UTC
Right, this is an optimal Golomb ruler; it's NP-complete.

Reply

bramcohen May 20 2011, 16:37:45 UTC
Not exactly optimal Golomb ruler - that would disallow the same distance between any two pairs, where this is just disallowing arithmetic progressions of length 3.

Reply


allonymist May 19 2011, 20:43:12 UTC
For an RSA modulus, you should always use 2.

I don't think you mean modulus here.

Reply

bramcohen May 19 2011, 20:48:27 UTC
Yes, of course I meant exponent. Corrected now, thanks for pointing that out.

Reply


cypherpunk95 May 19 2011, 21:08:08 UTC
You should always do encryption as a layer outside of authentication.

Strongly disagree ( ... )

Reply

bramcohen May 19 2011, 21:25:39 UTC
RSA in particular has vicious attacks when you do authentication checks the wrong way, but that's really an argument in favor of doing authentication properly rather than changing the order, particularly because checking that high order byte is something a naive implementer might do anyway.

That more complicated stuff you mention really shouldn't be done by people who don't already know these issues well, and my advice is for people who don't really know what they're doing but are trying to do something simple (which still might not be a good idea, but they're better off with good advice than without).

Reply


ext_565579 May 19 2011, 21:29:04 UTC
I certainly agree that Practical Cryptography feels outdated, and readers should be warned about the problematic parts. Here are a few thoughts and questions from a theoretical crypto POV:

For an encryption mode, you should always use CTR, and always use a nonce of zero, and never reuse keys.

I'm interested to hear more about why this is true. Certainly there are times when you want to reuse keys and use modes that provide more security than that :-).

You should always do encryption as a layer outside of authentication.

It sounds like you are suggesting the opposite of what you should do, which is encrypt first, and then authenticate the ciphertext. Authenticating the plaintext before encrypting is not safe.

For an RSA exponent, you should always use 2. Technically that's Rabin-Williams, and requires slightly different implementation, but that actually works in its favor. Rabin-Williams has a reduction to factoring, RSA does not.

I think suggesting that practitioners dig into implementations of the number-theoretic algorithms ( ... )

Reply

bramcohen May 19 2011, 23:36:46 UTC
CTR is the simplest, easiest to analyze and least error-prone mode there is, and doesn't require padding and allows for random access. The added security of other modes is mostly fallacious, and ones where it isn't are way too complicated for me to feel comfortable using them ( ... )

Reply
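An added example, not part of the thread or the original post: a minimal CTR construction showing the properties mentioned above (no padding, random access) and why a fixed zero nonce only works if keys are never reused. It assumes an HMAC-SHA256 stand-in for the AES-128 block operation so it runs on the Python standard library alone; all function names, keys and messages are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

def prf_block(key: bytes, nonce: int, counter: int) -> bytes:
    # Assumption: stand-in for AES-128 encryption of the counter block
    # (HMAC-SHA256 truncated to 16 bytes), since the stdlib ships no AES.
    msg = nonce.to_bytes(8, "big") + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]

def keystream(key: bytes, nonce: int, offset: int, length: int) -> bytes:
    # Only the blocks covering [offset, offset + length) are computed,
    # which is what gives CTR its random access.
    first = offset // BLOCK
    last = (offset + length + BLOCK - 1) // BLOCK
    stream = b"".join(prf_block(key, nonce, c) for c in range(first, last))
    skip = offset - first * BLOCK
    return stream[skip:skip + length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_xor(key: bytes, data: bytes, nonce: int = 0, offset: int = 0) -> bytes:
    # Encryption and decryption are the same operation; no padding is added.
    return xor(data, keystream(key, nonce, offset, len(data)))

def demo() -> dict:
    key_a = bytes(range(16))        # constructed sample keys
    key_b = bytes(range(16, 32))
    p1 = b"pay alice 100 dollars"   # constructed messages, 21 bytes each
    p2 = b"pay bobby 999 dollars"
    c1 = ctr_xor(key_a, p1)
    c2_reused = ctr_xor(key_a, p2)  # same key, same zero nonce
    c2_fresh = ctr_xor(key_b, p2)   # fresh key, zero nonce
    return {
        "ciphertext_len": len(c1),
        "tail": ctr_xor(key_a, c1[10:], offset=10),
        # Reuse: the keystream cancels, leaving p1 XOR p2.
        "reuse_leaks_xor": xor(c1, c2_reused) == xor(p1, p2),
        "p2_from_known_p1": xor(xor(c1, c2_reused), p1),
        "fresh_leaks_xor": xor(c1, c2_fresh) == xor(p1, p2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the key reused under the same nonce, the two ciphertexts XOR to the XOR of the plaintexts; with a fresh key per message they do not.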


dossy May 20 2011, 01:32:22 UTC
Interestingly, I just came across this article from 2 years ago --

http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html

Seems somewhat similar at times to what you wrote. Interesting how the recommendations then are still pretty much the same you made above, now.

Reply

