Practical Cryptography,
Niels Ferguson and Bruce Schneier

Wiley, 2003.
ISBN 0-471-22357-3. 410 pages. Bibliography, index. $50.00.

Reviewed by Robert Bruen, June 7, 2003

Bruce Schneier's Applied Cryptography, which became the standard reference for cryptography, was published in 1996. A lot has happened in the past seven years, such as the AES competition and the selection of the Rijndael algorithm. Interesting new approaches to attacks have also appeared, for example the equation-solving attacks. Although I would like to see a third edition of Applied Cryptography pull together the progress in the field, I will have to settle for Practical Cryptography.

Practical Cryptography works well both as a companion to Applied Cryptography and as a standalone book. It is smaller, but still fairly comprehensive in its coverage, and it provides plenty of detail on how things work and how they are implemented. It also has a good bibliography.

Ferguson and Schneier make a point, in several places in the book, about the problems created by Applied Cryptography and those they expect this book to generate. Cryptography in general is difficult. These two books, and others, make cryptography more accessible to non-professionals, but readers often believe that after reading them they know all there is to know. Armed with that belief, they start designing algorithms and implementing systems, usually with less than desirable outcomes. I will not make too much of WEP, except to note it as an illustration of the problem.

The authors also make the point that although cryptography is clearly part of any solution, it is not the final answer to every security issue. Crypto has been in the public eye for almost a decade thanks to people like Schneier, Phil Zimmermann, Whit Diffie and others. In spite of the publicity and the availability of free tools, most people do not use any crypto for email or files. Some inherent problems still exist, such as key storage on your PC, a weakness that could make all of your other efforts meaningless.

It looks like there is still much work ahead for everyone interested in protecting communications with cryptography. If we are all going to benefit, leaders like the authors need the rest of us to learn as much as possible from their efforts, and Practical Cryptography goes a long way toward that end. In addition to the caveats about how hard it is, the explanations of the various techniques are understandable, and yes, the math is still present. The authors also discuss the problem of writing secure code and running secure systems. There are a few good books available on writing secure code (see Viega & McGraw, Building Secure Software, and Howard & LeBlanc, Writing Secure Code), but it is still a problem.

Even if one were able to follow all the principles of writing secure code, the languages and the operating systems can still work against you. For example, in Java a program cannot reliably wipe a secret when it is done with it: dropping the last reference only makes the object eligible for garbage collection, and the collector reclaims the memory without clearing it. Nor will any application clean up the swap file after it terminates, so important data that was paged out may be left behind on disk. The problem is pervasive in the digital environment, something along the lines of a contaminant getting into the ground water.
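As an added illustration of that last point (this example is added here and is not code from the book or from the review), here is how far a C program can go to contain the damage: it pins the key in RAM with mlock() so the page is never written to swap, asks Linux to keep the page out of core dumps with madvise(MADV_DONTDUMP), and zeroes the key through a volatile pointer so the compiler cannot drop the final clearing loop as a dead store the way it may drop a memset() on a dying buffer. The key bytes, the key_lifecycle() function and the report structure are constructed for the demonstration and are not from any real system.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>

#define KEY_LEN 32

/* Zero n bytes through a volatile pointer. A plain memset() on a buffer
 * that is about to die is a dead store the optimizer is entitled to
 * delete; volatile accesses must actually be performed. (explicit_bzero()
 * or memset_s() do the same job where available; this is portable C.) */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if every byte of buf is zero. Accumulates rather than
 * returning early, so the check does not stop at the first nonzero byte. */
int all_zero(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/* Hypothetical report of what protection the key actually received. */
struct key_report {
    int locked;        /* mlock() succeeded: page cannot be paged to swap */
    int nodump;        /* madvise(MADV_DONTDUMP) succeeded (Linux only)    */
    int wiped;         /* key buffer verified all-zero after secure_wipe() */
    unsigned checksum; /* result of "using" the key; keeps the use alive   */
};

/* Lifetime of one 32-byte key: pin it in RAM, use it, wipe it, unpin it,
 * free it. mlock() can legitimately fail (RLIMIT_MEMLOCK, unprivileged
 * containers), so the outcome is reported; a real application decides
 * whether that is fatal or merely worth a warning. */
struct key_report key_lifecycle(void)
{
    struct key_report r = {0, 0, 0, 0};
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        pg = 4096;

    /* Page-aligned allocation so mlock()/madvise() cover exactly this page. */
    unsigned char *key = NULL;
    if (posix_memalign((void **)&key, (size_t)pg, KEY_LEN) != 0)
        return r;

    r.locked = (mlock(key, KEY_LEN) == 0);
#ifdef MADV_DONTDUMP
    r.nodump = (madvise(key, KEY_LEN, MADV_DONTDUMP) == 0);
#endif

    /* Constructed, non-random key material for the demonstration. */
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(0xA5 ^ i);

    /* "Use" the key: any real cryptographic operation would go here. */
    for (size_t i = 0; i < KEY_LEN; i++)
        r.checksum = r.checksum * 31u + key[i];

    /* Wipe before free(): free() never clears memory, and the freed block
     * stays readable by whatever allocation reuses it next. */
    secure_wipe(key, KEY_LEN);
    r.wiped = all_zero(key, KEY_LEN);

    if (r.locked)
        munlock(key, KEY_LEN);
    free(key);
    return r;
}

int main(void)
{
    struct key_report r = key_lifecycle();
    printf("locked=%d nodump=%d wiped=%d checksum=%u\n",
           r.locked, r.nodump, r.wiped, r.checksum);
    return r.wiped ? 0 : 1;
}
```

Build with an optimizing compiler (cc -O2 -Wall) to see that the volatile wipe survives where a trailing memset() might not. Note what this does not cover: mlock() says nothing about hibernation images or about copies the kernel or a library made elsewhere, and there is no Java equivalent of this control at all; the usual Java mitigation is to keep secrets in a char[] and overwrite it with Arrays.fill() rather than in an immutable String.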

Great book. Buy it, read it, do your part.