Real-World Cryptography
David Wong
  • MEAP began June 2019
  • Publication in Spring 2021 (estimated)
  • ISBN 9781617296710
  • 388 pages (estimated)
  • printed in black & white

Contains one of the most understandable introductions to cryptography I have ever read.

Harald Kuhn

If you’re browsing the web, using public APIs, making and receiving electronic payments, registering and logging in users, or experimenting with blockchain, you’re relying on cryptography. And you’re probably trusting a collection of tools, frameworks, and protocols to keep your data, users, and business safe. It’s important to understand these tools so you can make the best decisions about how, where, and why to use them. Real-World Cryptography teaches you applied cryptographic techniques to understand and apply security at every level of your systems and applications.

About the Technology

Cryptography is the foundation of information security. This simultaneously ancient and emerging science is based on encryption and secure communication using algorithms that are hard to crack even for high-powered computer systems. Cryptography protects privacy, secures online activity, and defends confidential information, such as credit cards, from attackers and thieves. Without cryptographic techniques allowing for easy encrypting and decrypting of data, almost all IT infrastructure would be vulnerable.

About the book

Real-World Cryptography helps you understand the cryptographic techniques at work in common tools, frameworks, and protocols so you can make excellent security choices for your systems and applications. There’s no unnecessary theory or jargon—just the most up-to-date techniques you’ll need in your day-to-day work as a developer or systems administrator. Cryptography expert David Wong takes you hands-on with cryptography building blocks such as hash functions and key exchanges, then shows you how to use them as part of your security protocols and applications. Alongside modern methods, the book also anticipates the future of cryptography, diving into emerging and cutting-edge advances such as cryptocurrencies, password-authenticated key exchange, and post-quantum cryptography. Throughout, all techniques are fully illustrated with diagrams and real-world use cases so you can easily see how to put them into practice.

Table of Contents

1 Introduction

1.1 A Peek Into the World of Cryptography

1.1.1 Symmetric Cryptography: Symmetric Encryption

1.1.2 Kerckhoff’s Principle: Only the Key is Kept Secret

1.1.3 Asymmetric Cryptography

1.1.4 A Map of Cryptography

1.1.5 Two Goals: Confidentiality and Authentication

1.2 Real-world Cryptography

1.2.1 Theoretical Cryptography Versus real-world Cryptography

1.2.2 From Theoretical to Practical

1.3 A Word of Warning

1.4 Summary

Part 1: Primitives - the Ingredients of Cryptography

2 Hash functions

2.1 What Is a Hash Function?

2.2 Security Properties of a Hash Function

2.3 Security Considerations for Hash Functions

2.4 Hash Functions in practice

2.5 Standardized Hash Functions

2.5.1 The SHA-2 Hash Function

2.5.2 The SHA-3 Hash Function

2.5.3 SHAKE and cSHAKE, Two eXtendable Output Functions (XOF)

2.5.4 Ambiguous Hashing and TupleHash

2.6 Hashing Passwords

2.7 Summary

3 Message authentication codes

3.1 What is a Message Authentication Code?

3.2 Security Properties of a Message Authentication Code

3.2.1 Forgery of Authentication Tag

3.2.2 Lengths of Authentication Tag

3.2.3 Replay Attacks

3.2.4 Verifying Authentication Tags in Constant-Time

3.3 MAC in the real-world

3.4 Message Authentication Codes in Practice

3.4.1 HMAC, a Hash-Based Message Authentication Code

3.4.2 KMAC, a hash based on cSHAKE

3.5 SHA-2 and Length-Extension Attacks

3.6 Summary

4 Authenticated encryption

4.1 What Is a Cipher?

4.2 Symmetric Encryption in the real-world

4.3 The AES-CBC-HMAC Encryption Algorithm

4.3.1 The Advanced Encryption Standard (AES)

4.3.2 Mode of operation and integrity: How AES-CBC-HMAC works

4.4 Authenticated Encryption with Associated Data (AEAD)

4.4.1 What is an AEAD?

4.4.2 The AES-GCM AEAD

4.4.3 Chacha20-Poly1305

4.5 Key Wrapping and Nonce-Misuse Resistance

4.5.1 Wrapping Keys: How To Encrypt Secrets

4.5.2 AES-GCM-SIV and Nonce-Misuse Resistance Authenticated Encryption

4.6 A Map of Authenticated Encryption

4.7 Other Kinds of Symmetric Encryption

4.8 Summary

5 Key exchanges

5.1 What is a Key Exchange?

5.2 Key Exchange Standards

5.2.1 Diffie-Hellman (DH)

5.2.2 Diffie-Hellman Standards

5.2.3 Elliptic Curve Diffie-Hellman (ECDH)

5.3 Summary

6 Asymmetric encryption and hybrid encryption

6.1 What is Asymmetric Encryption?

6.2 Asymmetric Encryption in Practice and Hybrid Encryption

6.3 Standards for Asymmetric Encryption and Hybrid Encryption

6.3.1 Textbook RSA

6.4 Why Not To Use RSA PKCS#1 v1.5

6.5 Asymmetric Encryption with RSA-OAEP

6.6 Hybrid Encryption with ECIES

6.7 Summary

7 Signatures and zero-knowledge proofs

7.1 What Is a Signature?

7.2 What Are Zero-Knowledge Proofs? And What Does This Have To Do With (Schnorr) Signatures?

7.3 The Signature Algorithms You Should Use (Or Not)

7.3.1 RSA Signatures, What Standard To Use? PKCS#1 v1.5 Or RSA-PSS?

7.3.2 The Elliptic Curve Digital Signature Algorithm (ECDSA)

7.3.3 The Edwards-curve Digital Signature Algorithm (EdDSA)

7.4 Subtle Behaviors in Signatures

7.4.1 How Let’s Encrypt Used Signatures

7.4.2 How Did The Let’s Encrypt Attack Worked

7.4.3 Key Substitution Attacks On RSA

7.4.4 Subtle Behaviors of Signature Schemes

7.5 Summary

8 Randomness and secrets

8.1 What is Randomness?

8.2 What is a Pseudo-Random Number Generator (PRNG)?

8.3 Obtaining Randomness in Practice

8.4 Randomness Generation and Security Considerations

8.5 Public Randomness

8.6 Key Derivation With HKDF

8.7 Managing Keys and Secrets

8.8 Avoiding Key Management, Or How To Split Trust

8.9 Summary

Part 2: Protocols - The recipes of cryptography

9 Secure transport

9.1 What is SSL/TLS?

9.2 How Does TLS Work?

9.2.1 The TLS Handshake

9.2.2 How TLS 1.3 Encrypts Application Data

9.3 The State of the Encrypted Web Today

9.4 Other Secure Transport Protocols

9.4.1 The Noise Protocol Framework: A Modern Alternative To TLS

9.4.2 Wireguard

9.5 Summary

10 End-to-end encryption

10.1 Why end-to-end encryption?

10.2 A root of trust nowhere to be found

10.3 The failure of encrypted email

10.3.1 PGP or GPG? And how does it work?

10.3.2 Scaling trust between users with the web of trust

10.3.3 Key discovery is a real issue

10.3.4 If not PGP, then what?

10.4 Secure messaging, a modern look at end-to-end encryption with Signal

10.4.1 Trust but verify

10.4.2 X3DH, the Signal protocol’s handshake

10.4.3 Double ratchet: Signal’s post-handshake protocol

10.5 The state of end-to-end encryption

10.6 Summary

11 User authentication

11.1 A recap on authentication

11.2 User authentication, or the quest to get rid of passwords

11.2.1 One password to rule them all, single sign-on (SSO) and password managers

11.2.2 Don’t want to see their passwords? Use an asymmetric password-authenticated key exchange

11.2.3 One-time passwords aren’t really passwords, going passwordless with symmetric keys

11.2.3 Replacing Passwords With Asymmetric Keys

11.3 User-aided authentication, pairing devices using some human help

11.3.1 Pre-Shared Keys

11.3.2 Symmetric Password-Authenticated Key Exchanges with CPace

11.3.3 Was my key exchange man-in-the-middled? Just check a short authenticated string (SAS)

11.4 Summary

12 Crypto as in cryptocurrency?

12.1 A gentle introduction to byzantine fault tolerant consensus algorithms

12.1.1 A problem of resilience - distributed protocols to the rescue

12.1.2 A problem of trust - decentralization helps

12.2 How does Bitcoin work?

12.2.1 Accounts and transactions

12.2.2 Mining and Proof of Work and Forks

12.2.3 Forking hell!

12.2.4 Reducing a block’s size by using merkle trees

12.3 A tour of cryptocurrencies

12.4 How does Libra work?

12.4.1 LibraBFT: a byzantine fault tolerant consensus protocol

12.5 Summary

13 Hardware cryptography

13.1 Modern cryptography attacker model

13.2 Untrusted environments: hardware to the rescue

13.2.1 Whitebox cryptography, a bad idea

13.2.2 You probably have one in your wallet: smart cards

13.2.3 Secure elements: a generalization of smart cards

13.2.4 Enforcing user intent with hardware security tokens

13.2.5 Trusted Platform Modules (TPMs): a useful standardization of secure elements

13.2.6 Banks love them: hardware security modules (HSMs)

13.2.7 Modern integrated solutions: Trusted Execution Environment (TEE)

13.3 What solution is good for me?

13.4 Leakage-resilient cryptography - or how to mitigate side-channel attacks in software

13.4.1 Constant-Time Programming

13.4.2 Don’t use the secret! Masking and blinding

13.4.3 What about fault attacks?

13.5 Summary

14 Next Generation and post-quantum cryptography

Part 3: Conclusion

15 Final words: The dangers of implementing and using cryptography

What's inside

  • Best practices for using cryptography
  • Diagrams and explanations of cryptographic algorithms
  • Identifying and fixing cryptography bad practices in applications
  • Picking the right cryptographic tool to solve problems

About the reader

For cryptography beginners with no previous experience in the field.

About the author

David Wong is a senior engineer working on Blockchain at Facebook. He is an active contributor to internet standards like Transport Layer Security and to the applied cryptography research community. David is a recognized authority in the field of applied cryptography; he’s spoken at large security conferences like Black Hat and DEF CON and has delivered cryptography training sessions in the industry.

Manning Early Access Program (MEAP) Read chapters as they are written, get the finished eBook as soon as it’s ready, and receive the pBook long before it's in bookstores.