Applied Cryptography

When I was growing up, at around age seven, my parents gave me as a present a copy of the “The Golden Encyclopedia”.  It took me a couple years to read the sixteen volumes.  I spent about an hour every night reading the encyclopedia.  For a kid reading from Aardvark to Zurich was quite educational and interesting.

Earlier this year I purchased a copy of “Applied Cryptography” by Bruce Schneier.  The cover claims over 100,000 copies sold.  After reading the book and spending some time experimenting with some of the source code I could relate to my experience as a child reading an encyclopedia, this time about the single topic of cryptography.  The author definitely has a vast experience in the subject and has spent time researching the different topics.  The book includes a vast list of references for those who wish to expand on the different topics.  The book deals with protocols and algorithms.  What a great book on the subject!

I read the second edition of “Applied Cryptography”.  The copyright on the book is from 1996.  It is a shame that the book does not cover current topics like the Advanced Encryption Standard (AES).  Encyclopedias used to add volumes every so often.  Perhaps that would be something the author and publisher (John Wiley & Sons, Inc.) might consider.

Towards the end of the book there is a section that contains source code listings.  That is OK if you are good at copying and not making mistakes.  I am from the “hunt-and-peck” school.  For those like me, Bruce Schneier provides source code on a disc.  If you are interested (like I am), for a nominal fee listed in the book you can request a disc with the source code and additional goodies.  I sent the check to the wrong address.  It was returned by the postal service.  A couple weeks ago I sent it to the proper address, which happens to be in the Twin Cities in Minnesota.  I am currently waiting for the disc.

While waiting for the software I started reading my next book on the list, which also happens to be authored by Bruce Schneier “Secrets and Lies”.  Will provide comments when done with it.

While reading “Applied Cryptography” two items called my attention.  They did not because of their technological interest but because of past experience.  These were a comment on SHA and a comment by Matt Blaze.

The design of the Secure Hash Algorithm (SHA) briefly described in section 18.7 Secure Hash Algorithm (SHA) of the “Applied Cryptography” book mentions that a 64-bit representing the length of the message before padding is used.  This reminded me when I was designing the first Content Addressable Storage (CAS) server.  At that time the MD5 was made public.  Before using it as a handle to an object stored in the CAS, the software architect spoke with Ronald Rivest about the chances of a digest collision from two distinct messages.  Professor Rivest mentioned that it would be possible but highly unlikely to experience a collision.  Based on the candid response from Dr. Rivest John used the MD5 digest, a regular incremental checksum, and the size of the object to verify if objects were different.  Given that at this time I am not that familiar with SHA I will find out the implications of generating the same digest using a different file size.

The comment made by professor Matt Blaze.  Not knowing whom Matt Blaze is (rather new to the field) I looked him up on the Web.  I found the following link http://www.crypto.com/blog/afterword/ which believe it or not had an entry made on 09, April 2010 (about two months ago) commenting on the AFTER WORD in the second edition of “Applied Cryptography”.  What called my attention was his comment (#1) regarding the sorry state of software “Everyone knows that nobody knows how to write software”.   I do have a hard time accepting such comment.  I do believe based on many years of experience in software development that the vast majority of people writing software who not know what they are doing.  The reason is that they do not have the necessary background in  [1] the specific field,  [2] in Computer Science, and  [3] do not have a clue of what software engineering is.  I once met a developer (good looking gal) who a month ago was a receptionist at a software development house in Minneapolis, MN.  She read a book on Visual Basic and when done her salary went from $10 an hour up to $35.  What type of software could such person develop?  Most people believe that because they learn a programming language they can develop software and computer systems.  A programming language is like a natural language.  I might be able to speak four natural languages, but if I have nothing to say in English, what would change if I speak Italian?

All Computer Science curricula should have at least four semesters in software engineering.  My two sons attended a private military school in the Twin Cities.  When they handed a paper on any subject they would get points off for using improper grammar and spelling errors.  After two offenses in a manuscript the paper was returned even if the contents deserved an A+.  The paper had to be corrected and presented to get at best a B+.  If universities would follow this simple procedure with all assignments the quality of software products would probably go up a notch or two.  I fully understand that there is no silver bullet nor like I read earlier today in “Secrets and Lies” also by Bruce Schneier, there is no single The Answer™.

I believe that young and capable Naïve Americans that decide to make a professional career embracing security, storage and software engineering will have a bright future.

The Naïve American

Be Sociable, Share!

Leave a comment

Your comment