topic Re: Cryptography, need to go down the rabbit hole, suggestions ? in Tech Talk

Cryptography, need to go down the rabbit hole, suggestions ?

benjaminb — Sun, 05 Aug 2018 20:56:15 GMT

My dear fellow colleagues,

After having passed CISSP last year I would like to get more knowledge on cryptography. Practical stuff like lifecycle, key management, crypto-period, best type of algo for specific usage, cloud & in-house HSM for keygen and signing etc...

The intro in CISSP was great but I want more hands on, use-case knowledge etc... Any books or online courses that you could recommend me ? Fyi, I'm less interested in the mathematical side of things.

Thank you for your advice

Re: Cryptography, need to go down the rabbit hole, suggestions ?

Caute_cautim — Sun, 05 Aug 2018 22:26:28 GMT

Hi @benjaminb

There is a stack of resources available on this subject: Just doing an Amazon.com look for books on cryptography for instance will turn up:

Serious Cryptography: A Practical Introduction to Modern Encryption - November 2017

https://www.amazon.com/gp/product/1593278268/ref=s9_acsd_zwish_hd_bw_b10V_c_x_2_w/143-9844400-5655918?pf_rd_m=ATVPDKIKX0DER&pf_rd_s=merchandised-search-8&pf_rd_r=GYFVV9MNR3E5YAWDV337&pf_rd_t=101&pf_rd_p=050ec37d-d025-58af-b019-051dfb9ea4bb&pf_rd_i=3875#reader_1593278268

Applied Cryptography: Protocols, Algorithms and Source Code in C - 20th edition

https://www.amazon.com/dp/1119096723/ref=rdr_ext_tmb#reader_1119096723

But if you have access to University or IEEE resources, they have plenty of resources open to you to study with the appropriate level of mathematics.

Regards

Cautim_Cautim

But whilst you at it, I suggest you also look at Quantum Cryptography, which will make most of the traditional algorithms redundant.

Re: Cryptography, need to go down the rabbit hole, suggestions ?

benjaminb — Sun, 05 Aug 2018 23:47:26 GMT

Thanks for your input. Yeah it seems quantum crypto will also be a killer for some cryptocurrency.

https://thenextweb.com/contributors/2018/04/14/quantum-computing-wreak-havoc-cryptocurrency/

PCI DSS standard seems like a very good place to start too. Most HSM's are used in the financial industry anyways.

Re: Cryptography, need to go down the rabbit hole, suggestions ?

Flyslinger2 — Mon, 06 Aug 2018 11:57:20 GMT

If you have a CA you need HSM's to protect your private keys. Cloud HSM's are in their infancy and VERY costly. I am still recommending on-prem HSM's until the market has more competition/saturation/security to be able to recommend cloud solutions for that. One of my close fishing buddies is with a leading HSM vendor and over plastic baits and missed hooksets we discuss this. Amazon uses this vendors gear and I know firsthand how it is designed. Remember that unless the HSM is FULLY in YOUR control you are NOT in control of your private keys.

In my world, as contractor to FEDCIV and DoD, I'm always supporting the internal CA for those tokens issued to admins and internal certs issued to servers (SSL).

Personally, I read vendor literature more then I do anything else. That is where you learn the technology. Key in on MS AD and CA tech. When you have LDAP, CA and auth all tied together you learn a lot!

Re: Cryptography, need to go down the rabbit hole, suggestions ?

janespa — Mon, 06 Aug 2018 13:48:48 GMT

Is a good rabbit hole to go into. I have worked both offensive and defensive security in my 15 yrs. Currently focusing on Cryptographic solutions for a financial services organization. I recommend further reading as suggested, but to also follow what some of the vendors are doing.

https://software.microfocus.com/en-us/products/voltage-data-encryption-security/overview

https://www.pkware.com/

https://www.ibm.com/us-en/marketplace/guardium-file-and-database-encryption

In the grand scheme of things it is all about data protection. Protecting data at rest, data in use, data in transit. Congrats on passing your exam and welcome to the ISC2 family....

Re: Cryptography, need to go down the rabbit hole, suggestions ?

benjaminb — Mon, 06 Aug 2018 13:56:37 GMT

Great advice thank you. We went for an onprem solution too. Have requested all the documentation for the HSM's that my customer has bought so that I can dive into it.

Re: Cryptography, need to go down the rabbit hole, suggestions?

rslade — Mon, 06 Aug 2018 19:09:13 GMT

> benjaminb (Viewer) posted a new topic in Tech Talk on 08-05-2018 04:56 PM in the

> My dear fellow colleagues, After having passed CISSP last year I would like
> to get more knowledge on cryptography.

OK, since you've already passed, I won't recommend "Internet Cryptography" by
Richard E. Smith and "Cryptography Decrypted" by H. X. Mel and Doris Baker.

> Practical stuff like lifecycle, key
> management, crypto-period, best type of algo for specific usage, cloud &
> in-house HSM for keygen and signing etc... The intro in CISSP was great but
> I want more hands on, use-case knowledge etc... Any books or online courses that
> you could recommend me ? Fyi, I'm less interested in the mathematical side of
> things.

Ah, it's always the implementation details. Sadly, those are not one-size-fits-all,
so you won't find them directly in the literature. But:

"Applied Cryptography" by Bruce Schneier is an excellent and thorough text,
intro or reference for professional or serious hobbyist. And *I* say it's readable,
too, as is pretty much anything Schneier writes. (I find the simpler texts do not
have sufficient depth in one area or another.) Yes, it has a lot of math, but it also
has explanations of the math, so, if you don't like math, just read the
explanations. You will find that anyone who is into programming of crypto hates
Schneier, and says that his code is crap, which is true. Depends on if you just want
to steal someone's code, or actually understand crypto.
http://victoria.tc.ca/int-grps/books/techrev/bkapcryp.rvw

"Decrypted Secrets", F. L. Bauer
good general coverage.
http://victoria.tc.ca/int-grps/books/techrev/bkdecsec.rvw

One general cryptography textbook, "The Handbook of Applied Cryptography,"
by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, is available
online, but it is heavily into mathematics, with very little in the way of general
explanations.
http://www.cacr.math.uwaterloo.ca/hac/

"Information Security: Principles and Practice" by Mark Stamp is solid.

"The Codebreakers" by David Kahn, will give you nothing about the technology,
but, being a history, will give you pointers to the implementation dangers you
want.

For more specialized areas:

"Cryptography and Network Security", William Stallings
able reference and tutorial, also:
http://victoria.tc.ca/int-grps/books/techrev/bkcrntsc.rvw

"Network and Internetwork Security", William Stallings
another classic from Stallings, primarily on encryption.
http://victoria.tc.ca/int-grps/books/techrev/bkntinsc.rvw

"SSL and TLS: Theory and Practice", Rolf Oppliger
SSL is a bit specialized, but it is widely used and important. More significantly,
however, Oppliger's work is exemplary in both explaining the technology, and
dealing with the practicalities and implementations. (In fact, I'm not sure whether
this should be here or in telecom.)
http://victoria.tc.ca/int-grps/books/techrev/bksslttp.rvw

"Cryptanalysis", Helen Fouche Gaines
was written in 1939, so it will NOT help you through the exam, but it's an
intriguing look at the various ciphers developed over the years, and the great ways
people have created to break them. Again, implementation details.
http://victoria.tc.ca/int-grps/books/techrev/bkcrptan.rvw

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If men use their liberty in such a way as to surrender their
liberty, are they thereafter any the less slaves? If people by a
plebiscite elect a man despot over them, do they remain free
because the despotism was of their own making? Are the coercive
edicts issued by him to be regarded as legitimate because they
are the ultimate outcome of their own votes?
- Herbert Spencer (1820-1903), The Man versus the State (1884)
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

Re: Cryptography, need to go down the rabbit hole, suggestions ?

rslade — Mon, 06 Aug 2018 19:17:43 GMT

@Caute_cautim wrote:

But whilst you at it, I suggest you also look at Quantum Cryptography, which will make most of the traditional algorithms redundant.

QUANTUM CRYPTOGRAPHY IS NOT CRYPTOGRAPHY, IT'S JUST *^^*%$^&*& KEY EXCHANGE!

As I have tried diligently to point out in numerous articles, postings, and conference presentations ...

(Sorry. I have to go lie down, now ...)

Re: Cryptography, need to go down the rabbit hole, suggestions ?

rslade — Mon, 06 Aug 2018 19:21:53 GMT

And Alice and Bob both agree with me ...

Re: Cryptography, need to go down the rabbit hole, suggestions ?

Caute_cautim — Mon, 06 Aug 2018 19:25:09 GMT

Relax, keep taking the heart pills. I agree by the way.

Re: Cryptography, need to go down the rabbit hole, suggestions?

benjaminb — Thu, 27 Sep 2018 22:29:00 GMT

@rslade , thank you. Am definitely going to go through these book reviews of yours . Bit of a treasure trove !

Re: benjaminb mentioned you in (ISC)Â² Community

rslade — Fri, 28 Sep 2018 17:46:00 GMT

> benjaminb (Newcomer I) mentioned you in a post! Join the conversation below:

> @rslade , thank you. Am definitely going to go through these book reviews of
> yours . Bit of a treasure trove !

Quite welcome ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Every gun that is made, every warship launched, every rocket
fired, signifies in the final sense a theft from those who hunger
and are not fed, those who are cold and are not clothed.
- President Dwight Eisenhower
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

Re: Cryptography, need to go down the rabbit hole, suggestions?

Markonweb — Sun, 30 Sep 2018 06:08:23 GMT

Some great resources listed in this thread. I would add NIST's guidance on:

key management (SP 800-57 parts 1, 2 and 3 as well as SP 800-131A) https://csrc.nist.gov/projects/key-management/key-management-guidelines

and key establishment https://csrc.nist.gov/Projects/Key-Management/Key-Establishment

The Cloud Security Alliance is accepting contributions to their draft Cloud Key Management charter up until the end of next month. https://cloudsecurityalliance.org/group/cloud-key-management/#_overview If you have time, you may want to get involved in that working group. I learned a great deal from my involvement in the NIST Cloud Computing Security working group and the NIST Cloud Forensic Science working group.

Re: Cryptography, need to go down the rabbit hole, suggestions?

Early_Adopter — Sun, 30 Sep 2018 15:35:11 GMT

More stuffs here:

http://download.pgp.com/pdfs/Intro_to_Crypto_040600_F.PDF chapter two is a a bit of a product pitch, but even though it’s long in the tooth it’s a nice primer. Written by some interesting folks it’s a nice read in of itself.

https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip Didn’t see this added by previous posters, and it’s in the rabbit hole, so I’ll put it in. A lot of conference material was put online as well, and is pretty searchable.