cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
benjaminb
Newcomer I

Cryptography, need to go down the rabbit hole, suggestions ?

My dear fellow colleagues,

 

After having passed CISSP last year I would like to get more knowledge on cryptography. Practical stuff like lifecycle, key management, crypto-period, best type of algo for specific usage, cloud & in-house HSM for keygen and signing etc...

 

The intro in CISSP was great but I want more hands on, use-case knowledge etc... Any books or online courses that you could recommend me ? Fyi, I'm less interested in the mathematical side of things. 

Thank you for your advice

13 Replies
Caute_cautim
Community Champion

Hi @benjaminb

 

There is a stack of resources available on this subject:  Just doing an Amazon.com look for books on cryptography for instance will turn up: 

 

Serious Cryptography:  A Practical Introduction to Modern Encryption - November 2017

 

https://www.amazon.com/gp/product/1593278268/ref=s9_acsd_zwish_hd_bw_b10V_c_x_2_w/143-9844400-565591...

 

Applied Cryptography:  Protocols, Algorithms and Source Code in C - 20th edition

 

https://www.amazon.com/dp/1119096723/ref=rdr_ext_tmb#reader_1119096723

 

But if you have access to University or IEEE resources, they have plenty of resources open to you to study with the appropriate level of mathematics.

 

Regards

 

Cautim_Cautim

 

But whilst you at it, I suggest you also look at Quantum Cryptography, which will make most of the traditional algorithms redundant. 

 

 

benjaminb
Newcomer I

 

Thanks for your input. Yeah it seems quantum crypto will also be a killer for some cryptocurrency.

 

https://thenextweb.com/contributors/2018/04/14/quantum-computing-wreak-havoc-cryptocurrency/

 

PCI DSS standard seems like a very good place to start too. Most HSM's are used in the financial industry anyways.

Flyslinger2
Community Champion

If you have a CA you need HSM's to protect your private keys.  Cloud HSM's are in their infancy and VERY costly. I am still recommending on-prem HSM's until the market has more competition/saturation/security to be able to recommend cloud solutions for that.  One of my close fishing buddies is with a leading HSM vendor and over plastic baits and missed hooksets we discuss this.  Amazon uses this vendors gear and I know firsthand how it is designed.  Remember that unless the HSM is FULLY in YOUR control you are NOT in control of your private keys.  

 

In my world, as contractor to FEDCIV and DoD, I'm always supporting the internal CA for those tokens issued to admins and internal certs issued to servers (SSL).  

 

Personally, I read vendor literature more then I do anything else.  That is where you learn the technology.  Key in on MS AD and CA tech. When you have LDAP, CA and auth all tied together you learn a lot!

janespa
Viewer II

Is a good rabbit hole to go into. I have worked both offensive and defensive security in my 15 yrs. Currently focusing on Cryptographic solutions for a financial services organization. I recommend further reading as suggested, but to also follow what some of the vendors are doing. 

 

https://software.microfocus.com/en-us/products/voltage-data-encryption-security/overview

https://www.pkware.com/

https://www.ibm.com/us-en/marketplace/guardium-file-and-database-encryption

 

In the grand scheme of things it is all about data protection. Protecting data at rest, data in use, data in transit. Congrats on passing your exam and welcome to the ISC2 family....

benjaminb
Newcomer I

Great advice thank you. We went for an onprem solution too. Have requested all the documentation for the HSM's that my customer has bought so that I can dive into it.
rslade
Influencer II

> benjaminb (Viewer) posted a new topic in Tech Talk on 08-05-2018 04:56 PM in the

> My dear fellow colleagues,   After having passed CISSP last year I would like
> to get more knowledge on cryptography.

OK, since you've already passed, I won't recommend "Internet Cryptography" by
Richard E. Smith and "Cryptography Decrypted" by H. X. Mel and Doris Baker.

> Practical stuff like lifecycle, key
> management, crypto-period, best type of algo for specific usage, cloud &
> in-house HSM for keygen and signing etc...   The intro in CISSP was great but
> I want more hands on, use-case knowledge etc... Any books or online courses that
> you could recommend me ? Fyi, I'm less interested in the mathematical side of
> things.

Ah, it's always the implementation details. Sadly, those are not one-size-fits-all,
so you won't find them directly in the literature. But:

"Applied Cryptography" by Bruce Schneier is an excellent and thorough text,
intro or reference for professional or serious hobbyist. And *I* say it's readable,
too, as is pretty much anything Schneier writes. (I find the simpler texts do not
have sufficient depth in one area or another.) Yes, it has a lot of math, but it also
has explanations of the math, so, if you don't like math, just read the
explanations. You will find that anyone who is into programming of crypto hates
Schneier, and says that his code is crap, which is true. Depends on if you just want
to steal someone's code, or actually understand crypto.
http://victoria.tc.ca/int-grps/books/techrev/bkapcryp.rvw

"Decrypted Secrets", F. L. Bauer
good general coverage.
http://victoria.tc.ca/int-grps/books/techrev/bkdecsec.rvw

One general cryptography textbook, "The Handbook of Applied Cryptography,"
by Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, is available
online, but it is heavily into mathematics, with very little in the way of general
explanations.
http://www.cacr.math.uwaterloo.ca/hac/

"Information Security: Principles and Practice" by Mark Stamp is solid.

"The Codebreakers" by David Kahn, will give you nothing about the technology,
but, being a history, will give you pointers to the implementation dangers you
want.

For more specialized areas:

"Cryptography and Network Security", William Stallings
able reference and tutorial, also:
http://victoria.tc.ca/int-grps/books/techrev/bkcrntsc.rvw

"Network and Internetwork Security", William Stallings
another classic from Stallings, primarily on encryption.
http://victoria.tc.ca/int-grps/books/techrev/bkntinsc.rvw

"SSL and TLS: Theory and Practice", Rolf Oppliger
SSL is a bit specialized, but it is widely used and important. More significantly,
however, Oppliger's work is exemplary in both explaining the technology, and
dealing with the practicalities and implementations. (In fact, I'm not sure whether
this should be here or in telecom.)
http://victoria.tc.ca/int-grps/books/techrev/bksslttp.rvw

"Cryptanalysis", Helen Fouche Gaines
was written in 1939, so it will NOT help you through the exam, but it's an
intriguing look at the various ciphers developed over the years, and the great ways
people have created to break them. Again, implementation details.
http://victoria.tc.ca/int-grps/books/techrev/bkcrptan.rvw

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If men use their liberty in such a way as to surrender their
liberty, are they thereafter any the less slaves? If people by a
plebiscite elect a man despot over them, do they remain free
because the despotism was of their own making? Are the coercive
edicts issued by him to be regarded as legitimate because they
are the ultimate outcome of their own votes?
- Herbert Spencer (1820-1903), The Man versus the State (1884)
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II


@Caute_cautim wrote:

But whilst you at it, I suggest you also look at Quantum Cryptography, which will make most of the traditional algorithms redundant.


QUANTUM CRYPTOGRAPHY IS NOT CRYPTOGRAPHY, IT'S JUST *^^*%$^&*& KEY EXCHANGE!

 

As I have tried diligently to point out in numerous articles, postings, and conference presentations ...

 

(Sorry.  I have to go lie down, now ...)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

And Alice and Bob both agree with me ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

Relax, keep taking the heart pills. I agree by the way.