Real-World Cryptography
David Wong
Manning
Shelter Island
For more information on this and other Manning titles go to
www.manning.com
Copyright
For online information and ordering of these and other Manning books, please visit www.manning.com. The publisher offers discounts on these books when ordered in quantity.
For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email: orders@manning.com
© 2021 by Manning Publications Co. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Recognizing the importance of preserving what has been written, it is Manning's policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.
Development editor: | Marina Michaels |
Technical development editor: | Sam Zaydel |
Review editor: | Mihaela Batini |
Production editor: | Andy Marinkovich |
Copy editor: | Frances Buran |
Proofreader: | Keri Hales |
Technical proofreader: | Michal Rutka |
Typesetter: | Dennis Dalinnik |
Cover designer: | Marija Tudor |
ISBN: 9781617296710
dedication
To my parents, Anne Cerclet and Henry Wong, who nurtured curiosity in me.
To my wife, Felicia Lupu, who supported me throughout this journey.
front matter
preface
As you've picked up this book, you might be wondering, why another book on cryptography? Or even, why should I read this book? To answer this, you have to understand when it all started.
A book, years in the making
Today, if you want to learn about almost anything, you Google it, or Bing it, or Baidu it; you get the idea. Yet, for cryptography, and depending on what you're looking for, resources can be quite lacking. This is something I ran into a long time ago and which has been a continuous source of frustration since then.
Back when I was in school, I had to implement a differential power analysis attack for a class. This attack was a breakthrough in cryptanalysis at that time, as it was the first side-channel attack to be published. A differential power analysis attack is something magical: by measuring the power consumption of a device while it encrypts or decrypts something, you're able to extract its secrets. I realized that great papers could convey great ideas, while putting little effort in clarity and intelligibility. I remember banging my head against the wall trying to figure out what the author was trying to say. Worse, I couldn't find good online resources that explained the paper. So I banged my head a wee more, and finally I got it. And then, I thought, maybe I could help others like me who will have to go through this ordeal.
Motivated, I drew some diagrams, animated them, and recorded myself going over them. That was my first YouTube video on cryptography: https://www.youtube.com/watch?v=gbqNCgVcXsM.
Years later, after I uploaded the video, I still receive praises from random people on the internet. Just yesterday, as I'm writing this preface, someone posted, "Thank you, really a great explanation that probably saved me hours of trying to understand that paper."
What a reward! This baby step in adventuring myself on the other side of the educational landscape was enough to make me want to do more. I started recording more of these videos, and then I started a blog to write about cryptography. You can check it out here: https://cryptologie.net.
Before starting this book, I had amassed nearly 500 articles explaining the many concepts that stand beyond this intro. This was all just practice. In the back of my mind, the idea of writing a book was slowly maturing years before Manning Publications would reach out to me with a book proposal.
The real-world cryptographer curriculum
I finished my bachelor's in theoretical mathematics and didn't know what was next for me. I had also been programming my whole life, and I wanted to reconcile the two. Naturally, I became curious about cryptography, which seemed to have the best of both worlds, and started reading the different books at my disposal. I quickly discovered my life's calling.
Some things were annoying, though: in particular, the long introductions that would start with history; I was only interested in the technicalities and always had been. I swore to myself, if I ever wrote a book about cryptography, I would not write a single line on Vigenère ciphers, Caesar ciphers, and other vestiges of history. And so, after obtaining a master of cryptography at the University of Bordeaux, I thought I was ready for the real world. Little did I know.
I believed that my degree was enough, but my education lacked a lot about the real-world protocols I was about to attack. I had spent a lot of time learning about the mathematics of elliptic curves but nothing about how these were used in cryptographic algorithms. I had learned about LFSRs, and ElGamal, and DES, and a series of other cryptographic primitives that I would never see again.
When I started working in the industry at Matasano, which then became NCC Group, my first gig was to audit OpenSSL, the most popular SSL/TLS implementation, the code that basically encrypted the whole internet. Oh boy, did it hurt my brain. I remember coming back home every day with a strong headache. What a trainwreck of a library and a protocol! I had no idea at the time that I would, years later, become a coauthor of TLS 1.3, the latest version of the protocol.
But, at that point, I was already thinking, "This is what I should have learned in school. The knowledge I'm gaining now is what would have been useful to prepare me for the real world!" After all, I was now a specialized security practitioner in cryptography. I was reviewing real-world cryptographic applications. I was doing the job that one would wish they had after finishing a cryptography degree. I implemented, verified, used, and advised on what cryptographic algorithms to use. This is the reason I'm the first reader of the book I'm writing. This is what I would have written to my past self in order to prepare him for the real world.
Where most of the bugs are
My consulting job led me to audit many real-world cryptographic applications such as OpenSSL, the encrypted backup system of Google, the TLS 1.3 implementation of Cloudflare, the certificate authority protocol of Let's Encrypt, the sapling protocol of the Zcash cryptocurrency, the threshold proxy re-encryption scheme of NuCypher, and dozens of other real-world cryptographic applications that I unfortunately cannot mention publicly.