Is Bruce Schneier Applied Cryptography, Second ed. up to date?

Question

I like Applied Cryptography, and I am returning to cryptography after a while. So I am wondering if that book is up to date or can be complemented with other references.

I am looking for a book, authoritative, well documented. Possibly including code.

I would prefer to have a book as a reference, instead of asking naive questions to the community for something I could find in a book like Schneier’s. I wish to ask the community for help to understanding what’s in the book or ask for help on specific real world problems.

I have a background in cryptography, number theory, data, and coding.

What do you mean by "Something to use on the side of puzzling the community with already answered questions"? — Modal Nest, Dec 12 '20 at 10:38
Sorry, I meant, to ask about state of art of applied cryptography I would prefer to have a book as a reference, instead of asking naive questions to the community for something I could find in a book like Schneier. I wish to ask the community for help on understand what’s in the book or specific real world problems. I don’t like waste people time :) Thanks for asking. I will update the query. — user7338039, Dec 12 '20 at 11:32
Are we talking the old book or the new book? This is rather a chat subject! — kelalaka, Dec 12 '20 at 12:00
I like Bruce Schneier's Applied Cryptography, but it's dated. In the table of contents of the 20th Anniversary ed., there's nothing on AES, and little on Elliptic Curve Cryptography, which are the modern bread and butter of applied crypto. It stopped at SHA-1, when that's broken and we use SHA-2. It's short on side-channel attacks. And it mentions sci.crypt, not crypto-SE, which is the new place to be :-) Too bad I have no replacement to suggest. — fgrieu, Dec 12 '20 at 12:02
@fgrieu Are you sure about ECC? Something about it is in chapter 19.8. — user7338039, Dec 12 '20 at 12:10
@user7338039: you are right, there is one page. I fixed my comment. — fgrieu, Dec 12 '20 at 12:17
The new book is the Cryptography Engineering: Design Principles and Practical Applications. And also you might look at the Serious Cryptography: A Practical Introduction to Modern Encryption — kelalaka, Dec 12 '20 at 12:42
I'll second both kelalaka's recommendations, and add the upcoming book Real World Cryptography by David Wong. https://www.manning.com/books/real-world-cryptography — SAI Peregrinus, Dec 12 '20 at 15:43

score 17 · Accepted Answer · answered Dec 12 '20 at 16:17

17

The Applied Cryptography Second Edition goes back to 1996. Although there is a 20th-anniversary edition, 2015, it is not updated as one thought. If you look for Schneier's style, you may look at the

Cryptography Engineering: Design Principles and Practical Applications, 2010

There is also another nice practical book by Jean-Philippe Aumasson

Serious Cryptography: A Practical Introduction to Modern Encryption, 2017

And, another one by David Wong as pointed by SAI Peregrinus

Real-World Cryptography, 2019

All three books are good for one to understand the cryptographic techniques at work in common tools, frameworks, and protocols. This will help to make excellent security choices for systems and applications. They are especially good for engineers and IT.

answered Dec 12 '20 at 16:17

kelalaka

48,443
11
116
196

1

Many thanks — I didn’t knew those more recent books. Will look at them. – user7338039 Dec 12 '20 at 16:32
I was not able to find anything about elliptic curve cryptography in Cryptography Engineering. Are you sure it's up to date? – Andrew Savinykh Dec 30 '20 at 06:56
@AndrewSavinykh updated doesn't mean it must be included ECC. Aumasson's book may enough for you. – kelalaka Jan 07 '21 at 19:24

score 5 · Answer 2 · answered Dec 12 '20 at 22:37

Well, you asked for a reference, and that's what Applied Cryptography (AC) is. But you also mentioned real world problems, so note that if you're going to actually do anything, a reference book will not tell you what to do, and how to do it, it will just give a pile of parts and a box of tools and leave the responsibility to you. Given we're talking cryptography, that's a somewhat important point, not because you might hurt yourself building a shed with those parts, but because you may well leave an invisible gaping hole in the bottom letting anyone sneak in.

Regarding AC in particular, Schneier has himself stated that the approach of AC was in hindsight not the best. The preface to his later book, Cryptography Engineering states:

But such books are also one step removed from the needs of cryptography and security engineers in practice. Cryptography and security engineers need to know more than how current cryptographic protocols work; they need to know how to use cryptography.

There's even a stronger phrasing, referred to and accepted as true by Schneier in his blog (Cryptography Engineering an updated version of Practical Cryptography):

But in the introduction to Bruce Schneier’s book, Practical Cryptography, he himself says that the world is filled with broken systems built from his earlier book. In fact, he wrote Practical Cryptography in hopes of rectifying the problem.

Even as a reference, AC is almost 25 year old now, counting from the second edition published in 1996. It predates AES by 5 years, and accordingly spends a full chapter on the Data Encryption Standard (DES). Obviously, it is also missing such things as elliptic curve cryptography (ECC) and AEAD encryption modes, etc. Of course, Cryptography Engineering isn't much of a reference at all, it describes real-world issues and one design, but only mentions other subjects like RSA padding or GCM in passing.

As Matthew Green puts it,

you should [own a copy], if only to be awed by Bruce’s knowledge of bizarre, historical ciphers and all of the ways they’ve been broken.

but of course also that:

Unfortunately, some readers, abetted by Bruce’s detailed explanations and convenient source code examples, felt that they were now ready to implement crypto professionally. Inevitably their code made its way into commercial products, which shipped full of horribly ridiculous, broken crypto implementations.

And those aren't the only commentators with a similar tone, so be careful with it.

If you do need a reference though, the confusingly similarly named Handbook of Applied Cryptography by Menezes et al is also sometimes useful, and freely available. It's also originally from 1996, so the same caveats apply, even though it's far less often mentioned than AC. — ilkkachu, Dec 12 '20 at 22:41
Thanks for confirming the value of Cryptography Engineering and referencing the blog posts. Lot of insights there. My interest is more about code breaking than on vulnerabilities of online services or else. When I mentioned real world problems, I should have mentioned the code breaking. So, — user7338039, Dec 13 '20 at 18:27
@user7338039 well, yeah, if you're interested in breakable ciphers, then AC probably is a good resource. I haven't actually read it in ages, but those "eleven devastating attacks culminating in the total demolition of FEAL" Green mentions do sound interesting in a puzzling sense. Some newer resource could tell the details of MD5 and SHA-1 weaknesses. Hard to find such for AES. :) But the real-world weaknesses I can think of, like the TLS exploits with all the FUNNYNAMES, had to do with something around the cipher itself, like padding failures. — ilkkachu, Dec 13 '20 at 19:06

Is Bruce Schneier Applied Cryptography, Second ed. up to date?

2 Answers2