Cryptography is an ancient art about techniques used to secure communication in the presence of adversaries. From the early hieroglyphic inscriptions to the latest digital age, it has evolved in sync with the communication. It is no longer constrained by the definition of idea sharing between individuals. With the advent of Internet, it has become an integral part of commercial activities and personal information sharing.
However, it has also triggered a need for solutions regarding secrecy, authentication, integrity, and dishonesty. And it has inspired me to explore cryptography as a subject.
From day one, that is my first encounter with the concept of cryptography, I was intrigued by its structure, nuances, and application. The learning part has become easier now. As a senior engineer working in cryptography projects, I get to learn a lot from first-hand experiences. But the starting days were not easy.
Before delving deep into the discussion about the best ways to learn cryptography, let’s see what makes it so crucial.
Why It is Important
It is better to leave parts like designing cryptographic algorithms/protocols and coming up with the standards to the cryptography community and institutions like NIST. On the other hand, a developer working on the security aspects of an application would need an understanding of the core concepts and implementation experience to make the system robust and hack-proof. The developer should know how to utilize the best available technique and provide the desired level of secrecy along with expected performance. He should be aware of the common mistakes that occur while implementing techniques and security tools to verify the application and a good test-case suite.
I recently came across this article by Columbia University wherein they discussed a new tool developed by the university team. With the tool, they discovered basic cryptographic misuse and unsafe security practices in popular android apps from Google Play Store.
Not all misuses will result in a possible attack. However, it exposes the lack of proper security guidelines in the software community. Most developers are not aware of the cryptography fundamentals and treat it as a black box just like any other software library. The problem with cryptography code is that it does not mean it’s secure even if it is working perfectly.
Where to get started
In case a developer is motivated enough to learn cryptography, there are not many structured resources available to cover the basics for a developer. Below are the resources that helped me a lot when I started exploring the area.
- Cryptography I: This online course is offered on Coursera by Stanford Prof. Dan Boneh and it covers most of the basic topics. One of my colleagues recommended it, so I decided to take it up to understand cryptography behind the scenes. From a developer’s point of view, some of the highlights of this course are:
- It covers most of the topics such as Block Ciphers, MAC, Hashing, Authenticated encryption, Public key cryptography, PRG, PRP and PRFs.
- A quick revision of number theory and discreet probability and in-depth treatment were given along with the link to relevant textbooks for further reading to absorb the concepts better.
- It was explained with the use of drawings and examples. Even the security holes are explained using simplified examples.
- A generic approach to proving any theorem is given so that the same can be applied to their variations as well.
- Fast-paced. I had to pause and review most of the videos.
- The Programming assignments are really interesting though they are optional to keep the course duration under control.
A capstone project with hands-on experience will indeed help you better. But this course provides a good insight into cryptographic algorithms and has hands-on assignment work to make it interesting within a given time for the developers.
- Video lecture series: If you are looking for a more thorough treatment of the subject, something like a graduate course, there is a video lecture series on YouTube ‘Introduction to Cryptography by Christof Paar’ that I found to be very useful. The book “Understanding Cryptography” by the same author is an excellent reference to this lecture series.
- Online reading: To devise simple encryption or set up the certificate authority, or exchange signed documents, you don’t need to be a cryptography expert. This site is a good resource for understanding the common tools and techniques that you can use to implement these in your system and enhance security. There are code examples given for better understanding.
Depending upon your involvement and time availability, you can pick up these resources. These resources are good even for DevOps and QA engineers if they deal with crypto algorithms setup and testing.
Some of the libraries I used for learning are CryptoPP (C++) and gmpy2 (python) and libsodium (rust).
I would recommend these resources to anyone who is either starting a career in the cybersecurity domain or deals with cryptography daily.
If you find these sources useful, feel free to share it. You can also post your queries for further discussions.