9

I asked a question earlier where it was recommended that I describe my issue using standard cryptography notation.

  • How do I learn this notation and how to convey my approach?

  • How can I annotate this notation to indicate implementation specific issues?

Although the wording of the second bullet may seem strange, I do need to describe these real world factors that affect my design:

  • I'm deploying on Windows Azure and the only secure location for cryptographic material is located within the Certificate Store (uploaded by the management portal). Only solutions that use x509 certificates are supported.

  • I need to store private keys of my customers securely on Azure Blob storage. Since these certificates are browsable by many tech support folk @MSFT, I want to encrypt the data at rest, indirectly using an x509 certificate.

  • The reason I'm saying indirectly by an x509 certificate is because I may store payloads that are larger than the modulus of the cert, or may want faster performance using a symmetric key.

Community
  • 1
makerofthings7
  • 50,090
  • 54
  • 250
  • 536

1 Answers1

4

One approach is to read a good crypto textbook. I highly recommend Cryptography Engineering by Ferguson, Schneier, and Kohno. You could follow the notation they use in that book, and that'd be one reasonable way to go. (You'll learn lots of other practical, useful stuff along the way.)

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 1
    Thanks; what are your thoughts on this book? Some sources on S.O. say it's full of errors and mis-information http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099/ref=wl_mb_hu_m_1_dp – makerofthings7 May 14 '11 at 15:39
  • @makerofthings, Not misinformation, per se, but it is kinda out of date. There were mistakes and such, but it's an "oldish" book. The "Cryptography Engineering" book that @D.W. recomended is considered the 3rd edition of the book you mentioned, so the mistakes and and such were cleaned up, and overall it is supposed to be better (still on my reading list, though...) – AviD May 14 '11 at 22:51
  • @makerofthings, *Cryptography Engineering* is a totally different book than *Applied Cryptography*. Comments you may have read about *Applied Cryptography* do not apply to *Cryptography Engineering*. (*Applied Cryptography* had enormous impact, but it was written a long time ago and it's starting to show. *Cryptography Engineering* is more recent and is guided by the practical problems that developers most commonly have to solve, and dives into the nitty gritty details, in a way that reflects the best practices of the field.) – D.W. May 15 '11 at 02:22
  • 1
    Would you recommend I read Applied Cryptography... or what is a modern book I should start with? Crypto Engineering first, then Applied Crypto? – makerofthings7 May 15 '11 at 20:16
  • @makerofthings, I'd recommend starting with Crypto Engineering. It's probably more relevant to the practicing developer/engineer. After you've read Crypto Engineering, there's probably not much point to read Applied Cryptography; for a practicing engineer, it probably won't add much. – D.W. May 15 '11 at 23:02
  • @D.W., What about the inverse? Is there much point in reading Cryptography Engineering after having read Applied Cryptography? – Pacerier Dec 08 '15 at 10:49