Crypto 101 - A Free Ebook
Written by Nikos Vaggalis
Friday, 08 July 2016

Who said that quality comes always at cost? Crypto 101 is proof that there are exceptions to this rule. It is a free guide to the science of cryptography, that, in everyday language, addresses every software developer's need in correctly incorporating and applying cryptographic elements into the building of their software.

Cryptography is a necessary evil that one way or another becomes an integral part of a developer's daily activity. Despite compacting crypto algorithmic implementations into modules, libraries or functions, that make knowledge in maths unnecessary in order to use them, their effective handling still requires a lot of effort.

Block vs Stream chiphers, Encrypting vs Signing, Symmetric vs Asymmetric encryption, are just some of the aspects you ought to understand, otherwise you're not only running the risk of degraded performance, but also the risk of causing the exact opposite of what cryptography was invented to safeguard, that is, confidentiality, authenticity and integrity.

Therefore every developer out there should at the very least have a grasp on the basics: what cryptography is, what it aims at, how to make the correct choice and application of the algorithms, as well as how the components work and interoperate.

You would think that such an essential educational service would come at a cost, but that's not always the case. Fortunately there are also free, reliable and quality solutions out there, like the Crypto 101 book.

Crypto 101 is a comprehensive and easy to follow guide to the world of cryptography, a conception of Laurens Van Houtven (lvh), principal engineer at Rackspace Managed Security where he works on information security, cryptography and distributed systems. He has
kindly made it available under the permissive Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license.

Glimpsing through the index, it looks as though his book has everything covered:

Exclusive or/XOR, looks at this pillar of cryptography
from both theoretical  :

"You can apply XOR in any order: a ⊕ b = b ⊕ a, no matter what values a and b are."

and practical perspectives :

"Python, for example, provides the ^ (caret) operator that performs bitwise XOR on integers. It does this by first expressing those two integers in binary4 , and then performing XOR on their respective bits.Hence the name, bitwise XOR."

Block ciphers, investigates the notions of the plaintext and ciphertext, while the first references on symmetric-key encryption, AES, DES and 3DES, make their appearance. They're followed with deep technical details of the algorithm's inner workings ( SubBytes ,ShiftRows
,MixColumns AddRoundKey etc), that despite their educational value, are marked as not essential to comprehend, since they don't offer much to the process of writing better software, as such they can be thoughtlessly skipped.

Stream ciphers is a chapter that highlights the 'building up' style that the author adopts; isolating and deconstructing a topic for demonstrating how it works and what sort of issues it faces, and then builds upon it by presenting its better successor that holds the solutions to those issues.

That is the exact case when explaining the EBC mode and the ways it can be attacked, such as the oracle attack in which an attacker can decrypt messages given access to the encryption oracle, a problem that was subsequently addressed by shifting to the CBC mode, something that subsequently lead to the CBC padding attacks, which subsequently lead to....you get the drift.

Key exchange uses the classic of Alice and Bob trying to figure out a a way of securely exchanging  messages over an untrusted network.
This discussion led to the Diffie-Hellman protocol and its variations, Discrete logarithms and Elliptic curves, and explains that despite them being capable of guaranteeing a shared secret across an insecure medium, they still lack message integrity, being prone to the man-in-the-middle (MITM) attacks.

The rest of the chapters then look at Public-key encryption and the components that need to cooperate in order to maintain the secret message's confidentiality, integrity and authenticity.

Therefore on the way to the Key derivation functions and secure password storage, it goes from Hash functions to
Message authentication codes and then to Signature algorithms, where everything is detailed  and classified depending on the functionality:

"Just like encryption, authentication comes in both private-key (symmetric) and public-key (asymmetric) forms. Symmetric authentication schemes are typically called message authentication codes, while the public-key equivalent is typically called a signature."

or:

"Note that we say ”message” here instead of ”plaintext” or ”ciphertext”. This ambiguity is intentional. In this book we’re mostly interested in MACs as a way to achieve authenticated encryption, so the message will always be a ciphertext. That said, there’s nothing wrong with a MAC being applied to a plaintext message."

I'm quoting those two paragraphs as representatives of the level of scrutiny the material has undergone, the simple  language employed, and the effective way of conveying the concepts.

The book then ends with examples of complete cryptosystems,
such as SSL and TLS, OpenPGP and GPG, and OTR.

Summing up, it's not just a good book, it's a great book.
And most of all, what do you pay for it? Zero. That lifts the notion of value for money to another level. The truth is, it's a steal; I would definitely pay the price for this kind of work. The only downside is that there are quite a few 'TO-DO' placeholders here and there as it's a work in progress, continuously edited and added upon.

I would certainly recommend the option of crowd funding the book so the author gets supported into adding more material in a timely fashion,  along the lines of Help Kickstart First Ever PerlDancer Book. What do you think?

Crypto 101 book

Crypto 101 on Github

lvh's blog

#### Related Articles

Help Kickstart First Ever PerlDancer Book

 W3C Promotes Web Audio API13/07/2021The Web Audio API has been promoted by the W3C and is now an official standard as a JavaScript API for creating and manipulating audio content directly within web browsers. + Full Story The Linux Upskill Challenge15/07/2021A compact and previously paid course is now free and open source. It teaches everything someone needs in order to transition to Linux. + Full Story More News