Author: Jean-Philippe Aumasson
Publisher: No Starch
Date: October 2024
Pages: 376
ISBN:978-1718503847
Print:1718503849
Kindle: B0CZ94T2Q3
Audience: Programmers wanting to understand cryptography
Rating: 5
Reviewer: Harry Fairhead
Cryptography is so important - can you afford not to read a good book on the subject?

I am always put off by a cryptography book that starts off with the Caesar cipher because it indicates the level that the book is set at, i.e. low. This book starts off with exactly this, but do not worry it quickly ramps up. The only problem here is that after a gentle introduction you will need to have a certain sophistication to deal with everything this book tells you. It starts off spoon-feeding you equations, but slowly assumes that you are fine with reading Boolean expressions and so on.

It is important to know what sort of book this is. It isn't a DIY book and anyway DIY crypto is a bad idea. It isn't practical in the sense that it doesn't include code to do anything, but it also isn't a theory book in that it doesn't go that deep. What it does is explain the ideas and techniques that you will find in packages such as OpenSSL or mbedTLS which, if you are not up to speed on the ideas of modern cryptography, can seem next to impossible to understand. This book is ideal if you are trying to do anything with almost any cryptography library.  

The first part of the book goes over the fundamentals. It starts off with an introduction to encryption in Chapter 1 and, yes, if you have read any other book on crypto you will probably know everything included, but you might have missed some of the nuances. There is a good discussion of attack modes and what it means for a cipher to be secure in different senses. 

Chapter 2 moves on to randomness and it is a good account of practical crypto random number generators  including Windows and Linux generators. Chapter 3 goes into the topic of what makes a secure cryptographic procedure. There is a good discussion of what can go wrong.   

Part II is an introduction to symmetric crypto including block and stream ciphers which are still vitally important despite the popular focus on public key crypto. The AES cypher is covered in enough detail for you to understand the different modes of application which are one of the most confusing parts of using any crypto package. It covers hash functions and does a good job of explaining the different ways that they can fail. The SHA1, SHA2, SHA3, BLAKE2, BLAKE3 functions are all covered along with what can go wrong. This part of the book ends with a look at keyed hashing and authentication. The technical level of the book has increases quite a lot in this part of the book but as long as you work at it this shouldn't be a problem.

Part III is about asymmetric crypto, which as already mentioned is the glamorous end of the subject. After a basic introduction to hard problems - NP, factoring and the discrete logarithm problems. After this it introduces RSA and Diffie-Hellman which are now so old as to be considered classical asymmetric algorithms. The part finishes with a look at elliptic curves which most people seem to find harder to understand than the "classic" algorithms. This part also helps understanding the options in OpenSSL and mbedTLS.

The final part, Part IV, deals with applications. A whole chapter on TLS is very appropriate as this is the protocol that we encounter most in our efforts to create secure connections on the web. The next chapter is less practically relevant as covers quantum and post-quantum security which given we haven't managed to create a quantum computer and perhaps never will is a bit theoretical. On the other hand as a "what if" it is interesting. The final chapter on cryptocurrencies isn't really on the same topic a the rest of the book. Even so, finding out about Merkle trees, proof of work and zero knowledge proofs is probably worthwhile if only because you might notice a new application of any of them.

This is a very good book but only if you want to understand crypto enough to make sensible use of existing crypto packages. This is not a hands on using crypto packages but it will give you enough knowledge to understand the options that you have to choose between when using these. If it has a weakness it is probably that it is light on discussion of certificates and things that can go wrong using them but don't let this put you off a really good book - but set aside six months to read it. 

To keep up with our coverage of books for programmers, follow @bookwatchiprog on Twitter or subscribe to I Programmer's Books RSS feed for each day's new addition to Book Watch and for new reviews.