Applied Cryptography - Bruce Schneier - E-Book

Applied Cryptography E-Book

Bruce Schneier

Description

From the world's most renowned security technologist, Bruce Schneier, this 20th Anniversary Edition is the most definitive reference on cryptography ever published and is the seminal work on cryptography. Cryptographic techniques have applications far beyond the obvious uses of encoding and decoding information. For developers who need to know about capabilities, such as digital signatures, that depend on cryptographic techniques, there's no better overview than Applied Cryptography, the definitive book on the subject. Bruce Schneier covers general classes of cryptographic protocols and then specific techniques, detailing the inner workings of real-world cryptographic algorithms including the Data Encryption Standard and RSA public-key cryptosystems. The book includes source-code listings and extensive advice on the practical aspects of cryptography implementation, such as the importance of generating truly random numbers and of keeping keys secure.

"... the best introduction to cryptography I've ever seen. ... The book the National Security Agency wanted never to be published. ..." -Wired Magazine

"... monumental ... fascinating ... comprehensive ... the definitive work on cryptography for computer programmers ..." -Dr. Dobb's Journal

"... easily ranks as one of the most authoritative in its field." -PC Magazine

The book details how programmers and electronic communications professionals can use cryptography, the technique of enciphering and deciphering messages, to maintain the privacy of computer data. It describes dozens of cryptography algorithms, gives practical advice on how to implement them into cryptographic software, and shows how they can be used to solve security problems. The book shows programmers who design computer applications, networks, and storage systems how they can build security into their software and systems.
With a new Introduction by the author, this premium edition will be a keepsake for all those committed to computer and cyber security.

Page count: 1484




Table of Contents

Cover

Introduction

Foreword by Whitfield Diffie

Preface

HOW TO READ THIS BOOK

ACKNOWLEDGMENTS

About the Author

CHAPTER 1: FOUNDATIONS

1.1 TERMINOLOGY

1.2 STEGANOGRAPHY

1.3 SUBSTITUTION CIPHERS AND TRANSPOSITION CIPHERS

1.4 SIMPLE XOR

1.5 ONE-TIME PADS

1.6 COMPUTER ALGORITHMS

1.7 LARGE NUMBERS

PART I: CRYPTOGRAPHIC PROTOCOLS

CHAPTER 2: PROTOCOL BUILDING BLOCKS

2.1 INTRODUCTION TO PROTOCOLS

2.2 COMMUNICATIONS USING SYMMETRIC CRYPTOGRAPHY

2.3 ONE-WAY FUNCTIONS

2.4 ONE-WAY HASH FUNCTIONS

2.5 COMMUNICATIONS USING PUBLIC-KEY CRYPTOGRAPHY

2.6 DIGITAL SIGNATURES

2.7 DIGITAL SIGNATURES WITH ENCRYPTION

2.8 RANDOM AND PSEUDO-RANDOM-SEQUENCE GENERATION

CHAPTER 3: BASIC PROTOCOLS

3.1 KEY EXCHANGE

3.2 AUTHENTICATION

3.3 AUTHENTICATION AND KEY EXCHANGE

3.4 FORMAL ANALYSIS OF AUTHENTICATION AND KEY-EXCHANGE PROTOCOLS

3.5 MULTIPLE-KEY PUBLIC-KEY CRYPTOGRAPHY

3.6 SECRET SPLITTING

3.7 SECRET SHARING

3.8 CRYPTOGRAPHIC PROTECTION OF DATABASES

CHAPTER 4: INTERMEDIATE PROTOCOLS

4.1 TIMESTAMPING SERVICES

4.2 SUBLIMINAL CHANNEL

4.3 UNDENIABLE DIGITAL SIGNATURES

4.4 DESIGNATED CONFIRMER SIGNATURES

4.5 PROXY SIGNATURES

4.6 GROUP SIGNATURES

4.7 FAIL-STOP DIGITAL SIGNATURES

4.8 COMPUTING WITH ENCRYPTED DATA

4.9 BIT COMMITMENT

4.10 FAIR COIN FLIPS

4.11 MENTAL POKER

4.12 ONE-WAY ACCUMULATORS

4.13 ALL-OR-NOTHING DISCLOSURE OF SECRETS

4.14 KEY ESCROW

CHAPTER 5: ADVANCED PROTOCOLS

5.1 ZERO-KNOWLEDGE PROOFS

5.2 ZERO-KNOWLEDGE PROOFS OF IDENTITY

5.3 BLIND SIGNATURES

5.4 IDENTITY-BASED PUBLIC-KEY CRYPTOGRAPHY

5.5 OBLIVIOUS TRANSFER

5.6 OBLIVIOUS SIGNATURES

5.7 SIMULTANEOUS CONTRACT SIGNING

5.8 DIGITAL CERTIFIED MAIL

5.9 SIMULTANEOUS EXCHANGE OF SECRETS

CHAPTER 6: ESOTERIC PROTOCOLS

6.1 SECURE ELECTIONS

6.2 SECURE MULTIPARTY COMPUTATION

6.3 ANONYMOUS MESSAGE BROADCAST

6.4 DIGITAL CASH

PART II: CRYPTOGRAPHIC TECHNIQUES

CHAPTER 7: KEY LENGTH

7.1 SYMMETRIC KEY LENGTH

7.2 PUBLIC-KEY KEY LENGTH

7.3 COMPARING SYMMETRIC AND PUBLIC-KEY KEY LENGTH

7.4 BIRTHDAY ATTACKS AGAINST ONE-WAY HASH FUNCTIONS

7.5 HOW LONG SHOULD A KEY BE?

7.6 CAVEAT EMPTOR

CHAPTER 8: KEY MANAGEMENT

8.1 GENERATING KEYS

8.2 NONLINEAR KEYSPACES

8.3 TRANSFERRING KEYS

8.4 VERIFYING KEYS

8.5 USING KEYS

8.6 UPDATING KEYS

8.7 STORING KEYS

8.8 BACKUP KEYS

8.9 COMPROMISED KEYS

8.10 LIFETIME OF KEYS

8.11 DESTROYING KEYS

8.12 PUBLIC-KEY KEY MANAGEMENT

CHAPTER 9: ALGORITHM TYPES AND MODES

9.1 ELECTRONIC CODEBOOK MODE

9.2 BLOCK REPLAY

9.3 CIPHER BLOCK CHAINING MODE

9.4 STREAM CIPHERS

9.5 SELF-SYNCHRONIZING STREAM CIPHERS

9.6 CIPHER-FEEDBACK MODE

9.7 SYNCHRONOUS STREAM CIPHERS

9.8 OUTPUT-FEEDBACK MODE

9.9 COUNTER MODE

9.10 OTHER BLOCK-CIPHER MODES

9.11 CHOOSING A CIPHER MODE

9.12 INTERLEAVING

9.13 BLOCK CIPHERS VERSUS STREAM CIPHERS

CHAPTER 10: USING ALGORITHMS

10.1 CHOOSING AN ALGORITHM

10.2 PUBLIC-KEY CRYPTOGRAPHY VERSUS SYMMETRIC CRYPTOGRAPHY

10.3 ENCRYPTING COMMUNICATIONS CHANNELS

10.4 ENCRYPTING DATA FOR STORAGE

10.5 HARDWARE ENCRYPTION VERSUS SOFTWARE ENCRYPTION

10.6 COMPRESSION, ENCODING, AND ENCRYPTION

10.7 DETECTING ENCRYPTION

10.8 HIDING CIPHERTEXT IN CIPHERTEXT

10.9 DESTROYING INFORMATION

PART III: CRYPTOGRAPHIC ALGORITHMS

CHAPTER 11: MATHEMATICAL BACKGROUND

11.1 INFORMATION THEORY

11.2 COMPLEXITY THEORY

11.3 NUMBER THEORY

11.4 FACTORING

11.5 PRIME NUMBER GENERATION

11.6 DISCRETE LOGARITHMS IN A FINITE FIELD

CHAPTER 12: DATA ENCRYPTION STANDARD (DES)

12.1 BACKGROUND

12.2 DESCRIPTION OF DES

12.3 SECURITY OF DES

12.4 DIFFERENTIAL AND LINEAR CRYPTANALYSIS

12.5 THE REAL DESIGN CRITERIA

12.6 DES VARIANTS

12.7 HOW SECURE IS DES TODAY?

CHAPTER 13: OTHER BLOCK CIPHERS

13.1 LUCIFER

13.2 MADRYGA

13.3 NEWDES

13.4 FEAL

13.5 REDOC

13.6 LOKI

13.7 KHUFU AND KHAFRE

13.8 RC2

13.9 IDEA

13.10 MMB

13.11 CA-1.1

13.12 SKIPJACK

CHAPTER 14: STILL OTHER BLOCK CIPHERS

14.1 GOST

14.2 CAST

14.3 BLOWFISH

14.4 SAFER

14.5 3-WAY

14.6 CRAB

14.7 SXAL8/MBAL

14.8 RC5

14.9 OTHER BLOCK ALGORITHMS

14.10 THEORY OF BLOCK CIPHER DESIGN

14.11 USING ONE-WAY HASH FUNCTIONS

14.12 CHOOSING A BLOCK ALGORITHM

CHAPTER 15: COMBINING BLOCK CIPHERS

15.1 DOUBLE ENCRYPTION

15.2 TRIPLE ENCRYPTION

15.3 DOUBLING THE BLOCK LENGTH

15.4 OTHER MULTIPLE ENCRYPTION SCHEMES

15.5 CDMF KEY SHORTENING

15.6 WHITENING

15.7 CASCADING MULTIPLE BLOCK ALGORITHMS

15.8 COMBINING MULTIPLE BLOCK ALGORITHMS

CHAPTER 16: PSEUDO-RANDOM-SEQUENCE GENERATORS AND STREAM CIPHERS

16.1 LINEAR CONGRUENTIAL GENERATORS

16.2 LINEAR FEEDBACK SHIFT REGISTERS

16.3 DESIGN AND ANALYSIS OF STREAM CIPHERS

16.4 STREAM CIPHERS USING LFSRS

16.5 A5

16.6 HUGHES XPD/KPD

16.7 NANOTEQ

16.8 RAMBUTAN

16.9 ADDITIVE GENERATORS

16.10 GIFFORD

16.11 ALGORITHM M

16.12 PKZIP

CHAPTER 17: OTHER STREAM CIPHERS AND REAL RANDOM-SEQUENCE GENERATORS

17.1 RC4

17.2 SEAL

17.3 WAKE

17.4 FEEDBACK WITH CARRY SHIFT REGISTERS

17.5 STREAM CIPHERS USING FCSRS

17.6 NONLINEAR-FEEDBACK SHIFT REGISTERS

17.7 OTHER STREAM CIPHERS

17.8 SYSTEM-THEORETIC APPROACH TO STREAM-CIPHER DESIGN

17.9 COMPLEXITY-THEORETIC APPROACH TO STREAM-CIPHER DESIGN

17.10 OTHER APPROACHES TO STREAM-CIPHER DESIGN

17.11 CASCADING MULTIPLE STREAM CIPHERS

17.12 CHOOSING A STREAM CIPHER

17.13 GENERATING MULTIPLE STREAMS FROM A SINGLE PSEUDO-RANDOM-SEQUENCE GENERATOR

17.14 REAL RANDOM-SEQUENCE GENERATORS

CHAPTER 18: ONE-WAY HASH FUNCTIONS

18.1 BACKGROUND

18.2 SNEFRU

18.3 N-HASH

18.4 MD4

18.5 MD5

18.6 MD2

18.7 SECURE HASH ALGORITHM (SHA)

18.8 RIPE-MD

18.9 HAVAL

18.10 OTHER ONE-WAY HASH FUNCTIONS

18.11 ONE-WAY HASH FUNCTIONS USING SYMMETRIC BLOCK ALGORITHMS

18.12 USING PUBLIC-KEY ALGORITHMS

18.13 CHOOSING A ONE-WAY HASH FUNCTION

18.14 MESSAGE AUTHENTICATION CODES

CHAPTER 19: PUBLIC-KEY ALGORITHMS

19.1 BACKGROUND

19.2 KNAPSACK ALGORITHMS

19.3 RSA

19.4 POHLIG-HELLMAN

19.5 RABIN

19.6 ELGAMAL

19.7 MCELIECE

19.8 ELLIPTIC CURVE CRYPTOSYSTEMS

19.9 LUC

19.10 FINITE AUTOMATON PUBLIC-KEY CRYPTOSYSTEMS

CHAPTER 20: PUBLIC-KEY DIGITAL SIGNATURE ALGORITHMS

20.1 DIGITAL SIGNATURE ALGORITHM (DSA)

20.2 DSA VARIANTS

20.3 GOST DIGITAL SIGNATURE ALGORITHM

20.4 DISCRETE LOGARITHM SIGNATURE SCHEMES

20.5 ONG-SCHNORR-SHAMIR

20.6 ESIGN

20.7 CELLULAR AUTOMATA

20.8 OTHER PUBLIC-KEY ALGORITHMS

CHAPTER 21: IDENTIFICATION SCHEMES

21.1 FEIGE-FIAT-SHAMIR

21.2 GUILLOU-QUISQUATER

21.3 SCHNORR

21.4 CONVERTING IDENTIFICATION SCHEMES TO SIGNATURE SCHEMES

CHAPTER 22: KEY-EXCHANGE ALGORITHMS

22.1 DIFFIE-HELLMAN

22.2 STATION-TO-STATION PROTOCOL

22.3 SHAMIR’S THREE-PASS PROTOCOL

22.4 COMSET

22.5 ENCRYPTED KEY EXCHANGE

22.6 FORTIFIED KEY NEGOTIATION

22.7 CONFERENCE KEY DISTRIBUTION AND SECRET BROADCASTING

CHAPTER 23: SPECIAL ALGORITHMS FOR PROTOCOLS

23.1 MULTIPLE-KEY PUBLIC-KEY CRYPTOGRAPHY

23.2 SECRET-SHARING ALGORITHMS

23.3 SUBLIMINAL CHANNEL

23.4 UNDENIABLE DIGITAL SIGNATURES

23.5 DESIGNATED CONFIRMER SIGNATURES

23.6 COMPUTING WITH ENCRYPTED DATA

23.7 FAIR COIN FLIPS

23.8 ONE-WAY ACCUMULATORS

23.9 ALL-OR-NOTHING DISCLOSURE OF SECRETS

23.10 FAIR AND FAILSAFE CRYPTOSYSTEMS

23.11 ZERO-KNOWLEDGE PROOFS OF KNOWLEDGE

23.12 BLIND SIGNATURES

23.13 OBLIVIOUS TRANSFER

23.14 SECURE MULTIPARTY COMPUTATION

23.15 PROBABILISTIC ENCRYPTION

23.16 QUANTUM CRYPTOGRAPHY

PART IV: THE REAL WORLD

CHAPTER 24: EXAMPLE IMPLEMENTATIONS

24.1 IBM SECRET-KEY MANAGEMENT PROTOCOL

24.2 MITRENET

24.3 ISDN

24.4 STU-III

24.5 KERBEROS

24.6 KRYPTOKNIGHT

24.7 SESAME

24.8 IBM COMMON CRYPTOGRAPHIC ARCHITECTURE

24.9 ISO AUTHENTICATION FRAMEWORK

24.10 PRIVACY-ENHANCED MAIL (PEM)

24.11 MESSAGE SECURITY PROTOCOL (MSP)

24.12 PRETTY GOOD PRIVACY (PGP)

24.13 SMART CARDS

24.14 PUBLIC-KEY CRYPTOGRAPHY STANDARDS (PKCS)

24.15 UNIVERSAL ELECTRONIC PAYMENT SYSTEM (UEPS)

24.16 CLIPPER

24.17 CAPSTONE

24.18 AT&T MODEL 3600 TELEPHONE SECURITY DEVICE (TSD)

CHAPTER 25: POLITICS

25.1 NATIONAL SECURITY AGENCY (NSA)

25.2 NATIONAL COMPUTER SECURITY CENTER (NCSC)

25.3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST)

25.4 RSA DATA SECURITY, INC.

25.5 PUBLIC KEY PARTNERS

25.6 INTERNATIONAL ASSOCIATION FOR CRYPTOGRAPHIC RESEARCH (IACR)

25.7 RACE INTEGRITY PRIMITIVES EVALUATION (RIPE)

25.8 CONDITIONAL ACCESS FOR EUROPE (CAFE)

25.9 ISO/IEC 9979

25.10 PROFESSIONAL, CIVIL LIBERTIES, AND INDUSTRY GROUPS

25.11 SCI.CRYPT

25.12 CYPHERPUNKS

25.13 PATENTS

25.14 U.S. EXPORT RULES

25.15 FOREIGN IMPORT AND EXPORT OF CRYPTOGRAPHY

25.16 LEGAL ISSUES

Afterword by Matt Blaze

PART V: SOURCE CODE

References

Index

End User License Agreement

List of Illustrations

CHAPTER 1

Figure 1.1 Encryption and Decryption.

Figure 1.2 Encryption and decryption with a key.

Figure 1.3 Encryption and decryption with two different keys.

Figure 1.4 Columnar transposition cipher.

CHAPTER 2

Figure 2.1 Types of protocols.

CHAPTER 5

Figure 5.1 The zero-knowledge cave.

CHAPTER 8

Figure 8.1 ANSI X9.17 key generation.

Figure 8.2 Key distribution via parallel channels.

CHAPTER 9

Figure 9.1 Ciphertext stealing in ECB mode.

Figure 9.2 Encryption blocks for an example record.

Figure 9.3 Cipher block chaining mode.

Figure 9.4 Encrypting the last short block in CBC mode.

Figure 9.5 Ciphertext stealing in CBC mode.

Figure 9.6 Stream cipher.

Figure 9.7 Inside a keystream generator.

Figure 9.8 A self-synchronizing keystream generator.

Figure 9.9 8-bit cipher-feedback mode.

Figure 9.10 n-bit CFB with an n-bit algorithm.

Figure 9.11 8-bit output-feedback mode.

Figure 9.12 n-bit OFB with an n-bit algorithm.

Figure 9.13 A keystream generator in output-feedback mode.

Figure 9.14 A keystream generator in counter mode.

Figure 9.15 Propagating cipher block chaining mode.

Figure 9.16 Interleaving three CFB encryptions.

CHAPTER 10

Figure 10.1 Link encryption.

Figure 10.2 End-to-end encryption.

Figure 10.3 Encryption with compression and error control.

CHAPTER 11

Figure 11.1 Complexity classes.

CHAPTER 12

Figure 12.1 DES.

Figure 12.2 One round of DES.

Figure 12.3 Expansion permutation.

Figure 12.4 S-box substitution.

Figure 12.5 DES round function.

Figure 12.6 DES characteristics.

Figure 12.7 A two-round DES characteristic.

Figure 12.8 A 1-round linear approximation for DES.

Figure 12.9 A 3-round linear approximation for DES.

Figure 12.10 Triple-DES.

Figure 12.11 GDES.

CHAPTER 13

Figure 13.1 One iteration of Madryga.

Figure 13.2 NewDES.

Figure 13.3 One round of FEAL.

Figure 13.4 Function f.

Figure 13.5 Key processing part of FEAL.

Figure 13.6 Function fK.

Figure 13.7 FEAL-NX key schedule.

Figure 13.8 LOKI91.

Figure 13.9 IDEA.

Figure 13.10 PES.

CHAPTER 14

Figure 14.1 One round of GOST.

Figure 14.2 Blowfish.

Figure 14.3 Function F.

Figure 14.4 One round of SAFER.

Figure 14.5 Message Digest Cipher (MDC).

CHAPTER 15

Figure 15.1 Triple encryption in CBC mode.

Figure 15.2 Triple encryption with padding.

Figure 15.3 Doubling the block length.

Figure 15.4 One round of xDES2.

CHAPTER 16

Figure 16.1 Feedback shift register.

Figure 16.2 Linear feedback shift register.

Figure 16.3 4-bit LFSR.

Figure 16.4 32-bit long maximal-length LFSR.

Figure 16.5 Galois LFSR.

Figure 16.6 Geffe generator.

Figure 16.7 Generalized Geffe generator.

Figure 16.8 Jennings generator.

Figure 16.9 Beth-Piper stop-and-go generator.

Figure 16.10 Alternating stop-and-go generator.

Figure 16.11 Bilateral stop-and-go generator.

Figure 16.12 Threshold generator.

Figure 16.13 Rueppel’s self-decimated generator.

Figure 16.14 Chambers’s and Gollmann’s self-decimated generator.

Figure 16.15 Multispeed inner-product generator.

Figure 16.16 Gollmann cascade.

Figure 16.17 Gifford.

CHAPTER 17

Figure 17.1 The inner loop of SEAL.

Figure 17.2 Wake.

Figure 17.3 Feedback with carry shift register.

Figure 17.4 3-bit FCSR.

Figure 17.5 Combining Generators.

Figure 17.6 Concoction Generator.

Figure 17.7 Alternating stop-and-go generators.

Figure 17.8 A nonlinear-feedback shift register (probably insecure).

Figure 17.9 3-bit nonlinear feedback shift register.

Figure 17.10 Rip van Winkle cipher.

Figure 17.11 Multiple-bit generator.

CHAPTER 18

Figure 18.1 One-way function.

Figure 18.2 Outline of N-Hash.

Figure 18.3 One processing stage of N-Hash.

Figure 18.4 Function f.

Figure 18.5 MD5 main loop.

Figure 18.6 One MD5 operation.

Figure 18.7 One SHA operation.

Figure 18.8 General hash function where the hash length equals the block size.

Figure 18.9 The four secure hash functions where the block length equals the has...

Figure 18.10 Modified Davies-Meyer.

Figure 18.11 Tandem Davies-Meyer.

Figure 18.12 Abreast Davies-Meyer.

Figure 18.13 MDC-2.

Figure 18.14 MDC-4.

Figure 18.15 Stream cipher MAC.

CHAPTER 19

Figure 19.1 Encryption with knapsacks.

CHAPTER 24

Figure 24.1 Kerberos authentication steps.

Figure 24.2 An X.509 certificate.

Figure 24.3 Sample certification hierarchy.

Figure 24.4 Example of an encapsulated message (symmetric case).

Figure 24.5 Example of an encapsulated ENCRYPTED message (asymmetric case).

Figure 24.6 Example of an encapsulated MIC-ONLY message (asymmetric case).

Figure 24.7 PGP trust model.

from reviews of the first edition of

APPLIED CRYPTOGRAPHY

Protocols, Algorithms, and Source Code in C

“… the definitive text on the subject….”

—Software Development Magazine

“… good reading for anyone interested in cryptography.”

—BYTE

“This book should be on the shelf of any computer professional involved in the use or implementation of cryptography.”

—IEEE Software

“… dazzling … fascinating…. This book absolutely must be on your bookshelf …”

—PC Techniques

“… comprehensive … an encyclopedic work …”

—The Cryptogram

“… a fantastic book on cryptography today. It belongs in the library of anyone interested in cryptography or anyone who deals with information security and cryptographic systems.”

—Computers & Security

“An encyclopedic survey … could well have been subtitled ‘The Joy of Encrypting’ … a useful addition to the library of any active or would-be security practitioner.”

—Cryptologia

“… encyclopedic … readable … well-informed … picks up where Dorothy Denning’s classic Cryptography and Data Security left off a dozen years ago…. This book would be a bargain at twice the price.”

—;login:

“This is a marvelous resource—the best book on cryptography and its application available today.”

—Dorothy Denning, Georgetown University

“… Schneier’s book is an indispensable reference and resource…. I recommend it highly.”

—Martin Hellman, Stanford University

APPLIED CRYPTOGRAPHY, SECOND EDITION

PROTOCOLS, ALGORITHMS, AND SOURCE CODE IN C

BRUCE SCHNEIER

20th Anniversary Edition

Applied Cryptography: Protocols, Algorithms and Source Code in C

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 1996 by Bruce Schneier. All rights reserved.

New foreword copyright © 2015 by Bruce Schneier. All rights reserved.

Published by John Wiley & Sons, Inc.

Published simultaneously in Canada

ISBN: 978-1-119-09672-6

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2015932956

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Introduction

I first wrote Applied Cryptography in 1993. Two years later, I wrote the greatly expanded second edition. At this vantage point of two decades later, it can be hard to remember how heady cryptography’s promise was back then. These were the early days of the Internet. Most of my friends had e-mail, but that was because most of my friends were techies. Few of us used the World Wide Web. There was nothing yet called electronic commerce.

Cryptography was being used by the few who cared. We could encrypt our e-mail with PGP, but mostly we didn’t. We could encrypt sensitive files, but mostly we didn’t. I don’t remember having the option of a usable full-disk encryption product, at least one that I would trust to be reliable.

What we did have were ideas—research and engineering ideas—and that was the point of Applied Cryptography. My goal in writing the book was to collect all the good ideas of academic cryptography under one cover and in a form that non-mathematicians could read and use.

What we also had, more important than ideas, was the unshakable belief that technology trumped politics. You can see it in John Perry Barlow’s 1996 “Declaration of the Independence of Cyberspace,” where he told governments, “You have no moral right to rule us, nor do you possess any methods of enforcement that we have reason to fear.” You can see it three years earlier in cypherpunk John Gilmore’s famous quote: “The Net interprets censorship as damage and routes around it.” You can see it in the pages of Applied Cryptography. The first paragraph of the Preface, which I wrote in 1993, says, “There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.”

This was the promise of cryptography. It was the promise behind everything—from file and e-mail encryption to digital signatures, digital certified mail, secure election protocols, and digital cash. The math would give us all power and security, because math trumps everything else. It would topple everything from government sovereignty to the music industry’s attempts at stopping file sharing.

The “natural law” of cryptography is that it’s much easier to use than it is to break. To take a hand-waving example, think about basic encryption. Adding a single bit to a key, say from a 64-bit key to a 65-bit key, adds at most a small amount of work to encrypt and decrypt. But it doubles the amount of work to break. Or, more mathematically, encryption and decryption work grows linearly with key length, but cryptanalysis work grows exponentially. It’s always easier for the communicators than the eavesdropper.

It turned out that this was all true, but less important than we had believed. A few years later, we realized that cryptography was just math, and that math has no agency. In order for cryptography to actually do anything, it has to be embedded in a protocol, written in a programming language, embedded in software, run on an operating system and computer attached to a network, and used by living people. All of those things add vulnerabilities and—more importantly—they’re more conventionally balanced. That is, there’s no inherent advantage for the defender over the attacker. Spending more effort on either results in linear improvements. Even worse, the attacker generally has an inherent advantage over the defender, at least today.

So when we learn about the NSA through the documents provided by Edward Snowden, we find that most of the time the NSA breaks cryptography by circumventing it. The NSA hacks the computers doing the encryption and decryption. It exploits bad implementations. It exploits weak or default keys. Or it “exfiltrates”—NSA-speak for steals—keys. Yes, it has some mathematics that we don’t know about, but that’s the exception. The most amazing thing about the NSA as revealed by Snowden is that it isn’t made of magic.

This doesn’t mean that cryptography is useless: far from it. What cryptography does is raise both the cost and risk of attack. Data zipping around the Internet unencrypted can be collected wholesale with minimal effort. Encrypted data has to be targeted individually. The NSA—or whoever is after your data—needs to target you individually and attack your computer and network specifically. That takes time and manpower, and is inherently risky. No organization has enough budget to do that to everyone; they have to pick and choose. While ubiquitous encryption won’t eliminate targeted collection, it does have the potential to make bulk collection infeasible. The goal is to leverage the economics, the physics, and the math.

There’s one more problem, though—one that the Snowden documents have illustrated well. Yes, technology can trump politics, but politics can also trump technology. Governments can use laws to subvert cryptography. They can sabotage the cryptographic standards in the communications and computer systems you use. They can deliberately insert backdoors into those same systems. They can do all of those, and then forbid the corporations implementing those systems to tell you about it. We know the NSA does this; we have to assume that other governments do the same thing.

Never forget, though, that while cryptography is still an essential tool for security, cryptography does not automatically mean security. The technical challenges of implementing cryptography are far more difficult than the mathematical challenges of making the cryptography secure. And remember that the political challenges of being able to implement strong cryptography are just as important as the technical challenges. Security is only as strong as the weakest link, and the further away you get from the mathematics, the weaker the links become.

The 1995 world of Applied Cryptography, Second Edition, was very different from today’s world. That was a singular time in academic cryptography, when I was able to survey the entire field of research and put everything under one cover. Today, there’s too much, and the task of compiling it all is just too great. For those who want a more current book, I recommend Cryptography Engineering, which I wrote in 2010 with Niels Ferguson and Tadayoshi Kohno. But for a review of those heady times of the mid-1990s, and an introduction to what has become an essential technology of the Internet, Applied Cryptography still holds up surprisingly well.

—Minneapolis, Minnesota, and Cambridge, Massachusetts, January 2015

Foreword By Whitfield Diffie

The literature of cryptography has a curious history. Secrecy, of course, has always played a central role, but until the First World War, important developments appeared in print in a more or less timely fashion and the field moved forward in much the same way as other specialized disciplines. As late as 1918, one of the most influential cryptanalytic papers of the twentieth century, William F. Friedman’s monograph The Index of Coincidence and Its Applications in Cryptography, appeared as a research report of the private Riverbank Laboratories [577]. And this, despite the fact that the work had been done as part of the war effort. In the same year Edward H. Hebern of Oakland, California filed the first patent for a rotor machine [710], the device destined to be a mainstay of military cryptography for nearly 50 years.

After the First World War, however, things began to change. U.S. Army and Navy organizations, working entirely in secret, began to make fundamental advances in cryptography. During the thirties and forties a few basic papers did appear in the open literature and several treatises on the subject were published, but the latter were farther and farther behind the state of the art. By the end of the war the transition was complete. With one notable exception, the public literature had died. That exception was Claude Shannon’s paper “The Communication Theory of Secrecy Systems,” which appeared in the Bell System Technical Journal in 1949 [1432]. It was similar to Friedman’s 1918 paper, in that it grew out of wartime work of Shannon’s. After the Second World War ended it was declassified, possibly by mistake.

From 1949 until 1967 the cryptographic literature was barren. In that year a different sort of contribution appeared: David Kahn’s history, The Codebreakers [794]. It didn’t contain any new technical ideas, but it did contain a remarkably complete history of what had gone before, including mention of some things that the government still considered secret. The significance of The Codebreakers lay not just in its remarkable scope, but also in the fact that it enjoyed good sales and made tens of thousands of people, who had never given the matter a moment’s thought, aware of cryptography. A trickle of new cryptographic papers began to be written.

At about the same time, Horst Feistel, who had earlier worked on identification friend or foe devices for the Air Force, took his lifelong passion for cryptography to the IBM Watson Laboratory in Yorktown Heights, New York. There, he began development of what was to become the U.S. Data Encryption Standard; by the early 1970s several technical reports on this subject by Feistel and his colleagues had been made public by IBM [1482,1484,552].

This was the situation when I entered the field in late 1972. The cryptographic literature wasn’t abundant, but what there was included some very shiny nuggets.

Cryptology presents a difficulty not found in normal academic disciplines: the need for the proper interaction of cryptography and cryptanalysis. This arises out of the fact that in the absence of real communications requirements, it is easy to propose a system that appears unbreakable. Many academic designs are so complex that the would-be cryptanalyst doesn’t know where to start; exposing flaws in these designs is far harder than designing them in the first place. The result is that the competitive process, which is one strong motivation in academic research, cannot take hold.

When Martin Hellman and I proposed public-key cryptography in 1975 [496], one of the indirect aspects of our contribution was to introduce a problem that does not even appear easy to solve. Now an aspiring cryptosystem designer could produce something that would be recognized as clever—something that did more than just turn meaningful text into nonsense. The result has been a spectacular increase in the number of people working in cryptography, the number of meetings held, and the number of books and papers published.

In my acceptance speech for the Donald E. Fink award—given for the best expository paper to appear in an IEEE journal—which I received jointly with Hellman in 1980, I told the audience that in writing “Privacy and Authentication,” I had an experience that I suspected was rare even among the prominent scholars who populate the IEEE awards ceremony: I had written the paper I had wanted to study, but could not find, when I first became seriously interested in cryptography. Had I been able to go to the Stanford bookstore and pick up a modern cryptography text, I would probably have learned about the field years earlier. But the only things available in the fall of 1972 were a few classic papers and some obscure technical reports.

The contemporary researcher has no such problem. The problem now is choosing where to start among the thousands of papers and dozens of books. The contemporary researcher, yes, but what about the contemporary programmer or engineer who merely wants to use cryptography? Where does that person turn? Until now, it has been necessary to spend long hours hunting out and then studying the research literature before being able to design the sort of cryptographic utilities glibly described in popular articles.

This is the gap that Bruce Schneier’s Applied Cryptography has come to fill. Beginning with the objectives of communication security and elementary examples of programs used to achieve these objectives, Schneier gives us a panoramic view of the fruits of 20 years of public research. The title says it all; from the mundane objective of having a secure conversation the very first time you call someone to the possibilities of digital money and cryptographically secure elections, this is where you’ll find it.

Not satisfied that the book was about the real world merely because it went all the way down to the code, Schneier has included an account of the world in which cryptography is developed and applied, and discusses entities ranging from the International Association for Cryptologic Research to the NSA.

When public interest in cryptography was just emerging in the late seventies and early eighties, the National Security Agency (NSA), America’s official cryptographic organ, made several attempts to quash it. The first was a letter from a long-time NSA employee allegedly, avowedly, and apparently acting on his own. The letter was sent to the IEEE and warned that the publication of cryptographic material was a violation of the International Traffic in Arms Regulations (ITAR). This viewpoint turned out not even to be supported by the regulations themselves—which contained an explicit exemption for published material—but gave both the public practice of cryptography and the 1977 Information Theory Workshop lots of unexpected publicity.

A more serious attempt occurred in 1980, when the NSA funded the American Council on Education to examine the issue with a view to persuading Congress to give it legal control of publications in the field of cryptography. The results fell far short of NSA's ambitions and resulted in a program of voluntary review of cryptographic papers; researchers were requested to ask the NSA's opinion on whether disclosure of results would adversely affect the national interest before publication.

As the eighties progressed, pressure focused more on the practice than the study of cryptography. Existing laws gave the NSA the power, through the Department of State, to regulate the export of cryptographic equipment. As business became more and more international and the American fraction of the world market declined, the pressure to have a single product in both domestic and offshore markets increased. Such single products were subject to export control and thus the NSA acquired substantial influence not only over what was exported, but also over what was sold in the United States.

As this is written, a new challenge confronts the public practice of cryptography. The government has augmented the widely published and available Data Encryption Standard, with a secret algorithm implemented in tamper-resistant chips. These chips will incorporate a codified mechanism of government monitoring. The negative aspects of this “key-escrow” program range from a potentially disastrous impact on personal privacy to the high cost of having to add hardware to products that had previously encrypted in software. So far key escrow products are enjoying less than stellar sales and the scheme has attracted widespread negative comment, especially from the independent cryptographers. Some people, however, see more future in programming than politicking and have redoubled their efforts to provide the world with strong cryptography that is accessible to public scrutiny.

A sharp step back from the notion that export control law could supersede the First Amendment seemed to have been taken in 1980 when the Federal Register announcement of a revision to ITAR included the statement: “… provision has been added to make it clear that the regulation of the export of technical data does not purport to interfere with the First Amendment rights of individuals.” But the fact that tension between the First Amendment and the export control laws has not gone away should be evident from statements at a conference held by RSA Data Security. NSA’s representative from the export control office expressed the opinion that people who published cryptographic programs were “in a grey area” with respect to the law. If that is so, it is a grey area on which the first edition of this book has shed some light. Export applications for the book itself have been granted, with acknowledgement that published material lay beyond the authority of the Munitions Control Board. Applications to export the enclosed programs on disk, however, have been denied.

The shift in the NSA’s strategy, from attempting to control cryptographic research to tightening its grip on the development and deployment of cryptographic products, is presumably due to its realization that all the great cryptographic papers in the world do not protect a single bit of traffic. Sitting on the shelf, this volume may be able to do no better than the books and papers that preceded it, but sitting next to a workstation, where a programmer is writing cryptographic code, it just may.

Whitfield Diffie

Mountain View, CA

Preface

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world’s best safecrackers can study the locking mechanism—and you still can’t open the safe and read the letter—that’s security.

For many years, this sort of cryptography was the exclusive domain of the military. The United States’ National Security Agency (NSA), and its counterparts in the former Soviet Union, England, France, Israel, and elsewhere, have spent billions of dollars in the very serious game of securing their own communications while trying to break everyone else’s. Private individuals, with far less expertise and budget, have been powerless to protect their own privacy against these governments.

During the last 20 years, public academic research in cryptography has exploded. While classical cryptography has long been used by ordinary citizens, computer cryptography was the exclusive domain of the world's militaries since World War II. Today, state-of-the-art computer cryptography is practiced outside the secured walls of the military agencies. The layperson can now employ security practices that can protect against the most powerful of adversaries—security that may protect against military agencies for years to come.

Do average people really need this kind of security? Yes. They may be planning a political campaign, discussing taxes, or having an illicit affair. They may be designing a new product, discussing a marketing strategy, or planning a hostile business takeover. Or they may be living in a country that does not respect the rights of privacy of its citizens. They may be doing something that they feel shouldn’t be illegal, but is. For whatever reason, the data and communications are personal, private, and no one else’s business.

This book is being published in a tumultuous time. In 1994, the Clinton administration approved the Escrowed Encryption Standard (including the Clipper chip and Fortezza card) and signed the Digital Telephony bill into law. Both of these initiatives try to ensure the government’s ability to conduct electronic surveillance.

Some dangerously Orwellian assumptions are at work here: that the government has the right to listen to private communications, and that there is something wrong with a private citizen trying to keep a secret from the government. Law enforcement has always been able to conduct court-authorized surveillance if possible, but this is the first time that the people have been forced to take active measures to make themselves available for surveillance. These initiatives are not simply government proposals in some obscure area; they are preemptive and unilateral attempts to usurp powers that previously belonged to the people.

Clipper and Digital Telephony do not protect privacy; they force individuals to unconditionally trust that the government will respect their privacy. The same law enforcement authorities who illegally tapped Martin Luther King Jr.’s phones can easily tap a phone protected with Clipper. In the recent past, local police authorities have either been charged criminally or sued civilly in numerous jurisdictions—Maryland, Connecticut, Vermont, Georgia, Missouri, and Nevada—for conducting illegal wiretaps. It’s a poor idea to deploy a technology that could some day facilitate a police state.

The lesson here is that it is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics. Encryption is too important to be left solely to governments.

This book gives you the tools you need to protect your own privacy; cryptography products may be declared illegal, but the information will never be.

HOW TO READ THIS BOOK

I wrote Applied Cryptography to be both a lively introduction to the field of cryptography and a comprehensive reference. I have tried to keep the text readable without sacrificing accuracy. This book is not intended to be a mathematical text. Although I have not deliberately given any false information, I do play fast and loose with theory. For those interested in formalism, there are copious references to the academic literature.

Chapter 1 introduces cryptography, defines many terms, and briefly discusses precomputer cryptography.

Chapters 2 through 6 (Part I) describe cryptographic protocols: what people can do with cryptography. The protocols range from the simple (sending encrypted messages from one person to another) to the complex (flipping a coin over the telephone) to the esoteric (secure and anonymous digital money exchange). Some of these protocols are obvious; others are almost amazing. Cryptography can solve a lot of problems that most people never realized it could.

Chapters 7 through 10 (Part II) discuss cryptographic techniques. All four chapters in this section are important for even the most basic uses of cryptography. Chapters 7 and 8 are about keys: how long a key should be in order to be secure, how to generate keys, how to store keys, how to dispose of keys, and so on. Key management is the hardest part of cryptography and often the Achilles’ heel of an otherwise secure system. Chapter 9 discusses different ways of using cryptographic algorithms, and Chapter 10 gives the odds and ends of algorithms: how to choose, implement, and use algorithms.

Chapters 11 through 23 (Part III) list algorithms. Chapter 11 provides the mathematical background. This chapter is only required if you are interested in public-key algorithms. If you just want to implement DES (or something similar), you can skip ahead. Chapter 12 discusses DES: the algorithm, its history, its security, and some variants. Chapters 13, 14, and 15 discuss other block algorithms; if you want something more secure than DES, skip to the sections on IDEA and triple-DES. If you want to read about a bunch of algorithms, some of which may be more secure than DES, read all three chapters. Chapters 16 and 17 discuss stream algorithms. Chapter 18 focuses on one-way hash functions; MD5 and SHA are the most common, although I discuss many more. Chapter 19 discusses public-key encryption algorithms, Chapter 20 discusses public-key digital signature algorithms, Chapter 21 discusses public-key identification algorithms, and Chapter 22 discusses public-key key exchange algorithms. The important algorithms are RSA, DSA, Fiat-Shamir, and Diffie-Hellman, respectively. Chapter 23 has more esoteric public-key algorithms and protocols; the math in this chapter is quite complicated, so wear your seat belt.

Chapters 24 and 25 (Part IV) turn to the real world of cryptography. Chapter 24 discusses some of the current implementations of these algorithms and protocols, while Chapter 25 touches on some of the political issues surrounding cryptography. These chapters are by no means intended to be comprehensive.

Also included are source code listings for 10 algorithms discussed in Part III. I was unable to include all the code I wanted to due to space limitations, and cryptographic source code cannot otherwise be exported. (Amazingly enough, the State Department allowed export of the first edition of this book with source code, but denied export for a computer disk with the exact same source code on it. Go figure.) An associated source code disk set includes much more source code than I could fit in this book; it is probably the largest collection of cryptographic source code outside a military institution. I can only send source code disks to U.S. and Canadian citizens living in the U.S. and Canada, but hopefully that will change someday. If you are interested in implementing or playing with the cryptographic algorithms in this book, get the disk. See the last page of the book for details.

One criticism of this book is that its encyclopedic nature takes away from its readability. This is true, but I wanted to provide a single reference for those who might come across an algorithm in the academic literature or in a product. For those who are more interested in a tutorial, I apologize. A lot is being done in the field; this is the first time so much of it has been gathered between two covers. Even so, space considerations forced me to leave many things out. I covered topics that I felt were important, practical, or interesting. If I couldn’t cover a topic in depth, I gave references to articles and papers that did.

I have done my best to hunt down and eradicate all errors in this book, but many have assured me that it is an impossible task. Certainly, the second edition has far fewer errors than the first. An errata listing is available from me and will be periodically posted to the Usenet newsgroup sci.crypt. If any reader finds an error, please let me know. I’ll send the first person to find each error in the book a free copy of the source code disk.

Acknowledgments

The list of people who had a hand in this book may seem unending, but all are worthy of mention. I would like to thank Don Alvarez, Ross Anderson, Dave Balenson, Karl Barrus, Steve Bellovin, Dan Bernstein, Eli Biham, Joan Boyar, Karen Cooper, Whit Diffie, Joan Feigenbaum, Phil Karn, Neal Koblitz, Xuejia Lai, Tom Leranth, Mike Markowitz, Ralph Merkle, Bill Patton, Peter Pearson, Charles Pfleeger, Ken Pizzini, Bart Preneel, Mark Riordan, Joachim Schurman, and Marc Schwartz for reading and editing all or parts of the first edition; Marc Vauclair for translating the first edition into French; Abe Abraham, Ross Anderson, Dave Banisar, Steve Bellovin, Eli Biham, Matt Bishop, Matt Blaze, Gary Carter, Jan Camenisch, Claude Crépeau, Joan Daemen, Jorge Davila, Ed Dawson, Whit Diffie, Carl Ellison, Joan Feigenbaum, Niels Ferguson, Matt Franklin, Rosario Gennaro, Dieter Gollmann, Mark Goresky, Richard Graveman, Stuart Haber, Jingman He, Bob Hogue, Kenneth Iversen, Markus Jakobsson, Burt Kaliski, Phil Karn, John Kelsey, John Kennedy, Lars Knudsen, Paul Kocher, John Ladwig, Xuejia Lai, Arjen Lenstra, Paul Leyland, Mike Markowitz, Jim Massey, Bruce McNair, William Hugh Murray, Roger Needham, Clif Neuman, Kaisa Nyberg, Luke O'Connor, Peter Pearson, René Peralta, Bart Preneel, Yisrael Radai, Matt Robshaw, Michael Roe, Phil Rogaway, Avi Rubin, Paul Rubin, Selwyn Russell, Kazue Sako, Mahmoud Salmasizadeh, Markus Stadler, Dmitry Titov, Jimmy Upton, Marc Vauclair, Serge Vaudenay, Gideon Yuval, Glen Zorn, and several anonymous government employees for reading and editing all or parts of the second edition; Lawrie Brown, Leisa Condie, Joan Daemen, Peter Gutmann, Alan Insley, Chris Johnston, John Kelsey, Xuejia Lai, Bill Leininger, Mike Markowitz, Richard Outerbridge, Peter Pearson, Ken Pizzini, Colin Plumb, RSA Data Security, Inc., Michael Roe, Michael Wood, and Phil Zimmermann for providing source code; Paul MacNerland for creating the figures for the first edition; Karen Cooper for copyediting the second edition; Beth Friedman for proofreading the second edition; Carol Kennedy for indexing the second edition; the readers of sci.crypt and the Cypherpunks mailing list for commenting on ideas, answering questions, and finding errors in the first edition; Randy Seuss for providing Internet access; Jeff Duntemann and Jon Erickson for helping me get started; assorted random Insleys for the impetus, encouragement, support, conversations, friendship, and dinners; and AT&T Bell Labs for firing me and making this all possible. All these people helped to create a far better book than I could have created alone.

Bruce Schneier

About the Author

BRUCE SCHNEIER is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of twelve books, including his seminal work, Applied Cryptography: Protocols, Algorithms, and Source Code in C, and Secrets & Lies: Digital Security in a Networked World, which has become a classic, as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, and an Advisory Board member of the Electronic Privacy Information Center. He is also the Chief Technology Officer of Resilient Systems, Inc. You can read his blog, essays, and academic papers at www.schneier.com. He tweets at @schneierblog.

CHAPTER 1 Foundations

1.1 TERMINOLOGY

Sender and Receiver