This is Stuff

As was concluded in the first part of this series, security without randomness is impossible. Deterministic ciphers are unable to protect against strong attackers and true random generators are impractical or hard to get, so cryptography is build on pseudorandom generators.

First two chapters of this post define what they are and explain what kind of pseudorandom generators secure cryptography needs. Third chapter introduces yet another way how to talk and think about pseudorandom generators and ciphers in general.

Cryptography & Theory is series of blog posts on things I learned in coursera stanford online crypto class. The class contained just right mixture of theory, math and programming and I enjoyed it a lot.

This first part explains what is meant by expression "good cipher". It contains definition of a cipher and multiple definitions of cipher security. Although it does not sounds like much, it is one of the most important things I learned there.

It is important because ciphers are designed to protect against well defined attacks and are vulnerable to anything else. One can not just take random cipher from build-in ciphers list of his favorite framework and call it a day. One has to understand what is he choosing and why.

The free online cryptography course I attended this April was taught by Stanford professor Dan Boneh. Its infrastructure and organization are provided by coursera company.

The course was everything I expect from an university course. It explains both the theory and its practical consequences. It shows how ciphers work, how to use them, what are their limitations and why they have been designed the way they have been designed.

Last time I wrote about cryptography, I outlined Apache Shiro crypto API and shown how to use its two symmetric ciphers. I also wrote that "You do not need more to encrypt and decrypt sensitive data in your applications."

I learned more about cryptography and found out that you need to know more. What I wrote is true to some extend, but unless you are careful your sensitive data may not be secure against all attackers.

Out of the box Shiro provides Blowfish-CBC and AES-CBC encryption methods and I recommended to use them. Both have been designed to protect against passive eavesdropping attacker and are good at it. Unfortunately, real attackers are more sophisticated and may break the system based on them.