Chapter 6. Cryptography

Only amateurs attack machines; professionals target people.

Bruce Schneier

The purpose of this chapter is not to make you an expert in cryptography but to give you a basic overview, focusing on the most important issues to wireless developers. After reading this chapter, you should have a general understanding of the following:

What applied cryptography is (and is not)

What it can (and cannot) accomplish

How it should (and should not) be used

What a secure encryption mode looks like

Which common pitfalls are associated with the use of cryptography in secure applications

This chapter is based on the unpublished work Introduction to Applied Cryptography by Tadayoshi Kohno (tkohno@acm.org). We have simplified certain concepts to make them more understandable to the noncryptographer. Therefore, it would be a mistake to read this chapter and then go off and spin your own cryptographic algorithms. Portions of this chapter may delve beyond the extent of your mathematical knowledge, or some concepts may be difficult to grasp. However, there are two primary lessons to be learned and kept in mind when working with cryptographic issues:

1. Cryptography is not security. In particular, application security is more than just cryptography. Strong cryptography is usually a prerequisite for secure applications, but the mere use of cryptography cannot guarantee that an application will be secure.

2. Cryptography is not easy. Because cryptography is so difficult (yet so important for the security of many applications), developers should not invent their own cryptographic algorithms. They should use only well-known, trusted algorithms in their applications. When this is not possible, they should seek the advice of experienced cryptographers.