I completely disagree. A person who is really passionate about IT security will know about cryptography because they are interested in how security works, not because it's a requirement for the job interview. In fact, I am surprised at the number of highly paid security 'professionals' who are little more than auditors with a pen and a form to tick.
Asking about crypto is a great way to weed out the auditors from the pros. There is also a difference between cryptographic algorithms and cryptographic implementations. I wouldn't expect you to write algorithms, but I definitely would like you to explain real-life implementations. A good set of crypto questions to ask, that are quite basic and yet will trip up lots of security pros:
* What's the difference between a Verisign certificate and a self-signed certificate?
* In which environment would I use the Verisign cert and in which one would I use a self-signed?
* In what cases would I expect the Verisign cert to generate warnings in my browser? What about the self-signed? How do I fix these errors?
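An added illustration for the three questions above, not code from any poster in the thread: it builds a throwaway PKI with the openssl CLI and then runs the same two checks a browser performs on a server certificate, chain-to-a-trusted-root and hostname match. The private root CA stands in for a public CA such as Verisign; the hostname, names and keys are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a private CA, a CA-issued server cert and a
# self-signed server cert, then validates each the way a browser would.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"   # constructed hostname; the .test TLD is reserved for examples

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat >"$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

build_pki() {
  # (a) A private root CA: the stand-in for a public CA the browser already trusts.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/pki.cnf" -extensions v3_ca -subj "/CN=Example Private Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # (b) A server cert issued by that CA: CSR from the server key, signed with the CA key.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.crt" >/dev/null 2>&1
  # (c) A self-signed server cert: same name and extensions, but the signer is the server itself.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/pki.cnf" -extensions v3_leaf -subj "/CN=$HOST" \
    -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

# verify_as_browser CERT TRUSTSTORE HOSTNAME -> prints "ok" or "fail".
# Same two checks a browser applies: chain to a trusted root, then match the hostname
# against the certificate's subjectAltName.
verify_as_browser() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki
echo "CA-issued cert, CA trusted, right host:  $(verify_as_browser "$WORK/leaf.crt" "$WORK/ca.crt" "$HOST")"
echo "CA-issued cert, CA trusted, wrong host:  $(verify_as_browser "$WORK/leaf.crt" "$WORK/ca.crt" other.example.test)"
echo "Self-signed cert, only the CA trusted:   $(verify_as_browser "$WORK/self.crt" "$WORK/ca.crt" "$HOST")"
echo "Self-signed cert, explicitly trusted:    $(verify_as_browser "$WORK/self.crt" "$WORK/self.crt" "$HOST")"
```

The four lines map onto the interview questions: the CA-issued certificate passes only when both the issuer is trusted and the name matches, so a public CA cert still warns on a hostname mismatch (or an expired cert, or a missing intermediate, which this toy chain does not model); the self-signed certificate fails against any trust store that does not contain it, which is exactly the browser warning, and the only "fix" that removes it is to install that certificate (or a private CA that issued it) as a trust anchor on every client, which is why self-signed certs belong in lab and internal environments rather than on a public site.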
Questions about Verisign certs vs. self-signed certs are good, because that's an issue that actually comes up in infosec.
There definitely are good crypto questions to ask. But these questions aren't those. They demonstrate only enough of a command of cryptography to pass an interview. They're signalling questions, not assessment questions.
And, with the exception of things like "what's wrong with self-signed certificates", the real crypto questions will weed out essentially 100% of your candidates (and 99% of appsec candidates as well). Note: the "real" questions I'm thinking of have very little to do with algorithms.
There's a word for things you ask about because a person who was really a member of your club would be fascinated by them: shibboleth.