
FWIW, I got way more value out of the Matasano challenges than studying classic ciphers.

Do you think it'd be a not-terrible idea for newcomers to focus entirely on studying this? http://www.daemonology.net/blog/2009-06-11-cryptographic-rig...




That is a pretty good list of recommendations, but I have a couple criticisms.

The recommendations are mostly low-level. None of them are wrong, but they put undue burden on developers to get details right. For example, the AES-CTR recommendation doesn't talk about nonce management, but this is critical to the security of the construction. Application developers should always use the highest-level cryptographic constructions they can get away with. As such, many of these bullet points could be replaced with a recommendation to use PGP or NaCl.

Also, the list skimps on random number recommendations. It talks a bit about how big numbers should be, but it doesn't discuss sources. This is really important as RNG is a weak point in many systems. Short answer: use /dev/urandom.
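
Added example, not part of the thread or written by any commenter: a Python sketch of why nonce management decides the security of a CTR-style construction, next to a wrapper that takes the nonce out of the caller's hands. HMAC-SHA256 stands in for AES as the keystream PRF, and the names `ctr_encrypt`, `seal` and `open_sealed` are hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: PRF(key, nonce || counter). HMAC-SHA256 stands in
    # for AES here (an assumption of this sketch, to stay stdlib-only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Low-level API: the caller picks the nonce, so the caller can get it wrong.
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    # Same key and nonce means the same keystream, which cancels out:
    # c1 ^ c2 == p1 ^ p2, with no key needed.
    c1 = ctr_encrypt(key, nonce, p1)
    c2 = ctr_encrypt(key, nonce, p2)
    return xor(c1, c2) == xor(p1, p2)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Higher-level API: a fresh nonce on every call from os.urandom (the same
    # kernel CSPRNG that backs /dev/urandom), shipped with the ciphertext.
    # Still unauthenticated: real code should use a library construction
    # such as NaCl's secretbox instead of this sketch.
    nonce = os.urandom(NONCE_LEN)
    return nonce + ctr_encrypt(key, nonce, plaintext)

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return ctr_encrypt(key, nonce, ciphertext)

if __name__ == "__main__":
    key = os.urandom(32)
    p1, p2 = b"transfer 100 to alice", b"transfer 999 to mallo"  # constructed
    print("nonce reuse leaks p1^p2:", reuse_leaks_xor(key, bytes(NONCE_LEN), p1, p2))
    a, b = seal(key, p1), seal(key, p2)
    print("fresh nonces leak p1^p2:", xor(a[NONCE_LEN:], b[NONCE_LEN:]) == xor(p1, p2))
```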


I think it depends on what your end-goal is.

If you're interested in creating a production application that uses Crypto, you should use existing high-level systems, and learn how to minimize your own areas of vulnerability. (Similar to your link)

But some people enjoy algorithms, and enjoy playing with information. That's a different goal, and a different objective, and would understandably have a different reading list.

For example, I went through a period a while ago when I was really enjoying learning about the development of the Apple II. As part of that, I read through the reference manual, and enjoyed learning various memory locations and what they did (None of which I remember, fwiw..)

I had a fun and relaxing Sunday afternoon reading the manual.. But I wouldn't expect those "skills" in Apple II memory locations to be particularly applicable to modern application development.

If you want to write an app, use tools. If you want to learn for the sake of enjoyment, that's awesome! Just remember the historical context, rather than trying to re-implement older bad practices.


I've emailed for the Matasano challenges three times from two different email addresses and never received anything.

Is it okay if I ask somebody here to send me a copy?


> I come from a proud academic background and am sufficiently optimistic about humankind that I think it's a good idea to spread some knowledge around.

This is a funny way of pointing out the arrogance in the opposing position: "You aren't smart enough to do this right (and I am talking to you specifically), so don’t even waste your time."



