Building a Better Web
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

The art and craft of secrets: Using the cryptographic toolbox

Michael Swieton (Atomic Object)
11:00am–11:40am Thursday, June 14, 2018
Security
Location: 212 A/B
Secondary topics: Best practice, Technical, Web Pillars Track: Performance, Security, Accessibility
Average rating: 4.00 (2 ratings)

Who is this presentation for?

  • Full stack and web developers

Prerequisite knowledge

  • An understanding of web basics (requests, cookies, etc.)

What you'll learn

  • Explore the cryptographic ecosystem and learn how these tools come together to enable user-visible functionality like secure sessions, user authentication, and single sign-ons

Description

In 1970, a small group of activists broke into a draft board office in Delaware to steal records. These records were stored in a secure room, and none of the activists was able to pick the lock. Instead, hours before the planned robbery, one of them pasted a note on the door reading “Please don’t lock this door tonight.” When they arrived after hours, the door was open.

The moral of the story is that security is not about picking the right lock. It’s about how the different pieces all come together to make a complete system.

Securing any software system usually isn’t about picking a better cipher algorithm (i.e., a better lock). It’s about the way that cipher works with a sophisticated suite of related security tools to provide trust and privacy. Michael Swieton explores how the cryptographic ecosystem—which includes tools such as public key cryptography, signatures, password hashes, key exchange, and stream ciphers—provides security for our applications and explains how these tools come together to enable user-visible functionality like secure sessions, user authentication, and single sign-ons. Along the way, you’ll learn about real implementations by digging under the hood of HTTP requests to popular websites.

These tools and technologies are not new, shiny, or hip, but they are complicated, critical, and ubiquitous. Understanding the tools in the toolbox will make you better equipped to create, debug, and deploy your applications.

Michael Swieton

Atomic Object

Michael Swieton is a software developer at Atomic Object. For more than a decade, Michael has written, tweaked, bent, and broken code into the shape of software of all sorts for many industries. He obsesses over details, lines, and patterns and enjoys peeking under the hood of everything, be it math, software, coffee, or cake. He travels regularly and seeks out adventures ranging from theatre and culture to altitude sickness. He’s a frequent speaker at conferences and meetups, including RailsConf, Windy City Rails, SyntaxCon, BeerCityCode, and GLSEC.