Hacker News new | past | comments | ask | show | jobs | submit login

If you come from a computer science/math background, and want an intro to cryptography in general, I can strongly recommend the Coursera course from Stanford University by professor Dan Boneh - https://www.coursera.org/learn/crypto. To really understand the implementations of security libraries and tools, one should be at least familiar with the fundamentals and terminology of crypto. Otherwise you are blindly encrypting things without being aware of whether you are actually securing things.

The course is free and takes 6 weeks long, and is very interesting if you had never dwelled too deep into security or crypto. There's also a new cryptography class that will be available in September of 2017 - https://www.coursera.org/learn/crypto2.




TBH this doesn't really give you anything about best practices though. It's a bunch of base theory without anything about timing analysis, etc. It's nice to know information but I don't think it makes you a better 'secure' programmer.


This was a complaint I heard from several people I work with who took the course.


To my knowledge there has never been a timing attack documented in the wild on a remote server. They are only practical in offline scenarios with host access


Funny you should mention this in a thread about Dan Boneh's crypto class.

David Brumley and Dan Boneh, "Remote Timing Attacks Are Practical." In Proc. USENIX Security Symposium, 2003. https://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

Abstract

Timing attacks are usually used to attack weak computing devices such as smartcards. We show that timing attacks apply to general software systems. Specifically, we devise a timing attack against OpenSSL. Our experiments show that we can extract private keys from an OpenSSL-based web server running on a machine in the local network. Our results demonstrate that timing attacks against network servers are practical and therefore all security systems should defend against them.


Depends on what you mean by timing attack.

The only vulnerability of Tor, which heavily depends on cryptography, is timing analysis.

One of the most important lessons of cryptography is that it doesn't exist in a vacuum. Timing between messages and message sizes can be enough to end you.


I guess "timing analysis" means something else, more akin to correlation of meta-data. https://en.wikipedia.org/wiki/Timing_attack is pretty clear, so maybe I was referring to something else than the OP.


I loved the first crypto course.

I have been enrolled in the crypto2 class for several years now. I hope they finally offer the course, but I have low hopes.


any day now :^)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: