Chapter 7. Cryptography

Cryptography may be a science unto itself, but it also plays a major role in the science of cybersecurity. Bruce Schneier described it this way: “Traditional cryptography is a science—applied mathematics—and applied cryptography is engineering.” Gauss famously called mathematics “the queen of the sciences.” Like other sciences, mathematics has a pure branch (pursued with no specific application in mind) and an applied branch (the application of mathematical knowledge to engineering, the other sciences, and other fields).

Whether or not cryptography is a science, there is value in looking at how the scientific method can be used to evaluate the design and application of cryptography. In this chapter, we will look at provably secure cryptography. Those proofs have limitations, however: each proof covers only the specific attack model it defines. And despite provable security, people break or find flaws in cryptographic systems all the time. Flaws in implementation are a true and often cited reason. Cryptographic systems also suffer from defects in the noncryptographic components around them, such as cryptographic keys left unprotected in memory, careless operating system practices, and side-channel attacks (information leaking from the physical hardware that runs the cryptography).
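As an added example (not from the book), here is the gap between a provably secure primitive and a leaky implementation. HMAC-SHA256 from Python's standard library is sound, but a verifier that compares tags byte by byte and stops at the first mismatch lets an attacker who can observe how long the comparison ran recover a valid tag without ever learning the key. The instrumented verifier below exposes the number of bytes compared directly, standing in for a timing measurement; the key and message are constructed for the example, and the hardened verifier uses `hmac.compare_digest`, which does not stop early.

```python
import hashlib
import hmac

# Constructed key for the example only; a real key is random and secret.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(message: bytes, key: bytes = KEY) -> bytes:
    """HMAC-SHA256 tag. The primitive itself is fine; the bug is downstream."""
    return hmac.new(key, message, hashlib.sha256).digest()


class LeakyVerifier:
    """Verifies tags with an early-exit comparison, the classic mistake.

    verify() returns (accepted, bytes_compared). The second value is what
    an attacker would infer from wall-clock time in a real deployment.
    """

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key

    def verify(self, message: bytes, tag: bytes):
        expected = sign(message, self.key)
        if len(tag) != len(expected):
            return False, 0
        compared = 0
        for a, b in zip(expected, tag):
            compared += 1
            if a != b:  # stops at the first mismatch: this is the leak
                return False, compared
        return True, compared


def verify_constant_time(message: bytes, tag: bytes, key: bytes = KEY) -> bool:
    """Hardened verifier: compare_digest runs in time independent of where
    the first differing byte is, so no comparison count leaks."""
    return hmac.compare_digest(sign(message, key), tag)


def forge_tag(verify, message: bytes, tag_len: int = TAG_LEN) -> bytes:
    """Recover a valid tag for `message` using only the leaked count.

    For position i, try all 256 byte values; the right one is the only
    value that makes the verifier compare *past* byte i (or accept).
    Cost is at most 256 * tag_len queries instead of 256 ** tag_len.
    """
    guess = bytearray(tag_len)
    for i in range(tag_len):
        for candidate in range(256):
            guess[i] = candidate
            accepted, compared = verify(message, bytes(guess))
            if accepted or compared > i + 1:
                break
        else:
            raise RuntimeError(f"no candidate advanced past byte {i}")
    return bytes(guess)


def demo(message: bytes = b"transfer 100 to alice"):
    """Run the attack against the leaky verifier and report the results."""
    forged = forge_tag(LeakyVerifier().verify, message)
    return {
        "forged_matches_real_tag": forged == sign(message),
        "accepted_by_hardened_verifier": verify_constant_time(message, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The forged tag is genuine, so the constant-time verifier accepts it too; the point is that against `verify_constant_time` the attacker has no comparison count to drive the byte-by-byte search, and is back to guessing all 2^256 tags.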

Though there are open problems in the mathematical aspects of cryptography, you are more likely to be interested in ways to use cybersecurity science to evaluate and improve products and services. So, in this chapter we will ignore the fundamental ...
