Further Reading: Cryptography Fundamentals
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 5, which puts these primitives to work.
A reminder before you go deeper: the goal is to use cryptography correctly, not to become a cryptographer. The most valuable thing you can take from any of these is judgment about how crypto fails in practice — which is mostly engineering and operations, not mathematics.
Suggested order
- Read Serious Cryptography (Aumasson) selectively — the chapters on hashing, authenticated encryption, and RSA/ECC — for the best modern, practitioner-friendly grounding of this chapter.
- Skim the NIST standards below to see what "use AES/SHA-2/digital signatures" actually points to in authoritative form; treat them as references, not cover-to-cover reads.
- Browse OWASP's cryptographic-storage and password-storage guidance for the concrete "what to do" that operationalizes §4.4 and §4.7.
- Keep your Security+ / CISSP study guide nearby for the exam framing of the terms.
Standards & primary documents (Tier 1)
- NIST, FIPS 197: Advanced Encryption Standard (AES). 🏗️📜 The standard that defines AES, the symmetric cipher you will use for essentially all encryption. You will not read it for pleasure, but know it is the authoritative source behind "use AES-256."
- NIST, FIPS 180-4: Secure Hash Standard (SHS). 🏗️📜 Defines the SHA-2 family (including SHA-256), the hashing you use for integrity. (FIPS 202 defines the newer SHA-3 family.)
- NIST, FIPS 186: Digital Signature Standard (DSS). 🏗️📜 The authoritative source for the digital-signature algorithms (RSA, ECDSA) behind §4.5. (HMAC is specified in FIPS 198-1.)
- NIST SP 800-57, Recommendation for Key Management. 🏗️📋 The standard treatment of the topic §4.7 calls "where defenders actually win or lose" — key lengths, lifecycles, and crypto-period guidance. Skim Part 1; return to it when you operate keys in Chapters 5 and 20.
- NIST SP 800-63B, Digital Identity Guidelines (authentication). 🏗️📋📜 The authoritative modern guidance on password and secret storage (salting, memory-hard hashing) that underpins §4.4; central again in Chapter 16.
- OWASP Cryptographic Storage Cheat Sheet and Password Storage Cheat Sheet. 🏗️🛡️ The most practical free "do this, not that" for §4.4 and §4.7 — concrete algorithm and parameter recommendations (Argon2, bcrypt) you can apply directly.
Books (Tier 1)
- Aumasson, J.-P., Serious Cryptography (2nd ed.). 🏗️📜 The best single modern book for a defender: rigorous but readable, focused on how real cryptography works and fails (authenticated encryption, randomness, RSA/ECC, common pitfalls). If you read one book from this chapter, read this.
- Katz, J., & Lindell, Y., Introduction to Modern Cryptography. 🏗️ The standard rigorous textbook for the mathematics and definitions behind everything here. Dip in when you want the why under a primitive; more formal than a defender strictly needs, invaluable when you want depth.
- Ferguson, N., Schneier, B., & Kohno, T., Cryptography Engineering. 🏗️📋 Focused precisely on the gap this chapter lives in — how to use cryptography correctly in real systems and avoid the engineering mistakes that cause breaches. Excellent on key management and "don't roll your own."
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide / Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 The exam-aligned framing of this chapter's vocabulary (symmetric/asymmetric, hashing, PKI, key management) at the depth the certifications test.
Free online & talks (Tier 1 / Tier 2)
- Cryptopals Crypto Challenges (cryptopals.com). 🏗️ A hands-on, defender-friendly way to internalize why weak modes (ECB), bad randomness, and missing integrity fail — by working with them in your own environment. The single best way to make §4.2 and §4.7 stick. (Tier 2: community resource; the lessons are sound.)
- The SHA-1 collision ("SHAttered") announcement. 🏗️🛡️ A reputable write-up of the first practical SHA-1 collision. Concretely grounds why §4.4 retires SHA-1 from signing and integrity. (Tier 2: read a well-sourced account; the underlying result is real and widely documented.)
- Have I Been Pwned (haveibeenpwned.com). 🛡️📋 A live demonstration of Case Study 2's reality — the scale of leaked credentials feeding credential stuffing. Previews the breached-password defenses of Chapter 16.
Tools to explore (in your own lab only)
- Your platform's standard crypto library (e.g., Python's cryptography package; libsodium). 🏗️ The correct way to apply this chapter — high-level, hard-to-misuse APIs that make the safe path the default (authenticated encryption, CSPRNG nonces). The best lab is implementing §4.2 correctly with one of these.
- A password-hashing library (Argon2 / bcrypt bindings). 🏗️ Hash a password with an appropriate work factor and observe how long it takes — feel the §4.4 "slow on purpose" property directly.
⚖️ Authorization & Ethics reminder: Several of these resources (Cryptopals, collision demos) involve attacking weak cryptography. Study them to understand how crypto fails so you can prevent it — and apply these techniques only to systems and data you own or are explicitly authorized to test (Chapter 39).