Chapter 28 Further Reading: Cryptography for Hackers

Essential References

Foundational Cryptography Texts

  • Ferguson, Niels, Bruce Schneier, and Tadayoshi Kohno. "Cryptography Engineering: Design Principles and Practical Applications." Wiley (2010). The most practical cryptography textbook for engineers and security professionals. Covers design principles, implementation pitfalls, and real-world considerations without requiring deep mathematical background. Essential reading for anyone assessing cryptographic implementations.

  • Schneier, Bruce. "Applied Cryptography: Protocols, Algorithms, and Source Code in C." Wiley (2015, 20th Anniversary Edition). The classic reference that introduced practical cryptography to the security community. While some specific algorithm recommendations are dated, the protocol analysis and design principles remain invaluable.

TLS/SSL Deep Dives

  • Rescorla, Eric. "The Transport Layer Security (TLS) Protocol Version 1.3." RFC 8446 (2018). The authoritative specification for TLS 1.3. Reading an RFC may seem daunting, but this one is well-written and provides the definitive understanding of how modern TLS works and why specific design decisions were made.

  • Ristić, Ivan. "Bulletproof TLS and PKI." Feisty Duck (2022, 2nd Edition). The most comprehensive guide to TLS deployment, configuration, and testing. Written by the creator of SSL Labs, it covers every aspect of TLS security assessment and hardening.

Books

  • Aumasson, Jean-Philippe. "Serious Cryptography: A Practical Introduction to Modern Encryption." No Starch Press (2017). Bridges the gap between theoretical cryptography textbooks and practical application. Covers all major primitives with clear explanations of why certain approaches are secure and others are not.

  • Wong, David. "Real-World Cryptography." Manning Publications (2021). Modern treatment of cryptography focused on practical application. Excellent coverage of TLS 1.3, post-quantum cryptography, and common implementation pitfalls.

  • Menezes, Alfred, Paul van Oorschot, and Scott Vanstone. "Handbook of Applied Cryptography." CRC Press (2018). The comprehensive academic reference for applied cryptography. Available free online (cacr.uwaterloo.ca/hac/). Useful for deep dives into specific algorithms and protocols.

  • Sweigart, Al. "Cracking Codes with Python." No Starch Press (2018). An accessible introduction to classical and modern cryptography through Python programming. Excellent for building intuition about encryption and cryptanalysis.

Research Papers and Technical Reports

Historical TLS Attacks

  • Duong, T. and Rizzo, J. "Here Come The XOR Ninjas." ekoparty 2011. The original BEAST paper. Technical but readable. Understanding this attack provides deep insight into CBC mode vulnerabilities.

  • Möller, B., Duong, T., and Kotowicz, K. "This POODLE Bites: Exploiting the SSL 3.0 Fallback." Google (2014). The POODLE paper. Clearly explains both the SSL 3.0 padding vulnerability and the downgrade attack mechanism.

  • Aviram, N. et al. "DROWN: Breaking TLS using SSLv2." USENIX Security 2016. The DROWN paper. Demonstrates cross-protocol attacks and the danger of shared keys. Essential reading for understanding why PFS matters.

  • Böck, H. et al. "Return Of Bleichenbacher's Oracle Threat (ROBOT)." USENIX Security 2018. Shows that a 20-year-old attack still affects modern implementations. Excellent case study in the persistence of implementation flaws.

Password Security

  • Provos, N. and Mazières, D. "A Future-Adaptable Password Scheme." USENIX 1999. The original bcrypt paper. Still relevant for understanding why password hashing must be computationally expensive.

  • Biryukov, A., Dinu, D., and Khovratovich, D. "Argon2: New Generation of Memory-Hard Functions for Password Hashing and Other Applications." Euro S&P 2016. The Argon2 paper, describing the Password Hashing Competition winner.

Post-Quantum Cryptography

  • NIST. "Post-Quantum Cryptography: Selected Algorithms 2024." NIST FIPS 203, 204, 205. The official NIST post-quantum standards. FIPS 203 covers ML-KEM (Kyber), FIPS 204 covers ML-DSA (Dilithium), and FIPS 205 covers SLH-DSA (SPHINCS+).

  • Bernstein, D. and Lange, T. "Post-Quantum Cryptography." Nature (2017). Accessible overview of the quantum threat and post-quantum approaches for a general technical audience.

Online Resources and Tools

TLS Testing Tools

  • testssl.sh (testssl.sh). The most comprehensive TLS assessment tool. Open source, actively maintained, and extremely thorough. The primary tool for TLS penetration testing.
  • sslyze (github.com/nabla-c0d3/sslyze). Python-based TLS scanner with fast parallel scanning and a Python API for automation.
  • SSL Labs Server Test (ssllabs.com/ssltest). Qualys's free online TLS assessment service. Provides detailed reports with letter grades. Useful for quick assessments.
  • Mozilla SSL Configuration Generator (ssl-config.mozilla.org). Generates secure TLS configurations for Apache, Nginx, HAProxy, and other servers. The go-to reference for TLS hardening.

Cryptographic Analysis Tools

  • CyberChef (gchq.github.io/CyberChef). "The Cyber Swiss Army Knife." Browser-based tool for encoding, decoding, encrypting, decrypting, hashing, and analyzing data. Indispensable for cryptographic analysis during penetration tests.
  • Hashcat (hashcat.net). The world's fastest password recovery tool. Supports hundreds of hash types and leverages GPU acceleration.
  • John the Ripper (openwall.com/john). The classic password cracker. Supports many hash types and integrates with various hash extraction tools.
  • RsaCtfTool (github.com/RsaCtfTool/RsaCtfTool). Automated tool for attacking weak RSA keys. Useful for CTF challenges and testing RSA implementations.

Learning Platforms

  • CryptoPals (cryptopals.com). The definitive set of practical cryptography challenges. Progresses from basic XOR through to implementing real attacks (padding oracle, CBC bit-flipping, Bleichenbacher). Highly recommended.
  • CryptoHack (cryptohack.org). Modern, gamified cryptography challenge platform. Covers RSA, elliptic curves, hash functions, and more with interactive challenges.
  • PortSwigger Web Security Academy - JWT Attacks (portswigger.net/web-security/jwt). Free, interactive labs for practicing JWT vulnerabilities, including the "none" algorithm, algorithm confusion, and weak keys.

Conferences and Talks

  • Bernstein, D. "25 Years of Attacks on RSA." CRYPTO 2019 Invited Talk. Comprehensive overview of RSA attacks from Wiener's small private exponent attack through Coppersmith, Bleichenbacher, and modern variants.

  • Bhargavan, K. and Leurent, G. "Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH." NDSS 2016. Advanced analysis of how hash collisions affect protocol security.

  • Sullivan, N. "A Primer on TLS 1.3." Cloudflare Blog (2018). Accessible introduction to TLS 1.3 from Cloudflare's head of cryptography. Excellent for understanding the practical implications of the protocol changes.

  • Langley, A. "The POODLE Attack and the End of SSL 3.0." Imperial Violet Blog (2014). Google's Adam Langley explains POODLE with clarity and context. His blog is an excellent ongoing resource for practical cryptography topics.

Standards and Specifications

  • RFC 8446: TLS 1.3 specification
  • RFC 8555: ACME protocol (Let's Encrypt)
  • RFC 7507: TLS Fallback SCSV (downgrade protection)
  • RFC 7366: Encrypt-then-MAC extension for TLS
  • NIST SP 800-52 Rev. 2: Guidelines for TLS Implementations (2019)
  • NIST SP 800-57: Key Management Recommendations
  • NIST SP 800-63B: Digital Identity Guidelines (password storage requirements)
  • PCI DSS v4.0: Payment Card Industry requirements for TLS (Section 4)

Blogs and Regular Publications

  • Matthew Green's Blog (blog.cryptographyengineering.com). A Johns Hopkins cryptography professor who writes accessible, insightful posts about cryptographic attacks, protocol design, and industry developments. His posts on Dual_EC_DRBG, Apple's iMessage encryption, and TLS attacks are essential reading.

  • Trail of Bits Blog (blog.trailofbits.com). Regular posts on applied cryptography, including audit findings, implementation flaws, and novel attacks.

  • Cloudflare Blog - Security Category (blog.cloudflare.com/tag/security). Practical posts about TLS deployment, certificate management, and cryptographic implementation at scale.

  • Adam Langley's Imperial Violet (imperialviolet.org). Deeply technical posts on TLS, certificate validation, and practical cryptography from a Google engineer.

💡 Study Recommendation: Begin with "Serious Cryptography" by Aumasson for a solid conceptual foundation. Then work through the CryptoPals challenges to develop practical skills. Use testssl.sh to practice TLS assessment on your lab servers. Finally, read the BEAST, POODLE, and DROWN papers to understand how protocol attacks work in practice. This progression will give you both the theoretical knowledge and practical skills needed for cryptographic assessment during penetration tests.