In Review: Practical Cryptography with Go
  • Tawhid Hannan

    Practical Cryptography with Go wastes no time in making its intent clear. The book aims to arm the reader with enough information such that they can use cryptography in their day to day, correctly, safely and with a good level of understanding.

    I reckon it does this pretty well, for my money. Note that I am not a cryptographer, and what follows is by no means a review of the crypto itself. I didn't spot anything egregiously incorrect, for what it's worth.

    Let's dig into it.

    Starting Slowly

    The book builds steam slowly across chapters 1 and 2 as it aims to build up an arsenal of concepts in the reader's mind that it relies on heavily throughout the rest of the book. Chapter 1 is super short, FYI, and gives you a brief description of some of the most basic terminology in cryptography. For a book named "Practical Cryptography With Go", it's hard to knock it too much for the brevity here.

    Chapter 2 discusses a lot but goes for breadth over depth. It's a general review of things that engineers might be concerned with when trying to secure a system. For instance, you'll understand why it's so important that a number should be cryptographically random, and how to get one in Go. There is some discussion of things that aren't touched again in the book, like side channels. Whilst interesting, without building on them in some way, these don't add a lot.

    Generally speaking, this chapter would do well to focus more on concepts used in the book. This book isn't a textbook reference, and nor should it be. To that end, making this chapter more focused would have benefited it, I felt.

    The Practical Bit

    Here is where I think the book does well. It starts to cover the practicalities of securing systems. Chapter 3 runs through various cipher suites, implementation first, without bogging itself down in the theory that makes them all tick. It tackles different block cipher modes in a way that distinguishes them from a user-first perspective. The examples demonstrated these different user scenarios pretty clearly to me. The theory behind them is pretty cool, but especially for general application development, probably not so useful. Here, the book starts living up to its promise of practical cryptography for me. I would recommend reading deeper into the implementation differences here if you're interested. Whilst this book can't give you that, it does give you a good jumping-off point.

    It builds on this with a review of asymmetric key exchange in chapter 4, setting up a set of problems and then solving them step by step, starting from the core problem of setting up a secure channel over an insecure medium. It would have been nice to see a more extensive example in the book, but it covers this via a practical task. At the end of the chapter, it sets the task of building such a file encryption tool, with a solution provided by the author. One thing I enjoyed here was the breadcrumbing of problems it would solve in the final chapter, to do with identity. In some sense, chapters 1 and 2 feel like a different book almost.

    Which brings us onto chapter 5, which aims to solve the problem of identity with digital signatures. One thing that was sort of curious to me was to spend so little time discussing RSA. Now, the book explains that, as it's shown to have various vulnerabilities, it's preferred we don't use RSA. For me, RSA feels a little too common to relegate to a footnote. I have mixed feelings about this chapter. It probably covers what it needs to, yet I'm not sure how useful this chapter is to a practising application developer on its own. Here it feels like a discussion on how digital signatures are used in real-world protocols could have fit neatly just to contextualise the use of digital signatures a bit more. It comes very close to doing this in a brief nod at the PlayStation 3 when discussing ECDSA but doesn't quite commit to telling the story. These real-world stories helped my own understanding a bunch, so it feels like a missed opportunity.

    Calling it

    I can easily recommend reading this book for someone more on the green side when it comes to cryptography. You may need a little material to supplement it here and there, but it gives a good overview of core cryptography concepts in a practical way. Whilst the book does use Go, the amount of code is not too heavy at all, and Go is fairly C-like, so I'd recommend this book even if you're not a Gopher. I'd expect someone who had read this book to have no issues understanding real-world protocols such as TLS on a reasonably detailed level. The book is a little brief, and it would have been nice for the book to cover some real-world examples, but I can understand if those topics were considered out of scope. The book is free to read online, or ten dollars minimum, so pretty good value for money.