There are comments flying around as to whether cryptography should be approached as a science or as engineering. It apparently started on Twitter. Bruce Schneier has weighed in and linked to an interesting essay by Colin Percival.
The actual border lands might not be surveyed yet, but I believe there's a distinct field of cryptographic engineering, just as computer architecture can be independent of circuit design. In both cases we try to establish design rules so that engineers can build things with predictable properties. In both cases we can push the envelope of those rules and yield disaster.
We establish an engineering discipline by trying to codify the design rules, teach them, build with them, and assess the results. That's what we see in security/cryptographic engineering these days. It's healthy even though we end up with occasional vulnerabilities.
I received the email displayed at the right. While Larry Grinnell is indeed a friend of mine who sends me email, the sender's email address was not his. This is one of several emails I've received, all extremely brief, and all with the exact same, format. The Subject line contains an exclamation. The body text contains my name and a single URL. I started saving them and experimenting with the URLs.
The first URL led to a place in Russia that displayed a weight-loss ad. I used a VM running Chrome to open it. When I used the same VM to open the more recent one (shown above) the VM crashed. I expected that. What I didn't expect was for it to take my whole desktop down, too.
Researchers at UCSB have demonstrated a "quantum processor" that correctly operates "Schor's algorithm for factoring primes" all of 48% of the time (Photo left, courtesy of UCSB). This has produced all sorts of dire predictions about existing cryptographic mechanisms.
This is nonsense. We don't know enough about quantum computing to believe that a practical quantum computer architecture can follow Moore's law. And so-called "quantum cryptography" is not the answer.
Students can earn CPE credits and a US Government-endorsed training certificate in information security. They study the textbook (Elementary Information Security, of course), discuss topics with me on the book's discussion forums if they want, and take on-line tests on the material. Once they pass all exams, they earn the certificate.
The U.S. government certifies courses of study in information security under the Information Assurance Courseware Evaluation (IACE) program. If a course is certified under one of the approved standards, then students are eligible to receive a certificate that carries the seal of the U.S. Committee on National Security Systems (CNSS, left) to indicate they have completed an approved course of study.
It can be challenging for an institution to get its course of study certified. Many of the topics are obvious ones for information security training, but others are relatively obscure. Several topics, like TEMPEST, COMSEC, and transmission security, have lurked in the domain of classified documents for decades.
This new text provides a comprehensive and widely available source for all topics required for NSTISSI 4011 certification. An institution can use the textbook along with the details of its NSTISSI 4011 topic mapping to establish its own certified course of study.
Elementary Information Security has been certified to conform fully to to the Committee on National Security System’s national training standard for information security professionals (NSTISSI 4011). To do this, I had to map each topic required by the standard to the information as it appears in the textbook. Instructors who map their courses to the standard must map the topics to lectures, readings, or other materials used in those courses.
I have exported the textbook's mapping to an Excel spreadsheet file. Curriculum developers may use this information to develop a course of study that complies with NSTISSI 4011 and is eligible for certification. I'm describing the courseware mapping process in another post. Read that post first.
This morning I received a flurry of unexpected email messages from Best Buy's "Reward Zone," one of those preferred customer programs. I was reading email when the messages arrived, so I immediately tried to log in to the account and check its status. I couldn't log in, so I immediately called Best Buy.