Slashdot Mirror


Cryptography and Network Security: Principles and Practice, 2nd ed.

randombit has sent us a review of William Stallings' Cryptography and Network Security: Principles and Practice, 2nd ed. The book is a history of cartoons' effects on American children. Er ... rather, the book looks at applications of cryptography in networking today. If you've read it or have comments, please add to the discussion below.

Title: Cryptography and Network Security: Principles and Practice, 2nd ed.
Author: William Stallings
Pages: 569
Publisher: Prentice Hall, 1999
Rating: 8/10
Reviewer: randombit
ISBN: 0-13-869017-0
Summary: Cryptography and Network Security examines the practical applications of cryptography in today's networked systems.

The Scenario

So, after reading Applied Cryptography and the Handbook of Applied Cryptography, you want to see some real systems at work. Enough with this academic stuff, you say. Cryptography and Network Security may be just the book for you. It covers Kerberos, X.509, PGP, S/MIME, IPSec, SSL/TLS, and SET, in much greater detail than you will find in books such as Applied Cryptography. This is a book for "real world" crypto. Even if this would be your first book on cryptography, Stallings provides most of the background you need to understand what's going on.

What's Bad?

There are a few rather annoying omissions in the book's coverage: there is no mention of Optimal Asymmetric Encryption Padding (OAEP), which is used in many of the most important new cryptography standards, and only passing references to IEEE P1363, a very important proposed standard which has already attracted copious industry and academic support.

Part 4 (System Security) is less interesting, and also does not delve as deeply into its topics as the earlier chapters do.

What's Good?

Almost everything. Stallings' writing style makes for reasonably easy reading, though those without a good background in math and programming may have problems in the denser areas.

While the focus is on practical applications, the author gives you all the information you need. Instead of covering a large number of algorithms (most of which are never used in real applications) very briefly, as Applied Cryptography does, Stallings examines in detail a small number of popular and commonly used algorithms, including IDEA, RC5, CAST-128, and Blowfish, and devotes a full chapter to DES. Public-key encryption is not ignored either, with coverage of RSA, Diffie-Hellman, DSA, and Elliptic Curve Cryptography.

But the really good stuff is in the second half of the book. Want a clear and thorough description of the IPSec protocols? Flip to chapter 13 and read away! Not to leave you hanging if you haven't been keeping up with the latest RFCs (for shame!), he also describes both the IPv4 and IPv6 packet formats. Similarly, in the section on S/MIME, before jumping straight into the cryptographic aspects, he helpfully first describes what MIME does, why it was invented, and how it works.

Handily enough, the book also makes a good introductory textbook. The explanations are clear, and little background is assumed. Also, there are problems at the end of each chapter which cover practical applications of and attacks on cryptographic systems.

So What's In It For Me?

If you want a good introduction to practical cryptography, get this book. It supplements the more theoretical focus of other popular books in the area, while still being fairly complete.


Table of Contents

Chapter 1: Introduction
  • Attacks, Services, and Mechanisms
  • Security Attacks
  • Security Services
  • A Model for Internetwork Security
  • Outline of this Book
  • Recommended Reading
Part 1: Conventional Encryption

Chapter 2: Classical Techniques

  • Conventional Encryption Model
  • Steganography
  • Classical Encryption Techniques
Chapter 3: Modern Techniques
  • Simplified DES
  • Block Cipher Principles
  • The Data Encryption Standard
  • The Strength of DES
  • Differential and Linear Cryptanalysis
  • Block Cipher Design Principles
  • Block Cipher Modes of Operation
  • Appendix: Bent Functions
Chapter 4: Algorithms
  • Triple DES
  • IDEA
  • Blowfish
  • RC5
  • CAST-128
  • RC2
  • Characteristics of Advanced Symmetric Block Ciphers
Chapter 5: Confidentiality Using Conventional Encryption
  • Placement of Encryption Function
  • Traffic Confidentiality
  • Key Distribution
  • Random Number Generation
Part 2: Public-Key Encryption and Hash Functions

Chapter 6: Public-Key Cryptography

  • Principles of Public-Key Cryptosystems
  • The RSA Algorithm
  • Key Management
  • Diffie-Hellman Key Exchange
  • Elliptic Curve Cryptography
Chapter 7: Introduction to Number Theory
  • Prime and Relatively Prime Numbers
  • Modular Arithmetic
  • Fermat's and Euler's Theorems
  • Testing for Primality
  • Euclid's Algorithm
  • The Chinese Remainder Theorem
  • Discrete Logarithms
Chapter 8: Message Authentication and Hash Functions
  • Authentication Requirements
  • Authentication Functions
  • Message Authentication Functions
  • Hash Functions
  • Security of Hash Functions and MACs
  • Appendix: Mathematical Basis of the Birthday Attack
Chapter 9: Hash and MAC algorithms
  • MD5
  • SHA-1
  • RIPEMD-160
  • HMAC
Chapter 10: Digital Signatures and Authentication Protocols
  • Digital Signatures
  • Authentication Protocols
  • Digital Signature Standard
  • Appendix: Proof of the DSS Algorithm
Part 3: Network Security Practice

Chapter 11: Authentication Applications

  • Kerberos
  • X.509 Directory Authentication Service
  • Appendix: Kerberos Encryption Techniques
Chapter 12: Electronic Mail Security
  • Pretty Good Privacy
  • S/MIME
  • Appendix: Data Compression Using ZIP
  • Appendix: Radix-64 Conversion
  • Appendix: PGP Random Number Generation
Chapter 13: IP Security
  • IP Security Overview
  • IP Security Architecture
  • Authentication Header
  • Encapsulating Security Payload
  • Combining Security Associations
  • Key Management
  • Appendix: Internetworking and Internet Protocols
Chapter 14: Web Security
  • Web Security Requirements
  • Secure Sockets Layer and Transport Layer Security
  • Secure Electronic Transaction
Part 4: System Security

Chapter 15: Intruders, Viruses, and Worms

  • Intruders
  • Viruses and Related Threats
Chapter 16: Firewalls
  • Firewall Design Principles
  • Trusted Systems
Appendix A: Projects for Teaching Cryptography and Network Security
  • Research Projects
  • Programming Projects
  • Reading/Report Assignments

Comments (5 of 20 shown)

  1. Re:Only covers half the subject, by rjh (Score: 3)

    Standard disclaimers apply, as always. (I hate living in a lawsuit-happy culture.)

    What also might be good is to include protocols which, while working today, are not scalable to future systems. Right now I'm employed by a company working in the electronic publishing market, and it's surprising how many otherwise-good ideas are completely impracticable. (The good news is, the worst offenders are all proprietary. The open systems have fared the best.)

    Last year during CRYPTO99, some IBM researchers released a paper which was lauded as having provable security. Caused a minor media uproar, up until it was broken. Turns out that if you can create an environment where just one of the assumptions behind the protocol is no longer valid, the entire protocol falls apart. I can't think of the name of it for the life of me, though. It didn't exactly impress me as being the Holy Grail, and I wasn't exactly surprised when it was broken.

    Another good example is Microsoft's Virtual Private Networking. Version 1.0 was horribly broken; version 2.0 was a considerable improvement, but since it was (is) downwardly-compatible with 1.0, it's also bug-compatible with 1.0.

    Then there's Netscape's SSL difficulties from version 3 (?). Although the SSL protocol was implemented correctly, Netscape's random number generator was deterministic.

    Then there was the telco which was using the standard C rand() function to create random session keys (company name withheld, but yes, it's a big one).

    A major credit-card company (you probably have one of their cards in your wallet) depends on nobody being able to break repeated-XOR encryption and having enough knowledge of IBM's SNA in order to eavesdrop on their network.

    ... I don't know as much about academic protocols being broken through the standard literature as I do about brain-damaged implementations of protocols. I'm a practical cryptographer, not a theoretical one. But good God, if you were to make a top ten list of the stupidest protocols (and implementations thereof), you'd spend years just trying to whittle the list of thousands of candidates down to the ten worst.

    I don't know. I'd have to think about it for a while to come up with my own list of candidates for the Provably Stupid award. Ask me again tomorrow and I might have a better idea. :)

  2. Re:Only covers half the subject, by hardcorebit (Score: 3)

    Violent agreement on the idea of a book on failed protocols. I think protocol design is one of the areas which is needed most and understood least in cryptography. We're a long way from Bellare's "a cryptographer is a machine which turns primitives into protocols"...

    Can we start compiling some examples of protocols, exercises, and material which would go into such a book?

    Avi Rubin and Matt Franklin had a course on "Protocol Design" at NYU (http://cs.nyu.edu/cs/dept_info/course_home_pages/fall96/G22.3033.02/) which has a list of references and some problem sets. In particular, there's a reference to some papers like

    J. Moore, "Protocol Failures in Cryptosystems," Proceedings of the IEEE, 5(76), 1988, 594-602.

    and

    P. Syverson, "Limitations on Design Principles for Public Key Protocols," IEEE Symposium on Security and Privacy, Oakland, CA, 1996, 62-72.

    which look very interesting.

    The differences between SSL 1.0, 2.0 and 3.0 should be in such a book as well. Especially the attacks in which an adversary can force use of a weaker cipher.

    You'd probably also want a discussion of "security proofs" and "definitions of security." In particular, pointing out limitations in such things as BAN logic. I don't know much about specific failures here; anyone have an example?

    A while back I asked on sci.crypt about "provably stupid protocols" -- protocols where the proofs were _correct_, but according to misguided definitions. Looking that up in Deja would produce some possible examples (though maybe not protocols in the sense you may be using).

    What else?

  3. Cryptography Books, by Haplo (Score: 4)

    I took a data security class last semester, and our books for it were this one and Applied Cryptography. AC was a better book, hands down. It seemed that everything that was in the Stallings book was also in Applied Crypto, and more. Maybe AC was just easier for me to read, or something, but if you are going to buy a book on cryptography I would recommend Applied Cryptography over Cryptography and Net Security.

    Just my $.02

  4. Only covers half the subject, by rjh (Score: 5)

    I am an InfoSec consultant in real life, but I am not speaking in any professional capacity here.

    First, I've got to say that I'm glad that someone has come out with a companion to Applied Cryptography; where Applied Cryptography talks about ciphers in some detail, it's woefully light on protocols--and most of the interesting security attacks out there are protocol attacks, not cipher attacks. If the review posted is accurate, then we can use it as an adjunct to Menezes and Schneier, not as a replacement. This is a Good Thing(tm).

    Second, for all that I'm looking forward to buying this book, I think that it ignores a very rich and informative part of the subject. Why not take a book of the same size and cover failed protocols, and explain where the protocols failed and why? I like to joke that there are only three or four different protocol attacks; software authors just insist on renaming them for every new system. An awful lot of good could be done by educating software engineers about what has failed, in the hopes that people will learn and not make those same mistakes again.

    I'm grateful to Bruce Schneier and Alfred Menezes for their introductory works in crypto (and compared to graduate-level mathematics, Schneier's and Menezes' books are introductory), but I sometimes fear that they lull software engineers into a false sense of security; people think that "well, since Schneier says 3DES is secure, I can just use that and be safe". It's very tempting to do that, but security is not something which can be added into a piece of software like you can add salt to a recipe. It is a mistake to take a cookbook approach to security, which is the unintended consequence of books such as these.

    What I'd really love to see is a book which shows failed protocols, and the dangers of cookbook security.

    Having a cookbook available doesn't guarantee that what you cook will be edible.

  5. OAEP omission, by hardcorebit (Score: 5)


    It's a shame, but not too surprising, to hear that the book doesn't cover OAEP. Especially as Coron, Naccache, Joye, and Paillier have a paper in EUROCRYPT '00 about "New Attacks on PKCS #1 v1.5 Encryption"; the abstract is at http://www.eleves.ens.fr:8080/home/coron/science.html#8

    I have not read the paper yet, but the abstract is scary.

    Some background: the RSA function x^e mod n should not be used directly for encrypting data. For one thing, it's deterministic; the same x produces the same x^e always. An adversary can use this to look for common plaintexts (consider what happens if you encipher a message letter-by-letter this way...). For another, there are all kinds of clever attacks which can recover messages which are related, or can break the scheme if you send too many messages, and so on.

    Dan Boneh has a cool overview of these attacks and others in his "Twenty Years of Attacks on RSA" paper: http://crypto.stanford.edu/~dabo/abstracts/RSAattack-survey.html

    Some kind of padding scheme is necessary. Some padding schemes are better than others. The scheme which pads with random garbage at the end of the message, for instance, is not very good. The Public Key Crypto Standard (PKCS) #1 specifies the padding scheme used for RSA encryption. Version 1.5 had this scheme which was kind of thought to be sort of OK but nobody knew really. Now we are finding that it wasn't quite as good as we thought...

    Optimal Asymmetric Encryption Padding (OAEP) is another padding scheme. It is specified in version 2 of PKCS #1 because it seems to resist the attacks which killed version 1.5. The neat thing about it is that you would expect it to resist these attacks and others because there is a "proof of security" which relates breaking the padding to breaking the RSA problem.

    That is, there's a proof which shows that extracting *any* information from the encrypted padded messages is just as hard as breaking the RSA problem on random instances. The scheme may still fail, but only if the RSA problem "underlying it" happens to be easy...like if we chose a too short modulus. We don't have to worry about stupid things like sending the wrong kind of messages any more.

    Is it important that OAEP was omitted in a "practical" handbook? In my opinion, yes and no.
    There's no need for the proof of security to be included. But the *reason* for the proof, that is, the existence of these really subtle and weird attacks which can leak information when you're not expecting it...that seems quite important in practice. Along with an explanation of how to use schemes like OAEP to cut out as many of these attacks as possible.

    It's worth noting, however, that OAEP *is* described in the _Handbook of Applied Cryptography_, which is available for download at http://cacr.math.uwaterloo.ca/hac/

    No proofs here, just a straightforward diagram and "how to implement." For the actual proof, you can check out Bellare and Rogaway's paper at http://www-cse.ucsd.edu/users/mihir/papers/pke.html

    OAEP is also specified in the IEEE P1363 standard, which has its website at http://www.manta.ieee.org/groups/1363/

    The standard covers other algorithms and protocols as well. The website's worth checking out.

    While we're at it, does anyone know of a good treatment/introduction to the proofs of security involved in OAEP and similar?
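The two points made in the comment above (raw RSA is deterministic, so encrypting letter-by-letter leaks which letters repeat; OAEP-padded RSA is randomized and rejects tampered ciphertexts) as an added, runnable example that is not part of the original thread. It implements EME-OAEP as specified in PKCS #1 v2 (RFC 8017: SHA-256 with MGF1) in pure Python beside raw "textbook" RSA on a demo-sized key generated on the fly. The key size, the Miller-Rabin key generator, all function names and the b"HELLO" message are constructed for this example; a production system would use a vetted library instead.

```python
# Added demo, not the thread's code: textbook RSA beside RSA-OAEP (PKCS #1 v2 / RFC 8017); key size, names and b"HELLO" are constructed.
import hashlib
import math
import secrets

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes
E = 65537

def is_probable_prime(n, rounds=32):
    """Miller-Rabin for odd n > 3; fine for a demo key, not a vetted key generator."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_key(bits=1024):
    """Return ((n, E), (n, d)) with a modulus of about `bits` bits (demo size)."""
    half, primes = bits // 2, []
    while len(primes) < 2:
        c = secrets.randbits(half) | (1 << (half - 1)) | 1  # odd, top bit set
        if c not in primes and math.gcd(E, c - 1) == 1 and is_probable_prime(c):
            primes.append(c)
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def textbook_encrypt_bytes(message, pub):
    n, e = pub
    return [pow(b, e, n) for b in message]  # raw x^e mod n per byte: no padding, no randomness

def mgf1(seed, length):
    blocks = range((length + H_LEN - 1) // H_LEN)  # MGF1 (RFC 8017 B.2.1) over HASH
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(message, k, label=b""):
    """EME-OAEP encoding (RFC 8017 7.1.1) of message into a k-byte block."""
    if len(message) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    db = HASH(label).digest() + b"\x00" * (k - len(message) - 2 * H_LEN - 2) + b"\x01" + message
    seed = secrets.token_bytes(H_LEN)  # fresh per encryption: this is what randomizes the ciphertext
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode; every failure raises the same generic error."""
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)  # first 0x01 after lHash; everything between must be zero
    ok = (y == 0 and secrets.compare_digest(db[:H_LEN], HASH(label).digest())
          and sep != -1 and not any(db[H_LEN:sep]))
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]

def rsa_oaep_encrypt(message, pub, label=b""):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(oaep_encode(message, k, label), "big"), e, n).to_bytes(k, "big")

def rsa_oaep_decrypt(ciphertext, priv, label=b""):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= n:
        raise ValueError("decryption error")
    return oaep_decode(pow(c, d, n).to_bytes(k, "big"), k, label)

def demo(bits=1024):
    """Return (textbook_leaks, oaep_randomized, oaep_roundtrips, tamper_rejected)."""
    pub, priv = gen_rsa_key(bits)
    raw = textbook_encrypt_bytes(b"HELLO", pub)
    textbook_leaks = raw[2] == raw[3]  # the two L's encrypt to the same value
    c1, c2 = rsa_oaep_encrypt(b"HELLO", pub), rsa_oaep_encrypt(b"HELLO", pub)
    roundtrips = rsa_oaep_decrypt(c1, priv) == rsa_oaep_decrypt(c2, priv) == b"HELLO"
    try:
        rsa_oaep_decrypt(c1[:-1] + bytes([c1[-1] ^ 1]), priv)  # one flipped bit
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return textbook_leaks, c1 != c2, roundtrips, tamper_rejected

if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Running it prints four booleans: the raw per-byte encryption of HELLO yields identical values for the two L's, two OAEP encryptions of the same message differ, both decrypt back to the message, and a ciphertext with one flipped bit is rejected. The decoder deliberately folds all of its checks (leading zero byte, label hash, zero padding, separator) into one generic "decryption error" so that a caller cannot learn which check failed; a production implementation would also make that path constant-time and use a library's key generation rather than the demo generator here.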