Cryptography and Network Security: Principles and Practice, 2nd ed.
So, after reading Applied Cryptography and the Handbook of Applied Cryptography, you want to see some real systems at work. Enough with this academic stuff, you say. Cryptography and Network Security may be just the book for you. It covers Kerberos, X.509, PGP, S/MIME, IPSec, SSL/TLS, and SET, in much greater detail than you will find in books such as Applied Cryptography. This is a book for "real world" crypto. Even if this would be your first book on cryptography, Stallings provides most of the background you need to understand what's going on.
What's Bad?
There are a few rather annoying omissions in the book's coverage, including no mention of Optimal Asymmetric Encryption Padding (OAEP), which is used in many of the most important new cryptography standards, and only passing references to IEEE P1363, a very important proposed standard which has already produced copious industry and academic support.
Part 4 was less interesting, and also did not seem to delve as deeply into its topics as earlier chapters did.
What's Good?
Almost everything. Stallings' writing style makes for reasonably easy reading, though those without a good background in math and programming may have problems in the denser areas.
While the focus is on practical applications, the author gives you all the information you need. Instead of covering a large number of algorithms (most of which are never used in real applications) in a very brief manner like Applied Cryptography, Stallings examines in detail a small number of popular and commonly used algorithms, including IDEA, RC5, CAST-128, and Blowfish, and devotes a full chapter for DES. Public-key encryption is not ignored either, with coverage of RSA, Diffie-Hellman, DSA, and Elliptic Curve Cryptography.
But the really good stuff is in the second half of the book. Want a clear and thorough description of the IPSec protocols? Flip to chapter 13 and read away! Not to leave you hanging if you haven't been keeping up with the latest RFCs (for shame!), he also describes both the IPv4 and IPv6 packet formats. Similarly, in the section on S/MIME, before jumping straight into the cryptographic aspects, he helpfully first describes what MIME does, why it was invented, and how it works.
Handily enough, the book also makes a good introductory textbook. The explanations are clear, and little background is assumed. Also, there are problems at the end of each chapter which cover practical applications of and attacks on cryptographic systems.
So What's In It For Me?
If you want a good introduction to practical cryptography, get this book. It supplements the more theoretical focus of other popular books in the area, while still being fairly complete.
Table of Contents
Chapter 1: Introduction
- Attacks, Services, and Mechanisms
- Security Attacks
- Security Services
- A Model for Internetwork Security
- Outline of this Book
- Recommended Reading
Chapter 2: Classical Techniques
- Conventional Encryption Model
- Steganography
- Classical Encryption Techniques
- Simplified DES
- Block Cipher Principles
- The Data Encryption Standard
- The Strength of DES
- Differential and Linear Cryptanalysis
- Block Cipher Design Principles
- Block Cipher Modes of Operation
- Appendix: Bent Functions
- Triple DES
- IDEA
- Blowfish
- RC5
- CAST-128
- RC2
- Characteristics of Advanced Symmetric Block Ciphers
- Placement of Encryption Function
- Traffic Confidentiality
- Key Distribution
- Random Number Generation
Chapter 6: Public-Key Cryptography
- Principles of Public-Key Cryptosystems
- The RSA Algorithm
- Key Management
- Diffie-Hellman Key Exchange
- Elliptic Curve Cryptography
- Prime and Relatively Prime Numbers
- Modular Arithmetic
- Fermat's and Euler's Theorems
- Testing for Primality
- Euclid's Algorithm
- The Chinese Remainder Theorem
- Discrete Logarithms
- Authentication Requirements
- Authentication Functions
- Message Authentication Functions
- Hash Functions
- Security of Hash Functions and MACs
- Appendix: Mathematical Basis of the Birthday Attack
- MD5
- SHA-1
- RIPEMD-160
- HMAC
- Digital Signatures
- Authentication Protocols
- Digital Signature Standard
- Appendix: Proof of the DSS Algorithm
Chapter 11: Authentication Applications
- Kerberos
- X.509 Directory Authentication Service
- Appendix: Kerberos Encryption Techniques
- Pretty Good Privacy
- S/MIME
- Appendix: Data Compression Using ZIP
- Appendix: Radix-64 Conversion
- Appendix: PGP Random Number Generation
- IP Security Overview
- IP Security Architecture
- Authentication Header
- Encapsulating Security Payload
- Combining Security Associations
- Key Management
- Appendix: Internetworking and Internet Protocols
- Web Security Requirements
- Secure Sockets Layer and Transport Layer Security
- Secure Electronic Transaction
Chapter 15: Intruders, Viruses, and Worms
- Intruders
- Viruses and Related Threats
- Firewall Design Principles
- Trusted Systems
- Research Projects
- Programming Projects
- Reading/Report Assignments
I am an InfoSec consultant in real life, but I am not speaking in any professional capacity here.
First, I've got to say that I'm glad that someone has come out with a companion to Applied Cryptography; where Applied Cryptography talks about ciphers in some detail, it's woefully light on protocols--and most of the interesting security attacks out there are protocol attacks, not cipher attacks. If the review posted is accurate, then we can use it as an adjunct to Menezes and Schneier, not as a replacement. This is a Good Thing(tm).
Second, for all that I'm looking forward to buying this book, I think that it ignores a very rich and informative part of the subject. Why not take a book of the same size and cover failed protocols, and explain where the protocols failed and why? I like to joke that there are only three or four different protocol attacks; software authors just insist on renaming them for every new system. An awful lot of good could be done by educating software engineers about what has failed, in the hopes that people will learn and not make those same mistakes again.
I'm grateful to Bruce Schneier and Alfred Menezes for their introductory works in crypto (and compared to graduate-level mathematics, Schneier's and Menezes' books are introductory), but I sometimes fear that they lull software engineers into a false sense of security; people think that "well, since Schneier says 3DES is secure, I can just use that and be safe". It's very tempting to do that, but security is not something which can be added into a piece of software like you can add salt to a recipe. It is a mistake to take a cookbook approach to security, which is the unintended consequence of books such as these.
What I'd really love to see is a book which shows failed protocols, and the dangers of cookbook security.
Having a cookbook available doesn't guarantee that what you cook will be edible.
It's a shame, but not too surprising, to hear that the book doesn't cover OAEP. Especially as Coron, Naccache, Joye, and Paillier have a paper in EUROCRYPT '00 about "New Attacks on PKCS #1 v1.5 Encryption", abstract at:
http://www.eleves.ens.fr:8080/home/coron/scienc
I have not read the paper yet, but the abstract is scary.
Some background: the RSA function x^e mod n should not be used directly for encrypting data.
For one thing, it's deterministic; the same x produces the same x^e always. An adversary can use this to look for common plaintexts (consider what happens if you encipher a message letter-by-letter this way...). For another, there are all kinds of clever attacks which can recover messages which are related, or can break the scheme if you send too many messages, and so on.
Dan Boneh has a cool overview of these attacks and others in his "Twenty Years of Attacks on RSA" paper
http://crypto.stanford.edu/~dabo/abstracts/RSAa
Some kind of padding scheme is necessary. Some padding schemes are better than others. The scheme which pads with random garbage at the end of the message, for instance, is not very good.
The Public Key Crypto Standard (PKCS) #1 specifies the padding scheme used for RSA encryption. Version 1.5 had this scheme which was kind of thought to be sort of OK but nobody knew really. Now we are finding that it wasn't quite as good as we thought...
Optimal Asymmetric Encryption Padding (OAEP) is another padding scheme. It is specified in version 2 of PKCS #1 because it seems to resist the attacks which killed version 1.5. The neat thing about it is that you would expect it to resist these attacks and others because there is a "proof of security" which relates breaking the padding to breaking the RSA problem.
That is, there's a proof which shows that extracting *any* information from the encrypted padded messages is just as hard as breaking the RSA problem on random instances. The scheme may still fail, but only if the RSA problem "underlying it" happens to be easy...like if we chose a too short modulus. We don't have to worry about stupid things like sending the wrong kind of messages any more.
Is it important that OAEP was omitted in a "practical" handbook? In my opinion, yes and no.
There's no need for the proof of security to be included. But the *reason* for the proof, that is, the existence of these really subtle and weird attacks which can leak information when you're not expecting it...that seems quite important in practice. Along with an explanation of how to use schemes like OAEP to cut out as many of these attacks as possible.
It's worth noting, however, that OAEP *is* described in the _Handbook of Applied Cryptography_, which is available for download at
http://cacr.math.uwaterloo.ca/hac/
No proofs here, just a straightforward diagram and "how to implement." For the actual proof, you can check out Bellare and Rogaway's paper at
http://www-cse.ucsd.edu/users/mihir/papers/pke.
OAEP is also specified in the IEEE P1363 standard, which has its website here:
http://www.manta.ieee.org/groups/1363/
The standard covers other algorithms and protocols as well. The website's worth checking out.
While we're at it, does anyone know of a good treatment/introduction to the proofs of security involved in OAEP and similar?
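The two points made in the comment above, that textbook x^e mod n is deterministic and that EME-OAEP (PKCS #1 v2) randomises each encryption, as an added Python example that is neither the book's nor the commenter's code. It assumes SHA-1 as the hash with MGF1 as the mask generator, and uses a constructed toy key built from two Mersenne primes so it runs without a prime generator.

```python
import hashlib
import os

# Constructed toy RSA key built from two Mersenne primes so the example needs no
# prime generator; a real key uses random primes of equal size.
P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus size in bytes
H_LEN = 20                           # SHA-1 output length

def mgf1(seed, length):
    """PKCS #1 v2 mask generation: concatenate SHA-1(seed || counter) blocks."""
    blocks = (hashlib.sha1(seed + c.to_bytes(4, "big")).digest()
              for c in range((length + H_LEN - 1) // H_LEN))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, label=b""):
    """EME-OAEP: a fresh random seed makes every encoding of msg different."""
    if len(msg) > K - 2 * H_LEN - 2:
        raise ValueError("message too long")
    ps = b"\x00" * (K - len(msg) - 2 * H_LEN - 2)
    db = hashlib.sha1(label).digest() + ps + b"\x01" + msg
    seed = os.urandom(H_LEN)
    masked_db = xor(db, mgf1(seed, K - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, label=b""):
    """Undo EME-OAEP; every check failure raises the same error."""
    masked_seed, masked_db = em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, K - H_LEN - 1))
    sep = db.find(b"\x01", H_LEN)
    if em[0] != 0 or db[:H_LEN] != hashlib.sha1(label).digest() or sep < 0 or any(db[H_LEN:sep]):
        raise ValueError("decryption error")
    return db[sep + 1:]

def raw_rsa(msg):  # textbook x^e mod n: equal plaintexts give equal ciphertexts
    return pow(int.from_bytes(msg, "big"), E, N).to_bytes(K, "big")

def encrypt(msg):
    return pow(int.from_bytes(oaep_encode(msg), "big"), E, N).to_bytes(K, "big")

def decrypt(ct):
    return oaep_decode(pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big"))
```

Encrypting the same message twice with encrypt() yields two different ciphertexts, while raw_rsa() yields the same one each time; a tampered ciphertext fails the OAEP checks in decrypt().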