REVIEW: "Practical Cryptography", Bruce Schneier/Niels Ferguson

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Nov 17, 2003
      BKPRCCRP.RVW 20030918

      "Practical Cryptography", Bruce Schneier/Niels Ferguson, 2003,
      0-471-22357-3, U$50.00/C$76.95/UK#34.95
      %A Bruce Schneier schneier@...
      %A Niels Ferguson niels@...
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2003
      %G 0-471-22357-3
      %I John Wiley & Sons, Inc.
      %O U$50.00/C$76.95/UK#34.95 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471223573/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0471223573/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0471223573/robsladesin03-20
      %P 410 p.
      %T "Practical Cryptography"

      The preface points out that cryptography has done more harm than good
      in terms of securing information systems, not because cryptography
      fails in and of itself, but, rather, due to the improper use or
      implementation of the technology. This book is intended to provide
      concrete advice to those designing and implementing cryptographic
      systems. As such, it is not the usual introduction to cryptography,
      and is aimed at a fairly limited group.

      Chapter one asserts that we should be engineering for security, rather
      than speed or bells and whistles. Security is only as strong as the
      weakest link, we are told in chapter two, and (following from the idea
      of defence in depth) we need to have engineering in depth (and
      probably breadth, as well). The issues are important, but there is
      some lack of clarity to the organization and flow of the text and
      arguments: the reader may start to wonder what the essence of the
      message is. (I see that I should have trademarked "professional
      paranoia" when I started using it years ago, but it is nice to note
      that the point is being taken.) Chapter three is a rather unusual
      "Introduction to Cryptography" (and the mathematical format of the
      text doesn't make it easier for the math-phobic to concentrate on the
      meaning), but focussing on the applications and problems, the
      cryptanalytic attacks, and repeating the injunctions against
      complexity and the sacrifice of security for performance is a
      reasonable position.

      Having come this far, it is interesting to note that we are only
      starting part one, reviewing message security. Chapter four compares
      and reviews various existing block ciphers. The modes, and attacks
      against specific modes, of block algorithms are described in chapter
      five. (This material appears to be what would, in a more traditional
      book, be the introduction to cryptography.) Hash functions are
      explained, compared, and assessed in chapter six, while seven extends
      the concept to message authentication codes, which ensure not only
      detection of accidental alteration, but are also resistant to outsider
      modification attacks on the data or transmission. We therefore have
      the basic tools that we need to consider a channel that is secure from
      eavesdropping and manipulation by anyone not party to the
      communications, in chapter eight. Implementation, and the engineering
      or software development considerations, are examined in chapter nine.

      Part two deals with key negotiation, partly by introducing the concept
      of asymmetric (more commonly, if less accurately, referred to as
      "public key") cryptography, the major strength of which involves the
      handling of keys. Chapter ten raises the issue of randomness, which
      is vital in the choice of keys, and also talks about the components of
      the Fortuna system for generating pseudo-random numbers. Prime
      numbers are explained in chapter eleven, due to their importance in
      asymmetric cryptography. The venerable Diffie-Hellman algorithm is
      reviewed, along with the math that makes it work, in chapter twelve.
      (If you want to follow the material all the way, you'll have to be
      good at mathematics, but the discussion, while interesting, is not
      vital to the use of the system.) A similar job is done on RSA in
      chapter thirteen. Chapter fourteen is entitled an "Introduction to
      Cryptographic Protocols" but really talks about trust, risk, and more
      requirements for the secure channel. The high level design of a key
      negotiation protocol is incrementally developed in chapter fifteen.
      Implementation issues specific to asymmetric systems are reviewed in
      chapter sixteen.

      Part three looks at key management, and various approaches to the
      problem. Chapter seventeen discusses the use, and risks of using,
      clocks and time in cryptosystems. The idea of the key server is
      illustrated by Kerberos in chapter eighteen, but almost no detail is
      included. A quick introduction to PKI (Public Key Infrastructure) is
      given in chapter nineteen, followed by a philosophical review of other
      considerations in twenty, and additional practical concerns in twenty
      one. (While the division is not unreasonable, these three could,
      without seriously distorting the book, have been one big chapter.)
      Storing secrets, important for key and password reliability, is
      contemplated in chapter twenty two.

      Part four contains miscellaneous topics, including the futility of
      standards (twenty three), the questionable utility of patents (twenty
      four), and the need for involving real experts (twenty five).

      As noted, this book is not simply another introduction to
      cryptography. The content is for those involved in the guts of a
      cryptosystem, and the material provides significant guidance for the
      concerns of people in that position.

      copyright Robert M. Slade, 2003 BKPRCCRP.RVW 20030918


      ======================
      rslade@... slade@... rslade@...
      Computer Security Day, November 30 http://www.computersecurityday.com/
      victoria.tc.ca/techrev/mnbksc.htm sun.soci.niu.edu/~rslade/secgloss.htm