Oct 99 Bookshelf
Volume Number: 15
Issue Number: 10
Column Tag: Programmer's Bookshelf
Review: Cryptography and Network Security
by Paul E. Sevinc, Switzerland
Principles and Practice, 2nd edition
Cryptology is a topic more and more people in the IT business have to be familiar with.
If you already know the basics and only need a reference manual so to speak, choosing
the right book is easy: [Menezes et al. 1997]. But if you're looking for an introductory
text book, you have an ordeal of choice. One book you'll often see recommended is
[Schneier 1996]. In this article we're going to take a closer look at another one,
namely the 2nd edition of Cryptography and Network Security: Principles and Practice
[Stallings 1999].
The Big Picture
Cryptography and Network Security (CaNS for short) has been published by Prentice
Hall and was written by William Stallings, an author with quite an impressive
publication list (see <http://www.prenhall.com/stallings/>). Besides, famous
cryptographers like Xuejia Lai, Ron Rivest, Phil Zimmermann and many others
reviewed Stallings' treatment of their special fields. In my opinion, this makes the
book very trustworthy.
Between the introduction and the appendix (for teachers), CaNS is organized in four
parts: Conventional Encryption, Public-Key Encryption and Hash Functions, Network
Security Practice, and System Security. The introduction discusses network security
models and computer security threats, thereby motivating the remainder of the text.
From the very beginning, it is obvious that CaNS is not intended to be a
popular-science book but rather for (prospective) scientists and engineers.
Conventional Encryption
The first part, chapters 2 to 5, deals with symmetric cryptography, i.e. schemes in
which the same key is used for both encryption and decryption. Actually, the main
focus is on so-called block ciphers while stream ciphers are hardly an issue. (There
are two ways how to use block ciphers as stream ciphers, though, and Stallings
explains both when he treats the four block-cipher modes of operation.) The math used
in this part ñmodular arithmetic, linear equations, matricesñ should be basic to most
programmers.
Chapters 2 & 3 treat the building blocks of both classical and modern symmetric
algorithms and show how these are used within DES, the Data Encryption Standard.
With the exception of the one-time pad, the classical algorithms are nowadays
insecure, but still interesting for more than just historical reasons. Chapter 3 ends
with general design principles of and attacks on block ciphers. I find this to be useful
to practitioners who have to decide on and implement an algorithm, not to hackers :-)
Unless interested in details of different algorithms currently in use, the reader can
safely skip most of chapter 4. Nevertheless, the first section is important because it
contains information about the Men-in-the-Middle attack, and the last section is a
good summary of the rest of the chapter.
Most of us don't really need to know how exactly encryption works. But if we use it, we
better use it right. In chapter 5, Stallings explains where and how symmetric schemes
can be used in an internetwork, including the non-trivial task of key distribution. One
problem in this context is generating good pseudo-random numbers. Different
approaches are mentioned, but only very briefly.
Public-Key Encryption and Hash Functions
The second part, chapters 6 to 10, deals with functions that map variable-length data
into a fixed-length value and with asymmetric cryptography, i.e. schemes in which
different keys are used for encryption and decryption. This part is more mathematical
than the last as public-key cryptosystems are heavily based on number theory, the
subject of chapter 7. (Stallings only introduces what is necessary for understanding
CaNS. If you're not familiar with number theory, I suggest you read this chapter
before the 6th.)
Starting with the principles of public-key cryptography, chapter 6 presents RSA, the
Rivest-Shamir-Adleman algorithm, the Diffie-Hellman key-exchange protocol, and
key-management issues in general. At the end of this chapter, there's a short section
about elliptic-curve cryptography, a hot topic of growing importance, which I highly
appreciated.
Similar to chapters 3 & 4, chapter 8 first treats requirements and design principles
of, as well as attacks on cryptographic hash functions and message authentication codes
(key-dependent hash functions so to speak), and then chapter 9 describes four
concrete algorithms in detail: MD5, SHA-1, RIPEMD-160 (that's what I call an
acronym!), and HMAC.
Chapter 10 concludes the second part with a discussion of authentication protocols and
digital signatures. The former include such based on symmetric cryptography, the
latter DSS, the Digital Signature Standard.
Network Security Practice
The chapters in the third part (11-14) can be consulted in any order the reader likes.
The prerequisites have been covered in the first two parts. This part is a nice add-on
to older, in terms of IT years, computer-network books that don't cover network
security (in enough detail). It includes sections on Kerberos, X.509, PGP, S/MIME,
IPSec, SSL/TLS, and SET.
Kerberos and X.509 are for authentication purposes. PGP, Pretty Good Privacy, and
S/MIME, Secure/Multipurpose Internet Mail Extensions, provide e-mail security.
IPSec comprises the security features that have been defined for IPv6, but that can
also be used with IPv4. (Those of you familiar with IP, the Internet Protocol, know
that we're currently making the [slow] transition from IPv4 to IPv6.) SSL is
Netscape's Secure Socket Layer which has become Transport Layer Security, an
Internet standard. Finally, SET, Secure Electronic Transaction, is a specification
initiated by MasterCard and Visa for credit-card payments over the internet.
By carefully reading several of these case studies, one gets a good idea of the trade-offs
(e.g., security vs. complexity) involved in the design of cryptographic protocols. This
is supported by Stallings' clear and concise writing and his judicious use of figures and
tables.
System Security
The last part, chapters 15 & 16, is very high-level and easy to understand. However,
it only provides an overview and can't replace an in-depth (and more technical)
treatment of the same topics.
I was blown away by chapter 15. It is about intruders (i.e., hackers and crackers) and
malicious programs, especially viruses. The many ñsometimes ingeniousñ ways of
attacking a computer system and their countermeasures make for very exciting
reading; look forward to a rainy Sunday!
Chapter 16 is a short chapter about the principles and goals underlying firewalls. It
ends with a section on so-called trusted systems and how these can be used to defend
against trojan horses.
Conclusion
CaNS is a very good introduction to cryptography, enabling you to understand and
discuss the security of practical cryptosystems (e.g., the Mac OS keychain). But if you
intend to develop or consult on cryptosystems yourself, you need to know more about
number and information theory (see the seminal [Shannon 1948]) than is covered by
Stallings. The parts about network and system security are good, too, even though they
might not be applied enough for some readers (e.g., system administrators).
Every chapter ends with a set of non-trivial problems (the solutions are not part of
the book). Some chapters additionally feature an appendix of their own, for example
about ZIP's compression algorithm, the Birthday paradox, IPv4 and IPv6, etc. These
appendices increase CaNS' usefulness and are thus worth being studied.
Finally, a five-page glossary and a one-page list of acronyms conclude this highly
recommendable book.
Acknowledgments
I would like to thank Neso Atanasoski for his comments on this article and Andrew S.
Downs for his editing of my Core Java review (May issue). Sorry for the delay,
Andrew!
References
• [Menezes et al. 1997] MENEZES, Alfred J., VAN OORSCHOT Paul C.,
VANSTONE, Scott A. ñ Handbook of Applied Cryptography, CRC Press, 1997.
• [Schneier 1996] SCHNEIER, Bruce. ñ Applied Cryptography, Wiley, 2nd
ed. 1996.
• [Shannon 1948] SHANNON, Claude E. ñ A Mathematical Theory of
Communication, pp. 379-423 (623-656) in: The Bell System Technical
Journal, volume 27, July (October) 1948.
• [Stallings 1999] STALLINGS, William. ñ Cryptography and Network
Security: Principles and Practice, Prentice Hall, 2nd ed. 1999.
______________________________
Paul is an EE student at the Swiss Federal Institute of Technology Zurich (ETHZ)
where he might spend another three years if he accepts the Ph.D. position offered to
him. But as he feels like living in the US for some time, he's wondering whether he
should rather join a R&D department in Silicon Hills or Silicon Valley. While he's
thinking about this, visit his homepage at http://www.stud.ee.ethz.ch/~psevinc/.