Fundamentals of Computer Security
August 2002
Publisher: Springer-Verlag, Berlin, Heidelberg
ISBN: 978-3-540-43101-5
Published: 01 August 2002
Pages: 600
Abstract

From the Publisher:

The book studies modern concepts of Computer Security. It is self-contained in the sense that it introduces the basic mathematical background necessary to follow computer security concepts. Next we examine modern developments in Cryptography starting from private-key and public-key encryption, going through hashing, digital signatures, authentication, secret sharing, group-oriented cryptography, pseudorandomness, key establishment protocols, zero-knowledge protocols, identification and finishing with an introduction to modern e-business systems based on digital cash. Intrusion detection and access control provide examples of security systems implemented as a part of an operating system. Database and network security is also discussed.

Cited By

  1. Drosatos G, Tasidou A and Efraimidis P (2017). Privacy-Enhanced Television Audience Measurements, ACM Transactions on Internet Technology, 17:1, (1-29), Online publication date: 6-Mar-2017.
  2. Moradbeikie A, Abrishami S and Abbasi H (2016). Creating Time-Limited Attributes for Time-Limited Services in Cloud Computing, International Journal of Information Security and Privacy, 10:4, (44-57), Online publication date: 1-Oct-2016.
  3. Mayer P and Volkamer M Secure and Efficient Key Derivation in Portfolio Authentication Schemes Using Blakley Secret Sharing Proceedings of the 31st Annual Computer Security Applications Conference, (431-440)
  4. Buccafurri F, Fotia L and Lax G Allowing Non-identifying Information Disclosure in Citizen Opinion Evaluation Proceedings of the Second Joint International Conference on Technology-Enabled Innovation for Democracy, Government and Governance - Volume 8061, (241-254)
  5. Chen H, Lee T and Lee H Verification of stored security data in computer system Proceedings of the Second international conference on Intelligent information and database systems: Part I, (426-434)
  6. Seberry J, Charnes C, Pieprzyk J and Safavi-Naini R Crypto topics and applications II Algorithms and theory of computation handbook, (13-13)
  7. Chen H, Lee T and Lee H Collect and broadcast news in security Proceedings of the 2nd International Conference on Interaction Sciences: Information Technology, Culture and Human, (912-917)
  8. Grošek O, Horák P and Zajac P (2009). On complexity of round transformations, Discrete Mathematics, 309:18, (5527-5534), Online publication date: 1-Sep-2009.
  9. Myers J and Riela S (2008). Taming the diversity of information assurance & security, Journal of Computing Sciences in Colleges, 23:4, (173-179), Online publication date: 1-Apr-2008.
  10. Ye Q, Wang H and Pieprzyk J Distributed private matching and set operations Proceedings of the 4th international conference on Information security practice and experience, (347-360)
  11. Kelarev A (2007). Algorithms for computing parameters of graph-based extensions of BCH codes, Journal of Discrete Algorithms, 5:3, (553-563), Online publication date: 1-Sep-2007.
  12. Tartary C and Wang H Combining prediction hashing and MDS codes for efficient multicast stream authentication Proceedings of the 12th Australasian conference on Information security and privacy, (293-307)
  13. Tartary C, Wang H and Pieprzyk J An hybrid approach for efficient multicast stream authentication over unsecured channels Proceedings of the 1st international conference on Provable security, (17-34)
  14. Tartary C and Wang H Rateless codes for the multicast stream authentication problem Proceedings of the 1st international conference on Security, (136-151)
  15. Tartary C and Wang H Dynamic threshold and cheater resistance for shamir secret sharing scheme Proceedings of the Second SKLOIS conference on Information Security and Cryptology, (103-117)
  16. Tartary C and Wang H Achieving multicast stream authentication using MDS codes Proceedings of the 5th international conference on Cryptology and Network Security, (108-125)
  17. Tartary C and Wang H Efficient multicast stream authentication for the fully adversarial network model Proceedings of the 6th international conference on Information Security Applications, (108-125)
  18. Schaffer M and Schartner P Video surveillance Proceedings of the 9th IFIP TC-6 TC-11 international conference on Communications and Multimedia Security, (140-149)
  19. Balbiani P Access Control with Uncertain Surveillance Proceedings of the 2005 IEEE/WIC/ACM International Conference on Web Intelligence, (778-781)
  20. Zwierko A and Kotulski Z Mobile agents Proceedings of the Second international conference on Intelligent Media Technology for Communicative Intelligence, (246-258)
Contributors
  • Commonwealth Scientific and Industrial Research Organisation
  • University of Wollongong
  • Massachusetts Institute of Technology

Reviews

Claire Vishik

This book evolved from the lecture notes that were used to teach an undergraduate computer security course at the University of Wollongong, Australia. The resulting volume is much too extensive and sophisticated to be used in the same environment, but preserves its characteristics as a teaching tool and textbook. It would be an appropriate required textbook for many courses (more likely graduate than undergraduate), and is flexible enough to support an elective on cryptography for nonmathematicians or serve as a guide for an introductory computer science class. The flavor is distinctly academic, and it would not be too helpful for developers writing crypto applications, or for security architects designing the enterprise security infrastructure. Although this is not a developer's handbook, it consolidates the core knowledge that every practitioner must possess. The 18 discrete chapters feature content ranging from the elements of number theory in the early chapters to the description of electronic elections and digital money in chapter 15. Chapters 2 to 14 include problems and exercises at the end. The wide range of topics addressed ensures that the book can have many uses. At first, the book appears to focus exclusively on cryptography. In fact, the terminology in chapter 1 is cryptography oriented, and the background theory in chapter 2 contains elements of mathematics that will help nonmathematicians to understand fundamental cryptography, but contains no references to other fundamental or theoretical issues relevant to computer and data security. Gradually, the content is expanded to more applied topics. The reader needs to understand that this is a collection rather than a textbook focusing on one area. Chapter 1 introduces some of the terminology and provides information about the history of cryptography and modern developments. 
The reader learns about steganography, early European ciphers, first cipher machines, such as German ENIGMA, and the first efforts of cryptanalysis. The section on modern cryptography starts with Shannon's work in the late 1940s and ends with references to RSA. After the concise introduction, chapter 2 focuses on background theory. This chapter is written for nonmathematicians, and describes a few elements of number theory (such as the Euclid algorithm, the sieve of Eratosthenes, and congruence); relevant components of information theory; and complexity theory. Chapter 2 does not presuppose extensive knowledge of mathematics, and novice readers will benefit from relatively consistent descriptions, with some proofs and interconnections. Following this coverage of the supporting theory, chapter 3, "Private-Key Cryptosystems," starts with sections on classical ciphers, and moves on to the DES Family and other private-key algorithms (FEAL, IDEA, RC6, and others). The chapter concludes with sections on differential and linear cryptanalysis, and S-box theory. Public key cryptosystems are thoroughly described in chapter 4, starting with RSA, and information is provided on Merkle-Hellman, ElGamal, and elliptic cryptosystems. Short sections on probabilistic encryption and best practices for public-key encryption systems are also included. Although chapters 3 and 4 contain information that is different from what you may find in a practitioner's handbook, the academic description is useful for all readers, although the brief practical section in chapter 4 did not quite meet my expectations. While the first four chapters focused on cryptography, the next two contain information about processing techniques. Chapter 5 describes pseudorandomness, including bit generators and function generators, and chapter 6 provides a thorough review of hashing, from theory to MD family sections, keyed hashing, serial and parallel hashing, and so on.
The next four chapters deal with some technologies and approaches used for various types of authentication of both users and data. Chapter 7 analyzes digital signatures, starting with basic information that a digital signature scheme needs to have means for signing and signature verification. The chapter explains generic signature schemes and proceeds to some fairly sophisticated information on RSA and ElGamal signatures. The chapter concludes with sections on blind and undeniable signatures, and timestamping. Chapter 8 describes the basics of authentication. It presents fundamentals of active opponents, outlines some elements of game theory, and talks about A-codes. Chapter 9 focuses on secret sharing. Basics of Shamir and Blakley schemes begin the chapter, followed by a thorough explanation of the information rates. Chapter 10, drawing on the previous chapters, provides information about group-oriented encryption. The following two chapters describe key establishment protocols (chapter 11) and zero-knowledge proof systems (chapter 12). Starting from chapter 13, "Identification," the book moves in the direction of practical applications (of basic approaches in security, rather than computer applications). The chapter presents the theory of authentication, starting with the basic question of the parameters constituting proper identification of a user. Although the early sections are too elementary for a reader with some knowledge of computer systems, such a reader will still benefit from the description and analysis of the identification protocols that follows. Similarly, a more academic reader who will find information on protocols and schemes too simplistic may find useful knowledge in the earlier, more practically oriented sections. The next chapter deals with intrusion detection, describing the theoretical view on this class of applications rather than practical approaches and actual systems.
Chapter 15 introduces a variety of schemes for electronic elections and digital money. Chapter 16 is a combination of views on the theory of database security and practical advice, including a section on a few security related routines in Oracle 8 (the current version of the Oracle database is 10). Chapter 17 focuses on various models of access control, such as the access matrix model and role-based access models, and describes a few actual implementations, such as Unix and Multics, its predecessor. The final chapter on network security gives equal space to Internet key exchange and secure socket layer (SSL), and provides some information about the most common threats, such as Trojans and viruses. The strongest point of the book is the breadth of coverage. Although it is impossible to describe everything relevant to security in a single volume, even a novice reader will be able to glean information about many subjects, which can then be pursued at a greater level of detail elsewhere. The weakest point of the book is a somewhat superficial description of material, lack of coverage of the practical applications, and a somewhat naive understanding of pragmatic issues. Due to this dissociation from the pragmatic side, the choice of topics is somewhat random, because their importance was not gauged in the practical areas, and the description of applications and technologies is somewhat elementary. However, this same dissociation allows the authors to cover the basic theory behind everyday security functions familiar to all, such as password management. The consistent theory angle would not be possible if the authors delved deeply into the practical security issues and applications. Overall, I strongly recommend the book. It does justice to its title, and provides basics that all future scholars in security and computer practitioners absolutely need to know.

Online Computing Reviews Service

Naga R Narayanaswamy

The widespread use of the Internet for serious applications makes this book particularly relevant. It is of utmost importance that information is protected against hackers and rogue nations because individual users and governments are conducting more Internet banking, trade, and commerce, as well as proprietary inter-company business on the Web. Several vulnerabilities are found in different operating systems, and, because Internet routing occurs across administrative domains, control traffic needs to be protected. This is why this book is particularly effective for designers of security mechanisms. A very rigorous treatise on the mathematics of different cryptographic algorithms and security aspects is contained in this book. For this reason, a more apt title would have been Mathematical foundations to computer security. The book contains 18 detailed chapters, and can be used independently by engineers, scientists, and researchers, or by students in introductory courses to cryptography, electronic commerce, advanced cryptography, and computer and network security. The book is very comprehensive, with the first two chapters dealing with general mathematical principles needed for understanding cryptography, such as modular arithmetic, complexity of algorithms, and so on. The next two chapters delve into a myriad of details of private key and public key cryptosystems. The chapter on the data encryption standard (DES) class of algorithms explains this subject in depth. Other modern private key cryptosystems like RC6 and Rijndael are addressed, and cryptanalysis of the algorithms is offered. On the public key front, RSA cryptosystems are addressed, as well as Merkle-Hellman, McEliece, elliptic cryptosystems, and several others. The popular MD family of hash functions is mathematically dealt with in a separate chapter. Digital signatures, authentication, secret sharing, and group-oriented cryptography are all described in separate chapters as well.
Key establishment protocols and key agreement protocols are clearly explained, including the popular Kerberos. Computer and network security pertaining to computer systems are explained in depth in the last five chapters. Mathematical principles of intrusion detection (ID) are explained before giving specific ID systems, and a detailed summary of popular ID systems is given at the end of the chapter. The mathematical concepts of electronic elections, digital money, database protection, security, and access control are illustrated in detail, and Internet protocol security (IPSec) is described in detail, as is the secure sockets layer (SSL) scheme. Throughout the book, where necessary, theorems, lemmas, and proofs are given. The problems and exercises at the end of each chapter are very stimulating. The extensive bibliography (containing over 500 items) is sure to satisfy anyone, particularly doctoral candidates in computer security, who want to explore the area further. In summary, the book is an excellent source of mathematical fundamentals of computer security, and can be used to study weaknesses in existing methods, and study the current set of cryptographic algorithms.

Online Computing Reviews Service