| RSA Security's Official Guide to Cryptography |
|---|
|
REVIEW |
|
In this second book in the RSA Press series, authors Steve Burnett and Stephen Paine take a first-principles approach to cryptography, guiding the reader through a survey of the field.
Cryptography opens with an explanation of why cryptography is necessary for data security, briefly describing some of the attacks that cryptography can help to defeat. The book proceeds to detail what the authors describe as the "building blocks of crypto."
Burnett and Paine begin by describing symmetric keys and key management; the strengths and weaknesses of password-based encryption to protect the key, password attacks and how to generate a strong password; and a brief look at various cryptographic storage devices.
They then explain the key distribution problem when using symmetric keys, the pros and cons of using trusted third parties to solve this issue, and how public (asymmetric) key cryptography works and addresses the problem. A relatively involved deconstruction of the RSA, Diffie-Hellman (DH), and Elliptic Curve Diffie-Hellman (ECDH) algorithms follows, leading to a comparison and analysis of the three algorithms. Various key recovery methods are also discussed.
The book continues with an exploration of digital signatures, their composition, a look at three message digest algorithms (MD2, MD5 and SHA-1), three signature algorithms (RSA, DSA and ECDSA) and the related issues of authentication, data integrity and non-repudiation.
Having established a solid foundation, Cryptography builds on the prior material and extends the discussion to more advanced subjects, beginning with a chapter dedicated to PKI and the X.509 public key certificate standard. The X.509 certificate structure is illustrated in detail, followed by an explanation of the required components of a PKI. Certificate revocation and certificate revocation lists (CRLs), PKI trust models, key pair management, and certificate policies and certification practice statements close the chapter.
With the PKI concept introduced to the readers, the authors launch into a description of network and transport-layer security protocols and how they tie into the basic infrastructure of securing a network. Some of the protocols discussed include IPSec, ESP comparisons between implementations of IPv4 and IPv6, IKE, and SSL.
Continuing on their cryptographic journey, readers move beyond the network and transport layers to the application-layer security protocols, focusing on S/MIME (Secure/Multipurpose Internet Mail Extensions) and SET (Secure Electronic Transaction).
After letting the readers get a taste of the topic earlier in the book, Cryptography spends a chapter on hardware solutions, including cryptographic accelerators, authentication tokens, smart cards, JavaCards and tokens, biometrics and combined solutions.
The remainder of the book explains some of the legal issues surrounding digital signatures and the United States' ESIGN Act, some information security threats, standards, as well as case studies where cryptography was used well and -- perhaps more importantly -- poorly. Three technical appendices close the book.
A welcome feature of Cryptography is a series of asides that explain technical details, historical context, and cryptography-related societal issues.
In what could easily be overwhelming subject matter for a layperson, several illustrations, photographs, diagrams and tables also help readers grasp the concepts and ideas that the authors are explaining.
The book suffers from the minor problem of referencing material and terminology not yet introduced to the reader to illustrate examples, then parenthetically asking the reader to be patient and wait for explanations later in the book. This is common to technical literature, so it is somewhat disappointing if not surprising to see this error repeated here.
Cryptography comes with an accompanying reference CD-ROM that significantly complements the book, even though many of the documents on it are available online for free. The CD contains the RSA Labs FAQ (Frequently Asked Questions), documents describing the Public Key Cryptography Standards (PKCS), a set of RSA's Crypto-Gram quarterly technical newsletters and an archive of presenters' notes from the 2000 RSA Conference.
The conference archive is perhaps the most valuable section of the CD because it captures a point-in-time snapshot of the general thinking of people involved in the digital security industry. With a slick Flash interface, the CD presents the conference agenda and various study tracks along with abstracts, presenter biographies and PDF versions of the speakers' notes and slides.
While the preponderance of those slide packages are included, sadly most of the presentations from the general information sessions are not included. This is disappointing particularly because Cryptography's authors state in the preface that the "book is an introduction to crypto." The presentations from the general sessions would be well-suited to the intended audience for this book, not to mention that some of the most interesting sessions described on the CD seem to be from the conference's general track. At times some of the slides are illegible or unintelligible because of overlapping layers of text and graphics. Presumably this is due to a common problem with converting the slides from Microsoft's PowerPoint format to Adobe's Acrobat PDF.
One hopes that RSA will continue to issue similar CDs with conference proceedings in the future, but with the relatively minor issues discussed above resolved.
Readers who are interested in cryptography but daunted by a relative lack of formal technical education can think of Cryptography as a friendly textbook and reference guide for the uninitiated. Those who crave technical details can refer to the appendices and the standards documents on the CD.
As a whole, RSA Security's Official Guide to Cryptography delivers on its promise to describe "the basic concepts of the most widely used crypto in the world today."
|
|
Copyright © PKIForum.comTM 1999-2002. All Rights Reserved. The PKIForum.com logo, "PKIForum.com", "PKI Forum.com" and "PKI Forum" are trademarks of PKIForum.com and its proprietors. |