REVIEW: "Practical Cryptography", Bruce Schneier/Niels Ferguson

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Nov 17, 2003.

  1. BKPRCCRP.RVW 20030918

    "Practical Cryptography", Bruce Schneier/Niels Ferguson, 2003,
    0-471-22357-3, U$50.00/C$76.95/UK#34.95
    %A Bruce Schneier
    %A Niels Ferguson
    %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
    %D 2003
    %G 0-471-22357-3
    %I John Wiley & Sons, Inc.
    %O U$50.00/C$76.95/UK#34.95 416-236-4433 fax: 416-236-4448
    %P 410 p.
    %T "Practical Cryptography"

    The preface points out that cryptography has done more harm than good
    in terms of securing information systems, not because cryptography
    fails in and of itself, but, rather, due to the improper use or
    implementation of the technology. This book is intended to provide
    concrete advice to those designing and implementing cryptographic
    systems. As such, it is not the usual introduction to cryptography,
    and is aimed at a fairly limited group.

    Chapter one asserts that we should be engineering for security, rather
    than speed or bells and whistles. Security is only as strong as the
    weakest link, we are told in chapter two, and (following from the idea
    of defence in depth) we need to have engineering in depth (and
    probably breadth, as well). The issues are important, but there is
    some lack of clarity to the organization and flow of the text and
    arguments: the reader may start to wonder what the essence of the
    message is. (I see that I should have trademarked "professional
    paranoia" when I started using it years ago, but it is nice to note
    that the point is being taken.) Chapter three is a rather unusual
    "Introduction to Cryptography" (and the mathematical format of the
    text doesn't make it easier for the math-phobic to concentrate on the
    meaning), but focussing on the applications and problems, the
    cryptanalytic attacks, and repeating the injunctions against
    complexity and the sacrifice of security for performance is a
    reasonable position.

    Having come this far, it is interesting to note that we are only
    starting part one, reviewing message security. Chapter four compares
    and reviews various existing block ciphers. The modes, and attacks
    against specific modes, of block algorithms are described in chapter
    five. (This material appears to be what would, in a more traditional
    book, be the introduction to cryptography.) Hash functions are
    explained, compared, and assessed in chapter six, while seven extends
    the concept to message authentication codes, which ensure not only
    detection of accidental alteration, but are also resistant to outsider
    modification attacks on the data or transmission. We therefore have
    the basic tools that we need to consider a channel that is secure from
    eavesdropping and manipulation by anyone not party to the
    communications, in chapter eight. Implementation, and the engineering
    or software development considerations, are examined in chapter nine.

    Part two deals with key negotiation, partly by introducing the concept
    of asymmetric (more commonly, if less accurately, referred to as
    "public key") cryptography, the major strength of which involves the
    handling of keys. Chapter ten raises the issue of randomness, which
    is vital in the choice of keys, and also talks about the components of
    the Fortuna system for generating pseudo-random numbers. Prime
    numbers are explained in chapter eleven, due to their importance in
    asymmetric cryptography. The venerable Diffie-Hellman algorithm is
    reviewed, along with the math that makes it work, in chapter twelve.
    (If you want to follow the material all the way, you'll have to be
    good at mathematics, but the discussion, while interesting, is not
    vital to the use of the system.) A similar job is done on RSA in
    chapter thirteen. Chapter fourteen is entitled an "Introduction to
    Cryptographic Protocols" but really talks about trust, risk, and more
    requirements for the secure channel. The high level design of a key
    negotiation protocol is incrementally developed in chapter fifteen.
    Implementation issues specific to asymmetric systems are reviewed in
    chapter sixteen.

    Part three looks at key management, and various approaches to the
    problem. Chapter seventeen discusses the use, and risks of using,
    clocks and time in cryptosystems. The idea of the key server is
    illustrated by Kerberos in chapter eighteen, but almost no detail is
    included. A quick introduction to PKI (Public Key Infrastructure) is
    given in chapter nineteen, followed by a philosophical review of other
    considerations in twenty, and additional practical concerns in twenty
    one. (While the division is not unreasonable, these three could,
    without seriously distorting the book, have been one big chapter.)
    Storing secrets, important for key and password reliability, is
    contemplated in chapter twenty two.

    Part four contains miscellaneous topics, including the futility of
    standards (twenty three), the questionable utility of patents (twenty
    four), and the need for involving real experts (twenty five).

    As noted, this book is not simply another introduction to
    cryptography. The content is for those involved in the guts of a
    cryptosystem, and the material provides significant guidance for the
    concerns of people in that position.

    copyright Robert M. Slade, 2003 BKPRCCRP.RVW 20030918


    "If you do buy a computer, don't turn it on." - Richards' 2nd Law