- Shopping Bag ( 0 items )
Fundamental security concepts like cryptography and digital signatures are becoming as much a part of our everyday lives as megabytes and the Internet. Anyone working with computer security--security professionals, network administrators, IT managers, CEOs, and CIOs--need to have a comfortable understanding of the cryptographic concepts in this book.
Cryptography Decrypted shows you how to safeguard digital possessions. It is a clear, comprehensible, and practical guide to the essentials of computer cryptography, from Caesar's Cipher through modern-day public key. Cryptographic capabilities like detecting imposters and stopping eavesdropping are thoroughly illustrated with easy-to-understand analogies, visuals, and historical sidebars.
You need little or no background in cryptography to read Cryptography Decrypted. Nor does it require technical or mathematical expertise. But for those with some understanding of the subject, this book is comprehensive enough to solidify knowledge of computer cryptography and challenge those who wish to explore the high-level math appendix.
Divided into four parts, the book explains secret keys and secret key methods like DES, public and private keys, and public key methods like RSA; how keys are distributed through digital certificates; and three real-world systems. Numerous graphics illustrate and clarify common cryptographic terminology throughout.
You will find coverage of such specific topics as:
"Even after ten years working in the field of information protection for a major electronics manufacturing company, I learned a lot from this book. I think you will too."
--From the Foreword by John Kinyon
Alice and Bob have developed secure secret keys.Alice encrypts her computer files and feels secure that no one can decrypt the files without her individual secret key. Alice and Bob's digital conversations use their shared secret key to authenticate each other, confidentially exchange files, and validate the integrity of the files (ensure that the files have not been altered during transit).
But as you saw in Chapter 8, sharing secret keys is difficult and expensive. Alice must either personally deliver the shared secret key to Bob or unequivocally trust a courier. Trustworthy couriers are expensive. And if Bob forgets their shared secret key, Alice must repeat the same key delivery process.
The goal was to create a problem that would take BlackHat a long time to solve even with the aid of a computer. Here's what Merkle devised.
If Alice then sends Bob a plaintext electronic copy of that database, he can easily pick a serial number (say, serial number 500,121) and its paired secret key (1yt8a42x35); then he calls Alice to tell her to use the secret key associated with serial number 500,121. But as Figure 9-2 shows, what's easy for Alice is also easy for the eavesdropping BlackHat. BlackHat has copied the database Alice sent to Bob—remember that it was sent over public lines—and quickly figures out the secret key. So this secret key exchange doesn 't work for Alice and Bob....
Each secret key/serial number pair (second column, Table 9-1) is encrypted with a unique secret key (third column, Table 9-1) to make the encrypted pair (final column, Table 9-1). Alice uses a million different secret keys to encrypt the 1,000,000 individual secret key/serial number pairs. Table 9-1 shows each secret key/serial number pair encrypted with a separate key.
Bob gets 1,000,000 encrypted secret key/serial number pairs and picks one encrypted pair—say,Pair3. He spends an hour deciphering it and learns that Pair3 means secret key 1yt8a42x35 and serial number 500,121 (see Figure 9-5). As before,he tells Alice that he will encrypt with the secret key matching the serial number 500,121. Alice quickly matches the serial number to the corresponding secret key in her database.
As before, Alice and Bob assume that BlackHat is listening, has copied all 1,000,000 encrypted pairs Alice sent to Bob, and has heard Bob tell Alice to use the secret key associated with serial number 500,121.
1. Obviously, Alice does not choose a "strong" cryptographic method to encrypt her database. Recall from Chapter 4 that a strong encryption method is one in which the most practical attack is to try each possible key and there are so many possible keys that it's infeasible to try even half of them.
I. SECRET KEY CRYPTOGRAPHY.
1. Locks and Keys.
Locks and Combinations.
Defining Cryptographic Terms.
Making and Solving Puzzles.
2. Substitution and Caesar's Cipher.
Cryptanalysis of Caesar's Cipher.
Empowering the Masses.
The Importance of Separating the Method and the Key.
A Weakness of Caesar's Ciphers: The Failure to Hide Linguistic Patterns.
More Complex Substitution: Vigenere's Cipher.
3. Transposition Ciphers: Moving Around.
Patterns and Cryptanalysis.
Combining Substitution and Transposition.
4. Diffuse and Confuse: How Cryptographers Win the End Game.
The Polybius Cipher.
The Principle of Confusion.
Cryptographic Locks and Keys.
5. DES Isn't Strong Anymore.
The Historical Need for an Encryption Standard.
Cycling Through Computer Keys.
Double and Triple DES.
DES (and Other Block Cipher) Modes.
The Avalanche Effect.
Supplement: Binary Numbers and Computer Letters.
6. Evolution of Cryptography: Going Global.
Commercial and Military Needs.
Entering the Computer Age.
7. Secret Key Assurances.
An Authentication Attack.
Not Really Random Numbers.
Using the MAC for Message Integrity Assurance.
Why Bother Using a Message Authentication Code?
File and MAC Compression.
Nonrepudiation: Secret Keys Can't Do It.
8. Problems with Secret Key Exchange.
The Problem and the Traditional Solution.
Using a Trusted Third Party.
Key Distribution Center and Key Recovery.
Problems with Using a Trusted Third Party.
Growth in the Number of Secret Keys.
Trust and Lifetime.
II. PUBLIC KEY CRYPTOGRAPHY.
9. Pioneering Public Key: Public Exchange of Secret Keys.
The Search for an Innovative Key Delivery Solution.
Developing an Innovative Secret Key Delivery Solution.
First Attempt: A Database of Key/Serial Number Pairs.
Second Attempt: An Encrypted Database of Key/Serial Number Pairs.
Merkle's Insight: Individually Encrypted Key/Serial Number Pairs.
Black Hat's Frustrating Problem.
The Key to Public Key Technology.
A New Solution: Diffie-Hellman-Merkle Key Agreement.
Alice and Bob Openly Agree on a Secret Key.
Problems with the Diffie-Hellman Method.
Separate Encryption and Decryption Keys.
10. Confidentiality Using Public Keys.
New Twists on Old Security Issues.
Distribution of Public Keys.
11. Making Public Keys: Math Tricks.
Alice's Easy Problem.
Grade School Math Tricks.
More Grade School Math.
Division and Remainders: Modular Math.
Using Modular Inverses to Make a Public Key.
Putting It All Together.
Giving BlackHat a Difficult, Time-Consuming Problem.
Trapdoor to the Easy Problem.
Exercise: Find Which Numbers Sum to 103.
12. Creating Digital Signatures Using the Private Key.
Written and Digital Signature Assurances.
Reviewing and Comparing Authentication.
Secret Key Authentication.
Private Key Authentication 117
Authentication and Integrity Using Private and Secret Keys.
Private Key Authentication Methods.
Assurances in Both Directions.
Summary of Public Key Assurances.
Public Key Means Public / Private Key.
Compressing before Signing.
13. Hashes: Non-keyed Message Digests.
Detecting Unintentional Modifications.
Detecting Intentional Modifications.
Signing the Message Digest.
Detecting BlackHat's Forgery.
Supplement: Unsuccessfully Imitating a Message Digest.
14. Message Digest Assurances.
Two Message Digest Flavors.
Non-keyed Message Digest Assurances.
Weak Collision Resistance.
Examples of One-way and Weak Collision Resistance.
Strong Collision Resistance.
Non-keyed Digest Implementations.
Keyed Message Digest Assurances.
A MAC Made with DES.
Message Digest Compression.
Digest Speed Comparisons.
15. Comparing Secret Key, Public Key, and Message Digests.
Ease of Key Distribution.
Symmetric (Secret) Key.
Asymmetric (Public) Key.
III. DISTRIBUTION OF PUBLIC KEYS.
16. Digital Certificates.
Verifying a Digital Certificate.
Attacking Digital Certificates.
Attacking the Creator of the Digital Certificate.
Malicious Certificate Creator.
Attacking the Digital Certificate User.
The Most Devastating Attack.
Understanding Digital Certificates: A Familiar Comparison.
Issuer and Subject.
Transfer of Trust from the Issuer to the Subject.
Issuer's Limited Liability.
More than One Certificate.
Fees for Use.
The Needs of Digital Certificate Users.
Getting Your First Public Key.
Certificates Included in Your Browser.
17. X.509 Public Key Infrastructure.
Why Use X.509 Certificate Management?
What Is a Certificate Authority?
Application, Certification, and Issuance.
Polling and Pushing: Two CRL Delivery Models.
Building X.509 Trust Networks.
More Risks and Precautions.
Certification Practice Statement.
X.509 Certificate Data.
Challenge Response Protocol.
18. Pretty Good Privacy and the Web of Trust.
The History of PGP.
Comparing X.509 and PGP Certificates.
Building Trust Networks.
Bob Validates Alice's Key.
Casey Validates Alice's Key Sent by Bob.
Dawn Validates Alice's Key Sent by Casey via Bob.
Web of Trust.
PGP Certificate Repositories and Revocation.
Compatibility of X.509 and PGP
IV. REAL-WORLD SYSTEMS.
E-mail Cryptographic Parameters.
Negotiation of SSL and IPsec Cryptographic Parameters.
User Initiation of Cryptographic E-mail, SSL, and Ipsec.
19. Secure E-mail.
Generic Cryptographic E-mail Messages.
Invoking Cryptographic Services.
Confidentiality and Authentication.
Deterring E-mail Viruses.
20. Secure Socket Layer and Transport.
History of SSL.
Overview of an SSL Session.
An SSL Session in Detail.
Hello and Negotiate Parameters.
Key Agreement (Exchange).
Confidentiality and Integrity.
Fixed and Ephemeral Diffie-Hellman.
Comparing TLS, SSL v3, and SSL v2.
A Big Problem with SSL v2.
A Possible Problem with TLS and SSL.
Generating Shared Secrets.
Bob Authenticates Himself to AliceDotComStocks.
21. IPsec Overview.
IPsec Part 1: User Authentication and Key Exchange Using IKE.
SSL/TLS and IPsec Key Agreement.
Benefits of Two-Phase Key Exchange.
IPsec Part 2: Bulk Data Confidentiality and Integrity for Message or File Transport.
Protocol and Mode.
Implementation Incompatibilities and Complications.
22. Cryptographic Gotchas.
Finding Your Keys in Memory.
Does Confidentiality Imply Integrity?
Example 2: Cut-and-Paste Attack.
Public Key as a Cryptanalysis Tool.
Example 1: The Chosen Plaintext Attack.
Public Key Cryptographic Standards.
Example 2: The Bleichenbacher Attack.
BlackHat Uses Bob's RSA Private Key.
23. Protecting Your Keys.
Types of Smart Cards.
What's Inside a Smart Card.
Protections and Limitations.
Smart Card Attacks.
Appendix A. Public Key Mathematics (and Some Words on Random Numbers).
Appendix B. (A Few) IPsec Details.
In the past, cryptography was used mainly to secure the communications of the powerful and influential, the military and royalty. But the widespread use of computers, and the attacks to which they are vulnerable, has expanded the need for secure communications around the globe. This book describes the protection afforded by modern computer cryptographic systems and explains how the pace of modern technology requires continuing attention to the security of those systems.
The advent of computers changed a great many things, but not the fundamentals of cryptography. Through stories and pictures, Cryptography Decrypted presents cryptography's evolution into a modern-day science, laying out patterns from the past that are applicable today. It also gives you a thorough understanding of terms that are destined to become as much a part of our language and life as megabyte and Internet. As you begin to think about controlling various aspects of your life using wired or wireless communication, on line all the time, your understanding of cryptography--its benefits and its pitfalls--will make you feel a little more in control of a rapidly changing world.
Because rapid advances in the speed of hardware will continue to threaten the security of current cryptographic methods, it's essential that you choose appropriate techniques and perform ongoing assessment if you want to maintain your digital security. You can make such choices and assessments only if you know the basic concepts of cryptography. Cryptography Decrypted offers you that knowledge through visual representation of difficult concepts, an easy-to-use reference for reviewing key cryptographic terminology, and instructive historical information.
You need little or no background in cryptography to read this book. Neither does it require technical or math genius. It's designed so that anyone from CIOs to self-taught computer enthusiasts--and everyone in between--can pick up this book without any knowledge of encryption and find it fascinating, understandable, and instructive.
If you have some understanding of computer cryptography, Cryptography Decrypted is systematic and comprehensive enough to solidify your knowledge. It provides a simple description of the component parts of secret key and public key cryptography. (Those who already understand and don't wish to cover any more material about secret key cryptography may choose to read only Parts II through IV, bypassing Part I.)
Throughout the book, we use images to clarify cryptographic terms. After explaining the basic cryptographic components, we describe real-world cryptographic systems, some possible attacks on those systems, and ways to protect your keys.
The book provides a historical framework on which to build your understanding of how and why computer cryptography works. After a discussion of how cryptography has evolved into an essential Internet tool, we analyze secret key exchange problems and then explain the evolution of public key cryptography, with its solution to the key exchange problem. Along the way we explain some simple background on the math tricks that make public key cryptography secure. Traditionally, those who have thoroughly understood cryptography have been trained as mathematicians or scientists. Our goal here is to explain computer cryptography with rather little discussion of math. If the esoteric details aren't of immediate concern to you, you can skip Chapter 11 ("Making Public Keys: Math Tricks"), Chapter 14 ("Message Digest Assurances"), and the appendixes without diminishing your understanding of the basic concepts. Appendix A describes some aspects of public key mathematics, including inverses, primes, the Fermat test, Diffie-Hellman, DSA, elliptic curve, and pseudo-random number generation. Appendix B provides details of IPsec, a security system introduced in Chapter 21.
If your computer is connected to or transmits over an electronic network, your data is on the front line. Attackers are getting more competent by the month, and their attacks more intrusive, virulent, and widespread--from Melissa to the Love Bug to the unknown virus that ate your hard drive.
Although few of us leave our valuables unlocked, few of us know how to use cryptographic locks to secure our digital possessions. By the time you finish reading this book, you will.
Most governments, including those of Canada, China, France, Saudi Arabia, and the United States, consider cryptographic tools to be munitions of war, so it's reasonable to think of potential attacks on your data as a kind of war. Your opponent is anyone who wants to read, modify, or destroy your private documents.
In large part, this is a book about the cryptographic keys and methods you use to safeguard your digital possessions. Figure I-1 shows cryptographic keys and the symbols we use to portray them. Part I of this book explains secret keys and secret key methods. Part II describes public and private keys and public key methods. Part III explains how keys are distributed, and Part IV shows how three real-world systems--secure mail, Secure Socket Layer (SSL), and Internet Protocol Security (IPsec)--use cryptographic keys and methods.
A Devastating Opponent
|In World War II the German Observation Service--Beobachtungs-Dienst, or B-Dienst--was a small group of codebreakers who played a powerful role in the Battle of the Atlantic. B-Dienst uncovered the positions of Allied convoys that German submarines then destroyed, devastating the Allied Atlantic forces from 1941 to 1943. For example, during three days in March 1943, the Germans sank 21 Allied vessels while losing only one submarine. Better communications security and new technologies such as sonar helped the Allies turn the tide.|
Need a Quick Read?
|Section||Chapter(s)||Major Points Covered|
|Part I: Secret Key||1-4||The difference between cryptographic methods and cryptographic keys. The security of modern cryptographic methods. Best feasible attack against a modern method: trying each key|
|5||Effect of technology in weakening DES|
|6||Historical insights into cryptography|
|7||Secret key assurances: confidentiality, authentication, and integrity|
|8||Maintenance and management problems in sharing secret keys|
|Part II: Public Key||9||Foundation of public key cryptography: easy and hard problems|
|10||Public key encryption and public key assurances|
|11||Simple cryptographic mathematics|
|12||Private key encryption and private key assurances|
|13||Detecting message modification with nonkeyed message digests and hashes|
|14||Message digest assurances|
|15||Comparing secret key, public key, and message digests|
|Part III: Distribution||16||Digital certificates: digitally signed public keys of Public Keys|
|17||x.509 digital certificates, certificate authorities, and certificate revocation|
|18||Pretty Good Privacy (PGP) compared to x.509|
|Part IV: Real-World||19-21||Examples of real-world systems (secure e-mail, SSL, IPsec) Systems|
|22||Some cryptographic attacks|
|23||Protecting your keys with smartcards|
|Appendixes||A||Mathematics underlying public key technology|
Every January for the past 10 years, members of a cult from all over the world have headed to Silicon Valley for a summit. In the early years, only a few cryptographers, mathematicians, and forward thinkers in the relatively new field of computer security showed up for this then-obscure event, known as the RSA Security Conference. Imagine, if you will, a group of distinguished eggheads and computer nerds getting together to talk about cryptographic algorithms and how they might one day be used to solve security problems.
In Internet years, that first event was a very long time ago. A decade for everyday people, it was an Internet generation for those of us involved with computer technology. The problems were small and often theoretical then. We couldn't imagine the looming frenzied pace of change, the way the World Wide Web (World Wide what?--it wouldn't be invented for another year) would explode, and the e-izing of everything and anything. With those changes came what those original visionaries predicted: e-fraud, e-theft, e-vandalism, e-scams, e-viruses, and e-everything-else bad along with e-everything good.
Nowadays, there are dozens of computer security conferences and exhibits. Even so, our understanding of cryptography is weak, often only abstract. Practical applications of cryptography are just beginning to become commonplace. These solutions are still young. It is a struggle for an information technology professional, and often an information protection professional, to understand how security technology works and how to apply cryptography appropriately to solve real business problems.
The RSA Security Conference is bigger than ever. Hidden among the product demos, sales pitches, and seminars, interesting technical papers are still presented. It was at RSA 2000 that I met the joyful and energetic H. X. Mel. Like many others, he and Doris Baker had a vision of how to improve security. Their vision, however, was not product implementation, but education--to make cryptography understandable to the people who need it. Their book, this book, is more than "Alice and Bob" diagrams and yet less than a tome full of math. Instead, it is filled with examples of the principles behind today's solutions, explained with an interesting historical perspective.
Even after 10 years as an IT architect in the field of information protection for a major electronics manufacturing company, I learned a lot from this book. I think you will, too.
Posted May 9, 2001
This is one of the best crypto books I've read. Although cryptography is a rather dry subject, this engaging book makes it accessible, even to those without mathematics degrees. I liked the structure of the book: it starts with a brief history of cryptography, moves through crypto theory, and ends with useful information about real-world practical applications. I learnt new stuff throughout. Personally, I found the diagrams a little hard to follow. The authors use a consistent symbolic style throughout but I think the book cover could have done with a fold-out flap showing the key to all the symbols. That said, it's a valiant attempt to explain the steps in complex crypto processes, and better than most others. To end with another compliment, my copy is now replete with scribbled comments in the margins, a good sign that it was a stimulating read.Was this review helpful? Yes NoThank you for your feedback. Report this reviewThank you, this review has been flagged.
Posted March 18, 2001
If you are working in health care and are overwhelmed with the technical requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA), then you are going to love this book. If you are involved in e-commerce you will find this book essential reading and the key to understanding the underpinnings of web and e-commerce security. Technical writers who do not care about cryptography or security can learn much from this book. The authors set the highest standards in document design, clear writing and integration of prose and illustration. The foundation is laid in Part I with the basics: defining terms, the evolution of ciphers and how they worked, and the fundamentals of the data encryption standard (DES) and secret keys. I found this stuff fascinating because the authors used easy-to-follow examples and illustrations showing how everything works. For example, a quick explanation of Polybius square numbers and how to transpose them to diffuse a cipher was something completely new to me. However, I was able to thoroughly understand it after reading less than three pages of this book! I am sure that a professional cryptographer would find this material basic. I found it empowering because I began to see a larger picture of this obscure science unfold while learning some interesting numerical manipulation techniques.For the first time I really understood this stuff to the degree that I could explain it to non-technical people. I liked the historical anecdotes that made the subject interesting. Highlights of this part of the book include transposition ciphers, diffusion and confusion strategies, and a discussion of DES in its various forms, and its strengths and vulnerabilities. In parts II and III the book thoroughly covers public keys and digital certificates - essential if you are among the primary audience of this book. These sections will give you a good grasp of public keys and how they work, digital certificates and how they fit into the scheme of things and message digest mechanics. If you are struggling with HIPAA requirements you will be armed to fully understand the issues and factors. Part IV addresses electronic commerce security technologies: secure e-mail, secure socket layer (SSL)/transport layer security (TLS) and IP security. Like sections II and III, these complex technologies are explained in an incredibly clear manner. I learned a lot and came away with a strong understanding. The best part is the chapter on cryptographic gotchas - it covered some common attacks and how to safeguard against them. I also enjoyed the treatment of smart cards and their particular vulnerabilities. I love this book for a number of reasons. First, the authors know their subject. More importantly they have produced a book that epitomizes how to communicate highly technical subjects to not-so-technical people. The author's web site has a single entry for errata, making this book remarkably error-free considering the many numeric examples. If you need to quickly get learn HIPAA or e-commerce security this book is the best place to start.Was this review helpful? Yes NoThank you for your feedback. Report this reviewThank you, this review has been flagged.