- Shopping Bag ( 0 items )
From Barnes & NobleThe Barnes & Noble Review
Cryptography, as Bruce Schneier keeps pointing out to anyone who’ll listen, is even harder than it looks. Of course, it doesn’t help that many books on the subject are intensely academic. Such books do little for folks who actually have to implement crypto-based security. No wonder so many implementations are so poor.
Schneier, president of Counterpane Internet Security, Inc., is arguably the world’s leading crypto expert. His firm’s lead cryptographer, Niels Ferguson, isn’t far behind. Together, they’ve written Practical Cryptography to give implementers what they need to do the job right.
As Schneier often notes, excellent algorithms and protocols do exist: The devil’s in the implementation details, and plenty of companies get them wrong. Worse, the algorithms and protocols are the “easy” part. Once you get people into the loop -- as with key management -- things get really tough. Still worse, nonspecialists often treat crypto as an afterthought, to be bolted on once everything else is done. That’s a recipe for failure, considering that you have to secure your entire system: Your adversary need only find one weak link.
These are the types of issues Practical Cryptography takes on.
Schneier and Ferguson begin with some serious attitude adjustment. To build secure systems, security must come first, with other priorities (like performance or new features) way down the list. “If you are ever tempted to cut a security corner in the name of efficiency, just repeat to yourself: ‘We already have enough fast, insecure systems. We don’t need another one.’ ”
They also focus on keeping things simple -- which means lots of modularization. To that end, they present (and in some cases, create) simple interfaces for cryptographic primitives: “No features, no options, no special cases, no extra things to remember, just the simplest definition we could come up with.”
After introducing cryptography from the implementer’s standpoint, they present several key elements of cryptography systems. In two full chapters on block ciphers, they help you compare and choose amongst solutions like AES, Serpent, and Twofish; then cover block cipher modes, and help you limit the risks of information leakage. There’s a full chapter on hash functions, their weaknesses, solutions -- and tradeoffs.
Next, the authors move on to solving real-world problems, starting with one of the most common: creating secure connections. There’s detailed coverage of secure software development: everything from wiping state to handling swap files and caches -- not to mention buffer overflows, side-channel attacks, and the like.
A section on key negotiation addresses everything from generating randomness to working with primes; using Diffie-Hellman and RSA algorithms to handling crypto protocols. The authors cover key management in comparable depth: implementing reliable clocks; Kerberos and its alternatives; and the practical realities of PKI implementation (for example, why keys “wear out.”)
Practical Cryptography reaches far and wide, from algorithms and protocols to standards and patents -- with plenty of cautions to make sure you never get overconfident. Because, when it comes to security, overconfidence is fatal. Bill Camarda
Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks for Dummies, Second Edition.