Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More


Password sniffing, spoofing, buffer overflows, and denial of service: these are only a few of the attacks on today's computer systems and networks. At the root of this epidemic is poorly written, poorly tested, and insecure code that puts everyone at risk. Clearly, today's developers need help figuring out how to write code that attackers won't be able to exploit. But writing such code is surprisingly difficult.

Secure Programming Cookbook for C and C++ is an important new ...

See more details below
Paperback (First Edition)
$66.76 price
(Save 10%)$74.99 List Price
Other sellers (Paperback)
  • All (14) from $38.49   
  • New (6) from $38.47   
  • Used (8) from $39.25   
Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

Available on NOOK devices and apps  
  • NOOK Devices
  • Samsung Galaxy Tab 4 NOOK 7.0
  • Samsung Galaxy Tab 4 NOOK 10.1
  • NOOK HD Tablet
  • NOOK HD+ Tablet
  • NOOK eReaders
  • NOOK Color
  • NOOK Tablet
  • Tablet/Phone
  • NOOK for Windows 8 Tablet
  • NOOK for iOS
  • NOOK for Android
  • NOOK Kids for iPad
  • PC/Mac
  • NOOK for Windows 8
  • NOOK for PC
  • NOOK for Mac
  • NOOK for Web

Want a NOOK? Explore Now

NOOK Book (eBook)
$34.49 price
(Save 42%)$59.99 List Price


Password sniffing, spoofing, buffer overflows, and denial of service: these are only a few of the attacks on today's computer systems and networks. At the root of this epidemic is poorly written, poorly tested, and insecure code that puts everyone at risk. Clearly, today's developers need help figuring out how to write code that attackers won't be able to exploit. But writing such code is surprisingly difficult.

Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code. It contains a wealth of solutions to problems faced by those who care about the security of their applications. It covers a wide range of topics, including safe initialization, access control, input validation, symmetric and public key cryptography, cryptographic hashes and MACs, authentication and key exchange, PKI, random numbers, and anti-tampering. The rich set of code samples provided in the book's more than 200 recipes will help programmers secure the C and C++ programs they write for both Unix® (including Linux®) and Windows® environments. Readers will learn:

  • How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems
  • How to properly SSL-enable applications
  • How to create secure channels for client-server communication without SSL
  • How to integrate Public Key Infrastructure (PKI) into applications
  • Best practices for using cryptography properly
  • Techniques and strategies for properly validating input to programs
  • How to launch programs securely
  • How to use file access mechanisms properly
  • Techniques for protecting applications from reverse engineering
The book's web site supplements the book by providing a place to post new recipes, including those written in additional languages like Perl, Java, and Python. Monthly prizes will reward the best recipes submitted by readers.

Secure Programming Cookbook for C and C++ is destined to become an essential part of any developer's library, a code companion developers will turn to again and again as they seek to protect their systems from attackers and reduce the risks they face in today's dangerous world.

Read More Show Less

Product Details

  • ISBN-13: 9780596003944
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 7/21/2003
  • Edition description: First Edition
  • Edition number: 1
  • Pages: 792
  • Product dimensions: 7.02 (w) x 9.25 (h) x 1.51 (d)

Meet the Author

John Viega, Founder and Chief Scientist of Secure Software (, is a well-known security expert, and coauthor of Building Secure Software (Addison-Wesley) and Network Security with OpenSSL (O'Reilly). John is responsible for numerous software security tools, and is the original author of Mailman, the GNU mailing list manager. He holds a B.A. and M.S. in Computer Science from the University of Virginia. Mr. Viega is also an Adjunct Professor of Computer Science at Virginia Tech (Blacksburg, VA) and a Senior Policy Researcher at the Cyberspace Policy Institute, and he serves on the Technical Advisory Board for the Open Web Applications Security Project. He also founded a Washington, D.C. area security interest group that conducts monthly lectures presented by leading experts in the field. He is the author or coauthor of nearly 80 technical publications, including numerous refereed research papers and trade articles.

Matt Messier, Director of Engineering at Secure Software, is a security authority who has been programming for nearly two decades. Besides coauthoring Network Security with OpenSSL, Matt coauthored the Safe C String Library, RATS, and EGADS, an Entropy Gathering and Distribution System used for securely seeding pseudo-random number generators. Prior to joining Secure Software, Matt worked for IBM and Lotus, on source and assembly level debugging techniques, and operating system concepts.

Read More Show Less

Table of Contents

More Than Just a Book;
We Can't Do It All;
Organization of This Book;
Recipe Compatibility;
Conventions Used in This Book;
Comments and Questions;
Chapter 1: Safe Initialization;
1.1 Sanitizing the Environment;
1.2 Restricting Privileges on Windows;
1.3 Dropping Privileges in setuid Programs;
1.4 Limiting Risk with Privilege Separation;
1.5 Managing File Descriptors Safely;
1.6 Creating a Child Process Securely;
1.7 Executing External Programs Securely;
1.8 Executing External Programs Securely;
1.9 Disabling Memory Dumps in the Event of a Crash;
Chapter 2: Access Control;
2.1 Understanding the Unix Access Control Model;
2.2 Understanding the Windows Access Control Model;
2.3 Determining Whether a User Has Access to a File on Unix;
2.4 Determining Whether a Directory Is Secure;
2.5 Erasing Files Securely;
2.6 Accessing File Information Securely;
2.7 Restricting Access Permissions for New Files on Unix;
2.8 Locking Files;
2.9 Synchronizing Resource Access Across Processes on Unix;
2.10 Synchronizing Resource Access Across Processes on Windows;
2.11 Creating Files for Temporary Use;
2.12 Restricting Filesystem Access on Unix;
2.13 Restricting Filesystem and Network Access on FreeBSD;
Chapter 3: Input Validation;
3.1 Understanding Basic Data Validation Techniques;
3.2 Preventing Attacks on Formatting Functions;
3.3 Preventing Buffer Overflows;
3.4 Using the SafeStr Library;
3.5 Preventing Integer Coercion and Wrap-Around Problems;
3.6 Using Environment Variables Securely;
3.7 Validating Filenames and Paths;
3.8 Evaluating URL Encodings;
3.9 Validating Email Addresses;
3.10 Preventing Cross-Site Scripting;
3.11 Preventing SQL Injection Attacks;
3.12 Detecting Illegal UTF-8 Characters;
3.13 Preventing File Descriptor Overflows When Using select( );
Chapter 4: Symmetric Cryptography Fundamentals;
4.1 Representing Keys for Use in Cryptographic Algorithms;
4.2 Generating Random Symmetric Keys;
4.3 Representing Binary Keys (or Other Raw Data) as Hexadecimal;
4.4 Turning ASCII Hex Keys (or Other ASCII Hex Data) into Binary;
4.5 Performing Base64 Encoding;
4.6 Performing Base64 Decoding;
4.7 Representing Keys (or Other Binary Data) as English Text;
4.8 Converting Text Keys to Binary Keys;
4.9 Using Salts, Nonces, and Initialization Vectors;
4.10 Deriving Symmetric Keys from a Password;
4.11 Algorithmically Generating Symmetric Keys from One Base Secret;
4.12 Encrypting in a Single Reduced Character Set;
4.13 Managing Key Material Securely;
4.14 Timing Cryptographic Primitives;
Chapter 5: Symmetric Encryption;
5.1 Deciding Whether to Use Multiple Encryption Algorithms;
5.2 Figuring Out Which Encryption Algorithm Is Best;
5.3 Selecting an Appropriate Key Length;
5.4 Selecting a Cipher Mode;
5.5 Using a Raw Block Cipher;
5.6 Using a Generic CBC Mode Implementation;
5.7 Using a Generic CFB Mode Implementation;
5.8 Using a Generic OFB Mode Implementation;
5.9 Using a Generic CTR Mode Implementation;
5.10 Using CWC Mode;
5.11 Manually Adding and Checking Cipher Padding;
5.12 Precomputing Keystream in OFB, CTR, CCM, or CWC Modes (or with Stream Ciphers);
5.13 Parallelizing Encryption and Decryption in Modes That Allow It (Without Breaking Compatibility);
5.14 Parallelizing Encryption and Decryption in Arbitrary Modes (Breaking Compatibility);
5.15 Performing File or Disk Encryption;
5.16 Using a High-Level, Error-Resistant Encryption and Decryption API;
5.17 Performing Block Cipher Setup (for CBC, CFB, OFB, and ECB Modes) in OpenSSL;
5.18 Using Variable Key-Length Ciphers in OpenSSL;
5.19 Disabling Cipher Padding in OpenSSL in CBC Mode;
5.20 Performing Additional Cipher Setup in OpenSSL;
5.21 Querying Cipher Configuration Properties in OpenSSL;
5.22 Performing Low-Level Encryption and Decryption with OpenSSL;
5.23 Setting Up and Using RC4;
5.24 Using One-Time Pads;
5.25 Using Symmetric Encryption with Microsoft's CryptoAPI;
5.26 Creating a CryptoAPI Key Object from Raw Key Data;
5.27 Extracting Raw Key Data from a CryptoAPI Key Object;
Chapter 6: Hashes and Message Authentication;
6.1 Understanding the Basics of Hashes and MACs;
6.2 Deciding Whether to Support Multiple Message Digests or MACs;
6.3 Choosing a Cryptographic Hash Algorithm;
6.4 Choosing a Message Authentication Code;
6.5 Incrementally Hashing Data;
6.6 Hashing a Single String;
6.7 Using a Cryptographic Hash;
6.8 Using a Nonce to Protect Against Birthday Attacks;
6.9 Checking Message Integrity;
6.10 Using HMAC;
6.11 Using OMAC (a Simple Block Cipher-Based MAC);
6.12 Using HMAC or OMAC with a Nonce;
6.13 Using a MAC That's Reasonably Fast in Software and Hardware;
6.14 Using a MAC That's Optimized for Software Speed;
6.15 Constructing a Hash Function from a Block Cipher;
6.16 Using a Block Cipher to Build a Full-Strength Hash Function;
6.17 Using Smaller MAC Tags;
6.18 Making Encryption and Message Integrity Work Together;
6.19 Making Your Own MAC;
6.20 Encrypting with a Hash Function;
6.21 Securely Authenticating a MAC (Thwarting Capture Replay Attacks);
6.22 Parallelizing MACs;
Chapter 7: Public Key Cryptography;
7.1 Determining When to Use Public Key Cryptography;
7.2 Selecting a Public Key Algorithm;
7.3 Selecting Public Key Sizes;
7.4 Manipulating Big Numbers;
7.5 Generating a Prime Number (Testing for Primality);
7.6 Generating an RSA Key Pair;
7.7 Disentangling the Public and Private Keys in OpenSSL;
7.8 Converting Binary Strings to Integers for Use with RSA;
7.9 Converting Integers into Binary Strings for Use with RSA;
7.10 Performing Raw Encryption with an RSA Public Key;
7.11 Performing Raw Decryption Using an RSA Private Key;
7.12 Signing Data Using an RSA Private Key;
7.13 Verifying Signed Data Using an RSA Public Key;
7.14 Securely Signing and Encrypting with RSA;
7.15 Using the Digital Signature Algorithm (DSA);
7.16 Representing Public Keys and Certificates in Binary (DER Encoding);
7.17 Representing Keys and Certificates in Plaintext (PEM Encoding);
Chapter 8: Authentication and Key Exchange;
8.1 Choosing an Authentication Method;
8.2 Getting User and Group Information on Unix;
8.3 Getting User and Group Information on Windows;
8.4 Restricting Access Based on Hostname or IP Address;
8.5 Generating Random Passwords and Passphrases;
8.6 Testing the Strength of Passwords;
8.7 Prompting for a Password;
8.8 Throttling Failed Authentication Attempts;
8.9 Performing Password-Based Authentication with crypt( );
8.10 Performing Password-Based Authentication with MD5-MCF;
8.11 Performing Password-Based Authentication with PBKDF2;
8.12 Authenticating with PAM;
8.13 Authenticating with Kerberos;
8.14 Authenticating with HTTP Cookies;
8.15 Performing Password-Based Authentication and Key Exchange;
8.16 Performing Authenticated Key Exchange Using RSA;
8.17 Using Basic Diffie-Hellman Key Agreement;
8.18 Using Diffie-Hellman and DSA Together;
8.19 Minimizing the Window of Vulnerability When Authenticating Without a PKI;
8.20 Providing Forward Secrecy in a Symmetric System;
8.21 Ensuring Forward Secrecy in a Public Key System;
8.22 Confirming Requests via Email;
Chapter 9: Networking;
9.1 Creating an SSL Client;
9.2 Creating an SSL Server;
9.3 Using Session Caching to Make SSL Servers More Efficient;
9.4 Securing Web Communication on Windows Using the WinInet API;
9.5 Enabling SSL without Modifying Source Code;
9.6 Using Kerberos Encryption;
9.7 Performing Interprocess Communication Using Sockets;
9.8 Performing Authentication with Unix Domain Sockets;
9.9 Performing Session ID Management;
9.10 Securing Database Connections;
9.11 Using a Virtual Private Network to Secure Network Connections;
9.12 Building an Authenticated Secure Channel Without SSL;
Chapter 10: Public Key Infrastructure;
10.1 Understanding Public Key Infrastructure (PKI);
10.2 Obtaining a Certificate;
10.3 Using Root Certificates;
10.4 Understanding X.509 Certificate Verification Methodology;
10.5 Performing X.509 Certificate Verification with OpenSSL;
10.6 Performing X.509 Certificate Verification with CryptoAPI;
10.7 Verifying an SSL Peer's Certificate;
10.8 Adding Hostname Checking to Certificate Verification;
10.9 Using a Whitelist to Verify Certificates;
10.10 Obtaining Certificate Revocation Lists with OpenSSL;
10.11 Obtaining CRLs with CryptoAPI;
10.12 Checking Revocation Status via OCSP with OpenSSL;
Chapter 11: Random Numbers;
11.1 Determining What Kind of Random Numbers to Use;
11.2 Using a Generic API for Randomness and Entropy;
11.3 Using the Standard Unix Randomness Infrastructure;
11.4 Using the Standard Windows Randomness Infrastructure;
11.5 Using an Application-Level Generator;
11.6 Reseeding a Pseudo-Random Number Generator;
11.7 Using an Entropy Gathering Daemon-Compatible Solution;
11.8 Getting Entropy or Pseudo-Randomness Using EGADS;
11.9 Using the OpenSSL Random Number API;
11.10 Getting Random Integers;
11.11 Getting a Random Integer in a Range;
11.12 Getting a Random Floating-Point Value with Uniform Distribution;
11.13 Getting Floating-Point Values with Nonuniform Distributions;
11.14 Getting a Random Printable ASCII String;
11.15 Shuffling Fairly;
11.16 Compressing Data with Entropy into a Fixed-Size Seed;
11.17 Getting Entropy at Startup;
11.18 Statistically Testing Random Numbers;
11.19 Performing Entropy Estimation and Management;
11.20 Gathering Entropy from the Keyboard;
11.21 Gathering Entropy from Mouse Events on Windows;
11.22 Gathering Entropy from Thread Timings;
11.23 Gathering Entropy from System State;
Chapter 12: Anti-Tampering;
12.1 Understanding the Problem of Software Protection;
12.2 Detecting Modification;
12.3 Obfuscating Code;
12.4 Performing Bit and Byte Obfuscation;
12.5 Performing Constant Transforms on Variables;
12.6 Merging Scalar Variables;
12.7 Splitting Variables;
12.8 Disguising Boolean Values;
12.9 Using Function Pointers;
12.10 Restructuring Arrays;
12.11 Hiding Strings;
12.12 Detecting Debuggers;
12.13 Detecting Unix Debuggers;
12.14 Detecting Windows Debuggers;
12.15 Detecting SoftICE;
12.16 Countering Disassembly;
12.17 Using Self-Modifying Code;
Chapter 13: Other Topics;
13.1 Performing Error Handling;
13.2 Erasing Data from Memory Securely;
13.3 Preventing Memory from Being Paged to Disk;
13.4 Using Variable Arguments Properly;
13.5 Performing Proper Signal Handling;
13.6 Protecting against Shatter Attacks on Windows;
13.7 Guarding Against Spawning Too Many Threads;
13.8 Guarding Against Creating Too Many Network Sockets;
13.9 Guarding Against Resource Starvation Attacks on Unix;
13.10 Guarding Against Resource Starvation Attacks on Windows;
13.11 Following Best Practices for Audit Logging;

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted August 17, 2003

    Voluminous and comprehensive

    f you are interested in encryption, you should probably get Bruce Schneier's Applied Cryptography, which is generally considered the standard summary of the field. But suppose you actually want to use some of the symmetric key or public key methods he describes? If you want to code from scratch, his book is a good starting point. But if you want to quickly avail yourself of the best existing methods and you don't want to reinvent the wheel by recoding? Also, it can be risky to do that. A mistake made in coding a crypto algorithm might render it insecure. Better to use reviewed, tested code. If this describes your needs and you code in C or C++, then this book will be invaluable. Extensive code fragments that show how you can interface to existing crypto packages. Very detailed. You won't find theorems or any elegant maths here. No Chinese Remainder Theorem or Fermat's theorems. You have to already know or accept the theoretical underpinnings. Given this, the book takes you into the nitty gritty of every major publicly available cryptosystem. With up to date assessments of their comparative strengths. All of the above is aimed at application developers. The book also has sections for sysadmins of both unix and Microsoft operating systems, replete with suggestions on patching and good practice. Don't be daunted by the book's heft. It is encyclopaedic in scope, and access is reasonably random access. The authors have striven to comprehensively span the field. You don't have to read from start to finish before you can commence using it.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)