PREFACE
"The tie, if I might suggest it, sir, a shade more tightly knotted. One aims at the perfect butterfly effect. If you will permit me—"
"What does it matter, Jeeves, at a time like this? Do you realize that Mr. Little's domestic happiness is hanging in the scale?"
"There is no time, sir, at which ties do not matter." —
Very Good Jeeves! P. G. Wodehouse In this age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, there is indeed no time at which security does not matter. Two trends have come together to make the topic of this book of vital interest. First, the explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This, in turn, has led to a heightened awareness of the need to protect data and resources from disclosure, to guarantee the authenticity of data and messages, and to protect systems from network-based attacks. Second, the disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.
OBJECTIVES
It is the purpose of this book to provide a practical survey of both the principles and practice of cryptography and network security. In the first two parts of the book, the basic issues to be addressed by a network security capability are explored by providing a tutorial and survey of cryptography and network security technology. The latter part of the book deals with the practice of networksecurity: practical applications that have been implemented and are in use to provide network security.
The subject, and therefore this book, draws on a variety of disciplines. In particular, it is impossible to appreciate the significance of some of the techniques discussed in this book without a basic understanding of number theory and some results from probability theory. Nevertheless, an attempt has been made to make the book self-contained. The book presents not only the basic mathematical results that are needed but provides the reader with an intuitive understanding of those results. Such background material is introduced as needed. This approach helps to motivate the material that is introduced, and the author considers this preferable to simply presenting all of the mathematical material in a lump at the beginning of the book.
INTENDED AUDIENCE
The book is intended for both an academic and a professional audience. As a textbook, it is intended as a one-semester undergraduate course in cryptography and network security for computer science, computer engineering, and electrical engineering majors. The book also serves as a basic reference volume and is suitable for self-study.
PLAN OF THE BOOK
The book is organized in four parts:
Part One. Conventional Encryption: A detailed examination of conventional encryption algorithms and design principles, including a discussion of the use of conventional encryption for confidentiality.
Part Two. Public-Key Encryption and Hash Functions: A detailed examination of public-key encryption algorithms and design principles. This part also examines the use of message authentication codes and hash functions, as well as digital signatures and public-key certificates.
Part Three. Network Security Practice: Covers important network security tools and applications, including Kerberos, X.509v3 certificates, PGP, S/MIME, IP Security, SSL/TLS, and SET.
Part Four. System Security: Looks at system-level security issues, including the threat of and countermeasures for intruders and viruses, and the use of firewalls and trusted systems.
In addition, the book includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words. suggestions for further reading, and recommended Web sites.
A more detailed, chapter-by-chapter summary of each part appears at the beginning of that part.
INTERNET SERVICES FOR INSRUCTORS AND STUDENTS
There is a Web page for this book that provides support for students and instructors. The site includes links to other relevant sites, copies of the figures and tables from the book in PDF (Adobe Acrobat) format, and sign-up information for the book's Internet mailing list. The Web page is at WilliamStallings.com/Crypto3e.html. An Internet mailing list has been set up so that instructors using this book can exchange information, suggestions, and questions with each other and with the author. As soon as typos or other errors are discovered, an errata list for this book will be available at WilliamStallings.com. In addition, the Computer Science Student Resource site, at WilliamStallings.com/StudentSupport.html, provides documents, information, and useful links for computer science students and professionals.
PROJECTS FOR TEACHING CRYPTOGRAPHY AND NETWORK SECURITY
For many instructors, an important component of a cryptography or security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. This book provides an unparalleled degree of support for including a projects component in the course. The instructor's manual not only includes guidance on how to assign and structure the projects, but also includes a set of suggested projects that covers a broad range of topics from the text:
- Research Projects: A series of research assignments that instruct the student to research a particular topic on the Internet and write a report
- Programming Projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform
- Reading/Report Assignments: A list of papers in the literature, one for each chapter, that can be assigned for the student to read and then write a short report
See Appendix B for details.
WHAT"S NEW IN THE THIRD EDITION
In the four years since the second edition of this book was published, the field has seen continued innovations and improvements. In this new edition, I try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. To begin this process of revision, the second edition was extensively reviewed by a number of professors who teach the subject. In addition, a number of professionals working in the field reviewed individual chapters. The result is that, in many places, the narrative has been clarified and tightened, and illustrations have been improved. Also, a number of new "field-tested" problems have been added.
Beyond these refinements to improve pedagogy and user friendliness, there have been major substantive changes throughout the book. Highlights include the following:
- New—Advanced Encryption Standard: The most important event in this field in the past four years is the adoption of the Advanced Encryption Standard (AES). This conventional encryption algorithm is designed to replace DES and triple DES and is likely to soon become the most widely used conventional encryption algorithm. A detailed discussion of AES has been added.
- New—Finite Fields: Both AES and elliptic curve cryptography rely, on the use of finite fields. A new chapter provides a clear, succinct description of the necessary concepts in this area.
- New—RC4: RC4 is the most widely used stream cipher. It is part of the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol that is part of the IEEE 802.11 wireless LAN standard.
- New—CTR Mode: NIST has recently approved the counter (CTR) mode for block cipher encryption, intended for high-speed applications.
- Expanded—Treatment of Elliptic Curve Cryptography: ECC is a public-key technique that is becoming increasingly important and widespread. Reflecting this, the coverage of ECC has been expanded considerably.
