Cryptography and Network Security: Principles and Practice / Edition 7 available in Paperback
The Principles and Practice of Cryptography and Network Security
Stallings’ Cryptography and Network Security, Seventh Edition, introduces the reader to the compelling and evolving field of cryptography and network security. In an age of viruses and hackers, electronic eavesdropping, and electronic fraud on a global scale, security is paramount. The purpose of this book is to provide a practical survey of both the principles and practice of cryptography and network security. In the first part of the book, the basic issues to be addressed by a network security capability are explored by providing a tutorial and survey of cryptography and network security technology. The latter part of the book deals with the practice of network security: practical applications that have been implemented and are in use to provide network security.
The Seventh Edition streamlines subject matter with new and updated material — including Sage, one of the most important features of the book. Sage is an open-source, multiplatform, freeware package that implements a very powerful, flexible, and easily learned mathematics and computer algebra system. It provides hands-on experience with cryptographic algorithms and supporting homework assignments. With Sage, the reader learns a powerful tool that can be used for virtually any mathematical application. The book also provides an unparalleled degree of support for the reader to ensure a successful learning experience.
|Edition description:||New Edition|
|Product dimensions:||7.40(w) x 9.20(h) x 1.20(d)|
About the Author
Dr. William Stallings has authored 18 titles, and counting revised editions, over 40 books on computer security, computer networking, and computer architecture. His writings have appeared in numerous publications, including the Proceedings of the IEEE, ACM Computing Reviews and Cryptologia. He has 13 times received the award for the best Computer Science textbook of the year from the Text and Academic Authors Association.
In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several high-technology firms. He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from microcomputers to mainframes. As a consultant, he has advised government agencies, computer and software vendors, and major users on the design, selection, and use of networking software and products.
He created and maintains the Computer Science Student Resource Site at ComputerScienceStudent.com. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology.
Dr. Stallings holds a PhD from MIT in computer science and a BS from Notre Dame in electrical engineering.
Read an Excerpt
From Chapter 11: Authentication Applications
1. ...The Subject filed is inadequate to convey the identity of a key owner to a public key user. X.509 names may be relatively short and lacking in obvious identification details that may be needed by the user.
2.The Subject field is also inadequate for many applications, which typically recognize entities by an Internet e-mail address, a URL, or some other Internet-related identification.
3. There is a need to indicate security policy information. This enables a security application or function, such as IPSec, to relate an X.509 certificate to a given policy.
4. There is a need to limit the damage that can result from a faulty or malicious CA by settings constraints on the applicability of a particular certificate.
5. It is important to be able to identify separately different keys used by the same owner at different times. This feature supports key life cycle management--in particular, the ability to update key pairs for users and CAs on a regular basis or under exceptional circumstances.
Rather than continue to add fields to a fixed format, standards developers felt that a more flexible approach was needed. Thus, version 3 includes a number of optional extensions that may be added to the version 2 format. Each extension consists of an extension identifier, a criticality indicator indicates whether an extension can be safely ignored. If the indicator has a value of TRUE and an implementation does not recognize the extension, it must treat the certificate as invalid.
The certificate extensions fall into three main categories: key and policy information,subject and issuer attributes, and certification path constraints.
Key and Policy Information
These extensions convey additional information about the subject and issuer keys, plus indicators of certificate policy. A certificate policy is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. For example, a policy might be applicable to the authentication of electronic data interchange (EDI) transactions for the trading of goods within a given price range.
This area includes the following:
- Authority key identifier: Identifies the public key to be used to verify the signature on this certificate or CRL. Enables distinct keys of the same CA to be differentiated. One use of this field is to handle CA key pair updating.
- Subject key identifier: Identifies the public key being certified. Useful for subject key pair updating. Also, a subject may have multiple key pairs and, correspondingly, different certificates for different purposes (e.g., digital signature and encryption key agreement).
- Key usage: Indicates a restriction imposed as to the purposes for which, and the policies under which, the certified public key may be used. May indicate one or more of the following: digital signature, nonrepudiation, key encryption, data encryption, key agreement, CA signature verification on certificates, CA signature verification on CRLs.
- Private-key usage period: Indicates the period of use of the private key corresponding to the public key. Typically, the private key is used over a different period from the validity of the public key. For example, with digital signature keys, the usage period for the signing private key is typically shorter than that for the verifying public key.
- Certificate policies: Certificates may be used in environments where multiple policies apply. This extension lists policies that the certificate is recognized as supporting, together with optional qualifier information.
- Policy mappings: Used only in certificates for CAs issued by other CAs. Policy mappings allow an issuing CA to indicate that one or more of that issuer's policies can be considered equivalent to another policy used in the subject CA's domain.
These extensions support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject, to increase a certificate user's confidence that the certificate subject is a particular person or entity. For example, information such as postal address, position within a corporation, or picture image may be required.
The extension fields in this area include the following:
- Subject alternative name: Contains one or more alternative names, using any of a variety of forms. This field is important for supporting certain applications, such as electronic mail, EDI, and IPSec, which may employ their own name forms.
- Issuer alternative name: Contains one or more alternative names, using any of a variety of forms.
- Subject directory attributes: Conveys any desired X.500 directory attribute values for the subject of this certificate.
These extensions allow constraint specifications to be included in certificates issued for CAs by other CAs. The constraints may restrict the types of certificates that can be issued by the subject CA or that may occur subsequently in a certification chain.
The extension fields in this area include the following:
- Basic constraints:Indicates if the subject may act as a CA. If so, a certification path length constraint may be specified.
- Name constraints: Indicates a name space within which all subject names in subsequent certificates in a certification path must be located.
- Policy constraints: Specifies constraints that may require explicit certificate policy identification or inhibit policy mapping for the remainder of the certification path...
Table of Contents
1. Computer and Network Security Concepts
2. Introduction to Number Theory
3. Classical Encryption Techniques
4. Block Ciphers and the Data Encryption Standard
5. Finite Fields
6. Advanced Encryption Standard
7. Block Cipher Operation
8. Random Bit Generation and Stream Ciphers
9. Public-Key Cryptography and RSA
10. Other Public-Key Cryptosystems
11. Cryptographic Hash Functions
12. Message Authentication Codes
13. Digital Signatures
14. Key Management and Distribution
15. User Authentication Protocols
16. Network Access Control and Cloud Security
17. Transport-Level Security
18. Wireless Network Security
19. Electronic Mail Security
20. IP Security
Appendix A Projects for Teaching Cryptography and Network Security
Appendix B Sage Examples
"What does it matter, Jeeves, at a time like this? Do you realize that Mr. Little's domestic happiness is hanging in the scale?"
"There is no time, sir, at which ties do not matter."
Very Good Jeeves! P. G. Wodehouse
In this age of universal electronic connectivity, of viruses and hackers, of electronic eavesdropping and electronic fraud, there is indeed no time at which security does not matter. Two trends have come together to make the topic of this book of vital interest. First, the explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This, in turn, has led to a heightened awareness of the need to protect data and resources from disclosure, to guarantee the authenticity of data and messages, and to protect systems from network-based attacks. Second, the disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.
It is the purpose of this book to provide a practical survey of both the principles and practice of cryptography and network security. In the first two parts of the book, the basic issues to be addressed by a network security capability are explored by providing a tutorial and survey of cryptography and network security technology. The latter part of the book deals with the practice of networksecurity: practical applications that have been implemented and are in use to provide network security.
The subject, and therefore this book, draws on a variety of disciplines. In particular, it is impossible to appreciate the significance of some of the techniques discussed in this book without a basic understanding of number theory and some results from probability theory. Nevertheless, an attempt has been made to make the book self-contained. The book presents not only the basic mathematical results that are needed but provides the reader with an intuitive understanding of those results. Such background material is introduced as needed. This approach helps to motivate the material that is introduced, and the author considers this preferable to simply presenting all of the mathematical material in a lump at the beginning of the book.
The book is intended for both an academic and a professional audience. As a textbook, it is intended as a one-semester undergraduate course in cryptography and network security for computer science, computer engineering, and electrical engineering majors. The book also serves as a basic reference volume and is suitable for self-study.
PLAN OF THE BOOK
The book is organized in four parts:
Part One. Conventional Encryption: A detailed examination of conventional encryption algorithms and design principles, including a discussion of the use of conventional encryption for confidentiality.
Part Two. Public-Key Encryption and Hash Functions: A detailed examination of public-key encryption algorithms and design principles. This part also examines the use of message authentication codes and hash functions, as well as digital signatures and public-key certificates.
Part Three. Network Security Practice: Covers important network security tools and applications, including Kerberos, X.509v3 certificates, PGP, S/MIME, IP Security, SSL/TLS, and SET.
Part Four. System Security: Looks at system-level security issues, including the threat of and countermeasures for intruders and viruses, and the use of firewalls and trusted systems.
In addition, the book includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words. suggestions for further reading, and recommended Web sites.
A more detailed, chapter-by-chapter summary of each part appears at the beginning of that part.
INTERNET SERVICES FOR INSRUCTORS AND STUDENTS
There is a Web page for this book that provides support for students and instructors. The site includes links to other relevant sites, copies of the figures and tables from the book in PDF (Adobe Acrobat) format, and sign-up information for the book's Internet mailing list. The Web page is at WilliamStallings.com/Crypto3e.html. An Internet mailing list has been set up so that instructors using this book can exchange information, suggestions, and questions with each other and with the author. As soon as typos or other errors are discovered, an errata list for this book will be available at WilliamStallings.com. In addition, the Computer Science Student Resource site, at WilliamStallings.com/StudentSupport.html, provides documents, information, and useful links for computer science students and professionals.
PROJECTS FOR TEACHING CRYPTOGRAPHY AND NETWORK SECURITY
For many instructors, an important component of a cryptography or security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. This book provides an unparalleled degree of support for including a projects component in the course. The instructor's manual not only includes guidance on how to assign and structure the projects, but also includes a set of suggested projects that covers a broad range of topics from the text:
- Research Projects: A series of research assignments that instruct the student to research a particular topic on the Internet and write a report
- Programming Projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform
- Reading/Report Assignments: A list of papers in the literature, one for each chapter, that can be assigned for the student to read and then write a short report
See Appendix B for details.
WHAT"S NEW IN THE THIRD EDITION
In the four years since the second edition of this book was published, the field has seen continued innovations and improvements. In this new edition, I try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. To begin this process of revision, the second edition was extensively reviewed by a number of professors who teach the subject. In addition, a number of professionals working in the field reviewed individual chapters. The result is that, in many places, the narrative has been clarified and tightened, and illustrations have been improved. Also, a number of new "field-tested" problems have been added.
Beyond these refinements to improve pedagogy and user friendliness, there have been major substantive changes throughout the book. Highlights include the following:
- NewAdvanced Encryption Standard: The most important event in this field in the past four years is the adoption of the Advanced Encryption Standard (AES). This conventional encryption algorithm is designed to replace DES and triple DES and is likely to soon become the most widely used conventional encryption algorithm. A detailed discussion of AES has been added.
- NewFinite Fields: Both AES and elliptic curve cryptography rely, on the use of finite fields. A new chapter provides a clear, succinct description of the necessary concepts in this area.
- NewRC4: RC4 is the most widely used stream cipher. It is part of the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that have been defined for communication between web browsers and servers. It is also used in the WEP (Wired Equivalent Privacy) protocol that is part of the IEEE 802.11 wireless LAN standard.
- NewCTR Mode: NIST has recently approved the counter (CTR) mode for block cipher encryption, intended for high-speed applications.
- ExpandedTreatment of Elliptic Curve Cryptography: ECC is a public-key technique that is becoming increasingly important and widespread. Reflecting this, the coverage of ECC has been expanded considerably.