BKDIGSIG.RVW   20020520

"Digital Signatures", Mohan Atreya et al, 2002, 0-07-219482-0, U$59.99
%A   Mohan Atreya
%A   Benjamin Hammond
%A   Stephen Paine
%A   Paul Starrett
%A   Stephen Wu
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2002
%G   0-07-219482-0
%I   McGraw-Hill Ryerson/Osborne
%O   U$59.99 905-430-5000 +1-905-430-5134 fax: 905-430-5020
%P   368 p.
%T   "Digital Signatures"

Although cryptography is generally considered to be useful for hiding information or holding it confidential, cryptographic methods can also be used to determine whether data has been altered. Slightly more specialized means can also be used to provide evidence that a certain individual composed or verified a certain message, in the same way that a handwritten signature is presumed to assert a person's intent or agreement with respect to a contract. Properly used and supported, these digital signatures can be stronger and more flexible than physical signatures as a means of binding an identity to a document.

Chapter one is an introduction, both to some basic concepts, and to the book as a whole. (The material is disjointed in places: there is a section entitled "Legislation" on page six and another on page eight, although the content is different.) The overview of cryptography, in chapter two, has some very weak and some very good points: the explanation of the four modes of DES (Data Encryption Standard) is much clearer than in most texts. The description is, however, very generic, and does not address hash or signature topics at all, nor does it address algorithmic and key length strength and weakness. Certificates are a vital part of the common digital signature structure, but chapter three's discussion concentrates on X.509 fields and request procedures, without getting into the underlying concepts. Data integrity is another key (sorry) concept in the creation of digital signatures, but while the material on checksums and hashing starts out well, chapter four ends in something of a confusing mess.
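The distinction the review draws in its opening (a hash shows whether data was altered; a signature additionally binds a particular signer to it), and the data-integrity topic it faults chapter four for muddling, can be seen concretely in this added example, which is not from the book or the review. It uses Go's standard-library SHA-256 and Ed25519; the "contract" text is constructed and the keys are generated on the fly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Document is a constructed sample "contract" used for the demonstration.
const Document = "I agree to pay 100 units on 2002-05-20."

// Fingerprint returns the SHA-256 digest of data. A stored digest detects
// later alteration, but anyone can recompute it for altered data, so a
// digest alone says nothing about who produced the document.
func Fingerprint(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// Altered reports whether data no longer matches a previously stored digest.
func Altered(data, storedDigest []byte) bool {
	return !bytes.Equal(Fingerprint(data), storedDigest)
}

// Sign produces an Ed25519 signature over data with the signer's private key.
// Only the holder of priv can produce a signature that pub will accept.
func Sign(priv ed25519.PrivateKey, data []byte) []byte {
	return ed25519.Sign(priv, data)
}

// Verify reports whether sig was produced over exactly this data by the
// holder of the private key matching pub.
func Verify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte(Document)
	digest := Fingerprint(doc)
	sig := Sign(priv, doc)
	tampered := []byte("I agree to pay 1000 units on 2002-05-20.")
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // a different signer
	fmt.Println("original altered?           ", Altered(doc, digest))      // false
	fmt.Println("tampered altered?           ", Altered(tampered, digest)) // true
	fmt.Println("signature valid on original?", Verify(pub, doc, sig))      // true
	fmt.Println("signature valid on tampered?", Verify(pub, tampered, sig)) // false
	fmt.Println("valid under another key?    ", Verify(otherPub, doc, sig)) // false
}
```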
Chapter five flits between real and theoretical systems in such a way that no valid assessment of uses and shortcomings is possible. A number of miscellaneous topics are listed in chapter six. Chapter seven looks at various business issues and models, generally with respect to public key infrastructure, but is oddly unhelpful in real world terms. Some standards are listed and tersely described in chapter eight. Definition sections lifted from various pieces of legislation are reproduced in chapter nine. Chapter ten lists a number of legal concepts that may have a bearing on digital signatures: these are more practically related to systems and policies in chapter eleven.

The technical and practical aspects of this book fall far short of being useful either to the security professional, or to the manager who may need to address the topic or make decisions about systems. The legal sections, however, might justify, for the professional, the purchase of this otherwise confused work.

copyright Robert M. Slade, 2002