BKINTCRP.RVW   20021215

"Internet Cryptography", Richard E. Smith, 1997, 0-201-92480-3,
U$29.95/C$44.95
%A   Richard E. Smith internet-crypto@aw.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   1997
%G   0-201-92480-3
%I   Addison-Wesley Publishing Co.
%O   U$29.95/C$44.95 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O   http://www.amazon.com/exec/obidos/ASIN/0201924803/robsladesinterne
%P   356 p.
%T   "Internet Cryptography"

According to the preface, this book is aimed at non-specialists who need to know just enough about cryptography to make informed technical decisions. As an example, Smith suggests systems administrators and managers who, while not formally charged with security, still have to use cryptographic techniques to secure their networks or transmissions.

Chapter one is an introduction, contrasting what we want (secure communications) with the environment we have to work in (a wide open Internet). The text also looks at the balance that must be maintained between convenience and requirements. Encryption basics, in chapter two, presents the concepts of symmetric cryptography, its use, and how to choose an algorithm. There is a clear explanation of the ideas without overwhelming technical details. (It is interesting to note how quickly cryptographic technology changes: SKIPJACK and ITAR were still important when the book was written, and are now basically irrelevant.) Some random thoughts on network implementation of encryption are given in chapter three. Managing secret keys, in chapter four, provides good conceptual coverage of generation and management, although the discussion of the problems of key escrow is weak.

Because of the requirement for technical detail when discussing protocols, chapter five, on IPSec, is different from the other material in the book. It also includes a brief mention of other protocols. Chapter six discusses the use of IPSec in virtual private networks, while seven examines IPSec in terms of remote access. Chapter eight looks at IPSec in relation to firewalls, but it is difficult to see how this would be used in an actual application.

Chapter nine reviews public key encryption and SSL (Secure Sockets Layer). The basic concepts of asymmetric cryptography are presented well, but may be unconvincing due to the lack of mathematical support and details. While there is an introduction to the idea of digital signatures, SSL itself is really only mentioned. World Wide Web transaction security, in chapter ten, provides practical examples of the technologies discussed. The same is true of email, in chapter eleven, but digital signatures get a bit more explanation. Chapter twelve builds on the signature concept to introduce PKI (Public Key Infrastructure) notions.

The fundamentals are written clearly and well, and are quite suitable for managers and users. Despite the lack of detail, the text may even be suitable for some security professionals who need a rough background without needing to work with the technology itself. The work is easy to read, although the idiosyncratic structure may be confusing, and the value of some chapters is questionable.

copyright Robert M. Slade, 2002