BKMDNCRP.RVW 20041207 "Modern Cryptography: Theory and Practice", Wenbo Mao, 2004, 0-13-066943-1, U$54.99/C$82.99 %A Wenbo Mao %C One Lake St., Upper Saddle River, NJ 07458 %D 2004 %G 0-13-066943-1 %I Prentice Hall %O U$54.99/C$82.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0130669431/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0130669431/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0130669431/robsladesin03-20 %O tl s rl 1 tc 3 ta 3 tv 0 wq 1 %P 707 p. %T "Modern Cryptography: Theory and Practice" A "Short Description of the Book" states that it is intended to address the issue of whether various crypto algorithms are "practical," as opposed to just theoretically strong. This seems odd, since no algorithm is ready for implementation as such: it must be made part of a full system, and most problems with cryptography come in the implementation. The preface doesn't make things much clearer: it reiterates a "fit-for-application" mantra, but doesn't say clearly, at any point, why existing algorithms are not appropriate for use. The preface also suggests that this book is for advanced study in cryptography, although it states that security engineers and administrators, with special responsibility for developing or implementing cryptography, are also in the target audience. Part one is an introduction, consisting of two chapters. Chapter one outlines the idea of the first "protocol" of the book: a "fair coin toss" over the telephone, grounding the book firmly in the camp of cryptography for the purpose of secure communications. The remainder of the chapter points out all the requirements to make such an unbiased selector work, acting as a kind of sales pitch or "come on" to make you want to read the rest of the book. The promotion is slightly flawed by the fact that there is very little practical detail in the material (it takes a lot of work on the part of the reader to figure out that, yes, this system might work), excessive verbiage, and poor explanations. The stated "objectives" of the chapter, given at the end, say that you should have a "fundamental understanding of cryptography": this is true only in the most limited sense. Chapter two slowly builds a kind of pseudo-Kerberos system. Part two covers mathematical foundations. Chapter three deals with probability and information theory, four with Turing Machines and the notion of computational complexity, five with the algebraic foundations behind the use of prime numbers and elliptic curves for cryptography, and various number theory topics are touched on in chapter six. Part three addresses basic cryptographic techniques. Chapter seven deals with basic symmetric encryption techniques, touching on substitution and transposition, as well as reviewing the operations of DES (Data Encryption Standard) and AES (Advanced Encryption Standard). The insistence on converting all operations, and giving all explanations, in symbolic logic does not seem to have any utility, does not provide any clarity, and makes the material much more difficult than it could be. Asymmetric techniques, and attacks against them, are outlined in chapter eight. Finding individual bits of the message, a process examined in chapter nine, can, over time, result in an attack on the message or key as a whole. Chapter ten looks at data integrity, hashes, and digital signatures. Part four deals with authentication. Chapter eleven reviews various conceptual protocols, pointing out (for example) that there is a serious problem of key storage for challenge/response systems. A variety of real applications are considered in chapter twelve, and warnings issued about each. Issues of authentication specific to asymmetric systems are covered in chapter thirteen. Part five looks at formal approaches to the establishment of security. There is more asymmetric cryptographic theory in chapter fourteen. Chapter fifteen examines a number of provably secure asymmetric cryptosystems, while sixteen does the same for digital signatures. Formal methods of authentication protocol analysis are given in chapter seventeen. Part six discusses abstract cryptographic protocols. Chapter eighteen reviews a number of zero knowledge protocols, which provide the basis for authentication where the principals are not previously known to each other. The coin flipping protocol, initiated in chapter one, is revisited in chapter nineteen. Chapter twenty wraps up with a summary of the author's intentions for the book. The book is certainly for advanced study, but it is hardly suitable for security administrators, professionals, or even engineers. The mathematical material is quite demanding, and is seldom explained (as opposed to the clear explanations of the implications of the math that is given in, for example, "Applied Cryptography" [cf. BKAPCRYP.RVW], or even the equally advanced but much more comprehensible "Algebraic Aspects of Cryptography" [cf. BKALASCR.RVW]). However, there are points in the material that could be useful for practical cryptographic systems, provided one is dealing primarily with authentication of communications, and the possibility of physical access is ignored. The text would have been much more useful if the author could have been induced to provide some of the basic explanations in English, rather than leaving the reader to work out the math. copyright Robert M. Slade, 2004 BKMDNCRP.RVW 20041207