OpenBSD Journal

Book Review: Cryptography and Network Security

Contributed by jose on from the books-makes-you-smart dept.

Title: Cryptography and Network Security, 3rd ed.
Author: William Stallings
Publisher: Prentice Hall
682 Pages, Summer, 2002
Rating: 8.5/10 (Excellent)
Reviewer: Jose Nazario

I have been an avid fan of Stallings' Cryptography and Network Security for many years now. My copy of the second edition has been useful for many topics and pieces of research since I first recieved it. When the third edition became available, I was excited and eager to see the improvements.

Overall, the book represents a substantial addition to the already good second edition. Coverage of the AES cipher, for example, has been added, as has RC4 stram cipher material. Additional background information for number theory has been added for finite fields and an expanded coverage of elliptical curve cryptography. While I find the book to be overall of excellent quality, I will focus instead on the weaknesses in this edition before I discuss its strengths.

Weaknesses

One of the biggest disappointments was the lack of any discussion of the attacks on the RC4 and AES ciphers. Both of these ciphers have had considerable review in the past two years. AES, being new, has received a considerable amount of coverage from the entire world. RC4, being used in WEP and most transaction layer cryptosystems, has also received a great deal of evaluation and several flaws have been exposed in the cipher.

The protocol descriptions for SSH and WEP are also missing from the book, something I fully expected to see. WEP's popularity (and striking failures) would have been excellent material to cover in the book to show how good primatives cannot simply be blidly assembled. The popularity of the SSH protocol also makes it an important topic to cover, with discussions of the weaknesses in early designs and the current model being noteworthy components missing from the book.

A limited coverage of computer security topics, such as firewalls and intrusion detection, is also noticable. The book is heavy on cryptography and the use of cryptosystems in system and network security. Additional topics are covered only vaguely in some places, meaning the book is a stronger introduction to cryptography than system and network security.

Lastly, I found the book to contain a weak discussion of the ISAKMPD and OAKLEY protocols, used in IPsec session establishment. IPsec is discussed only at the ESP and AH level, with very little coverage of the complexity that is in ISAKMPD. Last fall when I did a lot of IPsec work, I would have appreciated this more (instead I slogged through the RFCs).

Strengths

Perhaps the biggest strength of the book is its clear diagrams. These include encryption ciphers and cryptosystems. Not being a mathematically strong person, I find the presentation of the ciphers in their graphical form to be welcome and more than sufficient for my needs. I usually turn to this book before Applied Cryptography for the major ciphers and even number theory background when I need it.

Overall, the book presents solid coverage of the topics it attempts. This includes a great discussion of Kerberos and X.500 as authentication protocols, the transport security protocols SSL and TLS, and a good background in IPsec (which lacks some, bit is still pretty good).

The overall clarity of the writing and presentation is why I continually use this as a reference for many things. I have reached for it, for example, to figure out the standards in S/MIME, TLS vs SSL, and various similar comparisons.

Conclusions

While lacking in some areas, the book more than makes up for its weaknesses through its excellent and clear coverage of the topics it does focus on. For myself, not being a strong mathematician, I find the presentation style used by Stallings to be effective, concise, and welcome. The book's organization and utility have made it a mainstay on my shelves for the past several years, and I'm happy to replace it with the third edition.

(Comments are closed)


Comments

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]