[ISN] REVIEW: "Personal Encryption Clearly Explained"

From: mea culpa (jerichot_private)
Date: Thu Oct 22 1998 - 14:02:38 PDT

  • Next message: mea culpa: "[ISN] Serb Hackers Declare Computer War"

    Forwarded From: "Jay D. Dyson" <jdysont_private>
    Forwarded Courtesy of RISKS Digest 20.04
    BKPERENC.RVW   980726
    "Personal Encryption Clearly Explained", Pete Loshin, 1998,
    0-12-455837-2, U$39.95/C$55.95
    %A   Pete Loshin petet_private
    %C   525 B Street, Suite 1900, San Diego, CA   92101-4495
    %D   1998
    %G   0-12-455837-2
    %I   Academic Press/Academic Press Professional/Harcourt Brace
    %O   U$39.95/C$55.95 800-321-5068 fax: 619-699-6380 appt_private
    %P   545 p.
    %T   "Personal Encryption Clearly Explained"
    I am getting just a little tired of the car analogy.  "You don't need to
    be a mechanic," so the metaphor goes, "to drive a car.  Therefore, you
    don't need to know anything about the theory behind
    [encryption|networking|programming|etc.] in order to use a computer." 
    This comparison ignores two important points.  One is that in 1912 you
    *did* need to be a fair mechanic to operate a car effectively, and that is
    roughly where we are with regard to the development of the computer.  The
    second point is that while computer programs are generally easy enough for
    a novice to use once they have been set up, the choice, evaluation, and
    configuration of systems requires much more background.  Particularly in
    the field of encryption, in recent times "experts" have been recommending
    systems for which the time needed to crack keys has fallen to literally
    This book purports to give you everything that you need in order to both
    use and understand encryption, specifically with regard to digital
    signatures.  While the text does provide some limited conceptual education
    and a little vicarious experience with a handful of commercial products it
    cannot be said to deliver on its promise. 
    Chapter one is a bit hard to define.  It seems to start out as a sales
    pitch, trying to convince the reader that encryption is important. 
    However, it also looks at the scope of privacy and threats thereto, and
    even starts to develop the background for encryption technologies.  The
    quality is highly uneven.  A discussion of security versus usability is
    excellent and notes that the convenience of modern personal networking
    systems pose tremendous security vulnerabilities.  On the other hand, the
    introduction to information risks cites only computer criminals, without
    considering the possibility of transmission of sensitive information to
    unauthorized recipients through human errors or system failures.  A review
    of types of data that should be secured fails to note that encrypting some
    files and messages while leaving others accessible can, in and of itself,
    provide assistance to the enemy.  The material on security technologies
    and specific threats is fairly mundane. 
    A primer on encryption is presented in chapter two, although it is, as is
    all to usual, more of a history than a real explanation.  Modern computer
    encryption is less than half of the chapter, and most of that space is
    dedicated to describing different applications rather than technologies. 
    Appendix A should probably be considered as an extension of the
    discussion, and does provide a first rate explanation of the mathematical
    underpinnings to modern public-key encryption, but ends just as we get to
    the good bit.  Neither the chapter nor the appendix gives the necessary
    preparation for assessing cryptographic strength. 
    Chapter three is a balanced but relatively superficial examination of the
    debate surrounding the US government's attempts to restrict the
    availability and use of encryption.  The discussion of encryption
    implementation in chapter four touches on a wide range of issues, but none
    in any depth.  A number of disparate products are briefly described (and
    the "installation"  of two is presented in some detail), but the
    foundation for evaluation still has not been provided in chapter five. 
    Chapter six looks at a number of security topics and features related to
    the Netscape Navigator browser, but not all relate to encryption, and
    encryption related topics are passed over quite quickly.  There is, for
    example, no discussion of the ramifications of dealing with either
    "export" copies of Netscape products, or non-US Web servers, both of which
    may be restricted in the cryptographic keys they can deal with. 
    Operational, but not functional, specifics of three e-mail products with
    cryptographic capabilities are detailed in chapter seven.  Similar
    information is given for some file encryption products in chapter eight. 
    Chapter nine's explanation of digital commerce is simplistic and
    surprisingly abrupt.  The review of key management in the Network
    Associates PGP product should be viewed together with the material in
    chapters five and eight (and even then isn't really complete) but
    additional content does begin to address some of the conceptual issues in
    chapter ten. 
    This is yet another example of a book that tries to explain encryption to
    a non-technical audience but seems to feel that a full background is not
    needed.  Loshin does a better job than some other authors with the
    inclusion of Appendix A, but fails to provide either the explanation of
    function or the demonstration of relative strength that Garfinkel
    manifested in "PGP:  Pretty Good Privacy" (cf. BKPGPGAR.RVW). 
    Unfortunately this current work is neither clear not complete enough to be
    recommended for any particular audience. 
    copyright Robert M. Slade, 1998   BKPERENC.RVW   980726
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:08:45 PDT