Next message: mea culpa: "[ISN] Serb Hackers Declare Computer War"
Forwarded From: "Jay D. Dyson" <jdyson�t_private>
Forwarded Courtesy of RISKS Digest 20.04
BKPERENC.RVW 980726
"Personal Encryption Clearly Explained", Pete Loshin, 1998,
0-12-455837-2, U$39.95/C$55.95
%A Pete Loshin pete�t_private
%C 525 B Street, Suite 1900, San Diego, CA 92101-4495
%D 1998
%G 0-12-455837-2
%I Academic Press/Academic Press Professional/Harcourt Brace
%O U$39.95/C$55.95 800-321-5068 fax: 619-699-6380 app�t_private
%P 545 p.
%T "Personal Encryption Clearly Explained"
I am getting just a little tired of the car analogy. "You don't need to
be a mechanic," so the metaphor goes, "to drive a car. Therefore, you
don't need to know anything about the theory behind
[encryption|networking|programming|etc.] in order to use a computer."
This comparison ignores two important points. One is that in 1912 you
*did* need to be a fair mechanic to operate a car effectively, and that is
roughly where we are with regard to the development of the computer. The
second point is that while computer programs are generally easy enough for
a novice to use once they have been set up, the choice, evaluation, and
configuration of systems requires much more background. Particularly in
the field of encryption, in recent times "experts" have been recommending
systems for which the time needed to crack keys has fallen to literally
hours.
This book purports to give you everything that you need in order to both
use and understand encryption, specifically with regard to digital
signatures. While the text does provide some limited conceptual education
and a little vicarious experience with a handful of commercial products it
cannot be said to deliver on its promise.
Chapter one is a bit hard to define. It seems to start out as a sales
pitch, trying to convince the reader that encryption is important.
However, it also looks at the scope of privacy and threats thereto, and
even starts to develop the background for encryption technologies. The
quality is highly uneven. A discussion of security versus usability is
excellent and notes that the convenience of modern personal networking
systems pose tremendous security vulnerabilities. On the other hand, the
introduction to information risks cites only computer criminals, without
considering the possibility of transmission of sensitive information to
unauthorized recipients through human errors or system failures. A review
of types of data that should be secured fails to note that encrypting some
files and messages while leaving others accessible can, in and of itself,
provide assistance to the enemy. The material on security technologies
and specific threats is fairly mundane.
A primer on encryption is presented in chapter two, although it is, as is
all to usual, more of a history than a real explanation. Modern computer
encryption is less than half of the chapter, and most of that space is
dedicated to describing different applications rather than technologies.
Appendix A should probably be considered as an extension of the
discussion, and does provide a first rate explanation of the mathematical
underpinnings to modern public-key encryption, but ends just as we get to
the good bit. Neither the chapter nor the appendix gives the necessary
preparation for assessing cryptographic strength.
Chapter three is a balanced but relatively superficial examination of the
debate surrounding the US government's attempts to restrict the
availability and use of encryption. The discussion of encryption
implementation in chapter four touches on a wide range of issues, but none
in any depth. A number of disparate products are briefly described (and
the "installation" of two is presented in some detail), but the
foundation for evaluation still has not been provided in chapter five.
Chapter six looks at a number of security topics and features related to
the Netscape Navigator browser, but not all relate to encryption, and
encryption related topics are passed over quite quickly. There is, for
example, no discussion of the ramifications of dealing with either
"export" copies of Netscape products, or non-US Web servers, both of which
may be restricted in the cryptographic keys they can deal with.
Operational, but not functional, specifics of three e-mail products with
cryptographic capabilities are detailed in chapter seven. Similar
information is given for some file encryption products in chapter eight.
Chapter nine's explanation of digital commerce is simplistic and
surprisingly abrupt. The review of key management in the Network
Associates PGP product should be viewed together with the material in
chapters five and eight (and even then isn't really complete) but
additional content does begin to address some of the conceptual issues in
chapter ten.
This is yet another example of a book that tries to explain encryption to
a non-technical audience but seems to feel that a full background is not
needed. Loshin does a better job than some other authors with the
inclusion of Appendix A, but fails to provide either the explanation of
function or the demonstration of relative strength that Garfinkel
manifested in "PGP: Pretty Good Privacy" (cf. BKPGPGAR.RVW).
Unfortunately this current work is neither clear not complete enough to be
recommended for any particular audience.
copyright Robert M. Slade, 1998 BKPERENC.RVW 980726
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:08:45 PDT