Uncryptic Look at Cryptography
With the world accelerating onto the information superhighway, protection of data’s secrecy and correctness takes on increasing importance. The best tool for that protection is cryptography, a very old tool. Despite the importance and maturity of cryptography, few good reference books accessible to nontheorists have been published. This book is a great resource for the software professional who wants to know more about the subject.
Bruce Schneier covers three cryptographic topics of interest to the software professional: protocols, techniques, and algorithms. Additionally, the book contains C source code for many of the algorithms. Few software professionals will want to read the 600-page book cover to cover, but cryptography is so subtle and interconnected that it is worthwhile to at least skim the entire book and then return to study the parts of most immediate interest.
The first part of the book introduces protocols for secure data exchange assisted by cryptography. This part reveals Schneier’s talent for making a complicated subject seem straightforward. The presentation is tutorial in nature. It omits, as the author admits, rigor and some details. He walks you through a simple protocol that allegedly solves a problem, then shows you how that protocol is flawed.
The second part of the book, on cryptographic techniques, covers what you need to know about cryptography beyond the cryptographic functions themselves, including the important concepts of key management, algorithm types, and encryption modes. A more conventional approach would have been to present the algorithms first, then work on how to use them. Schneier’s ordering sends the important message that key management and protection against replay or substitution attacks may well merit attention before jumping into the algorithms themselves.
The cryptographic algorithms in the book’s third part may be the main reason people will buy this book, if you believe the readers’ comments I’ve seen posted in computer-security newsgroups. The catalog of algorithms is more complete than any I have seen. If nothing else, this rich list should keep software professionals from reinventing simple substitution ciphers or, at least, from using a home-grown algorithm that may or may not provide adequate security. As Schneier says, “Cryptography is a subtle art. Cryptosystems that look perfect are often extremely poor. Strong cryptosystems, with a couple of minor changes, can become weak.” A major software vendor several years ago released a mass-market product with a seriously flawed encryption option. Reading this section of the book would have helped that vendor avoid much embarrassment.
The book’s fourth part, loosely entitled The Real World, is really a jumble of product examples, names in the cryptographic world, and some words about politics, specifically export. This section is somewhat disjointed.
Overall, the book helps make cryptography widely accessible. The algorithms are extremely useful and the first two parts help put them in context. The writing is clear, readable, relaxed, and in some places even funny. The author also gives careful references to the original technical literature, so the reader can work through the original sources to obtain the details the author omits.
Slightly Cracked Code
This book is not without flaws. Most disturbing is the errata sheet. My current copy lists approximately 100 corrections. Some of these are typographical errors that somehow creep into every published work, such as “q code” for “a code” or “Guassian” for “Gaussian.” More worrisome are the errors that come from slips of the fingers, such as replacing “Alice” with “Bob” or “receiver” with “interceptor.” These create syntactically correct sentences that may have no meaning or, worse, may have a meaning opposite that intended by Schneier. Although he is very good about maintaining and distributing an errata list, I worry about the errors that have not been reported.
The book’s encyclopedic nature poses a second difficulty. You can tolerate only so many algorithms. Schneier chose to err on the side of completeness, perhaps at the expense of readability.
We vs. US
Finally, the book is US-centric. The organizations in part four are mainly the familiar US ones involved in cryptography: the National Security Agency, National Institute of Standards and Technology, and RSA Data Security. The discussion of the Data Encryption Standard’s recertification does not address the concerns of users such as financial institutions outside the US. The section on the legal implications of digital signatures refers to the US Uniform Commercial Code of the US General Accounting Office.
This much emphasis on the US perspective could be overlooked, but Schneier goes further. He presents US restrictions on export of cryptography without discussing import or usage restrictions in the rest of the world, or export restrictions from other countries. Security on the information highway is very much an international challenge. Commerce is very much an international concern. And the manufacture, sale, and use of cryptography is very much an international issue. The data items that must be secured with cryptography exist throughout the world and are communicated often from one country to another, passing through or above many others. The concepts in this book are just as valid and important for readers in England, France, Germany, Russia, Japan, or Brazil as they are for readers in the US.
Nevertheless, it is pleasing to see how well Schneier has succeeded at making all aspects of modern cryptography accessible to ordinary software professionals. This book should be on the shelf of any computer professional involved in the use or implementation of cryptography.