---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor"
Organization: Vancouver Institute for Research into User

BKIMPECC.RVW   990115

"Implementing Elliptic Curve Cryptography", Michael Rosing, 1999,
1-884777-69-4, U$47.95/C$67.95
%A   Michael Rosing cryptech@mcs.com
%C   32 Lafayette Place, Greenwich, CT 06830
%D   1999
%G   1-884777-69-4
%I   Manning Publications Co.
%O   U$47.95/C$67.95 hetr@manning.com 516-887-9747
%P   313 p.
%T   "Implementing Elliptic Curve Cryptography"

Modern asymmetric (or "public") key cryptography uses mathematical
operations that are fairly easy to do in one direction, but extremely
hard to do in reverse. The standard example used (indeed, the one that
is almost synonymous with public key encryption) is that of factoring.
Given two large prime numbers, it is a straightforward task to multiply
them together and find the resulting multiplicand. However, given a
large number that is a product of two large prime factors, it is
extremely difficult to find those two primes.

Elliptic curves have a similar property. A characteristic of an
elliptic curve is that any two points on the curve can be "added," and
the resulting point will also be on the curve. However, it is
difficult, given only the final point, to find the original two that
were added. Thus, this attribute can be used as the basis of an
asymmetric encryption system.

Rosing doesn't get around to explaining what an elliptic curve is until
chapter five, so you have to take a fair amount on faith. In spite of
the comments in the first few pages of the book promoting the
advantages of understanding the fundamentals, it is quite easy to
believe that the text was written to explain some sample code, since
there is far more emphasis on dealing with carry bits than there is on
the background explanations.
He starts in chapter one by talking about exponential curves (as in, a
good crypto system is one where the work done to encrypt a message
grows more slowly than the work required to crack it) and the enormous
magnitude of address spaces. Chapter two doesn't really deal with
number theory until halfway through, concentrating on coding for
arithmetic with large integers, and rushing through conceptual
explanations in order to get into yet more programming. Polynomials
are introduced in chapter three, but, again, I couldn't say that the
subject is really covered. At one point a new term, undefined, is
introduced. The comment, "If you don't know what that means, just
remember that it works!" is not terribly helpful when we have no idea
what it works for. Normal basis is given a mathematical definition,
but almost no explanation, in chapter four. The explanation of
elliptic curves, in chapter five, is much better, but, relying as it
does on some understanding of polynomial and normal basis, still
leaves a lot to be desired.

It is interesting to note, in chapter six, that the basics of
cryptology are treated every bit as cavalierly as the math. The
explanation of public key cryptography is extremely terse, and, in
fact, contains several minor errors. Chapter seven looks at some
practical building blocks like random number generation and
"handshaking" protocols. The elliptic curve encryption scheme and IEEE
P1363 standard mask and hash functions are reviewed in chapter eight.
Chapters nine and ten discuss advanced topics in key exchange and
digital signatures respectively. Fine details for performance
enhancement in specific sections of code are covered in chapter
eleven. A sample analysis and design is given in chapter twelve.

Now, granted, Rosing's purpose is engineering and implementation and
not math tutorials. And, to be fair, he does provide information on a
number of points of programming not often dealt with in the more
academic texts.
However, as he points out, you cannot simply use the sample code in
the book and expect it to work in all cases and for all purposes.
Therefore, if the programmer does not understand, to some extent, how
the system works, the eventual system may have flaws and weaknesses.
However helpful the programming pointers handed out in every chapter,
design must be based on concepts, and these are very poorly provided.
If, on the other hand, you learned UNIX by studying the source code,
you might do reasonably well with this book.

copyright Robert M. Slade, 1999   BKIMPECC.RVW   990115

BKTPSCIN.RVW   990117

"Top Secret Intranet", Fredrick Thomas Martin, 1999, 0-13-080898-9,
U$34.99/C$49.95
%A   Fredrick Thomas Martin
%C   One Lake St., Upper Saddle River, NJ 07458
%D   1999
%G   0-13-080898-9
%I   Prentice Hall
%O   U$34.99/C$49.95 800-576-3800, 416-293-3621
%P   380 p.
%S   Charles F. Goldfarb Series on Open Information Management
%T   "Top Secret Intranet"

Does anyone else think it is ironic that this book is part of a series
on *open* information management? No, I didn't think so.

Part one is an introduction to Intelink, the intranet connecting the
thirteen various agencies involved in the US intelligence community.
Chapter one is a very superficial overview of some basics: who are the
departments, packet networks, layered protocols, and so forth. The
description of Intelink as a combination of groupware, data warehouse,
and help desk, based on "commercial, off-the-shelf" (COTS) technology
with Internet and Web protocols, in chapter two, should come as no big
surprise.

Part two looks at the implementation (well, a rather high level
design, anyway) of Intelink. Chapter three reviews the various
government standards used as reference materials for the system, which
boil down to open (known) standards except for the secret stuff, for
which we get acronyms. There is a quick look at electronic intruders,
encryption, and security policy in chapter four.
Various security practices used in the system are mentioned in chapter
five, but even fairly innocuous details are lacking. For example,
"strong authentication" is discussed in terms of certificates and
smartcards, but a challenge/response system that does not send
passwords over the net, such as Kerberos, is not, except in the
(coded?) word "token." Almost all of chapter six, describing tools and
functions, will be immediately familiar to regular Internet users.
Chapter seven takes a return look at standards. The case studies in
chapter eight all seem to lean very heavily on SGML (Standard
Generalized Markup Language) for some reason.

Part three is editorial in nature. Chapter nine stresses the
importance of information. (Its centerpiece, a look at statements from
some of the Disney Fellows from the Imagineering division, is somewhat
paradoxically loose with the facts.) The book closes with an analysis
of intelligence service "agility," using technology as an answer to
everything except interdepartmental rivalries.

Probably the most interesting aspect of the book is the existence of
Intelink at all, and the fact that it uses COTS components and open
standard protocols. (Of course, since it was defence money that seeded
the development of the Internet in the first place, one could see
Intelink simply as a belated recognition of the usefulness of the
product.) For those into the details of the US government's more
secretive services there is some mildly interesting information in the
book. For those charged with building secure intranets there is some
good pep talk material, but little assistance.

copyright Robert M. Slade, 1999   BKTPSCIN.RVW   990117

======================
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Linked to bookstore at http://www97.pair.com/robslade/
Comp Sec Weekly: http://www.suite101.com/welcome.cfm/computer_security
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
---------------------------------------------