 The magazine of the Melbourne PC User Group Computer Security Major Keary |
 |
Computer security is a broad, but useful, term that encompasses a number of disciplines, technologies, and practices. It has to achieve certain things, which can be summarised with the mnemonic, PAIN: privacy, authentication, integrity, and non-repudiation.
Privacy, or confidentiality, is the protection of information by keeping it secret.
Authentication, or authorisation, is the process of positively establishing identity.
Integrity is the process of ensuring that information has not been changed or otherwise tampered with between the sender and receiver.
Non-repudiation means that an entity (a person or organisation) cannot deny having sent something (for example, a buy order emailed to a stock broker).
Closely associated with computer security is the abbreviation, RSA, which stands for Rivest, Shamir, and Adleman and is used to denote the algorithm that enabled public public-key encryption. When Ron Rivest documented the `discovery' in 1977 he listed the authors in alphabetic order, which might have given us the acronym, ARS, for the solution to an asymmetric cipher scheme proposed by Diffie and Hellman in 1975. However, some years earlier James Ellis of GCHQ (the government communications organisation of Britain) had conceived the same idea. Another GCHQ employee, Clifford Cocks, discovered the solution - the same mathematical function as in RSA - in 1973. The Cocks discovery was not made public until 18 December 1997, when he presented a paper at a conference. Few of the American crypto texts published since then mention the work of Ellis and Cocks. They are, however, acknowledged in RSA Security's Official Guide to Cryptography and the fourth edition of the Encyclopedia of Computer Science.
A core technology for protecting data and communications is cryptography. RSA Security Inc. is a well-established company specialising in cryptosystems and has its own publishing arm, RSA Press, which is a joint venture with McGraw-Hill. Three titles from RSA Press present good accounts of modern cryptosystems.
RSA Security's Official Guide to Cryptography
A sound introduction for anyone intending to study the application of cryptography to computer security, this text is also a valuable introduction and ongoing resource for executives and managers who are involved - or may become involved - in the selection or deployment of a computer security system. The material is presented in a way that makes it one of the better introductions for interested lay readers; the descriptions of technical topics are well presented. It contains the best plain-language explanation of XOR - as used in crypto texts - that I have seen; XOR (exclusive OR) is one of those obtuse things that are part of symbolic logic and is often encountered in crypto literature.
The book is about concepts rather than technical detail, and about how systems interlock to deliver a high level of security. Excellent diagrams help the reader visualise complex processes, and the inclusion of case studies further adds to a comprehensible account of current cryptosystems.
Topics covered include symmetric key cryptography and the management of symmetric keys; public-key crypto and key distribution; digital signatures; public-key certificates; network and transport security protocols; application-layer security protocols; hardware solutions; break-ins; and standards.
A very practical approach to security issues with descriptions of current products, both hardware and software. A companion CD contains RSA Laboratories' complete FAQ, public-key standards, and some interesting newsletters.
| Burnett and Paine: RSA Security's Official Guide to Cryptography ISBN 0-07-213139-X Published by RSA Press/McGraw-Hill, 419 pp. + CD, RRP $109.95 incl. GST |
 |
Public Key Infrastructure
Another title in the RSA Press series, PKI: Implementing and Managing E-Security, focuses on Public
Key Infrastructure (PKI), which is at the heart of secure business-to-business and business to consumer
environ- ments. Usually the subject of PKI is dealt with at chapter level in more general computer security
texts. This book presents an in-depth account of PKI, its implementation, and related technologies. There is
no math for readers to struggle with, or any assumption of special technical knowledge.
The book has been written for "anyone who wants to learn about the technology associated with PKI -
particularly if they are involved in deployment, planning, or operation of a Public Key Infrastructure . [or]
. anyone considering building electronic commerce systems . ".
Following an overview of various aspects of cryptography the book deals exclusively with PKI, beginning with
an introduction to the basic components: digital certificates, certification authorities, user
authentication, and authorisation. The following chapters address key management (keys and certificates have
a life cycle after which they must be renewed, and there must be a safe method of issue and verification);
PKI architecture using the PKIX model (based on the X.509 standard); incorporating PKI into applications;
trust models; authentication issues (including a discussion of biometric systems); deployment and operation
of PKI; and a discussion of cost effectiveness.
A thorough and well-written coverage of an important part of any security system. The lead author,
incidentally, is an Australian.
| Andrew Nash et al.: PKI: Implementing and Managing E-Security ISBN 0-07-213123-3 Published by RSA Press/McGraw-Hill, 513 pp., RRP $89.95 incl. GST |
 |
Internet Protocol Security
Internet Protocol Security (IPSec) provides a crypto-based solution for securing IP traffic, the 'IP'
being the familiar initials in TCP/IP and an essential element in the establishment of Virtual Private
Networks (VPN). A third title in the RSA Press series, IPSec: Securing VPNs, is a technically
detailed description of IPSec.
The first half of the book is an overview of TCP/IP, crypto- graphic schemes used in IPSec, PKI, and
Lightweight Directory Access Protocol (LDAP). The relevant chapters are not sim- plified accounts, but well
supported with explanatory code and mathematical explanations.
The second half of the book discusses various aspects of IPSec: IP security architecture; the authentication
header; encap- sulating the security payload; the Internet Security Key Management Protocol (ISAKMP);
Internet key exchange; IP compression; and VPN solutions. Differences between IPv4 and IPv6 are explained in
the context of each topic.
To understand IPSec it is necessary to have a good grasp of TCP/IP, PKI, LDAP, and currently used
cryptosystems; the author has done a good job of introducing each of those topics so as to provide the reader
with the knowledge necessary for comprehending IPSec.
| Carlton Davis: IPSec: Securing VPNs ISBN 0-07-212757-0 Published by RSA Press/McGraw-Hill, 404 pp, RRP $89.95 incl. GST |
 |
Hacking Exposed
Osborne/McGraw-Hill publishes a series of Hacking Exposed titles, the best known of which is
Hacking Exposed: Network Security Secrets & Solutions, now in its third edition. Other tiles in the
group are, Hacking Linux Exposed, Hacking Windows 2000 Exposed, and Hacker's Challenge.
These are practical, real-world guides to vulnerabilities, how they are exploited, and how to take protective
measures.
Bruce Schneier, author of Applied Cryptography and CTO of Counterpane Internet Security, Inc.,
has described Hacking Exposed as "informational gold", which - along with a report that the U.S. Air
Force has developed a curriculum around its contents - is pretty high recommendation. I will be looking at
these in more detail later, but in the meantime they are worth inspection.
Reprinted from the July 2002 issue of PC Update, the magazine of Melbourne PC User Group,
Australia
   |