................................................................. One-Stop Cypher Shop Once and for all, there's a book that collects the history and truth about data encryption and presents it in a no-bullshit, easy- to-understand English. It's the book that the National Security Agency wanted never to be published. Author Bruce Schneier's premise is a simple one: Good encryption should be available to all. Just as people have the right to hide their letters in whatever kind of vault they wish, he reasons, so too should they have the right to protect their digital information with the most impenetrable cryptography. The federal government certainly isn't going to provide citizens with strong encryption tools (the Clipper chip fracas proves that), so Schneier felt a duty to provide a single sourcebook of useful algorithms for people who wish to keep their private business private. The first hundred pages Applied Cryptography contain the best introduction to cryptography I've ever seen. Part two teaches the techniques and tricks necessary to tell a good crypto-system from a bad one. Part three is the down-and-dirty description of each algorithm. And part covers political issues. Roughly a hundred pages of the book is devoted to source code for the most important crypto systems. Anybody seriously interested in cryptography, though, should get the two-disk set for $30 and save all that typing. Because we have a First Amendment in this country, Schneier's book can be printed and exported, despite how the National Security Agency might feel. But, incredibly, since the First Amendment doesn't cover books on floppy disks, it's a federal crime for Schneier to mail the source code on his floppies outside the US. Go figure. --Simson L. Garfinkel, Wired v 2 n 4 (Apr 94). ................................................................. Applied Cryptography Here at OpenVision's security branch (formerly Greer-Zolot Assoc.), we recently got a copy of Bruce Schneier's new book, Applied Cryptography: Protocols, Algorithms and Source Code in C. We immediately ordered two more copies, because our security jocks (me included) didn't want to share it. It is encyclopedic, quite readable, and well-informed, and it more or less picks up where Dorothy Denning's classic Cryptography and Data Security (Addison- Wesley, '82) takes off a dozen years ago. I've often wished lately that such a reference as Schneier's existed. Schneier covers those topics in data security that touch most closely on the encryption algorithms themselves. Thus, the book doesn't discuss authorization, audit, firewalls, or the recent formal logics for proving protocols correct. As far as I can tell, it does cover everything about authentication and key-distribution- -everything. Of the recent flurry of books and articles on data security that I've seen, including some by my old colleagues from Project Athena, and including a couple of others that are still in press, this one has the clearest and most accurate treatment of kerberos. The book is structured like a reference, but written like an undergraduate text. Thus, you can enter anywhere and make sense of what you find, even if you don't already know the material well. It does not include exercises or end-of-chapter summaries, but does include a bibliography of 908 references. This makes it a good place to go, before you dive into the literature on a topic like zero-knowledge proofs and protocols. Schneier also includes licensing and sourcing addresses for encryption algorithms. The index, unfortunately, is a bit weak (though it is available from the author on the net: schneier@chinet.com). This book would be a bargain at twice the price. --Donald T. Davis, ;login: v 19 n 2 (Mar/Apr 94). ................................................................. Applied Cryptography Winner: 1993 Software Development Productivity Award Cryptography may not be of interest to everyone, but this book is the definitive text on the subject. From one-way hash functions to a slew of public-key encryption algorithms, Schneier combines clear descriptions with pseudocode and fully working examples in C. --Software Development v 2 n 5 (May 94). ................................................................. Levels of Secrecy The opening sentence in the preface of Applied Cryptography says it all--I have to quote it: "There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." This is a book you can use for more than one purpose. You can read it as an introduction to the mathematics of cryptography, as a resource of course code for encryption algorithms or as a guide to how traffic on the information superhighway might remain secure even as the highway (supposedly) becomes more accessible. Cryptography isn't restricted to studying the means by which a digital document is securely encoded for purposes of transmission. It can cover activities as wellþactivities once carried out via the transfer of paperwork, but now carried out by transactions across a network. Take digital signatures, for example. Bank A sends a transaction to Bank B. The transaction is encoded, of course. But how can the clerk at bank B be sure that the transaction was authorized by the proper officer at bank A prior to being encoded and transmitted? This is one of the topics of perhaps my favorite section of the book: cryptographic protocols. It begins with the fundamentals (e.g., authentication and public key cryptography), builds through intermediate protocols (e.g., digital signatures and subliminal channels), and moves to more advanced protocols (e.g., blind signatures). The best material, however, appears in the concluding topic: esoteric protocols. Here, you'll find step-by-step procedures for such operations as secure elections and digital cash. Some of the protocols read like descriptions of Rube Goldberg machines. I followed in fascination the step-by-step process of Alice (a hypothetical character) could use to accomplish the audit- trail-free transfer of digital cash. Alice could send a campaign contribution to her favorite senator, and no one could trace where the money had come from. It gets worse: Alice shows up pages later using digital cash to commit a perfect kidnapping. It also gets better. In a later chapter, we're given a brief glimpse of--no kidding--"quantum cryptography." All it takes it some polarized light and a fiber-optic link; the message is encoded in the polarization angle of the light. What you get is an untappable link--since tapping would require measuring a quantum variable, which affects the outcome of any subsequent measurements. Sender and receiver can compare partial messages and verify the presence or absence of an eavesdropper. Finally, if you want code, you've got it. Not only are code fragments smattered throughout, the rear of the book contains listing after well-documented listing (all in C) of cipher routines, secure hash functions, and so forth. If you want to avoid typist's cramp, you can send $30 to the author and get the disk set that includes all the source code from the book, plus updates and new algorithms. Once more, don't let the presence of so much source code frighten you from the book. The descriptions of the exchange protocolsþintricate though they may beþmake good reading for anyone interested in cryptography. --Rick Grehan Byte v 19 n 6 (Jun 94). ................................................................. Applied Cryptography was also reviewed in the May 1994 issue of Dr. Dobbs Journal. It is a three-page review, so I won't reprint it all. However, here are some choice excerpts: "It is the definitive work on cryptography for computer programmers.... Although Applied Cryptography describes itself as a reference book, it also serves as a wall-to-wall tutorial on cryptography.... Applied Cryptography represents a monumental body of knowledge, particularly to the programmer. I do not know of another work that encapsulates as much information about cryptography and then supplies the computer code to implement the algorithms that it describes. Even a programmer who is only mildly interested in cryptography will find this book fascinating.... No matter how you use the book, though, Applied Cryptography is an interesting and comprehensive explanation of an enigmatic subject, and well worth the time you will spend with it."
From the Mar/Apr 1994 issue of The Cryptogram (the journal of the American Cryptogram Association):
"A comprehensive review of the latest developments in practical cryptographic techniques.... It is an encyclopedic work with more than 900 references...." And from the National Computer Security Association News, Nov/Dec 93: "[A] complete guide to using cryptography to maintain data security...." And finally, from Computer Literacy Bookshops' New Book Bulletin, Spring 1994: "Unquestionably the most modern, popular and up-to-date cryptographic reference.... Highly recommended." My publisher expects to sell out of the second printing sometime in June. Bruce