## REVIEW: Modern Cryptography: Theory and Practice

by Wenbo Mao, 2004, 0-13-066943-1, U$54.99/C$82.99

___________________________________________________________________________________________________________

*A "Short Description of the Book" states that it is intended to
address the issue of whether various crypto algorithms are
"practical," as opposed to just theoretically strong. This seems odd,
since no algorithm is ready for implementation as such: it must be
made part of a full system, and most problems with cryptography come
in the implementation. The preface doesn't make things much clearer:
it reiterates a "fit-for-application" mantra, but doesn't say clearly,
at any point, why existing algorithms are not appropriate for use.
The preface also suggests that this book is for advanced study in
cryptography, although it states that security engineers and
administrators, with special responsibility for developing or
implementing cryptography, are also in the target audience.*

*Part one is an introduction, consisting of two chapters. Chapter one
outlines the idea of the first "protocol" of the book: a "fair coin
toss" over the telephone, grounding the book firmly in the camp of
cryptography for the purpose of secure communications. The remainder
of the chapter points out all the requirements to make such an
unbiased selector work, acting as a kind of sales pitch or "come on"
to make you want to read the rest of the book. The promotion is
slightly flawed by the fact that there is very little practical detail
in the material (it takes a lot of work on the part of the reader to
figure out that, yes, this system might work), excessive verbiage, and
poor explanations. The stated "objectives" of the chapter, given at
the end, say that you should have a "fundamental understanding of
cryptography": this is true only in the most limited sense. Chapter
two slowly builds a kind of pseudo-Kerberos system.*

*Part two covers mathematical foundations. Chapter three deals with
probability and information theory, four with Turing Machines and the
notion of computational complexity, five with the algebraic
foundations behind the use of prime numbers and elliptic curves for
cryptography, and various number theory topics are touched on in
chapter six.*

*Part three addresses basic cryptographic techniques. Chapter seven
deals with basic symmetric encryption techniques, touching on
substitution and transposition, as well as reviewing the operations of
DES (Data Encryption Standard) and AES (Advanced Encryption Standard).
The insistence on converting all operations, and giving all
explanations, in symbolic logic does not seem to have any utility,
does not provide any clarity, and makes the material much more
difficult than it could be. Asymmetric techniques, and attacks
against them, are outlined in chapter eight. Finding individual bits
of the message, a process examined in chapter nine, can, over time,
result in an attack on the message or key as a whole. Chapter ten
looks at data integrity, hashes, and digital signatures.*

*Part four deals with authentication. Chapter eleven reviews various
conceptual protocols, pointing out (for example) that there is a
serious problem of key storage for challenge/response systems. A
variety of real applications are considered in chapter twelve, and
warnings issued about each. Issues of authentication specific to
asymmetric systems are covered in chapter thirteen.*

*Part five looks at formal approaches to the establishment of security.
There is more asymmetric cryptographic theory in chapter fourteen.
Chapter fifteen examines a number of provably secure asymmetric
cryptosystems, while sixteen does the same for digital signatures.
Formal methods of authentication protocol analysis are given in
chapter seventeen.*

*Part six discusses abstract cryptographic protocols. Chapter eighteen
reviews a number of zero knowledge protocols, which provide the basis
for authentication where the principals are not previously known to
each other. The coin flipping protocol, initiated in chapter one, is
revisited in chapter nineteen. Chapter twenty wraps up with a summary
of the author's intentions for the book.*

*The book is certainly for advanced study, but it is hardly suitable
for security administrators, professionals, or even engineers. The
mathematical material is quite demanding, and is seldom explained (as
opposed to the clear explanations of the implications of the math that
is given in, for example, "Applied Cryptography" [cf. BKAPCRYP.RVW],
or even the equally advanced but much more comprehensible "Algebraic
Aspects of Cryptography" [cf. BKALASCR.RVW]). However, there are
points in the material that could be useful for practical
cryptographic systems, provided one is dealing primarily with
authentication of communications, and the possibility of physical
access is ignored. The text would have been much more useful if the
author could have been induced to provide some of the basic
explanations in English, rather than leaving the reader to work out
the math.*

*copyright Robert M. Slade, 2004 *

Read more: http://seclists.org/isn/2005/Feb/5