REVIEW: "Modern Cryptography: Theory and Practice", Wenbo Mao

From: Rob Slade, doting grandpa of Ryan and Trevor (rslade_at_sprint.ca)
Date: 01/31/05 

Date: Mon, 31 Jan 2005 15:43:05 GMT

BKMDNCRP.RVW 20041207

"Modern Cryptography: Theory and Practice", Wenbo Mao, 2004,
0-13-066943-1, U$54.99/C$82.99
%A Wenbo Mao
%C One Lake St., Upper Saddle River, NJ 07458
%D 2004
%G 0-13-066943-1
%I Prentice Hall
%O U$54.99/C$82.99 +1-201-236-7139 fax: +1-201-236-7131
%O http://www.amazon.com/exec/obidos/ASIN/0130669431/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0130669431/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0130669431/robsladesin03-20
%O tl s rl 1 tc 3 ta 3 tv 0 wq 1
%P 707 p.
%T "Modern Cryptography: Theory and Practice"

A "Short Description of the Book" states that it is intended to
address the issue of whether various crypto algorithms are
"practical," as opposed to just theoretically strong. This seems odd,
since no algorithm is ready for implementation as such: it must be
made part of a full system, and most problems with cryptography come
in the implementation. The preface doesn't make things much clearer:
it reiterates a "fit-for-application" mantra, but doesn't say clearly,
at any point, why existing algorithms are not appropriate for use.
The preface also suggests that this book is for advanced study in
cryptography, although it states that security engineers and
administrators, with special responsibility for developing or
implementing cryptography, are also in the target audience.

Part one is an introduction, consisting of two chapters. Chapter one
outlines the idea of the first "protocol" of the book: a "fair coin
toss" over the telephone, grounding the book firmly in the camp of
cryptography for the purpose of secure communications. The remainder
of the chapter points out all the requirements to make such an
unbiased selector work, acting as a kind of sales pitch or "come on"
to make you want to read the rest of the book. The promotion is
slightly flawed by the fact that there is very little practical detail
in the material (it takes a lot of work on the part of the reader to
figure out that, yes, this system might work), excessive verbiage, and
poor explanations. The stated "objectives" of the chapter, given at
the end, say that you should have a "fundamental understanding of
cryptography": this is true only in the most limited sense. Chapter
two slowly builds a kind of pseudo-Kerberos system.

Part two covers mathematical foundations. Chapter three deals with
probability and information theory, four with Turing Machines and the
notion of computational complexity, five with the algebraic
foundations behind the use of prime numbers and elliptic curves for
cryptography, and various number theory topics are touched on in
chapter six.

Part three addresses basic cryptographic techniques. Chapter seven
deals with basic symmetric encryption techniques, touching on
substitution and transposition, as well as reviewing the operations of
DES (Data Encryption Standard) and AES (Advanced Encryption Standard).
The insistence on converting all operations, and giving all
explanations, in symbolic logic does not seem to have any utility,
does not provide any clarity, and makes the material much more
difficult than it could be. Asymmetric techniques, and attacks
against them, are outlined in chapter eight. Finding individual bits
of the message, a process examined in chapter nine, can, over time,
result in an attack on the message or key as a whole. Chapter ten
looks at data integrity, hashes, and digital signatures.

Part four deals with authentication. Chapter eleven reviews various
conceptual protocols, pointing out (for example) that there is a
serious problem of key storage for challenge/response systems. A
variety of real applications are considered in chapter twelve, and
warnings issued about each. Issues of authentication specific to
asymmetric systems are covered in chapter thirteen.

Part five looks at formal approaches to the establishment of security.
There is more asymmetric cryptographic theory in chapter fourteen.
Chapter fifteen examines a number of provably secure asymmetric
cryptosystems, while sixteen does the same for digital signatures.
Formal methods of authentication protocol analysis are given in
chapter seventeen.

Part six discusses abstract cryptographic protocols. Chapter eighteen
reviews a number of zero knowledge protocols, which provide the basis
for authentication where the principals are not previously known to
each other. The coin flipping protocol, initiated in chapter one, is
revisited in chapter nineteen. Chapter twenty wraps up with a summary
of the author's intentions for the book.

The book is certainly for advanced study, but it is hardly suitable
for security administrators, professionals, or even engineers. The
mathematical material is quite demanding, and is seldom explained (as
opposed to the clear explanations of the implications of the math that
is given in, for example, "Applied Cryptography" [cf. BKAPCRYP.RVW],
or even the equally advanced but much more comprehensible "Algebraic
Aspects of Cryptography" [cf. BKALASCR.RVW]). However, there are
points in the material that could be useful for practical
cryptographic systems, provided one is dealing primarily with
authentication of communications, and the possibility of physical
access is ignored. The text would have been much more useful if the
author could have been induced to provide some of the basic
explanations in English, rather than leaving the reader to work out
the math.

copyright Robert M. Slade, 2004 BKMDNCRP.RVW 20041207 

-- 
====================== 
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
      or mirror http://sun.soci.niu.edu/~rslade/
CISSP refs:     [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Book reviews:   [Base URL]mnbk.htm
Review mailing list: send mail to techbooks-subscribe@egroups.com
                       or techbooks-subscribe@topica.com

Relevant Pages

  • REVIEW: "Modern Cryptography: Theory and Practice", Wenbo Mao
    ... "Modern Cryptography: Theory and Practice", Wenbo Mao, 2004, ... outlines the idea of the first "protocol" of the book: ... Part four deals with authentication. ...
    (comp.security.misc)
  • Re: Heuristics for number theory?
    ... |"Cryptography: Theory and Practice" by doug stinson. ... |very beautiful area of mathematics, ... they were just in it for the applications, ...
    (sci.math)
  • Re: Steganography - Encryption challenge
    ... The biggest problem with the world of cryptography is hardly that there ... are too many who know the theory but not how to practice it. ... You won't necessarily know when someone reads your encrypted data, ... Trusting a system because it isn't broken might be a sound idea if you ...
    (borland.public.delphi.non-technical)
  • Re: unprovability of the security of computational cryptography
    ... J. Bernstein wrote: ... > there is no reason to believe that it would have any effect on the ... > practice of cryptography. ...
    (sci.crypt)
  • Re: RSACryptoServiceProvider minimum key-length
    ... I'd suggest pushing back on the spec or looking for different ... cryptography, but consider him/her self capable of writting crypto/ ... As I understand - all they wanted is to have a short authentication ... I'm not even sure that they needed signature as authentication ...
    (microsoft.public.dotnet.security)