IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled



BKNTSCCR.RVW 20030906

".NET Security and Cryptography", Peter Thorsteinson/G. Gnana Arun Ganesh, 2004, 0-13-100851-X, U$49.99/C$75.99
%A Peter Thorsteinson
%A G. Gnana Arun Ganesh
%C One Lake St., Upper Saddle River, NJ 07458
%D 2004
%G 0-13-100851-X
%I Prentice Hall
%O U$49.99/C$75.99 +1-201-236-7139 fax: +1-201-236-7131
%O http://www.amazon.com/exec/obidos/ASIN/013100851X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/013100851X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/013100851X/robsladesin03-20
%P 466 p.
%T ".NET Security and Cryptography"

For an ancient linear/procedural dinosaur like myself, it is interesting to see the difference between the prehistoric API (Application Programming Interface) library documentation and the descriptions of the new object-oriented classes. Older books were full of icky things such as usage syntax and required parameters. While this work does contain some sample code, generally with comments that merely repeat what is obvious from the name of the method, most of the material simply consists of mentioning that the methods and classes exist. I can only wonder at the marvels of the new age of programming, where everything is so "intuitive" that correct coding is automatic and inevitable.

Chapter one states that this book is intended for programmers who are interested in the security and cryptographic aspects of .NET, and is otherwise a meandering overview of security, with many gaps. The material on the fundamentals of cryptography that we are given in chapter two consists of a lot of (very old) history and sample code for some simplistic (and outdated) ciphers, but has little content on the basics of modern cryptography. Most of the text on symmetric cryptography, in chapter three, incorporates a listing of .NET cryptographic classes and methods in paragraph form. The modes of DES (the Data Encryption Standard) are described, but with confusing figures, and an odd perspective on the stream modes that seems to imply that the modes are only for small pieces of data. Chapter four, on asymmetric cryptography, has flip explanations of the theory, but an interesting example using the RSA algorithm, rather than the more usual Diffie-Hellman. This illustration would be handy for instructors teaching about the subject, but non-specialist readers of the book may find it confusing, and less than compelling. Hybrid symmetric/asymmetric systems are interpreted very awkwardly. The development of modification checks from hashes to keyed hashes to digital signatures is covered in chapter five, but tersely and poorly. Chapter six, on XML, is basically a listing of XML related methods, including a nine page printout of almost completely uncommented, and entirely unexplained, code. User-based security is apparently a new term for the APIs and classes related to good old access control lists (ACLs), in chapter seven. Code access security, in chapter eight, appears to be a complex expansion of the Authenticode ideas. Chapter nine reprises much of the previous material, emphasizing authentication (which is not properly defined, and confused with identification). Chapter ten relates a great deal of the foregoing to the Web.

Oddly, the text seems to provide ample evidence that the authors actually do know the mathematical underpinnings of cryptography: they just don't write about it very well. The material provides examples found in almost no other books on the subject, such as the RSA illustration on pages 109 to 113, the modular arithmetic foundations of digital signatures on pages 142-3, and the outline of the DSA (Digital Signature Algorithm) on pages 144 to 147. However, you will have to be quite competent in mathematical concepts in order to obtain any value from this material: the explanations in the text are clumsy and do not include sufficient background information to assist non- specialist readers.

While the book is poorly written and most of the content is of little use, there are tidbits that may make it worth having. If you are a crypto teacher.

copyright Robert M. Slade, 2003 BKNTSCCR.RVW 20030906