Internet Cryptography, by Richard E. Smith, ISBN 0-201-92480-3, Addison-Wesley, 1998.

[Originally published in Cisco's The Internet Protocol Journal, March, 1999.]

The 1990s might easily be known as the decade of the Internet. The Internet came into the mainstream during this decade, a global frontier with frontier problems and rules. Seemingly overnight, everyone from government agencies to Chinese restaurants had a Web presence. Young children exchanged e-mail with their grandparents and friends, a big change from just a few years ago when it was the domain of technologies and a place where everybody knew your name.

The 1990s could also be known as the decade when cryptography became mainstream. Perhaps because of the change in the Internet community, people became more aware of the need to protect the privacy of internetwork communications. Certainly, the U.S. government's attempt to push government control of cryptographic keys in the Clipper controversy helped to move cryptography and its related issues from science journals to the front pages of our newspapers. Today, while not main-stream, terms such as Virtual Private Networks (VPNs), Secure Sockets Layer (SSL), IP Security (IPSec), Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), and related technologies are known among IT professionals, and cryptography is no longer a tool used only by spies and military communication officers.

The Author

Richard E. Smith is well known to members of various security-related forums on the Internet, as well as to security conference attendees. A security consultant with Secure Computing Corporation, Smith's background is in military-grade security. His experience on the lecture circuit, explaining issues of firewalls, cryptography, and other computer and network security topics, has directly contributed to production of a book on a lofty subject that is reachable by the nonscientist.

Organization

The chapters of this book fall into three groupings: an introduction to the basics of cryptography, its terms, methods, and mechanisms; network encryption and a discussion of VPNs, focusing on IPSec; and finally public key cryptography as it is used with message and file encryption and "Web" transactions.

The discussion in the opening chapter on basics may scare some off; Smith tends to oscillate between various levels of complexity. Consequently, some members of the intended audience of (quoting from the Preface) "people who know very little about cryptography but need to make technical decisions about cryptographic security," may, for example, zone out during the discussion of IP protocols. My suggestion would be to press on, and not worry about the random item that might go over your head. Everything there has a purpose, and the important information will fall into place by the end of each chapter.

If this book ended with Chapter 4, it would still be a useful book. The complex basics of cryptography and the issues that should be of concern to an information security officer are clearly presented and explained. The only area that is given less than adequate coverage is that of key recovery. Smith makes no mention of legitimate business reasons for the recovery of encrypted data if the originator is unavailable (the proverbial question, "What if you got hit by a truck?"), nor does he mention any mechanism other than the escrow of secret keys, although there are other, safer, methods. Of particular use are Smith's explanations of the various cryptographic algorithms and his discussions of safe key lengths and risks.

In the sections on VPNs and IPSec, Smith covers everything from mobile users and remote access, to point-to-point encryption, and the issues of key distribution, exchange, and the mechanisms used to automate encrypted communication. Everyone seems to know that IPSec will save the world and is the answer to all our security problems (and I have my tongue firmly planted in my cheek), but few know what IPSec really does, from a "features and benefits" point of view. Of particular use and interest are the sections labeled "Deployment Example." These small case studies show the technology in action and discuss some of the decisions and processes that came before deployment.

The section covering public key cryptography along with file and message encryption is perhaps shorter than it should be, although much of the groundwork is done earlier in the book. Missing is a "how to" on setting up a public key infrastructure (PKI) for a corporation to use. There are "Product Examples" in this section, but not "Deployment Examples." Perhaps those will have to wait for a second edition, for although this is a lack in the book, there are not many real-life examples from which to choose. Although discussed in theory for years, this is still "leading edge" in the real world. The chapter on Web servers should prove informative and useful to any organization thinking of deploying (or having already deployed) a Web server.

In the chapter entitled "Secure Electronic Mail," the fact that Smith covers Privacy Enhanced Mail (PEM) as a technology more than he covers S/MIME is puzzling, but the basics of PEM are useful for discussion, even if PEM as a technology seems to be dead.

Cryptography Is Necessary

The advertisement on the back of the book (not written by the author, of course) states "Here, in one comprehensive, soup-to-nuts book, is the solution for Internet security: modern-day cryptography." Obviously the claim that cryptography is the solution for Internet security is way over-inflated; modern-day cryptography is not the solution, but, cryptography is an important part of a "balanced" security solution. Smith does an admirable job of making this heretofore…well, cryptic… subject, understandable, interesting, and even enjoyable.