Information Security

Principles and Practice
3rd edition

by: Mark Stamp

CHF 143.00

Publisher: Wiley
Format: EPUB
Published: 15.09.2021
ISBN/EAN: 9781119505884
Language: English
Pages: 448

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

<p><b>Provides systematic guidance on meeting the information security challenges of the 21<sup>st</sup> century, featuring newly revised material throughout</b></p> <p><i>Information Security: Principles and Practice</i> is the must-have book for students, instructors, and early-stage professionals alike. Author Mark Stamp provides clear, accessible, and accurate information on the four critical components of information security: cryptography, access control, network security, and software. Readers are provided with a wealth of real-world examples that clarify complex topics, highlight important security issues, and demonstrate effective methods and strategies for protecting the confidentiality and integrity of data.</p> <p>Fully revised and updated, the third edition of <i>Information Security</i> features a brand-new chapter on network security basics and expanded coverage of cross-site scripting (XSS) attacks, Stuxnet and other malware, the SSH protocol, secure software development, and security protocols. Fresh examples illustrate the Rivest-Shamir-Adleman (RSA) cryptosystem, elliptic-curve cryptography (ECC), SHA-3, and hash function applications including bitcoin and blockchains. Updated problem sets, figures, tables, and graphs help readers develop a working knowledge of classic cryptosystems, modern symmetric and public key cryptography, cryptanalysis, simple authentication protocols, intrusion and malware detection systems, quantum computing, and more. Presenting a highly practical approach to information security, this popular textbook:</p> <ul> <li>Provides up-to-date coverage of the rapidly evolving field of information security</li> <li>Explains session keys, perfect forward secrecy, and timestamps, and analyzes the SSH, SSL, IPsec, Kerberos, WEP, and GSM protocols</li> <li>Addresses access control techniques including authentication and authorization, ACLs and capabilities, and multilevel security and compartments</li> <li>Discusses software security issues, ranging from malware detection to secure software development</li> <li>Includes an instructor's solution manual, PowerPoint slides, lecture videos, and additional teaching resources</li> </ul> <p><i>Information Security: Principles and Practice, Third Edition</i> is the perfect textbook for advanced undergraduate and graduate students in all Computer Science programs, and remains essential reading for professionals working in industrial or government security.<br /><br />To request supplementary materials, please contact <a href="mailto:mark.stamp@sjsu.edu">mark.stamp@sjsu.edu</a> and visit the author-maintained website for more: <a href="https://www.cs.sjsu.edu/~stamp/infosec/">https://www.cs.sjsu.edu/~stamp/infosec/</a>.</p>
<p>Contents</p>
<p>Preface xv</p>
<p>About The Author xix</p>
<p>Acknowledgments xxi</p>
<p>1 Introduction 1</p>
<p>1.1 The Cast of Characters 1</p>
<p>1.2 Alice's Online Bank 2</p>
<p>1.2.1 Confidentiality, Integrity, and Availability 2</p>
<p>1.2.2 Beyond CIA 2</p>
<p>1.3 About This Book 4</p>
<p>1.3.1 Cryptography 4</p>
<p>1.3.2 Access Control 5</p>
<p>1.3.3 Network Security 6</p>
<p>1.3.4 Software 6</p>
<p>1.4 The People Problem 7</p>
<p>1.5 Principles and Practice 7</p>
<p>1.6 Problems 8</p>
<p>I Crypto 13</p>
<p>2 Classic Cryptography 15</p>
<p>2.1 Introduction 15</p>
<p>2.2 How to Speak Crypto 15</p>
<p>2.3 Classic Crypto 17</p>
<p>2.3.1 Simple Substitution Cipher 18</p>
<p>2.3.2 Cryptanalysis of a Simple Substitution 20</p>
<p>2.3.3 Definition of Secure 21</p>
<p>2.3.4 Double Transposition Cipher 22</p>
<p>2.3.5 One-Time Pad 23</p>
<p>2.3.6 Codebook Cipher 27</p>
<p>2.4 Classic Crypto in History 28</p>
<p>2.4.1 Ciphers of the Election of 1876 28</p>
<p>2.4.2 Zimmermann Telegram 30</p>
<p>2.4.3 Project VENONA 32</p>
<p>2.5 Modern Crypto History 33</p>
<p>2.6 A Taxonomy of Cryptography 36</p>
<p>2.7 A Taxonomy of Cryptanalysis 37</p>
<p>2.8 Summary 39</p>
<p>2.9 Problems 39</p>
<p>3 Symmetric Ciphers 45</p>
<p>3.1 Introduction 45</p>
<p>3.2 Stream Ciphers 46</p>
<p>3.2.1 A5/1 47</p>
<p>3.2.2 RC4 49</p>
<p>3.3 Block Ciphers 51</p>
<p>3.3.1 Feistel Cipher 51</p>
<p>3.3.2 DES 52</p>
<p>3.3.3 Triple DES 57</p>
<p>3.3.4 AES 59</p>
<p>3.3.5 TEA 62</p>
<p>3.3.6 Block Cipher Modes 64</p>
<p>3.4 Integrity 68</p>
<p>3.5 Quantum Computers and Symmetric Crypto 70</p>
<p>3.6 Summary 72</p>
<p>3.7 Problems 72</p>
<p>4 Public Key Crypto 79</p>
<p>4.1 Introduction 79</p>
<p>4.2 Knapsack 82</p>
<p>4.3 RSA 85</p>
<p>4.3.1 Textbook RSA Example 87</p>
<p>4.3.2 Repeated Squaring 88</p>
<p>4.3.3 Speeding Up RSA 90</p>
<p>4.4 Diffie-Hellman 91</p>
<p>4.5 Elliptic Curve Cryptography 93</p>
<p>4.5.1 Elliptic Curve Math 93</p>
<p>4.5.2 ECC Diffie-Hellman 95</p>
<p>4.5.3 Realistic Elliptic Curve Example 96</p>
<p>4.6 Public Key Notation 97</p>
<p>4.7 Uses for Public Key Crypto 98</p>
<p>4.7.1 Confidentiality in the Real World 98</p>
<p>4.7.2 Signatures and Non-repudiation 99</p>
<p>4.7.3 Confidentiality and Non-repudiation 99</p>
<p>4.8 Certificates and PKI 102</p>
<p>4.9 Quantum Computers and Public Key 104</p>
<p>4.10 Summary 106</p>
<p>4.11 Problems 106</p>
<p>5 Crypto Hash Functions++ 115</p>
<p>5.1 Introduction 115</p>
<p>5.2 What is a Cryptographic Hash Function? 116</p>
<p>5.3 The Birthday Problem 117</p>
<p>5.4 A Birthday Attack 119</p>
<p>5.5 Non-Cryptographic Hashes 120</p>
<p>5.6 SHA-3 121</p>
<p>5.7 HMAC 124</p>
<p>5.8 Cryptographic Hash Applications 126</p>
<p>5.8.1 Online Bids 126</p>
<p>5.8.2 Blockchain 127</p>
<p>5.9 Miscellaneous Crypto-Related Topics 136</p>
<p>5.9.1 Secret Sharing 136</p>
<p>5.9.2 Random Numbers 140</p>
<p>5.9.3 Information Hiding 143</p>
<p>5.10 Summary 147</p>
<p>5.11 Problems 147</p>
<p>II Access Control 159</p>
<p>6 Authentication 161</p>
<p>6.1 Introduction 161</p>
<p>6.2 Authentication Methods 162</p>
<p>6.3 Passwords 163</p>
<p>6.3.1 Keys Versus Passwords 164</p>
<p>6.3.2 Choosing Passwords 164</p>
<p>6.3.3 Attacking Systems via Passwords 166</p>
<p>6.3.4 Password Verification 167</p>
<p>6.3.5 Math of Password Cracking 168</p>
<p>6.3.6 Other Password Issues 173</p>
<p>6.4 Biometrics 174</p>
<p>6.4.1 Types of Errors 176</p>
<p>6.4.2 Biometric Examples 176</p>
<p>6.4.3 Biometric Error Rates 181</p>
<p>6.4.4 Biometric Conclusions 182</p>
<p>6.5 Something You Have 182</p>
<p>6.6 Two-Factor Authentication 183</p>
<p>6.7 Single Sign-On and Web Cookies 183</p>
<p>6.8 Summary 184</p>
<p>6.9 Problems 185</p>
<p>7 Authorization 195</p>
<p>7.1 Introduction 195</p>
<p>7.2 A Brief History of Authorization 196</p>
<p>7.2.1 The Orange Book 196</p>
<p>7.2.2 The Common Criteria 199</p>
<p>7.3 Access Control Matrix 200</p>
<p>7.3.1 ACLs and Capabilities 201</p>
<p>7.3.2 Confused Deputy 202</p>
<p>7.4 Multilevel Security Models 204</p>
<p>7.4.1 Bell-LaPadula 206</p>
<p>7.4.2 Biba's Model 207</p>
<p>7.4.3 Compartments 208</p>
<p>7.5 Covert Channels 210</p>
<p>7.6 Inference Control 212</p>
<p>7.7 CAPTCHA 214</p>
<p>7.8 Summary 216</p>
<p>7.9 Problems 216</p>
<p>III Topics in Network Security 221</p>
<p>8 Network Security Basics 223</p>
<p>8.1 Introduction 223</p>
<p>8.2 Networking Basics 223</p>
<p>8.2.1 The Protocol Stack 225</p>
<p>8.2.2 Application Layer 226</p>
<p>8.2.3 Transport Layer 228</p>
<p>8.2.4 Network Layer 231</p>
<p>8.2.5 Link Layer 233</p>
<p>8.3 Cross-Site Scripting Attacks 235</p>
<p>8.4 Firewalls 236</p>
<p>8.4.1 Packet Filter 238</p>
<p>8.4.2 Stateful Packet Filter 240</p>
<p>8.4.3 Application Proxy 240</p>
<p>8.4.4 Defense in Depth 242</p>
<p>8.5 Intrusion Detection Systems 243</p>
<p>8.5.1 Signature-Based IDS 245</p>
<p>8.5.2 Anomaly-Based IDS 246</p>
<p>8.6 Summary 250</p>
<p>8.7 Problems 250</p>
<p>9 Simple Authentication Protocols 257</p>
<p>9.1 Introduction 257</p>
<p>9.2 Simple Security Protocols 259</p>
<p>9.3 Authentication Protocols 261</p>
<p>9.3.1 Authentication Using Symmetric Keys 264</p>
<p>9.3.2 Authentication Using Public Keys 267</p>
<p>9.3.3 Session Keys 268</p>
<p>9.3.4 Perfect Forward Secrecy 270</p>
<p>9.3.5 Mutual Authentication, Session Key, and PFS 273</p>
<p>9.3.6 Timestamps 273</p>
<p>9.4 "Authentication" and TCP 275</p>
<p>9.5 Zero Knowledge Proofs 278</p>
<p>9.6 Tips for Analyzing Protocols 282</p>
<p>9.7 Summary 284</p>
<p>9.8 Problems 284</p>
<p>10 Real-World Security Protocols 293</p>
<p>10.1 Introduction 293</p>
<p>10.2 SSH 294</p>
<p>10.2.1 SSH and the Man-in-the-Middle 295</p>
<p>10.3 SSL 296</p>
<p>10.3.1 SSL and the Man-in-the-Middle 299</p>
<p>10.3.2 SSL Connections 300</p>
<p>10.3.3 SSL Versus IPsec 300</p>
<p>10.4 IPsec 301</p>
<p>10.4.1 IKE Phase 1 302</p>
<p>10.4.2 IKE Phase 2 309</p>
<p>10.4.3 IPsec and IP Datagrams 310</p>
<p>10.4.4 Transport and Tunnel Modes 311</p>
<p>10.4.5 ESP and AH 313</p>
<p>10.5 Kerberos 314</p>
<p>10.5.1 Kerberized Login 316</p>
<p>10.5.2 Kerberos Ticket 316</p>
<p>10.5.3 Security of Kerberos 318</p>
<p>10.6 WEP 319</p>
<p>10.6.1 WEP Authentication 319</p>
<p>10.6.2 WEP Encryption 320</p>
<p>10.6.3 WEP Non-Integrity 320</p>
<p>10.6.4 Other WEP Issues 321</p>
<p>10.6.5 WEP: The Bottom Line 322</p>
<p>10.7 GSM 322</p>
<p>10.7.1 GSM Architecture 323</p>
<p>10.7.2 GSM Security Architecture 324</p>
<p>10.7.3 GSM Authentication Protocol 326</p>
<p>10.7.4 GSM Security Flaws 327</p>
<p>10.7.5 GSM Conclusions 329</p>
<p>10.7.6 3GPP 330</p>
<p>10.8 Summary 330</p>
<p>10.9 Problems 331</p>
<p>IV Software 339</p>
<p>11 Software Flaws and Malware 341</p>
<p>11.1 Introduction 341</p>
<p>11.2 Software Flaws 341</p>
<p>11.2.1 Buffer Overflow 345</p>
<p>11.2.2 Incomplete Mediation 356</p>
<p>11.2.3 Race Conditions 356</p>
<p>11.3 Malware 358</p>
<p>11.3.1 Malware Examples 359</p>
<p>11.3.2 Malware Detection 365</p>
<p>11.3.3 The Future of Malware 367</p>
<p>11.3.4 The Future of Malware Detection 369</p>
<p>11.4 Miscellaneous Software-Based Attacks 369</p>
<p>11.4.1 Salami Attacks 369</p>
<p>11.4.2 Linearization Attacks 370</p>
<p>11.4.3 Time Bombs 371</p>
<p>11.4.4 Trusting Software 372</p>
<p>11.5 Summary 373</p>
<p>11.6 Problems 373</p>
<p>12 Insecurity in Software 381</p>
<p>12.1 Introduction 381</p>
<p>12.2 Software Reverse Engineering 382</p>
<p>12.2.1 Reversing Java Bytecode 384</p>
<p>12.2.2 SRE Example 385</p>
<p>12.2.3 Anti-Disassembly Techniques 390</p>
<p>12.2.4 Anti-Debugging Techniques 391</p>
<p>12.2.5 Software Tamper Resistance 392</p>
<p>12.3 Software Development 393</p>
<p>12.3.1 Flaws and Testing 395</p>
<p>12.3.2 Secure Software Development? 396</p>
<p>12.4 Summary 396</p>
<p>12.5 Problems 397</p>
<p>Appendix 403</p>
<p>A-1 Modular Arithmetic 403</p>
<p>A-2 Permutations 405</p>
<p>A-3 Probability 406</p>
<p>A-4 DES Permutations 406</p>
<p>Index 418</p>
<p><b>Mark Stamp, PhD,</b> has more than 25 years of experience in the field of information security. He has worked in industry, in academia as Professor of Computer Science, and in government as a cryptologic scientist for the National Security Agency. He has written dozens of academic papers, numerous journal articles, and two books on the topic of information security.</p>

You might also be interested in these products:

Computational Intelligence
by: Diego Andina, Duc Truong Pham
PDF ebook
CHF 118.00

Advances in Modeling Agricultural Systems
by: Petraq Papajorgji, Panos M. Pardalos
PDF ebook
CHF 177.00

From Combinatorics to Philosophy
by: Ernesto Damiani, Ottavio D'Antona, Vincenzo Marra, Fabrizio Palombi
PDF ebook
CHF 177.00