Ben's Book of the Month: Review of "Security without Obscurity: A Guide to Cryptographic Architectures"

Posted on by Ben Rothke

It’s been a little over four years since author J.J. Stapleton wrote the second in his Security without Obscurity series in A Guide to Confidentiality, Authentication and Integrity (Auerbach Publications 978-1466592148).

In the just-released third volume of the series, Security without Obscurity: A Guide to Cryptographic Architectures (Auerbach Publications 978-0815396413), Stapleton has again written a pragmatic information security guide. In this brief guide, he deals with one of the most overlooked, albeit critical, components of an information security system: the cryptographic systems themselves. It’s one thing to implement strong crypto. It’s quite another thing to implement it correctly. And that is the problem that the book addresses.

When it comes to effective cryptography, the solutions can often be bulletproof. Be it algorithms such as the Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA) or similar public systems, current attack capabilities render them relatively safe. The results from an attack on AES may not be seen for billions of years. For those that can’t wait that long, rather than attacking the algorithms directly, attackers will focus their efforts on how these algorithms are often incorrectly implemented, or vulnerabilities within the human element using these algorithms.

When it comes to cryptography and cryptographic solutions, in addition to the manner in which these technologies are deployed, the devil is always in the details. In the book, Stapleton details how to validate the cryptographic architectures in which these solutions are deployed, and how to ensure they can truly protect an organization.

After a brief introduction to some basic cryptographic topics, the book goes through a whole slew of topics and shows how each is to be correctly implemented. From digital certificates to authentication and encryption protocols and more, there are plenty of details that must be correctly designed and executed if there’s any expectation for the underlying cryptography to work as designed.

The challenge of cryptography is that it can often be deceptively easy to install. But that ease of use, often when it’s done quickly and not in line with the manufacturer’s instructions, results in good crypto gone bad that only offers the illusion of security. Stapleton has decades of real-world crypto experience and brings that to the book. Using the advice in the book can ensure those expensive crypto devices you procure do more than just look impressive on a data center rack.

This book is written for a serious student of cryptography. For those looking to use and deploy cryptographic solutions so they can actually protect the organization, Security without Obscurity: A Guide to Cryptographic Architectures will be a most welcome guide.

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
