Читать книгу Information Security - Mark Stamp - Страница 10
Preface
ОглавлениеPlease sir or madam won't you read my book?
It took me years to write, won't you take a look?
— Lennon and McCartney
I hate black boxes. My primary goal in writing this book was to illuminate some of those black boxes that are popular in information security books today. On the other hand, I don't want to bore you to death with trivial details—if that's what you want, your can read RFCs. As a result, I'll often ignore details that I deem irrelevant to the point that I'm trying to make. You can judge whether I've struck the proper balance between these two competing goals.
I've strived to keep the presentation moving along so as to cover a broad selection of topics. My objective is to cover each item in just enough detail so that you can appreciate the security issue, while not getting too bogged down in details. I've also attempted to regularly emphasize and reiterate the main points so that crucial information doesn't slip by below the radar screen.
Another goal is to present the topic in a reasonably lively and interesting way. If any computing subject should be exciting and fun, it's information security. Security is happening now, and it's in the news—it's clearly alive and kicking.
I've also tried to inject a little humor. They say that humor is derived from pain, and judging by the quality of the jokes, I'd say that I've definitely led a charmed life. In any case, most of the bad jokes are in footnotes so they shouldn't be too distracting.
Some security textbooks offer a large dollop of dry theory. Reading one of those books is about as exciting as reading a calculus textbook. Other books offer a seemingly random collection of apparently unrelated facts, giving the impression that security is not really a coherent subject at all. Then there are books that present the topic as a bunch of high‐level managerial platitudes. Finally, some texts focus on the human factors in security. While all of these approaches have their place, my bias is that, first and foremost, a security engineer must have a solid understanding of the inherent strengths and weaknesses of the underlying technology.
Information security is a huge topic, and unlike more established fields, it's not entirely clear what material should be included in a book like this, or how best to organize it. I've chosen to organize this book around four major themes:
Cryptography
Access Control
Network Security
Software
In my usage, these themes are fairly elastic. For example, under the heading of access control I've included the traditional topics of authentication and authorization, along with such nontraditional topics as CAPTCHAs. The software theme is particularly flexible, and includes such diverse topics as software development, malware, and reverse engineering.
Although this book is focused on practical issues, I've tried to cover enough of the fundamental principles so that you will be prepared for further study in the field. In addition, I've strived to minimize the background requirements as much as possible. In particular, the mathematical formalism has been kept to a bare minimum (the Appendix contains a review of a few essential math topics). Despite this self‐imposed limitation, I believe this book contains more substantive cryptography than most security books out there. The required computer science background is also minimal—an introductory computer organization course (or comparable experience) is more than sufficient. Some programming experience is assumed and a rudimentary knowledge of assembly language would be helpful in a couple of sections, but is not mandatory. Networking basics are covered, so no previous knowledge or experience in that area is assumed.
If you are an information technology professional who's trying to learn more about security, I would suggest that you read the entire book. Most topics are interrelated, and skipping the few that are not would not save much time anyway. Even if are an expert in a particular area, it is worth at least skimming my presentation, as terminology is often used inconsistently in this field, and this book might provide a different perspective than you have seen elsewhere.
If you are teaching a security class, this book might contain slightly more material than can comfortably be covered in a one‐semester course. The schedule that I generally follow in my undergraduate security class appears in Table 1.
Security is not a spectator sport—solving a large number of the homework problems is an essential aspect of learning the material in this book. Many topics are fleshed out in the problems and additional topics are sometimes introduced. The bottom line is that the more problems you solve, the more you'll learn.
Table 1 Suggested syllabus
| Chapter | Hours | Suggested coverage |
|---|---|---|
| 1. Introduction | 1 | All |
| 2. Classic Cryptography | 3 | All |
| 3. Symmetric Key Crypto | 4 | All |
| 4. Public Key Crypto | 4 | All |
| 5. Hash Functions++ | 4 | Omit attack details |
| in Section 5.7 | ||
| 6. Authentication | 4 | All |
| 7. Authorization | 2 | All |
| 8. Networking Basics | 3 | Omit Section 8.5 |
| 9. Authentication Protocols | 4 | Omit Section 9.4 |
| 10. Real‐World Protocols | 4 | Omit either WEP or GSM |
| 11. Software Flaws and Malware | 4 | All |
| 12. Insecurity in Software | 3 | All |
| Total | 40 |
A security course based on this book is an ideal venue for individual or group projects. The textbook website includes a section on cryptanalysis, which is one possible source for crypto projects. In addition, many homework problems lend themselves well to class discussions or in‐class assignments; see, for example, Problem 16 in Chapter 10 or Problem 17 in Chapter 11.
The textbook website is at
http://www.cs.sjsu.edu/∼stamp/infosec/
where you'll find PowerPoint slides, all of the files mentioned in the homework problems, errata, and many other goodies. If I were teaching this class for the first time, I would particularly appreciate the PowerPoint slides, which have been thoroughly “battle tested” and improved over many iterations. In addition, a solutions manual is available to instructors (sorry, students) directly from your sentinel‐like author.
How does the math found in the Appendix fit in? Elementary modular arithmetic arises in a few sections of Chapters 3 and 5, while the number theory results are needed in Chapter 4 and Section 9.5 of Chapter 9. I've found that the vast majority of my students need to brush up on modular arithmetic basics. It only takes about 20 to 30 minutes of class time to cover the material on modular arithmetic and that will be time well spent prior to diving into public key cryptography. Trust me.
Permutations, which are briefly discussed in the Appendix, are most prominent in Chapter 3. The material in the Appendix on discrete probability is needed in the password cracking section of Chapter 6, for example.
Just as any large and complex software project must have bugs, it is a metaphysical certitude that this book has errors. I would like to hear about any errors—large or small—that you find. I will strive to maintain an up‐to‐date errata list on the textbook website. Also, don't hesitate to provide any suggestions you might have for a future edition of this book.
What's New for the Third Edition?
Several sections of the book have been reorganized and expanded, while other sections (and two entire chapters) have been removed. The major section on Network Security covers a broader range of topics, including an introduction to networking, which makes a course based on this book more self‐contained. Based on feedback from people who have used the book, there are additional examples in the crypto chapters, while the protocol chapters have been modified and expanded. The first and second edition included a chapter on modern cryptanalysis, which has been removed from this edition, but is still available on the textbook website—as are other topics that were deleted.
All figures have been reworked, making them clearer and (hopefully) better. And, of course, all known errors from the second edition have been fixed. The homework problems have been extensively modified throughout.
Information security is an evolving field and there have been some significant changes since this book was originally published in 2005. Nevertheless, the basic structure of that first edition remains essentially intact. I believe the organization and list of topics has held up well over the years. Consequently, for this third edition, the changes to the structure of the book are more evolutionary than revolutionary.
A Note on Typesetting
Cats right themselves; books don't.
— John Aycock
Having typeset many kilo‐pages using Donald Knuth's amazing TE X system and it's numerous add‐ons, your obsessive author decided to typeset this book in “pure” TeX. Specifically, the text is typeset using LaTeX, while the graphics are all generated using PGF and TikZ which, in turn, are written in METAPOST, which is itself based on Knuth's METAFONT. Did you follow all of that? Regardless, the point is that everything in this book is generated directly (more or less) from TeX. Yes, that includes images of fingerprints, pictures from Alice in Wonderland, a visual crypto generator (written entirely in TikZ, no less), and, literally, everything else. Why your eccentric author chose to do this is a mystery for the ages.
Mark Stamp
Los Gatos, California
June 2021
