Preface

In the four years since the sixth edition of this book was published, the field has seen continued innovations and improvements. In this new edition, I try to capture these changes while maintaining a broad and comprehensive coverage of the entire field. To begin this process of revision, the sixth edition of this book was extensively reviewed by a number of professors who teach the subject and by professionals working in the field. The result is that, in many places, the narrative has been clarified and tightened, and illustrations have been improved.
Beyond these refinements to improve pedagogy and user-friendliness, there have been substantive changes throughout the book. Roughly the same chapter organization has been retained, but much of the material has been revised and new material has been added. The most noteworthy changes are as follows:
■■ Fundamental security design principles: Chapter 1 includes a new section discussing the security design principles listed as fundamental by the National Centers of Academic Excellence in Information Assurance/Cyber Defense, which is jointly sponsored by the U.S. National Security Agency and the U.S. Department of Homeland Security.
■■ Attack surfaces and attack trees: Chapter 1 includes a new section describing these two concepts, which are useful in evaluating and classifying security threats.
■■ Number theory coverage: The material on number theory has been consolidated into a single chapter, Chapter 2. This makes for a convenient reference. The relevant portions of Chapter 2 can be assigned as needed.
■■ Finite fields: The chapter on finite fields has been revised and expanded with additional text and new figures to enhance understanding.
■■ Format-preserving encryption: This relatively new mode of encryption is enjoying increasing commercial success. A new section in Chapter 7 covers this method.
■■ Conditioning and health testing for true random number generators: Chapter 8 now provides coverage of these important topics.
■■ User authentication model: Chapter 15 includes a new description of a general model for user authentication, which helps to unify the discussion of the various approaches to user authentication.
■■ Cloud security: The material on cloud security in Chapter 16 has been updated and expanded to reflect its importance and recent developments.
■■ Transport Layer Security (TLS): The treatment of TLS in Chapter 17 has been updated, reorganized to improve clarity, and now includes a discussion of the new TLS version 1.3.
■■ Email Security: Chapter 19 has been completely rewritten to provide a comprehensive and up-to-date discussion of email security. It includes:
—— New: discussion of email threats and a comprehensive approach to email security.
—— New: discussion of STARTTLS, which provides confidentiality and authentication for SMTP.
—— Revised: treatment of S/MIME has been updated to reflect the latest version 3.2.
—— New: discussion of DNSSEC and its role in supporting email security.
—— New: discussion of DNS-based Authentication of Named Entities (DANE) and the use of this approach to enhance security for certificate use in SMTP and S/MIME.
—— New: discussion of Sender Policy Framework (SPF), which is the standardized way for a sending domain to identify and assert the mail senders for a given domain.
—— Revised: discussion of DomainKeys Identified Mail (DKIM) has been revised.
—— New: discussion of Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows email senders to specify policy on how their mail should be handled, the types of reports that receivers can send back, and the frequency those reports should be sent.
It is the purpose of this book to provide a practical survey of both the principles and practice of cryptography and network security. In the first part of the book, the basic issues to be addressed by a network security capability are explored by providing a tutorial and survey of cryptography and network security technology. The latter part of the book deals with the practice of network security: practical applications that have been implemented and are in use to provide network security.
The subject, and therefore this book, draws on a variety of disciplines. In particular, it is impossible to appreciate the significance of some of the techniques discussed in this book without a basic understanding of number theory and some results from probability theory. Nevertheless, an attempt has been made to make the book self-contained. The book not only presents the basic mathematical results that are needed but provides the reader with an intuitive understanding of those results. Such background material is introduced as needed. This approach helps to motivate the material that is introduced, and the author considers this preferable to simply presenting all of the mathematical material in a lump at the beginning of the book.
The book is intended for both academic and professional audiences. As a textbook, it is intended as a one-semester undergraduate course in cryptography and network security for computer science, computer engineering, and electrical engineering majors. The changes to this edition are intended to provide support of the ACM/IEEE Computer Science Curricula 2013 (CS2013). CS2013 adds Information Assurance and Security (IAS) to the curriculum recommendation as one of the Knowledge Areas in the Computer Science Body of Knowledge.
The document states that IAS is now part of the curriculum recommendation because of the critical role of IAS in computer science education. CS2013 divides all course work into three categories: Core-Tier 1 (all topics should be included in the curriculum), Core-Tier-2 (all or almost all topics should be included), and elective (desirable to provide breadth and depth).
In the IAS area, CS2013 recommends topics in Fundamental Concepts and Network Security in Tier 1 and Tier 2, and Cryptography topics as elective. This text covers virtually all of the topics listed by CS2013 in these three categories.
The book also serves as a basic reference volume and is suitable for self-study.
The book is divided into eight parts.
■■ Background
■■ Symmetric Ciphers
■■ Asymmetric Ciphers
■■ Cryptographic Data Integrity Algorithms
■■ Mutual Trust
■■ Network and Internet Security
■■ System Security
■■ Legal and Ethical Issues
The book includes a number of pedagogic features, including the use of the computer algebra system Sage and numerous figures and tables to clarify the discussions. Each chapter includes a list of key words, review questions, homework problems, and suggestions for further reading. The book also includes an extensive glossary, a list of frequently used acronyms, and a bibliography. In addition, a test bank is available to instructors.
The major goal of this text is to make it as effective a teaching tool for this exciting and fast- moving subject as possible. This goal is reflected both in the structure of the book and in the supporting material. The text is accompanied by the following supplementary material that will aid the instructor:
■■ Solutions manual: Solutions to all end-of-chapter Review Questions and Problems.
■■ Projects manual: Suggested project assignments for all of the project categories listed below.
■■ PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing.
■■ PDF files: Reproductions of all figures and tables from the book.
■■ Test bank: A chapter-by-chapter set of questions with a separate file of answers.
■■ Sample syllabuses: The text contains more material than can be conveniently covered in one semester. Accordingly, instructors are provided with several sample syllabuses that guide the use of the text within limited time. These samples are based on real- world experience by professors with the fifth edition.
All of these support materials are available at the Instructor Resource Center (IRC) for this textbook, which can be reached through the publisher’s Web site www.pearsonhighered .com/stallings or by clicking on the link labeled Pearson Resources for Instructors at this book’s Author Web site at WilliamStallings.com/Cryptography. To gain access to the IRC, please contact your local Pearson sales representative via pearsonhighered.com/educator/ replocator/requestSalesRep.page or call Pearson Faculty Services at 1-800-526-0485.
The Author Web site, at WilliamStallings.com/Cryptography (click on Instructor Resources link), includes the following:
■■ Links to Web sites for other courses being taught using this book.
■■ Sign-up information for an Internet mailing list for instructors using this book to exchange information, suggestions, and questions with each other and with the author.
Projects and Other Student Exercises
For many instructors, an important component of a cryptography or network security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. This book provides an unparalleled degree of support, including a projects component in the course. The IRC not only includes guidance on how to assign and structure the projects, but also includes a set of project assignments that covers a broad range of topics from the text:
■■ Sage projects: Described in the next section.
■■ Hacking project: Exercise designed to illuminate the key issues in intrusion detection and prevention.
■■ Block cipher projects: A lab that explores the operation of the AES encryption algorithm by tracing its execution, computing one round by hand, and then exploring the various block cipher modes of use. The lab also covers DES. In both cases, an online Java applet is used (or can be downloaded) to execute AES or DES.
■■ Lab exercises: A series of projects that involve programming and experimenting with concepts from the book.
■■ Research projects: A series of research assignments that instruct the student to research a particular topic on the Internet and write a report.
■■ Programming projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform.
■■ Practical security assessments: A set of exercises to examine current infrastructure and practices of an existing organization.
■■ Firewall projects: A portable network firewall visualization simulator, together with exercises for teaching the fundamentals of firewalls.
■■ Case studies: A set of real-world case studies, including learning objectives, case description, and a series of case discussion questions.
■■ Writing assignments: A set of suggested writing assignments, organized by chapter.
■■ Reading/report assignments: A list of papers in the literature—one for each chapter— that can be assigned for the student to read and then write a short report.
This diverse set of projects and other student exercises enables the instructor to use the book as one component in a rich and varied learning experience and to tailor a course plan to meet the specific needs of the instructor and students. See Appendix A in this book for details.
One of the most important features of this book is the use of Sage for cryptographic examples and homework assignments. Sage is an open-source, multiplatform, freeware package that implements a very powerful, flexible, and easily learned mathematics and computer algebra system. Unlike competing systems (such as Mathematica, Maple, and MATLAB), there are no licensing agreements or fees involved. Thus, Sage can be made available on computers and networks at school, and students can individually download the software to their own personal computers for use at home. Another advantage of using Sage is that students learn a powerful, flexible tool that can be used for virtually any mathematical application, not just cryptography.
The use of Sage can make a significant difference to the teaching of the mathematics of cryptographic algorithms. This book provides a large number of examples of the use of Sage covering many cryptographic concepts in Appendix B, which is included in this book. Appendix C lists exercises in each of these topic areas to enable the student to gain hands-on experience with cryptographic algorithms. This appendix is available to instructors at the IRC for this book. Appendix C includes a section on how to download and get started with Sage, a section on programming with Sage, and exercises that can be assigned to students in the following categories:
■■ Chapter 2—Number Theory and Finite Fields: Euclidean and extended Euclidean algorithms, polynomial arithmetic, GF(24), Euler’s Totient function, Miller–Rabin, factoring, modular exponentiation, discrete logarithm, and Chinese remainder theorem.
■■ Chapter 3—Classical Encryption: Affine ciphers and the Hill cipher.
■■ Chapter 4—Block Ciphers and the Data Encryption Standard: Exercises based on SDES.
■■ Chapter 6—Advanced Encryption Standard: Exercises based on SAES.
■■ Chapter 8—Pseudorandom Number Generation and Stream Ciphers: Blum Blum Shub, linear congruential generator, and ANSI X9.17 PRNG.
■■ Chapter 9—Public-Key Cryptography and RSA: RSA encrypt/decrypt and signing.
■■ Chapter 10—Other Public-Key Cryptosystems: Diffie–Hellman, elliptic curve.
■■ Chapter 11—Cryptographic Hash Functions: Number-theoretic hash function.
■■ Chapter 13—Digital Signatures: DSA.
For this new edition, a tremendous amount of original supporting material for students has been made available online, at two Web locations. The Author Web site, at WilliamStallings. com/Cryptography (click on Student Resources link), includes a list of relevant links organized by chapter and an errata sheet for the book.
Purchasing this textbook new also grants the reader six months of access to the Companion Website, which includes the following materials:
■■ Online chapters: To limit the size and cost of the book, four chapters of the book are provided in PDF format. This includes three chapters on computer security and one on legal and ethical issues. The chapters are listed in this book’s table of contents.
■■ Online appendices: There are numerous interesting topics that support material found in the text but whose inclusion is not warranted in the printed text. A total of 20 online appendices cover these topics for the interested student. The appendices are listed in this book’s table of contents.
■■ Homework problems and solutions: To aid the student in understanding the material, a separate set of homework problems with solutions are available.
■■ Key papers: A number of papers from the professional literature, many hard to find, are provided for further reading.
■■ Supporting documents: A variety of other useful documents are referenced in the text and provided online.
■■ Sage code: The Sage code from the examples in Appendix B is useful in case the student wants to play around with the examples.
To access the Companion Website, follow the instructions for “digital resources for students” found in the front of this book.
This new edition has benefited from review by a number of people who gave generously of their time and expertise. The following professors reviewed all or a large part of the manuscript: Hossein Beyzavi (Marymount University), Donald F. Costello (University of Nebraska–Lincoln), James Haralambides (Barry University), Anand Seetharam (California State University at Monterey Bay), Marius C. Silaghi (Florida Institute of Technology), Shambhu Upadhyaya (University at Buffalo), Zhengping Wu (California State University at San Bernardino), Liangliang Xiao (Frostburg State University), Seong-Moo (Sam) Yoo (The University of Alabama in Huntsville), and Hong Zhang (Armstrong State University). Thanks also to the people who provided detailed technical reviews of one or more chapters: Dino M. Amaral, Chris Andrew, Prof. (Dr). C. Annamalai, Andrew Bain, Riccardo Bernardini, Olivier Blazy, Zervopoulou Christina, Maria Christofi, Dhananjoy Dey, Mario Emmanuel, Mike Fikuart, Alexander Fries, Pierpaolo Giacomin, Pedro R. M. Inácio, Daniela Tamy Iwassa, Krzysztof Janowski, Sergey Katsev, Adnan Kilic, Rob Knox, Mina Pourdashty, Yuri Poeluev, Pritesh Prajapati, Venkatesh Ramamoorthy, Andrea Razzini, Rami Rosen, Javier Scodelaro, Jamshid Shokrollahi, Oscar So, and David Tillemans. In addition, I was fortunate to have reviews of individual topics by “subject-area gurus,” including Jesse Walker of Intel (Intel’s Digital Random Number Generator), Russ Housley of Vigil Security (key wrapping), Joan Daemen (AES), Edward F. Schaefer of Santa Clara University (Simplified AES), Tim Mathews, formerly of RSA Laboratories (S/MIME), Alfred Menezes of the University of Waterloo (elliptic curve cryptography), William Sutton, Editor/Publisher of The Cryptogram (classical encryption), Avi Rubin of Johns Hopkins University (number theory), Michael Markowitz of Information Security Corporation (SHA and DSS), Don Davis of IBM Internet Security Systems (Kerberos), Steve Kent of BBN Technologies (X.509), and Phil Zimmerman (PGP). Nikhil Bhargava (IIT Delhi) developed the set of online homework problems and solutions.
Dan Shumow of Microsoft and the University of Washington developed all of the Sage examples and assignments in Appendices B and C. Professor Sreekanth Malladi of Dakota State University developed the hacking exercises. Lawrie Brown of the Australian Defence Force Academy provided the AES/DES block cipher projects and the security assessment assignments. Sanjay Rao and Ruben Torres of Purdue University developed the laboratory exercises that appear in the IRC. The following people contributed project assignments that appear in the instructor’s supplement: Henning Schulzrinne (Columbia University); Cetin Kaya Koc (Oregon State University); and David Balenson (Trusted Information Systems and George Washington University). Kim McLaughlin developed the test bank.
Finally, I thank the many people responsible for the publication of this book, all of whom did their usual excellent job. This includes the staff at Pearson, particularly my editor Tracy Johnson, program manager Carole Snyder, and production manager Bob Engelhardt. Thanks also to the marketing and sales staffs at Pearson, without whose efforts this book would not be in front of you.
About the Author
Dr. William Stallings has authored 18 titles, and counting revised editions, over 40 books on computer security, computer networking, and computer architecture. His writings have appeared in numerous publications, including the Proceedings of the IEEE, ACM Computing Reviews, and Cryptologia. He has 13 times received the award for the best Computer Science textbook of the year from the Text and Academic Authors Association. In over 30 years in the field, he has been a technical contributor, technical manager, and an executive with several high-technology firms. He has designed and implemented both TCP/IP-based and OSI-based protocol suites on a variety of computers and operating systems, ranging from microcomputers to mainframes. As a consultant, he has advised government agencies, computer and software vendors, and major users on the design, selection, and use of networking software and products.
He created and maintains the Computer Science Student Resource Site at ComputerScienceStudent.com. This site provides documents and links on a variety of subjects of general interest to computer science students (and professionals). He is a member of the editorial board of Cryptologia, a scholarly journal devoted to all aspects of cryptology. Dr. Stallings holds a PhD from MIT in computer science and a BS from Notre Dame in electrical engineering.