Cipher Book Review, Issue E52

Protocols for Authentication and Key Establishment
by Colin Boyd, Anish Mathuria, and Douglas Stebila

Second Edition, 2020.
Springer Verlag, Information Security and Cryptography Series.
ISBN 978-3-662-58145-2, ISBN 978-3-662-58146-9 (e-Book).
521 pages.

Reviewed by Sven Dietrich, 11/24/2019

We go shopping online, we pay using our phones, we open our hotel rooms and start our cars with an electronic key, we remotely turn on the air conditioner at home, we log in to discussion sites or blogs, we make secure calls, and we text privately. All these pervasive actions in our everyday lives require protocols for authentication and cryptographic key establishment. So it was refreshing to see a second edition of Colin Boyd and Anish Mathuria's book, this time with the addition of Douglas Stebila, on this very subject of authentication protocols and key establishment.

The first edition of the book was published in 2003, which was quite a different world when it comes to the ubiquity of the Internet or the impact of mobile, personal devices. We find ourselves surrounded by devices, interconnect with them, and constantly interact with online or cloud services in one way or another. Consequently we require those communications to be authenticated and encrypted, the electronic documents to be signed, and doctors' records or federal tax returns to be secured in transit. Back in 2003, there had already been a plethora of such protocols, but as the Internet and its ecosystem grew, so did the number of protocols, associated cryptographic primitives, and threat models. This new edition of the book, for which writing started in 2010, provides great insight into this domain with an overview of 225 (sic) concrete protocols.

The second edition of the book is partitioned into 9 chapters and two appendices, featuring three new chapters compared to the first edition. The rich material added to this book shows that protocols and key establishment are still an active area of research to this day. The book provides everything the reader needs to understand the topic, from the basics to the most recent research and standards. The reader should expect thorough and dense material, with protocol notation, protocol examples, computational model explanations, and lessons learned from many years of protocol development.

The first chapter contains an overview of the basic terms and concepts, such as protocol architectures, key generation, cryptographic tools, adversarial capabilities (what can the adversary do?), and protocol goals (authentication, key establishment, entity authentication, etc.). A worked-out example of a protocol with an attack, a fix, and yet another attack on the fix demonstrates the workings of continued protocol analysis. The last part of the chapter has a brief overview of formal protocol verification tools such as the NRL Protocol Analyzer, FDR, Maude-NPA, ProVerif, Scyther, and Tamarin.

The second chapter introduces the importance of computational models in proving the security of a protocol. This new chapter covers computational models from two well-known ones, the Bellare-Rogaway model (BR93) and the Canetti-Krawczyk (CK01) model, up to the most recent extensions (such as LaMacchia et al.'s eCK, Menezes et al.'s MU08, Cremers et al.'s eCK-PFS, and Sarr et al.'s seCK). These newer computational models give the adversary more capabilities (e.g. obtaining intermediate results from a cryptographic computation) and therefore bring a variety of evaluation approaches for protocols. The authors show how these various models can be applied to single and group key exchanges, for example.

The third chapter covers protocols using shared key cryptography and discusses entity authentication protocols (such as the Woo-Lam authentication protocol), server-less key establishment protocols (such as the Andrew Secure RPC protocol), server-based key establishment protocols (such as the Needham-Schroeder Shared Key protocol and the Kerberos protocol), and more. The reader is walked through a series of attacks and fixes, and learns to identify flaws and understand the fixes and their limitations.

The fourth chapter then goes on to talk about authentication and key transport using public key cryptography. Here we find the all-too-familiar Needham-Schroeder Public Key protocol, the Public Key Kerberos protocol, X.509 protocols, and several protocols from the ISO/IEC standard for entity authentication.

The fifth chapter turns to key agreement protocols, where the reader learns about key derivation functions, key-share attacks, classes of key agreement, and generic ways to construct protocols from weaker components. The rest of the chapter is dedicated to discussing a variety of key agreement protocols, including a well-known one from the world of virtual private networks, IKEv2, and approaches to attacking these protocols.

The sixth chapter is devoted solely to transport layer security, the TLS protocol most people will use in their browser. Due to the scrutiny this protocol (along with its predecessor SSL) has received over the last 20+ years, the dedication of a full chapter to this protocol is more than justified. The authors have broken down the attacks by type, focusing on which aspect of the TLS framework each attack works against: attacks on the core cryptography (such as Bleichenbacher's attack), crypto usage in ciphersuites (such as the BEAST or POODLE attacks), TLS protocol functionality (such as the DROWN or CRIME attacks), implementation issues (such as "goto fail:", Heartbleed, and weak random number generation), and application-level problems (such as SSL stripping). This chapter covers SSL/TLS all the way up to TLSv1.3.

The seventh chapter goes on to identity-based key agreement schemes; it is another new chapter (along with the second and sixth), covering new topics such as pairing-based ID-based schemes. There has been much development in this area, hence once again the dedication of an entirely new chapter. Starting from the classical Okamoto scheme, the reader is invited to explore newer approaches such as Smart's pairing-based ID-based key agreement scheme and variants thereof, up to ID-based key agreement schemes with additional properties, such as protocols with multiple key generation centers.

The eighth chapter describes the classical PAKE (Password-based Authenticated Key Exchange) protocols, which have been around for about 30 years. From Bellovin and Merritt's EKE to multi-party PAKE, the full spectrum of such protocols, with their assumptions and pitfalls, is shown.

The ninth chapter rounds off the book with group key establishment, including Diffie-Hellman generalizations, and explorations of variants without Diffie-Hellman or using identity-based approaches. The chapter shows how much progress there has been with group key agreement protocols in the last 10-15 years.

Appendix A lists the relevant standards for these protocols. Both international and US-based standards are discussed, sourcing the information from ISO, IETF, IEEE, NIST, and ANSI. Moreover, some purpose-specific protocols are also listed, such as EMV (aka "Chip and PIN" for your credit or bank card), Bluetooth device communications, Tor anonymous browsing, Off-the-Record messaging (OTR), and the Signal protocol for secure messaging and calling.

Appendix B engages the reader in a tutorial on building an actual key establishment protocol. It starts from a naive outlook for a protocol and slowly builds up the security assumptions and requirements, iterating step by step through a series of attacks and fixes up to a workable protocol. The appendix wraps up with Abadi and Needham's design principles for cryptographic protocols.

Some of the old protocols and background have been removed from the second edition, so one will have to dust off a first-edition copy in order to discover certain historical aspects, but this does not take away from the quality of this up-to-date second edition. The list of references in this second edition, nearing 800 entries, is quite an impressive collection for anyone seeking to explore the topic.

Colin Boyd, Anish Mathuria, and Doug Stebila are experts in their field who have delivered a solid technical book on protocols and key establishment. This book is a must-have for the real (or virtual, since there is an e-Book!) library of anyone interested in this area. I truly enjoyed reading this book, as it brought me back to the beginning of my academic career, when I looked at formally analyzing the security of protocols such as SSL.
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org