Cipher Book Review, Issue E155

Computer Security and the Internet: Tool and Jewels
by Paul C. van Oorschot

Springer International Publishing 2020.
ISBN 978-3-030-33648-6 (Hardcover), ISBN-13: 978-3-030-33649-3 (eBook), XXII, 365 pages

Reviewed by  Sven Dietrich   05/31/2020 

When looking at my library (ok, ok, I have to virtually place myself in my office in this pandemic), my eyes first rest on the name Paul C. van Oorschot on the classic cryptography book Handbook of Applied Cryptography from 1996. Now, he has published a book meant to resolve a challenge with computer security books -- being somewhat complete while being somewhat short -- with his new title Computer Security and the Internet: Tools and Jewels.

In close to 400 pages, Paul has succeeded in writing a book that provides the basic principles of computer security as well as pointing to further materials for those readers eager to absorb more knowledge, or perhaps that had whet their appetite for more "Gedankenexperimente" (thought experiments) and real practice.

The book is divided into eleven chapters, plus a foreword, preface, and epilogue, and a set of contextual references at the end of each chapter in endnote style. The preface labels those chapters or sections that can be skipped without losing continuity in a course or reading seminar. The foreword by Peter G. Neumann, a long-time and well-respected presence in the field of computer security, is difficult to surpass as it sings the praises of this book. The book is a nice middle ground between theory and practice, yet provides the solid foundations needed to start reading and understanding the next levels of computer security in the context of the Internet. It awakens sufficient levels of curiosity to make you want to read that research paper so you understand the question: "how did we get here?" For computer security intents and purposes, of course.

The eleven chapters are 'Basic Concepts and Principles,' 'Cryptographic Building Blocks,' 'User Authentication - Passwords, Biometrics, and Alternatives,' 'Authentication Protocols and Key Establishment.' 'Operating System Security and Access Control,' 'Software Security - Exploits and Privilege Escalation,' 'Malicious Software,' 'Public-Key Certificate Management and Use Cases,' 'Web and Browser Security,' 'Firewalls and Tunnels,' and finally 'Intrusion Detection and Network-Based Attacks.' The text throughout the book is color-coded, with different colors for concepts, program or operating system names, and keywords. Many diagrams and figures illustrating this book are also in color.

The first chapter 'Basic Concepts and Principles' covers the fundamental goals of computer security, talks about computer security policies and attacks, risk assessment, and describes security modeling and the challenges that shake computer security. Already here, we find chapters that are labeled 'optional,' those that go deeper than a regular introduction.

The second chapter 'Cryptographic Building Blocks' discusses generic concepts of encryption and decryption, covering both the symmetic and asymmetric cases, digital signatures, cryptographic hash functions, and message authentication. As a "build-on" topic, the reader is encouraged to read up on authenticated encryption, modes of encryption, certificates and elliptic curves, and the different keylengths that matter.

The third chapter, on 'User authentication', talks about passwords as means of authentication, password cracking, account recovery, one-time systems and hardware tokens, and biometric authentication. The advanced sections look at graphical passwords, password managers, captchas, and entropy.

The fourth chapter about 'Authentication Protocols and Key Establishment' is a very short summary of a large field (such as most other chapters in this book), as I recently reviewed an entire book just on this topic. The journey takes the reader from entity authentication and key establishment (e.g. Diffie-Hellman) to basic authentication protocol concepts , lessons learned, and some examples of Password-authenticated key exchanges (PAKEs such as EKE and SPEKE), and eventually to harder topics such as weak secrets, single sign-on, and cyclic group and subgroup attacks on Diffie-Hellman.

The fifth chapter on 'Operating System Security and Access Control' mentions key concepts such as memory protection, access control matrices, reference monitors, setuid and effective user ids, file and directory permissions, file deletion challenges, and last but not least the RBAC and MAC approaches. As a higher-ground bonus, the reader discovers finer protection mechanisms such as protection rings for isolation, and also protection domains.

The sixth chapter 'Software Security - Exploits and Privilege Elevation' introduces the reader to the fun subject of exploits via race conditions, integer-based vulnerabilities (as contrasted to string-based vulnerabilities), and then the classic stack-based vulnerabilities and its pendants in the heap and elsewhere. While heading to covering defenses against these exploits, the chapter intermingles the advanced sections on return-to-libc attacks and shellcode, rather than saving them for the end, allowing the reader to appreciate the intricacies of the attacks "inline" while reading.

The seventh chapter on 'Malicious Software', as a logical next topic after exploits, describes malware (mal[icious][soft]ware) in its variety, from the early viruses to the latest ransomware, botnets, rootkits, and their stealthy techniques. Wrapping up the chapter, it offers approaches for categorizing malware.

The eighth chapter about 'Public-Key Certificate Management and Use Cases' describes the world of the Public-Key Infrastructure (PKI), certification authorities (CA) , various CA/PKI architectures. It explains how this all fits with your web browser and surfing the Internet. As a bonus, the reader gains insight into specific secure email solutions and certificate revocation.

The ninth chapter 'Web and Browser Security' builds on concepts in the previous chapter to illustrate the problems (and features!) present in the modern web and its many browsers. Terms such as HTML, HTTP/HTTPS, and TLS quickly give way to cookies, same-origin policy, cross-site scripting, and SQL injection. A very important tidbit is left for "additional" reading: the concept of usability in security (aka usable security), and that nicely wraps up the chapter.

The tenth chapter about 'Firewalls and Tunnels' delves into the world of packet-filterr firewalls, various architectures found in the firewall setting, secure shell, and Virtual Private Networks (VPNs). Detailed background in IP security (IPsec) as well as networking and TCP/IP rounds off the chapter.

The eleventh, and last, chapter on 'Intrusion Detection and Network-Based Attacks' saves "the best for last" (ok, so I have a special place for that subject in my 'computer security heart'). The tough subject that intrusion detection is, having fueled many papers and research/practitioner efforts over the years, it's summarized here with methodological overview of its approaches. There is discussion of sniffers, reconnaissance, vulnerability scanners, and attacks on the infrastructure, including denial-of-service attacks (also very dear to my heart) and domain name service (DNS) as well as the address resolution protocol (ARP) attacks. The extra section on TCP session hijacking evokes fond memories of the early days of the Internet.

In the epilogue, in which Paul suggests to the readers that they have attained "walking speed" for computer security, he plants little seeds of interest to pursue further, just as he had done at the end of each chapter. To me that sounds like: "Go brandish that knowledge and join the ranks of security practitioners and researchers!"

Paul C. van Oorschot did an great job with Computer Security and the Internet for producing a concise and (sufficiently) complete computer security book, as he had set out to do. At first, the book seems like a large Cliff Notes, but it is so much more: it supplies a golden thread to follow through the computer security field, with the option to delve deeper at the next strand. I enjoyed reading it and look forward to having this book readily available on my book shelf for many years to come.

Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org