Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity,


Posted on by Ben Rothke

Having worked at the same consulting firm and also on a project with author J.J. Stapleton (yes, that was full disclosure); I knew he was a really smart guy.  In Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity, Stapleton shows how broad his security knowledge is to the world.

When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies.  He has been part of cryptographic accreditation committees for many different standard bodies across the globe.  From ANSI, ISO, X9 and more.

The premise of the author and the need for the book is that the traditional information security CIA triad (confidentiality, integrity, availability) has led to the situation where authentication has to a large part gotten short shrift.  This is a significant issue since much of information security is built around the need for strong and effective authentication.  Without effective authentication, networks and data are at direct risk for compromise.

The topic itself is not exactly compelling (that is, unless you like to read standards such as ANSI X9.42-2003: Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, ISO/IEC 9798-1:2010: Information technology -- Security techniques -- Entity authentication, etc.), so the book is more of a detailed technical reference.  Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding. 

For those who don’t have a general background on the topic of authentication and advanced security; it may be a book too deep and technical for those looking for something more in line of a CISSP preparation guide.

For those that want to know the deep underpinnings of how encryption algorithms work; they can simply read the RFC’s and standards themselves.  What the book brings to the table are details about how to effectively implement the standards and algorithms in the enterprise; be it in applications, policies; or the specific procedures to meet compliance and standards requirements.  And that is where Stapleton’s many decades of experience provide significant and inestimable value.

There are many reasons why authentication systems fail and many times it is due to interoperability issues.  Stapleton details how to ensure to minimize those faults in order to achieve seamless authentication across multiple technologies and operating systems.

The 7 chapters cover a dense amount of information around the 3 core topics.  The book is for the reader with a solid technical background.  While it may be listed as an exploratory text, it is not like a For Dummies title.

As per its title, it covers confidentiality, authentication and integrity; in addition to other fundamental topics of non-repudiation, privacy and key management.

One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies and algorithms.  This enables the reader to understand what the appropriate type of authentication is most beneficial for the specific requirement.

For example, in chapter 7, the book provides a really good comparison and summary of different cryptographic modules, including how they are linked to various standards from NIST, NSA, ANSI and ISO.  It does the same for a comparison of cryptographic key strengths against various algorithms.

An interesting observation the book makes when discussing the DES encryption algorithm, is that all of the talk of the NSA placing backdoors in DES are essentially false.  To date, no known flaws have been found against DES, and that after being around for over 30 years, the only attack against DES is an exhaustive key attack.  This type of attack is where an adversary has to try each of the possible 72 quadrillion key (256 permutations – as the key is 56 bits long) until the right key is discovered. 

That means that the backdoor rumors of the NSA shortening the length of the substitution ciphers (AKA s-boxes), was not to weaken it necessarily.  Rather it was meant to block DES against specific types of cryptanalytic attacks.

While the book is tactical; the author does bring in one bit of trivia when he writes that the ISO, often known as the International Organization for Standardization, does not in truth realty stand for that.  He notes that the organizations clearly states on its web page that because International Organization for Standardization would have different acronyms in different languages (IOS in English, OIN in French for Organisation internationale de normalization, etc.); its founders decided to give it the short form ISO.  ISO is derived from the Greek isos, meaning equal.  Whatever the country, whatever the language, the short form of the name is always ISO.

While Stapleton modifies the CIA triad, the book is not one of a security curmudgeon, rather of a security doyen.  For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, Security without Obscurity: A Guide to Confidentiality, Authentication and Integrity is a valuable reference to get that job done.


Contributors
Ben Rothke

Senior Information Security Manager, Tapad

risk management data security key management

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs