BKPERENC.RVW   980726

"Personal Encryption Clearly Explained", Pete Loshin, 1998, 0-12-455837-2, U$39.95/C$55.95
%A   Pete Loshin pete@loshin.com
%C   525 B Street, Suite 1900, San Diego, CA 92101-4495
%D   1998
%G   0-12-455837-2
%I   Academic Press/Academic Press Professional/Harcourt Brace
%O   U$39.95/C$55.95 800-321-5068 fax: 619-699-6380 app@acad.com
%P   545 p.
%T   "Personal Encryption Clearly Explained"

I am getting just a little tired of the car analogy. "You don't need to be a mechanic," so the metaphor goes, "to drive a car. Therefore, you don't need to know anything about the theory behind [encryption|networking|programming|etc.] in order to use a computer." This comparison ignores two important points. One is that in 1912 you *did* need to be a fair mechanic to operate a car effectively, and that is roughly where we are with regard to the development of the computer. The second point is that while computer programs are generally easy enough for a novice to use once they have been set up, the choice, evaluation, and configuration of systems require much more background. Particularly in the field of encryption, in recent times "experts" have been recommending systems for which the time needed to crack keys has fallen to literally hours.

This book purports to give you everything that you need in order to both use and understand encryption, specifically with regard to digital signatures. While the text does provide some limited conceptual education and a little vicarious experience with a handful of commercial products, it cannot be said to deliver on its promise.

Chapter one is a bit hard to define. It seems to start out as a sales pitch, trying to convince the reader that encryption is important. However, it also looks at the scope of privacy and threats thereto, and even starts to develop the background for encryption technologies. The quality is highly uneven. A discussion of security versus usability is excellent and notes that the convenience of modern personal networking systems poses tremendous security vulnerabilities. On the other hand, the introduction to information risks cites only computer criminals, without considering the possibility of transmission of sensitive information to unauthorized recipients through human errors or system failures. A review of types of data that should be secured fails to note that encrypting some files and messages while leaving others accessible can, in and of itself, provide assistance to the enemy. The material on security technologies and specific threats is fairly mundane.

A primer on encryption is presented in chapter two, although it is, as is all too usual, more of a history than a real explanation. Modern computer encryption is less than half of the chapter, and most of that space is dedicated to describing different applications rather than technologies. Appendix A should probably be considered as an extension of the discussion, and does provide a first rate explanation of the mathematical underpinnings to modern public-key encryption, but ends just as we get to the good bit. Neither the chapter nor the appendix gives the necessary preparation for assessing cryptographic strength.

Chapter three is a balanced but relatively superficial examination of the debate surrounding the US government's attempts to restrict the availability and use of encryption.

The discussion of encryption implementation in chapter four touches on a wide range of issues, but none in any depth. A number of disparate products are briefly described (and the "installation" of two is presented in some detail), but the foundation for evaluation still has not been provided in chapter five.

Chapter six looks at a number of security topics and features related to the Netscape Navigator browser, but not all relate to encryption, and encryption related topics are passed over quite quickly. There is, for example, no discussion of the ramifications of dealing with either "export" copies of Netscape products, or non-US Web servers, both of which may be restricted in the cryptographic keys they can deal with.

Operational, but not functional, specifics of three email products with cryptographic capabilities are detailed in chapter seven. Similar information is given for some file encryption products in chapter eight.

Chapter nine's explanation of digital commerce is simplistic and surprisingly abrupt.

The review of key management in the Network Associates PGP product should be viewed together with the material in chapters five and eight (and even then isn't really complete), but additional content does begin to address some of the conceptual issues in chapter ten.

This is yet another example of a book that tries to explain encryption to a non-technical audience but seems to feel that a full background is not needed. Loshin does a better job than some other authors with the inclusion of Appendix A, but fails to provide either the explanation of function or the demonstration of relative strength that Garfinkel manifested in "PGP: Pretty Good Privacy" (cf. BKPGPGAR.RVW). Unfortunately this current work is neither clear nor complete enough to be recommended for any particular audience.

copyright Robert M. Slade, 1998