Cryptography Reference
In-Depth Information
management requirements of symmetric cryptography cannot be easily
supported, which tends to be the case for applications in open environments.
Even then, its use tends to be restricted to the essential operations.
• Key management is absolutely critical to the security of a cryptographic
application. Key management is relatively straightforward in some applications,
but much more complex in others. Indeed, key management issues can often
dictate what kind of cryptography is used in an application.
12.9 Further reading
The applications that we discussed in this chapter were just examples. While
some other books on cryptography include information on applications, in most
cases details about the cryptography used in a particular application are more
readily obtained from resources directly concerning the application itself. A notable
exception is the wide range of security applications discussed in Anderson [23],
which includes chapters on banking security, telecommunications security and digital
rights management.
There is a vast amount of further information available concerning SSL (TLS).
One of the most comprehensive sources of information is Rescorla [161]. There
are numerous IETF standards covering aspects of TLS, with RFC 5246 [57] being
the most fundamental one. Several more general network security books include
good coverage of SSL, including Garfinkel and Spafford [88] and Stallings [183], the
latter of which is also a good source of information about SSH and IPsec. Advice on
implementation of TLS is included in NIST 800-52 [136].
The saga behind the cryptography used in WLAN standards is well documented.
An excellent overview of WLAN security, which includes details of all the cryptographic
issues, is Edney and Arbaugh [67]. The main WLAN security standard is IEEE
802.11 [15], which has numerous more recent amendments. WLAN security is also
covered in a number of other dedicated books, including the practical perspectives
provided by Cache and Liu [44]. Some more general books such as Stallings [183]
include chapters on WLAN security. WPA2 entity authentication can be done using
EAP, which is defined in RFC 3748 [20].
A comprehensive discussion of UMTS security is Niemi and Nyberg [130]. A
very accessible introduction to GSM security is Pagliusi [150]. Both GSM and UMTS
are covered by Chandra [46]. The official EMV standards for card payments are
all available online from EMVCo [71]. A good overview of EMV is included as
a chapter in Mayes and Markantonakis [120], where there are also chapters on
mobile telecommunications security and the security of video broadcasting. A more
detailed coverage of technical issues concerning the more general area of digital
rights management is Zeng, Hu and Lin [208]. An overview of security of the eID card
scheme can be found in De Cock et al. [48].
A number of good resources exist relating to cryptography for home users.
NIST 800-111 provides advice on encryption of storage devices, including some
 