INFORMATION SECURITY: PRINCIPLES AND PRACTICE
#1

INFORMATION SECURITY
PRINCIPLES AND PRACTICE

Mark Stamp
San Jose State University
A JOHN WILEY & SONS, INC., PUBLICATION
This book is printed on acid-free paper.∞
Copyright © 2006 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted
under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978)
750-4470, or on the web at copyright.com. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030,
(201) 748-6011, fax (201) 748-6008, e-mail: permcoordinator[at]wiley.com.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in
preparing this book, they make no representations or warranties with respect to the accuracy or completeness
of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for
a particular purpose. No warranty may be created or extended by sales representatives or written sales
materials. The advice and strategies contained herein may not be suitable for your situation. The publisher is
not engaged in rendering professional services, and you should consult with a professional where
appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial
damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services please contact our Customer Care Department
within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317)
572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic format. For more information about Wiley products, visit our web site at
Library of Congress Cataloging-in-Publication Data:
Stamp, Mark.
Information security: principles and practice / Mark Stamp.
p. cm.
Includes bibliographical references and index.
ISBN-10 0-471-73848-4 (cloth)
ISBN-13 978-0-471-73848-0
1. Computer security. I. Title.
QA76.9.A25S69 2005
005.8--dc22
2005005152
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
To Melody, Austin, and Miles.
PREFACE
I hate black boxes. One of my goals in writing this book was to illuminate some of those
black boxes that are so popular in information security books today. On the other hand,
I don’t want to bore readers to death with trivial details (if that’s what you want, go
read some RFCs). As a result, I sometimes ignore details that I deem irrelevant to the
topic at hand. You can judge whether I’ve struck the proper balance between these two
competing goals.
Another goal of mine was to present the topic in a lively and interesting way. If
any computing subject should be exciting and fun, it’s information security. Security is
happening now, it’s in the news; it’s clearly alive and kicking.
Some security textbooks offer a large dollop of dry useless theory. Reading one of
these books is about as exciting as reading a calculus textbook. Other security books
offer nothing but a collection of apparently unrelated facts, giving the impression that
security is not really a coherent subject at all. Then there are books that present the topic
as a collection of high-level managerial platitudes. These books may have a place, but if
your goal is to design and build secure systems, you’d better understand something about
the underlying technology. Finally, some security books focus on the human factors in
security. While it is certainly critical to understand the role that human nature plays in
security, I would argue that a security engineer must have a solid understanding of the
inherent strengths and weaknesses of the technology before the human factors can be
fully appreciated.
Information security is a huge topic, and unlike more established fields, it’s not clear
what material should be included in a book like this, or how best to organize the selected
material. I’ve chosen to organize this book around the following four major themes.
• Cryptography
• Access Control
• Protocols
• Software
These themes are fairly elastic so that I can include what I consider to be the most significant
material. For example, in my usage, access control includes the traditional topics of
authentication and authorization, along with such nontraditional topics as firewalls and
CAPTCHAs. The software theme is particularly flexible, including such diverse topics
as secure software development, computer viruses, software reverse engineering, and
operating systems.
I’ve strived to keep the presentation moving along in order to cover a reasonable
selection of the most significant material. My goal is to cover each topic in just enough
detail so that a reader can appreciate the basic security issue at hand and to avoid getting
bogged down in trivia. I also attempt to regularly emphasize and reiterate the main points
so that a significant point doesn’t slip past the radar screen undetected.
Although this book is focused on practical issues, I’ve tried to cover enough of the
fundamental principles so that the reader will be prepared for further study in the field.
In addition, I’ve strived to minimize the required background knowledge as much as
possible. In particular, the mathematical formalism has been kept to a bare minimum
(the Appendix contains a review of all necessary math topics). Despite this self-imposed
limitation, this book contains more substantive cryptography than most other security
books. The required computer science background is also minimal—an introductory
computer organization course (or comparable experience) is more than sufficient. Some
programming experience and a rudimentary knowledge of assembly language would be
helpful in a couple of sections, but it’s not mandatory. Networking basics arise in a few
sections. The Appendix contains a brief overview of networking that provides sufficient
background material.
If you are an information technology professional who’s trying to learn more about
security, I would suggest that you read the entire book. Actually, that’s my suggestion
to everyone. But if you want to avoid the material that’s most likely to slow you down
and is not critical to the overall flow of the book, you can safely skip Section 4.5, all of
Chapter 6 (though Section 6.3 is highly recommended), and Section 8.3.
If you are teaching a security class, it’s important to realize that this book has more
material than can be covered in a one semester course. The schedule that I generally
follow in my undergraduate security class appears in the table below. This schedule
allows ample time to cover a few of the optional topics.
Chapter                          Hours  Comments
1. Introduction                    1    Cover all.
2. Classic Cryptography            3    Sections 2.3.6 and 2.3.8 are optional.
3. Symmetric Key Crypto            4    Section 3.3.5 is optional.
4. Public Key Crypto               4    Omit 4.5; Section 4.8 is optional.
5. Hash Functions                  3    Cover 5.1 through 5.6 and 5.7.2. The remainder of 5.7 is optional.
6. Advanced Cryptanalysis          0    Omit entire chapter.
7. Authentication                  4    Cover all.
8. Authorization                   2    Cover 8.1 and 8.2. Sections 8.3 through 8.9 are optional (though 8.7 is recommended).
9. Authentication Protocols        4    Sections 9.4 and 9.5 are optional (9.5 is mentioned in Chapter 13).
10. Real-World Protocols           4    Cover all.
11. Software Flaws and Malware     4    Cover all.
12. Insecurity in Software         4    Sections 12.3 and 12.4 are optional. Recommended to cover part of 12.4.
13. OS and Security                3    Cover all.
Total                             40
Many variations on the outline above are possible. For example,
• For a greater emphasis on network security, cover the networking material in the
Appendix and Sections 8.7 through 8.9. Then cover only the bare minimum of
crypto and software topics.
• For a heavier crypto emphasis, cover all of Chapters 2 through 6 and Chapters
9 and 10 (where the crypto is applied) with selected additional topics as time
permits. Although Chapter 6 is somewhat more technical than other chapters, it
provides a solid introduction to cryptanalysis, a topic that is usually not treated
in any substantive way, even in crypto books.
• If you prefer slightly more theory, cover security modeling in Sections 8.3
through 8.6, which can be supplemented by [212]. To stay within the time
constraints, you can de-emphasize the software topics.
In any incarnation, a security course based on this book is an ideal venue for individual
or group projects. The annotated bibliography provides an excellent starting point to
search for suitable projects. In addition, many topics and problems lend themselves well
to class discussions or in-class assignments (see, for example, Problem 13 in Chapter 10
or Problem 11 in Chapter 11).
If I were teaching this class for the first time, I would appreciate the PowerPoint
slides that are available at the textbook website. These slides have all been thoroughly
“battle tested” in a classroom setting and improved over several iterations. In addition,
a solutions manual is available to instructors (sorry students) from the publisher.
It is also worth noting how the Appendices fit into the flow of the text. Appendix A-1,
Network Security Basics, does not play a significant role until Part III. Even if you (or
your students) have a solid foundation in networking, it’s probably worthwhile to review
this material, since networking terminology is not always consistent, and since the focus
here is on security.
The Math Essentials of Appendix A-2 are required in various places. Elementary
modular arithmetic (A-2.1) arises in a few sections of Chapter 3 and Chapter 5, while
some of the more advanced concepts are required in Chapter 4 and Section 9.5. Permutations
(A-2.2) are most prominent in Chapter 3, while elementary discrete probability
(A-2.3) appears in several places. The elementary linear algebra in A-2.4 is only required
in Section 6.4. Appendix A-3 is only used as a reference for problems in Chapter 3.
Just as any large and complex piece of software must have bugs, this book inevitably
has errors. I would like to hear about any errors that you find. I will try to maintain a
reasonably up-to-date errata on the textbook website. Also, I would appreciate a copy
of any software that you develop that is related to the topics in this book. Applets that
illustrate algorithms and protocols would be especially nice. And I'd appreciate problems
or exercises that you develop and would be willing to share. Finally, don't hesitate to
provide any suggestions you might have for future editions of this book.
ABOUT THE AUTHOR
I’ve got more than a dozen years of experience in information security, including extensive
work in industry and government. My work experience includes seven years at
the National Security Agency followed by two years at a Silicon Valley startup company
where I helped design and develop a digital rights management security product.
This real-world work was sandwiched between academic jobs. While in academia, my
research interests have included a wide variety of security topics.
With my return to academia in 2002, I quickly realized that none of the available
security textbooks had much connection with the real world. I felt that I could write an
information security book that would fill this gap, while also containing information that
is vital to the working professional. I’ve honed the material by using the manuscript and
notes as the basis for several information security classes I’ve taught over the past three
years. As a result, I’m confident that the book succeeds as a textbook.
I also believe that this book will be valuable to working professionals, but then, I’m
biased. I can say that many of my former students who are now at leading Silicon Valley
companies tell me that the information they learned in my course has proved useful in the
real world. And I certainly wish that a book like this had been available when I worked
in industry, since my colleagues and I would have benefitted greatly from it.
I do have a life outside of information security. My family includes my lovely wife,
Melody, and two great sons, Austin, whose initials are AES, and Miles, whose initials are
not DES (thanks to Melody). We enjoy the outdoors, with frequent local trips involving
such activities as bicycling, hiking, camping and fishing. I also spend too much time
watching cartoons. Another favorite activity of mine is complaining about the absurd
price of housing in the San Francisco Bay Area.
ACKNOWLEDGMENTS
My work in information security began when I was in graduate school. I want to thank
my thesis advisor, Clyde F. Martin for introducing me to this fascinating subject.
In my seven years at NSA, I learned more about security than I could have learned
in a lifetime anywhere else. Unfortunately, the people who taught me so much must
remain anonymous.
At my ill-fated startup company, MediaSnap, Inc., I witnessed firsthand the commercial
pressures that all-too-often lead to bad security. In spite of these pressures, we
produced a high-quality digital rights management product that was far ahead of its time.
I want to thank all at MediaSnap, and especially Joe Pasqua and Paul Clarke, for giving
me the chance to work on such a fascinating and challenging project.
This book would not have been possible without the students here at San Jose
State University who helped me to refine my notes over the past three years. Some of
the students who deserve special mention for going above and beyond the call of duty
include Wing Wong, Martina Simova, Deepali Holankar, Xufen Gao, Neerja Bhatnager,
Amit Mathur, Ali Hushyar, Smita Thaker, Subha Rajagopalan, Puneet Mishra, Jianning
Yang, Konstantin Skachkov, Jian Dai, Thomas Nikl, Ikai Lan, Thu Nguyen, Samuel
Reed, Yue Wang, David Stillion, Edward Yin, and Randy Fort.
Richard Low, a colleague here at SJSU, provided helpful feedback on an early
version of the manuscript. David Blockus deserves special mention for giving me detailed
comments on each chapter at a particularly critical juncture in the writing of this book.
I want to thank all of the people at Wiley who applied their vast expertise to make the
book writing process as painless as possible. In particular, Val Moliere, Emily Simmons,
and Christine Punzo were all extremely helpful.
Of course, all remaining flaws are my responsibility alone.
#2


To get information about the topic INFORMATION SECURITY (full report, ppt and related topics), refer to the page links below:
http://studentbank.in/report-information...anizations

http://studentbank.in/report-information...ity--20424

http://studentbank.in/report-information...al-hacking

http://studentbank.in/report-information...ndpractice

http://studentbank.in/report-information...are-system

http://studentbank.in/report-information...nd-attacks

http://studentbank.in/report-information...ity--10205

http://studentbank.in/report-information...ganography