The title is full of promise and breadth, but this work, because of its technically uneven, somewhat choppy presentation, would best be considered by the curious novice. The writing and presentation style, while easy to read, is British rather than American and frequently somewhat subtle. The book cannot be recommended for anyone who has serious system design requirements, except as an initial starting point since there is a paucity of implementation detail and recommendation. On the other hand, there is no requirement for computer network competency or banking system background on the part of the reader, and there is some material not easily obtainable elsewhere. This review will comment on the content of each of the 11 chapters. I suggest that readers draw their own conclusions as to specific applicability and interest.
Chapter 1 is titled Data Security. This short, nontechnical chapter defines some terms, introduces a little notation, relates a few security fraud war stories, and thereby justifies the requirement for encryption as a data processing security measure. Chapter 2 presents a classical introduction to Ciphers and Their Properties. It gives some technical insight into encryption techniques and, by inference, cryptanalysis. Attacks against systems and some defenses against them are mentioned.
Chapter 3 deals with The Data Encryption Standard or DES algorithm. It explains how the algorithm works, provides some key exhaustion techniques, and cites examples of some manufacturers’ products at the chip card, box level, and system level. The list is incomplete and somewhat inaccurate; at least one manufacturer, Motorola, has withdrawn products, and the IBM 3848 supports a data transfer rate of 3.0 M bytes/s, not 1.5 as stated. The authors avoid taking a position on the strength of the algorithm and thereby seem to support the detractors’ reported positions.
Chapter 4, Using a Block Cipher in Practice, shows the inherent weaknesses in the casual direct use of block ciphers and introduces the standardized chaining and feedback techniques which provide greater strength in use. Also discussed are padding and related techniques for handling non-modulo 64 data blocks, error extension, and recovery. Techniques to meet special system requirements which could limit the encrypted data representations are discussed. The direction and applicability of these concepts to real systems is barely addressed and it is left as an exercise for the reader to apply. The logic used to reach some conclusions is not necessarily correct, although the conclusions themselves are valid. The novice will never notice this, however.
Chapter 5, Authentication, never crisply defines the term but uses examples. Unfortunately, the first in-depth discussion deals with data entry validity checks as opposed to authentication, leading to potential confusion. General principles are finally discussed and several secret authentication algorithms are mentioned. Significant detail is devoted to an algorithm (attributed to Sievi, in private communication with the authors) known as the Decimal Shift and Add (DSA), which has been proposed to ISO. As of this writing, it has been broken by a chosen plaintext attack. A briefer discussion of one of the authors’ “Main Frame Authenticator Algorithm” follows. It too has been proposed as an ISO standard and has been broken by a chosen plaintext attack. Both good and bad authentication techniques are discussed. These come from a variety of sources, and the reader must ensure catching the authors’ subtle evaluation.
Chapter 6, Key Management, introduces the key hierarchy concept and includes some related techniques for generating random numbers. The concepts of authenticated distribution are addressed to ensure avoidance of replay. The physical security aspects of the Tamper Resistant Module which houses the cryptographic facility are discussed preceding a detailed description of the IBM Cryptographic Subsystem key management scheme and its special key management instructions. A system attributed to Jones [1], which achieves cryptographic key and function separation based on key tags (as opposed to variants), is next described. It is suggested that these tag bits replace some of the parity bits in the 64-bit key representation causing problems with some implementation standards.
Chapter 7, Identity Verification, has nothing to do with encryption per se, but deals with personal recognition, e.g., fingerprints, signature dynamics, voice prints, etc. This lengthy discussion is never set in a teleprocessing or funds transfer context and, as such, would have better been omitted or at least significantly limited. Techniques are discussed but useful, immediate funds transfer applications are not.
Chapter 8 introduces Public Key Ciphers. It covers principles, experimental functions, and key distribution in general using just enough simple mathematics to explain the principle. Some of the more popular algorithms are individually addressed, including the RSA, Trapdoor Knapsack, and McEliece [2] algorithms. This chapter explains the underlying concepts well, but unfortunately has no architectural or implementation meat, although some implementation problems are mentioned.
Chapter 9 deals with Digital Signatures. Like most discussions on this topic, the authors get tangled up by assuming legal implications based on common law relating to handwritten signatures which have no appropriate parallel relating to digital signatures. They never really address the fact that all that can be proved with a digital signature is that a message originator had beneficial use of a secret key. Some architectural methodology is shown, but chaining using PK functions is not recognized as a solution to the problems presented.
Chapter 10 is titled Electronic Funds Transfer and the Intelligent Token. One has to read almost three pages to discover that an Intelligent Token is a chip or smart card. The chapter explains payment methodologies in terms of data flow and systems like SWIFT, primarily a European interbank wholesale funds transfer system, and CHAPS, the London-based clearing system. Then ATM systems are introduced, complete with discussions on one-of-a-kind bank systems. The reader will find little or no reference to US-based systems here. Nevertheless, this chapter is one of the better ones since it portrays the larger system problems and concepts. The section on Intelligent Tokens is somewhat shallow and the analysis is incomplete.
Chapter 11 deals with Data Security Standards. This arena is quite dynamic and the material is already history. However, this is the only published discussion of its type of which I am aware. It lists contacts, agencies, and organizations and presents an overview of some key standards contents. ANSI, ISO, and US Government standards are included.
This book is neither good nor bad and it contains a lot of information. The reader of this review hopefully will now be able to determine its applicability for his/her interests.
