Customer Reviews

Java Cryptography (Java Series)

5 star:		(4)
4 star:		(5)
3 star:		(2)
2 star:		(1)
1 star:		(4)

 

 

This book is intended to teach experienced Java programmers how to add cryptographic elements to their applications. The text is not intended to teach encryption algorithms, basic Java programming, or the overall Java security model: there are other books that fulfill those functions. There is one other limitation: much of the book relies on the Java Cryptography Extensions (JCE) which are only available to those in the United States and Canada (nudge, nudge, wink, wink).

Chapter one lists some fundamentals of encryption and the relationship to security. There are also a couple of programs right off the bat that will let you explore message digests, and encrypting and decrypting messages. The basics of confidentiality, authentication, and some major cryptographic algorithms are outlined in chapter two. The explanations are quite terse, but not out of line with the aim of the book. Java Security Architecture (JCA) is explained in chapter three, along with a quick overview of the API (Application Programming Interface) and SPI (Service Provider Interface). Chapter four introduces Java's own pseudo-random number generator, plus programming for key seeds from keyboard timing. Key management, in chapter five, is somewhat weak. The APIs only deal with hierarchical key certification, but this may simply be an example of Knudsen dealing strictly with the language, and leaving the concepts to others. I was, however, bemused at some passages that may have suffered from a lack of copy editing: for example, one section that seemed to confuse production of Message Authentication Codes with working on Macintosh computers. Authentication of various types is covered quite well in chapter six. Chapter seven's guide to encryption covers details not normally dealt with in cryptography texts because it must handle all matters related to getting an encryption algorithm to actually function in an application.

Chapter eight gives enough detail about signed applets to prove that they are going to be browser specific for a while. Security provider programming is covered in chapter nine, using the ElGamal algorithm as an example. A sample application is created using an encrypted version of the talk utility in chapter ten. An e-mail application is created in chapter eleven using th provider previously generated in chapter nine. Chapter twelve closes off by looking at security design for the system overall.

Appendices review BigInteger arithmetic in Java, the Base64 encoding scheme (an option for converting binary objects to text characters for e-mailing), Java archive files, Javakey, and a quick reference for the Java cryptography classes as covered in the book.

Knudsen states that the book is written, as far as possible, without assuming any prior knowledge of cryptography. In this aim he succeeds rather well. The programmer with no background in encryption can still add a reasonable layer of security to his or her application. Those who study further, of course, will be able to ensure a higher level of protection and reliability.

The goal of this book is to show how to implement a secure application. It does not achieve this. Generally, it is a good idea to rely on algorithms and protocol that are published, well analyzed and preferably standardized. Specially public key cryptography has many pitfalls that are difficult to avoid.

However, the author of this book designs his own key exchange protocol and uses ad-hoc padding schemes. This procedure sets a bad example for the reader. The result is what one has to expect from an ad-hoc design: The applications have serious design flaws. For example the ElGamal signature scheme in chapter 9 does not use a hash function besides other omissions. The padding scheme for the ElGamal encryption simply adds 0's and therefore does not prevent chosen message attacks. The key exchange protocol in chapter 10 constructs a session key from two halves that are sent seperately. Each half can be attacked seperately in a reply attack, etc.

To conclude, this book does certainly not show the proper use of cryptography, and hence is hardly worth reading.

If you're new to cryptography in general, I'd recommend this book. Within the first chapter I was able to understand quite a few concepts that I had been struggling with. Thanks to the author for not trying to talk over everyone's heads and just getting things laid out simply, with good diagrams. Another reader had the opinion that this book does not introduce the Best Way of doing things, so it's not worth reading. I would disagree. You should read this book with the understanding that it's not going to make you a master cryptography expert, but will give a good introduction.

Are you concerned about someone outside your company intercepting a password between your applet and your server? Are you worried about someone inside your company using a packet sniffer to capture the credit card numbers of your customers? No? Well, perhaps you should be! As a first step towards closing your security holes you should pick up a copy of "Java Cryptography". This book is written for the experienced Java developer with no cryptography background who needs to build cryptography into their application. The book starts off with a brief description of secure systems and demonstrates a "Hello zoT1WY1NJA0=!" program. It then gives a fairly detailed description of cryptographic concepts and the Java Cryptography Architecture (JCA). Subsequent chapters discuss how to use the Java Cryptography Extension (JCE). Chapter 5 covers generating and managing symmetric and asymmetric keys with an explanation of the difference. Chapter 6 discusses authenticating users and messages. Signatures and certificates are covered. Chapter 7 covers encryption techniques using different types of ciphers. Chapter 8 covers signing applets. The last chapters include sample encrypted chat and e-mail programs. The end result is a book that provides excellent coverage of cryptography in Java. The only defect in the book is that it is three years old (Java 2 was in beta). Fortunately, the book was written recently enough to include the new utilities used in Java 2. Even though a new edition is desirable, "Java Cryptography" still stands alone as the best book available on this topic.

There's no better first book on cryptography for a programmer to buy. You get a great deal of exposure to an important facet of network security through this little gem. It's friendly and to the point.

The Java API is excellent--but the idea of cryptography is little odd to the everyday web or network application programmer. Having someone to kindly bridge the crypto-what-ja-ma-call-its to a world of how-do-i-wrap-it-around-my-web-or-mail-service is simply priceless. There's NO silly cryptomath (because only those cryptoexperts get the math anyway) but instead it's filled with no-nonsense coverage of how each and every common crypto engine and crypto-"protocol" takes your stream of data and converts them to cryptograms. If you always like to learn as MUCH as you could about a particular computational wonder tool before tackling a project without turning your brain to mush with research mathematics--you'll like this book.

It's just one of those books I wished I read a lot earlier so I won't have an excuse to avoid APIs that exposes applied cryptography to network applications all these years. I highly recommend this book before you head on to the math of it.

It's too bad the SSL/TLS API for Java never made it into this first edition (it did make it into O'Reilly's latest Java network programming book though).

Any one know of a book just like this one but for another language like C or Perl? With a book like this you don't need to explain it all over again--but illustration and snippets of code showing how to use the various APIs in other languages would be useful. I think if the author is willing to dabble into all of these issues and give away his findings on a book website it will be just AWESOME! A second edition of said book with all of these issues covered would be just grand too :-)

P.S. When I started learning Perl I first bought Mastering Regular Expression. Because I felt that with Perl--it really simplifies one's ability to play with streams of text. And what better way to learn the language (especially if you know some basics about it) than to learn what it is brilliant at right away?! That's how I felt about Java Cryptography. The way Java makes network programming not only easy.. but also fun to add in complexities like security and cryptography makes it a very enjoyable programming language to work with as a student or as a programmer. This is the sort of book you'll want to read ASAP once you get the basics of Java the language down! :-)

Good introduction and explanation of cryptography, great for begineers, great view of Java. Specially chapters from 1, 2, 3, 4, 6, 7, 9. The rest is sometimes poor, sometimes obsolete. It's a good job, but since 1998 a lot of things came to this area. Maybe a second edition will be a good idea. For provider architecture I prefer Scott Oaks' Java Security. I miss some explanation of cryptography. But the explanations included are very clear. I agree the average from the rest of the reviews and I think 3 stars is the deserved rate for this book.

This book is a fine introduction to cryptography within the "confines" of the Java API from Sun (I don't expect the information in this book to gain widespread acceptance until the next millenium).

Not even ten pages into the book, and Knudsen is already discussing the undocumented Java classes for encoding/decoding Base64 arrays .... youch !!

I think the author did a commendable job covering the critical issues of this VERY sensitive topic. The author pobably does not expect to get rave reviews after the release of "Applied Java Crytography" -- but then again, THAT book will likey cover the meat and bones that Knudsen's INTRODUCTION didn't touch. He didn't touch it for a reason.

But allow me to say right now, THIS book supplies the rudimentary source code (what's legal to distribute, that is) which will be necessary for the cryptographer/cryptanalyst to MASTER before pursuing his/her own classes.

This is a new and booming -- albeit delicate -- field .... thanks for writing a book for those of us already experienced in crytography, written in a no-nonsense style, reminding us of the sandbox we're really working in. I had forgotten just how senstive information can be.

The reviewer who mentioned this book is out of date is absolutely correct. Worse than that, this book on cryptography is written by someone who doesn't actually understand cryptography very well. Lots of bad practices are recommended, and there are several examples in the book that are insecure as written.

I would also give this book zero stars if it were possible.

Java Cryptography (Java Series)

The book is written very well. It starts simple with explanations of principles of Cryptography and shows its usage on simple examples. Then Java Sun classes for Cryptography are presented and again their usage is demonstrated on examples which are never difficult to understand and thoroughly commented. Then more theory and more examples follow. Terms used and explained are Keys, Key Generators and Translators, Authentication, Integrity, Encryption, Signatures, Certificates.

The strength of the book is in the fact that the reader is able to start with Java Cryptography rather fast. The examples are easy to understand and fully explained. The book is not trivial and it is good to know something about random number generators and have a good grasp of Java programming and Java socket programming in particular, even knowledge of awt GUI principles is useful. Java professionals who intend to devote their work to Cryptography should find this book very helpful.

The coverage of this book ends with JDK 1.2 - we have JDK 1.6 now when this review is being written. It actually may be a strength. Instead of trying to grasp latest software features attention may be more diverted to principles which is always a good thing. Generally, I would recommend this book

Java Cryptography was the first O'Reilly book I found disapointing. I had expected a book like this to contain examples of really cool encryption, demonstrating the usefulness of the Java Cryptography Extensions. I had expected it to at least offer an implementation of RSA, and possibly SSL (secure socket layers). The book was disapointing, there is no CD containing source code or the required Java Cryptography Extensions, and by the books own omission, some of the examples aren't even available online.

I understand that the publishers were limited by US export laws, but without solid examples of things Java developers might want to write (SSL), without the JCE which international readers will be unable to obtain, this book was extremely disappointing.