good books
Timothy Fraser
tfraser at tislabs.com
Tue Apr 11 14:18:04 GMT 2000
Hi!
> Aside from the TCSEC Orange Book (which I'll freely admit that I need to
> re-read) are there any pointers for information which you'd recommend?
> Preferably none more expensive than a good book from a bookstore - I
> don't fancy spending a few thousand dollars on some standards document.
Let me add my favorite to the list of good books previously posted:
Dorothy Denning's "Cryptography and Data Security" Addison-Wesley 1982,
1983. It's out of print, but I found a copy for sale via
www.bibliofind.com. This was the very first book I bought on the Net, via
a telnet-based store just before the Web got big. Yes, I sent my credit
card number in the clear to buy an info security book. I skipped the
crypto chapters (out of laziness), but found the rest to be a firm
grounding in the fundamentals behind info security, with plenty of good
references.
Note that this book pre-dates the `Orange Book'. IMHO, this is a
Good Thing. Ignore the Orange Book. It was a codification of government
procurement requirements geared towards keeping secrets on whopping big
time-sharing systems. It's really not relevant to building the kind of
secure systems needed in the non-DoD and commercial Internet today. For a
(long, dull, but authoritative) discussion of criteria and what is, in
fact, relevant, you may want to browse "Trust in Cyberspace", the book
containing the results of a recent DARPA&NSA-prompted study. It's on-line
at: http://stills.nap.edu/html/trust/.
Reading this report would probably kill a lot of brain-cells,
though. Reading the Boebert & Kain paper whose reference was posted
earlier would probably be a more rewarding experience, particularly if
you're interested in actually pounding out some code.
- Tim Fraser