Annotated References
Books that contain introductory material
Applied Cryptography, Bruce Schneier, Second Ed. John Wiley & Sons, Inc.1996
This is the current bible for people trying to implement or understand implementations of cryptographic algorithms. However, its excellent organization allows a novice to get a good introduction to the issues and terms used in secure communications. Contains a section briefly describing most of the current secure communication implementations, including Kerberos, PKCS (RSA's public-key standards), PEM (Privacy Enhanced Mail), and PGP (Pretty Good Privacy). It includes a bibliography of 1653 entries, so whatever you don't find here, you will find a reference to.
Bruce Schneier's Crytpo Links http://www.counterpane.com/hotlist.html
"Collections of Links" contains a list of links to on-line security sources. The "Bibliographies" links to annotated on-line bibliographies and collections of papers.
Web Security & Commerce, Simon Garfinkel with Gene Spafford, O'Reilly & Associates, 1997
Contains chapters on Digital Certificates, cryptography basics, SSL and TLS. A lot of the emphasis is on security and certificate management through your Web browser and how to secure a Web server.
Public Key References.
An Overview of the PKCS Standards http://www.rsa.com/rsalabs/pkcs Under Documents
Section 2, Background information, includes definitions of public-private key cryptography, digital signatures, message digests and secret key cryptography. Section 3 explains how to do digital signatures, digital enveloping, digital certification and key exchange.
RSA Data Security, Inc. is the company that developed and patented the Rivest, Shamir and Adleman public key encryption algorithm.
IETF working group on Public-Key Infrastructure (X.509) (pkix) http://www.ietf.org/html.charters/pkix-charter.html
Public Key Infrastructure PKIX Roadmap http://www.ietf.org/internet-drafts/draft-ietf-pkix-roadmap-04.txt
This document is an overview of all the standards that this working group is attempting to define. Section 2 gives an overview of the terminology and section 3 gives a brief description of how PKI systems are used to effect authentication, non-repudiation, and confidentiality.
X.509 Identity Certificate references
"Internet X.509 Public Key Infrastructure Certificate and CRL Profile". R. Housley, W. Ford, W. Polk,D. Solo ftp://ftp.isi.edu/in-notes/rfc2459.txt
Defines the X.509 v3 certificate and X.509 v2 CRL (Certificate Revocation List)
Example Identity Certificate issued by the Netscape CA http://www-itg.lbl.gov/security/Akenti/docs/IdentityCert.html
LDAP (Lightweight Directory Access Protocol)
LDAP - Programming Directory-Enabled Application with Lightweight Directory Access Protocol, Timothy A. Howes, Mark C. Smith, McMillian Technical Publishing, Indianapolis, In. 1997
Chapter 3 describes the LDAP models, i.e., what LDAP is used for. Most of the rest of the book is on how to program to the LDAP API.
University of Michigan's LDAP documentation page http://www.umich.edu/~dirsvcs/ldap/doc/
From here you can link to RFC-1777 Lightweight Directory Access Protocol http://www.umich.edu/~dirsvcs/ldap/doc/rfc/rfc1777.txt along with a lot of related RFC's. There are also links to some papers about the University of Michigan implementation of the LDAP protocol.
SSL protocol
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm/
The Netscape introduction to the protocol.
http://www.ietf.org/html.charters/tls-charter.html
The IETF Transport Layer Security working group page. (TLS is the IETF name for the SSL protocol)
ftp://ftp.isi.edu/in-notes/rfc2246.txt or
http://www.ietf.org/rfc/rfc2246.txt
The IETF proposed standard for the protocol
http://www.psy.uq.oz.au/~ftp/Crypto
Provides a freely available implementation (ssleay) by Eric Young
Kerberos
"Kerberos: An Authentication Service for Computer Networks", B.C. Neuman and T. Ts'o IEEE Communications Magazine, v.32, n.9, Sep 1994, pp. 33-38
Also available from http://nii.isi.edu/publications/kerberos-neuman-tso.html
According to Bruce Schneier (see ref 1) "This is the best overview of Kerberos"
See http://web.mit.edu/kerberos/www/papers.html for more Kerberos papers.
Other work in policy-based access control
PolicyMaker - a TrustManagment system from AT&T research labs
This system uses certificates to authorize the holder of the certificate to
perform certain actions, thus combining authentication and authorization into
a unified system. The policy is expressed in a set of assertions, which can
include programs (filters) provided by the resource server which are
executed as part of the complience checking when a request is made.
AT&T TR 98.3.2 Compliance Checking in the PolicyMaker Trust Management System
by Matt Blaze, Joan Feigenbaum, and Martin Strauss
abstract ,
.ps
AT&T TR 98.10.1:
Overview of the AT&T Labs Trust Management Project (Position Paper)
by Joan Feigenbaum
abstract ,
.ps
Decentralized Trust Management M. Blaze, J. Feigenbaum, J. Lacy
Proceedings of the 17th IEEE Symp. on Security
and Privacy. pp 164-173. IEEE Computer Society, 1996.
Postscript version available at
ftp://ftp.research.att.com/dist/mab/policymaker.ps
AT&T TR 98.3.2 Compliance Checking in the PolicyMaker Trust Management System
by Matt Blaze, Joan Feigenbaum, and Martin Strauss
abstract ,
.ps
KeyNote - a simplified version of PolicyMaker
AT&T TR 98.11.1:
KeyNote: Trust Management for Public-Key Infrastructures (Position Paper)
by Matt Blaze, Joan Feigenbaum, and Angelos Keromytis
abstract ,
.ps
Angelos Keromytis's KeyNote page
A summary of the KeyNote system, links to the relevant papers, a link to
source code for a reference implementation.
The KeyNote Trust Management System M. Blaze, J.Feignebaum, John Ioannidis and A.D.
Keromytis work in progress, Internet Draft March 1999
<\p>
An Internet draft style specification of the KeyNote system.
SPKI (formerly SDSI)
Simple Public Key Infrastructure (spki) IETF working group
The task of the working group will be to develop Internet standards for an IETF sponsored public key certificate format,
associated signature and other formats, and key acquisition protocols. The key certificate format and associated protocols
are to be simple to understand, implement, and use. For purposes of the working group, the resulting formats and protocols
are to be known as the Simple Public Key Infrastructure, or SPKI.
The SPKI is intended to provide mechanisms to support security in a wide range of internet applications, including IPSEC
protocols, encrypted electronic mail and WWW documents, payment protocols, and any other application which will
require the use of public key certificates and the ability to access them. It is intended that the Simple Public Key
Infrastructure will support a range of trust models.