Sidebar: Information Resources
Online Resources
RSA Laboratories Web site (http://www.rsa.com). Here you can find some white papers, standards, and a very comprehensive FAQ on cryptosystems. In particular:
RSA Crypto FAQ: http://www.rsa.com/rsalabs/newfaq/
PKCS Standards: http://www.rsa.com/rsalabs/pubs/PKCS/
Button S, and Kaliski Jr. An Overview of the PKCS Standards. An RSA Laboratories Technical Note. Revised November 1, 1993. http://www.rsa.com/rsalabs/pubs/PKCS/
Steve Duss and Tim Matthews. S/MIME: Anatomy of a Secure E-mail Standard. Messaging Magazine: http://www.ema.org/html/pubs/mmv2n4/s-mime.htm
Nortel in Canada maintains a site for its security product suite named Entrust (http://www.entrust.com). Here you can find much information on CAs and PKI management. Look for: Entrust Certificate Demo. You can use this free demo service to get demonstration client and server X.509 certificates to enable SSL: http://www.entrust.com/new.htm
White papers. Many white papers and security primers, including some IETF working drafts on PKI: http://www.entrust.com/library.htm
Internet and IETF Information at InterNIC: http://ds.internic.net/ds/dspg0intdoc.html. Here you can find tons of information and pointers on the working PKI, IPng, and IP security standards currently adopted by the available certificate server products. In particular look for these Internet Drafts from IETF working groups:
IP Security Protocol:
http://www.ietf.cnri.reston.va.us/ids.by.wg/ipsec.html
Public Key Infrastructure:
http://www.ietf.cnri.reston.va.us/ids.by.wg/X.509.html
Site Security Handbook:
http://www.ietf.cnri.reston.va.us/ids.by.wg/ssh.html
Internet MCI Security Engineering: http://www.security.mci.net/. Here you can find information on DoS attacks as well as pointers to vendors' patches to work around the problem. Also look for the white paper by Dale Drew, Protection of TCP/IP Based Network Elements: Security Checklist.
SunWorld Magazine online is an excellent resource for sys admins (http://www.sunworld.com). Here, Peter Galvin writes a monthly security column. Recently, an encryption primer by Dave Kosiur was featured: http://www.sun.com/sunworldonline/swol-03-1997/swol-03-encrypt.html
Felten, E.W., D. Balfanz, D. Dean, and D. S. Wallach. Web Spoofing: An Internet Con Game. Technical Report available at: http://www.cs.princeton.edu/sip
Cylink Corporation - Tutorials and White papers:
http://www.cylink.com/tutorial/
The WWW security FAQ by Lincoln D. Stein, Whitehead Institute for Biomedical Research:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
Computer Security Institute (http://www.csi.com). Here you can access the main outcomes from recent security surveys performed by the institute, as well as information on security courses.
National Computer Security Association (NCSA; http://www.ncsa.com). The Association sells many good books on security, and some white papers are also available online.
Printed Resources
There are many good books about security published by O'Reilly, Prentice-Hall, John Wiley and others. However, I have not seen a book with good coverage of the subject addressed here. The reader is encouraged to visit the local technical bookstore regularly: among that mountain of overhyped books a few are really worthwhile, and new books appear weekly.
Many excellent articles on security are also featured in Sys Admin magazine, in particular the October and November 1996 issues. The article by Arthur Donkers, Building a Secure Web Site, is particularly illuminating: it contains a good description of the SSL handshake and of SSL implementation on the Apache Web Server, and shows the use of the freeware implementation of SSL and SSLeay. SSLeay utilities include req, a program to generate public-key cryptography key pairs, certificate requests, and self-signed X.509 certificates. This utility can be useful to those outside the United States who need to use 1024-bit length certificates.