Pfleeger’s book is packaged as a university text. It opens with three excellent chapters that cover the basic mathematics of encryption, decryption, and associated practices. A brief introduction to computer security and a decent summary of program security lead into two thorough chapters on operating systems security and an excellent survey chapter (almost 50 pages long) on the basic terrain of database security. Chapter 9, on personal computer security, is unfortunately superficial and disappointing. In chapter 10, on “Computer Network Security,” the author resumes his thorough coverage, but chapter 11, on communications security, is only 20 pages long, too brief to do justice to the topic. The chapters that follow cover physical protection, risk analysis, and security planning, but Pfleeger devotes only two pages to the topic of controlling access to computers, and the final two chapters, on legal and ethical issues, total only 40 pages.
DES and RSA schemes are undoubtedly the most popular, and the hardest-to-defeat, encryption standards currently in use, so the attention Pfleeger devotes to explaining their theoretical underpinnings and implementations is justified; to his credit, he does not shy away from discussing their potential limitations either. He discusses proposed NBS work on encryption standards, NSDD-145 (which gives the NSA authority over computer security), and problems with the NSA’s new proposals, such as the agency’s distribution of new devices and keys under the next (non-DES) standard. Pfleeger correctly points out that “the government then has the capability to decrypt any intercepted encrypted data, within the private or public sector.” Any discussion of security and encryption must address such an issue, for we must know the context through which an attack might occur, and this proposal will certainly represent a potential hole in any security scheme.
The ethical cases Pfleeger presents in the final chapter are superficial, and he does not discuss them in any depth. The chapter exercises throughout the main body of the text, however, are excellent and thorough; I suspect that many instructors will even have trouble with some of them. Pfleeger’s complete and up-to-date bibliography is also better than what most textbooks offer. Unfortunately, the index does not include names; although the bibliography includes David Chaum’s articles, it was impossible for me to find where Pfleeger discusses his work on security in transaction processing systems. The book will thus be of limited use to practitioners and researchers. It is purposefully geared toward undergraduates and should be welcome and successful in this market. I recommend it to any educators who need to cover this material in their courses.