Search in Book Reviews

The book promises to tell you how to cryptographically secure your applications with Java. However, even though it gives an overview of public and symmetric key cryptography, introduces Java's cryptographic frameworks JCA and JCE and discusses typical issues when implementing web and database applications, the book falls short. The book suffers most from two problems; the unclear target readership as well as the numerous and often severe errors.

Cryptographic applications are always critical. If they fail your sensitive data may be compromised. If your data is not sensitive enough to make you worry about potential failures then there is no reason to apply cryptography in the first place. It is therefore reasonable to assume that someone trusted with the design and implementation of cryptographic (Java-)components of your system has at least basic knowledge of computer science fundamentals, is able to use Java's primitive types properly and knows enough about undergraduate abstract algebra to comprehend the concepts of algorithms like RSA. Galbreath considers it necessary to explain all these details. I'd agree if this was an undergraduate textbook that introduces computer science students to cryptography, but not if the book is explicitly written for software engineers, i.e. practitioners with at least some experience. As it is, the basics take too much room and other discussions, e.g. ease of use vs. security, are kept short.

Whatever the target readership, the errors in the book are too many to be overlooked. I am not talking about the numerous typos, layout glitches or syntax errors in sample code. There are serious errors in the text that may confuse readers in the best case and cause them to write insecure code in the worst. The sections on key storage fail to mention special purpose hardware like, e.g. smartcards.

The book's strong points (like its extensive, partially commented bibliography) cannot make up for its shortcomings. Not recommended.