SECTION 4

Section outline: 5 key components of security in correspondence; Security and Cryptography; Keys; Encryption (56 bit key, 128 bit key); Public Keys and Private Keys; Email Security; PEM (Privacy Enhanced Mail); PGP (Pretty Good Privacy) - Phil Zimmerman; Wireless Security; WANS weaknesses
Changes last made to this page: 2002 Dec 28
Course author: Tim Richardson
Security and Cryptography

Learning Objectives for Section 4

After completing this section, participants will be able to
Chpt 5 The Regulatory Environment

Chpt 5, Government Agency Concerns, p. 147: Domestic Use and the Import and Export of Cryptographic Products
"In the past, law enforcement agencies relied on the ability to obtain a court order .. to allow them to wiretap a suspected criminal... With computers, e-mail and encryption algorithms, criminals can communicate confidentially with one another by encrypting their messages so strongly that a court order allowing the agency to read the message is basically worthless since the message cannot be decoded"
"RSA Data Security Inc., in a move to circumvent U.S. export laws announced [1999] the opening of its office in Australia"
Export controls for Cryptography
Export controls are aimed at fighting organised crime and restricting the use of cryptography by foreign powers.

Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries.

Any kind of cryptography is classed as a military weapon and is therefore subject to export restrictions; now it is referred to as "sensitive dual use" technology - ie
(from the website of Prof. Edward Re, Sociological Issues of Cryptography)
The "R" in RSA

The "R" in RSA speaks
"Ron Rivest says 'It is poor policy to clamp down indiscriminately on a technology just because some criminals might be able to use it to their advantage. For example, any citizen can freely buy a pair of gloves, even though a burglar might use them to ransack a house without leaving fingerprints. Cryptography is a data protection technology just as gloves are a hand protection technology. Cryptography protects data from hackers, corporate spies, and con artists, whereas gloves protect hands from cuts, scrapes, heat, cold, and infection. The former can frustrate FBI wire tapping, and the latter can thwart FBI fingerprint analysis. Cryptography and gloves are both dirt cheap and widely available. In fact, you can download good cryptographic software from the Internet for less than the price of a good pair of gloves.'"

[Screen capture of the video discussed in class]
These 5 important points of Messaging and Communication Security are explained in detail in the Greenstein text, pages 228 - 232. Along with this explanation, you can find many examples on the Web where these same 5 principles are explained and used. Below, we find an example from a bank's web site of how they adhere to the same 5 principles of IT security in communications.
Chpt 8 (1st ed.) Cryptography: Public Keys
Public Keys and Private Keys

Greenstein text, pages 237 - 239. The textbook explanation and accompanying diagrams are satisfactory; in addition, there are online resources that also explain this well.

Public Keys (also known as Asymmetrical Keys)

"Public Key encryption uses two separate but related keys. One key is used only to encrypt a message, and its companion key is used to decrypt the message. Public Key encryption works this way. The person who wants to receive encrypted files generates a pair of keys in their encryption program. That person can then 'publish' their public key, or in effect let anyone and everyone know what their 'public' key is. Anyone who wants to send this person a message can use this 'Public Key' to encrypt the message and send it on. When the message is received it can be decrypted using the secret companion key to the public key. The primary advantage of Public Key encryption is that you do not have to risk transmitting a secret key to the person who will receive the message." from www.cypost.com/encr_ppkeys.html
Private Keys (also called Secret Key or Symmetric Key)

"With secret-key encryption, both the sender and receiver use the same key to encrypt and decrypt messages. The two people first agree on a pass phrase. They should use a different method of communicating than the one they are going to use to send encrypted messages. They can agree on a password in person, by phone, or perhaps even communicate a word or phrase known only to the two of them. A good strong password will include a mix of numbers, lower and upper case letters, and characters, e.g. ad2%56jJ[*92K, since most brute force attacks will try common dictionary words, names, towns, dates, etc., or if the person attacking you can get background information on you they will try combinations that include all your relatives' names, addresses, towns, birthdates, schools, etc. They know that people do have a propensity for choosing passwords that are somewhat easy to remember. The encryption software turns the password into a binary number and hashes it (adds characters to increase the size). Then it uses that number (key) to encrypt all outgoing messages. The mathematical module used for encrypting the message is called the algorithm. The whole system is referred to as a cipher."
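As an added worked example (not from the course page or the Greenstein text), the following Python implements textbook RSA with deliberately small Mersenne primes so the public/private relationship described above can be traced: the published key encrypts, only the companion private key decrypts, and the sample message is a constructed string. Real systems use random primes of 1024 bits or more and OAEP padding, neither of which is shown here.

```python
# Added teaching example (not from the course page): textbook RSA with toy-sized
# primes, showing that anyone holding the public key can encrypt, while only the
# holder of the companion private key can decrypt.
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Build (public, private) keys from two primes. Toy sizes for illustration;
    real keys use random primes of 1024+ bits."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)               # private exponent (Python 3.8+)
    return (n, e), (n, d)             # public = (n, e), private = (n, d)


def text_to_int(text: str) -> int:
    return int.from_bytes(text.encode(), "big")


def int_to_text(value: int) -> str:
    # Assumes the plaintext does not start with a NUL byte.
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


def encrypt(public, text: str) -> int:
    """Sender's side: needs only the published (n, e). No padding (textbook RSA),
    so the same message always yields the same ciphertext; real use adds OAEP."""
    n, e = public
    m = text_to_int(text)
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> str:
    """Receiver's side: needs the secret d that was never transmitted."""
    n, d = private
    return int_to_text(pow(ciphertext, d, n))


def demo():
    # Constructed toy primes: 2**61-1 and 2**89-1 are both Mersenne primes.
    public, private = keygen(2**61 - 1, 2**89 - 1)
    c = encrypt(public, "meet at noon")          # anyone can do this
    recovered = decrypt(private, c)              # only the key owner can
    n, e = public
    public_key_cannot_undo = pow(c, e, n) != text_to_int("meet at noon")
    return recovered, public_key_cannot_undo


if __name__ == "__main__":
    print(demo())
```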
Email Security
Schneier explains in his book that PEM is intended to be compatible with a wide range of key management approaches. It has mechanisms for using conventional (secret-key) cryptography or public-key cryptography. Most of the readily available PEM implementations use public-key cryptography.

PEM Security Features

Types of Messages

To learn how to create a PEM message, follow the steps on pages 110-114. Sending a PEM message involves 4 steps (for further details, see page 117).
PGP is explained well in the Schneier book on e-mail security, but for those of you who do not choose to purchase this text, there are a number of online resources that fully explain PGP. Click on the screen capture to the left and you can read about how PGP originated and what it is used for.
PGP Basics
"PGP (Pretty Good Privacy) is a system designed by a programmer called Phil Zimmerman which offers Internet users a secure email facility. PGP works rather like UUcoding or MIME - it turns a mail message into unreadable gibberish. The difference is that it does this to make the mail secure from prying eyes. Ordinary email can be read by anyone determined enough to do it. PGP makes sure that even if it is picked up by a third party, the contents will remain a secret. It does this because the gibberish can only be read by someone who has the right 'key' - a special number that allows the message to be decoded. As a coding system PGP is extremely secure - even a large supercomputer requires months of computer time to crack a message coded with PGP. In short, if you send email using PGP you can be sure it's as secure as it can be, given the current state of the technology." from http://www.which.net/help/internet/advanced/aguide1f.html
PGP for ABSOLUTE Beginners

PGP is basically used for 3 things.
PGP and Zimmerman
Phil Zimmerman, the author and creator of PGP, was a pretty controversial person; you can read about some of the issues at http://www.skypoint.com/members/gimonca/philzim2.html

"Zimmerman had been under investigation for supposedly violating ITAR, the U.S. government's International Traffic in Arms Regulations. His PGP software is strong enough to have been classified as a munition under ITAR, just like a hand grenade or a stealth bomber. In June of 1991, as Congress was considering a possible ban on the use of such strong encryption, the PGP program was uploaded to the Internet, and made available to anyone who wanted to copy it. Even though Zimmerman himself didn't put the software on the Internet, the Justice Department started an investigation against him in February 1993 for allegedly exporting a munition"
PGP Security Features

Receiving a PGP Message

Chpt 11, page 141 in Schneier's text describes the decryption process to read a message.
Email Security: Vulnerable
"A newly-identified snooping technology allows someone sending an e-mail to see what the recipient wrote when it is forwarded on to another user, an Internet privacy group has announced. It's a wiretap and it's "very illegal and very easy to do," said Richard Smith, chief technology officer for the Privacy Foundation based in Denver, in a column he wrote for the non-profit educational and research organization. The vulnerability exists in mail that uses HTML. A few lines of JavaScript can be embedded in an e-mail message and allows the recipient's mail to be returned to the original sender. It only works, however, if the recipient's e-mail program is set to read JavaScript."
RSA, the company which is at the forefront of IT Security, has information on their web site about Wireless Security, which you should look at. A brief summary of the introductory points is below. Clicking on the screen capture to the right will lead you to the page.

"Businesses and consumers alike are benefiting from new levels of connectivity. Devices such as mobile phones, personal digital assistants (PDAs), set-top boxes and hand-held PCs now provide an unprecedented variety of ways for people to access and act upon information. People can participate in the global marketplace regardless of their physical location or ability to access a personal computer. Along with the convenience of connectivity offered by wireless and portable devices, however, come increased security risks. Wireless transmissions are susceptible to interception and tampering. Portable devices with no fixed connection offer tempting wireless access points to hackers. Portable devices also contain valuable information and credentials. This information must be protected in case of theft or loss of a device."
Wireless Security - banking
"Royal Bank in Wireless Security Venture" is the title of a 13 June 2000 article written by Vito Pilieci for The National Post. Royal Bank formed a company with Baldhead Systems (www.baldhead.com/).

Pilieci quotes Jim Connor, Manager of Electronic Services Technologies for Royal Bank, as saying

On Baldhead's web site, they still have the digital version of the June 2000 press release. You can read all the points yourself at
WANS security - Wireless
"Computer scientists at the University of California at Berkeley have sounded new warnings about the vulnerabilities of wireless LANs, saying flaws in a common encryption algorithm pose major security issues. The Internet, Security, Applications, Authentication and Cryptography (ISAAC) research group said in a report posted on the Web that it had "discovered a number of flaws" in the Wired Equivalent Privacy (WEP) 40-bit algorithm used to secure all IEEE 802.11 standard wireless LANs. These flaws, the ISAAC report added, "seriously undermine the security claims of the system." Wireless LANs have a number of vulnerabilities, the report said, including passive attacks to decrypt traffic based on statistical analysis. WEP also has flaws that make it easier to inject unauthorized traffic from mobile base stations or launch active attacks to decrypt traffic by tricking the access point (the base station), the report said. Analysts said the ISAAC report is the first to illustrate how easy it is to hack wireless LANs."
Review questions

1. Can you recite and explain the meaning of the 5 principles of security in messaging and communication? If you have trouble remembering the 5 principles, make yourself an acronym, e.g. CIANA.
2. Could you give someone a simple explanation of the difference between cleartext and ciphertext?
3. Would you be able to explain verbally the difference between PEM and PGP?
4. Why should people not indiscriminately pass on emails of jokes and meaningless messages?
5. Why is a 128 bit key impossible to crack with today's technology?
6. If someone asked you the difference between Public and Private Key Encryption, could you explain?