SECTION 4 ©
5 key components of security in correspondence
Security  and Cryptography
Keys
Encryption
56 bit key, 128 bit key
Public Keys and Private Keys
Email Security
PEM Privacy Enhanced Mail
PGP Pretty Good Privacy
- Phil  Zimmerman
Wireless Security, WANS weaknesses

changes last made to this page 2002 Dec 28
 
In Section Three we will use material 
from the following texts
 
Chpt 3
Chpt 8 1st ed.
Chpt 5
Chpt 10 2nd ed.
Chpt 6
Chpt 7 
Chpt 9
Chpt 1
Chpt 10
Chpt 11
Chpt 12
In addition to these three books, we will also use material from these web sites, which are quite extensive and have the potential to keep you reading for a long time, if you have it.
 
http://www.counterpane.com/publish.html Bruce Schneier's company
Counterpane
- many online articles about cryptography
http://www.cypost.com/encr_gloss.html cypost.com has an excellent online glossary which specifically focuses on encryption vocabulary
http://www.pgpi.org/ The international PGP home page

course author:Tim Richardson
.
Security  and Cryptography
 
. Learning Objectives for Section 4

After completing this section, participants will be able to

  • recognize the importance of cryptography and understand the 5 key components of security in e-commerce situations
  • understand the a basics of how cryptography works and recognize that it is a family of technologies
  • appreciate the purposes of email security such as PEM
  • understand the purpose of, and applications for PGP
  • know some of the vulnerabilities in email messages, such as hidden Javascript
  • identify some of the issues associated with the new field of wireless security
. .
 

Chpt 5
The Regulatory Environment
 
Chpt 5
Government Agency Concerns
p. 147
Domestic Use and the Import and Export of Cryptographic Products
 
. The key concern of the government is that certain cryptographic products are so powerful in their method of creating a "secret message" that even expensive government funded counter-cryptographic systems cannot decode the messages - thereby raising the real possibility of terrorists and enemies using these products and avoiding detection.

WTGR

"In the past, law enforcement agencies relied on the ability to obatin a court order .. to allow them to wiretap a suspected criminal... With computers, e-mail and encryption algorithms, criminals can communicate confidentially withone another by encrypting their messages so strongly that a court order allowing the agency to read the message is basically worthless since the message cannot be decoded"
 

. How to U.S. creators, and vendors of encryption software avoid U.S. regulations on exporting Cryptographic Products, easy, they set up subsidiary corporations in other countries.
.
"RSA Data Security Inc., in a move to circumvent U.S. export laws announced [1999] the opening of its office in Australia"
Export
controls
for
Cryptography
 
Export controls are aimed at fighting organised crime, and restricting use of cryptography by foreign powers 
 
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information,
information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over
military or business adversaries. 

- any kind of cryptography is classed as a military weapon - and is therefore subject to export restrictions - now its referred to as "sensitive dual use" technology- ie
its civilian based with military applications. 
- previously restricted under the Arms Export Control Act as defined in the US Munitions List as put out by the International Traffic in Arms Regulations - does
include inventions covered by a secrecy order

from website of Prof. Edward Re, Sociological Issues of Cryptography
http://www.cse.unsw.edu.au/~cs4012/Seminar7.htm 
The University of New South Wales * Sydney * Australia

The "R" in RSA

Export
controls
for
Cryptography

The "R" in RSA speaks
"Ron Rivest says 'It is poor policy to clamp down indiscriminately on a technology just because some criminals might be able to use it to their advantage. For example, any citizen can freely buy a pair of gloves, even though a burglar might use them to ransack a house without leaving fingerprints. Cryptography is a data protection technology just as gloves are a hand protection technology. 

Cryptography protects data from hackers, corporate spies, and con artists, whereas gloves protect hands from cuts, scrapes, heat, cold, and infection. The former can frustrate FBI wire tapping, and the latter can thwart FBI fingerprint analysis. Cryptography and gloves are both dirt cheap and widely available. In fact, you can download good cryptographic software from the Internet for less than the price of a good pair of gloves." 

.
http://www.witiger.com/ecommerce/encryption.htm
 
http://www.witiger.com/ecommerce/videocryptography.htm screen capture to video we discussed in class

.

These 5 important points of Messaging and Communication Security
  • Confidentiality
  • Integrity
  • Authentification
  • Non-Repudiation
  • Access Controls

  • are explained in detail in the Greenstein text from page 228 - 232. Along with this explantion, you can find many examples on the Web were these same 5 principles are explained, and used.

    Below, we find an example in a bank's web site of how they adhere to the same 5 principles of IT security in communications.

    .
     

    Chpt 8
    1st ed.


    Chpt 10
    2nd ed.

    Cryptography

    Public Keys 
    and 
    Private Keys


    Chpt 8
    1st ed.


    Chpt 10
    2nd ed.

    Cryptography

    Public Keys 
    and 
    Private Keys

    Public Keys and Private Keys
    Greenstein text, page 237 - 239

    The textbook explanation and accompaying diagrams are satisfactory, in addition there is are online resources that also explain this well.

    Public Keys (also known as  Asymmetrical Keys)

    "Public Key encryption uses two separate but related keys. One key is used only to encrypt a message, and its companion key is used to  decrypt the message. Public Key encryption works this way. The person  who wants to receive encrypted files generates a pair of keys in their encryption program. That person can then 'publish' their public key, or in  effect let anyone and everyone know what their 'public' key is. Anyone who wants to send this person a message can use this 'Public Key' to encrypt the message and send it on. When the message is received it can be decrypted using the secret companion key to the public key.   The primary advantage of Public Key encryption is that you do not have to  risk transmitting a secret key to the person who will receive the message."

    from www.cypost.com/encr_ppkeys.html

    Private Keys (also called Secret Key or Symmetric Key)

    "With secret-key encryption, both the sender and receiver use the same  key to encrypt and decrypt messages. The two people first agree on a pass phrase. They should use a different method of communicating than the one they are going to use to send encrypted messages. They can agree on a password in person, by phone, or perhaps even communicate a word or phrase known only to the two of them. A good strong password will include a mix of numbers lower and upper case letters, and characters; e.g. ad2%56jJ[*92K, since most brute force attacks will try common dictionary words, names, towns, dates, etc., or if the person attacking you can get background information on you they will try combinations that include all your relatives names, addresses, towns, birthdates, schools, etc. They know that people do have a propensity for  choosing passwords that are somewhat easy to remember.  The encryption software turns the password into a binary number and hashes it (adds characters to increase the size). Then uses that number(key) to encrypt all outgoing messages. The mathematical module usedfor encrypting the message is called the algorithm. The whole system is  referred to as a cipher."

    from www.cypost.com/encr_ppkeys.html

    http://www.cs.rpi.edu/~noel/Security/Crypto.html
     

    .

     
    EMAIL
    security
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     

    EMAIL
    security

    E-Mail Security: How to Keep Your Electronic Messages Private
    by Bruce Schneier

    This book by Schneier is specific to e-mail security and would be a recommended purchase for ECP participants that were involved in situations that required specifically knowing that subject since it is about the only book specializing in this area and is written by a very knowledgable e-security expert.

    . Chapter 1 in Schneier's book offers a general overview of e-mail security (written in 1995) which, if read by an ECP participant in 2001, might be subjects with which you are quite familiar.
    .
    Chpt 10PEM - Privacy Enhanced Mail

    PEM isn't a product, it is a standard.
    "PEM defines message encryption and authentification procedures in order to provide privacy-enhanced mail services for electronic mail transfer on the Internet. It is most commonly used in conjunction with SMTP - Simple Mail Transfer Protocol"

    Schneier explains in his book that PEM is intended to be compatible with a wide range of key management approaches. It has mechanisms for using conventional (secret-key) cryptography or public-key cryptography. Most of the readily available PEM implementations use public-key cryptography.

    PEM Security Features

    • confidentiality
    • data orgin authentification
    • message integrity
    • nonrepudication of origin
    • key management
    Schneier points out that not all of PEM's security features are necessarily part of every message. PEM messages automatically incorporate authentification, integrity and nonrepudiation however confidentiality is an optional feature. Confidentiality says Schneier, protects the contents of the e-mail message against unauthorized disclosure.

    Types of Messages
    There are three different types of PEM messages   (Chpt 10, page 109)

    • MIC-CLEAR, provides integrity and authentification
    • MIC-ONLY, same as MIC-CLEAR but has an additional encoding step. This allows the message to pass through various electronic-mail gateways
    • ENCRYPTED, same as MIC-CLEAR with the addition of CONFIDETIALITY
    A PEM Message
    - to learn how to create a PEM message, follow the steps on page 110-114

    Sending a PEM Message involves 4 steps (for further details, page 117)

    • canonicalization
    • message integrity and originator authentification
    • encryption (optional)
    • transmission encoing (optional)
    .

     
    PGP is explained well in the Schneier book on e-mail security, but for those of you that do not chose to purchase this text, there are a number of online resources that fully explain PGP. Click on the screen capture to the left and you can read about how PGP originated and what it is used for.
    .
    PGP
    Basics
    "PGP (Pretty Good Privacy) is a system designed by a programmer called Phil  Zimmerman which offers Internet users a secure email facility. PGP works rather  like UUcoding or MIME - it turns a mail message into unreadable gibberish. The difference is that it does this to make the mail secure from prying eyes. Ordinary email can be read by anyone determined enough to do it. PGP makes sure that even if it is picked up by a third party, the contents will remain a secret. It does this  because the gibberish can only be read by someone who has the right 'key' - a special  number that allows the message to be decoded.   As a coding system PGP is extremely secure - even a large supercomputer requires  months of computer time to crack a message coded with PGP. In short, if you send  email using PGP you can be sure it's as secure as it can be, given the current state of  the technology."from http://www.which.net/help/internet/advanced/aguide1f.html

    PGP for ABSOLUTE Beginners 
     http://www.geocities.com/ResearchTriangle/1703/pgp-begin.html

    PGP is basically used for 3 things. 
     http://www.geocities.com/ResearchTriangle/1703/pgp-begin.html#uses

    • Encrypting a message or file so that only the recipient can decrypt and read it. The sender, by signing, can also guarantee to the recipient, that the message or file must have come from the sender and not an impostor. 
    • Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor. In a plain text message, the text is readable by anyone (ie is 'plain') but a PGP signature is attached. 
    • Encrypting computer files so that they can't be decrypted by anyone other than the person who encrypted them. 
    .
    PGP
    and
    Zimmerman
    Phil Zimmerman, the author and creator of PGP was a pretty controversial person, you can read about some of the issues here at
     http://www.skypoint.com/members/gimonca/philzim2.html
    "Zimmerman had been under investigation for supposedly violating ITAR, the U.S. government's International Traffic in Arms Regulations. His PGP software is strong enough to have been classified as a munition under ITAR, just like a hand grenade or a stealth bomber. In June of 1991, as Congress was considering a possible ban on the use of such strong encryption, the PGP program was uploaded to the Internet, and made available to anyone who wanted to copy it. Even though Zimmerman himself
    didn't put the software on the Internet, the Justice Department started an investigation against him in February 1993 for allegedly exporting a munition"
    .
    EMAIL
    security
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     

    EMAIL
    security

    . .
    Chpt 11     PGP - Pretty Good Privacy

    PGP is an electronic mail security program. You can download this program for free from many sites on the Net and it works on many platforms, MACs, PCs
    download here www.pgpi.org/products/pgp/versions/freeware/

    PGP is also a bit controversial - it was written (as Bruce Schneier notes) without permission from RSA Data Security Inc,, the patent holder of the RSA algorithm.

    PGP's primary purpose is to send secure messages: signed and encrypted

    Person's who wish to know more about PGP can begin the the PGP web site that is used by security experts

    There is also a good selection of PGP FAQs at
     www.pgpi.org/doc/faq/

    http://www.pgpi.org/

    PGP Security Features

    • confidentiality
    • data orgin authentification
    • message integrity
    • nonrepudication of origin
    Sending a PGP Message consists of four steps (for detail see Chpt 11, page 137 in Schneier's book)
    • Signing (optional)
    • Compression
    • Encryption (optional)
    • Transmission encoding (optional)
    PGP is used by many people. Here is an example of a lawyer who uses PGP and has an explanation on his web site to explain the process to clients so they exchange confidential email with him.
     www.bloorstreet.com/200block/pgpcode.htm
    larger version

    Receiving a PGP Message
    You have to also have the PGP software on your computer - you don't have to download from the exact same vendor as the person who created and sent to you the PGP message, you simply have to have any version either one higher or lower than the sender.
    - for example if you have PGP 2.7, like the lawyer in the example above, you can send to and receive from people that have PGP 2.6, and PGP 2.8, including PGP 2.7

    Chpt 11, page  141 in Schneier's text describes the decryption process to read a message.

    .
    EMAIL
    security

    Vulnerable
    to
    Javascript

    March 09, 2001 article
    "JavaScript spy creates an e-mail wiretap"

    "A newly-identified snooping technology allows someone sending an e-mail to see what the recipient wrote when it is forwarded on to another user, an  Internet privacy group has announced.   It’s a wiretap and it's "very illegal and very easy to do," said Richard Smith, chief technology officer for the Privacy Foundation based in Denver, in acolumn he wrote for the non-profit educational and research organization. The vulnerability exists in mail that uses HTML. A few lines of JavaScript can  be embedded in an e-mail message and allows the recipient's mail to be returned to the original sender. It only works, however, if the recipient's e-mail program is set to read JavaScript."
     

    . Whenever you hear of a new threat, the first reaction is how to consider how to defend against it. But the first question should be asked "Why is this being done?" and depending on the answer "Am I in the target group at risk?"

    In the case of the JavaScript allowing the recipient's mail to be returned to the original sender - the principle application of this is for people who ant to collect email addresses to be used in compiling mass direct email marketing campaigns. Usually, the technique is emplyed with a joke, or virus warning - which counts on people passing it on and on - allowing the originator to "harvest" all the email addresses it gets passed to.

    .
    .
     
    RSA, the company which is at the forefront of IT Security, has information on their web site about Wireless Security, which you should look at.

    A brief summary of the introductory points is below. Clicking on the screencapture to the right will lead you to the page.

    "Businesses and consumers alike are benefiting from new levels of  connectivity. Devices such as mobile  phones, personal digital assistants  (PDAs), set-top boxes and hand-held  PCs now provide an unprecedented  variety of ways for people to access and act upon  information. People can participate in the global marketplace regardless of their physical location or ability to access a personal computer.   Along with the convenience of connectivity offered by  wireless and portable devices, however, come  increased security risks. Wireless transmissions are  susceptible to interception and tampering. Portable devices with no fixed connection offer tempting wireless access points to hackers. Portable devices also contain  valuable information and credentials. This information  must be protected in case of theft or loss of a device."

    http://www.rsasecurity.com/solutions/wireless/
    .

    Wireless Security
    - banking
     
     
     
     
     
     
     
     
     

    Wireless Security
    - banking

    "Royal Bank in Wireless Security Venture"
    is the title of a 13 June 2000 article written by Vito Pilieci for The National Post

    Royal Bank formed a company with Baldhead Systems  www.baldhead.com/
    to provide secure wireless banking and brokerage services. The new company will be named Sona Innovations. Royal Bank will own 20% and Baldhead will own 80%
    In August 2000, people viewing Baldhead's splash page can see the Royal Bank logo along with the words "Corporate partners with" and a click through to the royal bank web site.

    Pilieci quotes Jim Connor, Manager of Electronic Services Technologies for Royal Bank as saying
    "This gives us the opportunity to put a product out where we have end-to-end security between the palm unit and our back-end systems"

    On Baldhead's web site, they still have the digital version of the June 2000 press release. You can read all the points yourself at
     http://www.baldhead.com/new/digeratis_sona1.htm
     

    . This clearly indicates that Royal Bank has considered that more and more customers will be accessing banking services through mobile devices and they are building capability by buying into a company developing products for this market.
    .
    .
    WANS
    security

    Wireless
    Weakness

    March 09, 2001 article 
    "Wireless LANs have serious security flaws"

    "Computer scientists at the University of California at Berkeley have sounded  new warnings about the vulnerabilities of wireless LANs, saying flaws in a common encryption algorithm pose major security issues. The Internet, Security, Applications, Authentication and Cryptography (ISAAC) research  group said in a report posted on the Web that it had "discovered a number of flaws" in the Wired Equivalent Privacy (WEP) 40-bit algorithm used to secure all IEEE 802.11 standard wireless LANs. These flaws, the ISAAC report added, "seriously undermine the security claims of the system." Wireless LANs have a  number of vulnerabilities, the report said, including passive attacks to decrypt  traffic based on statistical analysis. WEP also has flaws that make it easier to  inject unauthorized traffic from mobile base stations or launch active attacks to decrypt traffic by tricking the access point (the base station), the report said.   Analysts said the ISAAC report is the first to illustrate how easy it is to hack wireless LANs."

    .
    .
    1. Can you recite and explain the meaning of the 5 principles of security in messaging and communication? If you have trouble remembering the 5 principles, make yourself an acronym, eg. CIANA

    2. Could you describe to someone a simple explanation of the difference between cleartext and ciphertext?

    3. Would you be able to explain verbally the difference between PEM and PGP?

    4. Why should people not indiscrimantly pass on emails of jokes and meaningless messages?

    5. Why is a 128 bit key impossible to crack with today's technology?

    6. If someone asked you the difference between Public and Private Key Encryption, could you explain?