Public Keys 
and 
Private Keys
 
 
 
 
 
 
 

Chpt 8
Cryptography

Public Keys 
and 
Private Keys

The textbook explanation and accompaying diagrams are satisfactory, in addition there is are online resources that also explain this well.

Public Keys (also known as  Asymmetrical Keys)

"Public Key encryption uses two separate but related keys. One key is used only to encrypt a message, and its companion key is used to  decrypt the message. Public Key encryption works this way. The person  who wants to receive encrypted files generates a pair of keys in their encryption program. That person can then 'publish' their public key, or in  effect let anyone and everyone know what their 'public' key is. Anyone who wants to send this person a message can use this 'Public Key' to encrypt the message and send it on. When the message is received it can be decrypted using the secret companion key to the public key.   The primary advantage of Public Key encryption is that you do not have to  risk transmitting a secret key to the person who will receive the message."

from www.cypost.com/encr_ppkeys.html

Private Keys (also called Secret Key or Symmetric Key)

"With secret-key encryption, both the sender and receiver use the same  key to encrypt and decrypt messages. The two people first agree on a pass phrase. They should use a different method of communicating than the one they are going to use to send encrypted messages. They can agree on a password in person, by phone, or perhaps even communicate a word or phrase known only to the two of them. A good strong password will include a mix of numbers lower and upper case letters, and characters; e.g. ad2%56jJ[*92K, since most brute force attacks will try common dictionary words, names, towns, dates, etc., or if the person attacking you can get background information on you they will try combinations that include all your relatives names, addresses, towns, birthdates, schools, etc. They know that people do have a propensity for  choosing passwords that are somewhat easy to remember.  The encryption software turns the password into a binary number and hashes it (adds characters to increase the size). Then uses that number(key) to encrypt all outgoing messages. The mathematical module usedfor encrypting the message is called the algorithm. The whole system is  referred to as a cipher."

from www.cypost.com/encr_ppkeys.html

EMAIL
security

E-Mail Security: How to Keep Your Electronic Messages Private by Bruce Schneier This book by Schneier is specific to e-mail security and would be a recommended purchase for ECP participants that were involved in situations that required specifically knowing that subject since it is about the only book specializing in this area and is written by a very knowledgable e-security expert.

Chpt 10 PEM - Privacy Enhanced Mail PEM isn't a product, it is a standard. "PEM defines message encryption and authentification procedures in order to provide privacy-enhanced mail services for electronic mail transfer on the Internet. It is most commonly used in conjunction with SMTP - Simple Mail Transfer Protocol"

Schneier explains in his book that PEM is intended to be compatible with a wide range of key management approaches. It has mechanisms for using conventional (secret-key) cryptography or public-key cryptography. Most of the readily available PEM implementations use public-key cryptography.

PEM Security Features

• confidentiality
• data orgin authentification
• message integrity
• nonrepudication of origin
• key management

Types of Messages
There are three different types of PEM messages   (Chpt 10, page 109)

• MIC-CLEAR, provides integrity and authentification
• MIC-ONLY, same as MIC-CLEAR but has an additional encoding step. This allows the message to pass through various electronic-mail gateways
• ENCRYPTED, same as MIC-CLEAR with the addition of CONFIDETIALITY

Sending a PEM Message involves 4 steps (for further details, page 117)

• canonicalization
• message integrity and originator authentification
• encryption (optional)
• transmission encoing (optional)

PGP for ABSOLUTE Beginners 
 http://www.geocities.com/ResearchTriangle/1703/pgp-begin.html

PGP is basically used for 3 things. 
 http://www.geocities.com/ResearchTriangle/1703/pgp-begin.html#uses

• Encrypting a message or file so that only the recipient can decrypt and read it. The sender, by signing, can also guarantee to the recipient, that the message or file must have come from the sender and not an impostor. 
• Clear signing a plain text message guarantees that it can only have come from the sender and not an impostor. In a plain text message, the text is readable by anyone (ie is 'plain') but a PGP signature is attached. 
• Encrypting computer files so that they can't be decrypted by anyone other than the person who encrypted them. 

EMAIL
security

Chpt 11     PGP - Pretty Good Privacy PGP is an electronic mail security program. You can download this program for free from many sites on the Net and it works on many platforms, MACs, PCs download here www.pgpi.org/products/pgp/versions/freeware/ PGP is also a bit controversial - it was written (as Bruce Schneier notes) without permission from RSA Data Security Inc,, the patent holder of the RSA algorithm. PGP's primary purpose is to send secure messages: signed and encrypted

Person's who wish to know more about PGP can begin the the PGP web site that is used by security experts There is also a good selection of PGP FAQs at  www.pgpi.org/doc/faq/

PGP Security Features

• confidentiality
• data orgin authentification
• message integrity
• nonrepudication of origin

• Signing (optional)
• Compression
• Encryption (optional)
• Transmission encoding (optional)

PGP is used by many people. Here is an example of a lawyer who uses PGP and has an explanation on his web site to explain the process to clients so they exchange confidential email with him.  www.bloorstreet.com/200block/pgpcode.htm

Receiving a PGP Message
You have to also have the PGP software on your computer - you don't have to download from the exact same vendor as the person who created and sent to you the PGP message, you simply have to have any version either one higher or lower than the sender.
- for example if you have PGP 2.7, like the lawyer in the example above, you can send to and receive from people that have PGP 2.6, and PGP 2.8, including PGP 2.7

Chpt 11, page  141 in Schneier's text describes the decryption process to read a message.

Vulnerable
to
Javascript

March 09, 2001 article "JavaScript spy creates an e-mail wiretap"

"A newly-identified snooping technology allows someone sending an e-mail to see what the recipient wrote when it is forwarded on to another user, an  Internet privacy group has announced.   It’s a wiretap and it's "very illegal and very easy to do," said Richard Smith, chief technology officer for the Privacy Foundation based in Denver, in acolumn he wrote for the non-profit educational and research organization. The vulnerability exists in mail that uses HTML. A few lines of JavaScript can  be embedded in an e-mail message and allows the recipient's mail to be returned to the original sender. It only works, however, if the recipient's e-mail program is set to read JavaScript."
 

A brief summary of the introductory points is below. Clicking on the screencapture to the right will lead you to the page.

"Businesses and consumers alike are benefiting from new levels of  connectivity. Devices such as mobile  phones, personal digital assistants  (PDAs), set-top boxes and hand-held  PCs now provide an unprecedented  variety of ways for people to access and act upon  information. People can participate in the global marketplace regardless of their physical location or ability to access a personal computer.   Along with the convenience of connectivity offered by  wireless and portable devices, however, come  increased security risks. Wireless transmissions are  susceptible to interception and tampering. Portable devices with no fixed connection offer tempting wireless access points to hackers. Portable devices also contain  valuable information and credentials. This information  must be protected in case of theft or loss of a device."

Wireless Security
- banking

Royal Bank formed a company with Baldhead Systems  www.baldhead.com/
to provide secure wireless banking and brokerage services. The new company will be named Sona Innovations. Royal Bank will own 20% and Baldhead will own 80%
In August 2000, people viewing Baldhead's splash page can see the Royal Bank logo along with the words "Corporate partners with" and a click through to the royal bank web site.

Pilieci quotes Jim Connor, Manager of Electronic Services Technologies for Royal Bank as saying
"This gives us the opportunity to put a product out where we have end-to-end security between the palm unit and our back-end systems"

On Baldhead's web site, they still have the digital version of the June 2000 press release. You can read all the points yourself at
 http://www.baldhead.com/new/digeratis_sona1.htm
 

Wireless
Weakness

March 09, 2001 article  "Wireless LANs have serious security flaws"

"Computer scientists at the University of California at Berkeley have sounded  new warnings about the vulnerabilities of wireless LANs, saying flaws in a common encryption algorithm pose major security issues. The Internet, Security, Applications, Authentication and Cryptography (ISAAC) research  group said in a report posted on the Web that it had "discovered a number of flaws" in the Wired Equivalent Privacy (WEP) 40-bit algorithm used to secure all IEEE 802.11 standard wireless LANs. These flaws, the ISAAC report added, "seriously undermine the security claims of the system." Wireless LANs have a  number of vulnerabilities, the report said, including passive attacks to decrypt  traffic based on statistical analysis. WEP also has flaws that make it easier to  inject unauthorized traffic from mobile base stations or launch active attacks to decrypt traffic by tricking the access point (the base station), the report said.   Analysts said the ISAAC report is the first to illustrate how easy it is to hack wireless LANs."