
Open Source Security Tools : Practical Guide to Security Applications part 31


Summary

- However, once that data passes outside the network boundaries, it is beyond the protection of the tools discussed thus far and is susceptible to potential capture by hostile entities.
- Most Internet applications today send their data in the clear, also known as plain text.
- ISP routers and switches can be co-opted either from the inside or outside, and other mail and Web servers regularly handle your private data.
- There is no way to avoid sending your data outside of your network.
- The biggest advantage of a global Internet is being able to share information with all of your business partners and customers in the outside world.
- You can’t go back to the days of totally private networks.
- So, how do you protect your important data once it leaves the comfy and safe confines of your home network? Encryption is what most businesses rely on to make the Internet safe for their data, and it is an important tool you can use too for maintaining the integrity and confidentiality of your data on the Internet.
- Finally, encrypting your important data can be a final line of defense against hackers.
- There are many different protocols for encryption.
- Looking again at the OSI Reference Model (Figure 9.1), you can see that there are encryption tools that operate at several different levels of the network model.
- As you probably guessed, there are many excellent open source encryption tools available for just about every application, from encrypting single files to protecting all of your outbound Internet connections.
- In fact, the ready availability of high-quality encryption software has its roots in the open source movement.
- There are two main ways to do encryption today.
- The person on the other end needs the shared secret (key) to unlock the data—the encryption algorithm.
- You can change the key and change the results of the encryption.
- It is called symmetric cryptography because the same key is used on both ends for both encryption and decryption (see Figure 9.2).
- The problem with this method is that you have to communicate the secret key securely to your intended recipient.
- A revolution in encryption was started when Whitfield Diffie, Martin Hellman, and Ralph Merkle invented Public Key cryptography.
- It took them a few years, but finally they came up with a system called public key encryption (PKE), also known as asymmetric cryptography.
- One of the keys is made public and one is kept private.
- You encrypt a message with the recipient’s public key.
- The recipient can then decrypt it with their private key.
- And they can do the same for you, encrypting a message with your public key so you can decrypt it with your private key (see Figure 9.3).
- The difference here is that you don’t need someone’s private key to send him or her a secure message.
- By using your recipient’s public key, you know that only that person can decrypt it using his or her private key.
- This is what allows you to publish your public key, which is derived from your private key.
- It is very difficult to work backwards and determine the private key.
- It is easy to multiply two prime numbers together and get a product.
- However, to determine which of the many possibilities are the two factors of the product is one of the great mathematical problems.
- If anyone were to invent a method for easily deducing factors of large prime numbers, it could make obsolete much of the public key encryption used today.
- Soon after the paper by Diffie, Hellman, and Merkle was released, another group of three men developed a practical application of the theory.
- Their system for public key encryption was called RSA after their names: Ronald Rivest, Adi Shamir, and Leonard Adleman.
- The adoption rate was slow and their company almost went out of business, until they cut a deal to take advantage of the growing Internet commerce field with a then little-known company.
- (Figure labels: encrypted with recipient's public key; decrypted with recipient's private key.)
- The rest is history, and RSA is now the most widely used public key encryption algorithm.
- Diffie and Hellman eventually released a practical application of their own, but it is usable only for key exchanges, whereas RSA can do authentication and nonrepudiation.
- Public key encryption is now behind every Web server that offers you a secure purchase.
- Your transaction is encrypted without giving or taking a secret key, and it all happens in the background.
- Obviously, e-commerce could not exist as it does today without public key cryptography.
- There are many different encryption algorithms, protocols, and applications based on these two main types of encryption.
- No matter how strong the algorithm, the encrypted data can be subject to brute force attacks in which all possible combinations of keys are tried.
- Eventually the encryption can be cracked.
- Generally, the thinking is that the key length should be suitable for keeping the data secure for a reasonable amount of time.
- Data Encryption Standard (DES) DES is the original standard that the U.S.
- DES was originally thought to be practically unbreakable in the 1970s, but the increase in power and decrease in cost of computing has made its 56-bit key functionally obsolete for highly sensitive information.
- However, it is still used in many commercial products and is considered acceptable for lower security applications.
- TripleDES TripleDES, or 3DES as it is sometimes written, is the newer, improved version of DES, and its name implies what it does.
- It actually doesn’t give a threefold increase in the strength of the cipher (because the first encryption key is used twice to encrypt the data and then a second key is used to encrypt the results of that process), but it still gives an effective key length of 168 bits, which is plenty strong for almost all uses.
- RC4, RC5, and RC6 These are encryption algorithms developed by Ronald Rivest, one of the developers of RSA, the first commercial application of public key cryptography.
- They settled on AES, which is based on an algorithm called Rijndael, designed by two Belgian cryptographers.
- It offers up to a 256-bit cipher key, which is more than enough power for the foreseeable future.
- By hashing a suspect file and comparing the hash to the known good hash, you can tell if any changes have been made.
- It is unlikely that a file with a different structure would produce an identical hash.
- The official Web site will usually post the correct hash of the latest version.
- If the two don’t match, then you know some changes have been made, possibly without the permission or knowledge of the software developers.
- Digital Certificates Digital certificates are the “signature” of the Internet commerce world.
- key of the organization encrypted with either its private key or the private key of a signing authority.
- Using a signing or certificate authority is considered the more secure method of the two.
- If you can decrypt the certificate with their public key, then you can reasonably assume the Web site belongs to that organization.
- They can be issued by a central entity, called a Certificate Authority (CA), or created and signed locally as described above.
- There are several of these organizations, the biggest of which is VeriSign, the company that also runs the domain name system.
- Getting a certificate from VeriSign or one of the companies it authorizes is like having someone vouch for you.
- Generally, they will not issue you a certificate until they verify the information you are putting in the certificate, either by phone or via some kind of paper documentation, such as a corporate charter.
- Once they “certify” you, they will take this information, including the URLs you are going to use the certificate for, and digitally “sign” it by encrypting it with their private key.
- Then a Web server or other program can use this certificate.
- When outside users receive some data, such as a Web page from the server, and it has a certificate attached, they can use public key cryptography to decrypt the certificate and verify your identity.
- SSH and Nessus both can use certificates for authentication.
- IP version 4 (IPv4), which is what most of the world uses for IP communications, doesn’t provide any kind of authentication or confidentiality.
- Packet payloads are sent in the clear, and packet headers can easily be modified since they are not verified at the destination.
- Many Internet attacks rely on this basic insecurity in the Internet infrastructure.
- However, an implementation of security for IP, called IPsec, was developed that wouldn’t require major changes in the addressing scheme.
- IPsec can use different algorithms and can be implemented in whole or just partially.
- A combination of public key and private key cryptography is used to encrypt the packet contents, and hashes add authentication as well.
- With AH, a hash is made of the IP header and passed along.
- You may choose to do encryption of the packet payload but not do AH, as this can slow down the throughput.
- There are also two different operation modes you can run IPsec in: tunnel mode or transport mode.
- Another advantage is that the VPN can be controlled and administered from a few central points.
- You can still do AH when using transport mode and verify the source address of the packets.
- Secure Socket Layer (SSL) This protocol was designed specifically for use on the Web, although it can be used for almost any type of TCP communications.
- Most of the time, SSL is used when connecting to a Web server so that we know the information we send it is being protected along the way.
- Most people don’t even realize that SSL is running in the background.
- their information private and safe from the eyes of the brutal regimes that ruled them.
- Zimmerman was investigated for violating federal munitions export laws for allowing his software to be downloaded out of the country.
- He did subsequently form a company to market commercial versions of the software, but there are open source implementations of PGP all over the Internet.
- You can find a list of all the implementations of PGP at www.cypherspace.org/openpgp/.
- Web site: www.pgp.com.
- All these lists can be accessed and subscribed to at www.pgpi.org/links/mailinglists/en/.
- Since it is licensed from Phil Zimmerman and PGP Corporation, you can be reasonably sure of its integrity and validity.
- The downside of the PGP freeware is that it is licensed for personal use only, so you can use it for your personal e-mail or for educational purposes if you are a student.
- While this version of PGP is open source and freeware, there are considerable restrictions on what you can use it for.
- If you can’t or won’t pay, then the next tool, GnuPG, which is a fully free implementation of PGP, may be of more interest to you.
- A built-in VPN client, IPsec 3DES VPN, which can be used to communicate securely with anyone who has PGP 8.0 or later.
- Deleted file wiping, which is the ability to permanently delete a file by overwriting the data on the disk multiple times.
- Free space wiping, which is the same concept as deleted file wiping, but for your disk free space that may contain traces of old data.
- Proxy support, which is useful for users behind a proxy firewall (paid version only).
- you can refer to the many books on those subjects.
- Alt.security.pgp
- Comp.security.pgp.announce
- Comp.security.pgp.discuss
- Comp.security.pgp.resources
- Comp.security.pgp.tech
