Securing Your Online Communications
October 2001
In this article, Chris Cowger attempts to
increase awareness and understanding of the basic cryptographic systems that
exist, their real-world implementations, and what to expect in the future.
by Chris
Cowger
Total Risk Management
Cryptography is quickly moving from the background to the forefront of daily
life in the IT world. The amount of communiqué that traverses the digital highways
and byways of the Internet is growing at an exponential rate. Amongst all this
traffic, black hat hackers sit quietly and listen to everything that comes by.
They capture large portions of data and then sift through looking for a diamond
in the rough, a clear text password, e-mail, credit card information, financial
information, or anything that could in some way benefit them at your expense.
Competitors will even go so far as to snoop your transmissions at times.
Passing data over the Internet and even inside your own network (around 80
percent of attacks come from the inside of a network) is like sending a letter
through the mail with a transparent envelope. It's there to be seen by anyone
who wants to look at it. Once it's en-route, its fair game for the masses until
it reaches its destination.
With about 75 percent of the traffic you generate, you could probably care
less if other people see it. Whether it's browsing your daily Web sites or looking
for movie times, searching for files, or chatting. It's that other 25 percent
that you have to worry about. All the online orders you place, your sensitive
e-mail, your online 401K information, or anything halfway confidential that
you do over Internet. This 25 percent has to be protected somehow. Well, rest
easy, because a multitude of cryptographic tools stand ready to defend your
data from the scourge black hat hackers.
Through this article I hope to increase your awareness and understanding
of the basic cryptographic systems that exist, their real-world implementations,
and what to expect in the future. These systems are making the Internet a safe
place to do business, exchange information, trade stocks, handle bank accounts,
buy car insurance, etc. Knowing the basics of encryption will help you in your
journeys along the information superhighway and give you a better sense of the
risks involved therein.
The Evolution of Cryptography
Cryptography has always been around. It has been used in almost any setting
you can think of, just behind the scenes. Cryptography has evolved into two
main systems, secret key and public key. Both systems operate much in the same
way and are widely accepted and used. They encrypt data, decrypt data, and handle
minor authentication functions.
Two Main Systems
As mentioned, there are two types of cryptographic systems in use today. Secret Key systems are a traditional form of
cryptography. You use a key (password) to encrypt the data, and the same key
to decrypt the data. This key must remain a secret between the two parties because
anyone who knows the key can view the data you are trying to protect.
It is important to find some way to relay the key to the other party without
anyone eavesdropping on the conversation. Never send a private key via e-mail.
Over the phone, through the mail, or in person are the preferred methods.
With secret key systems, there was always that burning question "How do I
let the other party know the key without it being compromised?" In 1976 an answer
was given. Whitfield Diffie and Martin Hellman came up with the idea of a Public Key infrastructure. Here's how it works.
Each party gets two keys (passwords). One key is public, the other key is private.
These keys are mathematically related in such a way that if a message was
encrypted with a public key, only the associated private key could decrypt it,
and vice versa. I'll set up a quick little scenario. Bob wants to send Dave
a sensitive document. Bob encrypts the message with Dave's public key. The only
key that can decrypt that message is Dave's private key which he has stashed
away somewhere. Data is encrypted with the recipient's public key, and decrypted
with their private key. It is imperative that your private key stays just that,
private.
Algorithms
Let's look at what actually takes the key and the data, and turns it into
something that other people can't read without knowing the key. Algorithms are
either secret key algorithms or public key algorithms. The larger the key can
be, the better.
Secret Key Algorithms
- RC2, RC4, RC5
- All these algorithms can handle up to 56-bit (character) keys
- DES, Triple DES, DESX
- DES can handle up to 56-bit keys
- DESX can handle up to 120-bit keys
- Triple DES can handle up to 168-bit keys (3 56-bit keys together)
- Blowfish
- Blowfish can handle keys up to 448-bit keys.
- Blowfish is a free, open source algorithm
- Rijndael
- Rijndael can handle up to 256-bit keys
- Rijndael recently replaced Triple DES as the Advanced
- Encryption Standard (AES)
Public Key Algorithms
- Diffie-Hellman
- First public key algorithm, widely used in VPNs
- Diffie-Hellman can support up to 1536-bit keys
- RSA
- RSA can support up to 2034-bits
- ElGamal
- Developed in 1986, it is widely use in digital certificates
- ElGamal can support up to 2048-bits
Fingerprinting Algorithms
- Fingerprinting algorithms are used to verify the encrypted message.
Let's say someone learns your key, captures the message while it's in transit,
modifies the information, and sends it down the line to the recipient. These
algorithms create a string of numbers and letters called a hash. The hash
serves as a "condensed representation" of the message or data file. The
hash is created with the encrypted data as a key. If any changes are made
to the encrypted data, then the hash cannot be decrypted to verify its authenticity.
- Message Digest 5 (MD5)
- MD5 creates a 128-bit hash from the message
- If speed is a concern, then go with MD5
- Secure Hash Algorithm 1 (SHA-1)
- SHA-1 creates a 160-bit hash from the message
- I would recommend using SHA-1 if you can. The larger the hash the
better.
Protocols and the Solutions That Use Them
All those algorithms are great, but standards are needed to make them useful.
A number of standards already exist, and more will be on the way as new algorithms
and systems are developed. These protocols, listed below, are the heart and
soul of the solutions people use to secure their communications and transactions
across the Internet.
- Internet Protocol Security Protocol (IPSEC)
- IPSEC is quickly becoming the standard in VPNs. It gives you the
choice of a number of different algorithms in a number of ways. IPSEC
a building block for secure solutions.
- Diffie-Hellman, RSA, DES, Triple DES, and SHA-1
- Secure Sockets Layer (SSL)
- SSL is normally used to create a secure socket between a Web browser
and a Web server during an online transaction. Developed by Netscape,
SSL is built into Microsoft Internet Explorer, Netscape, and a number
of Web servers.
- SSL can use RSA, RC4, SHA-1, MD5, Triple DES, DES, and Diffie-Hellman.
- Secure Multipurpose Internet Message Extensions (S/MIME)
- S/MIME was developed by RSA Labs to prevent the interception and
forgery of e-mail messages. Some S/MIME enabled products are Netscape
Communicator, Microsoft Outlook Express, and Verisign Digital ID.
- S/MIME uses RSA, DES, Triple DES, RC2, MD5, and SHA-1.
- Secure Shell (SSH)
- SSH was developed by SSH Communications Security and is widely used
for secure log-ons to remote servers and secure sessions between the
client and the server. To use SSH, you must either purchase the software
from SSH Communications Security or find the open source of it and develop
a solution.
- SSH uses RSA, Triple DES, DES, and RC5
- Secure Electronic Transaction (SET)
- Developed in a joint venture between Visa and Mastercard, SET is
used to secure credit card transactions across the Internet. Used in
a number of Digital Certificate solutions.
- SET uses RSA, DES, and SHA-1
- Point to Point Tunneling Protocol (PPTP)
- PPTP is used to create VPNs and is widely used in Microsoft Products.
In Windows 2000 environment, the extension protocol L2TP (Layer 2 Tunneling
protocol) is used. To use the L2TP extension, the routers that the traffic
will traverse must support it.
- PPTP uses RSA and DES
- If you have a choice, I would avoid using PPTP and opt for a third-party
solution that uses IPSEC. If you're running a Win2k domain, then L2TP
will be just fine.
- Digital Certificates and Digital Signatures
- Digital Certificates are your digital passports, an Internet ID.
They are verification of who you are and the integrity of your data.
Digital Certificates can be verified through an intermediary, such as
OpenSSL, Netscape, Verisign, Entrust, and RSA Keon.
- Companies can set up an internal certificate server to handle the
verification of certificates.
- Digital Signatures are used in e-mail to verify the sender of the
message and operate much in the same way that Digital Certificates work.
- Pretty Good Privacy (PGP) works like a digital signature. Recently
though, many weaknesses have been found and published in regard to PGP
and its implementations.
- RSA is the standard in digital certificates, although there are
a few solutions that use Diffie-Hellman.
- Virtual Private Network (VPN)
- VPN is quickly becoming a household term. A VPN is a secure connection
established between two points. Many vendors offer VPN solutions that
use one or a number of the protocols mentioned above.
- Cisco, Microsoft, RSA, Verisign, and many other vendors offer VPN
Solutions. I prefer Cisco's VPN solutions to others.
- The vendor you use to purchase the solution will determine the protocol
and algorithms used. More often than not, though, it will be using IPSEC.
- Secure E-mail Attachments
- If you don't want to spend the money on a Digital Signature system,
you can purchase software that encrypts an attachment to an e-mail message.
- This software works with Secret Key systems and algorithms. You
encrypt your attachment with their software using the algorithm they
use (sometimes you can choose the one you use) and send it on its merry
way. Finding a secure way to exchange the key is up to you. What ever
you do, do NOT send the key along with the message.
- Novastor, RSALabs, SafeTNet, and a host of others offer software
that performs the aforementioned service. In the past, I have been quite
pleased with the performance of Novastor's DataSafe SE
What To Look for and What To Avoid
In real-world situations, these protocols are used by developers to create
solutions that incorporate any number of the protocols and algorithms I've mentioned.
When looking for a solution, there are a few things you'll want to avoid. Stay
away from solutions that claim to use a secret proprietary algorithm. Its best
to stick with tested and accepted algorithms. If a solution provider won't be
upfront on what protocols and algorithms their software uses, avoid them as
well. Also, just because a solution is the latest and greatest, doesn't mean
it's the best choice. A good rule of thumb is not to buy a software package
until its version number has at least a .1 behind or a few patches available.
Administrative key recovery is a feature to be wary of. Some vendors keep
a key that will reveal your key to you if lost. What is to keep them from selling
it to your competitors or, worse, if it is stolen from them? Regardless of who
the vendor is, knowing what protocols and algorithms are being implemented in
their packages will make your decision a more informed one.
Hackability
Hacking any of these systems can be tough, but it has been done. Some of
the above mentioned algorithms have also shown weaknesses as well. The elitist
underground of cryptographic hackers, so aptly named as "cypherpunks," are there
to try, and they have an arsenal of attacks and exploits at their disposal.
The main attack they will try to use is called a brute-force crack. The size
of the key determines the amount of time it will take. They capture the message
and then begin guessing as to what the key could be. The guessing is done by
a program and the guesses are every possible key that the key could be. They
figure out the algorithm used, what the key length is, and then go at it.
It is important to remember: All encrypted messages
can be cracked through brute force cracking! This can take quite some
time, depending on the key length (upward of 900 years with some). Other attacks
use known weaknesses in an algorithm that can be very complicated and confusing
to comprehend. The point to remember is that they exist.
The main weakness they'll exploit is small and/or bad keys. Keys are like
passwords—don't use the same one twice, and use mixture of letters, numbers,
and characters. tR3~$8)vQq% is a good example of what you would want a key to
look like, just make sure it's a lot longer. I can't stress enough the practice
of making your keys and passwords as strong as possible. Weak keys are the number
one cause of these systems getting compromised.
Conclusion
Risks that were once great are slowly shrinking. But the risk is still there,
and it still needs to be addressed. It comes as no surprise that encryption
is becoming important and prevalent in daily life. Transmitting data unencrypted
across the Internet is a very risky thing, which isn't something risk managers
do.
So, with your newly found understanding of the basics of cryptography, look
again at the systems and keys in place (if there are any) and ask yourself,
"Are the keys and solutions in place the right ones for our needs and provide
adequate protection?" You may be surprised at the answer.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.