Online security ranges from message encryption and session authentication to session security and transactions.

---------CRYPTOGRAPHY----------------------------

E-mail accounts for most of internet traffic (100 million messages a day - 100,000,001 now ;-) ). According to the Electronic Communications Privacy Act of 1986, intercepting e-mail is a felony. E-mail passes through a number of routers, systems and servers en route, and the usual problems arise from a poorly guarded server. Cryptography remains one of the easiest avenues of security.

PGP (Pretty Good Privacy) isn't bad. Written by Philip Zimmerman in 1991. You can get it at viacrypt@acm.org or www.zdnet.com. Since the US classifies software incorporating encryption as munitions subject to export restrictions (like grenades, mines, and mortar shells), Zimmerman has been under federal investigation. But PGP is all around the world. Some PGP variants use keys larger than the 40-bit maximum allowed in exportable cryptography products. The US Commerce Department recently relaxed restrictions on exportable authentication products, though. PGP is a sophisticated program combining multiple encryption algorithms: RSA Data Security's public-key and Merkle-Hellman patents, together with the robust IDEA algorithm.

---------PUBLIC KEY CRYPTOGRAPHY-----------------

Public key cryptography is the most significant recent development in encryption. It is also called asymmetric cryptography: it requires one key to encrypt and a different one to decrypt. The problem with symmetric cryptography is that you need to send the decryption key to the other party, and that key can be intercepted. Public key encryption like PGP instead uses two keys: a private key held by the receiver and a public key freely distributed to anyone. So you would look up my (Ben's) public key, say on the internet, find out it's "deathstalker", encrypt using that key, send me the message, and I would decrypt your message with my private key.
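The exchange just described (encrypt with Ben's public key, decrypt with his private key), as an added example that is not part of the original page: a toy PGP-style hybrid in Python that wraps a fresh session key with textbook RSA and encrypts the message body under it, the way PGP pairs RSA with IDEA. The tiny primes, the key owner "Ben" and the hash-based stream cipher standing in for IDEA are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for "Ben", illustration only: tiny primes so the
# numbers stay readable.  A real PGP key uses a modulus of 512 bits or more.
P, Q = 61, 53
N = P * Q                             # public modulus, 3233
E = 17                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, 2753
BEN_PUBLIC_KEY = (N, E)               # published anywhere, e.g. on the internet
BEN_PRIVATE_KEY = (N, D)              # never leaves Ben's machine

def rsa_encrypt(public_key, m):
    n, e = public_key
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)

def keystream(session_key, length):
    # Hash-based stream cipher standing in for IDEA (an assumption of this example).
    out, counter = b"", 0
    while len(out) < length:
        block = session_key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]

def xor_bytes(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def seal_message(recipient_public_key, plaintext):
    """Sender side: wrap a fresh session key with the recipient's public key and
    encrypt the body under that key.  No secret ever travels in the clear."""
    n, _ = recipient_public_key
    session_key = secrets.randbelow(n - 2) + 2       # 2 .. n-1, fresh per message
    wrapped_key = rsa_encrypt(recipient_public_key, session_key)
    body = xor_bytes(plaintext, keystream(session_key, len(plaintext)))
    return wrapped_key, body

def open_message(private_key, sealed):
    """Receiver side: only the private key recovers the session key, hence the body."""
    wrapped_key, body = sealed
    session_key = rsa_decrypt(private_key, wrapped_key)
    return xor_bytes(body, keystream(session_key, len(body)))

if __name__ == "__main__":
    sealed = seal_message(BEN_PUBLIC_KEY, b"meet me at the usual place")
    print("on the wire:", sealed)
    print("ben reads:", open_message(BEN_PRIVATE_KEY, sealed))
```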
To sign a message, PGP runs it through a one-way hash function to produce a 128-bit number, then signs that number with my private key; you can check the signature using my public key. The US Digital Signature Algorithm standard generates a signature of two 160-bit blocks: the first is a function of a random 160-bit number selected by the signer for each signature, the second a mathematical derivative of both the message and the signer's private key.

---------CRACKING CODES--------------------------

Cracking codes involves trying to obtain the key, making assumptions, leveraging standard headers, or brute force (trying every key).

---------AUTHENTICATION--------------------------

Authentication methods verify that a message has been sent by a given person. Kerberos is an authentication scheme devised by MIT. It supplies users with "tickets" used to identify themselves to other communicants, along with secret cryptographic keys for secure communications. Unlike keys, tickets (sequences of a few hundred bytes) can be embedded in network protocols to continuously verify the conversing parties. Implementations of Kerberos may use different ticket functions: the AFS version converts a password into a DES key, while MIT's Kerberos uses the network realm / domain name as an additional part of the computation. Kerberos is a solid means to authenticate logons using exact accounts from specific physical areas.

---------BUYING ON THE INTERNET------------------

Two protocols safeguard internet communications and transactions: Secure Hypertext Transfer Protocol (SHTTP), an HTTP extension, and Secure Sockets Layer (SSL), a lower-level transport-security mechanism that sits on top of a networking protocol such as TCP/IP. Both SHTTP and SSL use RSA Data Security's robust public key authentication algorithms. SHTTP takes each message, slaps a digital signature on it, seals it with encryption and sends it off. It is used primarily by Web browsers.
Its main advantage is that its message-based approach allows selective encryption, with no time lost shielding data that need not be shielded. SSL works on the network-transport level. It sets up a safe passageway between client and server. Since *everything* gets encrypted, it eats up CPU time.

IBM's homegrown multiparty protocol iKP allows information, e.g. a credit-card number, to bypass being seen by an online shop or vendor during a transaction. The card number is encrypted and sent to the seller; the seller forwards it to the credit-card company, which decrypts it and returns an approval.

Secure Telnet (Stel) uses the DES, Triple DES and IDEA algorithms. A secure FTP program is available at http://www.elementrix.co.il

---------BANKING ON THE INTERNET-----------------

Security First Network Bank (http://www.sfnb.com) and First Union (http://firstunion.com) were given approval to bank on the internet by the federal government. It offers online credit card applications and plans to offer additional services like home-mortgage applications.

For info on:
PGP - http://www.eff.org/pub/net_info/tools/crypto
Kerberos - http://www.cis.ohiostate.edu/hypertext/faq/usenet/kerberos-faq/user/faq.html
SSL/SHTTP - http://www.w3.org http://www.netscape.com http://www.terisa.com
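The two-block signature described in the PGP and DSA paragraphs above, as an added example that is not part of the original page: a toy DSA in Python showing that r comes from the signer's per-signature random value alone, s from the message hash and the private key, and that anyone holding the public key can check the pair. The small parameters p=2039, q=1019, g=4 and the private key 7 are constructed for illustration.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed toy DSA domain parameters, illustration only: q divides p - 1 and
# g = 2^((p-1)/q) mod p has order q.  Real DSA uses a 160-bit q and a 512-1024 bit p.
P, Q, G = 2039, 1019, 4
SIGNER_PRIVATE_KEY = 7                              # x: known only to the signer
SIGNER_PUBLIC_KEY = pow(G, SIGNER_PRIVATE_KEY, P)   # y = g^x mod p, published for verifiers

def message_hash(message: bytes) -> int:
    # One-way hash of the message, reduced into the range of q (real DSA: 160-bit SHA-1).
    return int(hashlib.sha1(message).hexdigest(), 16) % Q

def sign(private_key: int, message: bytes, k: Optional[int] = None) -> Tuple[int, int]:
    """Return the two-block signature (r, s).

    r depends only on the per-signature random k; s mixes in the message hash and
    the private key.  k may be fixed by the caller to show that property, but a
    real signer must draw a fresh secret k for every signature.
    """
    while True:
        k_used = secrets.randbelow(Q - 1) + 1 if k is None else k
        r = pow(G, k_used, P) % Q
        s = (pow(k_used, -1, Q) * (message_hash(message) + private_key * r)) % Q
        if r != 0 and s != 0:
            return r, s
        k = None            # degenerate case: retry with a fresh random k

def verify(public_key: int, message: bytes, signature: Tuple[int, int]) -> bool:
    """Check (r, s) against the public key y without knowing x."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (message_hash(message) * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(public_key, u2, P)) % P % Q
    return v == r

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(SIGNER_PRIVATE_KEY, msg)
    print("signature (r, s):", sig, "valid:", verify(SIGNER_PUBLIC_KEY, msg, sig))
```

With q this small, two different messages hash to the same value modulo q about one time in a thousand; the 160-bit q of real DSA is what makes that negligible.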