- Shopping Bag ( 0 items )
Public Key Infrastructure Implementation and Design is a complete, concise guide for professionals. This book offers a complete reference on all aspects of public key infrastructure including architecture, planning, implementation, cryptography, standards and certificates.
|Ch. 1||Cryptography Basics||1|
|Ch. 2||Public Key Infrastructure Basics||31|
|Ch. 3||PKI Architecture||43|
|Ch. 4||CA Functions||65|
|Ch. 5||Certificate Management||85|
|Ch. 6||PKI Management Protocols and Standards||109|
|Ch. 7||PKI-Enabled Services||137|
|Ch. 8||Installing Windows 2000-Based PKI Solutions||163|
|Ch. 9||Installing and Configuring Windows 2000 Certificate Server for SSL, IPSec, and S/MIME||201|
|Ch. 10||Understanding PGP||237|
|Ch. 11||Planning for PKI Deployment||255|
|Ch. 12||AllSolv, Inc. Case Study||277|
|App. A||IDNSSE and SDSI||295|
|App. B||VPN Basics||303|
|App. C||Cryptographic Algorithms||315|
IN THIS CHAPTER
* The basics of cryptography
* Applications of cryptography
* Digital signatures
From the dawn of civilization, to the highly networked societies that we live in today - communication has always been an integral part of our existence. What started as simple sign-communication centuries ago has evolved into many forms of communication today - the Internet being just one such example. Methods of communication today include
* Radio communication
* Telephonic communication
* Network communication
* Mobile communication
All these methods and means of communication have played an important role in our lives, but in the past few years, network communication, especially over the Internet, has emerged as one of the most powerful methods of communication - with an overwhelming impact on our lives.
Such rapid advances in communications technology have also given rise to security threats to individuals and organizations. In the last few years, various measures and services have been developed to counter these threats. All categories of such measures and services, however, have certain fundamental requirements, which include
* Confidentiality, which is the process of keeping information private and secret so that only the intended recipient is able to understand the information. For example, if Alice has to send a message to Bob, then Bob only (and no other person except for Bob) should be able to read or understand the message.
* Authentication, which is the process of providing proof of identity of the sender to the recipient, so that the recipient can be assured that the person sending the information is who and what he or she claims to be. For example, when Bob receives a message from Alice, then he should be able to establish the identity of Alice and know that the message was indeed sent by Alice.
* Integrity, which is the method to ensure that information is not tampered with during its transit or its storage on the network. Any unauthorized person should not be able to tamper with the information or change the information during transit. For example, when Alice sends a message to Bob, then the contents of the message should not be altered with and should remain the same as what Alice has sent.
* Non-repudiation, which is the method to ensure that information cannot be disowned. Once the non-repudiation process is in place, the sender cannot deny being the originator of the data. For example, when Alice sends a message to Bob, then she should not be able to deny later that she sent the message.
Before we look at the various mechanisms that provide these security services, let us look at the various types of security attacks that can be faced by an organization:
* Interruption: In an attack where one or more of the systems of the organization become unusable due to attacks by unauthorized users. This leads to systems being unavailable for use. Figure 1-1 displays the process of interruption.
* Interception: An unauthorized individual intercepts the message content and changes it or uses it for malicious purposes. After this type of attack, the message does not remain confidential; for example, if the contents of message that Alice sends to Bob are read or altered during its transmission of message by a hacker or an interceptor. In this situation, Bob cannot consider such a message to be a confidential one. Figure 1-2 displays the process of interception.
* Modification: The content of the message is modified by a third party. This attack affects the integrity of the message. Figure 1-3 displays the process of modification.
* Fabrication: In this attack, a third party inserts spurious messages into the organization network by posing as a valid user. This attack affects the confidentiality, authenticity, and integrity of the message. Figure 1-4 displays fabrication.
From securing sensitive military information to securing personal messages, you often would be confronted with the need of masking information to protect it. One of the most important methods that help provide security to messages in transit is cryptography. It helps overcome the security issues as described above, involved in the delivery of messages over any communication channel. This chapter provides an overview of cryptography and popular cryptographic techniques.
The term cryptology has its origin in the Greek kryptós lógos, which means "hidden word." Other examples of cryptography date back to circa 1900 B.C. when Egyptians began using hieroglyphics in inscriptions.
The Basics of Cryptography
Cryptography is the science of protecting data, which provides means and methods of converting data into unreadable form, so that
* The data cannot be accessed for unauthorized use.
* The content of the data frames is hidden.
* The authenticity of the data can be established.
* The undetected modification of the data is avoided.
* The data cannot be disowned by the originator of the message.
Cryptography is one of the technological means to provide security to data being transmitted on information and communications systems. Cryptography is especially useful in the cases of financial and personal data, irrespective of the fact that the data is being transmitted over a medium or is stored on a storage device. It provides a powerful means of verifying the authenticity of data and identifying the culprit, if the confidentiality and integrity of the data is violated. Because of the development of electronic commerce, cryptographic techniques are extremely critical to the development and use of defense information systems and communications networks.
History of Cryptography
As already discussed, the messages were first encrypted in ancient Egypt as a result of hieroglyphics. The Egyptians encrypted messages by simply replacing the original picture with another picture. This method of encryption was known as substitution cipher. In this method, each letter of the cleartext message was replaced by some other letter, which results in an encrypted message or ciphertext. For example, the message
WELCOME TO THE WORLD OF CRYPTOGRAPHY
can be encrypted by using substitution cipher as
XFMDPNF UP UIF XPSME PG DSZQUPHSBQIZ
In the preceding example, each letter of the plaintext message has been replaced with the next letter in the alphabet. This type of substitution is also known as Caesar cipher.
Caesar cipher is an example of shift cipher because it involves shifting each letter of the plaintext message by some number of spaces to obtain the ciphertext. For example, if you shift the letters by 5, you get the following combination of plaintext and ciphertext letters:
Plaintext A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Ciphertext F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
However, simple substitution ciphers are not a very reliable type and can easily be broken down. In such a case, an alternative way is to use multiple alphabets instead of one alphabet. This type of a cipher, which involves multiple cipher alphabets, is known as a polyalphabetic substitution cipher. An example of the polyalphabetic substitution cipher is the Vigenere cipher.
With the recent advances in mathematical techniques, there has an acceleration in the development of newer methods of encryption. Today, cryptography has emerged so powerful that it is considered rather impossible to break some ciphers.
Cryptography has now become an industry standard for providing information security, trust, controlling access to resources, and electronic transactions. Its use is no longer limited to just securing sensitive military information. In fact, cryptography is now recognized as one of the major components of the security policy of an organization.
Before moving further with cryptography, let us first look at a few terms that are commonly associated with cryptography:
* Plaintext: Is the message that has to be transmitted to the recipient. It is also commonly referred to as cleartext.
* Encryption: Is the process of changing the content of a message in a manner such that it hides the actual message.
* Ciphertext: Is the output that is generated after encrypting the plain text.
* Decryption: Is the reverse of encryption and is the process of retrieving the original message from its encrypted form. This process converts ciphertext to plaintext.
* Hash algorithm: Is an algorithm that converts text string into a string of fixed length.
* Key: Is a word, number, or phrase that is used to encrypt the cleartext. In computer-based cryptography, any text, key word, or phrase is converted to a very large number by applying a hash algorithm on it. The large number, referred to as a key, is then used for encryption and decryption.
* Cipher: Is a hash algorithm that translates plaintext into an intermediate form called ciphertext, in which the original message is in an unreadable form.
* Cryptanalysis: Is the science of breaking codes and ciphers.
Before looking at the details of various cryptographic techniques, let us now look at the steps involved in the conventional encryption model:
1. A sender wants to send a Hello message to a recipient.
2. The original message, also called plaintext, is converted to random bits known as ciphertext by using a key and an algorithm. The algorithm being used can produce a different output each time it is used, based on the value of the key.
3. The ciphertext is transmitted over the transmission medium.
4. At the recipient end, the ciphertext is converted back to the original text using the same algorithm and key that were used to encrypt the message.
This process is also shown in Figure 1-5.
Having looked at an overview of cryptography, let us now look at the various cryptography techniques available. For the purpose of classification, the techniques are categorized on the basis of the number of keys that are used. The two main cryptography techniques are
* Single key cryptography: This cryptography technique is based on a single key. It is also known as symmetric key or private key or secret key encryption.
* Public key cryptography: This cryptography technique is based on a combination of two keys-secret key and public key. It is also known as asymmetric encryption.
Let us look at each of these methods in detail.
Single Key Cryptography
The process of encryption and decryption of information by using a single key is known as secret key cryptography or symmetric key cryptography. In symmetric key cryptography, the same key is used to encrypt as well as decrypt the data. The main problem with symmetric key algorithms is that the sender and the receiver have to agree on a common key. A secure channel is also required between the sender and the receiver to exchange the secret key.
Here's an example that illustrates the process of single key cryptography. Alice wants to send a "For Your Eyes" message to Bob and wants to ensure that only Bob is able to read the message. To secure the transmission, Alice generates a secret key, encrypts the message with this key, and sends the message to Bob.
Figure 1-6 represents the process of secret key cryptography.
Now, to read the encrypted message, Bob would need the secret key that has been generated by Alice. Alice can give the secret key to Bob in person or send the key to Bob by any other means available. If Alice sends the key to Bob in person, it could be time-consuming depending on the physical distance between the two of them or other circumstances such as Bob's availability. After Bob receives the secret key, he can decrypt the message to retrieve the original message.
Many secret key algorithms were developed on the basis of the concept of secret key cryptography. The most widely used secret key algorithms include
* Data Encryption Standard (DES)
* Triple-DES (3DES)
* International Data Encryption Algorithm (IDEA)
* Advanced Encryption Standard (AES)
Let us consider these algorithms in detail in the following sections.
DATA ENCRYPTION STANDARD (DES)
DES, which is an acronym for the Data Encryption Standard, is the common name for the Federal Information Processing Standard (FIPS) 46-3. It describes the Data Encryption Algorithm (DEA). DEA is also defined in the ANSI standard X3.92. The DES algorithm is one of the most widely used encryption algorithms in the world. The Data Encryption Standard (DES) algorithm was developed by the IBM team in the 1970s and was adopted by National Institute of Standards and Technology (NIST) for commercial applications.
Refer to RFCs 1827 and 2144 for more information on DES.
DES is still surrounded by controversy. This controversy was originally fueled by the following facts:
* The key length used by this algorithm was reduced to 56 bits by the U.S. government, although the original design called for a key length of 128 bits, leading to a compromise on security. Although the algorithm for DES was published, the rationale for the design was never published.
* DES became widely available to the U.S. public and to approved users in other countries. However, DES was excluded by the U.S. government from protection of any of its own classified information.
The major weaknesses and attacks that are faced by DES are described below.
BRUTE FORCE ATTACK The simplest attack to decipher a DES key is the brute force attack. The brute force attack on the DES algorithm is feasible because of the relatively small key length (56 bit) and ever-increasing computational power of the computers. Until the mid-1990s, brute force attacks were beyond the capabilities of hackers because the cost of computers that were capable of hacking was extremely high and unaffordable. With the tremendous advancement in the field of computing, high-performance computers are relatively cheaper and, therefore, affordable.
Excerpted from Public Key Infrastructure Implementation and Design by Suranjan Choudhury Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.