Description

Book Synopsis
Cryptography is the most effective way to achieve data security and is essential to e-commerce activities such as online shopping, stock trading, and banking. This book explains the basics of encryption and various techniques and introduces readers to the terminology used in the subject.

Trade Review
“…a useful guide for anyone bamboozled by encryption…” (PC Utilities, June 2004)

“The reader can dip into it whenever the mood takes them…” (MicroMart, 29th April 2004)



Table of Contents

Introduction 1

About This Book 2

How to Use This Book 2

What You Don’t Need to Read 3

Foolish Assumptions 3

How This Book Is Organized 3

Part I: Crypto Basics & What You Really Need to Know 4

Part II: Public Key Infrastructure 4

Part III: Putting Encryption Technologies to Work for You 4

Part IV: The Part of Tens 4

Part V: Appendixes 5

Icons Used in This Book 5

Where to Go from Here 5

Part I: Crypto Basics & What You Really Need to Know 7

Chapter 1: A Primer on Crypto Basics 9

It’s Not about James Bond 9

Go with the rhythm 10

Rockin’ the rhythm 11

Getting to Know the Basic Terms 12

What Makes a Cipher? 13

Concealment ciphers 13

Substitution ciphers 14

Transposition ciphers 15

Hash without the corned beef 16

XOR what? 17

Breaking Ciphers 20

Not-so-secret keys 20

Known plaintext 21

Pattern recognition 21

What a brute! 21

Cryptosystems 22

Everyday Uses of Encryption 23

Network logons and passwords 23

Secure Web transactions 25

ATMs 26

Music and DVDs 27

Communication devices 28

Why Encryption Isn’t More Commonplace 28

Difficulty in understanding the technology 29

You can’t do it alone 29

Sharing those ugly secrets 30

Cost may be a factor 30

Special administration requirements 31

Chapter 2: Major League Algorithms 33

Beware of “Snake Oil” 34

Symmetric Keys Are All the Same 37

The key table 37

Key generation and random numbers 38

Protecting the Key 39

Symmetric Algorithms Come in Different Flavors 40

Making a hash of it 40

Defining blocks and streams 42

Which is better: Block or stream? 44

Identifying Symmetric Algorithms 45

DES 45

Triple DES 45

IDEA 46

AES 46

Asymmetric Keys 47

RSA 48

Diffie-Hellman (& Merkle) 49

PGP 50

Elliptical Curve Cryptography 50

Working Together 52

Chapter 3: Deciding What You Really Need 53

Justifying the Costs to Management 53

Long-term versus short-term 54

Tangible versus intangible results 55

Positive ROI 55

Government due diligence 60

Insurers like it! 61

Presenting your case 61

Do You Need Secure Communications? 62

Secure e-mail 62

Instant Messaging (IM) 64

Secure e-commerce 64

Online banking 66

Virtual Private Networks (VPNs) 66

Wireless (In)security 68

Do You Need to Authenticate Users? 69

Who are your users? 70

Authentication tokens 71

Smart cards 72

Java tokens 73

Biometrics 74

Do You Need to Ensure Confidentiality and Integrity? 75

Protecting Personal Data 75

What’s It Gonna Cost? 77

Chapter 4: Locks and Keys 79

The Magic Passphrase 80

The weakest link 81

Mental algorithms 82

Safety first! 84

Passphrase attacks 86

Don’t forget to flush! 87

The Key Concept 88

Key generation 89

Protecting your keys 90

What to do with your old keys 91

Some cryptiquette 91

Part II: Public Key Infrastructure 93

Chapter 5: The PKI Primer 95

What Is PKI? 96

Certificate Authorities (CAs) 97

Digital Certificates 98

Desktops, laptops, and servers 100

Key servers 102

Registration Authorities (RAs) 103

Uses for PKI Systems 103

Common PKI Problems 105

Chapter 6: PKI Bits and Pieces 107

Certificate Authorities 108

Pretenders to the throne 110

Registration Authorities 110

Certificate Policies (CPs) 111

Digital Certificates and Keys 112

D’basing Your Certificates 113

Certificate Revocation 114

Picking the PKCS 115

PKCS #1: RSA Encryption Standard 115

PKCS #3: Diffie-Hellman Key Agreement Standard 115

PKCS #5: Password-Based Cryptography Standard 115

PKCS #6: Extended-Certificate Syntax Standard 116

PKCS #7: Cryptographic Message Syntax Standard 116

PKCS #8: Private-Key Information Syntax Standard 116

PKCS #9: Selected Attribute Types 117

PKCS #10: Certification Request Syntax Standard 117

PKCS #11: Cryptographic Token Interface Standard 117

PKCS #12: Personal Information Exchange Syntax Standard 118

PKCS #13: Elliptic Curve Cryptography Standard 118

PKCS #14: Pseudo-Random Number Generation Standard 118

PKCS #15: Cryptographic Token Information Format Standard 118

Chapter 7: All Keyed Up! 119

So, What Exactly IS a Key? 120

Making a Key 120

The Long and Short of It 121

Randomness in Keys Is Good 122

Storing Your Keys Safely 123

Keys for Different Purposes 124

Keys and Algorithms 124

One Key; Two Keys 125

Public/private keys 126

The magic encryption machine 127

The magic decryption machine 128

Symmetric keys (again) 129

Trusting Those Keys 129

Key Servers 130

Keeping keys up to date 131

Policies for keys 132

Key escrow and key recovery 132

Part III: Putting Encryption Technologies to Work for You 135

Chapter 8: Securing E-Mail from Prying Eyes 137

E-Mail Encryption Basics 138

S/MIME 138

PGP 139

Digital Certificates or PGP Public/Private Key Pairs? 140

What’s the diff? 140

When should you use which? 141

Sign or encrypt or both? 141

Remember that passphrase! 142

Using S/MIME 142

Setting up S/MIME in Outlook Express 143

Backing up your Digital Certificates 151

Fun and Games with PGP 153

Setting up PGP 154

Deciding on the options 156

Playing with your keyring 160

Sending and receiving PGP messages 162

PGP in the enterprise 164

Other Encryption Stuff to Try 164

Chapter 9: File and Storage Strategies 167

Why Encrypt Your Data? 168

Encrypted Storage Roulette 170

Symmetric versus asymmetric? 171

Encrypting in the air or on the ground? 173

Dealing with Integrity Issues 174

Message digest/hash 174

MACs 175

HMACs 175

Tripwire 176

Policies and Procedures 177

Examples of Encryption Storage 178

Media encryption 179

Encrypting File System 180

Secure e-mail 181

Program-specific encryption 181

Encrypted backup 181

Chapter 10: Authentication Systems 183

Common Authentication Systems 185

Kerberos 185

SSH 186

RADIUS 187

TACACS+ 188

Authentication Protocols 188

How Authentication Systems Use Digital Certificates 190

Tokens, Smart Cards, and Biometrics 191

Digital Certificates on a PC 191

Time-based tokens 192

Smartcard and USB Smartkeys 193

Biometrics 194

Chapter 11: Secure E-Commerce 197

SSL Is the Standard 198

A typical SSL connection 199

Rooting around your certificates 201

Time for TLS 203

Setting Up an SSL Solution 204

What equipment do I need? 205

The e-commerce manager’s checklist 206

XML Is the New Kid on the Block 209

Going for Outsourced E-Commerce 210

Chapter 12: Virtual Private Network (VPN) Encryption 213

How Do VPNs Work Their Magic? 214

Setting Up a VPN 214

What devices do I need? 215

What else should I consider? 216

Do VPNs affect performance? 216

Don’t forget wireless! 217

Various VPN Encryption Schemes 217

PPP and PPTP 217

L2TP 218

IPsec 218

Which Is Best? 220

Testing, Testing, Testing 221

Chapter 13: Wireless Encryption Basics 223

Why WEP Makes Us Weep 224

No key management 225

Poor RC4 implementation 225

Authentication problems 226

Not everything is encrypted 226

WEP Attack Methods 227

Finding wireless networks 228

War chalking 228

Wireless Protection Measures 230

Look for rogue access points 230

Change the default SSIDs 230

Turn on WEP 231

Position your access points well 232

Buy special antennas 232

Use a stronger encryption scheme 232

Use a VPN for wireless networks 232

Employ an authentication system 233

Part IV: The Part of Tens 235

Chapter 14: The Ten Best Encryption Web Sites 237

Mat Blaze’s Cryptography Resource on the Web 237

The Center for Democracy and Technology 237

SSL Review 238

How IPsec Works 238

Code and Cipher 238

CERIAS — Center for Education and Research in Information Assurance and Security 238

The Invisible Cryptologists — African Americans, WWII to 1956 239

Bruce Schneier 239

North American Cryptography Archives 239

RSA’s Crypto FAQ 239

Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms 241

Military-Grade Encryption 241

Trusted Third Party 241

X.509 Certificates 242

Rubber Hose Attack 242

Shared Secret 242

Key Escrow 242

Initialization Vector 243

Alice, Bob, Carol, and Dave 243

Secret Algorithm 243

Steganography 244

Chapter 16: Cryptography Do’s and Don’ts 245

Do Be Sure the Plaintext Is Destroyed after a Document Is Encrypted 245

Do Protect Your Key Recovery Database and Other Key Servers to the Greatest Extent Possible 246

Don’t Store Your Private Keys on the Hard Drive of Your Laptop or Other Personal Computing Device 246

Do Make Sure Your Servers’ Operating Systems Are “Hardened” before You Install Cryptological Systems on Them 246

Do Train Your Users against Social Engineering 247

Do Create the Largest Key Size Possible 247

Do Test Your Cryptosystem after You Have It Up and Running 248

Do Check the CERT Advisories and Vendor Advisories about Flaws and Weaknesses in Cryptosystems 248

Don’t Install a Cryptosystem Yourself If You’re Not Sure What You Are Doing 248

Don’t Use Unknown, Untested Algorithms 249

Chapter 17: Ten Principles of “Cryptiquette” 251

If Someone Sends You an Encrypted Message, Reply in Kind 251

Don’t Create Too Many Keys 251

Don’t Immediately Trust Someone Just Because He/She Has a Public Key 252

Always Back Up Your Keys and Passphrases 252

Be Wary of What You Put in the Subject Line of Encrypted Messages 252

If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible 253

Don’t Publish Someone’s Public Key to a Public Key Server without His/Her Permission 253

Don’t Sign Someone’s Public Key Unless You Have Reason To 253

If You Are Corresponding with Someone for the First Time, Send an Introductory Note Along with Your Public Key 254

Be Circumspect in What You Encrypt 254

Chapter 18: Ten Very Useful Encryption Products 255

PGP: Pretty Good Privacy 255

Gaim 255

madeSafe Vault 256

Password Safe 256

Kerberos 256

OpenSSL and Apache SSL 256

SafeHouse 257

WebCrypt 257

Privacy Master 257

Advanced Encryption Package 257

Part V: Appendixes 259

Appendix A: Cryptographic Attacks 261

Known Plaintext Attack 262

Chosen Ciphertext Attacks 262

Chosen Plaintext Attacks 263

The Birthday Attack 263

Man-in-the-Middle Attack 263

Timing Attacks 264

Rubber Hose Attack 264

Electrical Fluctuation Attacks 265

Major Boo-Boos 265

Appendix B: Glossary 267

Appendix C: Encryption Export Controls 279

Index 283

Cryptography for Dummies

Product form

£23.99

Includes FREE delivery

RRP £29.99 – you save £6.00 (20%)

A Paperback / softback by Chey Cobb

    Publisher: John Wiley & Sons Inc
    Publication Date: 23/01/2004
    ISBN13: 9780764541889, 978-0764541889
    ISBN10: 0764541889
