|SECTION 4 ©
5 key components of security in correspondence
Security and Cryptography
56 bit key, 128 bit key
Public Keys and Private Keys
PEM Privacy Enhanced Mail
PGP Pretty Good Privacy
- Phil Zimmerman
Wireless Security, WANS weaknesses
changes last made to this
page 2002 Dec 28
|In Section Three
we will use material
from the following texts
|In addition to
these three books, we will also use material from these web sites, which
are quite extensive and have the potential to keep you reading for a long
time, if you have it.
course author:Tim Richardson
Security and Cryptography
for Section 4
After completing this section, participants will be able to
The Regulatory Environment
Government Agency Concerns
Domestic Use and the Import and Export of Cryptographic Products
"In the past, law enforcement
agencies relied on the ability to obatin a court order .. to allow them
to wiretap a suspected criminal... With computers, e-mail and encryption
algorithms, criminals can communicate confidentially withone another by
encrypting their messages so strongly that a court order allowing the agency
to read the message is basically worthless since the message cannot be
"RSA Data Security Inc., in a move to circumvent U.S. export laws announced  the opening of its office in Australia"
|Export controls are aimed
at fighting organised crime, and restricting use of cryptography by foreign
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information,
information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over
military or business adversaries.
- any kind of cryptography
is classed as a military weapon - and is therefore subject to export restrictions
- now its referred to as "sensitive dual use" technology- ie
from website of Prof. Edward
Re, Sociological Issues of Cryptography
|The "R" in RSA
|The "R" in RSA speaks
"Ron Rivest says 'It is poor policy to clamp down indiscriminately on a technology just because some criminals might be able to use it to their advantage. For example, any citizen can freely buy a pair of gloves, even though a burglar might use them to ransack a house without leaving fingerprints. Cryptography is a data protection technology just as gloves are a hand protection technology.
Cryptography protects data from hackers, corporate spies, and con artists, whereas gloves protect hands from cuts, scrapes, heat, cold, and infection. The former can frustrate FBI wire tapping, and the latter can thwart FBI fingerprint analysis. Cryptography and gloves are both dirt cheap and widely available. In fact, you can download good cryptographic software from the Internet for less than the price of a good pair of gloves."
|screen capture to video we discussed in class|
5 important points of Messaging and Communication Security
are explained in detail in the Greenstein text from page 228 - 232. Along with this explantion, you can find many examples on the Web were these same 5 principles are explained, and used.
Below, we find an example in a bank's web site of how they adhere to the same 5 principles of IT security in communications.
Keys and Private Keys
Greenstein text, page 237 - 239
The textbook explanation and accompaying diagrams are satisfactory, in addition there is are online resources that also explain this well.
Public Keys (also known as Asymmetrical Keys)
"Public Key encryption uses two separate but related keys. One key is used only to encrypt a message, and its companion key is used to decrypt the message. Public Key encryption works this way. The person who wants to receive encrypted files generates a pair of keys in their encryption program. That person can then 'publish' their public key, or in effect let anyone and everyone know what their 'public' key is. Anyone who wants to send this person a message can use this 'Public Key' to encrypt the message and send it on. When the message is received it can be decrypted using the secret companion key to the public key. The primary advantage of Public Key encryption is that you do not have to risk transmitting a secret key to the person who will receive the message."
Private Keys (also called Secret Key or Symmetric Key)
"With secret-key encryption, both the sender and receiver use the same key to encrypt and decrypt messages. The two people first agree on a pass phrase. They should use a different method of communicating than the one they are going to use to send encrypted messages. They can agree on a password in person, by phone, or perhaps even communicate a word or phrase known only to the two of them. A good strong password will include a mix of numbers lower and upper case letters, and characters; e.g. ad2%56jJ[*92K, since most brute force attacks will try common dictionary words, names, towns, dates, etc., or if the person attacking you can get background information on you they will try combinations that include all your relatives names, addresses, towns, birthdates, schools, etc. They know that people do have a propensity for choosing passwords that are somewhat easy to remember. The encryption software turns the password into a binary number and hashes it (adds characters to increase the size). Then uses that number(key) to encrypt all outgoing messages. The mathematical module usedfor encrypting the message is called the algorithm. The whole system is referred to as a cipher."
Schneier explains in his book that PEM is intended to be compatible with a wide range of key management approaches. It has mechanisms for using conventional (secret-key) cryptography or public-key cryptography. Most of the readily available PEM implementations use public-key cryptography.
PEM Security Features
Types of Messages
- to learn how to create a PEM message, follow the steps on page 110-114
Sending a PEM Message involves 4 steps (for further details, page 117)
|PGP is explained well in the Schneier book on e-mail security, but for those of you that do not chose to purchase this text, there are a number of online resources that fully explain PGP. Click on the screen capture to the left and you can read about how PGP originated and what it is used for.|
(Pretty Good Privacy) is a system designed by a programmer called Phil
Zimmerman which offers Internet users a secure email facility. PGP works
rather like UUcoding or MIME - it turns a mail message into unreadable
gibberish. The difference is that it does this to make the mail secure
from prying eyes. Ordinary email can be read by anyone determined enough
to do it. PGP makes sure that even if it is picked up by a third party,
the contents will remain a secret. It does this because the gibberish
can only be read by someone who has the right 'key' - a special number
that allows the message to be decoded. As a coding system PGP
is extremely secure - even a large supercomputer requires months
of computer time to crack a message coded with PGP. In short, if you send
email using PGP you can be sure it's as secure as it can be, given the
current state of the technology."from
for ABSOLUTE Beginners
PGP is basically used for
|Phil Zimmerman, the author
and creator of PGP was a pretty controversial person, you can read about
some of the issues here at
"Zimmerman had been under investigation for supposedly violating ITAR, the U.S. government's International Traffic in Arms Regulations. His PGP software is strong enough to have been classified as a munition under ITAR, just like a hand grenade or a stealth bomber. In June of 1991, as Congress was considering a possible ban on the use of such strong encryption, the PGP program was uploaded to the Internet, and made available to anyone who wanted to copy it. Even though Zimmerman himself
didn't put the software on the Internet, the Justice Department started an investigation against him in February 1993 for allegedly exporting a munition"
PGP Security Features
a PGP Message
Chpt 11, page 141 in Schneier's text describes the decryption process to read a message.
"A newly-identified snooping
technology allows someone sending an e-mail to see what the recipient wrote
when it is forwarded on to another user, an Internet privacy group
has announced. Itís a wiretap and it's "very illegal and very
easy to do," said Richard Smith, chief technology officer for the Privacy
Foundation based in Denver, in acolumn he wrote for the non-profit educational
and research organization. The vulnerability exists in mail that uses HTML.
allows the recipient's mail to be returned to the original sender. It only
|RSA, the company
which is at the forefront of IT Security, has information on their web
site about Wireless Security, which you should look at.
A brief summary of the introductory points is below. Clicking on the screencapture to the right will lead you to the page.
"Businesses and consumers alike are benefiting from new levels of connectivity. Devices such as mobile phones, personal digital assistants (PDAs), set-top boxes and hand-held PCs now provide an unprecedented variety of ways for people to access and act upon information. People can participate in the global marketplace regardless of their physical location or ability to access a personal computer. Along with the convenience of connectivity offered by wireless and portable devices, however, come increased security risks. Wireless transmissions are susceptible to interception and tampering. Portable devices with no fixed connection offer tempting wireless access points to hackers. Portable devices also contain valuable information and credentials. This information must be protected in case of theft or loss of a device."
|"Royal Bank in Wireless
is the title of a 13 June 2000 article written by Vito Pilieci for The National Post
Royal Bank formed a company
with Baldhead Systems www.baldhead.com/
Pilieci quotes Jim Connor,
Manager of Electronic Services Technologies for Royal Bank as saying
On Baldhead's web site, they
still have the digital version of the June 2000 press release. You can
read all the points yourself at
"Computer scientists at the University of California at Berkeley have sounded new warnings about the vulnerabilities of wireless LANs, saying flaws in a common encryption algorithm pose major security issues. The Internet, Security, Applications, Authentication and Cryptography (ISAAC) research group said in a report posted on the Web that it had "discovered a number of flaws" in the Wired Equivalent Privacy (WEP) 40-bit algorithm used to secure all IEEE 802.11 standard wireless LANs. These flaws, the ISAAC report added, "seriously undermine the security claims of the system." Wireless LANs have a number of vulnerabilities, the report said, including passive attacks to decrypt traffic based on statistical analysis. WEP also has flaws that make it easier to inject unauthorized traffic from mobile base stations or launch active attacks to decrypt traffic by tricking the access point (the base station), the report said. Analysts said the ISAAC report is the first to illustrate how easy it is to hack wireless LANs."
Can you recite and explain the meaning of the 5 principles of security
in messaging and communication? If you have trouble remembering the 5 principles,
make yourself an acronym, eg. CIANA
2. Could you describe to someone a simple explanation of the difference between cleartext and ciphertext?
3. Would you be able to explain verbally the difference between PEM and PGP?
4. Why should people not indiscrimantly pass on emails of jokes and meaningless messages?
5. Why is a 128 bit key impossible to crack with today's technology?
6. If someone asked you the difference between Public and Private Key Encryption, could you explain?