- 1. Introduction to Encryption……………….2
- 2. What is Encryption……………………….2
- 3. How Encryption works……………………2
- 4. Explanation………………………………….4
- Types of Encryption………………………4
Asymmetrical (or public)key……………..4
- 5. Why use encryption……………………….5
- 6. Key Servers………………………………..7
NOVA LUG/DCLUG Keyserver…………8
- 7. How do we get keys………………………..8
- 8. Encryption Algorithms……………………8
- 9. Trust……………………………………….9
Introduction to Encryption
A secure computing environment would not be complete without consideration of encryption technology. The term encryption refers to the practice of obscuring the meaning of a piece of information by encoding it in such a way that it can only be decoded, read and understood by people for whom the information is intended. It is the process of encoding data to prevent unauthorized parties from viewing or modifying it.
The use of simple codes to protect information can be traced back to the fifth century BC. As time has progressed, the methods by which information is protected have become more complex and more secure. Encryption can be used to provide high levels of security to network communication, e-mail, files stored on hard drives or floppy disks, and other information that requires protection.
The goal of this article is to present the reader with an introduction to the basics of encryption, its role in the small office/ home office environment and the benefits and drawbacks of encryption to the non-professional user who is concerned about information security.
What is encryption?
1)Encryption is the process of scrambling data so as to render it unreadable to all but the holder of the correct decryption key.
2)Encryption dates back to the time of Caesar. Roman forces would assign numeric values to each letter, and add or subtract a fixed amount to this value. This method is still in use today, called ROT-13.13 is added to the value of each letter, scrambling the message. (E.g. A=M, B=N, etc.) 13 is added because the alphabet is modulo 26. This is considered very weak encryption.
How encryption works?
When we use the Internet, we’re not always just clicking around and passively taking in information, such as reading news articles or blog posts-a great deal of our time online involves sending others our own information. Ordering something over the Internet, whether it’s a book, a CD or anything else from an online vendor, or signing up for an online account, requires entering in a good deal of sensitive personal information. A typical transaction might include not only our names, E-mail address and physical address and phone number, but also passwords and personal identification numbers (PINs).
The incredible growth of the Internet has excited businesses and consumers alike with its promise of changing the way we live and work. It’s extremely easy to buy and sell goods all over the world while sitting in front of a laptop. But security is a major concern on the Internet, especially when you’re using it to send sensitive information between parties. Let’s face it, there’s a whole lot of information that we don’t want other people to see, such as:
- Credit-card information
- Social Security numbers
- Private correspondence
- Personal details
- Sensitive company information
- Bank-account information
Information security is provided on computers and over the Internet by a variety of methods. A simple but straightforward security method is to only keep sensitive information on removable storage media like portable flash memory drives or external hard drives. But the most popular forms of security all rely on encryption, the process of encoding information in such a way that only the person (or computer) with the key can decode it.
TYPES OF ENCRYPTION
1) Symmetrical Key– The same key is used to both encrypt and decrypt the message. Each party involved with encrypting or decrypting the message must have an identical copy of the encryption key. The main downside to this method is the security concerns, that the keys must be kept secret. It is especially vulnerable since it must be transported between parties.
2) Asymmetrical (or public) key– Keys are generated in pairs: A public is freely distributed. The issue associated with compromise in transit is negated because the public is freely distributed. Note that each key is a compliment of the other. The public key can decrypt information encrypted by the private key (generally known as digital signatures) and messages encrypted with the public key can only be decrypted with the private key. The secret key is only used by its owner.
Why use encryption?
1) Authentication/No repudiation– Validation of the authenticity of a person or article (e.g. a message digitally signed by a key to which only its owner has the passphrase cannot be denied by that person). Public key encryption has made the use of digital signatures widespread.
2) Data Integrity– Proof that the data has not been changed or tampered with.
3) Privacy/Confidentiality–Information is scrambled to insure only the proper parties have access to it.
Authentication and No repudiation
Messages, data and information especially that transmitted across the Internet pass through a number of sites. At any of these waypoints, the messages can be intercepted and tampered with. Information within files and messages can be replaced or modified.
Use of encryption and/or digital signatures is a proof that the data was created or sent by the party claiming to have originating it, much like a signature on a paper document.
Conversely, the digital signature keeps the originating party from denying their data. Digital signatures have been made more common because of public key encryption. Public key encryption makes it academic to check signatures.
Data integrity merely insures that the data you have received is the same as the data that was sent. The originator “signs” (creates a “hush” or cryptographic checksum) the data with their private key (which only that person should have access to), and their public key, which is freely available, is used to verify the signature.
Privacy and Confidentiality
As stated earlier, the Internet is for the most part an open network. Data travelling across it is open to anyone with the time and desire to read it. Encryption is a method for getting data from sender to recipient without prying eyes having access to it.
It should be noted that there is no such thing as unbreakable encryption. The difference qualitative difference between encryption algorithms is the amount of time it takes to crack a message. The Data Encryption Standard (DES) is now considered broken. Distributed.net decrypted a message in under 24 hours. Compare this to Pretty Good Privacy (PGP), which can, with sufficiently large keys, withstand an attack for an estimated 10,000 years.
1) I’m not doing anything illegal. Okay, but why don’t you send all of your snail mail on postcards? Privacy does not automatically imply illegal activity, as some would have you believe. Today more than ever, companies and governments are building databases on the common citizen.
2) Encryption is illegal. Not at all. The International Traffic in Arms Regulation (ITAR) prohibits the export of strong crypto, but does not prohibit the use of it. Some say the applying the ITAR to personal encryption is unconstitutional. The Wassenar Agreement, signed in 1998 does not apply to personal encryption.
3) My system in safe. If you never connect to the Net, fine. However, in January 1999, a trojaned copy of TCP-Wrappers and until-Linux were introduced. If you update packages, many come with PGP signatures for verification of authenticity.
Public key encryption would be much harder to use and less secure were it not for the availability of key servers on the Internet.
There are a number of keyservers around the Internet, which make keys available. Use of these servers is sncouraged.
The rationale for having a NOVA LUG/DCLUG keyserver is that anyone can add a key to a public keyserver. We are endeavoring to verify the authenticity of a given key before we add it to the server.
NOVA LUG/DCLUG Keyserver
The NOVA LUG/DCLUG keyserver is a secure place for the keys of players in the Linux/Unix software arena. Its purpose is to provide a local, trusted facility containing the keys of *nix developers and LUG members.
Unlike the public keyserver on the Net, the key managers will verify each key in the server and sign it as our proof that the key truly belongs to the person the key claims to. Users will be unable to upload keys to the server; only the key managers will be able to upload keys to the server, providing access control.
How do we get keys?
1) Local keys will be verified face-to-face at key signings before/during/after meetings.
2) Keys of non-local folks will be pulled down from the Net, and then verified through encrypted emails.
3) Another copy of the key will be sent, along with the key fingerprint encrypted to the key managers.
4) In some cases, telephonic contact to verify the fingerprint may be considered.
5) AT & T Path server will be used when it is put back online.
2) Algorithm patented by Rivest, Shamir, and Adleman.
3) The de facto standard in strong encryption today.
4) Patented algorithm, patent expires in 2000.
5) Used in PGP 2.6.2, 2.6.3i, commercial versions of 5.0, 5.0i and presumably 6.0.
6) Licensing issues kept RSA out of newer versions of the freeware PGP.
7) Used both for encryption and digital signatures.
8) Use the maximum kesize possible; at least 1024 bits.
10) Relatively new algorithm used mainly for key exchange. Note that this is a method for key exchange only. The actual encryption method is usually EIGamal. PGP is misleading on this point.
11) Generally considered roughly equal in terms of security for equally sized keys.
12) Default algorithm for encryption in PGP 5.0, 5.0i and beyond. DSS is used for signing in PGP 5.0/5.0i.
13)Not compatible with older versions of PGP. DH keys or signatures cannot be decrypted by PGP 2.x.
14) DSS and DSA.
15) Part of the U.S Government’s Digital Signature Standard/Digital Signature Algorithm, proposed by NIST and NSA. Its design has not been made public.
16) Some questions about its security. The first NIST release used 512-bit keys, which has been upped to 1024-bit.
17) DSS has, for the most part, been looked upon unfavorably by the computer industry, much of which had hoped the government would choose the RSA algorithm as the official standard.
18) Used as default signing algorithm in PGP 5.0/5.0i and GPG .9.
20) A new crypto algorithm does encryption and optionally signatures.
21) Used in GNU pg 0.9.x and PGP >2.
22) PGP keys can be imported into GPG. See the procedure at http://technocage.com/gnupg/pgp2gnupg.html.
23)Not compatible with older versions of PGP. EIGamal/DH/DSS/DSA keys or keys signed with anything other than RSA will not work with PGP 2.x.
1) Trust is probably the hardest concept within encryption to convey. The only requirement to create a keypair is to have access to the programs. Anyone could put any ID on a key they wish, e.g., I could create a key and put Linux Torvalds on it and place it on public keyservers. Hence some verification of identity and trustworthiness must be undertaken. This verification is by default at the hands of the user. The purpose of the keyserver is to take some of this verification from the user and make it a community effort.