Cryptography For Dummies

Chey Cobb, CISSP, author of Network Security For Dummies, was Chief Security Officer for a National Reconnaissance Office (NRO) overseas location. She is a nationally recognized computer security expert.

Introduction  1

About This Book 2

How to Use This Book 2

What You Don’t Need to Read  3

Foolish Assumptions 3

How This Book Is Organized 3

Part I: Crypto Basics & What You Really Need to Know 4

Part II: Public Key Infrastructure  4

Part III: Putting Encryption Technologies to Work for You 4

Part IV: The Part of Tens  4

Part V: Appendixes 5

Icons Used in This Book  5

Where to Go from Here  5

Part I: Crypto Basics & What You Really Need to Know 7

Chapter 1: A Primer on Crypto Basics  9

It’s Not about James Bond  9

Go with the rhythm  10

Rockin’ the rhythm 11

Getting to Know the Basic Terms 12

What Makes a Cipher? 13

Concealment ciphers 13

Substitution ciphers 14

Transposition ciphers  15

Hash without the corned beef  16

XOR what? 17

Breaking Ciphers  20

Not-so-secret keys  20

Known plaintext  21

Pattern recognition  21

What a brute! 21

Cryptosystems 22

Everyday Uses of Encryption 23

Network logons and passwords 23

Secure Web transactions 25

ATMs  26

Music and DVDs  27

Communication devices  28

Why Encryption Isn’t More Commonplace 28

Difficulty in understanding the technology  29

You can’t do it alone  29

Sharing those ugly secrets  30

Cost may be a factor  30

Special administration requirements 31

Chapter 2: Major League Algorithms  33

Beware of “Snake Oil”  34

Symmetric Keys Are All the Same  37

The key table 37

Key generation and random numbers 38

Protecting the Key  39

Symmetric Algorithms Come in Different Flavors 40

Making a hash of it 40

Defining blocks and streams 42

Which is better: Block or stream?  44

Identifying Symmetric Algorithms 45

Des 45

Triple DES  45

Idea  46

Aes 46

Asymmetric Keys 47

Rsa 48

Diffie-Hellman (& Merkle)  49

Pgp 50

Elliptical Curve Cryptography  50

Working Together 52

Chapter 3: Deciding What You Really Need  53

Justifying the Costs to Management  53

Long-term versus short-term  54

Tangible versus intangible results 55

Positive ROI 55

Government due diligence  60

Insurers like it!  61

Presenting your case  61

Do You Need Secure Communications?  62

Secure e-mail  62

Instant Messaging (IM)  64

Secure e-commerce  64

Online banking  66

Virtual Private Networks (VPNs)  66

Wireless (In)security  68

Do You Need to Authenticate Users? 69

Who are your users?  70

Authentication tokens 71

Smart cards 72

Java tokens  73

Biometrics 74

Do You Need to Ensure Confidentiality and Integrity?  75

Protecting Personal Data  75

What’s It Gonna Cost?  77

Chapter 4: Locks and Keys  79

The Magic Passphrase 80

The weakest link 81

Mental algorithms  82

Safety first! 84

Passphrase attacks  86

Don’t forget to flush!  87

The Key Concept  88

Key generation  89

Protecting your keys  90

What to do with your old keys 91

Some cryptiquette  91

Part II: Public Key Infrastructure 93

Chapter 5: The PKI Primer  95

What Is PKI?  96

Certificate Authorities (CAs)  97

Digital Certificates  98

Desktops, laptops, and servers  100

Key servers 102

Registration Authorities (RAs) 103

Uses for PKI Systems 103

Common PKI Problems  105

Chapter 6: PKI Bits and Pieces  107

Certificate Authorities 108

Pretenders to the throne 110

Registration Authorities  110

Certificate Policies (CPs)  111

Digital Certificates and Keys 112

D’basing Your Certificates 113

Certificate Revocation 114

Picking the PKCS  115

PKCS #1: RSA Encryption Standard 115

PKCS #3: Diffie-Hellman Key Agreement Standard 115

PKCS #5: Password-Based Cryptography Standard  115

PKCS #6: Extended-Certificate Syntax Standard 116

PKCS #7: Cryptographic Message Syntax Standard 116

PKCS #8: Private-Key Information Syntax Standard 116

PKCS #9: Selected Attribute Types  117

PKCS #10: Certification Request Syntax Standard 117

PKCS #11: Cryptographic Token Interface Standard 117

PKCS #12: Personal Information Exchange Syntax Standard  118

PKCS #13: Elliptic Curve Cryptography Standard  118

PKCS #14: Pseudo-Random Number Generation Standard 118

PKCS #15: Cryptographic Token Information Format Standard 118

Chapter 7: All Keyed Up!  119

So, What Exactly IS a Key?  120

Making a Key 120

The Long and Short of It  121

Randomness in Keys Is Good 122

Storing Your Keys Safely 123

Keys for Different Purposes  124

Keys and Algorithms  124

One Key; Two Keys  125

Public/private keys  126

The magic encryption machine  127

The magic decryption machine  128

Symmetric keys (again) 129

Trusting Those Keys  129

Key Servers 130

Keeping keys up to date  131

Policies for keys  132

Key escrow and key recovery 132

Part III: Putting Encryption Technologies to Work for You 135

Chapter 8: Securing E-Mail from Prying Eyes  137

E-Mail Encryption Basics  138

S/mime 138

Pgp 139

Digital Certificates or PGP Public/Private Key Pairs?  140

What’s the diff? 140

When should you use which? 141

Sign or encrypt or both?  141

Remember that passphrase! 142

Using S/MIME  142

Setting up S/MIME in Outlook Express  143

Backing up your Digital Certificates  151

Fun and Games with PGP  153

Setting up PGP  154

Deciding on the options  156

Playing with your keyring  160

Sending and receiving PGP messages  162

PGP in the enterprise 164

Other Encryption Stuff to Try  164

Chapter 9: File and Storage Strategies  167

Why Encrypt Your Data? 168

Encrypted Storage Roulette  170

Symmetric versus asymmetric? 171

Encrypting in the air or on the ground?  173

Dealing with Integrity Issues 174

Message digest/hash  174

MACs  175

HMACs 175

Tripwire 176

Policies and Procedures  177

Examples of Encryption Storage  178

Media encryption 179

Encrypting File System  180

Secure e-mail 181

Program-specific encryption  181

Encrypted backup  181

Chapter 10: Authentication Systems  183

Common Authentication Systems  185

Kerberos  185

Ssh  186

Radius 187

Tacacs+  188

Authentication Protocols  188

How Authentication Systems Use Digital Certificates 190

Tokens, Smart Cards, and Biometrics 191

Digital Certificates on a PC  191

Time-based tokens 192

Smartcard and USB Smartkeys 193

Biometrics 194

Chapter 11: Secure E-Commerce  197

SSL Is the Standard  198

A typical SSL connection 199

Rooting around your certificates 201

Time for TLS  203

Setting Up an SSL Solution  204

What equipment do I need?  205

The e-commerce manager’s checklist 206

XML Is the New Kid on the Block 209

Going for Outsourced E-Commerce 210

Chapter 12: Virtual Private Network (VPN) Encryption  213

How Do VPNs Work Their Magic?  214

Setting Up a VPN  214

What devices do I need?  215

What else should I consider?  216

Do VPNs affect performance? 216

Don’t forget wireless! 217

Various VPN Encryption Schemes 217

PPP and PPTP 217

L2tp 218

IPsec 218

Which Is Best?  220

Testing, Testing, Testing  221

Chapter 13: Wireless Encryption Basics  223

Why WEP Makes Us Weep 224

No key management 225

Poor RC4 implementation 225

Authentication problems 226

Not everything is encrypted 226

WEP Attack Methods 227

Finding wireless networks 228

War chalking  228

Wireless Protection Measures  230

Look for rogue access points  230

Change the default SSIDs 230

Turn on WEP 231

Position your access points well  232

Buy special antennas 232

Use a stronger encryption scheme  232

Use a VPN for wireless networks  232

Employ an authentication system  233

Part IV: The Part of Tens  235

Chapter 14: The Ten Best Encryption Web Sites  237

Mat Blaze’s Cryptography Resource on the Web 237

The Center for Democracy and Technology 237

SSL Review  238

How IPsec Works  238

Code and Cipher 238

CERIAS — Center for Education and Research in Information Assurance and Security 238

The Invisible Cryptologists — African Americans, WWII to 1956  239

Bruce Schneier 239

North American Cryptography Archives  239

RSA’s Crypto FAQ 239

Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms  241

Military-Grade Encryption  241

Trusted Third Party 241

X 509 Certificates 242

Rubber Hose Attack 242

Shared Secret  242

Key Escrow  242

Initialization Vector  243

Alice, Bob, Carol, and Dave 243

Secret Algorithm  243

Steganography  244

Chapter 16: Cryptography Do’s and Don’ts  245

Do Be Sure the Plaintext Is Destroyed after a Document Is Encrypted  245

Do Protect Your Key Recovery Database and Other Key Servers to the Greatest Extent Possible  246

Don’t Store Your Private Keys on the Hard Drive of Your Laptop or Other Personal Computing Device 246

Do Make Sure Your Servers’ Operating Systems Are “Hardened” before You Install Cryptological Systems on Them 246

Do Train Your Users against Social Engineering  247

Do Create the Largest Key Size Possible 247

Do Test Your Cryptosystem after You Have It Up and Running 248

Do Check the CERT Advisories and Vendor Advisories about Flaws and Weaknesses in Cryptosystems 248

Don’t Install a Cryptosystem Yourself If You’re Not Sure What You Are Doing 248

Don’t Use Unknown, Untested Algorithms 249

Chapter 17: Ten Principles of “Cryptiquette”  251

If Someone Sends You an Encrypted Message, Reply in Kind  251

Don’t Create Too Many Keys  251

Don’t Immediately Trust Someone Just Because He/She Has a Public Key 252

Always Back Up Your Keys and Passphrases 252

Be Wary of What You Put in the Subject Line of Encrypted Messages  252

If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible  253

Don’t Publish Someone’s Public Key to a Public Key Server without His/Her Permission  253

Don’t Sign Someone’s Public Key Unless You Have Reason To  253

If You Are Corresponding with Someone for the First Time, Send an Introductory Note Along with Your Public Key  254

Be Circumspect in What You Encrypt 254

Chapter 18: Ten Very Useful Encryption Products  255

PGP: Pretty Good Privacy 255

Gaim  255

madeSafe Vault 256

Password Safe 256

Kerberos  256

OpenSSL and Apache SSL  256

SafeHouse  257

WebCrypt  257

Privacy Master  257

Advanced Encryption Package 257

Part V: Appendixes  259

Appendix A: Cryptographic Attacks  261

Known Plaintext Attack 262

Chosen Ciphertext Attacks 262

Chosen Plaintext Attacks  263

The Birthday Attack 263

Man-in-the-Middle Attack  263

Timing Attacks  264

Rubber Hose Attack 264

Electrical Fluctuation Attacks  265

Major Boo-Boos  265

Appendix B: Glossary  267

Appendix C: Encryption Export Controls  279

Index  283