Cryptography for dummies

Author(s)

    • Cobb, Chey

Bibliographic Information

Cryptography for dummies

by Chey Cobb

(For dummies)

Wiley Publishing, c2004

  • pbk


Note

Includes index

Description and Table of Contents

Description

Cryptography is the most effective way to achieve data security and is essential to e-commerce activities such as online shopping, stock trading, and banking. This invaluable introduction to the basics of encryption covers everything from the terminology used in the field to specific technologies to the pros and cons of different implementations. It discusses specific technologies that incorporate cryptography in their design, such as authentication methods, wireless encryption, e-commerce, and smart cards. Based entirely on real-world issues and situations, the material provides instructions for already available technologies that readers can put to work immediately. Expert author Chey Cobb is retired from the NRO, where she held a Top Secret security clearance, instructed employees of the CIA and NSA on computer security, and helped develop the computer security policies used by all U.S. intelligence agencies.

Table of Contents

  • Introduction 1
      • About This Book 2
      • How to Use This Book 2
      • What You Don't Need to Read 3
      • Foolish Assumptions 3
      • How This Book Is Organized 3
          • Part I: Crypto Basics & What You Really Need to Know 4
          • Part II: Public Key Infrastructure 4
          • Part III: Putting Encryption Technologies to Work for You 4
          • Part IV: The Part of Tens 4
          • Part V: Appendixes 5
      • Icons Used in This Book 5
      • Where to Go from Here 5
  • Part I: Crypto Basics & What You Really Need to Know 7
      • Chapter 1: A Primer on Crypto Basics 9
          • It's Not about James Bond 9
              • Go with the rhythm 10
              • Rockin' the rhythm 11
          • Getting to Know the Basic Terms 12
          • What Makes a Cipher? 13
              • Concealment ciphers 13
              • Substitution ciphers 14
              • Transposition ciphers 15
              • Hash without the corned beef 16
              • XOR what? 17
          • Breaking Ciphers 20
              • Not-so-secret keys 20
              • Known plaintext 21
              • Pattern recognition 21
              • What a brute! 21
          • Cryptosystems 22
          • Everyday Uses of Encryption 23
              • Network logons and passwords 23
              • Secure Web transactions 25
              • ATMs 26
              • Music and DVDs 27
              • Communication devices 28
          • Why Encryption Isn't More Commonplace 28
              • Difficulty in understanding the technology 29
              • You can't do it alone 29
              • Sharing those ugly secrets 30
              • Cost may be a factor 30
              • Special administration requirements 31
      • Chapter 2: Major League Algorithms 33
          • Beware of "Snake Oil" 34
          • Symmetric Keys Are All the Same 37
              • The key table 37
              • Key generation and random numbers 38
          • Protecting the Key 39
          • Symmetric Algorithms Come in Different Flavors 40
              • Making a hash of it 40
              • Defining blocks and streams 42
              • Which is better: Block or stream? 44
          • Identifying Symmetric Algorithms 45
              • DES 45
              • Triple DES 45
              • IDEA 46
              • AES 46
          • Asymmetric Keys 47
              • RSA 48
              • Diffie-Hellman (& Merkle) 49
              • PGP 50
              • Elliptical Curve Cryptography 50
          • Working Together 52
      • Chapter 3: Deciding What You Really Need 53
          • Justifying the Costs to Management 53
              • Long-term versus short-term 54
              • Tangible versus intangible results 55
              • Positive ROI 55
              • Government due diligence 60
              • Insurers like it! 61
              • Presenting your case 61
          • Do You Need Secure Communications? 62
              • Secure e-mail 62
              • Instant Messaging (IM) 64
              • Secure e-commerce 64
              • Online banking 66
              • Virtual Private Networks (VPNs) 66
              • Wireless (In)security 68
          • Do You Need to Authenticate Users? 69
              • Who are your users? 70
              • Authentication tokens 71
              • Smart cards 72
              • Java tokens 73
              • Biometrics 74
          • Do You Need to Ensure Confidentiality and Integrity? 75
              • Protecting Personal Data 75
          • What's It Gonna Cost? 77
      • Chapter 4: Locks and Keys 79
          • The Magic Passphrase 80
              • The weakest link 81
              • Mental algorithms 82
              • Safety first! 84
              • Passphrase attacks 86
              • Don't forget to flush! 87
          • The Key Concept 88
              • Key generation 89
              • Protecting your keys 90
              • What to do with your old keys 91
              • Some cryptiquette 91
  • Part II: Public Key Infrastructure 93
      • Chapter 5: The PKI Primer 95
          • What Is PKI? 96
              • Certificate Authorities (CAs) 97
              • Digital Certificates 98
              • Desktops, laptops, and servers 100
              • Key servers 102
              • Registration Authorities (RAs) 103
          • Uses for PKI Systems 103
          • Common PKI Problems 105
      • Chapter 6: PKI Bits and Pieces 107
          • Certificate Authorities 108
              • Pretenders to the throne 110
          • Registration Authorities 110
          • Certificate Policies (CPs) 111
          • Digital Certificates and Keys 112
              • D'basing Your Certificates 113
              • Certificate Revocation 114
          • Picking the PKCS 115
              • PKCS #1: RSA Encryption Standard 115
              • PKCS #3: Diffie-Hellman Key Agreement Standard 115
              • PKCS #5: Password-Based Cryptography Standard 115
              • PKCS #6: Extended-Certificate Syntax Standard 116
              • PKCS #7: Cryptographic Message Syntax Standard 116
              • PKCS #8: Private-Key Information Syntax Standard 116
              • PKCS #9: Selected Attribute Types 117
              • PKCS #10: Certification Request Syntax Standard 117
              • PKCS #11: Cryptographic Token Interface Standard 117
              • PKCS #12: Personal Information Exchange Syntax Standard 118
              • PKCS #13: Elliptic Curve Cryptography Standard 118
              • PKCS #14: Pseudo-Random Number Generation Standard 118
              • PKCS #15: Cryptographic Token Information Format Standard 118
      • Chapter 7: All Keyed Up! 119
          • So, What Exactly IS a Key? 120
              • Making a Key 120
              • The Long and Short of It 121
              • Randomness in Keys Is Good 122
              • Storing Your Keys Safely 123
          • Keys for Different Purposes 124
              • Keys and Algorithms 124
              • One Key, Two Keys 125
              • Public/private keys 126
              • The magic encryption machine 127
              • The magic decryption machine 128
              • Symmetric keys (again) 129
          • Trusting Those Keys 129
          • Key Servers 130
              • Keeping keys up to date 131
              • Policies for keys 132
              • Key escrow and key recovery 132
  • Part III: Putting Encryption Technologies to Work for You 135
      • Chapter 8: Securing E-Mail from Prying Eyes 137
          • E-Mail Encryption Basics 138
              • S/MIME 138
              • PGP 139
          • Digital Certificates or PGP Public/Private Key Pairs? 140
              • What's the diff? 140
              • When should you use which? 141
              • Sign or encrypt or both? 141
              • Remember that passphrase! 142
          • Using S/MIME 142
              • Setting up S/MIME in Outlook Express 143
              • Backing up your Digital Certificates 151
          • Fun and Games with PGP 153
              • Setting up PGP 154
              • Deciding on the options 156
              • Playing with your keyring 160
              • Sending and receiving PGP messages 162
              • PGP in the enterprise 164
          • Other Encryption Stuff to Try 164
      • Chapter 9: File and Storage Strategies 167
          • Why Encrypt Your Data? 168
          • Encrypted Storage Roulette 170
              • Symmetric versus asymmetric? 171
              • Encrypting in the air or on the ground? 173
          • Dealing with Integrity Issues 174
              • Message digest/hash 174
              • MACs 175
              • HMACs 175
              • Tripwire 176
          • Policies and Procedures 177
          • Examples of Encryption Storage 178
              • Media encryption 179
              • Encrypting File System 180
              • Secure e-mail 181
              • Program-specific encryption 181
              • Encrypted backup 181
      • Chapter 10: Authentication Systems 183
          • Common Authentication Systems 185
              • Kerberos 185
              • SSH 186
              • RADIUS 187
              • TACACS+ 188
              • Authentication Protocols 188
          • How Authentication Systems Use Digital Certificates 190
          • Tokens, Smart Cards, and Biometrics 191
              • Digital Certificates on a PC 191
              • Time-based tokens 192
              • Smartcard and USB Smartkeys 193
              • Biometrics 194
      • Chapter 11: Secure E-Commerce 197
          • SSL Is the Standard 198
              • A typical SSL connection 199
              • Rooting around your certificates 201
              • Time for TLS 203
          • Setting Up an SSL Solution 204
              • What equipment do I need? 205
              • The e-commerce manager's checklist 206
          • XML Is the New Kid on the Block 209
          • Going for Outsourced E-Commerce 210
      • Chapter 12: Virtual Private Network (VPN) Encryption 213
          • How Do VPNs Work Their Magic? 214
          • Setting Up a VPN 214
              • What devices do I need? 215
              • What else should I consider? 216
              • Do VPNs affect performance? 216
              • Don't forget wireless! 217
          • Various VPN Encryption Schemes 217
              • PPP and PPTP 217
              • L2TP 218
              • IPsec 218
              • Which Is Best? 220
          • Testing, Testing, Testing 221
      • Chapter 13: Wireless Encryption Basics 223
          • Why WEP Makes Us Weep 224
              • No key management 225
              • Poor RC4 implementation 225
              • Authentication problems 226
              • Not everything is encrypted 226
          • WEP Attack Methods 227
              • Finding wireless networks 228
              • War chalking 228
          • Wireless Protection Measures 230
              • Look for rogue access points 230
              • Change the default SSIDs 230
              • Turn on WEP 231
              • Position your access points well 232
              • Buy special antennas 232
              • Use a stronger encryption scheme 232
              • Use a VPN for wireless networks 232
              • Employ an authentication system 233
  • Part IV: The Part of Tens 235
      • Chapter 14: The Ten Best Encryption Web Sites 237
          • Matt Blaze's Cryptography Resource on the Web 237
          • The Center for Democracy and Technology 237
          • SSL Review 238
          • How IPsec Works 238
          • Code and Cipher 238
          • CERIAS - Center for Education and Research in Information Assurance and Security 238
          • The Invisible Cryptologists - African Americans, WWII to 1956 239
          • Bruce Schneier 239
          • North American Cryptography Archives 239
          • RSA's Crypto FAQ 239
      • Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms 241
          • Military-Grade Encryption 241
          • Trusted Third Party 241
          • X.509 Certificates 242
          • Rubber Hose Attack 242
          • Shared Secret 242
          • Key Escrow 242
          • Initialization Vector 243
          • Alice, Bob, Carol, and Dave 243
          • Secret Algorithm 243
          • Steganography 244
      • Chapter 16: Cryptography Do's and Don'ts 245
          • Do Be Sure the Plaintext Is Destroyed after a Document Is Encrypted 245
          • Do Protect Your Key Recovery Database and Other Key Servers to the Greatest Extent Possible 246
          • Don't Store Your Private Keys on the Hard Drive of Your Laptop or Other Personal Computing Device 246
          • Do Make Sure Your Servers' Operating Systems Are "Hardened" before You Install Cryptological Systems on Them 246
          • Do Train Your Users against Social Engineering 247
          • Do Create the Largest Key Size Possible 247
          • Do Test Your Cryptosystem after You Have It Up and Running 248
          • Do Check the CERT Advisories and Vendor Advisories about Flaws and Weaknesses in Cryptosystems 248
          • Don't Install a Cryptosystem Yourself If You're Not Sure What You Are Doing 248
          • Don't Use Unknown, Untested Algorithms 249
      • Chapter 17: Ten Principles of "Cryptiquette" 251
          • If Someone Sends You an Encrypted Message, Reply in Kind 251
          • Don't Create Too Many Keys 251
          • Don't Immediately Trust Someone Just Because He/She Has a Public Key 252
          • Always Back Up Your Keys and Passphrases 252
          • Be Wary of What You Put in the Subject Line of Encrypted Messages 252
          • If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible 253
          • Don't Publish Someone's Public Key to a Public Key Server without His/Her Permission 253
          • Don't Sign Someone's Public Key Unless You Have Reason To 253
          • If You Are Corresponding with Someone for the First Time, Send an Introductory Note Along with Your Public Key 254
          • Be Circumspect in What You Encrypt 254
      • Chapter 18: Ten Very Useful Encryption Products 255
          • PGP: Pretty Good Privacy 255
          • Gaim 255
          • madeSafe Vault 256
          • Password Safe 256
          • Kerberos 256
          • OpenSSL and Apache SSL 256
          • SafeHouse 257
          • WebCrypt 257
          • Privacy Master 257
          • Advanced Encryption Package 257
  • Part V: Appendixes 259
      • Appendix A: Cryptographic Attacks 261
          • Known Plaintext Attack 262
          • Chosen Ciphertext Attacks 262
          • Chosen Plaintext Attacks 263
          • The Birthday Attack 263
          • Man-in-the-Middle Attack 263
          • Timing Attacks 264
          • Rubber Hose Attack 264
          • Electrical Fluctuation Attacks 265
          • Major Boo-Boos 265
      • Appendix B: Glossary 267
      • Appendix C: Encryption Export Controls 279
  • Index 283

by "Nielsen BookData"
