
blogtechemail: SSL

Digital Certificates and Keys

04:18:48 Digital Certificates and Keys So how do the keys get generated when you request a Digital Certificate? At some point in the application process, the Certificate Authority's enrollment software instructs the computer that is being used to request the certificate (usually through the browser or an enrollment client) to generate a public/private key pair with a given algorithm and to compute a fingerprint with a given message digest. The private key is created on the requesting machine and stays there; only the public key travels to the CA, normally packaged in a certificate signing request. The CA ...

04:18:38 D'basing Your Certificates Sometimes a PKI system is so busy that it makes sense to take some of the load off the CA and move it to another server. In this case, because certificates and keys have uniquely identifiable fields (issuer plus serial number, subject name, key identifier), it makes sense to store them in a database. SQL Server and Oracle can handle this job, and there are also free utilities to make the move easier. Keep in mind that a database holding certificates needs only ordinary access control, while a database holding private keys needs the same protection as the CA itself. What ...

04:18:30 Certificate Revocation Most certificates are given a lifespan when they are created, but there are times when you might want to revoke a certificate before it expires to keep it from being used. For example, a person might lose his private key or change positions within the company, or an e-commerce site using SSL may merge with another company. In these situations, and many more, the certificate should be revoked, and relying parties have to be told about it (through a certificate revocation list or an online status check); a revocation nobody checks has no effect. But, this is ...

04:18:20 Picking the PKCS I know I've sort of hit you out of the blue with this, but this is the first chance I've had to work this subject into a chapter. Of course you're wondering what the heck I'm talking about! PKCS stands for Public Key Cryptography Standards. It is a family of standards, originally published by RSA Laboratories, that covers the practical details the algorithms themselves leave open: how an RSA key, signature, or encrypted block is formatted and padded (PKCS #1), how a certificate request is built (PKCS #10), how a private key and its certificate are bundled into one passphrase-protected file (PKCS #12), and so on. It's sort of a catch-all for the things not covered by public key algorithms, key exchange protocols, and Digital Certificate ...

04:18:09 So, What Exactly IS a Key? First off, I'll tell you what a key is NOT: a key is not larger than a breadbox (not usually, anyway); a key is not an encryption algorithm; a passphrase is not a key; a key is not shaped like a key; a key is not a token (but it can be stored on a token); a key is not interchangeable between algorithms; a key is not an indication of trust. These are ...

04:17:59 Making a Key If you have a program like PGP, you make your own key or keys. If you order your keys through a bank-like company called a Certificate Authority, the CA's enrollment software tells your computer to make the key pair, which is then stored on your computer; the private key never needs to leave it. A certificate authority will also send you a file called a Digital Certificate. The digital certificate is not a key itself; it carries your public key, and the CA's signature on it guarantees that you are the ...

04:17:50 The Long and Short of It I'm sure you've heard this before, but you need to make your keys as long as possible. Why? Longer keys are generally much harder to crack; for a symmetric key, each extra bit doubles the number of keys an attacker has to try. Look at it this way: of the house keys shown in Figure 7-1, which do you think would be safer to use? Figure 7-1: Which key would you trust? I'm sure you decided that the key on the far right is the safest because it's longer ...

04:17:37 Randomness in Keys Is Good I mentioned the randomness of the size and placement of the teeth in a house key. Randomness is also an important issue when it comes to the generation of a key. The encryption program you use has both the encryption algorithm and a random number generator that makes sure the composition of the key is unpredictable; a long key built from a predictable source (a timestamp, a dictionary word) is no stronger than that source. The unpredictability in a key is measured as entropy, and the algorithms used to ...

04:17:30 Storing Your Keys Safely As I mention several times throughout this book, it's not a good idea to keep your keys stored on the hard drive of your desktop computer or your laptop. It's too easy for someone to gain access to those machines and copy or steal your keys. Of course, that person would also have to figure out your passphrase to be able to use the key, but a copied key file can be attacked offline at leisure, so do you consider that good enough ...

04:17:21 Keys for Different Purposes And here you thought keys were just used for encryption and decryption! Not to burst your bubble, but keys are used for many, many different purposes now: signing, key exchange, authentication, and more. This has nothing to do with the algorithm, key length, or passphrase; it's about what the key is going to be used for. I refer to these as different classes of keys. A lot of this has to do with PKI and, to be ...

04:17:13 Keys and Algorithms Just as a key for a Ford truck won't work with your front door lock, keys made for an algorithm are made for that algorithm alone. A key made for the 3DES algorithm will only be able to encrypt and decrypt with 3DES; it can't encrypt or decrypt with Twofish, for example. You usually don't have to worry about that, though, because your encryption program knows which ...

04:17:05 One Key; Two Keys . . . Some encryption algorithms use only one key and others use two. Algorithms that use a single key are called symmetric, and that key is a symmetric key. That doesn't mean that the key is shaped the same on both ends, or that one side looks the same as the other; it simply means that the same key is used to encrypt data and to decrypt data, so both parties have to hold it and both have to keep it secret. Both keys are made of the exact same ...

04:16:53 Trusting Those Keys Remember this: Just because Boris has a key, it doesn't necessarily mean you should trust him! Having a key does not imply trust. It simply means that the person who holds it can encrypt and decrypt data. Even a valid key does not mean that it actually belongs to the person whose name is on it; the name is just a field that whoever created the key filled in. Sounds like a real conundrum, doesn't it? The fact of the matter is that anyone ...

04:16:46 Key Servers One method used to distribute keys (any type of key) is to use a key server. You can set one up for corporate use or you can buy a PKI system from one of the many vendors. Basically, you're dealing with a database with set fields to hold information about the keys, and you use access lists to control who can get which keys. It sounds easy, but it can quickly become a quagmire, ...

04:16:34 E-Mail Encryption Basics When e-mail programs were first created, no one ever conceived that security measures would eventually have to be added to keep people from reading others' mail. The early Internet users were a very naïve group; they tended to believe in the honesty and integrity of people and envisioned the Internet as a self-policing community. Sigh. How wrong they ...

04:16:24 Digital Certificates or PGP Public/Private Key Pairs? This is where most people give up the ghost on using encryption products. They know that keys are involved, but they don't know exactly what they are, how they are created, or what to do with them. They can understand the concept of keys, but when they run into the words Digital Certificate, they tend to run screaming from the room. It's the ...

04:16:15 Using S/MIME S/MIME capabilities are built into most popular e-mail programs because it is a standard for signing and encrypting e-mail. S/MIME uses Digital Certificates for both signing and encrypting. Your Digital Certificate is a "container" for your public key to accomplish these tasks. The private key is not part of the certificate at all: it stays with you, in your mail program's key store (or on a smartcard), normally encrypted under your passphrase, and anyone who can get at that key store can sign and decrypt as you. Exactly ...

04:16:03 Fun and Games with PGP As they used to say in the Monty Python shows, "And now for something completely different." Yes, I'm switching gears on you. This is not just a ploy to keep you awake; it is in recognition of the fact that not everyone uses all Microsoft software. It's also in recognition of the fact that not everyone will have the time and inclination to go to the trouble of registering ...

04:15:44 Other Encryption Stuff to Try In my research for this book, I discovered tons of different encryption programs, plug-ins, and other cool stuff. Unfortunately it was impossible for me to download, install, and test everything I saw. One cool thing is that many of these programs and plug-ins are free! But, just because something is free and is supposed to be secure doesn't necessarily mean it's ...

04:15:31 Why Encrypt Your Data? Before you decide to encrypt your data in storage, you need to ask yourself some questions. Answer truthfully, now: What is the usefulness of your data? Is your data valid? Can you verify the owners/creators of the data? What would it cost you to replace or repair the data? If your data started appearing in bus stops all over the city, would it bother ...

04:15:22 Encrypted Storage Roulette Beware of the term secure storage. Many of the companies offering off-site, secure storage really only offer physical security. They have buildings with steel plates in the walls, electrified fences surrounding the property, access controls on all the doors, and a lot of rent-a-cops. None of that stops an insider, or an attacker who reaches the storage over the network, from reading data that is sitting there unencrypted. This is a good strategy to keep in mind for disaster recovery, but you won't find many ...

04:15:09 Dealing with Integrity Issues So you're saying to yourself that you don't really need to encrypt your data. Okay. You know your business and what's right for you. But have you ever considered that you may need to check the veracity of your applications and data? Did you know that the CEO and CFO of every publicly traded company in the U.S. now have to personally certify their company's financial reports? Yep. It's a federal law (the Sarbanes-Oxley Act of 2002). If their financial ...

04:14:57 Policies and Procedures Before you make any major changes in the way you use your network and resources (and adding encryption is a major step), you shouldn't dive right into a solution before you have prepared your Encryption Policies. I know paperwork is such a drudge, but doing this will also help you decide what your needs really are. The questions you need to address in your policy ...

04:14:48 Examples of Encryption Storage There are many different types of encrypted storage that will serve anyone from home users to major corporations. They range from online encrypted storage "vaults" for individuals to server farms dedicated to encrypted storage. There are also external drives that attach to your computer via FireWire or USB. What you get depends upon what you need, and what you need will ...

04:14:39 Common Authentication Systems There are probably hundreds, if not thousands, of authentication systems on the market. What you need to know is that most of them are based on some core technologies that have been in use for some time now. When you are talking to a vendor about their "new, better, improved" authentication system, ask them what their system is based upon. Chances are that they give ...


04:13:44 Authentication Protocols Now that I've given you a little bit of information about the different types of authentication servers, you should know that there are different methods of authentication that these servers are able to handle. Authentication protocols vary from the very simple (and most common) UserIDs and passwords that we are all familiar with to more complex and sophisticated systems.

04:13:35 How Authentication Systems Use Digital Certificates I've mentioned a couple of times that most authentication systems are able to integrate with PKI systems that use Digital Certificates. What I'm about to tell you is a broad generality, but it is a good description of how this combination works. The variances in implementation are due to differences in how the different vendors have configured their ...

04:13:26 Tokens, Smartcards, and Biometrics Okay. You've decided on which authentication system to use. The next question is: "How are the users going to interact with the system?" Will they only be using Digital Certificates stored on their desktop computers? Or will they use one of the many physical devices intended to augment the authentication system? To help you decide which to use, I'm going to ...

04:13:13 SSL Is the Standard Believe it or not, Secure Sockets Layer is almost ten years old! Given the fact that most people have only discovered the Internet within the past five years, that says a lot. SSL is also the single most widely used form of encryption in the world, and hardly anyone realizes that it even exists. SSL is a stable and mature technology, but that does not necessarily mean that it ...

04:13:02 Time for TLS SSL is a good protocol for protecting and encrypting Web transactions, but it has had its problems. SSL v3 made a lot of changes in the way authentication is handled, and that's the version embedded in most Web browsers at the time of writing. But there's always an opportunity to make things better, and TLS v1 (Transport Layer Security) was created to do just that. (Both SSL v3 and TLS 1.0 have since been formally deprecated; a new deployment should be configured for TLS 1.2 or 1.3 and nothing older.) The user won't notice any ...

04:12:54 Setting Up an SSL Solution There are three basic methods of setting up a secure e-commerce Web site using SSL. First, you can buy a complete SSL solution, including the SSL certificates, from an established vendor. The vendors deliver fully configured servers, and all you have to do is build code into your Web site and put it on the box. Most vendors will also offer Web-building solutions as ...

04:12:44 XML Is the New Kid on the Block XML stands for eXtensible Markup Language, and I predict it will soon be as familiar to builders of Web sites as HTML (HyperText Markup Language) is today. XML's reason for being is to make it easier for systems to exchange structured data; it is not itself a security layer, although companion standards (XML Signature and XML Encryption) add signing and encryption to XML documents. It does this by letting you define new tags, and these tags not only define ...

04:12:36 Going for Outsourced E-Commerce Sometimes you'll find that it's easier and more economical to have the experts do something for you rather than to try to do it yourself. When you decide to outsource e-commerce to a co-location Web hosting service, the agreement is the most important item to get straight. The agreement should answer all of your questions and tell you what guarantees are made by ...

04:12:25 How Do VPNs Work Their Magic? First of all, the data is chopped into chunks called packets (the network does this anyway), and the VPN then encrypts each packet so that no one other than the intended recipients can read it. Each packet carries headers with information about the size and type of data, plus fields used to check the authentication and integrity of the data. This is a security measure that ensures that the data ...

04:12:17 Setting Up a VPN Generally, you'd use a VPN for three different types of security. Keeping secrets within a company: for this you would use an intranet, which is a common network infrastructure across various physical locations; for example, several offices within one building or several buildings may be connected to a data center. With this type of VPN you can segregate departmental ...

04:12:09 Various VPN Encryption Schemes As you may have figured out by now, not all VPNs are created equal, and this applies to their encryption techniques as well. In the Internet world of competing standards, VPNs are no exception: the vendors all tout their solutions as the best. However, some standards have become standard options. These are the VPN protocols that handle authentication, tunneling, and ...

04:11:59 Which Is Best? I wish I could give you an absolute answer on that, but asking "Which is best?" is like asking "How long is a piece of string?" The answer for both these questions is that it depends. There are so many variables in networks, operating systems, and applications, it's almost impossible to give you an answer without knowing all the details of each and every network configuration ...

04:11:49 Testing, Testing, Testing Let's say you've done your research, paid your money, and set up your VPN. All is right with the world, right? Well, maybe. Did you remember to test your system to make sure that it's really doing what it is supposed to do? That's an important step that many organizations forget about. It doesn't matter that you've implemented a good encryption algorithm and have long, ...

04:11:40 Why WEP Makes Us Weep There are a number of inadequacies in WEP that make it difficult to use and easy to configure incorrectly. You can tell the Access Point to enable WEP, but if you don't manually configure all the wireless network cards on the desktop and laptop computers, it won't work, and you won't know it's not working. Worse, the configuration problems are the least of it: WEP's encryption itself has been thoroughly broken, and the practical advice today is to replace it with WPA2 or WPA3 rather than try to set it up properly. There are no dialog boxes or error messages that tell you that ...

04:11:30 WEP Attack Methods When the majority of people logged on to networks via modems, hackers created software that automatically had their computer dial thousands of phone numbers in a series, looking for a modem to answer. These programs were called war dialers. Taking a page from that book, hackers and freeloaders looking for wireless access points now engage in war driving, war walking, ...

04:11:19 Wireless Protection Measures Here's a quick and dirty listing of some of the important (and fairly easy) things you can do to make your network less visible to war drivers and to implement WEP or other encryption schemes. Look for rogue access points: because wireless access points are very cheap, the temptation for employees to install their own access point is very high. In fact, they may be ...

04:11:02 The Center for Democracy and Technology www.cdt.org/crypto is a non-profit organization which lobbies the government on cryptography issues, in particular the right of citizens to use strong encryption to protect their work and/or their networks. It's interesting reading, as the U.S. government has historically regarded strong encryption as a "munition" and controls its export. If you do business ...

04:10:52 SSL Review The site used to be called WhichSSL.org and has recently changed its name to SSL Review. The URL is www.sslreview.com, and it gives you all you need to know, and more, about SSL. One of my favorite parts of this site is the side-by-side review of the major digital certificate vendors, which includes the costs and other factors.

04:10:45 How IPsec Works Although this site is actually part of Cisco's main site and is Cisco-specific in its explanations, it has some very good information for those of you considering implementing IPsec. The URL is a long one, so here it goes: www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a0080094203.shtml. Because IPsec hasn't been as widely implemented as the vendors (and security ...

04:10:35 Code and Cipher www.certicom.com/resources/codeandcipher/volume1/issue1/index.php is Certicom's educational newsletter on what's new in cryptography. You can subscribe to their newsletter, which comes out quarterly, to keep up with the latest trends and vulnerabilities.

04:10:25 CERIAS: Center for Education and Research in Information Assurance and Security www.cerias.purdue.edu/about/history/coast_resources/cryptography has plenty of links to white papers, reports, studies, techniques, and products and vendors. CERIAS is a well-respected organization at Purdue University and is a wonderful resource for other security-related subjects as well.

04:10:17 The Invisible Cryptologists: African Americans, WWII to 1956 www.nsa.gov/wwii/papers/invisible_cryptologists.htm is a project by the NSA (National Security Agency) to let us in on declassified information. I found the chapters of this section about some of our unsung heroes of WWII and the Cold War particularly interesting.

04:10:09 Bruce Schneier www.schneier.com. No book on cryptography would be complete without mention of Bruce Schneier, one of the most well-known cryptographers of the age. His books are almost required reading for those who are serious about the subject, and you can subscribe to his newsletter, Crypto-Gram, online.

04:10:02 North American Cryptography Archives www.cryptography.org first has you fill out a form stating that you are an American and that you will not be exporting information about strong encryption overseas. From there you are presented with a smorgasbord of links and information about algorithms, history, books, research, you name it. It would take you weeks to go through all the information on this ...

04:09:54 RSA's Crypto FAQ www.rsasecurity.com/rsalabs/faq/index.html has everything from basic information to highly technical and complex papers; take your pick! RSA is one of the most respected vendors of cryptographic software and encryption solutions, and they have tons of how-to information. I find that getting the information you need from their site is a bit difficult via their navigation ...

04:09:44 Trusted Third Party This refers to a Certificate Authority or similar entity that both sides of a transaction have agreed to trust to vouch for public keys: it verifies who a key belongs to, signs a certificate saying so, and stores and distributes those certificates. Some well known trusted third parties are VeriSign, RSA, and Entrust. There are many more commercial Certificate Authorities, but you can also set one up for your own use within your organization.

04:09:34 X.509 Certificates This is a standardized format for digital certificates. Since certificate servers are basically databases, it made sense that all certificates contain the same fields for information, making it easier for the certificate servers to manage the storage and distribution of certificates. A certificate that complies with the X.509v3 standard will contain the following information: the version, a serial number (unique per issuer), the signature algorithm, the issuer's name, a validity period (not before / not after), the subject's name, the subject's public key information, and optional v3 extensions such as key usage and subject alternative names, all covered by the issuer's signature.

04:09:26 Rubber Hose Attack When an algorithm is considered practically unbreakable, someone will always remind you that it is susceptible to a rubber hose attack. What? In simple terms, a rubber hose attack simply means beating up your adversary with a rubber hose (or other threatening object) until he/she breaks and gives you the secret key or password. Inelegant, but effective (not that I recommend it, ...

04:09:19 Shared Secret When two or more parties use the same key for encryption and decryption. Symmetric algorithms use a shared key for this purpose.

04:09:12 Key Escrow To many, "escrow" is a bad word, but it needn't be. You are probably familiar with the escrow process when buying a house: a neutral third party holds money or documents "just in case" they are needed. Key escrow is the secure storage of a copy of a person's private key and/or passphrase with a trusted party "just in case" it is needed. Say an important person in a company suffers a medical emergency and is unable to communicate ...

04:09:05 Initialization Vector Even with good algorithms we need to make sure that there is no way two encrypted messages begin with the same sequence of characters. For example, if every encrypted message began with the characters 234kngaeo9i, it could give an attacker enough information to begin cracking the messages, and with a stream or counter-mode cipher, reusing the same starting point under the same key lets him cancel the key out entirely by XORing two ciphertexts together. The fresh starting value fed to the cipher for each message is the initialization vector (IV). It does not have to be secret and usually travels in the clear ahead of the ciphertext, but it must never repeat under the same key (and for CBC mode it must also be unpredictable). The trick, then, is to make sure that all encrypted messages begin with a unique sequence ...
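The leak the Initialization Vector entry describes, shown in working code as an added example (this is not code from the book or from this blog). The cipher below is a counter-mode construction that uses HMAC-SHA256 as its keystream generator, standing in for a real cipher such as AES-CTR so that the block runs with the Python standard library alone; the two sales messages are constructed for the demonstration. It also illustrates the shared-secret idea from the Shared Secret and One Key; Two Keys entries, since one key and one function both encrypt and decrypt. With a fixed IV, two messages that start the same way produce ciphertexts that start the same way, and XORing the two ciphertexts cancels the key out; with a fresh random IV prefixed to each message, neither leak appears.

```python
import hashlib
import hmac
import secrets

BLOCK = 32                    # one HMAC-SHA256 output = one keystream block
IV_LEN = 16
FIXED_IV = b"\x00" * IV_LEN   # the "every message starts the same way" mistake


def keystream_block(key: bytes, iv: bytes, counter: int) -> bytes:
    """Keystream block i = HMAC-SHA256(key, iv || i).

    A PRF in counter mode; stands in here for a real block cipher in CTR mode."""
    return hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with the keystream derived from (key, iv).

    Symmetric: the same call encrypts and decrypts, as with any shared-secret cipher."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, iv, i // BLOCK)
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt_with_random_iv(key: bytes, data: bytes) -> bytes:
    """Correct usage: a fresh IV per message, sent in the clear in front of the ciphertext.

    The IV need not be secret; it must simply never repeat under the same key."""
    iv = secrets.token_bytes(IV_LEN)
    return iv + ctr_crypt(key, iv, data)


def decrypt_with_random_iv(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return ctr_crypt(key, iv, body)


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes on which a and b agree (what an eavesdropper can compare)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    key = secrets.token_bytes(32)   # shared secret known to sender and receiver only
    # Constructed sample messages: identical up to the figure itself.
    m1 = b"Projected sales figures: Q1 = 1200000"
    m2 = b"Projected sales figures: Q1 = 9999999"

    # Mistake: same key, same IV for both messages.
    c1 = ctr_crypt(key, FIXED_IV, m1)
    c2 = ctr_crypt(key, FIXED_IV, m2)

    # Correct: fresh IV for each message.
    r1 = encrypt_with_random_iv(key, m1)
    r2 = encrypt_with_random_iv(key, m2)

    return {
        "plaintext_prefix": common_prefix_len(m1, m2),
        # equal-prefix leak: ciphertexts agree exactly as far as the plaintexts do
        "fixed_iv_prefix": common_prefix_len(c1, c2),
        # keystream cancels: c1 xor c2 == m1 xor m2, no key needed
        "fixed_iv_xor_leaks_plaintext": xor_bytes(c1, c2) == xor_bytes(m1, m2),
        "random_iv_prefix": common_prefix_len(r1[IV_LEN:], r2[IV_LEN:]),
        "random_iv_xor_leaks_plaintext": xor_bytes(r1[IV_LEN:], r2[IV_LEN:]) == xor_bytes(m1, m2),
        "roundtrip_ok": decrypt_with_random_iv(key, r1) == m1 and decrypt_with_random_iv(key, r2) == m2,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The random-IV ciphertext is 16 bytes longer than the message because the IV rides along in the clear; that is the normal cost of doing it right. The key-cancelling leak is the same reason nonce reuse is fatal for any stream or counter-mode cipher, whatever the underlying algorithm.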

04:08:57 Alice, Bob, Carol, and Dave These names represent the cryptographers' convention for identifying who sends the message, who receives the message, who intercepts the message, and so on. Instead of saying "A sends a message to B" and so forth, cryptographers have personalized the process by stating that "Alice sends a message to Bob." I chose to break with convention in this book and use Boris and ...

04:08:48 Secret Algorithm Run, hide, and don't deal with anyone who promises to protect your data by using a "secret" algorithm. Cryptographers found out a long time ago that it was better to make their algorithms public so they could be thoroughly tested without bias (Kerckhoffs's principle: a system should remain secure even when everything about it except the key is public). Many algorithms have been pulled from use after they were published and the testers found problems with them. A secret algorithm has not been ...

04:08:41 Steganography Steganography is similar to cryptography. Cryptography means secret writing, and steganography means covered writing. The trick with steganography is that it hides data in plain sight. How can that be? Some historical steganographic tricks include tiny pin punctures made in selected characters of a newspaper article, or writing in invisible ink. More modern uses of steganography ...

04:08:31 Do Protect Your Key Recovery Database and Other Key Servers to the Greatest Extent Possible You know what a gut-wrenching feeling it is to discover that you have lost your key ring: your house keys, car keys, mailbox key, key to your mother's condo, key to your pied-à-terre in the south of France. When you lose your keys you just know that someone is going to steal your car and enter your ...

04:08:23 Don't Store Your Private Keys on the Hard Drive of Your Laptop or Other Personal Computing Device For the same reason that you need to secure your key servers in the company office, you need to make sure that people's private keys are adequately protected on their workstations and laptops. Laptops are particularly vulnerable to theft and, if the private key is left on the hard drive in a default ...

04:08:15 Do Make Sure Your Servers' Operating Systems Are "Hardened" before You Install Cryptological Systems on Them All operating systems, as they come installed from the factory, have numerous security holes in them. "Hardening" the operating system means changing all the vulnerable default settings, removing services you don't need, and installing the security patches that come from the vendors. Some operating systems are better than ...

04:08:03 Do Train Your Users against Social Engineering Social engineering is just a euphemism for "con job," and it happens every day. Employees get calls from someone purporting to be from the IT department and are asked to give up their passphrases and keys, amongst other things. Employees do this because they are afraid to challenge authority. Give your employees permission to challenge anyone who ...

04:07:53 Do Create the Largest Key Size Possible Most cryptosystems give you the option of creating keys of almost any size, starting with 40 bits and working up to over 4,000 bits. The difference in protection is like the difference in strength between a nylon cable tie and a reinforced steel lock. Which would you choose to lock up a bike, for example? (Compare sizes only within one algorithm family: a 4,096-bit RSA key and a 256-bit AES key are both large for their kind, while a 40-bit symmetric key can be brute-forced on ordinary hardware.) I don't know why vendors give you the choice of ...

04:07:44 Do Test Your Cryptosystem after You Have It Up and Running Most people are content to set up an encryption program and just leave it at that. What they forget to check is that the system actually encrypts data correctly. One common problem is that the encryption program is not creating initialization vectors that are random enough, or that are unique from message to message. Check with your vendor for software to test ...

04:07:36 Do Check the CERT Advisories and Vendor Advisories about Flaws and Weaknesses in Cryptosystems SSH v.2 has been considered for years to be one of the most effective means of encrypting occasional remote communications. Given that, the number of security vulnerabilities found recently in its implementations is really surprising. What that tells us, however, is that just because something is free of vulnerabilities or ...

04:07:26 Don't Install a Cryptosystem Yourself If You're Not Sure What You Are Doing As with any program installation, if you don't know what you are doing, you can really muck up the program badly. Usually there are numerous dialog questions to answer during the installation, as well as directory locations and other decisions to make. With a cryptosystem this is not the time to chuck the manual and try to ...

04:07:18 Don't Use Unknown, Untested Algorithms As I have mentioned before, if an algorithm is unknown or secret, that means it hasn't been tested to see if it can be broken or not. If you come across an algorithm you've never heard of before, do some research on the Internet to see if anyone else of note is using it. Believe me, if you want opinions on something, the Internet is the place to find ...

04:07:05 If Someone Sends You an Encrypted Message, Reply in Kind There's a reason the person sent you the message in an encrypted format, even though it may not be evident to you. Respect your friend's efforts by replying with an encrypted message.

04:06:56 Don't Create Too Many Keys Especially with PGP, those of us who use it often search key servers for keys for the people we want to send something to, only to find that there are 3 gazillion keys for that person. Finding out which one to use is a real pain. Therefore, if you are using public/private keys, please make sure that you keep the number of keys you use to a minimum and make it easy for ...

04:06:48 Don't Immediately Trust Someone Just Because He/She Has a Public Key Anyone can generate a pair of keys, especially with PGP. Just because you see the public key of someone you know, or someone you wish to correspond with, doesn't necessarily mean that key really belongs to that person. You should always verify, verify, verify keys with your correspondents (compare the key's fingerprint over a channel you already trust, such as in person or by phone) before you send encrypted messages to ...

04:06:41 Always Back Up Your Keys and Passphrases Losing your keys and your passphrases is a royal pain for everyone involved. Always, always, always back up your keys and your passphrases to some type of removable media. (And don't keep the passphrases and the keys on the same drive, floppy, or CD; keep that media offline and physically locked up, because an unencrypted backup is as good as the original to anyone who finds it.) Save your keys and passphrases as plain, ordinary text files (.txt) without fancy formatting and name them ...

04:06:32 Be Wary of What You Put in the Subject Line of Encrypted Messages The point of this is to not draw unnecessary attention to the message. Subject lines, like the rest of the mail headers, are not encrypted, so anyone who can see the traffic can read them. If the encrypted message contains the projected sales figures for a new product, don't put in the subject line, "Projected Sales Figures for Next Year." You're only asking for trouble if you do that. Use a phrase that is meaningful to you and your recipient, but

04:06:24 If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible Nothing is more frustrating to the sender and receiver than to exchange messages that can't be decrypted. It's a waste of time and effort, too. If you lose your key or your passphrase, revoke your key as soon as possible. Because revoking a PGP key requires the private key, generate a revocation certificate when you create the key and keep it with your backups; otherwise a lost passphrase means you cannot revoke at all. Key servers won't always update this information immediately, so you should also notify the people

04:06:15 Don't Publish Someone's Public Key to a Public Key Server without His/Her Permission If a person has not published his or her key on a public key server, there may be a reason for this. Don't assume the person forgot and do it for him or her. That person owns the key; let him or her do with it what he/she pleases. Bear in mind that a key uploaded to the traditional key servers cannot be deleted afterwards, only revoked.

04:06:06 Don't Sign Someone's Public Key Unless You Have Reason To This pertains to PGP more than anything else. If you were to search for Phil Zimmermann's key and then look at all the people who have signed his key, the list is enormous. If you talk to Phil, he'll admit that he has no idea who most of these people are. Your signature is a statement that you have checked that the key belongs to the person named in it, so the only reason you should be signing someone's public key is either because that

04:05:58 If You Are Corresponding with Someone for the First Time, Send an Introductory Note Along with Your Public Key If you are intending to send an encrypted file or message to someone who is not expecting anything from you (maybe you've never contacted this person before), send an introductory message with your public key and explain what you are sending and why. Give the person

04:05:47 Be Circumspect in What You Encrypt You don't need to encrypt everything you send. If it's just a friendly message saying "Hi, how are you?" chances are that you can forget sending it encrypted. Bear in mind, though, that if the only messages you ever encrypt are the sensitive ones, an observer can tell at a glance which ones are worth attacking.

04:05:37 GAIM GAIM is an open-source instant messaging client that speaks AIM, ICQ, IRC, MSN, Jabber, and more from one program; with its encryption plug-in (Gaim-Encryption) it will encrypt your online chatter so that people reading the traffic can't see what you write. Download this neat little puppy at http://gaim.sourceforge.net (Please note that there is no "www" in the URL.) The project was later renamed Pidgin.

04:05:29 madeSafe Vault This is an online privacy and encryption vault in which to store your most sensitive files. The company also makes a number of home and small-business products which are sold mainly as "privacy" products but really are encryption products. One of the neat things their products do is, after the data is encrypted, store it in various places on the hard drive and not

04:05:22 Password Safe This is a cool little bit of software, and free, that will store all those thousands of passwords in one place and keep them encrypted so no one can steal them. It was written by the well-known cryptographer Bruce Schneier, who has since turned it over to an open-source project, so the source code is available for others to review and change as required. You can get this program at

04:05:14 Kerberos This is one of the authentication systems I told you about earlier in this book: a ticket-based protocol in which a trusted key distribution center authenticates users and services, so passwords never cross the network. It's free and it's also built into many off-the-shelf products, including Windows 2000 and Windows XP. If you want to give it a try yourself, please read the FAQ first (www.faqs.org/faqs/kerberos-faq/general). After you've at least perused the FAQ and gotten a feel for what Kerberos is all about, then go to

04:05:05 OpenSSL and Apache SSL If you are planning on creating a Web site for e-commerce, then SSL is a must. The OpenSSL toolkit is available at www.openssl.org, where there's everything you need, including a FAQ, instructions, and download sites. The Apache software group's Web server has for years been the most widely deployed on the Internet, on UNIX and Windows machines alike, and its mod_ssl module uses OpenSSL to add SSL to it. Also check out

04:04:56 SafeHouse SafeHouse has made drive encryption programs for Windows platforms for years. This is a cool product because the encryption and decryption is "invisible" to the user: there's no need to mount or unmount a special drive or partition, the product does it all for you. They also have a free version for you to try out. www.pcdynamics.com/SafeHouse.

04:04:47 WebCrypt If you have a Web site or are in the business of creating Web sites, then you know how easy it is for people to copy your code and your pictures. The WebCrypt product scrambles your Web pages so all your hard work isn't just thrown out the window. Bear in mind that the visitor's browser must still be able to unscramble the page to display it, so this deters casual copying rather than a determined reader. Check them out at www.moonlight-software.com/webcrypt.htm. The product works on Windows, Macs, and Linux platforms.

04:04:38 Privacy Master This is an easy-to-use program for home users to encrypt any private information and to set the level of security for files and documents. Privacy Master used to be known as PrivacyMaker and is sold through a new company. You can find it at www.secureaction.com/encryption.

04:04:30 Advanced Encryption Package This is too cool! You can send an encrypted file to someone even if that person doesn't have the same encryption package you have! This program creates self-extracting encrypted files that you can send to others. (Because the recipient has to run an attached executable, which is also how mail-borne malware arrives, agree on this with the recipient beforehand.) There are lots of other features, too. Available at www.secureaction.com/encryption.

04:04:17 Known Plaintext Attack Basically, this attack means that you know what some of the plaintext is in the encrypted data and have the matching ciphertext. For example, in an e-mail message, you know that there will be a return e-mail address. If there is a Word document attached to the e-mail, you know that there will be a file with the ".doc" extension somewhere in the ciphertext. Such predictable structure gives the cryptanalyst plaintext/ciphertext pairs to work from; a well-designed modern cipher is expected to withstand this, but weak ciphers and misused ones (a reused keystream, for instance) are not. The compression programs like PKZip and WinZip

04:04:08 Chosen Ciphertext Attacks In this attack, Boris has somehow acquired some encrypted data and he doesn't know what it means. Usually this data is captured off a network connection with a sniffer. What makes it a chosen-ciphertext attack is that Boris can get ciphertext of his choosing decrypted for him without learning the key (a so-called decryption oracle). One way he might manage this is to send the ciphertext back to the victim and social-engineer the victim into decrypting it and sending it back. With both the ciphertext and plaintext,

04:03:59 Chosen Plaintext Attacks Here the attacker can get plaintext of his choosing encrypted under the victim's key and study the resulting ciphertext. This is stronger than merely knowing some plaintext, because he can pick the inputs that reveal the most about the key. The guessing version is the simplest case: the attacker chooses a bunch of words or phrases that he guesses might appear in the message, has them encrypted, and compares the results to the captured ciphertext; this only works when the cipher turns the same plaintext into the same ciphertext every time. Again, this takes a fair amount of computational energy on the part of the computer (or
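The known-plaintext and chosen-plaintext attacks just described, as an added worked example (this is not code from the original book): a toy stream cipher whose user makes the classic mistake of reusing the keystream for every message. The cipher, the key, the predictable mail header and the messages are all constructed for this example. With known plaintext Boris recovers only as many keystream bytes as he has known plaintext; with a chosen-plaintext oracle he takes the whole keystream in one query.

```python
import hashlib
import itertools


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, nonce, counter), block after block.
    Constructed for this example only; it is not a vetted cipher."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# The victim's mistake (assumed for the example): a fixed nonce, so every
# message is XORed with exactly the same keystream.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
FIXED_NONCE = b"\x00" * 8


def victim_encrypt(plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(SECRET_KEY, FIXED_NONCE, len(plaintext)))


# Constructed sample traffic. KNOWN_HEADER is the kind of boilerplate an
# attacker can predict (mailer headers, a file-format magic number, ...).
KNOWN_HEADER = b"X-Mailer: DummiesMail 1.0\r\nX-Priority: 3\r\n"
SECRET_MSG = b"Merger closes Friday 3pm; board has not been told, keep it quiet."


def known_plaintext_attack(captured: bytes, known_prefix: bytes) -> bytes:
    """Known plaintext: ciphertext XOR known plaintext = keystream, but only
    for as many bytes as the known plaintext covers."""
    return xor(captured[: len(known_prefix)], known_prefix)


def chosen_plaintext_attack(encrypt_oracle, length: int) -> bytes:
    """Chosen plaintext: if Boris can get the victim to encrypt a message he
    picks, an all-zero plaintext hands him the keystream itself."""
    return encrypt_oracle(b"\x00" * length)


def demo():
    # Boris sniffs two messages: a routine one that starts with KNOWN_HEADER
    # and the one he actually cares about.
    c_routine = victim_encrypt(KNOWN_HEADER + b"See attached.")
    c_secret = victim_encrypt(SECRET_MSG)

    # Known plaintext yields len(KNOWN_HEADER) bytes of keystream, which
    # decrypts the secret message only up to that point.
    partial_ks = known_plaintext_attack(c_routine, KNOWN_HEADER)
    partial = xor(c_secret, partial_ks)

    # With an encryption oracle he recovers the whole keystream.
    full_ks = chosen_plaintext_attack(victim_encrypt, len(c_secret))
    full = xor(c_secret, full_ks)
    return partial, full


if __name__ == "__main__":
    partial, full = demo()
    print("known-plaintext recovered :", partial)
    print("chosen-plaintext recovered:", full)
```

The same keystream-reuse flaw is what makes real-world "two-time pad" breaks work; a cipher used correctly (fresh nonce per message, or a block cipher in a proper mode) gives Boris nothing from either attack.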

04:03:50 The Birthday Attack Did you know that if you gather 23 people in a room, the chances of two of them having the same birthday is greater than 50 percent? It's one of those strange but true facts that seem impossible. In cryptography, when two different inputs produce the same hash value (or an algorithm produces the same key or ciphertext string more than once), it's called a collision, and the same mathematics means a hash with an n-bit output can be expected to yield a collision after only about 2^(n/2) trials rather than 2^n. Cryptanalysts rely upon the fact that there are bound to be
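An added example of the birthday bound (my code, not the book's): the 23-people calculation next to an actual collision search against a hash that has been truncated to 32 bits so the search finishes in a moment. The "documents" are constructed strings; the truncation stands in for any digest that is too short, and the trial count shows that collisions arrive after roughly 2^16 attempts, not 2^32.

```python
import hashlib


def birthday_probability(people: int, days: int = 365) -> float:
    """Probability that at least two of `people` share a birthday."""
    all_distinct = 1.0
    for i in range(people):
        all_distinct *= (days - i) / days
    return 1.0 - all_distinct


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits, standing in for a short digest.
    The full 256-bit SHA-256 would need about 2**128 trials for the same attack."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash constructed candidate documents until two different ones collide.
    Returns (doc_a, doc_b, trials). Expected trials: about 2**(bits/2)."""
    seen = {}
    trials = 0
    while True:
        doc = b"Contract revision %d" % trials   # constructed input
        trials += 1
        h = truncated_hash(doc, bits)
        if h in seen:
            return seen[h], doc, trials
        seen[h] = doc


if __name__ == "__main__":
    print("23 people share a birthday with p =", round(birthday_probability(23), 4))
    a, b, n = find_collision(32)
    print("32-bit collision after", n, "trials:", a, "and", b)
```

This is why collision resistance is quoted at half the digest length (SHA-256 offers 128-bit collision resistance) and why an attacker who can get a victim to sign one of many harmless-looking variants of a document is dangerous: he only needs two variants that collide, not a preimage.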

04:03:41 Man-in-the-Middle Attack This is perhaps the most famous of all attacks and it is carried out quite frequently with some success. This attack is possible with public/private key encryption and SSL transactions whenever the public keys being exchanged are not authenticated: the attacker substitutes his own keys, so each party unknowingly shares a key with him rather than with the other. Scary, huh? A MITM (man-in-the-middle) attack is done by sitting on the network and monitoring traffic between two people (or two computers). You can sniff and capture the traffic and,
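An added example (not from the book) tying this to the "verify, verify, verify" advice above: an unauthenticated Diffie-Hellman exchange in which Mallory substitutes her own public values, followed by the out-of-band fingerprint comparison that catches her. The group parameters are a constructed toy (a 127-bit Mersenne prime, far too small for real use) and the "phone call" is simulated by comparing fingerprints directly; everything else is the real arithmetic.

```python
import hashlib
import secrets

# Constructed toy parameters so the numbers stay readable. 2**127 - 1 is prime,
# but real deployments use a standardised 2048-bit+ group or an elliptic curve.
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """Short digest of a public value: the thing you read out over the phone."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def run_exchange(mallory_active: bool) -> dict:
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    if mallory_active:
        # Mallory swaps in her own public values in both directions.
        ma_priv, ma_pub = dh_keypair()   # what Alice receives as "Bob's" key
        mb_priv, mb_pub = dh_keypair()   # what Bob receives as "Alice's" key
        alice_received, bob_received = ma_pub, mb_pub
        mallory_alice = dh_session_key(ma_priv, a_pub)
        mallory_bob = dh_session_key(mb_priv, b_pub)
    else:
        alice_received, bob_received = b_pub, a_pub
        mallory_alice = mallory_bob = None

    alice_key = dh_session_key(a_priv, alice_received)
    bob_key = dh_session_key(b_priv, bob_received)

    # Out-of-band check: each side reads out the fingerprint of the key it
    # received, and the other confirms it matches the key it actually sent.
    # Mallory sits on the network, not on the phone line.
    verified = (fingerprint(alice_received) == fingerprint(b_pub)
                and fingerprint(bob_received) == fingerprint(a_pub))
    return {
        "keys_agree": alice_key == bob_key,
        "mallory_can_read_alice": mallory_alice == alice_key,
        "mallory_can_read_bob": mallory_bob == bob_key,
        "fingerprints_verified": verified,
    }


if __name__ == "__main__":
    print("honest wire :", run_exchange(False))
    print("Mallory MITM:", run_exchange(True))
```

With Mallory active, Alice and Bob each end up sharing a key with her and she can decrypt, read and re-encrypt everything in between; only the fingerprint comparison (or, in SSL, a certificate signed by a CA the client actually trusts) exposes the substitution. That is also why clicking through a browser's certificate warning hands an attacker exactly this position.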

04:03:30 Timing Attacks This is a bit obscure, but you can also break crypto by watching the amount of time a system takes to perform its private-key operations (decrypting or signing). If Boris captures enough traffic over a long period of time and then computes the differences in timing, it will give him enough data to start figuring out the key, because a naive implementation takes slightly longer for some key bits than for others. In 1995, a 22-year-old cryptographer, Paul Kocher, did that to the RSA algorithm and quickly made headline
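An added illustration of the principle behind timing attacks (my example, not the book's), using the simplest leaky operation there is: a byte-by-byte comparison of a secret token or MAC that gives up at the first mismatch. Instead of wall-clock time, which is noisy, the oracle reports how many bytes it examined; that count is what an attacker's timing measurements amount to once enough samples are averaged. The secret is constructed for the example.

```python
def leaky_compare(secret: bytes, guess: bytes):
    """Byte-by-byte compare that stops at the first mismatch.
    Returns (equal, bytes_examined); the second value stands in for the
    elapsed time an attacker would measure on the wire."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes):
    """Always touches every byte, so the work does not depend on where the
    first mismatch is. (In production use hmac.compare_digest.)"""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        diff |= s ^ g
    return diff == 0, examined


# Constructed secret, e.g. an API token or the MAC a server checks.
SECRET = b"s3cr3t-mac-value"


def leaky_oracle(guess: bytes):
    return leaky_compare(SECRET, guess)


def safe_oracle(guess: bytes):
    return constant_time_compare(SECRET, guess)


def recover_secret(oracle, length: int) -> bytes:
    """Boris's attack: for each position try all 256 bytes and keep the one
    that makes the check take longest, i.e. the one that got past that byte."""
    guess = bytearray(length)
    for pos in range(length):
        best_byte, best_work = 0, -1
        for candidate in range(256):
            guess[pos] = candidate
            equal, work = oracle(bytes(guess))
            if equal:
                return bytes(guess)
            if work > best_work:
                best_byte, best_work = candidate, work
        guess[pos] = best_byte
    return bytes(guess)


if __name__ == "__main__":
    print("against leaky compare   :", recover_secret(leaky_oracle, len(SECRET)))
    print("against constant-time   :", recover_secret(safe_oracle, len(SECRET)))
```

Against the leaky oracle the secret falls in at most 256 guesses per byte instead of 256 to the power of its length; against the constant-time version every guess costs the same and the attack learns nothing. Kocher's RSA attack exploited the same idea at the level of modular exponentiation, where the work done depends on individual key bits.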

04:03:20 Rubber Hose Attack And now, for something completely different! If you don't have the computing power or the time to try a brute force attack, that is, trying every possible key there could possibly be, you can always revert to the rubber hose attack. This is quite easy, but I strongly recommend against it because it entails using a length of rubber hose to beat the

04:03:10 Electrical Fluctuation Attacks This is a relatively new method of attack, better known as power analysis, and it's very similar to the timing attack. Instead of gathering data to deduce the amount of time it takes to encrypt the data, a power analysis attack measures the small fluctuations in a device's power consumption while it works with the key; statistical analysis of many such traces (differential power analysis) reveals the key bits, and smart cards are the classic target. This was published in 1998 by the same fellow who figured out how to conduct timing

04:02:59 Major Boo-Boos The number one boo-boo that people make when implementing encryption software or other crypto systems is that they forget to adequately protect the keys! Administrators have been found to leave encryption keys on Web servers, in directories that allow anyone to access them. Keys are also often stored on desktops and laptops in default locations, on servers, and on databases. Private keys belong outside any directory the Web server serves, readable by the service account alone (or better still, inside a hardware token). If
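An added example of the check an administrator can run for the boo-boo above (my code, not the book's): walk a directory tree, spot files that carry a private-key marker, and report whether anyone besides the owner can read them. The fixture it scans is constructed in a temporary directory with placeholder key bodies, so it runs offline; the "passphrase_protected" flag is a heuristic based on the PEM header and is no substitute for moving the key.

```python
import os
import stat
import tempfile

# PEM / ASCII-armor markers that identify private key material on disk.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----",
)


def find_private_keys(root: str, max_bytes: int = 65536) -> list:
    """Walk `root`, find files containing a private-key marker, and report
    whether anyone other than the owner can read them."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue
            if not any(marker in head for marker in PRIVATE_KEY_MARKERS):
                continue
            mode = os.stat(path).st_mode
            findings.append({
                "path": os.path.relpath(path, root),
                "world_readable": bool(mode & stat.S_IROTH),
                "group_readable": bool(mode & stat.S_IRGRP),
                # Heuristic: encrypted PKCS#8 and legacy PEM both say ENCRYPTED.
                "passphrase_protected": b"ENCRYPTED" in head,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree() -> str:
    """Constructed fixture: a web root with a key left world-readable next to
    the pages, and a properly locked-down key elsewhere. The key bodies are
    placeholders, not real keys."""
    root = tempfile.mkdtemp(prefix="keyscan-")
    os.makedirs(os.path.join(root, "www"))
    os.makedirs(os.path.join(root, "etc"))
    files = {
        "www/index.html": (b"<html>hello</html>\n", 0o644),
        "www/site.key": (
            b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
            0o644),
        "etc/server.key": (
            b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
            0o600),
    }
    for rel, (body, mode) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def demo_scan() -> list:
    """Build the fixture and scan it; returns the sorted findings."""
    return find_private_keys(build_demo_tree())


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Run it against a real document root and against the home directories of anyone who administers the server; a key inside the document root is a problem regardless of its permissions, because the Web server itself can be tricked into serving it.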

04:02:48 A5 The family of stream ciphers (A5/1, A5/2) used to encrypt calls on GSM telephones. These telephones are mainly sold in Europe. AES Advanced Encryption Standard. A block cipher, designed by Joan Daemen and Vincent Rijmen, that was chosen in 2000 through an open competition among the world's cryptographers. It is approved for government use by NIST and is assumed to be good for the next 20 years before a replacement needs to be found. Also known as Rijndael (rine-doll) for

04:02:23 Appendix C: Encryption Export Controls In This Appendix Getting down to the nitty-gritty of export controls In times of war, the military and the government use encrypted messaging and file transfers to exchange data to and from the war zones. In addition, almost all diplomatic messages are sent encrypted to protect the national interests. Cryptography played a huge role in World War II and


