Cryptography For Dummies

About the Book

  • Cryptography is the most effective way to achieve data security and is essential to e-commerce activities such as online shopping, stock trading, and banking.
  • This invaluable introduction to the basics of encryption covers everything from the terminology used in the field to specific technologies to the pros and cons of different implementations.
  • Discusses specific technologies that incorporate cryptography in their design, such as authentication methods, wireless encryption, e-commerce, and smart cards.
  • Based entirely on real-world issues and situations, the material provides instructions for already available technologies that readers can put to work immediately.
  • Expert author Chey Cobb is retired from the NRO, where she held a Top Secret security clearance, instructed employees of the CIA and NSA on computer security, and helped develop the computer security policies used by all U.S. intelligence agencies.

Table of Contents:
Introduction
  • About This Book
  • How to Use This Book
  • What You Don’t Need to Read
  • Foolish Assumptions
  • How This Book Is Organized
  • Part I: Crypto Basics & What You Really Need to Know
  • Part II: Public Key Infrastructure
  • Part III: Putting Encryption Technologies to Work for You
  • Part IV: The Part of Tens
  • Part V: Appendixes
  • Icons Used in This Book
  • Where to Go from Here

Part I: Crypto Basics & What You Really Need to Know

Chapter 1: A Primer on Crypto Basics
  • It’s Not about James Bond
  • Go with the rhythm
  • Rockin’ the rhythm
  • Getting to Know the Basic Terms
  • What Makes a Cipher?
  • Concealment ciphers
  • Substitution ciphers
  • Transposition ciphers
  • Hash without the corned beef
  • XOR what?
  • Breaking Ciphers
  • Not-so-secret keys
  • Known plaintext
  • Pattern recognition
  • What a brute!
  • Cryptosystems
  • Everyday Uses of Encryption
  • Network logons and passwords
  • Secure Web transactions
  • ATMs
  • Music and DVDs
  • Communication devices
  • Why Encryption Isn’t More Commonplace
  • Difficulty in understanding the technology
  • You can’t do it alone
  • Sharing those ugly secrets
  • Cost may be a factor
  • Special administration requirements

Chapter 2: Major League Algorithms
  • Beware of “Snake Oil”
  • Symmetric Keys Are All the Same
  • The key table
  • Key generation and random numbers
  • Protecting the Key
  • Symmetric Algorithms Come in Different Flavors
  • Making a hash of it
  • Defining blocks and streams
  • Which is better: Block or stream?
  • Identifying Symmetric Algorithms
  • DES
  • Triple DES
  • IDEA
  • AES
  • Asymmetric Keys
  • RSA
  • Diffie-Hellman (& Merkle)
  • PGP
  • Elliptical Curve Cryptography
  • Working Together

Chapter 3: Deciding What You Really Need
  • Justifying the Costs to Management
  • Long-term versus short-term
  • Tangible versus intangible results
  • Positive ROI
  • Government due diligence
  • Insurers like it!
  • Presenting your case
  • Do You Need Secure Communications?
  • Secure e-mail
  • Instant Messaging (IM)
  • Secure e-commerce
  • Online banking
  • Virtual Private Networks (VPNs)
  • Wireless (In)security
  • Do You Need to Authenticate Users?
  • Who are your users?
  • Authentication tokens
  • Smart cards
  • Java tokens
  • Biometrics
  • Do You Need to Ensure Confidentiality and Integrity?
  • Protecting Personal Data
  • What’s It Gonna Cost?

Chapter 4: Locks and Keys
  • The Magic Passphrase
  • The weakest link
  • Mental algorithms
  • Safety first!
  • Passphrase attacks
  • Don’t forget to flush!
  • The Key Concept
  • Key generation
  • Protecting your keys
  • What to do with your old keys
  • Some cryptiquette

Part II: Public Key Infrastructure

Chapter 5: The PKI Primer
  • What Is PKI?
  • Certificate Authorities (CAs)
  • Digital Certificates
  • Desktops, laptops, and servers
  • Key servers
  • Registration Authorities (RAs)
  • Uses for PKI Systems
  • Common PKI Problems

Chapter 6: PKI Bits and Pieces
  • Certificate Authorities
  • Pretenders to the throne
  • Registration Authorities
  • Certificate Policies (CPs)
  • Digital Certificates and Keys
  • D’basing Your Certificates
  • Certificate Revocation
  • Picking the PKCS
  • PKCS #1: RSA Encryption Standard
  • PKCS #3: Diffie-Hellman Key Agreement Standard
  • PKCS #5: Password-Based Cryptography Standard
  • PKCS #6: Extended-Certificate Syntax Standard
  • PKCS #7: Cryptographic Message Syntax Standard
  • PKCS #8: Private-Key Information Syntax Standard
  • PKCS #9: Selected Attribute Types
  • PKCS #10: Certification Request Syntax Standard
  • PKCS #11: Cryptographic Token Interface Standard
  • PKCS #12: Personal Information Exchange Syntax Standard
  • PKCS #13: Elliptic Curve Cryptography Standard
  • PKCS #14: Pseudo-Random Number Generation Standard
  • PKCS #15: Cryptographic Token Information Format Standard

Chapter 7: All Keyed Up!
  • So, What Exactly IS a Key?
  • Making a Key
  • The Long and Short of It
  • Randomness in Keys Is Good
  • Storing Your Keys Safely
  • Keys for Different Purposes
  • Keys and Algorithms
  • One Key; Two Keys
  • Public/private keys
  • The magic encryption machine
  • The magic decryption machine
  • Symmetric keys (again)
  • Trusting Those Keys
  • Key Servers
  • Keeping keys up to date
  • Policies for keys
  • Key escrow and key recovery

Part III: Putting Encryption Technologies to Work for You

Chapter 8: Securing E-Mail from Prying Eyes
  • E-Mail Encryption Basics
  • S/MIME
  • PGP
  • Digital Certificates or PGP Public/Private Key Pairs?
  • What’s the diff?
  • When should you use which?
  • Sign or encrypt or both?
  • Remember that passphrase!
  • Using S/MIME
  • Setting up S/MIME in Outlook Express
  • Backing up your Digital Certificates
  • Fun and Games with PGP
  • Setting up PGP
  • Deciding on the options
  • Playing with your keyring
  • Sending and receiving PGP messages
  • PGP in the enterprise
  • Other Encryption Stuff to Try

Chapter 9: File and Storage Strategies
  • Why Encrypt Your Data?
  • Encrypted Storage Roulette
  • Symmetric versus asymmetric?
  • Encrypting in the air or on the ground?
  • Dealing with Integrity Issues
  • Message digest/hash
  • MACs
  • HMACs
  • Tripwire
  • Policies and Procedures
  • Examples of Encryption Storage
  • Media encryption
  • Encrypting File System
  • Secure e-mail
  • Program-specific encryption
  • Encrypted backup

Chapter 10: Authentication Systems
  • Common Authentication Systems
  • Kerberos
  • SSH
  • RADIUS
  • TACACS+
  • Authentication Protocols
  • How Authentication Systems Use Digital Certificates
  • Tokens, Smart Cards, and Biometrics
  • Digital Certificates on a PC
  • Time-based tokens
  • Smartcard and USB Smartkeys
  • Biometrics

Chapter 11: Secure E-Commerce
  • SSL Is the Standard
  • A typical SSL connection
  • Rooting around your certificates
  • Time for TLS
  • Setting Up an SSL Solution
  • What equipment do I need?
  • The e-commerce manager’s checklist
  • XML Is the New Kid on the Block
  • Going for Outsourced E-Commerce

Chapter 12: Virtual Private Network (VPN) Encryption
  • How Do VPNs Work Their Magic?
  • Setting Up a VPN
  • What devices do I need?
  • What else should I consider?
  • Do VPNs affect performance?
  • Don’t forget wireless!
  • Various VPN Encryption Schemes
  • PPP and PPTP
  • L2TP
  • IPsec
  • Which Is Best?
  • Testing, Testing, Testing

Chapter 13: Wireless Encryption Basics
  • Why WEP Makes Us Weep
  • No key management
  • Poor RC4 implementation
  • Authentication problems
  • Not everything is encrypted
  • WEP Attack Methods
  • Finding wireless networks
  • War chalking
  • Wireless Protection Measures
  • Look for rogue access points
  • Change the default SSIDs
  • Turn on WEP
  • Position your access points well
  • Buy special antennas
  • Use a stronger encryption scheme
  • Use a VPN for wireless networks
  • Employ an authentication system

Part IV: The Part of Tens

Chapter 14: The Ten Best Encryption Web Sites
  • Mat Blaze’s Cryptography Resource on the Web
  • The Center for Democracy and Technology
  • SSL Review
  • How IPsec Works
  • Code and Cipher
  • CERIAS — Center for Education and Research in Information Assurance and Security
  • The Invisible Cryptologists — African Americans, WWII to 1956
  • Bruce Schneier
  • North American Cryptography Archives
  • RSA’s Crypto FAQ

Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms
  • Military-Grade Encryption
  • Trusted Third Party
  • X.509 Certificates
  • Rubber Hose Attack
  • Shared Secret
  • Key Escrow
  • Initialization Vector
  • Alice, Bob, Carol, and Dave
  • Secret Algorithm
  • Steganography

Chapter 16: Cryptography Do’s and Don’ts
  • Do Be Sure the Plaintext Is Destroyed after a Document Is Encrypted
  • Do Protect Your Key Recovery Database and Other Key Servers to the Greatest Extent Possible
  • Don’t Store Your Private Keys on the Hard Drive of Your Laptop or Other Personal Computing Device
  • Do Make Sure Your Servers’ Operating Systems Are “Hardened” before You Install Cryptological Systems on Them
  • Do Train Your Users against Social Engineering
  • Do Create the Largest Key Size Possible
  • Do Test Your Cryptosystem after You Have It Up and Running
  • Do Check the CERT Advisories and Vendor Advisories about Flaws and Weaknesses in Cryptosystems
  • Don’t Install a Cryptosystem Yourself If You’re Not Sure What You Are Doing
  • Don’t Use Unknown, Untested Algorithms

Chapter 17: Ten Principles of “Cryptiquette”
  • If Someone Sends You an Encrypted Message, Reply in Kind
  • Don’t Create Too Many Keys
  • Don’t Immediately Trust Someone Just Because He/She Has a Public Key
  • Always Back Up Your Keys and Passphrases
  • Be Wary of What You Put in the Subject Line of Encrypted Messages
  • If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible
  • Don’t Publish Someone’s Public Key to a Public Key Server without His/Her Permission
  • Don’t Sign Someone’s Public Key Unless You Have Reason To
  • If You Are Corresponding with Someone for the First Time, Send an Introductory Note Along with Your Public Key
  • Be Circumspect in What You Encrypt

Chapter 18: Ten Very Useful Encryption Products
  • PGP: Pretty Good Privacy
  • Gaim
  • madeSafe Vault
  • Password Safe
  • Kerberos
  • OpenSSL and Apache SSL
  • SafeHouse
  • WebCrypt
  • Privacy Master
  • Advanced Encryption Package

Part V: Appendixes

Appendix A: Cryptographic Attacks
  • Known Plaintext Attack
  • Chosen Ciphertext Attacks
  • Chosen Plaintext Attacks
  • The Birthday Attack
  • Man-in-the-Middle Attack
  • Timing Attacks
  • Rubber Hose Attack
  • Electrical Fluctuation Attacks
  • Major Boo-Boos

Appendix B: Glossary

Appendix C: Encryption Export Controls

Index


Product Details
  • ISBN-13: 9780764568312
  • Publisher: John Wiley & Sons Inc
  • Binding: Digital (delivered electronically)
  • No of Pages: 336
  • ISBN-10: 0764568310
  • Publisher Date: 16 Jan 2004
  • Language: English

