applied cryptography and network security

ABSTRACT:
It’s personal. It’s private. And it’s no one’s business but yours. You may be planning a political campaign, discussing your taxes, or having a secret romance. Or you may be communicating with a political dissident in a repressive country. Whatever it is, you don’t want your private electronic mail (email) or confidential documents read by anyone else. There’s nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution.
But with the coming of the information age, starting with the invention of the telephone, all that has changed. Now most of our conversations are conducted electronically. This allows our most intimate conversations to be exposed without our knowledge. Cellular phone calls may be monitored by anyone with a radio. Email is rapidly replacing postal mail, becoming the norm for everyone, not the novelty it was in the past. And email can be routinely and automatically scanned for interesting keywords, on a large scale, without detection.
Imagine yourself in a situation where you are sitting in your office, faced with the rather mundane task of sending a sales report to a coworker in such a way that no one else can read it. You just want to be sure that your colleague was the actual and only recipient of the email and you want him or her to know that you were unmistakably the sender. It’s not national security at stake, but if your company’s competitor got a hold of it, it could cost you. How can you accomplish this? You can use cryptography. You may find it lacks some of the drama of code phrases whispered in dark alleys, but the result is the same: information revealed only to those for whom it was intended.
When you need to send messages to your coworkers, you don’t trust your messengers. So replace every A in your messages with a D, every B with an E, and so on through the alphabet. Only someone who knew the “shift by 3”rule could decipher your messages.





Simple Digital Signatures

Hash functions:
An improvement on the above scheme is the addition of a one-way hash function in the process. A one-way hash function takes variable-length input—in this case, a message of any length, even thousands or millions of bits—and produces a fixed-length output; say, 160-bits. The hash function ensures that, if the information is changed in any way—even by just one bit—an entirely different output value is produced.
As long as a secure hash function is used, there is no way to take someone's signature from one document and attach it to another, or to alter a signed message in any way. The slightest change in a signed document will cause the digital signature verification process to fail.

Hash Functions

Digital certificates:
In a public key environment, it is vital that you are assured that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a forgery. You could simply encrypt only to those keys, which have been physically handed to you. But suppose you need to exchange information with people you have never met; how can you tell that you have the correct key?
Digital certificates, or certs, simplify the task of establishing whether a key truly belongs to the purported owner.
A digital certificate is information included with a person’s public key that helps others verify that a key is genuine or valid. Digital certificates are used to thwart attempts to substitute one person’s key for another.

• A public key.
• Certificate information.
• One or more digital signatures.
The purpose of the digital signature on a certificate is to state that the certificate information has been attested to by some other person or entity.


Keys:
A key is a value that works with a cryptographic algorithm to produce a specific ciphertext. Keys are basically really, really, really big numbers. Key size is measured in bits; the number representing a 1024-bit key is darn huge. In public key cryptography, the bigger the key, the more secure the cipher text. However, public key size and conventional cryptography’s secret key size are totally unrelated. A conventional 80-bit key has the equivalent strength of a 1024-bit public key. A conventional 128-bit key is equivalent to a 3000-bit public key. Again, the bigger the key, the more secure, but the algorithms used for each type of cryptography are very different and thus comparison is like that of apples to oranges.
Keys are stored in encrypted form.

Validity and trust:

Every user in a public key system is vulnerable to mistaking a phony key (certificate) for a real one. Validity is confidence that a public key certificate belongs to its purported owner. Validity is essential in a public key environment where you must constantly establish whether or not a particular certificate is authentic.

Checking validity:
One way to establish validity is to go through some manual process. There are several ways to accomplish this. You could require your intended recipient to physically hand you a copy of his or her public key. But this is often inconvenient and inefficient.
Another way is to manually check the certificate’s fingerprint. Just as every human’s fingerprints are unique, every certificate’s fingerprint is unique. The fingerprint is a hash of the user’s certificate and appears as one of the certificate’s properties.
You can check that a certificate is valid by calling the key’s owner (so that you originate the transaction) and asking the owner to read his or her key’s fingerprint to you and verifying that fingerprint against the one you believe to be the real one. This works if you know the owner’s voice, but how do you manually verify the identity of someone you don’t know? Some people put the fingerprint of their key on their business cards for this very reason.
Another way to establish validity of someone’s certificate is to trust that a third individual has gone through the process of validating it.

What is a passphrase?
Most people are familiar with restricting access to computer systems via a password, which is a unique string of characters that a user types in as an identification code.
A passphrase is a longer version of a password, and in theory, a more secure one. Typically composed of multiple words, a passphrase is more secure against standard dictionary attacks, wherein the attacker tries all the words in the dictionary in an attempt to determine your password. The best passphrases are relatively long and complex and contain a combination of upper and lowercase letters, numeric and punctuation characters.

Key splitting:
A secret is not a secret if more than one person knows it. Sharing a private key pair poses such a problem. While it is not a recommended practice, sharing a private key pair is necessary at times. Corporate Signing Keys, for example, are private keys used by a company to sign—for example—legal documents, sensitive personnel information, or press releases to authenticate their origin.
In such a case, it is worthwhile for multiple members of the company to have access to the private key. However, this means that any single individual can act fully on behalf of the company.
In such a case it is wise to split the key among multiple people in such a way that more than one or two people must present a piece of the key in order to reconstitute it to a usable condition. If too few pieces of the key are available, then the key is unusable. Some examples are to split a key into three pieces and require two of them to reconstitute the key, or split it into two pieces and require both pieces. If a secure network connection is used during the reconstitution process, the key’s shareholders need not be physically present in order to rejoin the key.

Summary:
Someone with vast supercomputer resources, such as a government intelligence agency, could possibly mount an expensive and formidable cryptanalytic attack. They might crack your public key by using some new secret mathematical breakthrough.
In summary, without good cryptographic protection of your data communications, it may be practically effortless and perhaps even routine for an opponent to intercept your messages, especially those sent through a modem or email system. If you use PGP and follow reasonable precautions, the attacker will have to expend far more effort and expense to violate your privacy.
If you protect yourself against the simplest attacks, and you feel confident that your privacy is not going to be violated by a determined and highly resourceful attacker, then you’ll probably be safe using cryptography. Cryptography gives pretty good privacy.
Reference:
• “Cryptography for the Internet,” by Philip R. Zimmermann.
• “Privacy on the Line,” by Whitfield Diffie and Susan Eva Landau.
• “Firewalls and Internet Security: Repelling the Wily Hacker,” by William R. Cheswick and Steven M. Bellovin. Addison-Wesley Pub Co;
• Google.com