Tools and Techniques of Encryption

Jeremy Malcolm. A presentation to WASCAL on 29 May 1996.

Introduction: encryption ensures security of computer-based information; security includes privacy and authentication; there is a trade-off between security and convenience.

Presentation Transcript


  1. Tools and Techniques of Encryption
     Jeremy Malcolm
     A presentation to WASCAL on 29 May 1996

  2. Introduction
     • Encryption ensures security of computer-based information
     • Security includes privacy and authentication
     • Trade-off between security and convenience
     • If tools are used incorrectly, security may be lost

  3. Agenda
     • Importance of encryption
     • Applications for encryption
     • Principles and protocols
     • Secret key versus public key encryption
     • PGP
     • Other encryption standards
     • Using encryption tools

  4. Importance of encryption
     • Lawyers have a duty to keep clients’ information confidential
     • Email messages are more like postcards than sealed letters
     • Using encryption for all your email avoids drawing attention to confidential email
     • Cost-benefit analysis

  5. Applications for encryption
     • Email
     • Secure electronic transactions
     • World Wide Web (Secure Sockets Layer), e.g. Netscape and Internet Explorer v.2
     • Proprietary systems, e.g. home banking, MSN
     • Office equipment
     • DES telephones, faxes, digital mobile phones
     • Confidential documents in the office

  6. Encryption in the office
     • Built-in encryption gives poor security
     • $US185 package cracks encryption schemes of WordPerfect, Lotus 1-2-3, Symphony, Quattro Pro, Paradox, Excel and MS Word 2.0
     • Lotus Notes
     • Secret key encryption for Notes documents
     • Key can be made distributable or non-distributable
     • Public key encryption for Notes mail
     • Microsoft Exchange fax encryption

  7. Principles and protocols
     • Public key encryption
     • Secret key (symmetric, conventional, password, single key) encryption
     • USA export controls
     • Some encryption software unavailable here
     • International Netscape substantially less secure
     • Phil Zimmermann prosecution

  8. What is public key encryption?
     Sender: distribute public key; encrypt with recipient’s public key/s; sign with private key
     Recipient: distribute public key; decrypt message with private key; verify signature with sender’s public key

  9. Authentication without encryption
     • Create a hash (checksum) for the plaintext
     • Encrypt the hash with your private key
     • This “signature” can be authenticated only with your public key

     From alt.security.pgp: “I am a practicing attorney in Colorado with clients in other states and in Canada, and I use e-mail to communicate with many of them. Having a verified PGP signature on e-mail from me tells the clients that the message really comes from me and that any advice or instructions contained in the e-mail is advice or instructions that I want them to follow. Hopefully, they trust me enough to do so. :-)”

  10. Public Keys

      -----BEGIN PGP PUBLIC KEY BLOCK-----
      Version: 2.6

      mQBtAzDmHn0AAAEDAMzvMfAQYj2AGd6dV/ctqtKj2grlDrWW8R9B2vSe8w2lZDqb
      r+/msS/UvSci79vxHmppkOvKVFhCdcI9yRcsFL5BNrJf5zLTKUVZVcUhIWQXF4Db
      //2HwEe/5gZYw9iQAQAFEbQxSmVyZW15IE0uIE1hbGNvbG0gPHRlcm1pbnVzQG9k
      eXNzZXkuYXBhbmEub3JnLmF1Pg==
      =liEN
      -----END PGP PUBLIC KEY BLOCK-----

      • Obtained through:
      • Email, finger, WWW
      • Key servers
      • Automatic for WWW browsers

  11. PGP - Pretty Good Privacy
      • De facto Internet standard
      • Offers public key and secret key encryption
      • Not an email program
      • Variants
      • Freeware
      • Commercial: “Viacrypt”
      • Restricted export
      • International

  12. Other encryption standards
      • PEM - Privacy Enhanced Mail
      • De jure standard (RFCs 1421-1424)
      • Easier to integrate into third party products
      • Relies on hierarchy of Certifying Authorities
      • RIPEM - Riordan’s Internet Privacy Enhanced Mail
      • Less widely used than PGP
      • Illegal to export outside USA
      • TIS/PEM - Trusted Information Systems PEM

  13. Other encryption standards
      • DES (Data Encryption Standard)
      • Conventional encryption (secret key only)
      • Fast
      • Available for office equipment
      • Built in to application software
      • No longer considered sufficiently secure
      • Triple DES

  14. Using encryption tools
      • Secret key encryption requires a secure channel
      • “Add-ins”
      • Microsoft Exchange PGP add-in
      • Eudora, Pegasus Mail add-ins available
      • Stand-alone products
      • Power PGP (freeware)
      • Numerous others available

  15. Dangers and limitations
      • Compromised passphrase and secret key
      • Remember the passphrase
      • Keep the key on a floppy disk
      • Exposure on multi-user systems
      • Don’t keep your secret key on such a system
      • Obvious passwords
      • Physical security breaches
      • Don’t save or print out plaintext

  16. Dangers and limitations
      • Public key tampering
      • Certification by PGP signature
      • Bogus timestamps
      • Timestamping service or PGP signature
      • "Not quite deleted" files
      • Ensure software wipes plaintext files
      • Viruses and Trojan Horses
      • Anti-viral software

  17. Summary
      • Security for electronic information
      • “Armoured van” for communications
      • “Safety deposit box” for documents
      • Less convenient to work with than plaintext, but effective if proper safeguards are taken
      • Email Encryption for Lawyers: http://www.tpgi.com.au/lawsoc/encrypt.htm
      • Question time
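
The hash-then-sign procedure on slide 9 (Authentication without encryption), and the reason slide 16 lists public key tampering as a danger, shown as an added Python example that is not part of the original presentation. It assumes textbook RSA without padding over SHA-256 and keys built from publicly known Mersenne primes, so it shows the mechanism only, not a usable key or the PGP message format; all function names are hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Build an RSA key pair from two primes; returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, e), (n, d)

def digest(message: bytes, n: int) -> int:
    """Slide step 1: hash the plaintext (SHA-256, as an integer below n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, private) -> int:
    """Slide step 2: transform the hash with the private key."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public) -> bool:
    """Slide step 3: undo the transform with the public key, compare hashes."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == digest(message, n)

# Constructed demonstration keys: Mersenne primes are public knowledge,
# so these moduli are trivially factorable and must never protect real data.
SIGNER_PUB, SIGNER_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**607 - 1, 2**1279 - 1)

def demo():
    advice = b"Do not sign the lease before Friday."  # constructed message
    sig = sign(advice, SIGNER_PRIV)
    return {
        # The plaintext travels unencrypted; only the signature is added.
        "plaintext_sent": advice.decode(),
        "genuine": verify(advice, sig, SIGNER_PUB),
        # Any change to the text changes the hash, so verification fails.
        "altered_text": verify(advice.replace(b"not ", b""), sig, SIGNER_PUB),
        "altered_signature": verify(advice, sig ^ 1, SIGNER_PUB),
        # A signature made with some other private key does not verify
        # against the signer's genuine public key ...
        "other_key_vs_genuine_pub": verify(advice, sign(advice, OTHER_PRIV), SIGNER_PUB),
        # ... but it does verify if the recipient was handed the wrong
        # public key, which is why public keys need certification.
        "other_key_vs_swapped_pub": verify(advice, sign(advice, OTHER_PRIV), OTHER_PUB),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
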