Steganography:

1. Steganography is the process of hiding one message in another. In

theory, doing this prevents analysts from detecting the real message.
2. You could encode your message in another file or message and use
that file to hide your message.
3. This type of encryption can be somewhat harder to detect, but it’s still
breakable.
4. Consider the following message:
“Meet the mini me that ate later.”
The real message is every third word:
“Meet me later.”
5. Steganography is also called electronic watermarking.

HASHING:
1. Hashing refers to performing a calculation on a message and
converting it into a numeric hash value.
2. The hash value of the example in Figure 7.2 is computed by multiplying
each character by 2, adding those results together, and then dividing
the sum by 10.

3. As you can see, this hash value is a single number. The hash value
can’t be used to derive the meaning of the message. The number is
transmitted with the message to the receiver, and the receiving end
uses the same hash function to determine that the message is
authentic.
4. If the hash value is different, the message has been altered in some
way.
5. This process is also known as performing a checksum. This type of
hashing is called a one-way process.
6. There is no way to reverse the hash and turn the number back into the
original message. This method of hashing is used to verify message
authenticity, and it may be used in conjunction with one of the other
encryption methods previously defined.
7. It’s important to note that a one-way hash can’t be used to decrypt a
message that is used primarily for authenticity verification.
 8. Nevertheless, it’s considered an encryption process, used primarily to
verify the integrity of the message.
9. As you can imagine, calculating all the numbers in a larger, more
complicated message by hand would be cumbersome and time
consuming. Computers make hashing a very fast process.
Hashing is used extensively in computer programming. Many early random
access file methods used hashing to locate records in a data file.

Digital Signatures
A digital signature is similar in function to a standard signature on a
document. It validates
the integrity of the message and the sender. The message is encrypted using
the encryption
system, and a second piece of information, the digital signature, is added to
the message.
Figure 7.8 illustrates this concept.

Let’s say that the sender in Figure 7.8 wants to send a message to the receiver. It’s
important that this message not be altered. The sender uses the receiver’s public
key to create a hash value that is stored in the message digest. The sender then
sends the message to the receiver. The receiver can use their private key and
compare the value of the message digest. If the message value from the private key
is the same as the message digest sent with the message, the receiver knows the
message is authentic.
The digital signature is derived from a hash process known only by the originator.
The receiver uses a key provided by the sender or a key that will provide the same
result. The receiver compares the signature area referred to as a message digest in
the message with the calculated value. If the values match, the message hasn’t
been tampered with and the originator is verified as the person they claim to be.
This process provides both message integrity and authentication.
Centralized Key Generation
Centralized key generation allows the key-generating process to take
advantage of large-scale
system resources. Key-generating algorithms tend to be extremely processor
intensive. Using a
centralized server, this process can be managed with a large single system.
However, problems
arise when the key is distributed. How can it be transported to end users
without compromising
security?
Figure 7.23 shows a centralized generation process. In this example, all the
physical
resources are in a single location, under centralized management control.
Centralized generation has the advantage of allowing additional
management functions
to be centralized. A major disadvantage is that the key archival and storage
process may be
vulnerable to an attack against a single point instead of a network.
Reliability, security, and
archiving can be addressed if the proper systems, procedures, and policies
are put into place
and followed.

Decentralized Key Generation

Decentralized key generation allows the key-generating process to be
pushed out into the
organization or environment. The advantage of this method is that it allows
work to be
decentralized and any risks to be spread. This system isn’t vulnerable to a
single-point failure
or attack. Decentralized generation addresses the distribution issue, but it
creates
a storage and management issue.
Figure 7.24 demonstrates a decentralized system. In this situation, the loss
of any single
key-generating system doesn’t disrupt the entire network. The RA in the
figure refers to a
registration authority, and the CA refers to a certificate authority.

KEY ESCROW
1. A key escrow system stores keys for the purpose of law enforcement
access.
2. If a criminal investigation is under way, law enforcement agents with a
search warrant have the right to access and search records within the
scope of the warrant.
3. In general, the key archival system will provide the access needed.
4. Key escrow is listed separately because the usage is important to a law
enforcement investigation.
5. One of the proposed methods of dealing with key escrow involves the
storage of key information with a third party, referred to as a key
escrow agency.
6. This agency would provide key information only when ordered by a
court.
7. In general, key escrow is handled by the key archival system.
8. Key escrow systems can also be a part of the key recovery process.
Several government agencies are attempting to implement regulations
requiring mandated key escrow. Mandated key escrow would allow law
enforcement agencies to investigate a key escrow user without their
knowledge.
9. Many individuals and organizations view this as an invasion of their
privacy, and they’re fighting the use of mandated key escrow on the
basis that it violates personal freedom.

PUBLIC KEY INFRASTRUCTURE:

The Public Key Infrastructure (PKI) is a first attempt to provide all the aspects
of security to messages and transactions that have been previously
discussed. The need for universal systems to support e-commerce, secure
transactions, and information privacy is one aspect of the issues being
addressed with PKI. PKI is a two-key—asymmetric—system with four key
components: Certificate Authority (CA), Registration Authority (RA), RSA, and
digital certificates. Messages are encrypted with a public key and decrypted
with a private key. As an example, take the following scenario:
1. You want to send an encrypted message to Jordan, so you request his
public key.
2. Jordan responds by sending you that key.
3. You use the public key he sends you to encrypt the message.
4. You send the message to him.
5. Jordan uses his private key to decrypt the message.
The main goal of PKI is to define an infrastructure that should work across
multiple vendors, systems, and networks. It’s important to emphasize that
PKI is a framework and not a specific technology. Implementations of PKI are
dependent on the perspective of the software manufacturers that implement
it. This has been one of the major difficulties with PKI: Each vendor can
interpret the documents about this infrastructure and implement it however
they choose. Many of the existing PKI implementations aren’t compatible
with each other; however, this situation should change over the next few
years because customers expect compatibility.

E-Mail Issues
If malware is one of your biggest security concerns (as it should be), then you need
to consider e-mail. It’s the most common delivery mechanism used to deposit
malware into your secured environment. E-mail is also often the bearer of hoaxes,
spam, phishing, and social engineering attacks. Unfortunately, Internet-based
e-mail will always be subject to attack (as well as a means to wage attacks).
Internet e-mail delivery is performed in clear text with few means to prevent
eavesdropping, alterations, delay, interceptions, and so forth. Currently, the only
option is to use a client-side encryption scheme, such as PGP and S/MIME. But they
offer security only for messages between other users of the same tool. Thus, most
messages
are still sent in the clear without any form of protection.
E-mail security is a product of reducing its functionality and user behavior
modification.
As for functionality, secure e-mail is e-mail that does not execute mobile code, nor
does it
interpret and display HTML. Consider not allowing attachments to reach your
clients; strip
them off at the firewall. However, this will greatly reduce the ease of data exchange
many
rely on daily. Spam filtering services should be added to your e-mail delivery
system, if they
are not already part of your antivirus solution and your ISP’s e-mail services. All
inbound
e-mail should be quarantined until scanned. E-mail servers should be deployed as
separate
systems from all other services on the LAN.