HASHING:
1. Hashing refers to performing a calculation on a message and
converting it into a numeric hash value.
2. The hash value of the example in Figure 7.2 is computed by multiplying
each character by 2, adding those results together, and then dividing
the sum by 10.
3. As you can see, this hash value is a single number. The hash value
can’t be used to derive the meaning of the message. The number is
transmitted with the message to the receiver, and the receiving end
uses the same hash function to determine that the message is
authentic.
4. If the hash value is different, the message has been altered in some
way.
5. This process is also known as performing a checksum. This type of
hashing is called a one-way process.
6. There is no way to reverse the hash and turn the number back into the
original message. This method of hashing is used to verify message
authenticity, and it may be used in conjunction with one of the other
encryption methods previously defined.
7. It’s important to note that a one-way hash can’t be used to decrypt a
message that is used primarily for authenticity verification.
8. Nevertheless, it’s considered an encryption process, used primarily to
verify the integrity of the message.
9. As you can imagine, calculating all the numbers in a larger, more
complicated message by hand would be cumbersome and time
consuming. Computers make hashing a very fast process.
Hashing is used extensively in computer programming. Many early random
access file methods used hashing to locate records in a data file.
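The checksum from points 2 to 4, run next to SHA-256, as an added example that is not from the original text. Figure 7.2 is not reproduced here, so the code assumes a character's value is its ASCII code and that the division is integer division; the sample messages are constructed and the SHA-256 comparison goes beyond what the text describes.

```python
import hashlib

def toy_hash(message: str) -> int:
    # Assumption: a character's numeric value is its ASCII code and the
    # final division is integer division (Figure 7.2 is not available).
    return sum(2 * ord(ch) for ch in message) // 10

def sha256_hex(message: str) -> str:
    return hashlib.sha256(message.encode("utf-8")).hexdigest()

def receiver_accepts(received: str, sent_hash, hash_fn) -> bool:
    # The receiver recomputes the hash and compares it with the one
    # that was transmitted alongside the message.
    return hash_fn(received) == sent_hash

# Constructed sample messages.
ORIGINAL = "PAY BOB 19 DOLLARS"
DIGIT_CHANGED = "PAY BOB 99 DOLLARS"   # one character replaced
DIGITS_SWAPPED = "PAY BOB 91 DOLLARS"  # same characters, different order

def compare() -> dict:
    """Report which received messages each hash function accepts."""
    results = {}
    for name, fn in (("toy", toy_hash), ("sha256", sha256_hex)):
        sent = fn(ORIGINAL)
        results[name] = {
            "unmodified": receiver_accepts(ORIGINAL, sent, fn),
            "digit_changed": receiver_accepts(DIGIT_CHANGED, sent, fn),
            "digits_swapped": receiver_accepts(DIGITS_SWAPPED, sent, fn),
        }
    return results

if __name__ == "__main__":
    for name, outcome in compare().items():
        print(name, outcome)
```

The toy checksum accepts the message with the two digits swapped because a sum ignores character order, while SHA-256 rejects both alterations.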
Digital Signatures
A digital signature is similar in function to a standard signature on a
document. It validates the integrity of the message and the sender. The
message is encrypted using the encryption system, and a second piece of
information, the digital signature, is added to the message.
Figure 7.8 illustrates this concept.
Let’s say that the sender in Figure 7.8 wants to send a message to the receiver. It’s
important that this message not be altered. The sender uses the receiver’s public
key to create a hash value that is stored in the message digest. The sender then
sends the message to the receiver. The receiver can use their private key and
compare the value of the message digest. If the message value from the private key
is the same as the message digest sent with the message, the receiver knows the
message is authentic.
The digital signature is derived from a hash process known only by the originator.
The receiver uses a key provided by the sender or a key that will provide the same
result. The receiver compares the signature area referred to as a message digest in
the message with the calculated value. If the values match, the message hasn’t
been tampered with and the originator is verified as the person they claim to be.
This process provides both message integrity and authentication.
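The check described in the paragraph above (a signature produced with a value only the originator holds, verified by the receiver with a key the sender provides), as an added example that is not from the original text. It uses textbook RSA without padding over a SHA-256 message digest; the key is built from two publicly known Mersenne primes, so it is a constructed teaching key, and the function names are assumptions of this example.

```python
import hashlib

# Constructed toy key. Real keys use secret, randomly generated primes
# and a padding scheme; these primes are public knowledge.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (given to the receiver)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (kept by the originator)

def message_digest(message: bytes) -> int:
    # Hash the message, then reduce it so it fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    # Originator: transform the digest with the private exponent.
    return pow(message_digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    # Receiver: undo the transform with the public exponent and compare
    # the result with a digest calculated from the received message.
    return pow(signature, E, N) == message_digest(message)

# Constructed sample exchange.
MESSAGE = b"Transfer 100 units to account 42"
TAMPERED = b"Transfer 900 units to account 42"

def exchange() -> dict:
    signature = sign(MESSAGE)
    return {
        "authentic": verify(MESSAGE, signature),
        "message_altered": verify(TAMPERED, signature),
        "signature_altered": verify(MESSAGE, (signature + 1) % N),
    }

if __name__ == "__main__":
    print(exchange())
```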
Centralized Key Generation
Centralized key generation allows the key-generating process to take
advantage of large-scale system resources. Key-generating algorithms tend to
be extremely processor intensive. Using a centralized server, this process
can be managed with a large single system. However, problems arise when the
key is distributed. How can it be transported to end users without
compromising security?
Figure 7.23 shows a centralized generation process. In this example, all the
physical resources are in a single location, under centralized management
control.
Centralized generation has the advantage of allowing additional management
functions to be centralized. A major disadvantage is that the key archival
and storage process may be vulnerable to an attack against a single point
instead of a network. Reliability, security, and archiving can be addressed
if the proper systems, procedures, and policies are put into place and
followed.
KEY ESCROW
1. A key escrow system stores keys for the purpose of law enforcement
access.
2. If a criminal investigation is under way, law enforcement agents with a
search warrant have the right to access and search records within the
scope of the warrant.
3. In general, the key archival system will provide the access needed.
4. Key escrow is listed separately because the usage is important to a law
enforcement investigation.
5. One of the proposed methods of dealing with key escrow involves the
storage of key information with a third party, referred to as a key
escrow agency.
6. This agency would provide key information only when ordered by a
court.
7. In general, key escrow is handled by the key archival system.
8. Key escrow systems can also be a part of the key recovery process.
Several government agencies are attempting to implement regulations
requiring mandated key escrow. Mandated key escrow would allow law
enforcement agencies to investigate a key escrow user without their
knowledge.
9. Many individuals and organizations view this as an invasion of their
privacy, and they’re fighting the use of mandated key escrow on the
basis that it violates personal freedom.
E-Mail Issues
If malware is one of your biggest security concerns (as it should be), then you need
to consider e-mail. It’s the most common delivery mechanism used to deposit
malware into your secured environment. E-mail is also often the bearer of hoaxes,
spam, phishing, and social engineering attacks. Unfortunately, Internet-based
e-mail will always be subject to attack (as well as a means to wage attacks).
Internet e-mail delivery is performed in clear text with few means to prevent
eavesdropping, alterations, delay, interceptions, and so forth. Currently, the only
option is to use a client-side encryption scheme, such as PGP and S/MIME. But they
offer security only for messages between other users of the same tool. Thus, most
messages are still sent in the clear without any form of protection.
E-mail security is a product of reducing its functionality and user behavior
modification. As for functionality, secure e-mail is e-mail that does not execute
mobile code, nor does it interpret and display HTML. Consider not allowing
attachments to reach your clients; strip them off at the firewall. However, this
will greatly reduce the ease of data exchange many rely on daily. Spam filtering
services should be added to your e-mail delivery system, if they are not already
part of your antivirus solution and your ISP’s e-mail services. All inbound
e-mail should be quarantined until scanned. E-mail servers should be deployed as
separate systems from all other services on the LAN.
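One way a mail gateway could apply the functionality reduction described above, dropping attachments and HTML parts and passing on only plain text, as an added example that is not from the original text. The function names, the sample addresses and the sample message are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def strip_active_content(raw: bytes):
    """Return (plain-text-only message, descriptions of removed parts)."""
    original = message_from_bytes(raw, policy=policy.default)
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if original[header]:
            clean[header] = str(original[header])
    kept_text, removed = [], []
    for part in original.walk():
        if part.is_multipart():
            continue  # container only; its children are visited by walk()
        ctype = part.get_content_type()
        filename = part.get_filename()
        if part.is_attachment() or filename:
            removed.append(f"{ctype} ({filename})")
        elif ctype == "text/plain":
            kept_text.append(part.get_content())
        else:
            removed.append(ctype)  # HTML and any other non-text body part
    clean.set_content("\n".join(kept_text) or "[no plain-text body]")
    return clean, removed

def build_sample() -> bytes:
    # Constructed inbound message: text body, HTML alternative, attachment.
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative("<html><body><b>Invoice</b></body></html>",
                        subtype="html")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, dropped = strip_active_content(build_sample())
    print("removed:", dropped)
    print(cleaned.as_string())
```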