When computers were standalone systems that were easily controlled by a central administrative group, keeping data out of the hands of those who didn't need to see it was already difficult. Usernames and passwords were designed to restrict individual users and their actions, as well as track the actions they performed. File and resource protections enforced by operating systems made it simple to keep most prying eyes out of sensitive files, but where there's a will, there's usually a way, and even operating system resource-protection techniques have their vulnerabilities.
For example, many passwords are either easy to guess or easy to obtain. If you don't enforce a strict security policy in your network, often users will use passwords that are so simple it makes a joke out of using passwords at all. Passwords such as the name of the local football team, a spouse, a child, or even a pet are often used because they're easy to remember. It is a good idea to create passwords using both uppercase and lowercase letters and alphabetic and numeric characters. These techniques can go a long way toward preventing a hacker from using a simple dictionary attack against your network. This kind of attack simply involves using a program that cycles through all the words in a dictionary to see whether any match up to your password. Hackers don't use just any dictionary, but instead can find huge lists of possible passwords (names, city names, baseball teams, and others we've just mentioned) to use. Another type of dictionary attack can be performed on Unix systems if the hacker steals the password file. Because the encryption scheme is known for most Unix systems, the program can simply encrypt every word found in a dictionary and compare it to the encrypted version in the simple /etc/passwd file!
When you consider the environment today, with large-scale networks and connections to the Internet, the security issues become even more complex and difficult to manage using simple schemes, such as username/password authentication. Encrypting the actual data files themselves, especially when they are to be transferred across an untrusted network link, can solve a large part of this problem.
Encryption techniques should be seriously considered in an environment in which security is considered an important part of the network and not assumed to be taken care of by the standard username/password mechanism.
What Is Encryption?
Encryption is the process of performing some function on a set of data that attempts to render it in a format that makes it unreadable or unusable by anyone but the intended recipient. A key is required to read something that has been encrypted. This might be a secret key, as is the case with single-key encryption, or it might be a key that can be known by many different people, as is the case with public-key encryption. Some cryptographic methods use the same key for encrypting and decrypting information, whereas others use a separate key for these functions.
Digital signatures and certificates are part of another interesting concept that has become increasingly important in networks today. You'll learn more about that later. First, take a quick look at basic encryption techniques.
Single-Key Encryption Symmetric Encryption
As its name implies, single-key encryption uses the same key to encrypt and decrypt information. The Data Encryption Standard (DES) is a technology developed by IBM in the 1970s and adopted as a federal government standard in the United States in 1976. DES was thought for many years to be extremely secure. It is still in use in many networks and businesses today. You'll find it in various forms, typically using more than one pass at encryption to secure the data. For example, a technique called triple-DES uses three different keys successively to encrypt and then re-encrypt the data. A 56-bit key is used, which results in a little over 72 quadrillion possible key values. You would think with such a large number of possible keys, and using multiple passes, that the data secured by DES would truly be secure.
That might have been true a few years ago. However, when you consider that the typical desktop PC today is a lot more powerful than the computers available back in the 1970s when DES was first developed, it's obvious that even this strong form of encryption is vulnerable to being broken, if only by a brute-force method in which every possible key value is tried. The National Institute of Standards and Technology (NIST) has decided not to recertify DES as a standard.
No comments:
Post a Comment