Friday, April 4, 2008

Computers and Privacy part 3

RSA Public Key Cryptography

Several algorithms are used today for public-key asymmetric encryption. The most widely known is the RSA algorithm, named after its inventors, Ronald Rivest, Adi Shamir, and Len Adleman. This method is based on multiplying two prime numbers to come up with the key pair. Further mathematical functions are performed after the multiplication to create the actual key pair. It's a simple matter to use a computer to come up with a rather large prime number, but it's a difficult computational task to take the result of this multiplication and the subsequent operations and determine which two prime numbers were used to generate it.

If you want to learn more about RSA, visit the Web site for the company founded to market this technology: www.rsasecurity.com. The RSA Security Web site is an excellent resource for encryption techniques overall, but also has a lot of information pertaining to the RSA algorithm, which has been licensed to a large number of software and hardware security providers.

Because of the difficulty in cracking RSA-encrypted data, it has been adopted by a large number of vendors, including Sun, Microsoft, and Novell, and is the most widely used cryptosystem today.

Digital Certificates

Digital certificates are used to bind a person's name (or an identity) to a public key. Certificates, then, must come from a trusted authority. The certificate itself is determined to be valid (that is, it was issued by the certificate authority [CA] it claims to represent) by a digital signature. Because the public key of a CA can be known to anyone, it is a simple computational matter to use the CA's public key to determine that the digital signature is valid. After this is done, the certificate itself can be assumed to contain a valid identity (a user, a corporation, or another entity) associated with a public key. Using a digital certificate, you then can obtain the public key for a person and use it to encrypt data to be sent to that person, who then can use his own private key to read your message.


CAs can be trusted companies on the Internet, or you can act as your own CA in your company. Included with Windows 2000 Advanced Server and the family of Windows 2003 servers, for example, is Microsoft's Certificate Services, which can be used within a company that wants to manage its own digital certificates. If you have branch offices and want to use digital certificates to certify public keys used for communicating over the Internet, you can set up your own certificate servers in your enterprise. Or you can use a commercial company (such as VeriSign) and obtain certificates from a third party.

In practice, it also is possible for a hierarchy of certificate servers to be set up, with a single root server being the most trusted certificate server in your enterprise. Then, child certificate servers are created, which can be validated by the end user because the child certificate server itself has a certificate from the root server (or another server in the hierarchy leading back to the root server) that validates its certificate. It's all a game of trust, however. If the secret key of the root server's key pair becomes compromised, it's possible to impersonate the certificate server and all security is lost. Most certificates also are issued with an expiration date, which can be used to ensure that new certificates, created using a new key pair, are in use.

For this reason, should you choose to operate your own certificate server(s) in your network, you need to take extreme security precautions to safeguard the private key. Likewise, if you use a third-party commercial certificate service, you need to read the policy of that company to determine how it verifies the identity of the end users that it issues certificates to. For example, a CA might simply verify the email address of the requestor and issue a certificate. For a software publisher, the CA might conduct some kind of background check and require further evidence before it issues certificates to the company. Before you decide to use a commercial service for issuing digital certificates, be sure you investigate the company's policies for both issuing and revoking certificates.
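The hierarchy check described in this section, as an added Python example that is not part of the original post: each certificate is verified with its issuer's public key, walking from the end user's certificate back to a root the verifier already trusts, and expiration dates are enforced along the way. The dictionary layout, names, dates and toy keys are constructed for illustration; real certificates are X.509 structures checked by a vetted library, and revocation is not modelled here.

```python
# Added illustration, not production code: textbook RSA signatures over
# SHA-256 with no padding; names, dates and the dict layout are constructed.
import hashlib
from datetime import date

def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(cert, n):
    fields = ("subject", "issuer", "pubkey", "not_after")
    body = "|".join(str(cert[f]) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, pubkey, not_after, issuer, issuer_private):
    cert = {"subject": subject, "issuer": issuer,
            "pubkey": pubkey, "not_after": not_after}
    n, d = issuer_private
    cert["sig"] = pow(digest(cert, n), d, n)   # CA signs with its private key
    return cert

def validate(chain, trusted_roots, today):
    """chain runs leaf first, root last; returns (ok, reason)."""
    for i, cert in enumerate(chain):
        if today > cert["not_after"]:
            return False, cert["subject"] + ": expired"
        # The last certificate must be self-signed; the others chain upward.
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if cert["issuer"] != issuer["subject"]:
            return False, cert["subject"] + ": issuer not in chain"
        n, e = issuer["pubkey"]                # public key: anyone can check
        if pow(cert["sig"], e, n) != digest(cert, n):
            return False, cert["subject"] + ": bad signature"
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["pubkey"]:
        return False, "root is not a trusted anchor"
    return True, "ok"

def sample_chain():
    # Constructed toy keys built from well-known Mersenne primes.
    root_pub, root_priv = keypair(2**127 - 1, 2**89 - 1)
    mid_pub, mid_priv = keypair(2**107 - 1, 2**61 - 1)
    leaf_pub, _ = keypair(2**521 - 1, 2**31 - 1)
    root = issue("Example Root CA", root_pub, date(2028, 1, 1), "Example Root CA", root_priv)
    mid = issue("Branch Office CA", mid_pub, date(2013, 1, 1), "Example Root CA", root_priv)
    leaf = issue("alice@example.com", leaf_pub, date(2009, 4, 4), "Branch Office CA", mid_priv)
    return [leaf, mid, root], {"Example Root CA": root_pub}

if __name__ == "__main__":
    chain, roots = sample_chain()
    print(validate(chain, roots, date(2008, 4, 4)))
```

The final trust-anchor comparison is the step that depends on the root's private key staying secret: whoever holds that key can issue a chain that passes every check above.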

Pretty Good Privacy (PGP)

One of the most popular encryption programs on the Internet for a number of years now has been PGP, originally developed by Philip Zimmermann. PGP uses public-key cryptography and has been ported to many computer platforms, including Unix, Linux, and, of course, all versions of Windows from Windows NT and Windows 95 onward.

PGP Corporation currently markets the commercial version of PGP. PGP is available in a Universal Series version for network gateways, Whole Disk Encryption for desktop and enterprise systems, command-line for servers and mainframes, and home and professional desktop versions. PGP also maintains a Global Directory of PGP keys, replacing the PGP Keyserver service. A 30-day trial of the home desktop version is available.

PGP has been established as an Internet proposed standard through the Request for Comments (RFC) process. RFC 2440, "OpenPGP Message Format," was written in 1998 and details the specification.

An international site devoted to PGP also can be used to download PGP. Visit the PGPi Project International PGP home page at www.pgpi.org/ to learn more about PGP International. The downloads available from this site include support for the following platforms:

Amiga

Atari

BeOS

EPOC (Psion, and so on)

MacOS

Newton

OS/2

PalmOS

Unix

MS-DOS

Windows 3.x

Windows 95/98/NT

Windows Me

Windows 2000

Windows XP

As you can see, various operating systems are supported by the International PGP site, which is working to establish PGP as a standard for encryption on the Internet. In addition to the standard PGP package, which provides for a number of applications, such as document encryption and email, a number of other products also are available, such as PGPdisk (for encrypting disks) and PGPphone (for making secure phone calls on the Internet).

The PGPi Project is also making PGP available in various languages and is currently translating the documentation. PGPi is a nonprofit organization dedicated to further developing and distributing PGP technology throughout the world. In addition, for some platforms, the source code is available so that you can examine it before compiling it on your system.
