Upload File

for dummiesdownload.e-bookshelf.de/download/0000/5862/56/l-g... · cryptography for dummies ... no...

  • Home
  • Documents
  • FOR DUMmIESdownload.e-bookshelf.de/download/0000/5862/56/L-G... · Cryptography FOR DUMmIES ... No part of this publication may be reproduced, stored in a retrieval system or transmitted
30
by Chey Cobb, CISSP Cryptography FOR DUMmIES

Upload: others

Post on 04-Aug-2020

0 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • by Chey Cobb, CISSP

    CryptographyFOR

    DUMmIES‰

    541889 FM.qxd 12/17/03 8:21 PM Page iii

    C1.jpg

  • 541889 FM.qxd 12/17/03 8:21 PM Page ii

  • CryptographyFOR

    DUMmIES‰

    541889 FM.qxd 12/17/03 8:21 PM Page i

  • 541889 FM.qxd 12/17/03 8:21 PM Page ii

  • by Chey Cobb, CISSP

    CryptographyFOR

    DUMmIES‰

    541889 FM.qxd 12/17/03 8:21 PM Page iii

  • Cryptography For Dummies®

    Published byWiley Publishing, Inc.111 River StreetHoboken, NJ 07030-5774

    Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana

    Published by Wiley Publishing, Inc., Indianapolis, Indiana

    Published simultaneously in Canada

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form orby any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permit-ted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior writtenpermission of the Publisher, or authorization through payment of the appropriate per-copy fee to theCopyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600.Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing,Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: [email protected].

    Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for theRest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related tradedress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the UnitedStates and other countries, and may not be used without written permission. All other trademarks are theproperty of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendormentioned in this book.

    LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USEDTHEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WAR-RANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOKAND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR APARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTA-TIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOTBE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPRO-PRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT ORANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CON-SEQUENTIAL, OR OTHER DAMAGES.

    For general information on our other products and services or to obtain technical support, please contactour Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax317-572-4002.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print maynot be available in electronic books.

    Library of Congress Control Number: 2003105686

    ISBN: 0764541889

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

    1O/QY/QR/QU/IN

    541889 FM.qxd 12/17/03 8:21 PM Page iv

  • About the AuthorChey Ewertz Cobb, CISSP, began working in computer security in 1989. Sincethen she has managed her own computer security consulting company, CobbAssociates, working for such clients as Apple Computers and SunMicrosystems. She later worked for the government, creating a secure net-work at Cape Canaveral, assisting in the security at Patrick Air Force Base,and later as a technical security officer for the National ReconnaissanceOffice (NRO), which is more secretive than the NSA.

    During her work in security, she had the opportunity to evaluate and managecryptosystems for private industry and the U.S. Intelligence Agencies.

    Chey now writes books on computer security (Computer Security Handbook,4th Edition and Network Security For Dummies), writes articles for magazines,and speaks at computer security conferences.

    541889 FM.qxd 12/17/03 8:21 PM Page v

  • 541889 FM.qxd 12/17/03 8:21 PM Page vi

  • DedicationTo R. W. Ewertz, Jr. He was my role model and inspiration when things gottough.

    541889 FM.qxd 12/17/03 8:21 PM Page vii

  • 541889 FM.qxd 12/17/03 8:21 PM Page viii

  • AcknowledgmentsFirst of all, let me thank Andrea Boucher and Melody Layne who saw methrough thick and thin and never lost faith in me (at least they never let onthat they did!). I enjoy working with them both, and any writer who has theopportunity to work with them should count himself/herself lucky!

    Secondly, I want to thank Dave Brussin, Ryan Upton, Josh Beneloh, JonCallas, and Dave Del Torto for setting me on the correct path when my expla-nations strayed. Thanks so much for lending me your brainwork!

    Last, but not least, Stephen. My love, my life, and my everything.

    541889 FM.qxd 12/17/03 8:21 PM Page ix

  • Publisher’s AcknowledgmentsWe’re proud of this book; please send us your comments through our online registration formlocated at www.dummies.com/register/.

    Some of the people who helped bring this book to market include the following:

    Acquisitions, Editorial, and MediaDevelopment

    Project Editor: Andrea C. Boucher

    Acquisitions Editor: Melody Layne

    Technical Editor: Tim Crothers

    Editorial Manager: Carol Sheehan

    Media Development Manager:Laura VanWinkle

    Media Development Supervisor:Richard Graves

    Editorial Assistant: Amanda Foxworth

    Cartoons: Rich Tennant (www.the5thwave.com)

    Production

    Project Coordinator: Maridee Ennis

    Layout and Graphics: Joyce Haughey, Andrea Dahl, Stephanie D. Jumper,Jacque Schneider, Melanee Wolven

    Proofreaders: Andy Hollandbeck,Carl William Pierce, TECHBOOKSProduction Services

    Indexer: TECHBOOKS Production Services

    Publishing and Editorial for Technology Dummies

    Richard Swadley, Vice President and Executive Group Publisher

    Andy Cummings, Vice President and Publisher

    Mary C. Corder, Editorial Director

    Publishing for Consumer Dummies

    Diane Graves Steele, Vice President and Publisher

    Joyce Pepple, Acquisitions Director

    Composition Services

    Gerry Fahey, Vice President of Production Services

    Debbie Stailey, Director of Composition Services

    541889 FM.qxd 12/17/03 8:21 PM Page x

    www.dummies.com

  • Contents at a GlanceIntroduction ................................................................1

    Part I: Crypto Basics & What You Really Need to Know ..............................................................7Chapter 1: A Primer on Crypto Basics ............................................................................9Chapter 2: Major League Algorithms ............................................................................33Chapter 3: Deciding What You Really Need .................................................................53Chapter 4: Locks and Keys .............................................................................................79

    Part II: Public Key Infrastructure ...............................93Chapter 5: The PKI Primer .............................................................................................95Chapter 6: PKI Bits and Pieces .....................................................................................107Chapter 7: All Keyed Up! ...............................................................................................119

    Part III: Putting Encryption Technologiesto Work for You .......................................................135Chapter 8: Securing E-Mail from Prying Eyes ............................................................137Chapter 9: File and Storage Strategies ........................................................................167Chapter 10: Authentication Systems ...........................................................................183Chapter 11: Secure E-Commerce .................................................................................197Chapter 12: Virtual Private Network (VPN) Encryption ...........................................213Chapter 13: Wireless Encryption Basics ....................................................................223

    Part IV: The Part of Tens ..........................................235Chapter 14: The Ten Best Encryption Web Sites ......................................................237Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms ............241Chapter 16: Cryptography Do’s and Don’ts ...............................................................245Chapter 17: Ten Principles of “Cryptiquette” ............................................................251Chapter 18: Ten Very Useful Encryption Products ...................................................255

    Part V: Appendixes ..................................................259Appendix A: Cryptographic Attacks ...........................................................................261Appendix B: Glossary ...................................................................................................267Appendix C: Encryption Export Controls ...................................................................279

    Index .......................................................................283

    541889 FM.qxd 12/17/03 8:21 PM Page xi

  • 541889 FM.qxd 12/17/03 8:21 PM Page xii

  • Table of ContentsIntroduction .................................................................1

    About This Book ..............................................................................................2How to Use This Book ....................................................................................2What You Don’t Need to Read .......................................................................3Foolish Assumptions ......................................................................................3How This Book Is Organized ..........................................................................3

    Part I: Crypto Basics & What You Really Need to Know ..................4Part II: Public Key Infrastructure .........................................................4Part III: Putting Encryption Technologies to Work for You ..............4Part IV: The Part of Tens .......................................................................4Part V: Appendixes ................................................................................5

    Icons Used in This Book .................................................................................5Where to Go from Here ...................................................................................5

    Part I: Crypto Basics & What You Really Need to Know ..............................................................7

    Chapter 1: A Primer on Crypto Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . .9It’s Not about James Bond .............................................................................9

    Go with the rhythm .............................................................................10Rockin’ the rhythm ..............................................................................11

    Getting to Know the Basic Terms ................................................................12What Makes a Cipher? ..................................................................................13

    Concealment ciphers ..........................................................................13Substitution ciphers ............................................................................14Transposition ciphers .........................................................................15Hash without the corned beef ...........................................................16XOR what? ............................................................................................17

    Breaking Ciphers ...........................................................................................20Not-so-secret keys ...............................................................................20Known plaintext ...................................................................................21Pattern recognition .............................................................................21What a brute! ........................................................................................21

    Cryptosystems ..............................................................................................22Everyday Uses of Encryption ......................................................................23

    Network logons and passwords ........................................................23Secure Web transactions ....................................................................25ATMs .....................................................................................................26Music and DVDs ...................................................................................27Communication devices .....................................................................28

    541889 FM.qxd 12/17/03 8:21 PM Page xiii

  • Cryptography For Dummies xivWhy Encryption Isn’t More Commonplace ................................................28

    Difficulty in understanding the technology .....................................29You can’t do it alone ...........................................................................29Sharing those ugly secrets .................................................................30Cost may be a factor ...........................................................................30Special administration requirements ................................................31

    Chapter 2: Major League Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . .33Beware of “Snake Oil” ...................................................................................34Symmetric Keys Are All the Same ...............................................................37

    The key table ........................................................................................37Key generation and random numbers ..............................................38Protecting the Key ...............................................................................39

    Symmetric Algorithms Come in Different Flavors ....................................40Making a hash of it ..............................................................................40Defining blocks and streams ..............................................................42Which is better: Block or stream? .....................................................44

    Identifying Symmetric Algorithms ..............................................................45DES ........................................................................................................45Triple DES .............................................................................................45IDEA .......................................................................................................46AES ........................................................................................................46

    Asymmetric Keys ..........................................................................................47RSA ........................................................................................................48Diffie-Hellman (& Merkle) ...................................................................49PGP ........................................................................................................50Elliptical Curve Cryptography ...........................................................50

    Working Together ..........................................................................................52

    Chapter 3: Deciding What You Really Need . . . . . . . . . . . . . . . . . . . . .53Justifying the Costs to Management ...........................................................53

    Long-term versus short-term .............................................................54Tangible versus intangible results ....................................................55Positive ROI ..........................................................................................55Government due diligence .................................................................60Insurers like it! .....................................................................................61Presenting your case ...........................................................................61

    Do You Need Secure Communications? .....................................................62Secure e-mail .......................................................................................62Instant Messaging (IM) .......................................................................64Secure e-commerce .............................................................................64Online banking .....................................................................................66Virtual Private Networks (VPNs) .......................................................66Wireless (In)security ...........................................................................68

    541889 FM.qxd 12/17/03 8:21 PM Page xiv

  • Do You Need to Authenticate Users? ..........................................................69Who are your users? ...........................................................................70Authentication tokens ........................................................................71Smart cards ..........................................................................................72Java tokens ...........................................................................................73Biometrics ............................................................................................74

    Do You Need to Ensure Confidentiality and Integrity? .............................75Protecting Personal Data .............................................................................75What’s It Gonna Cost? ...................................................................................77

    Chapter 4: Locks and Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79The Magic Passphrase ..................................................................................80

    The weakest link ..................................................................................81Mental algorithms ...............................................................................82Safety first! ............................................................................................84Passphrase attacks .............................................................................86Don’t forget to flush! ...........................................................................87

    The Key Concept ...........................................................................................88Key generation .....................................................................................89Protecting your keys ...........................................................................90What to do with your old keys ..........................................................91Some cryptiquette ...............................................................................91

    Part II: Public Key Infrastructure ................................93

    Chapter 5: The PKI Primer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95What Is PKI? ...................................................................................................96

    Certificate Authorities (CAs) .............................................................97Digital Certificates ...............................................................................98Desktops, laptops, and servers .......................................................100Key servers ........................................................................................102Registration Authorities (RAs) ........................................................103

    Uses for PKI Systems ..................................................................................103Common PKI Problems ...............................................................................105

    Chapter 6: PKI Bits and Pieces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107Certificate Authorities ................................................................................108

    Pretenders to the throne ..................................................................110Registration Authorities ...................................................................110

    Certificate Policies (CPs) ...........................................................................111Digital Certificates and Keys ......................................................................112D’basing Your Certificates ..........................................................................113Certificate Revocation ................................................................................114

    xvTable of Contents

    541889 FM.qxd 12/17/03 8:21 PM Page xv

  • Cryptography For Dummies xviPicking the PKCS .........................................................................................115

    PKCS #1: RSA Encryption Standard ................................................115PKCS #3: Diffie-Hellman Key Agreement Standard ........................115PKCS #5: Password-Based Cryptography Standard .....................115PKCS #6: Extended-Certificate Syntax Standard ............................116PKCS #7: Cryptographic Message Syntax Standard ......................116PKCS #8: Private-Key Information Syntax Standard ......................116PKCS #9: Selected Attribute Types .................................................117PKCS #10: Certification Request Syntax Standard ........................117PKCS #11: Cryptographic Token Interface Standard ....................117PKCS #12: Personal Information Exchange Syntax Standard .......118PKCS #13: Elliptic Curve Cryptography Standard .........................118PKCS #14: Pseudo-Random Number Generation Standard ..........118PKCS #15: Cryptographic Token Information

    Format Standard ............................................................................118

    Chapter 7: All Keyed Up! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119So, What Exactly IS a Key? .........................................................................120Making a Key ................................................................................................120The Long and Short of It .............................................................................121Randomness in Keys Is Good ....................................................................122Storing Your Keys Safely ............................................................................123Keys for Different Purposes .......................................................................124Keys and Algorithms ...................................................................................124One Key; Two Keys . . . ...............................................................................125

    Public/private keys ...........................................................................126The magic encryption machine .......................................................127The magic decryption machine .......................................................128Symmetric keys (again) ....................................................................129

    Trusting Those Keys ...................................................................................129Key Servers ..................................................................................................130

    Keeping keys up to date ...................................................................131Policies for keys .................................................................................132Key escrow and key recovery ..........................................................132

    Part III: Putting Encryption Technologies to Work for You ........................................................135

    Chapter 8: Securing E-Mail from Prying Eyes . . . . . . . . . . . . . . . . . . .137E-Mail Encryption Basics ...........................................................................138

    S/MIME ................................................................................................138PGP ......................................................................................................139

    Digital Certificates or PGP Public/Private Key Pairs? .............................140What’s the diff? ..................................................................................140When should you use which? ..........................................................141Sign or encrypt or both? ...................................................................141Remember that passphrase! ............................................................142

    541889 FM.qxd 12/17/03 8:21 PM Page xvi

  • xviiTable of ContentsUsing S/MIME ...............................................................................................142

    Setting up S/MIME in Outlook Express ...........................................143Backing up your Digital Certificates ...............................................151

    Fun and Games with PGP ...........................................................................153Setting up PGP ...................................................................................154Deciding on the options ...................................................................156Playing with your keyring .................................................................160Sending and receiving PGP messages .............................................162PGP in the enterprise ........................................................................164

    Other Encryption Stuff to Try ...................................................................164

    Chapter 9: File and Storage Strategies . . . . . . . . . . . . . . . . . . . . . . . . .167Why Encrypt Your Data? ............................................................................168Encrypted Storage Roulette .......................................................................170

    Symmetric versus asymmetric? ......................................................171Encrypting in the air or on the ground? .........................................173

    Dealing with Integrity Issues ......................................................................174Message digest/hash .........................................................................174MACs ...................................................................................................175HMACs ................................................................................................175Tripwire ..............................................................................................176

    Policies and Procedures .............................................................................177Examples of Encryption Storage ...............................................................178

    Media encryption ..............................................................................179Encrypting File System .....................................................................180Secure e-mail ......................................................................................181Program-specific encryption ...........................................................181Encrypted backup .............................................................................181

    Chapter 10: Authentication Systems . . . . . . . . . . . . . . . . . . . . . . . . . . .183Common Authentication Systems .............................................................185

    Kerberos .............................................................................................185SSH .......................................................................................................186RADIUS ................................................................................................187TACACS+ .............................................................................................188

    Authentication Protocols ...........................................................................188How Authentication Systems Use Digital Certificates ............................190Tokens, Smart Cards, and Biometrics ......................................................191

    Digital Certificates on a PC ...............................................................191Time-based tokens ............................................................................192Smartcard and USB Smartkeys ........................................................193Biometrics ..........................................................................................194

    Chapter 11: Secure E-Commerce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197SSL Is the Standard .....................................................................................198

    A typical SSL connection ..................................................................199Rooting around your certificates ....................................................201

    541889 FM.qxd 12/17/03 8:21 PM Page xvii

  • Cryptography For Dummies xviiiTime for TLS .................................................................................................203Setting Up an SSL Solution .........................................................................204

    What equipment do I need? .............................................................205The e-commerce manager’s checklist ............................................206

    XML Is the New Kid on the Block ..............................................................209Going for Outsourced E-Commerce ..........................................................210

    Chapter 12: Virtual Private Network (VPN) Encryption . . . . . . . . . . .213How Do VPNs Work Their Magic? .............................................................214Setting Up a VPN .........................................................................................214

    What devices do I need? ...................................................................215What else should I consider? ...........................................................216Do VPNs affect performance? ..........................................................216Don’t forget wireless! ........................................................................217

    Various VPN Encryption Schemes ............................................................217PPP and PPTP ....................................................................................217L2TP ....................................................................................................218IPsec ....................................................................................................218

    Which Is Best? .............................................................................................220Testing, Testing, Testing .............................................................................221

    Chapter 13: Wireless Encryption Basics . . . . . . . . . . . . . . . . . . . . . . .223Why WEP Makes Us Weep ..........................................................................224

    No key management ..........................................................................225Poor RC4 implementation ................................................................225Authentication problems ..................................................................226Not everything is encrypted ............................................................226

    WEP Attack Methods ..................................................................................227Finding wireless networks ................................................................228War chalking .......................................................................................228

    Wireless Protection Measures ...................................................................230Look for rogue access points ...........................................................230Change the default SSIDs ..................................................................230Turn on WEP ......................................................................................231Position your access points well .....................................................232Buy special antennas ........................................................................232Use a stronger encryption scheme .................................................232Use a VPN for wireless networks .....................................................232Employ an authentication system ...................................................233

    Part IV: The Part of Tens ...........................................235

    Chapter 14: The Ten Best Encryption Web Sites . . . . . . . . . . . . . . . .237Mat Blaze’s Cryptography Resource on the Web ....................................237The Center for Democracy and Technology ............................................237SSL Review ...................................................................................................238How IPsec Works .........................................................................................238

    541889 FM.qxd 12/17/03 8:21 PM Page xviii

  • xixTable of ContentsCode and Cipher ..........................................................................................238CERIAS — Center for Education and Research in Information

    Assurance and Security ..........................................................................238The Invisible Cryptologists — African Americans, WWII to 1956 .........239Bruce Schneier ............................................................................................239North American Cryptography Archives .................................................239RSA’s Crypto FAQ ........................................................................................239

    Chapter 15: The Ten Most Commonly Misunderstood Encryption Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

    Military-Grade Encryption .........................................................................241Trusted Third Party ....................................................................................241X.509 Certificates ........................................................................................242Rubber Hose Attack ....................................................................................242Shared Secret ...............................................................................................242Key Escrow ...................................................................................................242Initialization Vector .....................................................................................243Alice, Bob, Carol, and Dave ........................................................................243Secret Algorithm .........................................................................................243Steganography .............................................................................................244

    Chapter 16: Cryptography Do’s and Don’ts . . . . . . . . . . . . . . . . . . . . . .245Do Be Sure the Plaintext Is Destroyed after a Document

    Is Encrypted .............................................................................................245Do Protect Your Key Recovery Database and Other Key Servers

    to the Greatest Extent Possible .............................................................246Don’t Store Your Private Keys on the Hard Drive

    of Your Laptop or Other Personal Computing Device ........................246Do Make Sure Your Servers’ Operating Systems Are “Hardened”

    before You Install Cryptological Systems on Them ............................246Do Train Your Users against Social Engineering .....................................247Do Create the Largest Key Size Possible ..................................................247Do Test Your Cryptosystem after You Have It Up and Running ............248Do Check the CERT Advisories and Vendor Advisories about

    Flaws and Weaknesses in Cryptosystems ............................................248Don’t Install a Cryptosystem Yourself If You’re

    Not Sure What You Are Doing ................................................................248Don’t Use Unknown, Untested Algorithms ..............................................249

    Chapter 17: Ten Principles of “Cryptiquette” . . . . . . . . . . . . . . . . . . .251If Someone Sends You an Encrypted Message, Reply in Kind ...............251Don’t Create Too Many Keys .....................................................................251Don’t Immediately Trust Someone Just Because

    He/She Has a Public Key..........................................................................252Always Back Up Your Keys and Passphrases ..........................................252

    541889 FM.qxd 12/17/03 8:21 PM Page xix

  • Be Wary of What You Put in the Subject Line of Encrypted Messages ...........................................................................252

    If You Lose Your Key or Passphrase, Revoke Your Keys as Soon as Possible .................................................................................253

    Don’t Publish Someone’s Public Key to a Public Key Server withoutHis/Her Permission .................................................................................253

    Don’t Sign Someone’s Public Key Unless You Have Reason To .............253If You Are Corresponding with Someone for the First Time, Send an

    Introductory Note Along with Your Public Key ...................................254Be Circumspect in What You Encrypt ......................................................254

    Chapter 18: Ten Very Useful Encryption Products . . . . . . . . . . . . . . .255PGP: Pretty Good Privacy ..........................................................................255GAIM .............................................................................................................255madeSafe Vault ............................................................................................256Password Safe ..............................................................................................256Kerberos .......................................................................................................256OpenSSL and Apache SSL ...........................................................................256SafeHouse .....................................................................................................257WebCrypt .....................................................................................................257Privacy Master .............................................................................................257Advanced Encryption Package ..................................................................257

    Part V: Appendixes ...................................................259

    Appendix A: Cryptographic Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . .261Known Plaintext Attack ..............................................................................262Chosen Ciphertext Attacks ........................................................................262Chosen Plaintext Attacks ...........................................................................263The Birthday Attack ....................................................................................263Man-in-the-Middle Attack ...........................................................................263Timing Attacks .............................................................................................264Rubber Hose Attack ....................................................................................264Electrical Fluctuation Attacks ...................................................................265Major Boo-Boos ...........................................................................................265

    Appendix B: Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267

    Appendix C: Encryption Export Controls . . . . . . . . . . . . . . . . . . . . . . .279

    Index .......................................................................283

    Cryptography For Dummies xx

    541889 FM.qxd 12/17/03 8:21 PM Page xx

  • Introduction

    Congratulations! You’ve successfully navigated through the gazillion com-puter books on the bookstore shelves and finally found just what youwere looking for — a book on cryptography that you can read and actuallyunderstand! Just thumb through some of the chapters here and you’ll soonrealize that you don’t need a degree in advanced mathematics, nor do youneed to be the world’s biggest brainiac to understand this stuff. If you have abasic understanding of computers and networking, and you have an interestin increasing your data and communications security, then this is just thebook for you.

    What I’m talking about here is cryptography — you know, crypto, geek talk,secret coding, cypherpunk’n. If you have heard of the word cryptography, you’llknow that it is one of those subjects that many people are aware of, but veryfew people can actually tell you what it’s all about. Frankly, just the mention ofthe word cryptography scares the heck out of people — even experienced net-work administrators! And to be honest, a lot of the books on the subject aremore suited as college textbooks than business “how-to” guides or intros to thesubject, and have contributed to the atmosphere of FUD — fear, uncertainty,and doubt — about cryptography. Yep, the subject can be scary as all get-out.

    So, how do you decide whether or not you should use cryptography? I’ll helpyou answer that question with questions and checklists. Before you go on tothat chapter, however, there are many situations in which cryptographycould or should be used. Here’s a preview of some situations:

    � Your company relies heavily upon its trade secrets to gain a competitiveedge over your competitors. If an unauthorized person got access tothose trade secrets, it could spell disaster for your entire company.

    � You work in the health care industry and are required by the HIPAA leg-islation to protect personal information. You get notice from a federalauthority that your protection methods are about to be scrutinizedbecause there have been complaints about the way you have handledpersonal information.

    � You’re an attorney who has been charged with prosecuting someoneguilty of war crimes, drug trafficking, or any situation where witnessesand evidence need to be fiercely protected. Obviously, you wouldn’twant your evidence or your witnesses compromised.

    02 541889 intro.qxd 12/17/03 10:49 AM Page 1

  • Cryptography is a complex subject, I won’t kid you there, but it could definitelysave a lot of headaches if it were used in any of the situations mentionedabove. Additionally, adding cryptography to your security doesn’t necessarilyhave to be expensive or impossible to understand. That’s why I wrote thisbook. I’m here to take the fear out of the equation and to help you get it rightthe first go-round. After you read through a few sections of this book, you’ll bespouting the jargon like a true techno-geek and you’ll even be able to under-stand what you’re talking about.

    I’ll give you some advance warning, though: You’ll be seeing a lot of informa-tion about keys in this book because (and excuse the cliché) the key tocryptography is the keys. That is perhaps the most confusing thing aboutcryptography — that the word “key” can be used to mean more than onething. I wish I could change the terminology so it wouldn’t get so confusing,but I have to consider the real world, too. The terminology used in this bookis based on what you are really likely to encounter.

    About This BookAs I just mentioned, the subject matter covered in this book is what you aremost likely to encounter in real life. That means that you can obtain enoughinformation here to help you make decisions on cryptography: Is it right foryou? What type of programs should you use? How do you set things upappropriately? After you have installed your chosen system, you can alwaysrefer back to this book to refresh your memory as need be.

    Every time I introduce a new concept, I start out with really basic explanationswith some analogies to help you get the idea and then, as the chapter pro-gresses, I explain things in more detail. I promise not to get to the uber-geeklevel of detail on any particular subject because I certainly haven’t intendedfor the book to act as a substitute for a sedative.

    How to Use This BookIt’s quite simple, really. You hold the book in one hand, and use the other toturn the pages! Alternatively, you could use the book to prop up a brokentable leg. To be honest, though, I don’t recommend the last usage becauseyou really won’t receive the benefits of the book if you can’t open it to read it.

    Seriously, I suggest that you peruse the Table of Contents and have a look atthe headings and subheadings. When you see something of interest, diveright in; I promise it won’t hurt. If nothing else, you can also flip through thebook and have a sneak peek at all the cartoons.

    2 Cryptography For Dummies

    02 541889 intro.qxd 12/17/03 10:49 AM Page 2

  • What You Don’t Need to ReadOccasionally I include some deeper technical detail on certain subjects. WhenI include this sort of information, I make it obvious by putting a special iconcalled “Technical Stuff” next to the section. It isn’t really necessary that youknow this stuff, but I thought I’d include it just in case you were interested.

    So, if you see the Technical Stuff icon, you can just pass it by. Or, if you wantto impress your boss, you can memorize the information and impress himwith your knowledge!

    Foolish AssumptionsWhen you are writing for a mass audience (as I am here), it’s difficult to gaugethe level of aptitude. Because I didn’t know ahead of time what you know andwhat you don’t know, I’ve had to make certain foolish assumptions. So as notto insult your intelligence, here are the assumptions I’ve made:

    � You’d really like to know more about cryptography.

    � You’re not intimidated by computers, computing, or networks.

    � You are connected to an Internet, whether through your job, DSL orcable modem at home, or a dial-up account.

    � You are interested in security and, in particular, securing your data andcommunications.

    � You are aware that your e-mail messages can be read by almost anyonein the world (besides the intended recipient).

    � You’re aware of the fact that unauthorized persons can get access toyour computer and read, steal, and change your files.

    � You’re capable and/or authorized to install computer software programs.

    � You don’t expect this book to make you an instant expert; I give youenough information to get you started and to be able to speak intelli-gently with others on the subject.

    How This Book Is OrganizedI’ve assembled this book into distinct and separate “parts” and each partfocuses on a particular aspect of cryptography. This will help you to find thecorrect level of explanation for the questions you need answered. It’s not nec-essary to read each part completely in order to get an idea of what’s goingon. Here’s a brief description of each of the parts.

    3Introduction

    02 541889 intro.qxd 12/17/03 10:49 AM Page 3

  • Part I: Crypto Basics & What You Really Need to KnowThe title says it all! Algorithms and ciphers explained. An introduction tokeys and how they are used in cryptography. Help with deciding what youreally need. And I discuss keys in depth (because they are really, reallyimportant!).

    Part II: Public Key InfrastructurePublic Key Infrastructure, also known as PKI, is as it says, an infrastructure.That is, basic facilities, services, and installations needed for the functioningof a cryptographic system. It’s not something that comes complete in onebox; you generally have to build this system with servers, software, and con-nections to a public network like the Internet.

    This part goes into what PKI does, how it does it, what you need to do it, andwhy you would want to build such a system.

    Part III: Putting Encryption Technologiesto Work for YouNow that you’ve decided that you really should be using cryptography as anadditional security measure, here are all the things you can use it for. I dis-cuss e-mail systems, file storage, and authenticating users of your systems. Inaddition, I have a look at e-commerce on the Web, the use of VPNs, and last,but not least, wireless security. Wireless security is a hot topic right now!

    Part IV: The Part of TensDo you like lists? Do you like tips, tricks, and resources for additional infor-mation? Included in this part is lots of information that is sure to inform andamuse you! I’ve included Web sites, software, and common mistakes, amongother goodies.

    4 Cryptography For Dummies

    02 541889 intro.qxd 12/17/03 10:49 AM Page 4

  • Part V: AppendixesHere you get three appendixes with even more information! In addition to ahandy glossary of terms you’ll read about, I also tell you all kinds of stuffabout crypto attacks and encryption export controls.

    Icons Used in This BookYou’ll probably notice that I put a lot of these in the book. If you really wantto impress your geeky friends, this is the stuff to read. It’s not really neces-sary that you read every one of these, but you might be amazed at whatyou’ll learn.

    These are the things you always want in a hurry. They sometimes make thejob easier or faster by suggested short-cuts for common tasks.

    Basically, this icon means Don’t Do This! Tread softly, pay attention, and bevery, very sure of what you are doing. Always have a back-up plan in casethings don’t go well.

    We all need a little nudge now and then to jog our memory. That’s exactlywhat these sections do. After a while you won’t need these reminders astasks become second nature to you.

    Where to Go from HereStart flipping through the book and dive in where something catches youreye. Like I’ve said before, it’s not necessary for you to read this book in anyparticular order, so you’re free to dive in anywhere to get your feet wet.

    Occasionally I suggest software that you may want to try. Go to the site I men-tion and download the file and install it on your system. I recommend thatyou install these programs on test machines first, to see how they work andto see if they conflict with anything else you already have. Playing aroundwith the software is one of the best ways to underscore the knowledge Iimpart here. In any case, enjoy yourself!

    5Introduction

    02 541889 intro.qxd 12/17/03 10:49 AM Page 5

  • 6 Cryptography For Dummies

    02 541889 intro.qxd 12/17/03 10:49 AM Page 6

  • Part ICrypto Basics &What You Really

    Need to Know

    03 541889 PP01.qxd 12/17/03 10:49 AM Page 7

  • In this part . . .

    This is the part to get you started — get you started soyou can attend that meeting on cryptography andencryption products and sound like you know what you’retalking about. This is the section that will make your bossrealize that you’re an indispensable employee. And if youare the boss, this part will give you the information youneed to work your way through the labyrinth of confusingjargon and new technology.

    In addition to giving you the basic information to be ableto understand what the software and hardware vendorsare throwing at you, the basics of algorithms and keys areexplained. There’s also a complete chapter to help youdecide what you need by giving you situations in whichencryption is used and the technology needed to make ithappen. You don’t have to start here if you don’t want to,but if you’ve never encountered cryptography or encryp-tion before, I suggest you at least give it a browse.

    03 541889 PP01.qxd 12/17/03 10:49 AM Page 8


CPA Exam - download.e-bookshelf.de€¦ · viii CPA Exam For Dummies Scheduling the Exam..... 27 Where to take the test..... 27

QuarkXPress - download.e-bookshelf.de€¦ · vi QuarkXPress For Dummies Applying a different master page to a layout page . . . . . . . . . . . .111 Changing master page items

iOS 6 - download.e-bookshelf.de · His books include: • iWork For Dummies • Dashcode For Dummies • FileMaker Pro in Depth • Sams Teach Yourself Core Data in 24 Hours • Sams

Marketing to - download.e-bookshelf.de€¦ · x Marketing to Millennials For Dummies Developing Your Editorial Calendar . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

FOR DUMmIES - download.e-bookshelf.de · Crystal Xcelsius ™ FOR DUMmIES ... technologies.com, where he shares free Access and Excel tips to interme-diate users. He currently lives

Origami Kitdownload.e-bookshelf.de/download/0000/5782/17/L-G-0000578217... · Origami Kit For Dummies ... Yoshihide Momotani (Twist Flower). British Library Cataloguing in Publication

LEADER Wednesday, November 4, 2020 15...Found Notices published FREE 5862 1034 [email protected] TROPHIES & ENGRAVING NUMURKAH LEADER NumurkahLEADER 03 5862 1034 Classifieds 16

Trading - download.e-bookshelf.de€¦ · Trading 4th Edition Lita Epstein, MBA Author of Reading Financial Reports For Dummies Grayson D. Roze Business Manager, StockCharts.com

NFC - download.e-bookshelf.de · vi NFC For Dummies PART 2: UNDERSTANDING NFC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 CHAPTER 3: Defining NFC

DUMmIES - download.e-bookshelf.de · Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily,

Criminology - download.e-bookshelf.de · Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies

All New 5th Editiondownload.e-bookshelf.de/download/0000/5862/39/L-G... · 2013. 7. 17. · L.S. Starrett Company Lufkin Tool Company Monarch-Cortland ... Tinius Olsen Testing Machine

Investing - download.e-bookshelf.de · Trademarks: Wiley, the Wiley logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun

WEDNESDAY, MAY 27, 2020 $1.30 INSIDE School’s back! · 2020-05-26 · Phone 5862 1034 – Fax 5862 2668 – Email - Editorial: [email protected] - Advertising: [email protected]

Astrology - download.e-bookshelf.de€¦ · viii Astrology For Dummies Sagittarius the Archer: November 22–December 21 . . . . . . . . . . . . . .114 The sunny side

Eating Clean - download.e-bookshelf.de€¦ · titles, Dummies is a global leader in how-to information. Now you can get the same great Dummies information in an App. With topics

Bulldogs - download.e-bookshelf.de · Bulldogs FOR DUMmIES ‰ by Susan M.Ewing 01_599798 ffirs.qxp 11/28/05 4:09 PM Page i. C1.jpg

Malicious Cryptography Exposing Cryptovirologydownload.e-bookshelf.de/download/0000/5862/60/L-G-0000586260... · in a virus so that part of its payload would be to perform a one-way

FOR DUMmIES - download.e-bookshelf.de€¦ · DUMmIES‰ 2ND EDITION 01_145029 ffirs.qxp 8/22/07 6:08 PM Page iii. C1.jpg. 01_145029 ffirs.qxp 8/22/07 6:08 PM Page ii . Fibromyalgia

Banjo - download.e-bookshelf.de · x Banjo For Dummies, 2nd Edition Discovering Pete Seeger–Style Banjo..... 155 Syncing with the Seeger stroke ..... 156

Phone 5862 1034 – Fax 5862 2668 – Email - Editorial: … · 2020-05-19 · Phone 5862 1034 – Fax 5862 2668 – Email - Editorial: [email protected] - Advertising: [email protected]

Being the - download.e-bookshelf.de · viii Being the Best Man For Dummies, 2nd Edition Part III: The Speech ..... 87 Chapter 8: Writing the Speech . . . . . . . . . . . . . . .

Statistics - download.e-bookshelf.de€¦ · Statistics For Dummies, 2nd Edition (9781119293521) was previously published as Statistics For Dummies, 2nd Edition (9780470911082). While

QuickBooks - download.e-bookshelf.de · viii QuickBooks 2014 For Dummies Adding Employees to Your Employee List..... 50 Customers Are Your Business ..... 52

Math Word Problems - download.e-bookshelf.de · For Dummies, Algebra II For Dummies, CliffsStudySolver Algebra I, and CliffsStudySolver Algebra II. She taught junior high and high

FOR DUMmIES - download.e-bookshelf.de€¦ · Mac OS 9 For Dummies . for Wiley Publishing, Inc.; Stupid Mac Tricks . and . Dr. Macintosh . for Addison-Wesley; and . The Little iTunes

Neuroscience - download.e-bookshelf.de · vi Neuroscience For Dummies Fighting or Fleeing: The Autonomic Nervous System . . . . . . . . . . . . . .45 How We Know What We Know about

Machining - download.e-bookshelf.de · iv Machining For Dummies Turning It Up: Exploring Lathes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Engine lathes

Hybrid Cloud - download.e-bookshelf.de€¦ · custom published For Dummies titles including Platform as a Service For Dummies, CloudBees Special Edition (John Wiley & Sons, Inc.,

Mindfulness - download.e-bookshelf.de · x Mindfulness at Work For Dummies Using a smart phone mindfully ..... 179 Engaging with social media mindfully..... 181

Innovative - download.e-bookshelf.de · vi Innovative Presentations For Dummies Projecting Your Desired Image ..... 36 Pursuing the ideal image..... 37

Hadoopdownload.e-bookshelf.de/download/0002/3297/41/L-G...The Hadoop For Dummies distribution: Apache Bigtop.....45 Setting up the Hadoop For Dummies environment ..... 46 The Hadoop

Astrology - download.e-bookshelf.de fileby Rae Orion Astrology FOR DUMmIES‰ 2ND EDITION 01_098400 ffirs.qxp 2/23/07 11:37 PM Page iii