Implementing encryption protocols

WEP, which stands for wireless encryption protocol, provides encrypted communication between wireless clients and access points.  WEP uses a key encryption algorithm to encrypt messages between devices.  Each client and access point on the wireless LAN must use the same encryption key.  The key has to be manually configured on each access point and each client before either can access the network.  Basic WEP specifies the use of up to 64 bit keys, but 64 bit WEP encryption has been proven to be vulnerable to attack.  Most devices now support 128 bit encryption (104 bit key plus a 24 bit initialization vector), but this one is also vulnerable.

Since modern access points and other wireless devices now support stronger encryption mechanisms, if your wireless access point supports only WEP, the best thing is to upgrade.  If you can’t upgrade, try to use 128 bit WEP encryption in conjunction with other security controls such as MAC address filtering and network identifiers, along with other security mechanisms, such as IPSec and HTTPS.

WPA and WPA2 (Wi-Fi Protected Access) are among the most recent and secure forms of encryption for wireless networks.  WPA was created as a quick fix for WEP, until WPA2 came and replaced WPA.  WPA can use a pre-shared key, and in the pre-shared key method (personal WPA), all devices on the wireless LAN must use the same passphrase key to access the network.  The authentication server method (enterprise WPA) is more suited for environments with hundreds of clients, where using a single passphrase key for each device is not scalable, and the authentication server takes care of key management between the wireless devices on the network.

With WPA, a single ephemeral (session) key can’t be cracked before the protocol changes keys.  WPA also provides improved integrity checking of the data traversing the wireless network, to make sure that data can’t be intercepted and changed on its way to its destination.  This provides much more protection, but it is only as strong as the passphrase used.  The WPA passphrase should be long, and it should include uppercase, lowercase, and special characters.  All devices on the WPA network must share the same passphrase, including all access points.

WPA2 is the true replacement for WEP and adds RSN (robust security network) support that includes added protection for ad hoc networks, key caching, pre-roaming authentication, and CCMP, which uses the AES cipher to replace TKIP.  All currently manufactured devices support WPA2 in addition to WPA.  If your network devices support WPA2, they should use this type of encryption.  However, many older devices do not support WPA2, and you will have to use WPA or some other common encryption method, such as WEP, that can be supported by all your clients.

By default, a mail server doesn’t encrypt email messages; you have to encrypt them yourself.  If you don’t, an attacker who captures the unprotected network traffic can read your email messages.  Most of the time, these servers are insecure and email can be captured and viewed.  Users should always protect sensitive emails through the use of encryption and digital certificates.

One way to use encryption and digital certificates is PGP.  PGP (Pretty Good Privacy) is a common encryption tool used to protect messages on the internet because it’s easy and effective.  PGP uses its own decentralized type of digital certificates using an RSA based public key encryption method with two keys.  A passphrase is used to encrypt the user’s private key, which is stored on the local computer.  Each PGP user distributes his own public key, creating a web of trust with other users.  Each user keeps a collection of the other users’ public keys on a key ring.  PGP is different from a centralized certificate authority, where one authority is used to authenticate users; with PGP, users rely on each other to establish trust between other users and their keys.

GNU Privacy Guard (GPG) is a free, open source implementation of the OpenPGP standard.  It is intended as a free replacement for PGP.  GPG does not contain any patented encryption algorithms, and it supports many technologies, including DSA, RSA, AES, 3DES, Blowfish, Twofish, MD5, SHA1, and RIPEMD160.

GPG utilizes asymmetric keys that are generated by GPG end users, and public keys can be exchanged with other users using internet key servers.  You can also use digital signatures to verify the sender and integrity of the message.

MIME stands for multipurpose internet mail extensions.  It is a specification for transferring multimedia and attachments through email.  It offers a standard way for mail clients and mail transfer systems to handle types of attachments.  If I send an audio clip to another user through email, the MIME header will include information on the attachment.  When the audio clip reaches the receiver, the computer will understand what kind of file it is and which app to use to open it.

Secure MIME (S/MIME) is an extension that is used to digitally sign and encrypt email using certificates.  It is used for sending confidential email.  It requires the use of public key certificates for authentication and provides message confidentiality and integrity via the user’s encryption and hashing algorithms.

The SSL and TLS protocols enable communication between systems to be encrypted.  Many websites have both secured and unsecured areas.  The secured areas are mostly used for financial and bank account data or anything that can include PII.  Secured areas require users to authenticate to proceed.  You can use TLS or SSL to encrypt the areas that require it.  SSL must be supported by both the web server and the client browser to function.  It is also often used in email systems to secure messages between mail servers and clients.

In an SSL session, a process known as the digital handshake occurs.  It starts when the server sends a message indicating a secure session must be set up.  The client then sends its security information and encryption key to the server, which then compares the credentials with its own to find the right match.  Next, the server sends authentication information so the client knows the web server with which it is communicating is the right one.  Be wary of this step, because a user can be switched from one site to another without the user’s knowledge by redirection or other methods.

For example, when you enter your username and password, you might be entering them into a scam site that collects all your information to try on other websites.  This handshake confirms not only that you are who you say you are, but also that the site you are connected to is legitimate.  The SSL protocol uses public key cryptography in the handshake phase to securely exchange symmetric session keys.  When the client moves to another website, the encrypted session is closed.

TLS is the next tier of the SSL protocol.  Although similar, TLS is more advanced and has enhanced encryption and authentication techniques for more advanced protection.  However, TLS is not interoperable with SSL.

TLS is a widely implemented protocol used to secure connections to websites, email connections, IM, VoIP apps, and connections to LDAP servers.  Cipher suites support the underlying security of both SSL and TLS through the implementation of a combination of authentication, encryption, and MAC algorithms that negotiate the security of the connection.  Any number of algorithms can be used for it.

Different server implementations of SSL and TLS are possible with the adoption of either strong or weak ciphers.  It is important to understand which type of cipher you choose to utilize based on requirements; if strong ciphers are used, weak ciphers should be disabled.  Either way, you should research and make a conscientious decision.

HTTPS is hypertext transfer protocol over secure socket layer.  It is a secure means of communicating HTTP data between a web browser and a web server.  All HTTP communications are sent in clear text, so no messages are secure, and they can be easily viewed using a protocol analyzer.  This makes HTTP useless for communication requiring privacy, and HTTPS has to be used to protect the channel by using SSL and certificates to provide encrypted and protected communications.

When I connect to a website using HTTPS, the web server sends a certificate to the web browser I’m using to establish its identity.  If my browser accepts the certificate and finds no validation issues with it, SSL is activated between the server and me.  This ensures that the website is genuine and that I’m not connecting to a fake site.  In many web browsers, a secure site is indicated by a small padlock icon on the taskbar.  HTTPS uses TCP port 443 for communications (don’t confuse this with S-HTTP).
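The cipher selection and certificate validation described above can be expressed with Python's standard ssl module. This is an added example, not code from the original page; the function names, the marker list and the sample suite names are constructed for illustration.

```python
import ssl

# Substrings that identify cipher suites a hardened endpoint should not offer.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON", "ADH", "AECDH")

# Constructed sample: suite names as a scanner or server config might list them.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "TLS_AES_128_GCM_SHA256",
    "NULL-SHA",
]

def weak_suites(names):
    """Return the suite names that contain a weak-cipher marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]

def hardened_client_context() -> ssl.SSLContext:
    """Client context: certificate and hostname checks on, weak ciphers off."""
    ctx = ssl.create_default_context()            # trusts the system CA store
    ctx.check_hostname = True                     # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED           # reject unverifiable certificates
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL and early TLS
    # Strong suites only; the "!" entries explicitly disable the weak families.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx

def enabled_suites(ctx: ssl.SSLContext):
    """Names of the cipher suites the context will actually offer."""
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    print("weak in sample:", weak_suites(SAMPLE_SUITES))
    ctx = hardened_client_context()
    print("offered:", enabled_suites(ctx))
    print("weak offered:", weak_suites(enabled_suites(ctx)))
```

Running the same weak_suites check over a server's configured suite list is a quick way to confirm that weak ciphers were actually disabled and not just deprioritized.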

IPSec is a standards based suite of protocols that provide information assurance across IP networks.  It works on the IP network layer to encrypt communications.  It is most often used to secure a VPN (virtual private network) over an open network like the internet.  Because IPSec operates at lower levels than most application security protocols, such as SSL, it offers greater flexibility in its implementation, as applications do not need to be aware of IPSec to make use of its benefits.  IPSec ensures that communications can’t be read by a third party, that traffic has not been modified in transit, and that messages received are from a trusted source.

IPSec uses two types of encryption modes: transport and tunnel.  Transport mode encrypts the data portion of each packet, but not the header.  This can be used only in host to host communications.  Tunnel mode encrypts both the header and the data of the network packet.  This is used to host VPN gateway communications.  The receiver of the packet uses IPSec to decrypt the message.  For IPSec to work, each communicating device needs to be running IPSec and share some form of public key.  Key management is provided by IKE, known as internet key exchange.  IKE enables the receiver to obtain a public key and authenticate the sender using digital certificates.

IPSec consists of component protocols, including the authentication header (AH) and encapsulating security payload (ESP) headers.  The authentication header is an IP header that is added to a network packet and provides its cryptographic checksum.  This checksum is used to achieve authentication and integrity, to ensure that the packet has been sent by a specified source and has not been captured and changed in transit.  ESP is a header applied to an IP packet after it has been encrypted.  It provides data confidentiality so that the packet can’t be viewed in transit.  In newer IPSec implementations, authentication is always performed within the ESP header, resulting in a single combined authentication header and encapsulating security payload header.

Security associations (SAs) are the basic building blocks of IPSec communications.  Before any two devices can communicate using IPSec, they must first establish a set of SAs that specify the cryptographic parameters that must be agreed upon by both devices before data can be transferred securely between them, including encryption and authentication algorithms and keys.

The primary way of establishing SAs and managing VPN keys is via the internet security association and key management protocol (ISAKMP) and IKE.  These are the protocols for performing automated key management for IPSec.  The process automatically negotiates with the remote VPN device to establish the parameters for individual SAs.  An SA is established so that all key exchanges can be encrypted and no keys need to be passed over the internet in clear text.  Once the SA is established, a session SA is negotiated for securing normal VPN traffic, referred to as IKE phase 1 and phase 2 negotiations.  The session SAs are short lived and are renegotiated at regular intervals, ensuring that the keys are discarded regularly.  The same keys are used only for a small amount of time and for limited amounts of data.

SSH stands for secure shell, and it is a secure remote access utility that lets a user log into a remote machine and execute commands as if they were working at the console of that system.  Other remote access utilities like Telnet are insecure because the data isn’t encrypted.  SSH provides a secure, encrypted tunnel to access another system remotely.  It is sometimes used as a low cost alternative to normal VPN communications because of its simple installation and delivery of well encrypted, secure communications.

SSH uses public key cryptography for authentication, and when a client connects to a system using SSH, an initial handshaking process begins and a special session key is exchanged.  This starts the session, and a secure channel is created to allow the access.  Vulnerabilities exist in some versions of SSH, so make sure you use the latest version.

Key stretching techniques strengthen a weak key, usually a password, against brute force attacks by increasing the time for testing each potential key.  Passwords are particularly susceptible to brute force or other password cracking attacks because they’re often quite short and are often created by humans.  Key stretching works to counteract this by creating an enhanced key, the result of the initial key and a hash function or a block cipher being applied in a loop.  This enhanced key should be theoretically impossible to crack through various attacks.  Two common functions that are used for key stretching are Password-Based Key Derivation Function 2 (PBKDF2) and bcrypt.
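To make the "hash function applied in a loop" concrete, the following added example (not part of the original page) writes out the PBKDF2 loop with HMAC-SHA256 and then shows salted password storage and verification using the standard library. The function names, the 16 byte salt and the 100,000 iteration default are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA256, written out so the stretching loop is visible."""
    out = b""
    block = 1
    while len(out) < dklen:
        # First round: U1 = HMAC(password, salt || block index)
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        # Remaining rounds: each output is fed back in and XORed into the result.
        # An attacker has to repeat this loop for every password guess.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(32, "big")
        block += 1
    return out[:dklen]

def hash_password(password: str, iterations: int = 100_000):
    """Return (salt, iterations, derived key) for storage; the salt is random per user."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Re-derive the key and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # The hand-written loop matches the library implementation.
    manual = pbkdf2_sha256(b"hunter2", b"constructed-salt", 1000)
    library = hashlib.pbkdf2_hmac("sha256", b"hunter2", b"constructed-salt", 1000)
    print("loop matches hashlib:", manual == library)
    salt, n, key = hash_password("correct horse battery staple")
    print("good password:", verify_password("correct horse battery staple", salt, n, key))
    print("bad password:", verify_password("guess", salt, n, key))
```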
