WindowsSecurity.com Monthly Newsletter

WindowSecurity.com Newsletter of October 2011 Sponsored by: ManageEngine

Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: gchetcuti@windowsecurity.com

How to protect your IT network from insider threat and address the compliance audit requirements?

With ManageEngine EventLog Analyzer, carry out unintrusive monitoring of internal privileged user activities. On timely detection of activities with malicious intensions, take appropriate action to prevent the attacks on your enterprise resources. Get the compliance reports automatically generated for the PCI-DSS, HIPAA, FISMA, SOX & GLBA regulatory acts. Schedule to get the reports periodically. Customize the existing canned compliance reports. Also create reports for the new compliance acts.

Download 30-Day Free trial of EventLog Analyzer.

1. PGP - Under the Hood

Introduction to Cryptography

Cryptography is a term that embraces the art of hiding information so that only the intended recipient is able to view. The science behind cryptography involves mathematical functions, strong analytic skills and a combination of techniques that we find in computer science. While cryptography is the science of securing information, cryptanalysis is the opposite - the science of analyzing and breaking secure information. Cryptanalysts are those attackers that try to unmask the information secured by cryptography. When the information is in its original form it is called plaintext or cleartext and the process of disguising the plaintext is called encryption. The resultant disguised text is called ciphertext and the process of reverting back (decipher) the ciphertext to its original readable form is called decryption.  Modern cryptography is more complex than that!

A cryptographic algorithm uses a secret key to encrypt data and the same key is used on the other end to decrypt the data. A key can be a word, number, phrase or a combination of. The same cryptographic algorithm used with different keys will output different ciphertext. The strength of cryptography depends on the strength of the cryptographic algorithm and the secrecy and type of key. The combination of all these features make up a cryptosystem and PGP (Pretty Good Privacy) is one of these cryptosystems. Before I move on to PGP in detail, it is imperative to say something about the schemes available in cryptography.

Symmetric (Secret-key) and Asymmetric (Public-Key) Cryptography

Symmetric-key encryption also known as secret-key uses one secret key to both encrypt and decrypt data. DES (Data Encryption Standard) is an example of a conventional symmetric-key cryptosystem. Though this method is computationally fast it can be easily compromised due to the difficulties in distributing the secret keys safely. If key distribution is a problem then what alternatives do we have? The solution is an asymmetric scheme known as Public-key cryptography. Public-key cryptography uses a pair of keys known as the private and public keys.  The public keys as the name implies is made public to all potential recipients while the private key is kept secret hence, there’s no need to share it with your recipients. The mathematics behind Public-key encryption makes it impossible to deduce the private key from the public key with today’s computing power.  When data is encrypted with the Public key, only the private key holder can decrypt that data. Therefore, the need of sharing a secret key is now eliminated. RSA (Rivest, Shamir, and Adleman) is an example of a public-key cryptosystem. One basic requirement remains though, that the private key should be securely stored.

How PGP works

Why not combine the best of both Cryptographic schemes? In fact, PGP combines some of the best features of both schemes and includes additional methods to further secure data. Cryptanalysis techniques try to exploit patterns found in data to crack the cipher, but data compression techniques reduce such patterns and thus enhance security. Apart from this, compression reduces transmission time and storage space. PGP is in fact a hybrid cryptosystem and the process of encryption and decryption is as follows:

  1. The plaintext information or data that can be compacted is initially compressed.
  2. A session key is created. This one-time-only secret key is a random number generated from the arbitrary movements of the mouse and keystrokes.
  3. The session key is used with a fast conventional encryption algorithm to encrypt the plaintext to produce the ciphertext.
  4. The session key is encrypted using the recipient’s public key. The recipient public key can be known to the sender or retrieved from public PGP key servers.
  5. The encrypted session key together with the ciphertext are sent to the recipient.

Decryption on the recipients works in the reverse order:

  1. The PGP cryptosystem at the other end uses the recipient’s private key to recover the one-time-only session key.
  2. With the session key then the cryptosystem decrypts the conventionally-encrypted ciphertext.

The combination of the two schemes leverages the speed of conventional encryption methods and the convenience (solution to key distribution mentioned above) of public keys. The end result is a secure, high performance encryption system!

In general, bigger keys relate to more secure cryptosystems but one needs to factor in the algorithm used to be able to evaluate the cryptosystem overall security! Also, asymmetric (Public-Key) and symmetric key sizes are unrelated. For instance, a symmetric key of 80 bits is as secure as a public key of 1024 bits. Key sizes are measured in bits and extremely large keys will have an impact on performance - we need secure and efficient systems! PGP stores the keys in two files called keyrings, one for the public key and one for the private key. The recipient's Public keys will be stored in the public keyring. PGP provides authentication, data integrity, confidentiality and non-repudiation.

How PGP digitally signs an email message

Digital signatures provide a method to ensure the authenticity of the information’s origin and that the information was not modified in transit. Actually, it provides authentication, data integrity and non-repudiation. PGP uses a strong hash function on the plaintext the user is signing and generates a fixed-length data output known as the message digest. A hash function outputs completely different values with different plaintexts, even if the change between the two plaintexts is extremely minimal say, by just one bit. Then, the PGP uses the message digest and the private key to create a digital signature which is transmitted together with the plaintext to the recipient. On the other side, the recipient’s PGP recomposes the digest using the sender’s public key and received plaintext to verify the signature. If the digests do not match then the verification process fails. In this scenario the plaintext is not encrypted to allow for recipients that have no cryptosystems in place or are not interested in secure communications. 

How can one be sure that the Public key of the recipient is the real one?

It is vital to have assurance that the public key to which you are encrypting data is in fact the public key of the intended recipient and not a fake one perpetrated by some man-in-middle. In a highly secure environment you may exchange keys physically but is this practical when exchanging information with people that you have never met? Digital certificates are intended to establish this assurance – confirmation that a public key truthfully belongs to the claimed owner. In other words, a digital certificate is the information included with a person’s public key that helps others to verify that a key is genuine. Digital Certificates are stored on Certificate Servers which are also called cert or key servers. In Public key Infrastructure (PKI) apart from the repository of digital certifications, one would find additional services and a Certificate Authority (CA) that issues certificates digitally signed by the CA's own private key as to attest the validity of the certificate. PGP supports two different certificate formats which are PGP and X.509. There’s more to these certificates but the main difference between the two is that you can create your own PGP certificate but you must request and be issued an X.509 certificate from a CA.

Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you’re more than welcome to e-mail me at gchetcuti@windowsecurity.com

See you next month! – George

2. WindowSecurity.com Articles of Interest 

How to protect your IT network from insider threat and address the compliance audit requirements?

With ManageEngine EventLog Analyzer, carry out unintrusive monitoring of internal privileged user activities. On timely detection of activities with malicious intensions, take appropriate action to prevent the attacks on your enterprise resources. Get the compliance reports automatically generated for the PCI-DSS, HIPAA, FISMA, SOX & GLBA regulatory acts. Schedule to get the reports periodically. Customize the existing canned compliance reports. Also create reports for the new compliance acts.

Download 30-Day Free trial of EventLog Analyzer.

3. Tip of the Month

Remember that electronic mail is an insecure means of communications and can be easily snooped, forged or leveraged for malicious purposes. If your organization does recognize this threat but cannot afford an expensive encryption product then explore affordable products or reliable free software. For instance, the Gpg4win is a cryptosystem for file and email encryption. Gpg4win (GNU Privacy Guard for Windows) is Free Software.

4. Latest Security Exploits and Concerns

5. Ask the Forum a question

This month, I would like to share another forum post with you. Our WindowSecurity.com Message Boards are a great source of information where you can get free support and an exchange of brilliant ideas. I urge you to participate!!!
For instance, check this cool thread –

SHA256 security

How to protect your IT network from insider threat and address the compliance audit requirements?

With ManageEngine EventLog Analyzer, carry out unintrusive monitoring of internal privileged user activities. On timely detection of activities with malicious intensions, take appropriate action to prevent the attacks on your enterprise resources. Get the compliance reports automatically generated for the PCI-DSS, HIPAA, FISMA, SOX & GLBA regulatory acts. Schedule to get the reports periodically. Customize the existing canned compliance reports. Also create reports for the new compliance acts.

Download 30-Day Free trial of EventLog Analyzer.