Security: Secure Internet Data Transmission.

by The Editor [Published on 16 Oct. 2002 / Last Updated on 23 Jan. 2013]

Sniff, spoof, encryption


In the two preceding chapters we examined ways in which to keep your data safe, mainly from within an organization. I discussed the best ways to keep hackers out of your intranet and how to protect actual data from viruses and human error as well as the physical security of your software and hardware. Now that you've secured your tools and applications physically and have taken all precautions internally to keep data safe, it's time to consider how safe your data is during transmission. This transmission from one computer to another could be within your LAN, within your intranet, or over the Internet.

This chapter's topic, secure transmission, explores the security risks involved with data transmission, such as eavesdropping and decryption. It discusses why and how to establish secure channels, as well as ways to prevent or foil attacks on those channels. It is aimed primarily at anyone who is trying to design a fully secure system of computers and data, or at anyone interested in encrypting data for transmission. Any individual involved with transmitting sensitive data, whether in a business that exchanges confidential information (inside its corporate headquarters or with customers) or in an organization that exchanges sensitive data between just two computers, should not skip this chapter. This includes banks; corporations with offices in different geographical locations that share proprietary information, regardless of whether it's public or private; and individuals doing business on the Internet, including selling products and conducting business transactions.

What Is Transmission Security?

Transmission security is the capability to send a message electronically from one computer system to another computer system so that only the intended recipient receives and reads the message, and the message received is identical to the message sent. The message would not be identical if it was altered in any way, whether transmitted over faulty channels or intercepted by an eavesdropper. Transmission security translates into secure networks. Although many people regard networks as computers connected by wires, this definition of a network, while technically correct, misses the point. Rather, networks are transmitted data, the data flowing over wires.

All transmissions can be intercepted. And the cautious user looks at all transmissions as if they will be intercepted. You can minimize the risks of transmission interception, but you can never, under any circumstances, completely rule it out. After all, it is people who design and put wires in their place, and people can get to them. Accessing wires is somewhat comparable, although much more difficult, to accessing a transmission sent over airwaves, as on a CB radio. For example, as a ham, you may have a message intended only for other hams. Although hams are the main communicators on these frequencies, anyone with the right radio equipment can tune in and listen, so it's likely your message will be received and heard by other listeners who pick up the frequency, whether you want them to hear it or not.

Similar risks occur with cellular phones, even though most transmission takes place over wire and not air. One risky transmission occurred between Prince Charles and his mistress Camilla Parker Bowles when an eavesdropper intercepted a now infamous cellular phone conversation between the two.

So, like it or not, networks are our transmissions. If you decide that the risk of transmitting over networks is too high and choose not to transmit over them at all, throw your computer systems away; you've wasted your money. Unfortunately, transmission interceptions are inevitable; it's likely they will occur at times. Designing a 100 percent transmission-secure network is akin to designing a car that can't be broken into; no matter how secure the car is, someone can always break the windows. This doesn't mean you should sit back and wait for the interception, however; instead, build your system to deter people from attempting to break in, and make it costly for the hacker to enter.

How Information Is Transmitted

Most networking schemes transmit data across whole sections of the network rather than directly from computer A to computer B. Ethernet networks, for example, deliver each transmission to all directly connected computers on the local network. Two computers are "directly connected" if there is no device between them that filters the transmission based on its destination. So if computer A sends a message to computer E, computers B, C, and D will receive the message but will ignore it, because it is not intended for them, as shown in Figure 16.1. Many other types of networks, including Token Ring, FDDI, and some switched Ethernets, operate on the same idea: Transmitted packets go to many devices on the network, and the recipients are expected to ignore messages destined for other computers. This is much like radio or television transmission, in which signals are sent out in every direction, but radios and TVs not on the correct station don't use the signal.

Figure 16.1: This is where every message travels on an ethernet network.

How Information Is Intercepted and Read

Any computer with access to the physical network wire or in the vicinity of over-air transmissions, however, could be instructed not to ignore the signals intended for other computers. This is the essence of electronic eavesdropping.

Information is considered intercepted when someone other than the intended recipient receives the information. Data can be intercepted in many ways, such as electronic eavesdropping or by using the recipient's password. It can occur anywhere, including in a chat room or through an e-mail exchange.

The tools required to read the transmission depend on how the information is intercepted. If an intruder is stealing transmissions at the most basic level (stealing the data packets straight off the wire or out of the air), the interloper will need something that translates electronic signals from voltage changes to the numbers and letters that those changes represent. Computers for which the transmission is intended do this automatically, because they are expecting the signal and already know its characteristics, how to decode it, and what to do with it. A much simpler method would be intercepting a message by just looking over someone's shoulder to read what they have written. Again, the legitimate user already has a context in which to interpret the on-screen information. The snooper, however, still has to interpret the message, and this isn't always so simple.

Sniffing Devices

There are troubleshooting programs and devices designed to analyze LAN traffic. These are commonly referred to as packet sniffers, because they are created to "sniff" packets of data for the network engineer. As mentioned in the preceding section, all transmissions are broadcast over all the wires. When one computer wants to communicate with another, it sends out an electrical signal through the network, which could be copper wire, fiber optic cable, or air. The signal travels over this whole section of the network until it reaches the end of its signal strength in the air, the end of the wire or cable, or a network device that turns the packet back because the packet's destination is not on the other side of the device. At each point along this journey that the signal encounters a network interface, that interface examines the signal. If the interface sees the signal is for someone else, it ignores it. If the interface recognizes a signal for it, it reads it and gives it to the other parts of the computer for interpretation and use.

The nice thing about LANs is that the systems administrator can use a sniffer to tap into the wire to examine it. A systems administrator should occasionally examine these lines to check on the raw material going over the LAN. This is where packet sniffers are helpful. Packet sniffers will instruct your computer to look at every signal over the wire or only signals that meet certain criteria. This allows the systems administrator to analyze and actually read electrical signals. However, anyone with malicious intent also can use packet sniffers for analyzing and reading network traffic.

Now, you might think there are users out there maliciously using packet sniffers to read data worldwide, continuously. It's true that there may be many users with malicious intent snooping around networks, but it is not as simple as just purchasing a packet sniffer. There are devices, generally referred to as internetworking devices and more specifically as routers and bridges, that actually filter the electrical signals sent out as data packets. These devices filter signals logically, which means that any data passing through a bridge or router must be intended to go through that bridge or router; the destination of the data must be on the other side of the internetworking device to get through the filter. If the destination of the data is not on the other side of the filter, the internetworking device won't pass the signal; and if it doesn't pass the signal, someone on the other side is unable to sniff the information, as shown in Figure 16.2. Anytime you have a network that requires any sort of logical division, you need an internetworking device. If you are connected to the Internet, you have an internetworking device. If your local network spans a large physical distance, you have some sort of internetworking device.

Figure 16.2: This sniffer cannot smell packets on the other side of the router.

Devices for Spoofing

Spoofing is somewhat of an overrated threat. Spoofing means getting your computer to pretend it is a different computer. The user forces the computer to present credentials to the network that are false. To do so, the user doesn't need tools but rather information to make those credentials realistic. The Internet identifies computers by numbers: Every computer has a unique number on the Internet. Some computers will grant access to systems they are charged with protecting or resources that they guard on the basis of the identification number presented to them by another computer. In this way, if a computer presents a fake identification number, the computer that requested the number could be fooled.

These are generally difficult attacks to carry out because of how information is transmitted from computer to computer. When information is transmitted, it must follow a route based on your address. If you are using a fake address, the information returning to you will look for your fake address and thus take a route that does not lead to you, as shown in Figure 16.3. For example, if you send mail to someone but you want them to think you are someone else, you put someone else's return address on the envelope. When they write back to the person at the return address, the mail carrier delivers the message to that address and not back to you. The Internet equivalent of the dutiful mail carrier is termed "forbidding source routing" and is easy to enable. You can't get return messages, so the attack is difficult to carry out. In addition, firewalls know the difference between inside and outside, and a firewall will ignore messages from outside by computers claiming to have an inside address. Similarly, the mailroom at IBM will view suspiciously any internal company mail brought in by a mail carrier. These simple safeguards make it difficult to carry out a spoof attack from the outside.

Figure 16.3: Spoofed packets reach their destination but not their origin.

A drawback of a spoof attack from inside the company is that if a computer on the Internet at any time detects any other computer on the Internet with the same Internet address, both computers will complain. In this case, if someone is spoofing you by pretending to be you and your computer is on or being monitored, the trick would be detected easily because your computer will tell you that there is another computer on the network with the same address.

Still another drawback of a spoofing attack is that every network interface on any computer has a unique identifying number. Anyone trying to spoof your IP address on a local network could disable the computer he or she is spoofing, avoiding the conflict mentioned earlier. This would fail, however, if any other computer on the network were using the Address Resolution Protocol (ARP). ARP matches Internet addresses to the number given to a network card. Therefore, turning off your computer would eliminate the IP conflict, but the interface card number mismatch would require either stealing the network card, making a special one, or adjusting the ARP table on the third computer.

Attacks in which individuals pretend to be another user can occur on several levels. The attacker can pretend that his or her network interface is one that it isn't by manufacturing a network card with a fake address. The user then might pretend to have the Internet address of another computer and thus steal that computer's transmission or create transmissions under the guise of the impersonated computer. A user could also pretend to be a different person by stealing that person's username and password in one of about a billion ways. In addition, a user could steal information simply by gaining access to a computer whose data was not protected against direct physical intrusion.

Methods of Transmissions and Their Levels of Security

At the most basic level transmission occurs over wires or in the air; every electrical signal travels one way or the other. Transmission is more secure over wire because an eavesdropper or hacker must be physically near the wire, whereas an interception of an air transmission can occur anywhere in reach of the signal.

An attempt to intercept a transmission traveling via fiber by tapping into the cable would be more easily detected than a tap into copper wire, because the tapper could easily damage or impair a particular segment of the network, which should be easy to spot. Detecting an interception that took place over the air would be nearly impossible.

Encryption

There are two aspects to consider when planning for transmission security. The first aspect, discussed in the preceding paragraph, is how transmissions are physically sent (that is, over wire or air). The impossibility of preventing physical interception should now be clear. The second aspect of secure transmission relates to the content that is being transmitted. Securing the content of the message is done through encryption.

Encryption involves transforming messages to make them legible only for the intended recipients. Encryption is the process of translating plain text into ciphertext. Human-readable information intended for transmission is plain text, whereas ciphertext is the text that is actually transmitted. At the other end, decryption is the process of translating ciphertext back into plain text. (Figure 16.4 demonstrates the process.) Encryption algorithm refers to the steps that a personal computer takes to turn plain text into ciphertext. A key is a piece of information, usually a number, that allows the sender to encode a message only for the receiver. Another key also allows the receiver to decode messages sent to him or her.

Figure 16.4: Plain text is encrypted to produce ciphertext. Ciphertext is decrypted to produce plain text. Keys are used for both encryption and decryption.

Now that you have the basic encryption jargon down, let's look at why and how encryption is essential for secure transmissions.

Why Use Encryption?

As you've learned by now, your transmissions can have only so much physical security. It is reasonable to assume that at some point someone may intercept your transmissions. Whether you expect an interception or whether you just generally suspect that interceptions may occur, you should transmit your information in a format that is useless to any interceptors. At the simplest level, this means when transmitting a message to someone, you use a coded message or slang (nicknames) that no one else understands. When Ulysses S. Grant captured Vicksburg during the Civil War, he sent a coded but predetermined message to Abraham Lincoln that read "The father of waters flows unvexed to the sea," meaning that the Union now owned the whole Mississippi river. Perhaps a good plan at the time, but still, Grant and Lincoln (or their advisers/confidantes) had to communicate a predetermined message and the message's meaning. A more recent example of a coded message might involve the use of nicknames. For instance, you and your sister give nicknames to family members whom you discuss unfavorably. Should a malicious family member decide to intercept a transmission, you would hope he wouldn't understand which family members you and your sister refer to in your messages. The obvious drawback of this coded message, like the Grant-Lincoln message, is that you and the recipient must establish a system of code before you begin transmitting messages.

A better system is one that allows you to send any message, even one you had not anticipated, to anyone without fear of interception. This is why an encryption system is so valuable; it allows any message to be transmitted that will be useless to anyone who intercepts it.

Private Key Encryption

Another rather simple form of encryption is commonly known as private key or symmetric encryption. It's called private key encryption because each party must know before the message is sent how to interpret the message. For example, spies in the movies always have a sequence of statements that they exchange to be sure of each other's identity, like "the sun is shining" must be followed by "the ice is still slippery." This is an example of encrypting so that only the person for whom a message is intended will understand it.

Other systems have been developed so that information can be encrypted in a general way. Again, using history as an example, one encryption method is commonly referred to as Caesar's code. According to history, Caesar would send messages that were encoded by replacing each letter in the message with the letter three places higher in the alphabet (A was replaced by D, B by E, and so on). The recipient just had to change the letters back to find out what the message said. An enemy who intercepted the message and did not know the method of encoding it would be unable to decipher it. Clearly though, this encoding method is not terribly difficult to break. This is called private key encryption because the method of encryption must be kept quiet. Anyone who knows the method could decode the message. It also is called symmetric because the same key is used to both encrypt and decrypt the message. Other private key methods have been devised to be more difficult to break.

The Data Encryption Standard (DES) is a private key system adopted by the U.S. government as a standard, very secure method of encryption. An even more secure private key method is called a one-time pad. A one-time pad consists of sheets of paper with random numbers on them: These numbers are used to transform the message, and each number or sequence of numbers is used only once. The recipient of the message has an identical pad to use to decrypt the message. One-time pads have been proven to be foolproof, provided the interceptor does not have a copy of the pad. Supposedly, mathematicians can prove that a one-time pad is impossible to break.

The drawbacks to private key systems, however, are twofold. First, anyone who learns the method of encryption and obtains the key (or the number, sequence of numbers, or equivalent that is fed into the system as its random input) can break the encryption. Second, keys must be exchanged before transmission with any recipient or potential recipient of your message. So, to exchange keys you need a secure method of transmission; essentially, what you've done is create a need for another secure method of transmission.
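As an added illustration of the two private key schemes above (not code from the original chapter), the following Python shows a Caesar shift, how quickly its 25 possible keys can be tried once the method is known, and a one-time pad built from XOR, including why a pad must never be reused. The message and pad values are constructed for the example.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int) -> str:
    """Replace each letter with the one 'shift' places up the alphabet (A -> D for shift 3).
    Non-letters pass through unchanged; input is upper-cased for simplicity."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int) -> str:
    # Symmetric: decryption is the same transformation with the key negated.
    return caesar_encrypt(ciphertext, -shift)


def caesar_key_space_search(ciphertext: str, known_word: str) -> list:
    """Try all 25 non-trivial shifts and return those whose output contains known_word.
    With only 25 keys, knowing the method is as good as knowing the key, which is the
    weakness the chapter points out."""
    hits = []
    for shift in range(1, 26):
        candidate = caesar_decrypt(ciphertext, shift)
        if known_word.upper() in candidate:
            hits.append((shift, candidate))
    return hits


def fresh_pad(length: int) -> bytes:
    """A new sheet of the pad: cryptographically random bytes, at least message length."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """XOR each message byte with one pad byte. The pad must cover the whole message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad too short: a one-time pad must be at least as long as the message")
    return bytes(m ^ p for m, p in zip(plaintext, pad))


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so the recipient's identical pad decrypts.
    return otp_encrypt(ciphertext, pad)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """XOR of two ciphertexts made with the SAME pad equals the XOR of the two plaintexts:
    the pad cancels out, so the 'one-time' rule is what the security proof depends on."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print(ct, caesar_key_space_search(ct, "ATTACK"))
    pad = fresh_pad(32)
    print(otp_decrypt(otp_encrypt(b"ATTACK AT DAWN", pad), pad))
```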

Public Key Encryption

To overcome the drawbacks of private key systems, a number of mathematicians have invented public key systems. Unknown until about 30 years ago, public key systems were developed from some very subtle insights about the mathematics of large numbers and how they relate to the power of computers. Public key means that anyone can publish his or her method of encryption, publish a key for his or her messages, and only the recipient can read the messages. This works because of what is known in math as a trapdoor problem. A trapdoor is a mathematical formula that is easy to work forward but very hard to work backward. In general it is easy to multiply two very large numbers together, but it is very difficult to take a very large number and find its two prime factors. Public key algorithms depend on a person publishing a large public key and others being unable to factor this public key into its component parts. Because the creator of the key knows the factors of his or her large number, he or she can use those factors to decode messages created by others using his or her public key. Those who only know the public key will be unable to discover the private key, because of the difficulty of factoring the large number. (Figure 16.5 shows the difference between private and public key encryptions.)

Figure 16.5: Private key encryption uses one key to go both ways. Public key encryption uses one key to encrypt (the public key) and one key to decrypt (the secret key).

Public key methods vary, but one of the most common, and also free, is PGP (Pretty Good Privacy). This is a public key encryption method that allows you to exchange messages with anyone who will send you his or her key. When you receive a key from someone, your PGP software can use that key to encode a message that only that person can interpret. The PGP method also allows you to encode a signature that can only be decoded using your public key, ensuring that it was you who sent the message. There are many free software packages that allow users to encode e-mail and other files they send. These software packages also will generate a public key for you. The software, along with its source code, is available for almost all common operating systems.

Public key encryption works because users can send any message to any person without first meeting them or exchanging secret keys or secret encryption schemes. This obviously makes it an extremely powerful tool in commerce for transmission of confidential customer information between buyers and sellers. In addition, public key encryption is extremely secure because breaking public key encryption methods is a matter of time. If someone had enough time, that person could decipher your message. With commonly used methods, however, even an entire nation of hackers with the most powerful computers would take many years to decipher encrypted messages.

Now that I've told you about what many in the world of computer security consider the most secure method of transmission, I must tell you that there are times when public key encryption doesn't work. When the method used for encryption isn't secure, the message isn't secure. Because the methods of encryption are usually public, anyone who is interested in finding a hole has all the information necessary to find any holes. Holes often are discovered in methods previously thought to be secure. The fact that the algorithm is public makes the method more secure over the long term but less secure over the short term. In the long term all the flaws will be discovered and fixed, but over the short term flaws will be discovered and perhaps exploited. A second insecurity of public key methods in general is that public key encryption won't work when a recipient has no method of authenticating the sender. If someone sends you his or her public key, you can use that to encode a message for that person only-but it doesn't mean they are who they say they are.

Services of certifying authorities, such as VeriSign, Inc., are needed to ensure the authenticity of correspondence. These certifying authorities use common identification methods to authenticate the identity of their subscribers. When verified, the authority issues a digital certificate to the subscriber. The subscriber then can use this certificate in his or her Web server to carry on secure communications with those browsing the Web site. Individuals who want to use public keys for their correspondence, or companies that wish to prove their identity in electronic correspondence, also can get an identity service from a certifying authority. Certifying authorities aim to overcome the aforementioned weakness of public keys being only as authentic as the user who sends them. The service only removes the dilemma one level, however, because the authority's services are only as good as its methods of authenticating subscribers.

Public key encryption also doesn't work if your private key is compromised. Keeping your private key secure is essential to the security of the system. Remember that the security of a public key system depends on no one being able to get your private key by knowing your public key. Your private key is what you use to decode messages sent to you and to prove your identity to others to whom you send messages. If someone is able to gain possession of your private key, that person could read your messages and forge messages from you.

State-of-the-Art Encryption and Its Future

Encryption has often involved making a choice between public and private key security methods. Public key encryption involves a heavy computing load, meaning that transmission with a public key takes more time and resources. Private key systems are less cumbersome but also less secure and less versatile. To overcome the drawbacks of both security methods, users have combined public and private key systems, such as exchanging DES keys using a public key system and then using those keys for the private key DES system. Remember that private key systems can be stronger because it is possible to make an unbreakable private key system. A public key system is not theoretically unbreakable; it's just too difficult to break in real life. The weak point in a private key system is the exchange of keys, so the very secure public key method can be used to exchange keys, and then the completely secure private key system can be used to do the actual transmission. A second advantage of the combination is cost: public key systems require a big commitment of computing power for every message, whereas private key encryption is far less computing intensive and therefore cheaper and more efficient overall for transmission.
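The hybrid scheme just described, as an added example that is not the chapter's own code: a toy RSA key pair stands in for the public key system and a SHA-256 keystream stands in for DES. The primes, message and function names are constructed for the example, the key sizes are far too small for real use, and the trial-division routine at the end shows the trapdoor of the preceding section failing precisely because the modulus is tiny.

```python
import hashlib
import secrets
from math import gcd


def make_toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes (constructed, far smaller than real keys).
    The public key (n, e) can be published; the private exponent d can only be computed
    from the factors p and q of n, which is the trapdoor the chapter describes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt_int(m: int, public_key) -> int:
    """Textbook RSA on an integer below the modulus (real systems add padding such as OAEP)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt_int(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)


def keystream(seed: bytes, length: int) -> bytes:
    """Expand a short session key into a keystream with SHA-256 in counter mode.
    This plays the role of the cheap private key (symmetric) cipher, DES in the chapter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_xor(data: bytes, seed: bytes) -> bytes:
    """XOR data with the keystream; the same call decrypts because XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def hybrid_encrypt(message: bytes, recipient_public_key) -> tuple:
    """Sender: pick a fresh random session key, wrap it with the recipient's public key,
    and encrypt the bulk message with the symmetric cipher. Returns (wrapped key, ciphertext)."""
    n, _ = recipient_public_key
    session_key = secrets.randbelow(n - 1) + 1  # 1 <= session_key < n (toy n fits in 8 bytes)
    wrapped_key = rsa_encrypt_int(session_key, recipient_public_key)
    ciphertext = symmetric_xor(message, session_key.to_bytes(8, "big"))
    return wrapped_key, ciphertext


def hybrid_decrypt(wrapped_key: int, ciphertext: bytes, private_key) -> bytes:
    """Recipient: unwrap the session key with the private key, then decrypt the bulk data."""
    session_key = rsa_decrypt_int(wrapped_key, private_key)
    return symmetric_xor(ciphertext, session_key.to_bytes(8, "big"))


def recover_private_key_by_trial_division(public_key):
    """Defender's check: a modulus this small is factored in a fraction of a second, so the
    'hard to work backward' property does not hold; real public keys are thousands of bits.
    Returns the private key reconstructed from the public one."""
    n, e = public_key
    f = 2
    while f * f <= n:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 1
    raise ValueError("modulus has no small factor")


if __name__ == "__main__":
    pub, priv = make_toy_rsa_keypair(104729, 1299709)  # constructed primes
    wrapped, ct = hybrid_encrypt(b"Quarterly figures attached.", pub)
    print(hybrid_decrypt(wrapped, ct, priv))
```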

This combination likely will continue and become more common in the future, but it's unlikely that most systems will become public key. As computing resources advance to make public key encryption easier, the resources for cracking those keys also advance. This means that keys will become longer while the calculations will become bigger.

MCKEON & JEFFRIES
McKeon & Jeffries didn't foresee a lot of need for secure transactions. Its entire Web site would be behind the firewall on its network. Outside access would be available only by dialing into the network.

One of the future projects the accounting firm is planning for its intranet, however, will allow the firm's clients to access specific information through the Internet. M&J wants to allow its clients to review specific company and general financial news. In addition, the firm wants to provide clients with limited access to the file server and message boards. This would provide M&J's clients with a way to exchange files quickly and easily with the company and give the clients a vehicle to communicate with staff through the message boards. For this project, the firm is considering a public key encryption method through a secure Web server. A decision is on hold, however, as implementation of the project is about a year away and both technology and pricing will have changed considerably.

THE SPORTING GOODS AND APPAREL ASSOCIATION
The SGAA had much different security concerns. Originally, the only information that needed to be kept secure was financial transactions between the members and the organization. Paying dues and purchasing other services were done online with credit-card purchases. The association decided to implement a system that would allow secure transactions between members (that is, manufacturers selling to distributors, and distributors selling to resellers). Concern was also raised about manufacturers and resellers posting confidential and sensitive price lists on the site.

To meet these concerns, the SGAA decided to place the entire site on a secure server. Using Oracle Webserver 2.0 and a public key from VeriSign, transmissions from the site were encrypted. Oracle was chosen for its noted ability to encrypt data between server and client and for its Secure Sockets Layer (SSL) compatibility.

Why a Technical Solution Is Never the Whole Solution

This topic cannot be discussed enough. No matter how good your solutions are, no matter how many guards are around your computers or how many passwords or encrypted materials you have, if the people in your organization don't follow good security policies or if you don't have a clear security policy, your network is not secure. Remember, the goal of good security is to keep information away from other people, not from other computers. Throughout history people have gotten information in basically the same ways. For example, disgruntled employees often can be sources of information leaks to competitors. This happens about 100 times for every one time a hacker intrudes. Of course you must have the right technical solutions for your network, but they just aren't important compared with the human concerns. All the important information is really in someone's head, and it doesn't take packet sniffers to pull it out. (For a complete discussion of good security policies, see Chapter 14, "Security: Keeping Hackers Out.")

Human history is full of spy stories about stolen information; these stories are never about how someone used a computer to get the information. Of the many recent incidents of breaches of national security (Aldrich Ames, who gave details of espionage operations; the Walkers, who sold Navy code books; the Rosenbergs, who gave away atomic secrets), almost none involved strictly computer-based breaches. The reason this rarely occurs is that all the data is handled by humans, who are the ones who put data in computers, and humans have far less strict security than computers do.

Client/Server Issues

A group known as the Computer Emergency Response Team (CERT) at Carnegie Mellon University makes it its business to find security holes in the Internet and then to make the public aware of these holes. CERT especially concerns itself with computer-Internet connections using the TCP/IP protocol and maintains a list of Internet-related security holes. To find information about CERT, look for its home page at http://www.cert.org/.

Reading information about holes and keeping abreast of security issues will give you information about old holes, including which holes have been discovered, allowing you to plug your system. Usually hackers are aware of old holes and search systems for those holes, creating havoc on private or public networks. Exploiting unplugged known holes is overwhelmingly more common than finding a new, undiscovered hole. After an intruder has used a hole to eavesdrop on your transmissions, that person can use any information you transmit. A hacker could sell your marketing plans, reschedule your meetings, steal product orders, or provide your customers with inappropriate or wrong information. Most users don't keep themselves up-to-date on security holes, exposing themselves to holes anyone else, including hackers, might know about.

In a way, anyone setting up a server or client is creating his or her own security hole. By its nature, a Web server or a file server is a machine that invites other computers to visit and use its resources; this basis is itself insecure. The challenge is to prevent people from using anything but the resources you have set up for them to access. On the client side, you are always asking people to be interactive. A good example is Java. With Java the user asks the server for a LAN executable file, which means your computer is specifically taking direction from another computer. Suppose that the server directs your computer to reconfigure its own hard drive; this is an example of a security hole. It could happen inadvertently, if an incompetent programmer has written a Java application that damages the computer, or it could be malicious intent. Although both Java and JavaScript have extensive safeguards, there are still lingering doubts about how secure they truly are. Never dismiss the inadvertent and never overemphasize the malicious; they are both equally dangerous.

Secure Computing in Practice

Almost all network computing involves one of two types of transmission: file transfer or interactive transmission. File transfer involves one computer transferring a block of data and expecting nothing in return other than an acknowledgment of receipt. Interactive transmission involves two computers exchanging meaningful transmissions in both directions. With file transfer, only the file to be transferred must be encrypted; anyone who intercepted it would know only that something had been transferred. Because only that file must be encrypted, and the file must be ready before transfer, encryption can take place at any time before the transfer. Interactive transmission, however, often involves spontaneous messages, so encryption must occur on both ends as the messages are exchanged.

File Transmission

In practice, there are several types of file transmission most users perform, including transferring files through FTP (File Transfer Protocol), submitting forms to a Web server, and sending e-mail.

Information transferred in these ways should be encrypted before transmission. Transferring unencrypted files with these methods means the files travel as plain text, ready to be intercepted and read by anyone. Clearly, encrypting files for transmission adds a level of inconvenience, but to secure the transmission this inconvenience is unavoidable. Unfortunately, security decisions always involve a trade-off between security and convenience.

Using encryption in these cases is simple. Many shareware PGP programs exist to allow a user to encrypt a file. Other, stronger methods are available for purchase, including products made by RSA Security. The advantage of using these programs is that the encryption can be tested before the file is sent, ensuring that the result can actually be decrypted by the recipient.

Interactive Transmission

To use any computer system over a network interactively, users must overcome two security exposures. First, users must authenticate themselves, and this exposes the authentication process to interception. Anyone sending his or her password over the network is often sending that password in clear text, which means anyone eavesdropping can pick up the password and username and use them. Stolen password and username combinations are the most common problem of interactive transmission. The other exposure occurs while the user is using the system: the information being typed in is most likely going out in plain text, where it can be intercepted. A few systems are designed to limit the security risk of using a remote system interactively.

One method is called Kerberos, shown in Figure 16.6. When a user logs into a workstation, that workstation authenticates the user, so the user's password is never sent over the network in any form. The workstation then contacts the Kerberos server, which issues the user a ticket; that ticket contains encrypted information used to authenticate the user to other network computers. It's secure because the username and password are never transmitted over the network. The local machine does all the authentication, and then it uses a secure method of transmission to authenticate itself to the Kerberos server. The server passes an encrypted ticket back to the user, who sends that ticket over the network in place of his or her password and username. Contrast this with an ordinary Telnet session: the user contacts the remote computer, which asks for his or her username and password, and both are then transmitted across the network.

Figure 16.6: Two computers using Kerberos for authentication require a third computer as a Kerberos server.

With a Kerberos server this never happens. The user is authenticated locally, and all the exchanges with the network are encrypted. However, a drawback is that every machine you want to send information to, and any application or service you wish to use, must be "Kerberized" so that it will accept your credentials. A second drawback is that if the Kerberos server is ever compromised (that is, if an unauthorized person ever gains access to it), then the integrity of the entire system is compromised.

If you are interacting a lot across the network, that information is still insecure. With Kerberos, only the authentication process is encrypted, not the transmission between the machines. So someone couldn't use captured passwords to gain access, but if all they wanted was to look at the information you are sending, they could do so. For example, if you log into a financial system and type in account numbers and financial data, an eavesdropper could get this information without ever getting onto the system.
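The two practices described above, as one added example that is not part of the chapter: encrypting a file and checking that it decrypts before it is sent (from the file transmission section), and a Kerberos-style login in which only a ticket ever crosses the network. This is not the chapter's code and not a real Kerberos implementation; the cipher is a constructed toy (a SHAKE256 keystream with an HMAC-SHA256 tag) standing in for a real cipher such as AES-GCM, and the principal names, the salt, the key sizes and the `wire` list that records what an eavesdropper would capture are all assumptions made for the illustration.

```python
# Added example, not the chapter's own code: a toy authenticated cipher
# (SHAKE256 keystream plus HMAC-SHA256 tag, a constructed stand-in for a real
# cipher such as AES-GCM) used for (1) sealing a file and test-decrypting it
# before it is sent and (2) a Kerberos-style ticket exchange in which the
# password never crosses the network.  Names, salt and "wire" are assumptions.
import hashlib
import hmac
import os
import time

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; an altered bit or a wrong key raises ValueError."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: altered in transit or wrong key")
    stream = hashlib.shake_256(key + nonce).digest(len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))

def derive_key(password: str, salt: bytes) -> bytes:
    """Turn a password into a key on the local machine (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, KEY_LEN)

# 1. File transfer: encrypt, then prove it decrypts, before anything is sent.
def prepare_file_for_transfer(key: bytes, contents: bytes) -> bytes:
    sealed = seal(key, contents)
    if unseal(key, sealed) != contents:      # the pre-send test the chapter recommends
        raise RuntimeError("sealed file does not round-trip")
    return sealed

def tamper_detected(key: bytes, sealed: bytes) -> bool:
    """Flip one ciphertext bit, as an interceptor might; the tag must catch it."""
    altered = bytearray(sealed)
    altered[NONCE_LEN] ^= 0x01
    try:
        unseal(key, bytes(altered))
        return False
    except ValueError:
        return True

# 2. Kerberos-style login: the password and its key stay on the workstation.
class KerberosServer:
    """Holds a long-term key per principal; it never receives a password."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys, self.service_keys = user_keys, service_keys

    def issue_ticket(self, user: str, service: str, lifetime: int = 300):
        session_key = os.urandom(KEY_LEN)
        expiry = int(time.time()) + lifetime
        # The ticket is readable only by the service, the reply only by the user.
        ticket = seal(self.service_keys[service], f"{user}|{expiry}|".encode() + session_key)
        reply = seal(self.user_keys[user], session_key)
        return ticket, reply

class Service:
    def __init__(self, key: bytes):
        self.key = key

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        body = unseal(self.key, ticket)       # ValueError if forged or issued for another service
        user, expiry, _ = body[:-KEY_LEN].decode().split("|")
        session_key = body[-KEY_LEN:]
        if int(expiry) < time.time():
            raise PermissionError("ticket expired")
        if unseal(session_key, authenticator) != user.encode():
            raise PermissionError("authenticator does not match the ticket")
        return user

def kerberos_login(password: str, wire: list) -> str:
    """Run the exchange, appending every message that crosses the network to wire."""
    alice_key = derive_key(password, b"alice-salt")          # constructed salt
    service_key = os.urandom(KEY_LEN)
    kdc = KerberosServer({"alice": alice_key}, {"fileserver": service_key})
    fileserver = Service(service_key)
    wire.append(b"AS-REQ alice fileserver")                  # only names are sent
    ticket, reply = kdc.issue_ticket("alice", "fileserver")
    wire += [ticket, reply]
    session_key = unseal(alice_key, reply)                   # needs the password-derived key
    authenticator = seal(session_key, b"alice")
    wire += [ticket, authenticator]                          # sent in place of the password
    return fileserver.accept(ticket, authenticator)

def password_on_wire(password: str, wire: list) -> bool:
    return any(password.encode() in message for message in wire)
```

Running `kerberos_login` and then `password_on_wire` shows the chapter's point directly: the five messages an eavesdropper could capture contain names and sealed blobs but never the password, and without the password-derived key the reply carrying the session key is useless to them. The same `unseal` is what catches the one-bit change in `tamper_detected`, which is why a file should be checked this way before it leaves the machine rather than after the recipient finds it unreadable.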

Secure RPC (Remote Procedure Call) is another method of reducing network security exposure. The difference between Secure RPC and Kerberos is that after you authenticate yourself to the local machine, which has your private key stored on it, all your transmission across the network is encrypted. You can then authenticate yourself to other machines and transmit all your transactions over a secure channel. As with Kerberos, the main drawback is that any machine you want to interact with must be equipped with the proper decrypting software, which is a hassle. Also, because Secure RPC is a public key encryption method, you take a performance hit: all the encryption and decryption must be done before anything is sent across the network, which takes time and computational power.

The final encrypted transmission method is SSL (Secure Sockets Layer). SSL is a method of encrypting all the communications between computers. It is used to encrypt and decrypt communications between a Web browser and a Web server; whenever you use URLs beginning with https://, you're using SSL. SSL is included with security-capable Netscape browsers. SSL uses technology based on the commercially available public key encryption products of RSA, Inc. SSL itself is an open standard, and the algorithms are free to all. SSL libraries can be used to encrypt all traffic among computers, because the encryption occurs at a level that makes it transparent to both the user and any programs he or she is running.
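What "using SSL" has to mean in practice for a client, as an added example that is not from the chapter: the encryption the chapter describes only protects against eavesdroppers if the client also verifies who it is talking to, so the code below puts a verifying configuration beside the shortcut that disables verification and audits both for the three settings that decide whether an https:// connection is really protected. It uses Python's standard `ssl` module; the function names are assumptions, the `ssl` attributes are real.

```python
# Added example, not from the chapter: a hardened TLS client context beside the
# common "make the certificate error go away" shortcut, and an audit of the
# settings that decide whether https:// actually protects the connection.
# Function names are assumptions; the ssl module attributes are Python's own.
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """Verify the server's certificate and hostname; refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def unverified_client_context() -> ssl.SSLContext:
    """Encrypted, but to whom?  Without verification an interceptor can terminate the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode can be changed
    ctx.verify_mode = ssl.CERT_NONE             # any certificate at all is accepted
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a context; an empty list means none."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings
```

The same three checks (is the certificate verified, is it verified for the host we meant to reach, and is an obsolete protocol version allowed) apply to any TLS stack, not just Python's; a context that fails the first two gives an eavesdropper who can redirect traffic exactly the plain-text view the chapter warns about, with the padlock still showing.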

How Much Is Too Much?

Security always involves a trade-off between the security of your data and the ease with which that data is accessible. As with any computer system or any body of data, you must look carefully at the dollar value of secure transmissions. Encrypting a transmission so heavily that it becomes too slow to be of any value must be weighed against the danger of having the transmission intercepted. The point of having a network is to transmit important data in a timely fashion; if that function is impaired, your security measures are costing, not saving, you money. When implementing transmission security, your concern must be the amount of time and resources someone would have to apply to decipher your transmissions. The simplest measure of this is the length of the keys used in your encryption algorithm. Usually the software package that does your encryption will recommend a particular key length. These recommendations are usually sufficient to ensure your security, and longer keys are often merely an additional burden.

What Level of Security Is Right for You?

I cannot stress often enough that security costs money. If you are implementing complicated security measures for data that is not valuable, you are wasting money. When deciding on security measures, make the dollar-smart decision. That is, if you must upgrade all your computer hardware to handle the public key software, you should make sure that the cost of the upgrade matches the value of the data that will be encrypted. Clearly those selling products over the Internet would benefit greatly from extremely secure communications and need to spend accordingly. On the other hand, a company that uses the Internet only to disseminate catalogs and price information will not need to have such secure transmissions. Also, a company that wishes to send out confidential contracts will probably need some sort of secure e-mail capability, but it may not be necessary to pay a certifying authority for the service of verifying the company's identity to all its customers. That is, the likelihood of someone intercepting the transmissions and supplying a false contract seems not only slim but also easily detectable. It should be relatively simple to look at the times and manners in which your company needs secure transmission. After this has been determined, choose the encryption tools that cover these paths.

Summary

When it comes to security, secure data transmission fills out the final third of the security equation, right behind (or before, depending on how you look at it) security of data storage and security of the physical technology and its location. Assuming you've satisfied the first two-thirds of the equation, before setting out to secure your data during transmission, first determine the value of that data and then spend accordingly to secure it. Valuable data with little or no security can prove as costly as data of little value burdened with unnecessary security.

After determining the value of your security, consider the most appropriate options for transmitting data and then explore the various encryption methods necessary for protecting your specific data transmissions. And, finally, I can't reiterate enough that a technical solution is never the whole solution. Data originates from individuals, not from computers, so implementing strong security policies and procedures is as important as choosing all the physical and technical barriers to your data.

