Internet Security: A Jumpstart for Systems Administrators and IT Managers

3.3 RSA: public and private key

We now have a better idea about how the public-private system works. It is based on a technique patented by Diffie-Hellman in 1974 and formatted into architecture by Rivest, Shamir, and Adelman (RSA Data Security, Inc.). You can find more information at http://www.rsa.com/ and http://www.verisign.com/.

One example of the RSA implementation is PGP (Pretty Good Privacy). Philip Zimmermann originally created PGP. Zimmermann was the first person to make military-grade cryptography available to the general public. PGP can be used to send encrypted messages via most any e-mail system. All that is needed is software available from http://www.pgp.com/ and the public key of the party to whom you want to send an encrypted message.

There are several methods to encrypt messages. One standard is S/ MIME. There are also secret key systems and other systems to encrypt data as it travels from one location to another.

One process that can be used from a byproduct of public-private keys is "digital signatures." Digital signatures can be used to authenticate messages and prevent forgeries and/or tampering.

Following are encryption techniques that you will need to be familiar with:

• DES the U.S. government's data encryption standard, a cipher that operates on 64-bit blocks of data using a 56-bit key. IBM developed DES under contract to NIST (National Institute of Standards and Technology).

• Triple DES a cipher like DES that operates on 64-bit data blocks. The difference is that Triple DES uses the basic DES cipher three times.

• RC2 a variable-key-size symmetric block cipher that can serve as a replacement for DES.

• RC4 a variable-key-size symmetric stream cipher known for being faster than DES.

• PEM the Internet privacy-enhanced mail standard. PEM includes encryption authentication and key management. The details of PEM can be found in Internet RFCs (Requests for Comments) 1421 through 1424.

• S/MIME (Secure/Multipurpose Internet Mail Extensions) provides a method to send and receive secure MIME messages. S/MIME is included in the latest versions of various web browsers from Netscape and Microsoft. S/MIME is based on the RSA public-key cryptography systems. See RFCs 2311 and 2312 for more information on S/MIME.

• MD2, MD4, and MD5 (MD stands for Message Digest) A digest is a computed value known as a hash. A hash creates a fixed-length string from a block of data. The hash is created based on the content of the message. Using a hash or message digest, a user will digitally sign a message. This process will identify the person who sent and/or created the message. MD2, MD4, and MD5 are hash functions created by Ron Rivest of RSA, Inc. Each one will create a 128-bit digest. MD2 is the slowest, MD4 the fastest. At the time of this writing, the MD5 algorithm is the de facto hashing standard for digests. See Internet RFCs 1319, 1320, and 1321 for more information.

• SHA-1 (secure hashing algorithm) an NIST-sponsored hashing system that has been adopted by the U.S. government. SHA-1 produces a 160-bit hash, which is larger than the 128-bit hash and is slower than MD5. One fact about all computed digests is that they are very difficult to duplicate. Example: If you change one bit in message for an existing MD5 digest, then up to half of the digest will change.

At this point you may be thinking, "My head hurts! MD2, RC2, RFCs! 160-bit hash! I'll never use all these things!" So before we delve any further into this topic, let us take a break and address a few business concerns. We will take a side trip a three-hour tour, if you will.