Cryptography on the Internet

zhaozj  2021-02-08  412

The Internet introduced a large number of different security weaknesses. The organization or individual you are communicating with may be one you do not know, or may be masquerading as another organization or individual. There is no need to be overly suspicious about such problems, but it is necessary to take appropriate precautions against losses that can arise in various ways, including fund transfers, false authentication results, loss of confidential information, destruction, and so on. Cryptography exists primarily to address such risks. This article describes some protocols and related mechanisms that are specifically relevant to Internet activities, including email.

Request for Comment (RFC)

Requests for Comments (RFCs) are official Internet documents managed by, and used by, the Internet Engineering Task Force (IETF). RFCs describe open standards for the benefit of those who may want or need to communicate using those standards. They are written by volunteers participating in different working groups and are published in various locations, notably on the IETF site. The details of TLS (described below) are published in this format.

IPsec

The IETF IP Security Protocol Working Group is currently defining a set of security additions to IP that specify authentication, integrity, and confidentiality services for IP datagrams. It is described in several RFCs. Although it is designed for IP version 6, it can also be used with IP version 4 (the current standard, which uses addresses made up of four groups, such as 192.168.1.3). It is designed to provide security for Internet-based communication (for example, for VPNs and packet tunnelling). Some suppliers and software organizations are developing or providing products integrated with IPsec.
For example, Finland's SSH Communications Security has a product called IPsec Express, which is designed to make compliance with IPsec convenient, and since June 1999 the NetBSD Foundation has merged IPsec code into the NetBSD distribution. Although IPsec has become a de facto standard for Internet security implementations, it has come under criticism from Niels Ferguson and Bruce Schneier (the latter widely known as the designer of the Blowfish cipher).

Ferguson and Schneier believe that IPsec has become too complex and increasingly difficult to manage. They say the problem is that content was added to IPsec not to improve the product in a desirable way, but to satisfy the wishes and expectations of the many parties that expressed an interest. They contrast this approach unfavorably with the method NIST used to select a new security algorithm to replace DES, which is described in the article on symmetric cryptography (Part 2). Their conclusion is that IPsec is much better than previous security protocols, but they claim that its design has led to a large amount of ambiguity, contradiction, inefficiency and other weaknesses, and has produced a specification that is extremely difficult to understand; as a result they doubt whether it can ever produce a truly secure operational system. They put forward many specific recommendations, but the poor quality of the documents and of the protocol means, as they acknowledge, that they have not fully understood the system, which says a great deal given their experience and authority. As they point out, 90% of security work is not working. Frankly, they are very dissatisfied with IPsec in its current form, but they object even more strongly to any of the other protocols. Therefore, where those other protocols cannot protect the security of the network, they recommend using IPsec.

Secure HTTP (S-HTTP)

Secure HTTP (S-HTTP) is a security extension of HTTP that runs at the application layer. It is designed to provide confidentiality and authentication while supporting non-repudiation, and it allows multiple cryptographic algorithms and key management mechanisms. RSA is usually used for the initial key negotiation, although the initial key can instead be obtained before the session from a Kerberos server, or the key for the next session can be generated during a session.

Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) is a handshake protocol developed by Netscape Communications to provide security and confidentiality for Internet sessions. It supports server and client authentication, and is designed to negotiate encryption keys and authenticate the server before any data is exchanged. It uses encryption, authentication, and message authentication codes (MACs) to maintain the integrity of the transport channel. Although SSL is best suited to HTTP, it can also be used with FTP or other related protocols. It runs at the transport layer and is independent of the application, so protocols such as FTP or HTTP can be layered on top of it.

The initial handshake is used to authenticate the server. In this process, the server presents its certificate to the client and specifies the cipher it prefers to use. The client then generates the secret key to be used during the upcoming session, encrypts it with the server's public key, and sends it to the server. The server uses its private key to decrypt the message and recover the secret key, and then authenticates itself by sending the client a message encrypted with that key. Further data is then exchanged encrypted under the key agreed in this way. Security can be increased further with an optional second phase. Here the server sends a challenge, and the client responds by returning its digital signature on the challenge together with the client's public-key certificate. The challenge phase is usually performed using RSA, with MD5 as the message digest.
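The server-authentication handshake described above, written out as an added example (not code from the original article or from any SSL implementation). The tiny unpadded RSA key, the message names, the `toy-cipher` label, and the use of a keyed MAC in place of the server's encrypted confirmation message are all assumptions made to keep the exchange self-contained.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server's private exponent (Python 3.8+)

def server_hello():
    """Server -> client: public key (standing in for the certificate) and preferred cipher."""
    return {"public_key": (N, E), "cipher": "toy-cipher"}

def client_key_exchange(hello):
    """Client picks the session secret and encrypts it with the server's public key."""
    n, e = hello["public_key"]
    secret = secrets.token_bytes(16)
    return secret, pow(int.from_bytes(secret, "big"), e, n)

def server_finish(encrypted_secret):
    """Server recovers the secret with its private key and proves it holds it."""
    secret = pow(encrypted_secret, D, N).to_bytes(16, "big")
    proof = hmac.new(secret, b"server finished", hashlib.sha256).digest()
    return secret, proof

def client_verify(secret, proof):
    """Client accepts the server only if the proof was made with the same secret."""
    expected = hmac.new(secret, b"server finished", hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)

if __name__ == "__main__":
    client_secret, wire = client_key_exchange(server_hello())
    server_secret, proof = server_finish(wire)
    print("keys match:", client_secret == server_secret)
    print("server authenticated:", client_verify(client_secret, proof))
```

Only the holder of the private exponent can recover the secret and produce a valid proof, which is what ties the session key to the certificate the server presented.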
Various symmetric ciphers can also be used, including DES, triple DES, IDEA, RC2, and RC4. The public-key certificates conform to the X.509 standard. The current version of SSL is 3.0.

The earlier history of SSL holds an important warning for cryptographic products, in particular the article that Ian Goldberg and David Wagner (two doctoral students at the University of California) wrote in Dr. Dobb's Journal in February 1996, describing how they broke the encryption system and then exploited it. Because Netscape was at that time unwilling to release any information about the structure of SSL or the cryptographic techniques used in it, Goldberg and Wagner resorted to reverse engineering. They found that the seed used to generate the pseudo-random numbers (and so the random numbers derived from it) depended on the time of day, the process ID, and the parent process ID. Obtaining these two IDs is relatively easy, at least for any user with an account on the UNIX machine running the browser. A packet sniffer can pin down the time at which the packets were sent to within a second. This information reduces the number of possible seeds to one million, and an HP 712/80 could then work through those values in less than half a minute.

It is difficult to generate a truly random value on a computer, so a random number generator creates a seed in as random a manner as possible and then derives pseudo-random numbers from that seed using a pseudo-random number generator (PRNG). However, the same seed fed to a particular PRNG always produces the same numbers, and when those numbers are used in an encryption algorithm they produce the same key. This is not in itself a weakness, but it makes it very important that the original seed be generated as randomly as possible. Applications typically draw on events that are very difficult to predict or repeat, for example random electronic noise in a chip, a noise diode, a disk drive, user keystrokes, or mouse movements.
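The seeding weakness described above, as an added example (not Netscape's code and not the code from the Dr. Dobb's article). The key-derivation function, the sample timestamp and process IDs, and the assumption that the one million remaining seeds correspond to a microsecond field are all constructed for illustration; the last function shows the hardened alternative.

```python
import hashlib
import math
import secrets

def weak_key(sec, usec, pid, ppid):
    """Toy stand-in for the flawed design: the key is a pure function of guessable values."""
    seed = f"{sec}:{usec}:{pid}:{ppid}".encode()
    return hashlib.sha256(seed).digest()[:16]  # 128 bits long, far fewer bits of entropy

def seed_space(seconds_unknown, pids_unknown, ppids_unknown):
    """How many seeds remain once an observer has narrowed each input."""
    return seconds_unknown * 1_000_000 * pids_unknown * ppids_unknown

def effective_bits(space):
    """Entropy of the key in bits when every remaining seed is equally likely."""
    return math.log2(space)

def seed_is_recoverable(key, sec, pid, ppid, limit=1_000_000):
    """Audit check: does enumerating the microsecond field reproduce the key?"""
    return any(weak_key(sec, usec, pid, ppid) == key for usec in range(limit))

def strong_key():
    """Hardened form: 128 bits drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

if __name__ == "__main__":
    # Constructed sample values: second known from the wire, IDs known to a local user.
    key = weak_key(820454400, 4242, 311, 1)
    print("effective bits:", round(effective_bits(seed_space(1, 1, 1)), 1))
    print("weak key recoverable:", seed_is_recoverable(key, 820454400, 311, 1))
    print("CSPRNG key recoverable:", seed_is_recoverable(strong_key(), 820454400, 311, 1, 10_000))
```

The weak key is 128 bits long but carries only about 20 bits of entropy once the second and both process IDs are known, which is why key length alone says nothing about strength.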

In this particular case, using three elements to create the seed looks reasonable at first glance, and evidently looked so to the original designers, but further analysis reveals its limitations. Inviting others to pick holes in this kind of mechanism is the value of peer review, and it is essential if a system is ultimately to be considered sound.

Transport Layer Security (TLS)

The Transport Layer Security (TLS) protocol is a draft IETF standard that closely resembles SSL. Its main goal is to provide confidentiality and data integrity between two communicating applications. It consists of two layers. The lower layer is called the TLS Record protocol and sits on top of a reliable transport protocol (for example, TCP). This layer has two basic properties: the connection is private, and it is reliable. It is used to encapsulate various higher-level protocols, and it can also be used without encryption. When encryption is used, as it normally is, the secret keys generated for it are unique to each connection and are based on a secret negotiated by another protocol (for example, the higher-level TLS Handshake protocol). The TLS Handshake protocol provides connection security with three basic properties: the peer's identity can be authenticated using asymmetric cryptography, the negotiation of the shared secret is secure, and the negotiation is reliable.

Like SSL, TLS is independent of the application protocol, and the kinds of encryption algorithm it uses are similar to those of SSL. However, the TLS standard leaves the decisions on how to initiate the TLS handshake and how to interpret the authentication certificates to the designers and implementors of the protocols that run on top of it. The goals of the TLS protocol are, in order of priority, cryptographic security, interoperability, and extensibility.
The last goal means that TLS provides a framework into which new and improved asymmetric and other encryption methods can be introduced as they become available.

Wireless Transport Layer Security (WTLS)

Wireless Transport Layer Security (WTLS) is the security layer of the Wireless Application Protocol (WAP). It operates above the transport protocol layer and is modular: whether it is used depends on the security level required by a given application. WTLS provides a secure transport service interface over the transport service interface beneath it in WAP. In addition, it provides an interface for managing secure connections. WTLS is very similar to TLS, but it is optimized for narrowband networks with relatively long latency. It also adds some new features, for example datagram support, an optimized handshake, and key refresh. As with TLS, its main goal is to provide confidentiality, data integrity, and authentication between two communicating applications.

Secure Electronic Transaction (SET)

The Secure Electronic Transaction (SET) protocol was developed by the Visa and MasterCard International consortium as a method for secure bank card transactions over open networks. It supports DES and triple DES for bulk data encryption, and RSA for public-key encryption of keys and bank card numbers. Although SET is considered very secure, that very security makes it relatively slow. In addition, users need the right digital certificates, so it cannot be used in the simple ad hoc way that SSL or TLS can.

For these reasons, and because many banks pass the risk of bank card security breaches on to their merchant customers, SET has been used far less than was envisaged, which is a problem. However, there are indications that this is changing.

Secure WAN (S/WAN)

The Secure WAN (S/WAN) initiative was driven by RSA Data Security and is intended to facilitate the widespread deployment of Internet-based Virtual Private Networks (VPNs). S/WAN supports encryption at the IP level, so it provides more basic, lower-level security than the likes of SSL or TLS. A VPN is a mechanism designed to let parties use the Internet while maintaining a secure tunnel between them. For example, you can connect remote offices cheaply, without the added cost and inconvenience of dedicated leased lines. Messages sent through the tunnel are encrypted, so they should be secure against effective interception by third parties. In practice, and partly because different standards were developed to serve competing interests, the result has been serious theoretical and practical problems, especially in interoperability. The S/WAN initiative is an attempt to bring some order to the resulting chaos. Although the original S/WAN initiative is no longer active, there are very similar initiatives in Linux FreeS/WAN and the Virtual Private Network Consortium. FreeS/WAN is an implementation in Red Hat Linux, and effectively provides a home-grown Linux VPN implementation under the GNU GPL.

Secure Shell (SSH)

Secure Shell (SSH) is a protocol currently being standardized by the IETF's Secsh Working Group. It allows secure remote access over a network. A variety of methods can be used to authenticate the client and the server and to establish an encrypted communication channel between systems that support SSH.
This connection can then be used in many ways, for example to establish a VPN or to create a secure remote login on a server in place of the likes of telnet, rlogin or rsh.

What is encrypted email?

In many cases it makes no difference, but users should understand that sending a plaintext email is like sending a postcard that anyone can read. Email travels by an unpredictable, hop-by-hop route, and it can be read at many points along the way without much effort. For a time it also sits in a semi-public area of a mail server or in an ISP's storage. Email may also be misrouted or misaddressed. The journal Network News carried the story of a network manager who mistakenly sent an image of himself bearing the words "I am very munchable" to every printer in the office building; the image had originally been intended as a message on a private T-shirt for his wife. That was not email, of course, but email is just as prone to this kind of mistake, and to the embarrassment that follows.

Many products provide secure email, either as add-on products that use PGP (Pretty Good Privacy, covered later in the article) or by using a protocol such as Secure MIME (S/MIME) to add digital signatures and encryption to messages created with a suitable client (for example, Netscape).

When reposting, please credit the original address: https://www.9cbs.com/read-773.html
