Firewall Wizards mailing list archives
Re: encryption
From: Bennett Todd <bet () rahul net>
Date: Tue, 21 Mar 2000 13:23:27 -0500
2000-03-20-08:17:38 Simondon:
I am looking for a key encryption system : - 1) to choose a key encryption method - 2) to find , if possible, a key server existant technology (domain public) - 3) to find an encryption system Perhaps this mail group is not adapted for this kind of questions ?
Perhaps it's not, but I'll take a stab here. Please reply offline if you'd like more details. Very first thing, you should consider reading a book on this stuff. In English, the basic text is Applied Cryptography, by Bruce Schneier. I don't know if that text has been translated, or if there are other recommended texts in other languages. I'll try and give a quick overview of cryptography, but length limits will guarantee that this is really superficial, that's unavoidable. First off, it's helpful to separate some different concepts, giving them different names. Encryption Algorithms are mathematical procedures. They fall into a few categories. Encryption algorithms use "keys", typically short strings or integers, to control a scrambling of the plaintext to produce an encrypted text. Without the key it's impossible to recover the plaintext from the encrypted text. Encryption algorithms in turn fall into two categories: symmetric (or "secret key") and assymetric (or "public key"). Symmetric key algorithms use the same key for encrypting and decrypting. DES, IDEA, and Blowfish are typical symmetric algorithms. Assymetric, or public key algorithms, help with the key distribution problem, since they use separate keys for encryption and decryption. A plaintext is encrypted with one key, and can only be decrypted with the other. So you can publish one key --- the "public key" --- and people can use that to send you secret documents. Assymetric algorithms are very, very slow, so people don't use them to actually handle bulk encryption of traffic; instead, they generate random keys ("session keys"), encrypt those keys with an assymetric algorithm, then use the session keys with another, symmetric algorithm to bulk encrypt the actual traffic. Assymetric algorithms include RSA and Diffie-Hellman. Another category of algorithm is a cryptographic hash function, such as MD5. A hash takes an arbitrary-length body of plaintext, and produces a sort of checksum. The feature that distinguishes a crypto hash is that it's impractical to generate a plaintext to match a given hash, so if you check such a hash, and you know nobody has been able to tamper with the hash, and the check passes, then you know nobody has tampered with the plaintext. These are used for digital signatures, among other things. Encryption protocols are procedures for performing various interesting tasks, like e.g. sending secure email, signed email, or both; securing traffic over a network link (VPN); securing data in a filesystem; etc. Such protocols are built using Encryption Algorithms as the blocks. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program. Examples of such well-documented protocols include PGP and IPSEC. Encryption Programs implement encryption protocols. Naturally, it's preferable to use programs that implement well-documented protocols, ideally ones with multiple implementations available; this protects you against defects in the protocol design, since such public protocols get particularly close scrutiny and analysis. By similar reasoning, it's generally preferred to use open source encryption programs in preference to closed source, proprietary programs, since the open source code can be reviewed by more people. With that background, perhaps you can approach your question. What do you want to accomplish with encryption? That will indicate what protocols might be candidates, which will in turn guide the choice of programs. Popular protocols with good open source implementations include TLS (nee SSL), used for secure web transactions (and other tasks, more rarely); ssh, a good remote shell and file copy protocol; PGP, the most widely-used email encryption standard; and IPSEC, the current leading competitor for encrypting network links to create Virtual Private Nets (VPNs). Some of these can sometimes make use of key servers. -Bennett
Attachment:
_bin
Description:
Current thread:
- encryption Simondon (Mar 21)
- Re: encryption Bennett Todd (Mar 21)
- Re: encryption aturner (Mar 23)