279 C HAPTER 9 Encryption Tools So far, the tools discussed have been used for protecting your network and the machines that reside within that network. However, once that data passes outside the network bound- aries, it is beyond the protection of the tools discussed thus far and is susceptible to poten- tial capture by hostile entities. Most Internet applications today send their data in the clear, also known as plain text . This means that anyone viewing the packet can see your data. When your data crosses the Internet, it passes through different systems, many of which are out of your direct control and thus should be assumed to be nonfriendly. ISP routers and switches can be co-opted either from the inside or outside, and other mail and Web servers regularly handle your private data. There is no way to avoid sending your data outside of your network. The biggest advantage of a global Internet is being able to share information with all of your business partners and customers in the outside world. You can’t go back to the days of totally pri- vate networks. So, how do you protect your important data once it leaves the comfy and safe confines of your home network? Encryption is what most businesses rely on to make the Internet safe for their data, and it is an important tool you can use too for maintaining the integrity and confidentiality of your data on the Internet. You may also want to protect your data from unauthorized viewers within your net- work, because certain information may not be for all eyes within the company. Finally, encrypting your important data can be a final line of defense against hackers. Even if they manage to break into your network and exploit the server, they still have to crack the encryption to get at your data. Howlett_CH09.fm Page 279 Thursday, June 24, 2004 11:12 PM 280 Chapter 9 • Encryption Tools Chapter Overview Concepts you will learn: • Symmetric and asymmetric encryption • Different encryption algorithms • Encryption applications • Certificate authority security model • Web of trust security model Tools you will use: PGP, GnuPG, OpenSSH, FreeS/WAN, and John the Ripper There are many different protocols for encryption. Looking again at the OSI Refer- ence Model (Figure 9.1), you can see that there are encryption tools that operate at several different levels of the network model. As you probably guessed, there are many excellent open source encryption tools available for just about every application, from encrypting single files to protecting all of your outbound Internet connections. In fact, the ready avail- ability of high-quality encryption software has its roots in the open source movement. OSI Layer Layer Name Encryption Standards Layer 7 Application PGP, GnuPG Layer 6 Presentation Layer 5 Session SSL, SSH Layer 4 Transport Layer 3 Network IPsec Layer 2 Data Link Layer 1 Physical Figure 9.1 OSI Model and Encryption Howlett_CH09.fm Page 280 Thursday, June 24, 2004 11:12 PM Types of Encryption 281 Types of Encryption There are two main ways to do encryption today. The first kind of encryption, called sym- metric cryptography or shared secret encryption , has been used since ancient Egyptian times. This form of encryption uses a secret key, called the shared secret , to scramble the data into unintelligible gibberish. The person on the other end needs the shared secret (key) to unlock the data—the encryption algorithm. You can change the key and change the results of the encryption. It is called symmetric cryptography because the same key is used on both ends for both encryption and decryption (see Figure 9.2). The problem with this method is that you have to communicate the secret key securely to your intended recipient. If your enemy intercepts the key, he can read the mes- sage. All kinds of systems were invented to try to get around this basic weakness, but the fact remained: you still had to communicate the secret key in some way to your intended recipient before you could commence secure communications. A revolution in encryption was started when Whitfield Diffie, Martin Hellman, and Ralph Merkle invented Public Key cryptography. (Actually, there is some debate whether the British civil servant James Ellis really invented it earlier and kept it secret, but Diffie, Hellman, and Merkle were the first to go public with it in 1976.) They were trying to solve the age-old problem of key exchange. Diffie wondered how two individuals wanting to make a financial transaction over an electronic network could do so securely. He was thinking far ahead here, because the Internet was in its infancy at the time and e-commerce didn’t yet exist. If big governments had problems dealing with the key exchange problem, how could the average person manage this? He wanted to come up with a system by which two parties could easily hold protected conversations and secure transactions without hav- ing to exchange keys every time. He knew that if he could solve the key exchange prob- lem, it would be a huge advance in cryptography. Diffie partnered with Martin Hellman and Ralph Merkle. It took them a few years, but finally they came up with a system called public key encryption (PKE), also known as asymmetric cryptography . Figure 9.2 Symmetric Cryptography Encrypted document Plain text document Plain text document Sender Recipient Decrypted with shared key Encrypted with shared key Howlett_CH09.fm Page 281 Thursday, June 24, 2004 11:12 PM 282 Chapter 9 • Encryption Tools Asymmetric cryptography uses encryption that splits the key into two smaller keys. One of the keys is made public and one is kept private. You encrypt a message with the recipient’s public key. The recipient can then decrypt it with their private key. And they can do the same for you, encrypting a message with your public key so you can decrypt it with your private key (see Figure 9.3). The difference here is that you don’t need some- one’s private key to send him or her a secure message. You use his or her public key, which doesn’t have to be kept secure (in fact, it can be published like a phone number). By using your recipient’s public key, you know that only that person can encrypt it using his or her private key. This system allows two entities to communicate securely without any prior exchange of keys. Asymmetric cryptography is usually implemented by the use of one-way functions. In mathematic terms, these are functions that are easy to compute in one direction but very difficult to compute in reverse. This is what allows you to publish your public key, which is derived from your private key. It is very difficult to work backwards and determine the private key. A common one-way function used today is factoring large prime numbers. It is easy to multiply two prime numbers together and get a product. However, to determine which of the many possibilities are the two factors of the product is one of the great math- ematical problems. If anyone were to invent a method for easily deducing factors of large prime numbers, it could make obsolete much of the public key encryption used today. For- tunately, other one-way functions work for this application, such as calculations on ellipti- cal curves or computation of inverse logarithms over a finite field. Soon after the paper by Diffie, Hellman, and Merkle was released, another group of three men developed a practical application of the theory. Their system for public key encryption was called RSA after their names: Ronald Rivest, Adi Shamir, and Leonard Adleman. They formed a company and began licensing their system. The adoption rate was slow and their company almost went out of business, until they cut a deal to take advantage of the growing Internet commerce field with a then little-known company Figure 9.3 Asymmetric Cryptography (Public Key) Encrypted document Plain text documentPlain text document Sender Recipient Decrypted with recipient's private key Encrypted with recipient's public key Howlett_CH09.fm Page 282 Thursday, June 24, 2004 11:12 PM Types of Encryption 283 called Netscape. The rest is history, and RSA is now the most widely used public key encryption algorithm. Diffie and Hellman eventually released a practical application of their own, but it is usable only for key exchanges, whereas RSA can do authentication and nonrepudiation. Public key encryption is now behind every Web server that offers you a secure pur- chase. Your transaction is encrypted without giving or taking a secret key, and it all hap- pens in the background. All we know as users is that the little SSL lock symbol displays in our browser and we feel safer. Imagine the effects on Internet commerce if every time you wanted to buy something online you had to think of a secret key, encrypt the message, and then somehow communicate that key to the other party. Obviously, e-commerce could not exist as it does today without public key cryptography. There are many different encryption algorithms, protocols, and applications based on these two main types of encryption. The following sections introduce some of these. Encryption Algorithms Today, strength of encryption is usually measured by key size. No matter how strong the algorithm, the encrypted data can be subject to brute force attacks in which all possible combinations of keys are tried. Eventually the encryption can be cracked. For most mod- ern ciphers with decent key lengths, the time to crack them with brute force them is mea- sured in millennia. However, an undisclosed flaw in an algorithm or an advance in computer technology or mathematical methods could sharply decrease these times. Generally, the thinking is that the key length should be suitable for keeping the data secure for a reasonable amount of time. If the item is very topical, such as battlefield com- munications or daily stock information, then a cipher that protects it for a matter of weeks or months is just fine. However, something like your credit card number or national secu- rity secrets need to be kept secure for a longer period, effectively forever. So using weaker encryption algorithms or shorter key lengths for some things is okay, as long as the infor- mation usefulness to an outsider expires in a short amount of time. Data Encryption Standard (DES) DES is the original standard that the U.S. govern- ment began promoting for both government and business use. Originally thought to be practically unbreakable in the 1970s, the increase in power and decrease in cost of com- puting has made its 56-bit key functionally obsolete for highly sensitive information. However, it is still used in many commercial products and is considered acceptable for lower security applications. It also is used in products that have slower processors, such as smart cards and appliance devices that can’t process a larger key size. TripleDES TripleDES, or 3DES as it is sometimes written, is the newer, improved ver- sion of DES, and its name implies what it does. It runs DES three times on the data in three phases: encrypt, decrypt, and then encrypt again. It actually doesn’t give a threefold increase in the strength of the cipher (because the first encryption key is used twice to Howlett_CH09.fm Page 283 Thursday, June 24, 2004 11:12 PM 284 Chapter 9 • Encryption Tools encrypt the data and then a second key is used to encrypt the results of that process), but it still gives an effective key length of 168 bits, which is plenty strong for almost all uses. RC4, RC5, and RC6 This is an encryption algorithm developed by Ronald Rivest, one of the developers of RSA, the first commercial application of public key cryptography. Improvements have been made over time to make it stronger and fix minor issues. The current version, RC6, allows up to a 2,040-bit key size and variable block size up to 128 bits. AES When the U.S. government realized that DES would eventually reach the end of its useful life, it began a search for a replacement. The National Institute of Standards and Technology (NIST), a government standards body, announced an open competition for a new algorithm that would become the new government standard. There were many com- petitors including RC6, Blowfish by renowned cryptographer Bruce Schneier, and other worthy algorithms. They settled on AES, which is based on an algorithm called Rijndael, designed by two Belgian cryptographers. This is significant because they used an open competition to decide on the standard. Also, selecting an algorithm by two non-American developers with no significant commercial interests helped to legitimize this selection worldwide. AES is rapidly becoming the new standard for encryption. It offers up to a 256-bit cipher key, which is more than enough power for the foreseeable future. Typically, AES is implemented in either 128- or 192-bit mode for performance considerations. Encryption Applications Hashes Hashes are a special use of one-way functions to provide authentication and verification using encryption. A hash function takes a file and puts it through a function so that it produces a much smaller file of a set size. By hashing a file, you produce a unique fingerprint of it. This gives you a way to make sure that the file has not been altered in any way. By hashing a suspect file and comparing the hash to the known good hash, you can tell if any changes have been made. It is unlikely that a file with a different structure would produce an identical hash. Even changing one character changes the hash significantly. The chances of two different files producing the same hash are infinitesimal. Hashes are often provided on downloaded versions of software to make sure you are getting the real thing. This is important, especially with open source software, where it may have been passed around quite a bit or downloaded from another site. The official Web site will usually post the correct hash of the latest version. If the two don’t match, then you know some changes have been made, possibly without the permission or knowl- edge of the software developers. The most popular hashing algorithm is called MD5. Digital Certificates Digital certificates are the “signature” of the Internet commerce world. These use a combination of encryption types to provide authentication. They prove that who you are connecting to is really who they say they are. Simply put, a certificate is a “certification” of where the information is coming from. A certificate contains the public Howlett_CH09.fm Page 284 Thursday, June 24, 2004 11:12 PM Types of Encryption 285 key of the organization encrypted with either its private key or the private key of a signing authority. Using a signing or certificate authority is considered the more secure method of the two. If you can decrypt the certificate with their public key, then you can reasonably assume the Web site belongs to that organization. Certificates are usually tied to a particular domain. They can be issued by a central entity, called a Certificate Authority (CA), or created and signed locally as described above. There are several of these organizations, the biggest of which is VeriSign, the com- pany that also runs the domain names system. They have sanctioned many other compa- nies to offer certificates under their authority. Getting a certificate from VeriSign or one of the companies it authorizes is like having someone vouch for you. Generally, they will not issue you a certificate until they verify the information you are putting in the certificate, either by phone or via some kind of paper documentation, such as a corporate charter. Once they “certify” you, they will take this information, including the URLs you are going to use the certificate for, and digitally “sign” it by encrypting it with their private key. Then a Web server or other program can use this certificate. When outside users receive some data, such as a Web page from the server, and it has a certificate attached, they can use public key cryptography to decrypt the certificate and verify your identity. Certificates are used most often at e-commerce Web sites, but they can also be used for any form of com- munications. SSH and Nessus both can use certificates for authentication. VPNs also can use certificates for authentication instead of passwords. Encryption Protocols IPsec It’s a well-known fact that the IP protocol as designed originally was not very secure. IP version 4 (IPv4), which is what most of the world uses for IP communications, doesn’t provide any kind of authentication or confidentiality. Packet payloads are sent in the clear, and packet headers can easily be modified since they are not verified at the desti- nation. Many Internet attacks rely on this basic insecurity in the Internet infrastructure. A new IP standard, called IPv6, was developed to provide authentication and confidentiality via encryption. It also expanded the IP address space by using a 128-bit address rather than the 32-bit currently used and improved on a number of other things as well. Fully implementing the IPv6 standard would require wide-scale hardware upgrades, so IPv6 deployment has been pretty slow. However, an implementation of security for IP, called IPsec, was developed that wouldn’t require major changes in the addressing scheme. Hardware vendors have jumped on this, and IPsec has gradually become a de facto standard for creating Internet VPNs. IPsec is not a specific encryption algorithm, but rather a framework for encrypting and verifying packets within the IP protocol. IPsec can use different algorithms and can be implemented in whole or just partially. A combination of public key and private key cryp- tography is used to encrypt the packet contents, and hashes add authentication as well. This function is called Authentication Header (AH). With AH, a hash is made of the IP header and passed along. When the packet arrives at the destination, a new hash is made of each header. If it doesn’t compare to the one sent, then you know the header has been Howlett_CH09.fm Page 285 Thursday, June 24, 2004 11:12 PM 286 Chapter 9 • Encryption Tools altered somehow in transit. This provides a high level of assurance that the packet came from where it says it does. You may choose to do encryption of the packet payload but not do AH, as this can slow down the throughput. AH can also get fouled up in some environ- ments with NAT or firewalls. There are also different two operation modes you can run IPsec in: tunnel mode or transport mode. In tunnel mode , the entire packet—header and all—is encapsulated and encrypted, placed in another packet, and forwarded to a central VPN processor. The endpoints decrypt the packets and then forward them to the correct IP. A benefit of this method is that outsiders can’t even tell what the final destination is for the encrypted packet. Another advantage is that the VPN can be controlled and administered from a few central points. The downside is that this requires dedicated hardware at both ends to do the tunneling. In transport mode , only the packet payloads are encrypted; the headers are sent intact. This makes deployment a little easier and requires less infrastructure. You can still do AH when using transport mode and verify the source address of the packets Point-to-Point Tunneling Protocol (PPTP) PPTP is a standard that was developed by Microsoft, 3Com, and other large companies to provide encryption. Microsoft has added it to Windows 98 and later releases. This made it seem a likely candidate to be the major standard for widespread encryption technology. However, some major flaws were discovered in PPTP, which limited its acceptance. When Microsoft bundled IPsec with Windows 2000, it seemed a tacit admission that IPsec had won as the new encryption stan- dard. However, PPTP is still a useful and inexpensive protocol for setting up VPNs between older Windows PCs. Layer Two Tunneling Protocol (L2TP) This is another industry-developed proto- col, and is endorsed by Microsoft and Cisco. Although used frequently in hardware-based encryption devices, its use in software is relatively limited. Secure Socket Layer (SSL) This protocol was designed specifically for use on the Web, although it can be used for almost any type of TCP communications. Netscape orig- inally developed it for their browser to help stimulate e-commerce. SSL provides data encryption, authentication on both ends, and message integrity using certificates. Most of the time, SSL is used when connecting to a Web server so that we know the information we send it is being protected along the way. Most people don’t even realize that SSL is running in the background. Usually it only authenticates one end, the server side, since most end users don’t have certificates. Encryption Applications Phil Zimmerman is a programmer who was heavily involved with human rights. He was concerned that the growing use of computers and communication networks would make it easier for the state security agencies of repressive regimes to intercept and gather informa- tion on dissidents. Phil wanted to write some software that would help these people keep Howlett_CH09.fm Page 286 Thursday, June 24, 2004 11:12 PM Types of Encryption 287 their information private and safe from the eyes of the brutal regimes that ruled them. This software could quite literally save people’s lives. He also didn’t entirely trust his own gov- ernment not to observe his personal data as it traveled across interconnected networks. He knew how easy it would be for the government to build systems to search every line of every e-mail for certain key words. He wanted to provide people with a way to protect and guarantee their constitutional right to privacy. He called his software Pretty Good Privacy (PGP), as he felt it did a good enough job to protect the data from smaller countries’ intelligence forces. However, the U.S. informa- tion security agency, NSA, didn’t see it that way. Zimmerman was investigated for violat- ing federal munitions export laws for allowing his software to be downloaded out of the country. He originally intended on founding a company to sell his innovation. However, when the government came after him, he freely distributed the software over the Internet to get it widely distributed. He did subsequently form a company to market commercial versions of the software, but there are open source implementations of PGP all over the Internet. Some of them are more popular than others, and some are for niche applications such as e-mail encryption. The next section reviews the official PGP Corporation freeware version as well as a full open source version. You can find a list of all the implementations of PGP at www.cypherspace.org/openpgp/. PGP Freeware: A Public Key Encryption Tool PGP Freeware Author/primary contact: Phil Zimmerman Web site: www.pgp.com Platforms: Multiple platforms including all Windows and Linux License: Freeware for noncommercial use Version reviewed: 8.0.2 Other resources: www.pgpi.com Mailing lists: PGP Freeware Help Team IETF OpenPGP working group PGP users mailing list PGP/MIME working group PGPi developers mailing list PGPi translators mailing list Pgplib developers mailing list All these lists can be accessed and subscribed to at www.pgpi.org/links/mailinglists/en/. Howlett_CH09.fm Page 287 Thursday, June 24, 2004 11:12 PM 288 Chapter 9 • Encryption Tools MIT maintains the official freeware version of PGP. Since it is licensed from Phil Zimmerman and PGP Corporation, you can be reasonably sure of its integrity and validity. The downside of the PGP freeware is that it is licensed for personal use only, so you can use it for your personal e-mail or for educational purposes if you are student. If you are going to use this version of PGP, make sure that you carefully read the license and under- stand it. While this version of PGP is open source and freeware, there are considerable restrictions on what you can use it for. Remember, open source doesn’t always mean free. If you want the best of both worlds, both the most current version and ease of use and sup- port, you should look into buying a full license from PGP Corporation. It runs about $125 for a single user, and has a discount for volume purchases. If you can’t or won’t pay, then the next tool, GnuPG, which is a fully free implementation of PGP, may be of more inter- est to you The official PGP from PGP Corporation does have some excellent features. • A built-in VPN client, IPsec 3DES VPN, which can be used to communicate securely with anyone who has PGP 8.0 or later. • The ability to build self-decrypted archives to send PGP messages to someone who doesn’t have PGP software loaded. • Deleted file wiping, which is the ability to permanently delete a file by overwriting the data on the disk multiple times. • Free space wiping, which is the same concept as deleted file wiping, but for your disk free space that may contain traces of old data. • Integrated command line support for those familiar with old-style commands. • Plug-ins for major e-mail programs, including Outlook, Eudora, and Claris Emailer (paid version only). • Proxy support, which is useful for users behind a proxy firewall (paid version only). • PGPDisk, which lets you encrypt a whole volume or subvolume of your disk so that encryption and decryption of your data happens automatically (paid version only). Before you install and begin using PGP, you should understand a little about how it works and the principles behind it. This section is not meant to give you detailed training and understanding of cryptography or PGP; you can refer to the many books on those sub- jects. But you should come out of this chapter being able to encrypt and decrypt messages using PGP. USENET Newsgroups: Alt.security.pgp Comp.security.pgp.announce Comp.security.pgp.discuss Comp.security.pgp.resources Comp.security.pgp.tech PGP Freeware: A Public Key Encryption Tool Howlett_CH09.fm Page 288 Thursday, June 24, 2004 11:12 PM . site: www.pgp.com Platforms: Multiple platforms including all Windows and Linux License: Freeware for noncommercial use Version reviewed: 8.0.2 Other resources: www.pgpi.com Mailing lists: PGP. Newsgroups: Alt .security. pgp Comp .security. pgp.announce Comp .security. pgp.discuss Comp .security. pgp.resources Comp .security. pgp.tech PGP Freeware: A Public Key Encryption Tool Howlett_CH09.fm Page 288. function used today is factoring large prime numbers. It is easy to multiply two prime numbers together and get a product. However, to determine which of the many possibilities are the two factors of