Wiley cryptography for dummies jan 2004 ISBN 0764541889


Cryptography For Dummies
by Chey Cobb
John Wiley & Sons © 2004
ISBN: 0764541889

This guide to keeping your data safe offers the latest security techniques and advice on choosing and using cryptography products. It covers terminology, specific encryption technologies, pros and cons of different implementations, and more.

Table of Contents

Cryptography for Dummies
Introduction
Part I - Crypto Basics & What You Really Need to Know
Chapter 1 - A Primer on Crypto Basics
Chapter 2 - Major League Algorithms
Chapter 3 - Deciding What You Really Need
Chapter 4 - Locks and Keys
Part II - Public Key Infrastructure
Chapter 5 - The PKI Primer
Chapter 6 - PKI Bits and Pieces
Chapter 7 - All Keyed Up!
Part III - Putting Encryption Technologies to Work for You
Chapter 8 - Securing E-Mail from Prying Eyes
Chapter 9 - File and Storage Strategies
Chapter 10 - Authentication Systems
Chapter 11 - Secure E-Commerce
Chapter 12 - Virtual Private Network (VPN) Encryption
Chapter 13 - Wireless Encryption Basics
Part IV - The Part of Tens
Chapter 14 - The Ten Best Encryption Web Sites
Chapter 15 - The Ten Most Commonly Misunderstood Encryption Terms
Chapter 16 - Cryptography Do’s and Don’ts
Chapter 17 - Ten Principles of “Cryptiquette”
Chapter 18 - Ten Very Useful Encryption Products
Part V - Appendixes
Appendix A - Cryptographic Attacks
Appendix B - Glossary
Appendix C - Encryption Export Controls
Index
List of Figures
List of Tables
List of Sidebars

Back Cover

Protect yourself and your business from online eavesdroppers—it’s easier than you think!

If you were hoping for a flame-throwing watch or flying a car, we’re sorry—this isn’t James Bond’s equipment manual. Cryptography is a common-sense way to secure stuff on the Internet, and this friendly guidebook makes it easy to understand. Discover how you can protect information with keys, ciphers, PKIs, certificates, and more.

Discover how to:

  • Analyze off-the-shelf encryption products

  • Decide what type of security you need

  • Create and manage keys

  • Issue digital signatures and certificates

  • Set up SSL for e-commerce

  • Enable wireless encryption

About the Author

Chey Cobb, CISSP, author of Network Security For Dummies was Chief Security Officer for a national Reconnaissance Office (NRO) overseas location. She is a nationally recognized computer security expert.

Cryptography for Dummies
by Chey Cobb, CISSP

Published by Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774

Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana

Published by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordinator@wiley.com.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2003105686

ISBN: 0764541889

Manufactured in the United States of America

10 9 8 7 6 5 4 3 2 1

1O/QY/QR/QU/IN

About the Author

Chey Ewertz Cobb, CISSP, began working in computer security in 1989. Since then she has managed her own computer security consulting company, Cobb Associates, working for such clients as Apple Computers and Sun Microsystems. She later worked for the government, creating a secure network at Cape Canaveral, assisting in the security at Patrick Air Force Base, and later as a technical security officer for the National Reconnaissance Office (NRO), which is more secretive than the NSA.

During her work in security, she had the opportunity to evaluate and manage cryptosystems for private industry and the U.S. Intelligence Agencies.

Chey now writes books on computer security (Computer Security Handbook, 4th Edition and Network Security For Dummies), writes articles for magazines, and speaks at computer security conferences.

Dedication

To R. W. Ewertz, Jr. He was my role model and inspiration when things got tough.

Acknowledgments

First of all, let me thank Andrea Boucher and Melody Layne who saw me through thick and thin and never lost faith in me (at least they never let on that they did!). I enjoy working with them both, and any writer who has the opportunity to work with them should count himself/herself lucky!

Secondly, I want to thank Dave Brussin, Ryan Upton, Josh Beneloh, Jon Callas, and Dave Del Torto for setting me on the correct path when my explanations strayed. Thanks so much for lending me your brainwork!

Last, but not least, Stephen. My love, my life, and my everything.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Andrea C. Boucher
Acquisitions Editor: Melody Layne
Technical Editor: Tim Crothers
Editorial Manager: Carol Sheehan
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant (www.the5thwave.com)

Production
Project Coordinator: Maridee Ennis
Layout and Graphics: Joyce Haughey, Andrea Dahl, Stephanie D. Jumper, Jacque Schneider, Melanee Wolven
Proofreaders: Andy Hollandbeck, Carl William Pierce, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Introduction

Overview

Congratulations! You’ve successfully navigated through the gazillion computer books on the bookstore shelves and finally found just what you were looking for — a book on cryptography that you can read and actually understand!

Just thumb through some of the chapters here and you’ll soon realize that you don’t need a degree in advanced mathematics, nor do you need to be the world’s biggest brainiac to understand this stuff. If you have a basic understanding of computers and networking, and you have an interest in increasing your data and communications security, then this is just the book for you.

What I’m talking about here is cryptography — you know, crypto, geek talk, secret coding, cypherpunk’n. If you have heard of the word cryptography, you’ll know that it is one of those subjects that many people are aware of, but very few people can actually tell you what it’s all about. Frankly, just the mention of the word cryptography scares the heck out of people — even experienced network administrators! And to be honest, a lot of the books on the subject are more suited as college textbooks than business “how-to” guides or intros to the subject, and have contributed to the atmosphere of FUD — fear, uncertainty, and doubt — about cryptography. Yep, the subject can be scary as all get-out.

So, how do you decide whether or not you should use cryptography? I’ll help you answer that question with questions and checklists. Before you go on to that chapter, however, there are many situations in which cryptography could or should be used. Here’s a preview of some situations:

  • Your company relies heavily upon its trade secrets to gain a competitive edge over your competitors. If an unauthorized person got access to those trade secrets, it could spell disaster for your entire company.

  • You work in the health care industry and are required by the HIPAA legislation to protect personal information. You get notice from a federal authority that your protection methods are about to be scrutinized because there have been complaints about the way you have handled personal information.

  • You’re an attorney who has been charged with prosecuting someone guilty of war crimes, drug trafficking, or any situation where witnesses and evidence need to be fiercely protected. Obviously, you wouldn’t want your evidence or your witnesses compromised.

Cryptography is a complex subject, I won’t kid you there, but it could definitely save a lot of headaches if it were used in any of the situations mentioned above. Additionally, adding cryptography to your security doesn’t necessarily have to be expensive or impossible to understand. That’s why I wrote this book. I’m here to take the fear out of the equation and to help you get it right the first go-round. After you read through a few sections of this book, you’ll be spouting the jargon like a true techno-geek and you’ll even be able to understand what you’re talking about.

I’ll give you some advance warning, though: You’ll be seeing a lot of information about keys in this book because (and excuse the cliché) the key to cryptography is the keys. That is perhaps the most confusing thing about cryptography — that the word “key” can be used to mean more than one thing. I wish I could change the terminology so it wouldn’t get so confusing, but I have to consider the real world, too. The terminology used in this book is based on what you are really likely to encounter.

List of Figures

Chapter 3: Deciding What You Really Need
Figure 3-1: Protecting the data in transit and not the data at rest

Chapter 5: The PKI Primer
Figure 5-1: The purposes for which this digital certificate can be used
Figure 5-2: The Digital Certificate options in the Mozilla Web browser are found in the Preferences menu
Figure 5-3: The PGP properties dialog box which shows the fingerprint associated with the public key
Figure 5-4: Checking the properties of an invalid digital certificate

Chapter 7: All Keyed Up!
Figure 7-1: Which key would you trust?
Figure 7-2: Two halves make the public and private keys
Figure 7-3: Boris uses his private key and Natasha’s public key to encrypt a message
Figure 7-4: Natasha decrypts Boris’s message

Chapter 8: Securing E-Mail from Prying Eyes
Figure 8-1: Icons for Microsoft Outlook and Microsoft Outlook Express
Figure 8-2: Tools > Options > Security Tab in Outlook Express
Figure 8-3: The Advanced settings to make sure your mail is sent encrypted
Figure 8-4: The first page of the application process for Thawte personal digital certificates
Figure 8-5: Viewing your personal certificates at Thawte
Figure 8-6: Fetch and Install Certificate from Thawte’s Web site
Figure 8-7: Advanced options in Outlook Express to use encryption
Figure 8-8: Encrypting your message
Figure 8-9: The Outlook Express dialog box that indicated you are opening an encrypted message
Figure 8-10: Select the e-mail programs you will be using with PGP
Figure 8-11: Judging the quality of your passphrase in the PGP Key Generation Wizard
Figure 8-12: Accessing the PGP Options menu
Figure 8-13: Listing of PGP public key servers in the Options > Servers tab
Figure 8-14: Setting up the algorithm choices in the Advanced options
Figure 8-15: Sending your key to a PGP public key server
Figure 8-16: Searching for Chey’s key on the MIT public key server
Figure 8-17: Receiving a PGP public key as an e-mail attachment
Figure 8-18: The PGP buttons in your e-mail program
Figure 8-19: Selecting the keys to use for encrypting an e-mail message
Figure 8-20: Entering your secret passphrase to decrypt a message

Chapter 11: Secure E-Commerce
Figure 11-1: The exchange of communications for encrypted ecommerce transactions
Figure 11-2: An invalid SSL certificate alert
Figure 11-3: Root certificate uses and its expiration date

Chapter 13: Wireless Encryption Basics
Figure 13-1: Some war-chalking symbols and their meanings

List of Tables

Chapter 10: Authentication Systems
Table 10-1: Authentication Protocols

Chapter 11: Secure E-Commerce
Table 11-1: The E-Commerce Manager’s Checklist

List of Sidebars

Chapter 1: A Primer on Crypto Basics
Cryptography through the ages
The German Enigma cipher machine
The art of cryptanalysis

Chapter 2: Major League Algorithms
Introducing Boris and Natasha

Chapter 3: Deciding What You Really Need
California declares encryption a necessity

Chapter 4: Locks and Keys
Back in the old days ...

... encountered cryptography or encryption before, I suggest you at least give it a browse.

Chapter 1: A Primer on Crypto Basics

In This Chapter

  • It’s not just for spies anymore

  • Basic information on early cryptography

Date posted: 26/03/2019, 17:11

Table of contents

  • How to Use This Book

  • What You Don't Need to Read

  • How This Book Is Organized

  • Icons Used in This Book

  • Where to Go from Here

  • Part I: Crypto Basics & What You Really Need to Know

    • Chapter 1: A Primer on Crypto Basics

      • It's Not about James Bond

      • Getting to Know the Basic Terms

      • What Makes a Cipher?

      • Everyday Uses of Encryption

      • Why Encryption Isn't More Commonplace

    • Chapter 2: Major League Algorithms

      • Beware of "Snake Oil"

      • Symmetric Keys Are All the Same

      • Symmetric Algorithms Come in Different Flavors

    • Chapter 3: Deciding What You Really Need

      • Justifying the Costs to Management

      • Do You Need Secure Communications?

      • Do You Need to Authenticate Users?

      • Do You Need to Ensure Confidentiality and Integrity?

      • What's It Gonna Cost?

    • Chapter 4: Locks and Keys

      • The Magic Passphrase

  • Part II: Public Key Infrastructure

    • Chapter 5: The PKI Primer

      • What Is PKI?
