

Security Risks and Countermeasures

The Net is rife with risks. Hackers, crackers, saboteurs and other unsavory characters abound, eagerly attacking the Net and its users at every opportunity. The risks include system intrusion, unauthorized data access, system sabotage, planting of viruses, theft of data, theft of credit card numbers, and theft of passwords. While the Internet and WWW can’t be blamed for the concepts and practice of mischief, fraud, theft, and other socially unacceptable forms of behavior, they certainly provide another high-tech cyberalley on the Information Superhighway. As noted by Panchatantra in the fifth century B.C.: “Not a cow, nor a gift of land, nor yet a gift of food, is so important as the gift of safety, which is declared to be the great gift among all gifts in this world.”

CERT (Computer Emergency Response Team) at Carnegie Mellon University comprises a group of experts who are responsible for overseeing security issues on the Net. While it is highly doubtful that a single security measure or standard will prevail in the near or distant future, there exist a number of options, including message encryption, authentication, and authorization. Firewalls, incorporating much of the above, have recently gained the spotlight as a defense mechanism.

Encryption

Encryption involves scrambling and compressing the data prior to transmission. The receiving device will be provided with the necessary logic in the form of a key to decrypt the transmitted information. Encryption logic generally resides in firmware included in standalone devices, although it can be built into virtually any device. For instance, such logic is now being incorporated into routers, which can encrypt/decrypt data on a packet-by-packet basis. Encryption comes in two basic flavors: private key and public key.

Private key encryption, also known as single-key or secret-key encryption, requires that the key be kept secret.

Public key encryption involves an RSA encryption (encoding) key that can be used by all authorized network users; the key for decoding is kept secret. Public key encryption is freely available on the Net via a program known as PGP (Pretty Good Privacy), developed by Philip Zimmermann. PGP was under a cloud for some time, as there was concern that it was so powerful as to be in violation of U.S. technology export laws. By the way, encryption technology is technically classified under U.S. law as a form of munitions. The commercial version of PGP is known as ViaCrypt PGP, offering an improved user interface.

Data Encryption Standards

Data encryption standards include DPF (Data Private Facility), DES, RSA and Clipper. DES (Data Encryption Standard), which uses a challenge-response approach and intelligent tokens, was formulated by the U.S. National Bureau of Standards. RSA, named after its developers, Rivest, Shamir and Adleman, is the standard for public key encryption. Clipper, an encryption standard developed by the U.S. government, uses escrowed keys to permit government deciphering through a back door. Clipper, which is non-exportable, is used extensively by the U.S. government and those who wish to do business with it. Encryption programs used on the Net include SSL, S-HTTP, and combinations of them.

Secure Socket Layer (SSL) from Netscape negotiates point-to-point security between client and server, including type of encryption scheme and exchange of encryption keys. SSL sends messages over a socket, which is a secure channel at the connection layer, existing in virtually every TCP/IP application. While SSL can accommodate a number of encryption algorithms, Netscape has licensed RSA Data Security’s BSafe to provide end-to-end encryption, as well as key creation and certification. Netscape’s Netsite Commerce Server technology, including SSL, has been licensed by the likes of DEC, Novell, the Bank of America and Delphi. A socket, by the way, is an operating system abstraction that allows application programs to automatically access communications protocols. The concept was developed by Bolt Beranek and Newman in conjunction with the company’s early work on TCP/IP.

Secure HyperText Transport Protocol (S-HTTP) from Enterprise Integration Technologies also negotiates point-to-point security between client and server, although at the application layer. EIT has licensed RSA Data Security’s BSafe TIPEM (Toolkit for Interoperable Privacy-Enhanced Messaging). S-HTTP is a superset of HTTP and, therefore, is specific to the Web. Several manufacturers of Web servers have announced plans to include S-HTTP in their products. S-HTTP has gained the support of the WWW Consortium, and looks to be moving toward acceptance as a de facto standard.

SSL and S-HTTP are being linked by Terisa Systems, Inc., which was founded by RSA and EIT. Investments in the company and its technology have been made by IBM, CompuServe, America Online, Prodigy and Netscape.

Authentication

Authentication provides a means by which network managers can authenticate the identity of those attempting access to computing resources and the data they house. Authentication consists of password protection and intelligent tokens.

Password protection should be imposed to restrict individuals on a site, host, application, screen, and field level. Passwords should be reasonably long, alphanumeric, and changed periodically. There is a current trend toward the use of dedicated password servers for password management.

Intelligent tokens are hardware devices that generate one-time passwords to be verified by a secure server. They often work on a cumbersome challenge-response basis.
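The challenge-response exchange between an intelligent token and its verifying server, sketched as an added example that is not from the original text. The HMAC-SHA-256 code derivation, the `AuthServer` class and all names are assumptions for illustration; the page does not say how any particular token computes its response.

```python
import hashlib
import hmac
import secrets
import time


def token_response(secret, challenge, digits=6):
    """Code the token derives from its secret and the server's challenge."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical verifier: one outstanding challenge per user, single use."""

    def __init__(self, secrets_by_user, ttl=60.0):
        self._secrets = dict(secrets_by_user)
        self._pending = {}  # user -> (challenge, expiry time)
        self._ttl = ttl

    def issue_challenge(self, user, now=None):
        now = time.monotonic() if now is None else now
        challenge = secrets.token_bytes(16)  # unpredictable per attempt
        self._pending[user] = (challenge, now + self._ttl)
        return challenge

    def verify(self, user, response, now=None):
        now = time.monotonic() if now is None else now
        # Consume the challenge whether or not the check passes (no replay).
        challenge, expiry = self._pending.pop(user, (None, 0.0))
        secret = self._secrets.get(user)
        if challenge is None or secret is None or now > expiry:
            return False
        expected = token_response(secret, challenge)
        return hmac.compare_digest(expected.encode(), str(response).encode())


if __name__ == "__main__":
    shared = b"constructed-demo-secret"  # constructed sample value
    server = AuthServer({"alice": shared})
    challenge = server.issue_challenge("alice")
    code = token_response(shared, challenge)
    print("first use:", server.verify("alice", code))   # True
    print("replay:   ", server.verify("alice", code))   # False
```

Because the server discards each challenge on first use and after its lifetime expires, a captured code is useless to anyone who replays it later.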

