The basic idea of key-based cryptography is that you take
a chunk of
data (plain text) and scramble it up (ciphertext) so that the
original
information is hidden beneath a level of encryption. In theory,
only the
person (or machine) doing the scrambling and the recipient of
the
ciphertext knows how to decrypt (unscramble) it, because it will
have been encrypted
using an agreed-upon set of keys or a specific
cipher and passphrase (key).
This key-based method of cryptography is common, wherein the
key in
question is only known to the persons or machines doing the encrypting
and
decrypting. Think of it like a car key. The owner of the car
has the key,
obviously. When the owner walks away from the car, she locks
it and keeps
the key safely secured. No one can get into or use the car without
some
sort of "brute force."
The responsibility of protecting the key rests solely with
the owner of
the car. If the owner puts a set of keys in one of those magnetized
key
holders underneath the car, that's a very loose method of
security. If the owner keeps the key with her at all times, even
showering with
it on a chain around her neck, that's a pretty good level of
key security.
But say the owner's friend needs to borrow the car, so the
owner
passes along an extra set of keys for the friend to use. Both
people can
now drive the car, but the security of the key itself is compromised
because someone else has it. If the friend makes copies of the
key (for other
people to use when the owner is out of town, say), the level
of security
becomes even more diluted. Eventually, the original lock-and-key
security
will be lost entirely, and in order to recover it, the owner
will have to have new locks put on the
car and new keys made.
Keys used in encrypted communications have the same problems
as
conventional keys: They can be lost, stolen, even bought and
sold. And some
can be discovered by crackers through a method called "social
engineering."
Crackers don't necessarily use a serious amount of CPU cycles
to
crack a cipher. Most of the time, they just ask for the password
from an
unsuspecting technician. Or maybe they call up your receptionist
"just to
chat" and glean a tidbit or two of crucial information. You'd
be surprised at
how often this occurs.
Sometimes crackers play on the notion that most people choose
passwords that are easy to crack, like any word found in a dictionary.
Words like "hopscotch," "meteor," or "porcupine" may seem like
nice,
hard-to-guess and easy-to-remember non sequiturs, but they're
all bad
passwords because most password-cracking software cycles through
a
dictionary. If your password is anywhere in that dictionary,
then say
bye-bye to your sensitive data. Better passwords are alphanumeric
and nonsensical,
such as "1Am*Sh$b" or "BA8Hw2Lq."
There are methods of cryptography that don't rely on keys
at all,
but even those aren't foolproof. If the decryption program is
essentially
the key itself, then the machine becomes one big, concrete representation
of the
key, which can be stolen. For example, take the infamous Enigma
machine. This machine was used by the Germans in World War II
to encrypt
and decrypt secret messages. Although it looked like a typewriter
on
steroids, the Enigma machine was not built to type plain text.
Based on a
complex series of settings, wheels, and rotors, the typed text
was
skewed ever so slightly, so as to produce the encrypted data.
In this
instance, the machine was the key; it proved to be a very valuable
piece of equipment, especially in the hands of the Allies.
Taking all of this into consideration social engineering,
careless
people holding keys, encryption embedded into machines themselves
you
may wonder if your sensitive data is really safe. If you keep
your systems
locked down, keep your private keys private, don't use an Enigma
machine,
and don't give your root password to your receptionist, your
data is
probably pretty safe. The techniques outlined in this tutorial
will assist
you as you attempt to reach a comfortable level of security,
but be advised
that these few Web-based tricks only scratch the surface of data
encryption
and security.
next page»