Google Search


Wednesday, July 11, 2007

Cryptography Do's and Don'ts

Most hacks against computer networks could have been avoided — if only someone had installed a security patch or made simple changes in a configuration file. Encryption often fails because someone forgot to do something — or they did something incorrectly. Avoid some common pitfalls by remembering what to do or not to do during an encrypting project.

Do be sure the plain text is destroyed after a document is encrypted

Many, many people make this mistake! They go to all the time and effort to encrypt a document before storing it or sending it off to someone else, and then they save the unencrypted document on their personal hard drive or on a file server. If an unauthorized person gained access to the file server or the personal computer, all the security of the encryption is lost. Not only that, but if the attacker has both the encrypted document and the plaintext document, he could figure out what your key is.

The commercial version of PGP has a feature that allows you to thoroughly destroy a plaintext document by erasing the file and totally scrambling the bits numerous times. Other commercial and freeware programs have this capability, too, but always use one that you trust and not just something you found on the Web.

If you must store a document in its plaintext form, move the file to a server that isn't connected to the network.

Do protect your key recovery database and other key servers to the greatest extent possible

You know what a gut-wrenching feeling it is to discover that you have lost your key ring — your house keys, car keys, mailbox key, key to your mother's condo, your pied-a-terre in the south of France. When you lose your keys, you just know that someone is going to steal your car and enter your house. Not only that, but it's a pain to replace all the locks and get new keys. It's not that much different if an unauthorized person gets your encryption keys.

If your encryption keys are stolen because someone has stolen them from your server, your first job is to secure the server so that it can't happen again — this means physical access to the server as well. Next, you have to revoke all the existing keys and generate and issue new ones. Don't forget to tell the staff what has happened, too, and why these steps are necessary.

Don't store your private keys on the hard drive of your personal computing device

For the same reason that you need to secure your key servers in the company office, you need to make sure that people's private keys are adequately protected on their workstations and laptops. Laptops are particularly vulnerable to theft and, if the private key is left on the hard drive in a default location, it makes it child's play to use that key.

When keys are generated, the cryptosystem often saves the private keys in a default location on the hard drive. Hackers and other attackers know exactly where to look for these keys and they know how to search the hard drive for keys that are stored in different directories than the default. The best thing to do is to have keys stored on some sort of removable media such as a USB keychain drive. You can password protect the USB drive as well.

Do make sure your servers' operating systems are "hardened" before you install cryptological systems on them

All operating systems, as they come installed from the factory, have numerous security holes in them. "Hardening" the operating system means changing all the vulnerable default settings and installing security patches that come from the vendors. Some operating systems are better than others as far as security goes, but Windows systems are notoriously bad when it comes to security.

You want to make sure your key servers other important servers of your encryption system are hardened so they aren't so easily hacked.

Do train your users against social engineering

Social engineering is just a euphemism for "con job," and it happens every day. Employees get calls from someone purporting to be from the IT department and are asked to give up their passphrases and keys, among other things. Employees do this because they are afraid to challenge authority.

Give your employees permission to challenge anyone who asks them to do something that may compromise security. Tell your employees what needs protecting and what doesn't. In that way you make everyone aware of potential problems and you create a large team of "cyber cops" who are working for you instead of against you.

Do test your cryptosystem after you have it up and running

Most people are content to set up an encryption program and just leave it at that. What they forget to check is that the system actually encrypts data correctly. The most common problem is that the encryption program is not actually creating an initialization vector that is random enough.

Check with your vendor for software to test your system or search the Web for software that can do this for you.

Don't install a cryptosystem yourself if you're not sure what you're doing

As with any program installation, if you don't know what you are doing, you can really muck up the program badly. Usually there are numerous dialog boxes to answer during the installation as well as directory location and other decisions to make. With a cryptosystem, this is not the time to chuck the manual and try to do it on your own. If you install the program incorrectly, chances are your encryption won't work correctly either.

Read the manual, call your vendor support, read up about potential problems on the Internet before you install a cryptosystem. If you can, find someone who has a large amount of experience with these types of systems and hire him or her short term to help you out.

Don't use unknown, untested algorithms

If an algorithm is unknown or secret, that means it hasn't been tested to see if it can be broken or not. If you come across an algorithm you've never heard of before, do some research on the Internet to see if anyone else of note is using it. (If you want opinions on something, the Internet is the place to find it!)

One last word on unknown algorithms: If it hasn't been tested and you're not sure of the reputation of the person who created it, how can you be sure it's trustworthy? In this day and age of Internet scams, someone could release an "algorithm" that's really a Trojan program to be used to break the security of your system. Buyer beware!

No comments: