NetPERLs.com  Security

Security on the Internet has become more and more important. The casual user of the internet may well ask why he or she should concern himself or herself with security. The answer is quite simple: You should be concerned with security because unless you do, somebody out there will be able to do whatever you can do. Unlike you, that somebody may have malicious intent. More importantly, that somebody could be anywhere in the world.

So should you be paranoid now? Well a little paranoia is good. On the other hand, the most secure computer in the world is one that is not connected with any other computers and has no users. It is, of course, not very useful. So the sensible answer is to take reasonable precautions and trust that criminals, spies and the government have no interest in you.

Public Key Encryption to the Rescue
In the computer/information age, one of the revolutionary developments in society is that anybody with a personal computer has the ability to encrypt messages that will take even the United States Government that spend billions of dollars on computers and really smart people a non-trivial amount of time to crack (of course, they won't say how long a non-trivial amount of time is). One would hope that it takes criminals and everybody else a while to do that also.

The reason why this is possible is a system called Public Key Encryption (PKE). The exact method involves a great deal of mathematics. Suffice it to say that it involves very large prime numbers. (A prime number is a number that is evenly divisible by only the number one and the number itself. 23 is a prime number, but 21 is not since 21=3x7.) What makes public key encryption work is that you generate two keys using an algorithm that involves large primes. You pick one of these keys as the public key and the other as the private key. You then publish the public key for all the world to see. The private key you keep top secret.

When anybody wants to send you a secret message, they encrypt the message using your public key. However, the encryption algorithm is such that the public key cannot be used to decrypt the message, only the private key can be used to do that. Actually, given a big enough computer, the messages could be decoded. However, the more bits there is in the encryption key, the more effort is involved. With present day computers, 56 bit keys are easy to break. It is reputed that the US government can do it in a fraction of a second. Adding a bit approximately doubles the required effort. Current practice is to use 128 bits which is reputed to take enough effort that it is not worth anybody's while to crack. In other words, it will cost the crook more to crack the message with your credit card number in it than he would be able to steal from you.

Actually, public key encryption has another useful feature: It is symmetric. What that means is that if you encrypt a message using your private key, that message can be decrypted only with your public key. Now this is obviously not the way to send a secret message because evreybody will be able to read it. However, this can be used to sign messages, that is to certify that you are really who you say you are.

Isn't my phone line secure?
The internet is a packet switching network. That means any message you send has an "envelope" put around it which contains the destination address as well as your address. If you use a dailup service or are lucky enough to be on a DSL or ISDN or even T1 circuit, your computer sends the message to your Internet Service Provider (ISP) computer. This computer looks at the envelope, reads the address, and sends it to another computer, which sends it to another computer, and eventually to the destination computer. Actually some of these computers are special computers called routers, which do nothing but forward messages, but that's just semantics.

The important point is that when you make a phone call, you esentially get a copper wire dedicated just to your call. (Actually even that is no longer true, but you can think of it that way.) However, when you send a message over the internet, your messages gets jumbled up with everybody else's messages and it passes through many computers along the way. Fortunately, computers are not as nosey as humans, so they just look at the address and pass it on appropriately.

However, the messages are really open for anyone to read. It is possible to use a "packet sniffer" to read all the messages as they go by. On a cable modem circuit, you can sniff all packages of all the computers on your circuit. Your computer is generally polite and throws away messages not intended for it, but a program like tcpdump will allow you to read all those packets. In principle, anybody along the whole series of computers along the way can sniff your messages.

I don't send secret messages!
You may not care if somebody reads the jokes you send to your friend, so you only want to encrypt the email you send to your lover. However, bear in mind that on the Internet, messages are sent between your computer and other computers for many other purposes than just email.

Computers are pretty gullible. When you are retrieving your mail from your ISP's computer, you tell the computer who you are by giving it your user name. Since your user name has to be widely know for people to send you mail and such, the computer asks you to certify who you really are by giving it a password. That password is sent from your computer to the other computer as a message. All somebody has to do to impersonate you to any such computer is to steal that message that contains your password and read it.

This is actually very easily done. There are billions of messages flying all over the internet all the time. However, the TCP/IP protocol that is used for much of the traffic has a serial number that starts at 0 for every series of messages between you and another computer. So people have written programs that analyze the start of all these messages and see if they can pick a password out of it. The destination address is also part of the message, so not only do they know your password, they also know the computer on which to use it. So a malicious person can figure out your password very easily.

Your password is used in a large number of applications. Your mail reader sends your password when you retrieve your mail. When using telnet or ftp to conncet to another computer, you are asked for your password to tell the other computer it is OK to let you log in. If your password is stolen, the thief can do everything on the target computer that you are allowed to do, because that computer will believe that the thief is you.

Solutions
Public Key Encryption offers some neat solutions. For example, instead of using telnet to log into a remote computer, you can use Secure SHell (ssh). With ssh, the computers initially exchange public keys. All traffic between the computers is encrypted. The sending computer uses the public key of the receiving computer to encrypt the messages, while the receiving computer uses its private key to decrypt it. So while anybody along the way may see the messages, the messages cannot be read because it is encrypted.

If you are on a Unix system, you can download and compile ssh from here. The installation follows the standard GNU procedure: configure, make, make install. If you are on a Windows or Macintosh system, you can buy ssh or get a free version. A list of available implementations are available here. A popular Windows implementation is TTSSH which requires TeraTerm Pro.

In addition to its default function as a replacement to telnet, ssh also has a port forwarding feature. For example, if you want to use ftp over a secure link, you invoke ftp within ssh. The idea is that on the local machine, ssh intercepts traffic from ftp, and on the remote machine, ssh connects to the server. In between, all traffic is encrypted and therefore secure.

A few other applications uses the same idea, but integrates it so the user does not have to do anything special. Netscape, for example, introduced something called the Secure Socket Layer (SSL). An SSL enabled web server such as Apache-SSL sends a public key to your web browser. The browser then encripts the reply which may enclose your credit card number with this key and sends the message to the server. The server uses its private key to decrypt the message.


|Home |Services |Systems |Download |Security |Help |Clients |Staff |Site Map |

Page updated 01-Dec-1999 by webmaster@netperls.com
Copyright © 1999, NetPERLs, Inc. - All Rights Reserved