Networks can be classified as wide area networks (WAN) or local area networks (LAN). Security is a requirement for both. Computers in a WAN may be thousands of miles apart; computers in a LAN are generally close together, as in the same building or facility. Data switching devices are used in local area networks and, less often, in WANs.
Internet security is necessary to prevent unauthorized changes to your Web site. Businesses that sell information products online, such as software companies that let paying customers download updates, need a way to distinguish paying customers from visitors who have not paid.
Security administrators face the risk that an attacker gets into the network. Attacks can come directly from hackers or employees, or from automated attacks such as network worms. Once inside, an attacker can obtain:
• Read access: reading or copying confidential information.
• Write access: writing to the network, which can infect the system with a virus or plant Trojan horses or backdoors. The attacker can also destroy confidential information by deleting it or overwriting it.
• Denial of service: denying authorized users the normal network services. An attack can consume CPU time or network bandwidth, or fill up memory.
Security risks from Internet server misconfiguration include FTP (File Transfer Protocol) settings. If access to your FTP server is allowed, configure it so that unauthorized changes to files are prevented.
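As an added example, not part of the original text, the following Python script audits an FTP server configuration for the settings that let visitors change files. It assumes the vsftpd configuration format (key=value lines), which the text does not name, and both sample configurations are constructed.

```python
"""Audit an FTP server configuration for settings that allow
unauthorized changes to files.

Added example, not part of the original text. It assumes the vsftpd
configuration format (key=value lines, '#' comments); the two sample
configurations below are constructed for the demonstration."""

# Constructed weak configuration: anonymous visitors may upload,
# create directories, and delete or rename existing files.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
"""

# Constructed hardened counterpart: anonymous users are read-only and
# local users are confined to their home directories.
HARDENED_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_enable=YES
chroot_local_user=YES
"""


def parse_conf(text):
    """Parse key=value lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().upper()
    return conf


def enabled(conf, key):
    # The boolean options checked here default to NO when absent.
    return conf.get(key, "NO") == "YES"


def audit_ftp_conf(text):
    """Return a list of findings; an empty list means no write exposure found."""
    conf = parse_conf(text)
    findings = []
    if enabled(conf, "anonymous_enable") and enabled(conf, "write_enable"):
        for key, what in (
            ("anon_upload_enable", "upload new files"),
            ("anon_mkdir_write_enable", "create directories"),
            ("anon_other_write_enable", "delete or rename files"),
        ):
            if enabled(conf, key):
                findings.append(f"anonymous users can {what} ({key}=YES)")
    if enabled(conf, "local_enable") and not enabled(conf, "chroot_local_user"):
        findings.append("local users can roam the whole filesystem (chroot_local_user not set)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ftp_conf(conf) or "OK")
```

Run it against the real configuration file before exposing the server; the three anonymous write options are the ones that turn a read-only download site into a writable one.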
The telecommunications link over which data is transferred between host computers and network systems must be secure. One important form of network security is encryption, which preserves the confidentiality of transmitted data. Encryption algorithms can be symmetric (private key) or asymmetric (public key).
The two popular methods are link encryption and end-to-end encryption. End-to-end encryption protects each message independently of the communication links it crosses; it secures the message from source to destination. Link encryption operates at the level of the communication line, protecting the bits as they move between adjacent nodes; each node decrypts and re-encrypts the data, so the plaintext is exposed inside the intermediate nodes. Information encrypted end to end enters the network at its starting point and is decrypted only at its destination, which keeps it confidential at the interior nodes.
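The following Python simulation, added here and not part of the original text, sends one message from host A through relay B to host C under each method and records what every node was able to see. The cipher is a toy keystream derived from SHA-256 and is an assumption made for the demonstration only; the hosts, keys and message are constructed.

```python
"""Link encryption versus end-to-end encryption across a three-node path.

Added example, not part of the original text. The cipher is a toy
keystream derived from SHA-256 and is an assumption made for the
demonstration, not a construction to use in practice; the point is what
each intermediate node is able to see."""
import hashlib


def keystream(key, length):
    """Expand a key into `length` bytes: SHA-256(key || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def send_link_encrypted(message, path, link_keys):
    """Hop-by-hop protection. Each link (a, b) has its own key; node b
    decrypts what arrives and re-encrypts for the next link, so every
    node on the path handles the plaintext. Returns what each node saw."""
    seen = {}
    current = message
    for a, b in zip(path, path[1:]):
        seen[a] = current                                # node a holds plaintext
        on_wire = xor_crypt(link_keys[(a, b)], current)  # protected on the line
        current = xor_crypt(link_keys[(a, b)], on_wire)  # node b decrypts
    seen[path[-1]] = current
    return seen


def send_end_to_end(message, path, session_key):
    """Source-to-destination protection. Only the two ends hold the
    session key; intermediate nodes relay ciphertext they cannot read."""
    seen = {path[0]: message}
    ciphertext = xor_crypt(session_key, message)
    for node in path[1:-1]:
        seen[node] = ciphertext
    seen[path[-1]] = xor_crypt(session_key, ciphertext)
    return seen


# Constructed scenario: host A sends through relay B to host C.
PATH = ["A", "B", "C"]
LINK_KEYS = {("A", "B"): b"key-for-link-AB", ("B", "C"): b"key-for-link-BC"}
SESSION_KEY = b"key-shared-by-A-and-C-only"
MESSAGE = b"transfer 1000 to account 42"


def relay_exposure():
    """For each method: (relay B saw the plaintext?, destination C recovered it?)."""
    link = send_link_encrypted(MESSAGE, PATH, LINK_KEYS)
    e2e = send_end_to_end(MESSAGE, PATH, SESSION_KEY)
    return {
        "link": (link["B"] == MESSAGE, link["C"] == MESSAGE),
        "end_to_end": (e2e["B"] == MESSAGE, e2e["C"] == MESSAGE),
    }


if __name__ == "__main__":
    print(relay_exposure())   # link: relay reads it; end_to_end: relay cannot
```

Both methods deliver the message intact to C; the difference is that under link encryption the relay, and anyone who controls it, reads the plaintext.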
You should have a list of authorized users, specified in general terms or individually:
• Who is authorized to use the facilities?
• Where may they connect from?
• For what purposes may they use the system?
Several tools help IT managers implement a security plan, including encryption tools, packet filtering and routing, and firewalls.
You must have a network security policy. Your company must also have an internal security policy, drawn up once you have decided how important it is to protect the integrity of the computer system and the security of your Web site.
The internal security plan should be distributed to everyone who uses the facility, with written instructions to workers on the correct use of passwords. Tell them what kinds of words must not be used as passwords, and set a policy on how often passwords must be changed.
Positive authentication must take place before a user can access a terminal, an online application, or the network, and we recommend date and time restrictions as well. Employees must be given access to information on a need-to-know basis. Unauthorized use should disable or lock the terminal. Diskless workstations can provide a safer environment.
Passwords
Most LAN or communication software packages include encryption and security features, and passwords are part of most packages. However, people generally do not choose good passwords or change them often enough. Hackers can easily breach security by guessing passwords. Password protection is significantly weakened when users choose poor passwords.
People tend to make the same mistakes: sharing passwords with others, or writing them down. If a password must be written down to be remembered, its purpose is defeated. These are good guidelines for choosing passwords:
• Do not choose a password that is a word or a name, in English or any other language. Hackers often use dictionaries to discover passwords.
• Avoid patterns such as 123456, 12468, ASDF or QWERTY (keyboard sequences).
• Do not use place names such as Las Vegas or Florida.
• If your system requires that the password contain letters and numbers, do not simply add a number to a word. Hackers know that most people choose a word and add a digit (e.g., CAT1 or 1CAT).
• Encourage a mix of uppercase and lowercase letters. Non-alphabetic characters also make passwords harder for hackers to guess.
• An excellent technique is to use the first letter of each word of a sentence to create the password. For example, "I was born in New York" would give the password IWBINY. Although it is not a word and is not easy to guess, it is easy to remember.
• Change passwords on a regular basis; encourage the information systems department to require new passwords periodically. The system should keep a history of old passwords and check that users do not reuse the same password or one they have used recently.
Give users the security guidelines, and give new users a security course that covers how to choose a proper password. Users must understand why a good password is required. The Web site of Symantec, a manufacturer of security software, offers advice on choosing a good password and lets users assess the strength of the passwords they choose:
http://www.symantec.com/avcenter/security/passwords/passwordanalysis/html
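The guidelines above can be enforced mechanically at password-change time. The Python check below is an added example, not part of the original text and unrelated to the Symantec tool it mentions; the word list and password history are small constructed samples, and the eight-character minimum is an assumption.

```python
"""Password checks that implement the guidelines above.

Added example, not part of the original text and unrelated to the
Symantec tool it mentions. The word list and the password history are
small constructed samples, and the eight-character minimum is an
assumption; a real deployment would load a full dictionary."""

DICTIONARY = {"password", "cat", "dog", "secret", "york", "florida",
              "vegas", "summer", "welcome", "login"}      # constructed
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "qaz", "1q2w")  # constructed


def from_sentence(sentence):
    """First letter of each word, keeping the words' own case:
    "I was born in New York" -> "IwbiNY"."""
    return "".join(w[0] for w in sentence.split() if w[0].isalpha())


def is_numeric_run(s):
    """Digit strings like 123456, 12468 or 654321 (monotone or repeated)."""
    if not s.isdigit() or len(s) < 4:
        return False
    diffs = [int(b) - int(a) for a, b in zip(s, s[1:])]
    return (all(d > 0 for d in diffs) or all(d < 0 for d in diffs)
            or all(d == 0 for d in diffs))


def check_password(password, history=(), dictionary=DICTIONARY, min_length=8):
    """Return the guideline violations found; an empty list means acceptable."""
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if low in dictionary:
        problems.append("dictionary word or name")
    core = low.strip("0123456789")
    if core != low and core in dictionary:          # CAT1, 1CAT
        problems.append("dictionary word with digits added")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("keyboard pattern")
    if is_numeric_run(password):
        problems.append("numeric sequence")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper and lower case")
    if all(c.isalpha() for c in password):
        problems.append("letters only; add digits or symbols")
    if password in history:
        problems.append("used recently")
    return problems


if __name__ == "__main__":
    for candidate in ("CAT1", "12468", from_sentence("I was born in New York"),
                      from_sentence("I was born in New York") + "!1987"):
        print(candidate, check_password(candidate) or "acceptable")
```

The sentence technique on its own yields a short, letters-only string; appending digits and a symbol to the acronym keeps it memorable while passing every check.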
Passwords provide good protection against casual and amateur hackers, but experienced hackers can generally bypass the password system, especially in UNIX environments. Ready-made software helps new hackers, even those with little knowledge, find or guess passwords.
The goal of most hackers is to get unlimited access to the computer system, usually by:
• Finding mistakes or errors in the system software
• Exploiting a faulty installation
• Looking for human error
Many hackers are authorized users with limited access who try to obtain unlimited access. These intruders have a valid user name and password and look for weaknesses in the system.
In most UNIX systems, passwords are stored in encrypted form in a file. Some systems use a shadow password file, readable only by privileged users, in which the actual password data is kept. Passwords are usually encrypted with a one-way function based on the Data Encryption Standard (DES) algorithm.
The encryption method used is essentially irreversible. While it is easy to encrypt a password, it is very difficult, almost impossible, to decrypt it; but hackers can find the password by brute force, especially passwords consisting of only six lowercase letters. Passwords for accounts that may attract hackers should obviously not be in lowercase only.
A serious design flaw can sometimes lead to a "universal" password that satisfies the program's login requirements without the attacker knowing the correct password. In one case, for example, a hacker could enter a very long password that overwrote the real password, allowing the intruder access.
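To show why a one-way function does not protect a weak password, here is an added Python example, not part of the original text, that runs a dictionary attack and an exhaustive search against a stolen password file. The hash is SHA-256 over salt+password, standing in for the DES-based crypt(3) function described above (an assumption for the demonstration); the accounts, salts and word list are constructed.

```python
"""Offline guessing against a stolen password file.

Added example, not part of the original text. The hash is SHA-256 over
salt+password, standing in for the DES-based crypt(3) function the text
describes (an assumption for the demonstration); the password file, the
word list and the accounts are constructed."""
import hashlib
import itertools
import string


def hash_password(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style entries: (user, salt, hash).
SHADOW = [
    ("alice", "k3", hash_password("k3", "florida")),
    ("bob", "q9", hash_password("q9", "Cat1")),
    ("carol", "z4", hash_password("z4", "IwbiNY!1987")),
]
WORDLIST = ["secret", "florida", "cat", "password", "york"]  # constructed


def mangle(word):
    """The variants hackers try first: the word as is, capitalized,
    upper-cased, and each of those with a single digit before or after."""
    forms = {word, word.capitalize(), word.upper()}
    for base in list(forms):
        for digit in string.digits:
            forms.add(base + digit)
            forms.add(digit + base)
    return forms


def dictionary_attack(shadow, wordlist):
    """Return {user: password} for every entry a mangled word matches."""
    found = {}
    for user, salt, digest in shadow:
        for word in wordlist:
            hit = next((g for g in mangle(word)
                        if hash_password(salt, g) == digest), None)
            if hit is not None:
                found[user] = hit
                break
    return found


def brute_force(salt, digest, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaust every string over `alphabet` up to `max_len`; the salt does
    not stop this, it only prevents sharing work across accounts."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guess = "".join(chars)
            if hash_password(salt, guess) == digest:
                return guess
    return None


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(dictionary_attack(SHADOW, WORDLIST))          # alice and bob fall
    print(brute_force("s", hash_password("s", "dog"), max_len=3))
    print(keyspace(26, 6), keyspace(26 + 26 + 10, 8))  # lowercase-6 vs mixed-8
```

The word-plus-digit account falls to a few thousand guesses; six lowercase letters give 26^6, about 3.1 × 10^8 candidates, which is within reach of exhaustive search, whereas eight mixed characters give roughly 2.2 × 10^14.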
Modem connections
Each time a user connects to the network via a modem, additional risks are introduced into the system. These can be minimized by securing the dial-in modems.
Simply keeping the phone number secret is not enough. Many hackers run programs that dial every number in an exchange, and a number can be discovered that way.
In the past, many companies used dial-back to reduce the risk of modems. Nowadays caller ID achieves the same goal. In essence, the network allows access only from pre-identified phone numbers. The obvious disadvantage is that the phone numbers of authorized users must be known in advance, which makes it difficult for users who travel.
Another way to minimize dial-in modem risk is to use hardware encryption devices at both ends of the connection, but these are usually expensive.
A good communication software program has a number of protocol options, enabling communication between different types of devices. Some programs check for errors in the data or software. Desirable features of communication programs include menus, help with storing a phone book, and automatic redial and connection.
Saboteur Tools
While recent years have seen ingenious methods developed to preserve security, many systems remain surprisingly insecure. Saboteurs have at hand a wide variety of techniques for defeating security, including:
Trojan horse: The saboteur places hidden code inside a regular program. The system appears to operate normally while the hidden program collects data, changes or destroys files, or causes other damage, including a complete shutdown of operations. Trojans can be programmed to destroy all traces of their existence after execution.
Salami technique: The perpetrator alters a computer program to cause very small changes that are unlikely to be discovered but whose cumulative effect can be significant. For example, the attacker could skim 10 cents from every person's wages and transfer it to his own account.
Back door or trap door: While developing a computer program, programmers sometimes add code that lets them bypass the standard security procedures. Once the program is completed, that code, accidentally or deliberately, may remain in it. Attackers use this extra code to bypass security restrictions.
Time bomb / logic bomb: Code inserted into a computer program that causes harm when a predetermined condition occurs.
Masquerade: A program is written to simulate a real program, perhaps displaying the login screen and its dialogue. When a user tries to log in, the program captures the user ID and password and displays an error message prompting the user to log in again. The second time, the real program lets the user log on, and the user may never know that the first login was a fake that captured the access code.
Scavenging: Generally, when you "delete" data, the data is not actually destroyed; instead, the space is made available for the computer to write over later. A scavenger may take the opportunity to steal sensitive data that the user thought had been deleted but that is actually still available.
Viruses: Viruses are like Trojan horses, except that the illicit code replicates itself. A virus can spread rapidly throughout a system, and its eradication can be expensive and inconvenient. To defend against viruses, be careful when using programs from floppy disks or software copied from bulletin boards or from outside the company. Use only disks from verified sources. The best precaution is to run commercial antivirus software on all downloaded files before using them.
Data diddling: The most common and easiest fraud to commit is adding or changing data before or during input. The best way to detect it is to use audit software to examine transactions and audit trails, which show additions, deletions and changes to data files. Batch totals, hash totals and check digits can also prevent this type of crime.
• A batch total is a reconciliation of the total of daily transactions processed by the computer against a manually determined total prepared by a person other than the computer operator. Any deviation must be investigated.
• A hash total is obtained by adding values that would not normally be added, such as employee or product numbers; the total has no meaning other than for control purposes.
• A check digit is used to verify that an identification number (e.g., an account number or employee number) has been entered correctly: a calculation is performed on the digits of the identification number and the result is compared with the check digit.
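The three controls are easy to implement and worth seeing against the salami technique described above. The following Python example is added here and is not part of the original text; the payroll records are constructed, and the record layout and the choice of a modulus-10 (Luhn) check digit are assumptions about how the controls would be implemented.

```python
"""Batch totals, hash totals and check digits over a constructed payroll batch.

Added example, not part of the original text. The record layout and the
choice of a modulus-10 (Luhn) check digit are assumptions about how such
controls would be implemented; the figures are constructed."""


def luhn_check_digit(body):
    """Modulus-10 check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def valid_id(number):
    """True if the last digit is the correct check digit for the rest."""
    return (len(number) > 1 and number[:-1].isdigit()
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def employee_id(body):
    return body + str(luhn_check_digit(body))


def control_totals(records):
    """records: list of (employee_id, amount_in_cents)."""
    return {
        "count": len(records),
        "batch_total": sum(amount for _, amount in records),
        "hash_total": sum(int(emp) for emp, _ in records),
    }


def verify_batch(expected, records):
    """Compare a batch against totals prepared independently and validate
    every identification number. Returns a list of findings."""
    findings = []
    actual = control_totals(records)
    for name in ("count", "batch_total", "hash_total"):
        if actual[name] != expected[name]:
            findings.append(f"{name} mismatch: expected {expected[name]}, got {actual[name]}")
    for emp, _ in records:
        if not valid_id(emp):
            findings.append(f"invalid check digit in employee number {emp}")
    return findings


def salami(records, attacker_id, cents=10):
    """Skim `cents` from every record and pay the sum to the attacker."""
    skimmed = [(emp, amount - cents) for emp, amount in records]
    return skimmed + [(attacker_id, cents * len(records))]


# Constructed payroll batch (amounts in cents) with valid check digits.
PAYROLL = [(employee_id("1001"), 250000), (employee_id("1002"), 310000),
           (employee_id("1003"), 275000)]
EXPECTED = control_totals(PAYROLL)     # stands in for the manually prepared totals


if __name__ == "__main__":
    print(verify_batch(EXPECTED, PAYROLL))                          # []
    print(verify_batch(EXPECTED, salami(PAYROLL, employee_id("9999"))))
    print(verify_batch(EXPECTED, [("10071", 250000)] + PAYROLL[1:]))  # transposed digits
```

Note what each control catches: the salami transfer leaves the batch total unchanged, because the skimmed cents stay inside the batch, and is exposed only by the record count and hash total; the transposed employee number is caught by the check digit.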
Piggybacking: Physical piggybacking into a controlled area occurs when an authorized employee goes through a door with a magnetic card and an unauthorized person follows behind, also entering the premises. Once inside, the unauthorized person can commit a crime. In electronic piggybacking, an authorized employee leaves a terminal or desktop computer logged in and an unauthorized individual uses it to gain access.
Designing Secure Networks *
Network architecture comprises hardware, software, data link control, standards, topologies and protocols. A protocol is a set of rules governing how computers communicate and transfer information. There must be security controls in each component of the architecture to ensure the exchange of reliable and accurate information; otherwise, system integrity may be compromised.
In designing the network, three factors must be taken into account:
1. The user must get the best response time and throughput. Minimizing response time means reducing the delay between transmission and reception of information; this is especially important for interactive sessions between user applications. Throughput, the amount of data transferred per unit of time, should be maximized.
2. Data must be transmitted over the network along the least-cost path as long as other factors, such as reliability, are not compromised. The least-cost path is usually the shortest path between devices, with the fewest intermediate components. Low-priority data can be transmitted over relatively inexpensive telephone lines; high-priority data can be transferred over costly broadband satellite channels.
3. Reliability should be maximized to ensure correct reception of all data. Network reliability includes not only the ability to deliver error-free data but also the ability to recover from errors or data loss. The network diagnostic system should be able to locate problems and even isolate a faulty component from the network.
* Shim et al., Information Systems Management Manual (NJ: Prentice-Hall, 1999).
Network Media
When selecting network media, you must consider:
• Technical reliability
• The type of business you are in
• The number of people who need to access data simultaneously
• The number of microcomputers
• Existing equipment
• Frequency of updating
• Compatibility
• Costs
• Geographical spread
• Operating system and network software support
• Application software
• Expandability (adding workstations)
• Whether a PC is required (or can a cheaper terminal be used?)
• Ease of access to shared material and information
• The need to connect a variety of devices, including other networks and mainframes
• Processing requirements
• Speed
• Storage
• Maintenance
• Noise
• Connectivity mechanisms
• The network's capacity to perform tasks without corrupting data
Network structures
The network configuration, or topology, is the physical form of the layout of the network's connected stations. A node is a workstation. A bridge is a connection between two similar networks. Network protocols are the software implementations that support data transfer across the network. The server is the microcomputer or device that performs tasks such as data storage within the LAN.
Network servers are of several types. A dedicated server is a central computer used only to manage network traffic. A computer used simultaneously as a local workstation is known as a non-dedicated server. In general, dedicated servers offer faster network performance, since they do not have to serve the demands of local users as well as network drives. In addition, these machines are less likely to crash because of local users' errors. Dedicated servers are expensive, and they cannot be disconnected from the network and used as stand-alone computers. Non-dedicated servers offer a better price/performance ratio for companies that occasionally need to use the server as a local workstation.
The most common types of network topology are:
• The hierarchical topology (also called vertical or tree structure) is attractive for several reasons. The software controlling the network is simple, and the topology provides a focal point for control and troubleshooting. However, it also presents potential bottlenecks and reliability problems. Network capabilities may be completely lost if there is a failure at a higher level.
• The horizontal (or bus) topology, popular in LANs, allows easier traffic flow between devices. This topology allows all units to receive every transmission; in other words, a single station broadcasts to multiple stations. The biggest disadvantage is that, since all computers share a single channel, a channel failure results in loss of the network. One way to avoid this problem is redundant channels. Another drawback of this topology is that the lack of concentration points makes it difficult to isolate faults. A bus network generally requires a minimum distance between taps to reduce noise. To identify a problem, each element of the system must be checked. A bus topology is suggested for shared databases but is not well suited to simple message switching. It uses the least cable to cover a geographic area while still providing full connectivity.
• The star topology is widely used for data communication systems. The software is not complicated, and traffic control is simple. All traffic flows through the center, or hub, of the star. Although similar to a hierarchical network, a star topology has more limited distributed processing capabilities. The hub routes data traffic to the other components, and isolating faults in this configuration is relatively simple. However, a bottleneck at the hub can cause serious reliability problems. One way to increase reliability is to establish a redundant backup hub node.
A star network is best when there is a need to capture and process data at multiple locations with end-of-day distribution to various remote users. It is easy to identify errors in the system, since every communication must go through the central controller. Maintenance is easy, but if the central computer fails the network fails. It has a high initial cost, because each node is connected to the host computer, in addition to the price of the host. Expansion is simple: you only need to run a wire from the new terminal to the host computer.
• The ring topology sends the data flow in a circular direction. Each station receives the data and then sends it on to the next. A major advantage is that bottlenecks, such as those of hierarchical or star networks, are relatively rare. The structure is orderly. The main disadvantage is that the entire network can be lost if the channel between two nodes fails. Establishing a backup channel usually alleviates this problem. Other remedies are automatic switches that route traffic around a failed node, or redundant cables.
A ring network is more reliable and less expensive when there is a minimum of communication among terminals. This type of network is best when you have multiple users in different locations who need continuous access to up-to-date data, because data transmission can occur in many places simultaneously. The ring network lets users create and update shared databases. With a ring, however, the probability of error is greater than with a star, because of the many intervening parties that handle the data. In light of this, information should travel the entire ring before being removed from the network.
• The mesh topology is very reliable, although complex. Its structure is relatively immune to bottlenecks and other failures. The variety of paths makes it relatively easy to route traffic around faulty components or busy nodes.
LAN and WAN
WAN and LAN topologies often take different forms. WAN structure tends to be more irregular. Because an organization usually leases lines at considerable cost, it tries to keep them fully utilized. To do this, data for a geographic area is often routed through one channel, which gives the WAN an irregular shape.
LAN topology tends to be more structured. Since LAN channels are relatively low in cost, their owners are usually not concerned with maximum use of the channels. In addition, because LANs usually live in one building, the situation is inherently structured. LANs are flexible, fast and compatible. They maximize equipment utilization, reduce processing costs, reduce errors and facilitate the flow of information.
A LAN uses ordinary telephone lines, coaxial cable, fiber optics, or other devices as interfaces. Fiber optics give good performance and reliability but are expensive. LAN performance depends on the physical design, the protocols supported, and the transmission bandwidth. Bandwidth is the frequency range of a channel; it reflects the transmission speed over the network. As more devices become part of a LAN, the transmission rate decreases.
Two or more LANs can be connected. Each is a group of stations (a subnet), and the LANs communicate with each other. Benefits of internetworking are:
• The total cost of the network is lower.
• Different subnetworks can meet specific needs, increasing flexibility.
• More reliable, more costly subnetworks can be used for critical activities.
• If one LAN fails, the others still work.
The disadvantages are as follows:
• Complexity is increased.
• Some network functions may not be able to cross subnetwork boundaries.
Communications security
Communication systems used to link data between two or more sites must be reliable, private and secure. Communication systems are easily affected by environmental factors, equipment malfunctions and software problems. Attacks on computers that do not require physical access fall under communications security.
The increasing use of information technology has increased dependence on telecommunications. All types of data, voice and video are transferred over traditional networks. Communications security means that the physical connections to networks keep running at all times. It also means that failures, delays and disruptions during data transfer are prevented, and that unauthorized interception, modification, or other interference with communications is stopped.
Six aspects of communications security are:
1. Line security: restricting unauthorized access to the communication lines connecting the various parts of computer systems.
2. Transmission security: preventing unauthorized interception of communications.
3. Digital signatures: authenticating the sender, or the integrity of the message, to the recipient. A secure digital signature process consists of (1) a method of signing a document that makes forgery infeasible, and (2) a method of validating that the signature is what it claims to be.
4. Encryption security: rendering data unintelligible if the transmission is intercepted by unauthorized persons. Coding (encryption) of sensitive data is required; when the information is to be used, it can be decoded. A common method is DES encryption. For more security, double encryption can be used: the data is encrypted twice with two different keys. (Note that encrypting twice with DES adds far less strength than the doubled key length suggests, because of the meet-in-the-middle attack; triple DES is the usual choice.) You can also encrypt files on a hard drive to prevent an intruder from reading the data.
5. Emission security: preventing electromagnetic radiation from electronic devices. These emissions may be intercepted by unauthorized persons with wireless receivers.
6. Technical security: preventing the use of equipment such as microphones, transmitters, or wiretaps to intercept data transmissions. Security modems allow only authorized users access to confidential information. The modem can provide a degree of security: different users can be assigned different security codes, there can be a password with memory, and an audit trail can be built in, allowing you to control who has access to private files.
A value-added network (VAN) provides communications services and sometimes specialized data processing. Usually a company has no direct control over the security of a VAN; however, VAN security has a direct effect on the client's overall security.
Communications security can take the form of:
• Access control, to protect against misuse of the network. For example, Kerberos authentication software can be added to a security system to verify a user's identity and to encrypt the passwords sent over the network. Other password and user-authentication control devices include SecurID from Security Dynamics (800-SECURID) and Access Key II from Vasco Data Security (800-238-2726).
Do not accept collect calls unless they come from a known network user; hackers are reluctant to spend their own money. Review communications billing data and check all connections from one host to another. Check all dial-in terminal users. Are phone numbers kept confidential and changed periodically? Audit specialists should attempt to gain unauthorized access to the network to check that security is working properly.
• Identification, which establishes the origin of a message on the network, such as digital signatures or notarization.
• Data confidentiality, which prevents unauthorized disclosure of information within the communication process.
• Data integrity, which protects against unauthorized changes (e.g., addition, deletion) to data between the points of origin and destination, such as by cryptographic methods. Anti-virus software should be installed on network servers and workstations to alert users when a virus tries to enter the system.
• Authentication, which substantiates the claimed identity of an entity or user within the network, checking that the entity is in fact the one asserted and that the data transferred is appropriate. Examples of security checks are passwords, time stamping, synchronized checks, non-repudiation, and multi-way handshakes. Biometric identification methods measure bodily characteristics. Keystroke dynamics are another possibility for identification.
• Digital signatures, using a private key to sign messages.
• Routing control, which inhibits the flow of data to network elements identified as hazardous, such as relays, links or subnets.
• Traffic padding, which thwarts traffic analysis, and reasonableness checks on data.
• Minimizing interference, by eliminating or reducing radar/radio transmission interference.
In a small network, a workstation can be used for backing up and restoring other nodes. In a large network, you can back up multiple servers, because a failure could have devastating effects on the entire system. Access to backup files should be carefully controlled.
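Routing control above and the least-cost-path design factor in the earlier "Designing Secure Networks" section are two constraints on the same decision: pick the cheapest path that still meets the reliability required by the data's priority and avoids elements flagged as hazardous. The Python example below is added here and is not part of the original text; the network, link costs, link reliabilities and hazardous designations are constructed, and end-to-end reliability is taken as the product of link reliabilities (an assumption of independent failures).

```python
"""Least-cost routing subject to a reliability floor and to routing control.

Added example, not part of the original text. The network, link costs,
link reliabilities and the 'hazardous' designations are constructed.
End-to-end reliability is taken as the product of the link reliabilities
(an assumption of independent failures)."""

# Constructed network: (node_a, node_b): (cost, reliability).
# A-B-D is the cheap telephone-line route, A-C-D a better one,
# A-D a costly but very reliable satellite channel.
LINKS = {
    ("A", "B"): (1, 0.90), ("B", "D"): (1, 0.90),
    ("A", "C"): (3, 0.99), ("C", "D"): (3, 0.99),
    ("A", "D"): (10, 0.999),
}


def neighbors(node, links, banned_nodes, banned_links):
    """Yield (next_node, cost, reliability) over links that routing
    control has not flagged and that do not lead to a banned node."""
    for (a, b), (cost, rel) in links.items():
        if frozenset((a, b)) in banned_links:
            continue
        for here, there in ((a, b), (b, a)):
            if here == node and there not in banned_nodes:
                yield there, cost, rel


def best_path(src, dst, links, min_reliability, banned_nodes=(), banned_links=()):
    """Return (path, cost, reliability) of the cheapest simple path whose
    end-to-end reliability meets the floor and which avoids flagged
    elements; None if no such path exists. Depth-first search with
    pruning, adequate for a network of a few dozen nodes."""
    banned_links = {frozenset(link) for link in banned_links}
    best = None

    def walk(node, path, cost, rel):
        nonlocal best
        if rel < min_reliability or (best and cost >= best[1]):
            return                                      # prune
        if node == dst:
            best = (path, cost, rel)
            return
        for nxt, c, r in neighbors(node, links, banned_nodes, banned_links):
            if nxt not in path:                         # simple paths only
                walk(nxt, path + [nxt], cost + c, rel * r)

    walk(src, [src], 0, 1.0)
    return best


if __name__ == "__main__":
    print(best_path("A", "D", LINKS, 0.80))                       # low priority
    print(best_path("A", "D", LINKS, 0.95))                       # high priority
    print(best_path("A", "D", LINKS, 0.95, banned_nodes={"C"}))   # C is hazardous
```

Low-priority traffic takes the cheap two-hop telephone route; raising the reliability floor moves it to the better links, and flagging relay C as hazardous leaves only the expensive satellite channel.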
Token-Ring and Ethernet Networks
Traditional Token Ring and Ethernet networks operate on the broadcast principle, transmitting information in units called frames. Each frame contains several items, including the sender's address and the recipient's address. The sender transmits a frame that every receiver can see. At any one time a single computer on the network transmits and all the others listen; a second computer can send once the first has finished. Even though all the machines on the network can see the frame that was broadcast, under ideal conditions only the computer whose address matches the recipient address in the frame should use its contents.
Sniffers
Sniffers are programs designed to capture selected information. Network managers use sniffers to analyze network traffic and gather network statistics. Intruders, however, can use them to steal sensitive information such as passwords.
Some actions can minimize the risk of sniffing. The most obvious is to limit access: if a hacker cannot get onto the network, sniffers cannot be used. But because it is often not possible to restrict access tightly, alternatives must be considered.
Switched versions of Token Ring and Ethernet networks can minimize sniffing. In a switched LAN each user has its own switch port, and a virtual connection is established to the destination port for each frame sent. Since a frame is not delivered to ports whose address does not match, the risk associated with sniffing is significantly reduced. Switched networks are generally more expensive and are still fairly rare.
Probably the best way to minimize the risk of sniffing is data encryption. It is important that the key is never sent over the network. Additional details, such as time stamps, can be included to strengthen the encryption scheme.
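The difference between the shared medium and a switch is easy to see in a small model. The Python simulation below is added here and is not part of the original text; the stations, addresses and login frames are constructed. It also shows the caveat that a learning switch must flood a frame whose destination port it has not yet learned, so a sniffer still sees the first frames to a new destination.

```python
"""Shared-medium (hub) delivery versus switched delivery, and what a
sniffer on another port captures in each case.

Added example, not part of the original text. The stations, addresses
and the 'login' frames are constructed."""


class Hub:
    """Broadcast principle: every frame reaches every port but the sender's."""

    def __init__(self, ports):
        self.ports = set(ports)

    def deliver(self, in_port, frame):
        return self.ports - {in_port}


class Switch:
    """Learns which port each source address lives on and forwards a frame
    only to the destination's port. A destination it has not learned yet is
    flooded to all other ports, so early frames remain visible to a sniffer."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}             # station address -> port

    def deliver(self, in_port, frame):
        src, dst, _ = frame
        self.table[src] = in_port   # learn where the sender is
        if dst in self.table:
            return {self.table[dst]}
        return self.ports - {in_port}


# Constructed LAN: three stations, the intruder's sniffer sits on port 3.
STATIONS = {1: "aa:aa", 2: "bb:bb", 3: "cc:cc"}
TRAFFIC = [                                    # (ingress port, (src, dst, payload))
    (2, ("bb:bb", "aa:aa", b"server ready")),  # server announces itself
    (1, ("aa:aa", "bb:bb", b"USER alice")),
    (1, ("aa:aa", "bb:bb", b"PASS hunter2")),
]


def run(device, traffic, sniffer_port):
    """Play the frames through the device; return the payloads the sniffer
    port received although they were not addressed to its station."""
    captured = []
    for in_port, frame in traffic:
        for port in device.deliver(in_port, frame):
            if port == sniffer_port and frame[1] != STATIONS[port]:
                captured.append(frame[2])
    return captured


if __name__ == "__main__":
    print("hub:   ", run(Hub([1, 2, 3]), TRAFFIC, 3))     # every frame, password included
    print("switch:", run(Switch([1, 2, 3]), TRAFFIC, 3))  # only the flooded first frame
```

On the hub the sniffer captures the password; on the switch it captures only the first, flooded frame. A switch narrows the exposure but does not remove it, which is why encryption remains the stronger protection.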
Data Switching
Data switches route data through network equipment to its destination. For example, such equipment can route data around busy devices or channels.
Routers at each site are used to communicate with routers at other sites. Routers hold information on the users and resources available in the LAN and are responsible for directing the flow of information. You can configure a router to permit or deny certain types of traffic, such as FTP or Telnet, into or out of the network. It is also possible to configure routers to accept data only from certain network addresses.
Routing and packet filtering require considerable technical expertise and time. Most routers do not provide a security audit trail, although you should know:
• Who tried to break into the computer system
• How many times they tried
• What methods they used to try to break in
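The following Python example, added here and not part of the original text, evaluates a small router-style rule set (first match wins, default deny) over a packet log and keeps the audit trail the text says most routers lack: who was denied, how often, and which services they went after. The rules, addresses and packet log are constructed.

```python
"""Router-style packet filtering with the audit trail the text says most
routers lack: who tried, how often, and which services they went for.

Added example, not part of the original text. The rules, addresses and
packet log are constructed; rules are matched first-match, default deny."""
import ipaddress
from collections import Counter, defaultdict

SERVICES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http"}

# Constructed rule set: (action, source network, destination port or None for any).
RULES = [
    ("permit", "10.0.0.0/8", None),      # internal hosts may use anything
    ("permit", "0.0.0.0/0", 25),         # outside world may deliver mail
    ("permit", "0.0.0.0/0", 80),         # and fetch web pages
    ("deny",   "0.0.0.0/0", None),       # everything else
]


def compile_rules(rules):
    return [(action, ipaddress.ip_network(net), port) for action, net, port in rules]


def decide(rules, src, dport):
    """First matching rule wins; no match means deny."""
    addr = ipaddress.ip_address(src)
    for action, net, port in rules:
        if addr in net and (port is None or port == dport):
            return action
    return "deny"


def filter_and_audit(rules, packets):
    """packets: iterable of (src, dport). Returns (permitted_count, audit)
    where audit maps each denied source to its attempt count and services."""
    compiled = compile_rules(rules)
    permitted = 0
    attempts = Counter()
    services = defaultdict(set)
    for src, dport in packets:
        if decide(compiled, src, dport) == "permit":
            permitted += 1
        else:
            attempts[src] += 1
            services[src].add(SERVICES.get(dport, str(dport)))
    audit = {src: {"attempts": n, "services": sorted(services[src])}
             for src, n in attempts.items()}
    return permitted, audit


# Constructed packet log: (source address, destination port).
PACKETS = [
    ("10.1.2.3", 23), ("10.1.2.3", 21),            # insider, allowed
    ("203.0.113.7", 80), ("203.0.113.7", 25),      # outsider, allowed services
    ("198.51.100.9", 23), ("198.51.100.9", 23),    # outsider probing telnet
    ("198.51.100.9", 21), ("198.51.100.9", 2049),  # ... then ftp and nfs
]


if __name__ == "__main__":
    count, audit = filter_and_audit(RULES, PACKETS)
    print(count, "permitted")
    for src, info in audit.items():
        print(src, "tried", info["attempts"], "times:", ", ".join(info["services"]))
```

The audit answers the three questions above directly: one outside address made four attempts against telnet, ftp and port 2049, which is the pattern of someone probing for a way in rather than ordinary use.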
Data Transmission
Data is transferred between computers on a network in one of three ways:
• Simplex transmission is in one direction only. An example is radio or TV broadcasting. Simplex transmission is rare in networks.
• Half-duplex transmission, found in many systems, can flow in both directions but not at the same time. In other words, once a request is transmitted to a device, you must wait for the response to come back.
• Full-duplex transmission can carry information in both directions at the same time, without the stop-and-wait aspect of half-duplex systems. Because of its large capacity and fast response time, full-duplex communication is common.
Layers of Security
Security must be provided at different layers. Networking facilities as well as communication items must be secured. Make sure you have control over host computers and subnets.
Network traffic may cross several subnets, each with its own security level according to confidentiality and importance. Each may require different security services and controls. Note that the security attributes of each subnet must be made known to the gateways so that security factors are integrated into routing decisions.
Network Backup
A backup facility is particularly important in networks, so that if one computer fails another can take over the load. This can be critical in certain areas, such as finance.
Secure Sockets Layer
When Secure Sockets Layer (SSL) is enabled (see
http://developer1.netscape.com/docs/manuals/security/sslin/contents.htm), a Web browser,
showing a lock or a similar symbol to indicate that data transfer is secure. Another way to know if a
Web site is secure is to look at: par''https Start: / / "instead of" http:// ".
Most Web-based monetary transactions are secured by SSL. Many heavy web / Client Products
support SSL connections. In order to do business on the Internet, you must have access to such a server and
as a digital certificate.
When using SSL encryption will significantly improve the security and confidentiality, does not slow down
InterChange Communications: All information is encrypted and then discharged.
The SSL protocol was developed by Netscape. It acts as a security protocol layered on top
transport protocol underlying connection such as HTTP, Telnet, NNTP, FTP, and TCP / IP. SSL
integrated into the Netscape client and server products.
When building a website, you can enable SSL by configuring a security-enabled secure http (https) process
on the server. Web pages that require SSL access can be specified. Common Gateway Interface
(CGI), the routines can be written on the server side SSL for integration with existing applications.
SSL provides data encryption, integrity checks of data, and provides the server and, if necessary,
client authentication for a TCP / IP. SSL is open and the property. Encryption,
encryption and authentication, are open to applications with SSL.
SSL is widely used to encrypt and authenticate communications between clients and servers
On the Web. Standard Transport Layer Security (TLS) is an Internet Engineering Task Force (IETF) has
based on SSL.
You can confirm and authenticate the identity of the SSL server when sending sensitive information, such as
as the number of credit card to the server. The digital certificate is used to prove the authenticity of the key functions
SSL. Anyone with the right software can become a certification authority (CA), but usually
Only some of the trusted certificate that the browser is programmed to accept, VeriSign, Inc. is one of
better known.
Public key cryptography techniques can be used to verify that a server's certificate and public ID are
valid. Similarly, a server can verify that a client's certificate and public ID are valid. Without
public key cryptography, encrypted communication between two or more users could take place only
with shared keys, and each user would have to maintain a separate key for every other user it
communicates with.
Public key encryption (see Chapter 4) allows parties to communicate securely without sharing
secret keys. Each party sets up a pair of keys: a private key and a public key. The public key is
available to all nodes in the network and is used to encrypt messages for the node. The private key,
used to decrypt those messages, never leaves the node.
TCP / IP (Transmission Control Protocol / Internet Protocol) provides the rules for transporting and
routing data over the Internet. Protocols such as Hypertext Transport Protocol (HTTP) use TCP / IP to
perform tasks such as displaying Web pages. SSL sits between TCP / IP and higher-level protocols
such as HTTP; it allows clients and servers to authenticate themselves and makes a secure
connection possible.
The "strength" of an SSL connection depends on the key length in bits: 40-bit SSL connections are
considered weak, while a 128-bit SSL connection is extremely strong. 128 bits is about 340 septillion
(340,000,000,000,000,000,000,000,000) times larger than 40 bits.
Currently it is illegal for U.S. companies to export encryption stronger than 56 bits.
Security software companies are trying to overcome this limitation by developing encryption
technology outside the United States.
The SSL protocol includes two subprotocols. The SSL Record Protocol defines the format used for
data transfer. The SSL Handshake Protocol defines how record-protocol messages are exchanged
between client and server when the SSL connection is first established. It is used to authenticate
the server to the client and, optionally, the client to the server. It also allows the client and
server to select the encryption algorithms, or ciphers, that both of them support.
SSL uses both public key and symmetric key encryption. Although symmetric key encryption is
generally much faster, public-key encryption provides better authentication. The common ciphers
are:
• Data Encryption Standard (DES). Triple DES applies DES three times and supports 168-bit
encryption. Its key size makes it one of the strongest ciphers supported by SSL.
• Digital Signature Algorithm (DSA), for authentication by digital signature.
• Key Exchange Algorithm (KEA), for key exchange.
• Message Digest (MD5), used to create digital signatures. It is commonly used as a hash.
• RSA, a proprietary algorithm for authentication and encryption. RSA key exchange is common
in SSL connections, and the cipher is the most popular for commercial applications.
• Secure Hash Algorithm (SHA-1), for secure data transmission.
• Skipjack, a classified symmetric-key algorithm used in Fortezza-compliant hardware. The
Fortezza encryption system is used by U.S. government agencies for sensitive but unclassified
data. Fortezza ciphers use KEA instead of RSA. Fortezza cards and ciphers are used for client
authentication.
Performance suffers when public key cryptography is used, so it is generally limited to digital
signatures and small amounts of data. Symmetric key encryption, such as DES, is generally used for
bulk data.
The security administrator must decide which ciphers to enable, depending on the
nature of the data, the need for privacy and security, and the speed of the encryption algorithm. The
national origin of the parties is another consideration: some ciphers may be used only in the United
States and Canada. So if your organization turns off the weaker ciphers, you automatically restrict
access to customers in the United States and Canada.
SSL Handshake
The following sequence of events is typical of an SSL connection:
• The client sends the server its SSL version number, cipher settings, and other
communications-related data.
• The server sends the client its SSL version number, cipher settings, and other
communications-related data.
• The server sends its certificate and, if necessary, requests the client's certificate.
• The client authenticates the server. If the server cannot be authenticated, the user is notified
that an encrypted and authenticated connection cannot be established.
• The client creates a "pre-master" secret for the SSL connection and encrypts it with the server's
public key. The encrypted pre-master secret is then sent to the server. The client may also be asked
to sign and send data, along with its certificate, to authenticate itself.
• The session is terminated if the server cannot authenticate the client.
• The server uses its private key to decrypt the pre-master secret and generates the "master"
secret from the pre-master secret.
• Using the master secret, both client and server generate the session keys. These symmetric
keys are used to encrypt and decrypt data and to verify that the data was not tampered
with between the time it was sent and the time it was received.
• The SSL session begins once the handshake is complete. The client and server use the session
keys to encrypt and decrypt data and to verify data integrity.
Authentication
Authentication of both clients and servers requires encrypting data with one key of a public-private
key pair and decrypting it with the other. For server authentication, the client encrypts the pre-master
secret with the server's public key. Only the corresponding private key can decrypt the pre-master
secret, which gives the client reasonable assurance about the identity of the server.
To authenticate the client, the client signs some random data using its private key. In other
words, it creates a digital signature that can be validated with the public key in the client's
certificate only if the corresponding private key was used. If the server cannot validate the
digital signature, the session ends.
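The three passages above (one key pair per party instead of shared secrets, the handshake sequence, and authentication by encrypting with one half of a pair and decrypting or signing with the other) can be seen end to end in the following added example. It is illustration code written for this page, not code from SSL, TLS or any library: "schoolbook" RSA on Python integers stands in for the parties' key pairs (no padding, so it is not a usable cipher), the cipher names and the HMAC-based master-secret and key-expansion steps are assumptions chosen for the demonstration, and the pre-master secret is the 48-byte random value the text describes.

```python
"""Added example: a model of the SSL handshake steps and the two
authentication checks described in the text. Schoolbook RSA, the cipher
names and the HMAC key derivation are illustrative assumptions only."""
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test, sufficient for demonstration-size keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Each party sets up (public_key, private_key); the private half never leaves it."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)


def rsa_apply(key, m):
    """m^exp mod n: encrypts with the public key, decrypts or signs with the private key."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def sign(private_key, data):
    return rsa_apply(private_key, int.from_bytes(hashlib.sha256(data).digest(), "big"))


def verify(public_key, data, signature):
    """True only if the signature was made with the private key matching public_key."""
    if not 0 <= signature < public_key[1]:
        return False
    return rsa_apply(public_key, signature) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def negotiate_cipher(client_offer, server_preference):
    """Server picks the first cipher in its own order that the client also offered."""
    for cipher in server_preference:
        if cipher in client_offer:
            return cipher
    raise ValueError("no cipher supported by both sides; handshake fails")


def derive_session_keys(pre_master, client_random, server_random):
    """Master secret from the pre-master secret plus both randoms, then a write key
    and a MAC key per direction. HMAC stands in for SSL's own MD5/SHA mixing."""
    master = hmac.new(pre_master, b"master" + client_random + server_random, hashlib.sha256).digest()
    block = hmac.new(master, b"expand" + server_random + client_random, hashlib.sha512).digest()
    return {"client_write": block[:16], "server_write": block[16:32],
            "client_mac": block[32:48], "server_mac": block[48:64]}


def run_handshake(server_keys, client_keys=None, client_offer=("RC4-40", "3DES-168")):
    """Returns (negotiated cipher, whether both sides derived identical session keys)."""
    server_pub, server_priv = server_keys
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    cipher = negotiate_cipher(client_offer, ("3DES-168", "RC4-128", "RC4-40"))
    # Client side: a 48-byte pre-master secret, readable only with the server's private key.
    pre_master = secrets.token_bytes(48)
    encrypted_pms = rsa_apply(server_pub, int.from_bytes(pre_master, "big"))
    # Optional client authentication: sign handshake data with the client's private key.
    if client_keys:
        client_pub, client_priv = client_keys
        signature = sign(client_priv, client_random + server_random)
        if not verify(client_pub, client_random + server_random, signature):
            raise PermissionError("client signature invalid; session ends")
    # Server side: recover the pre-master secret and derive the same session keys.
    recovered = rsa_apply(server_priv, encrypted_pms).to_bytes(48, "big")
    return cipher, (derive_session_keys(pre_master, client_random, server_random)
                    == derive_session_keys(recovered, client_random, server_random))
```

Running `run_handshake(generate_keypair(), generate_keypair())` negotiates "3DES-168" (the server's first preference that the client also offered) and reports that both sides hold the same session keys; a signature made with any other private key fails `verify`, which is the check that ends the session in the last step of the Authentication section.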
SSLRef
SSLRef is a software developer toolkit that helps add the security features of SSL to TCP / IP
applications. ANSI C source code is provided for building it into TCP / IP applications. SSLRef can
be downloaded free for noncommercial use only. Although there are no licensing restrictions on
SSLRef, export restrictions apply.
Kerberos
The Kerberos protocol is used in a client / server environment to authenticate the client to the server
and the server to the client. After identity is confirmed, Kerberos authentication can also be used to encrypt data.
Kerberos never sends over the network any data that could allow an attacker to impersonate the user.
Kerberos is available as source code from the Massachusetts Institute of Technology
and is also sold by several vendors as commercial software products.
When a client accesses a network server, the client claims to be running on behalf of
an authorized user. Without authentication, there is virtually no security. With Kerberos
authentication, the client verifies its identity to the server.
In a traditional setting, the user's identity is verified by checking a password during the
login process. Without Kerberos authentication, the user would have to enter a password to access
each network service. At best this is inconvenient, and it still does not provide security when
accessing services on a remote machine: without encryption, it would be easy for anyone to intercept
the password in transit.
Kerberos eliminates the need to send passwords. Instead, keys are used to encrypt and decrypt short
messages and provide the basis for authentication. To prove its identity, the client presents a ticket
issued by the Kerberos server. The ticket is tied to secret information, such as a password, that only
the authorized user knows.
Kerberos is not effective against password-guessing attacks. An attacker who captures a pair of encrypted
messages can try candidate passwords at random to see whether they decrypt the messages.
Kerberos assumes that the workstations or machines are reasonably secure and that only the network
connections are vulnerable. It requires a trusted path for the password. For example, if the password is
entered into a program containing a Trojan horse (i.e., a program modified to capture
certain information), Kerberos gives no protection. Furthermore, if the transmissions between the
user and the authentication program can be intercepted, Kerberos will not work.
Both the user and the network service must have keys registered with the Kerberos authentication
server. The user's key is derived from a password selected by the user. The network service's key is
selected randomly.
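The exchange the Kerberos passages describe, as an added example written for this page (it is not MIT Kerberos code and simplifies the real protocol): the authentication server holds a password-derived key for the user and a random key for the service, issues a ticket that the client can use without ever sending its password, and the service accepts only a ticket it can decrypt with its own key, carrying a fresh authenticator from the matching client. The symmetric encryption is an HMAC-SHA256 keystream with an HMAC tag, a stand-in for Kerberos' real ciphers; the principal names, the PBKDF2 string-to-key step and the lifetime and clock-skew limits are constructed values for the demonstration.

```python
"""Added example: a simplified Kerberos ticket exchange. The cipher,
key derivation, principal names and time limits are illustrative
assumptions, not those of MIT Kerberos."""
import hashlib
import hmac
import json
import secrets
import time


def _keystream(key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 (stand-in cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Encrypt-then-MAC of a JSON-serialisable dict; returns nonce | ciphertext | tag."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the message was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def string_to_key(password, principal):
    """The user's key is derived from the password (stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class AuthServer:
    """Kerberos authentication server holding one key per registered principal."""

    def __init__(self):
        self.keys = {}

    def register_user(self, principal, password):
        self.keys[principal] = string_to_key(password, principal)

    def register_service(self, principal):
        self.keys[principal] = secrets.token_bytes(32)   # chosen randomly, as in the text
        return self.keys[principal]

    def issue_ticket(self, client, service, lifetime=300):
        """Return (ticket for the service, credentials for the client). The password
        itself is never transmitted; only the user's key can open the second part."""
        session_key = secrets.token_bytes(32).hex()
        expiry = time.time() + lifetime
        ticket = encrypt(self.keys[service], {"client": client, "session_key": session_key, "expiry": expiry})
        for_client = encrypt(self.keys[client], {"service": service, "session_key": session_key, "expiry": expiry})
        return ticket, for_client


def client_authenticate(client, password, reply):
    """Client opens its credentials with the password-derived key and builds an authenticator."""
    ticket, for_client = reply
    creds = decrypt(string_to_key(password, client), for_client)   # ValueError on a wrong password
    session_key = bytes.fromhex(creds["session_key"])
    authenticator = encrypt(session_key, {"client": client, "timestamp": time.time()})
    return ticket, authenticator


def service_verify(service_key, ticket, authenticator, now=None, max_skew=300):
    """Service accepts the client only if the ticket opens with its own key, is unexpired,
    and the authenticator (under the ticket's session key) names the same client recently."""
    now = time.time() if now is None else now
    ticket_body = decrypt(service_key, ticket)
    if ticket_body["expiry"] < now:
        return False
    auth = decrypt(bytes.fromhex(ticket_body["session_key"]), authenticator)
    return auth["client"] == ticket_body["client"] and abs(auth["timestamp"] - now) <= max_skew
```

With a registered user and service, `issue_ticket` followed by `client_authenticate` and `service_verify` succeeds; a wrong password makes `client_authenticate` raise before anything reaches the service, and an expired or altered ticket is rejected. The `for_client` blob is also the message the text's password-guessing caveat refers to: whoever captures it can test candidate passwords against its integrity tag offline, which is why the page later recommends one-time passwords alongside Kerberos.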
Many types of software used by the international community rely on Kerberos. Because the United States
restricts the export of cryptography, a version of Kerberos called Bones is available to international
users. Bones has all of the encryption routines stripped out; it is used to "trick" other programs
into believing that Kerberos is installed.
To use Kerberos, a Kerberos principal must be established. A principal is like a normal account on
a machine, with information such as a username and password associated with it. This
information is stored encrypted in the Kerberos database. To be effective, Kerberos must be
integrated into the computer system. It protects only the information of software that is configured to use it.
The server must, if possible, be physically secure. Ideally, the machine should be dedicated to
running the authentication server, with access to the machine strictly limited.
An initial password for each user must be registered with the authentication server. The registration
procedure depends on the number of users. In-person registration gives the best control when the
number of users is low. Consider other procedures, such as a registration program on a trusted system,
when the number of users is very large.
Several tools can improve the security provided by Kerberos. Passwords generated by a one-time-password
device are particularly useful. Commercial products are available that combine one-time passwords with Kerberos.