While you might consider an attacker (cryptanalyst) one of the bad guys, keep in mind that legitimate people try to break encryption schemes. The original designer of the scheme might contract with known hackers and expert cryptanalysts to find weaknesses in their schemes. In some cases, the designer will announce a public challenge in which hundreds or thousands of dollars are rewarded to anyone that successfully cracks a scheme.

In fact, any cryptographic technique that has not been subjected to continuous scrutiny and attack should be suspect. If a system is broken, the designers can reassess its value under the conditions of the successful attack, assuming the attacker reveals his or her techniques. Also, just because a system is broken does not mean it is unsuitable for use. The attackers may have broken the system under optimal conditions using equipment that is not usually available to regular people. Some cryptosystems are rated in terms of the number of years and the price in millions of dollars worth of computing equipment it would take to break them!

Often a strong system will have a weakness that is discovered by chance or through methodical testing. In some cases, a cryptosystem is suspect because it is believed that the designers deliberately included weaknesses, called trap doors, that only the designers know about. For example, many believe that U.S. Government-endorsed cryptosystems have secret weaknesses that enable agencies such as the NSA to easily break codes using its huge resources of cryptographers and computers. The reasoning is that the NSA is interested in national security and has good reason to design in such weaknesses, but many businesses and private agencies are concerned about potential threats to the privacy of their information when using these government-endorsed systems.

Applying Cryptography

With the expansion of the Internet and the growth of electronic commerce, cryptography has become critical to business transactions and legal exchanges. This section outlines some of the more common areas where cryptography can be put to use. Then it’s on to a discussion of the different cryptosystems and how they do what they do.

The growth of fast and inexpensive computers is responsible for the boom in the use of cryptography. Fast processing systems can quickly turn ordinary text into something that would take years to decipher without a key. At the same time, computer networks are one of the major reasons why cryptography is needed. People are connected to shared networks on which data transmissions are not private. Anyone equipped with a packet monitoring utility or device (analogous to a radio receiver for radio transmissions) can easily view the contents of frames or packets as they flow by on the network.

In addition, users have access to shared data systems where they can potentially view files or system information, either openly or by hacking through weak security systems. Encryption can be applied to stored data to protect it from hackers that are successful at breaking through security access schemes.

So the two main areas of concern related to security are the potential for attacks on stored information and the potential that someone will monitor transmissions.

The Threats of Hackers and Eavesdroppers

As mentioned, the growth of the Internet has heightened concerns about transmitting data over public networks, but readers should also be concerned about transmitting data on internal corporate networks. Most corporate networks today link many different departments and divisions of the company. Can you trust people in other parts of the company and be sure that they will not use the network as a means to get at data on centralized or departmental systems, or even user’s computers? How can you protect sensitive information from users that have high-level access to systems and directories?

The following illustrates some of the security problems that exist on many networks today.

•  A user transmits a sensitive e-mail message to another user. A third party on the same LAN uses a packet monitoring device to capture the message and read its private information.

•  In the same scenario above, the third party actually intercepts a message, changes its contents, and then forwards it to the intended recipient. The recipient unsuspectingly accepts the bogus message, and perhaps carries out some action based on the contents that wrongly benefits the third party.

•  A user is logging on to a server that does not use encrypted passwords. Another person who is monitoring the line and captures the password logs on as the user, thus gaining unauthorized access to information on the server.

•  A system administrator fails to learn the security aspects and requirements of a system and unwittingly grants another user access to a directory that contains system information. The user discovers that he has access to this directory and cannot resist the temptation to “experiment” or alter system settings for his benefit.

How easy is it to monitor and capture network traffic? Monitoring is now relatively easy and common thanks to inexpensive monitoring devices, often called sniffers, that run in network-connected computers. “Hackers” operating from inside your organization can monitor traffic on networks that they are directly connected to. They watch for information sent “in the clear,” as unencrypted text. Passwords are the usual target. Even though most network operating systems now provide secure encrypted logons, users occasionally connect to servers or applications that transmit plaintext passwords. The problem is that users often use the same password for all systems, so hackers that capture a plaintext password can often use the same password to sign on to more secure systems.

Hackers on the Internet operate on a network that is traditionally very open. Hackers start by breaking into a vulnerable ISP and monitoring traffic that passes through their Internet connections. They use search routines to sift through packets and locate items of interest such as passwords or codes that indicate various business transactions. They then trace the route and attempt to break into systems using information gleaned from the packets. Some sites are simply not secured enough to keep such hackers at bay.

Most web browsers now have the capability to set up secure sessions with web servers that implement security protocols. The web browser and server can automatically negotiate an encryption scheme to use and then encrypt all subsequent transmissions. In cases of electronic commerce, the server will initiate a secure session and the user’s web browser will pop up a dialog box that indicates that a secure session is about to begin.