Dear Readers, in our attempt to become more accessible to you and to meet the challenges and expectations of the ever-changing tech world, this E-book is available in both .pdf and .epub formats, contained within a single .rar file.
Data Encryption Software
by Hans Fouche
The need for encryption has existed ever since one person learned to read another's written language. But it was not until WW I that encryption hardware was used on a massive scale. While we are quite used to encryption being common on the Internet, we may not realize that in the physical world it is found not only in military areas, government buildings and corporate headquarters, but also in places as mundane as retail stores. But what are the most common rules governing encryption, and what makes good encryption software?
Replacing Tokens with Digital Certificates for User Authentication on Remote VPN. Is this a Bad Idea?
by Luciano Ferrari
Imagine that senior management sends you a request with a new mission: reduce the cost of the token licences, improve the user experience with something simpler, and keep the same level of security for your remote VPN users. Would you say no? Would you say that this is impossible to achieve? Or would you investigate and try to deliver a solution for the business? If you believe this is impossible, I can tell you that you can have something that comes very close.
SafeSlinger: Easy-to-Use and Secure Public-Key Exchange
by Michael W. Farb, Yue-Hsun Lin, Jonathan McCune and Adrian Perrig
For many current Internet applications, users experience a crisis of confidence. Is the email or message we received from the claimed individual or was it sent by an impostor? Cryptography alone cannot address this problem. We have many useful protocols such as SSL or PGP for entities that already share authentic key material, but the root of the problem still remains: how do we obtain the authentic public key from the intended resource or individual? The global certification process for SSL is not without drawbacks and weaknesses, and the usability challenges of decentralized mechanisms such as PGP are well-known.
Choosing Algorithms to Standardise
by Chris J. Mitchell
The developers of the ISO/IEC standard on encryption, ISO/IEC 18033, are facing a dilemma. To maximise interoperability and make life as simple as possible for developers, the smallest possible number of algorithms should be standardised; however, despite this, there seems to be an inexorable growth in the number of standardised algorithms. We put this problem into historical context, and review efforts to devise ways of restricting the numbers of standardised algorithms dating back to the beginning of the development of ISO/IEC 18033. We then consider how and why these efforts have proved inadequate, leading to an almost uncontrollably large number of standardised algorithms. Finally, we discuss recent efforts to address this situation, which appear to have ramifications not only for ISO/IEC but for almost any body seeking to standardise a set of general purpose techniques.
The RSA Algorithm – The Ups and Downs
by Chuck Easttom
RSA is currently the most widely used asymmetric algorithm (Yeh, Huang, Lin & Chang, 2009; Ambedkar, Gupta, Gautam & Bedi, 2011; Stallings, 2010; Mao, 2011). The algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT; the letters RSA are the initials of their surnames. The algorithm is based on some interesting relationships between prime numbers. The security of RSA derives from the fact that it is difficult to factor a large integer that is the product of two large primes: anyone who can factor the public modulus can compute the private key.
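As an added worked example (not code from Easttom's article): textbook RSA on the classic toy parameters p = 61, q = 53, e = 17, followed by what an attacker does when the modulus is small enough to factor. Realistic key sizes and padding (OAEP) are deliberately omitted, and the helper names are mine.

```python
"""Textbook RSA: key generation, encryption, decryption, and the attack
that justifies the key size. Added example with toy-sized primes so the
factoring step finishes instantly; real keys use 2048-bit-plus moduli and
real deployments add padding (OAEP), which is omitted here."""
from math import gcd, isqrt


def keygen(p: int, q: int, e: int = 65537):
    """Derive an RSA key pair from two distinct primes p, q and public exponent e."""
    assert p != q, "p and q must be distinct primes"
    n = p * q
    phi = (p - 1) * (q - 1)              # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return (n, e), (n, d)                # (public key, private key)


def encrypt(pub, m: int) -> int:
    """c = m^e mod n; the plaintext must be a residue smaller than n."""
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_trial(n: int):
    """Trial division: the attacker's job. Feasible only for tiny n, which is
    the whole point of choosing large primes."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no factor found")


def recover_private_exponent(pub) -> int:
    """Given only the public key: factor n, rebuild phi(n), invert e.
    The result is the private exponent d, i.e. a total break."""
    n, e = pub
    p, q = factor_trial(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    pub, priv = keygen(61, 53, e=17)     # classic example values: n = 3233
    c = encrypt(pub, 65)
    print("public", pub, "private", priv)
    print("ciphertext", c, "decrypts to", decrypt(priv, c))
    print("attacker recovers d:", recover_private_exponent(pub) == priv[1])
```

The last line is the lesson of the paragraph in running code: the public key alone was enough to recover d because n had only twelve bits. Replace 61 and 53 with 1024-bit primes and `factor_trial` never returns, which is exactly the gap RSA's security rests on.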
How to Improve the Security of Your SSL/TLS Web Server
by Eric Tews
HTTPS – HTTP over the SSL/TLS protocol – is the de-facto standard when it comes to securing websites on the Internet. HTTPS is used for online banking, social networks, live-streaming of audio, email, instant messaging and many more applications. The SSL/TLS protocol provides a secure tunnel through which the HTTP traffic between a web browser and a web server can be transported, if both sides support the protocol. SSL/TLS encrypts the traffic, providing confidentiality, and protects the traffic from unauthorized and unnoticed modification, providing integrity. To ensure the authenticity of the website, a digital certificate according to the X.509 standard is used.
Stripping SSL Encryption
by Praful Agarwal and Sulabh Jain
Web servers and Web browsers rely on the Secure Sockets Layer (SSL) protocol to create an encrypted channel for private communications over the public Internet. Each SSL certificate binds a public key to the server's identity; the matching private key stays on the server and is used to prove that identity during the handshake, after which both sides derive the symmetric keys that actually encrypt the traffic. When a Web browser points to a secured domain, the level of encryption is negotiated based on the type of SSL certificate as well as the capabilities of the client Web browser, operating system and host server. That is why SSL certificates advertise a range of encryption levels such as "up to 256-bit": the certificate sets an upper bound, not a guarantee.
We would like to introduce a tool called "SSL strip", which is built around a Man-in-the-Middle attack (MitM): users on the same network as the attacker can be forcibly downgraded from the secure HTTPS version of a web page to the insecure HTTP version, without the server noticing, because the attacker keeps the HTTPS connection to the server for himself and serves the victim a rewritten plaintext copy.
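The following is an added example, not the sslstrip tool's own code: the transformation a stripping proxy applies to a page on its way to the victim (downgrading links, deleting the HSTS header and the cookie Secure flag), next to a deliberately minimal model of the browser-side HSTS store that defeats the attack on a host the browser has already seen over HTTPS. The hostnames, headers and HTML are constructed for the demonstration, and `HstsStore` is a simplification of RFC 6797 behaviour, not a real browser's implementation.

```python
"""What an SSL-stripping proxy does to a response, and why HSTS stops it
on repeat visits. Added example; all data below is constructed."""
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

HTTPS_LINK = re.compile(r"https://", re.IGNORECASE)
MAX_AGE = re.compile(r"max-age=(\d+)", re.IGNORECASE)

# Constructed sample: what the real server sends the proxy over HTTPS.
SERVER_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
}
SERVER_BODY = (
    '<a href="https://bank.example/login">Log in</a>\n'
    '<form action="https://bank.example/transfer" method="post"></form>\n'
)


def downgrade_response(headers: Dict[str, str], body: str) -> Tuple[Dict[str, str], str]:
    """The stripping proxy's rewrite on the victim-facing leg of the MitM:
    - every https:// reference becomes http://, so the victim's next request
      (and any credentials in it) leaves the browser in cleartext;
    - the HSTS header is dropped so the browser never learns to insist on HTTPS;
    - the Secure flag is removed from cookies so they travel over HTTP too.
    The proxy keeps its own HTTPS session to the real server, which sees nothing odd."""
    new_headers: Dict[str, str] = {}
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            continue
        if name.lower() == "set-cookie":
            value = re.sub(r";\s*secure", "", value, flags=re.IGNORECASE)
        new_headers[name] = value
    return new_headers, HTTPS_LINK.sub("http://", body)


class HstsStore:
    """Minimal model of a browser's HSTS state (simplified from RFC 6797).
    A host seen with a valid header over HTTPS is rewritten to https:// before
    any request leaves the browser, so the proxy never gets a plaintext request
    to tamper with. Preloaded hosts are protected even on the first visit."""

    def __init__(self, preload: Optional[Set[str]] = None):
        self.hosts: Set[str] = set(preload or ())

    def observe(self, host: str, headers: Dict[str, str], over_https: bool) -> None:
        # The header is honoured only on an HTTPS response: a plaintext reply,
        # such as the one the proxy serves, can neither add nor clear an entry.
        if not over_https:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        m = MAX_AGE.search(value)
        if m is None:
            return
        if int(m.group(1)) == 0:          # max-age=0 tells the browser to forget
            self.hosts.discard(host)
        else:
            self.hosts.add(host)

    def outgoing_url(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before the request is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    proxied_headers, proxied_body = downgrade_response(SERVER_HEADERS, SERVER_BODY)
    print(proxied_body)                    # links now point at http://
    # First-time visitor: no HSTS entry, plaintext reply teaches nothing.
    fresh = HstsStore()
    fresh.observe("bank.example", proxied_headers, over_https=False)
    print("fresh browser sends:", fresh.outgoing_url("http://bank.example/login"))
    # Returning visitor who once reached the site over genuine HTTPS.
    returning = HstsStore()
    returning.observe("bank.example", SERVER_HEADERS, over_https=True)
    print("returning browser sends:", returning.outgoing_url("http://bank.example/login"))
```

The two printed URLs are the whole story of the defence: the fresh browser emits `http://` and is stripped, the returning browser (or one with the host in its preload list) emits `https://` and the proxy only ever sees TLS. The window the attack exploits is therefore the first contact with a site, which is why preloading matters.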
Everyday Cryptography: Yet Another Book about Cryptography
by Keith Martin
Cryptography is a subject whose relevance to everyday life has undergone a dramatic transformation in the last few decades. It used to manifest itself in the public imagination through its historical use, primarily to protect military communications, and through recreational puzzles. However, largely due to the development of computer networks, particularly the Internet, most of us now use cryptography on a daily basis.
As a result there is a substantial interest in cryptography amongst a wide audience that includes information security users and practitioners, researchers, students on university courses, and even the general public. This explains why there are so many books on the subject of cryptography.