Web as a medium for business applications on the Internet is the most attractive tool for interactive & multimedia capabilities. Rapid development of the Web server is quite fast, it can be seen clearly from the chart the growth of the Web server on the Internet is published by the WebCrawler one of the major search engines on the Internet. Questions that often surface when we are faced with the reality of doing business on the Internet via Netscape Navigator or Microsoft Explorer include:
1. Why have security features?
2. What are the minimal risk that should be covered by the Internet users?
3. How can security technology secures your browser from this risk?
4. To what extent is the existing security features in the browser can help us withstand the risks are there?
5. How can we see the level of security of the document that we are currently seeing.
6. How do we know that we are using Navigator which is operating in encrypted mode?
7. Is such a method is needed certification / authentication to use the Internet safely?
8. Is it possible / safe to send personal information over the Internet, such as credit card numbers?
9. Whether to enable security features then we will add the limitation to access various sites on the Internet?
Well let's look at the answers from each of the questions that often appear one by one.
Why have security features?
Security is a basic prerequisite because it is basically the Internet is an insecure network. Millions of computers form a network of public Internet where communication can be heard in the middle of the road. As data moves from sender to receiver, certainly through multiple connections (routers etc.) before reaching its final destination. This means that other computers outside the two computers that communicate with each other is very likely to access that data. Therefore, security is an absolute prerequisite if we want the data we are saved through the public network.
Risk anything that should be covered by the Internet users?
Basically when the data is sent over the Internet will be open on three (3) kinds of security risks, namely:
1. Eavesdropping - listening to the conversation of the computer between the two computers are talking privately.
2. Manipulation - the computer will replace the information in the transmitted data.
3. Impersonation - a computer will pretend to be another computer (eg a computer where the transaction of trade).
Actually this situation is exactly the same as our condition when purchasing mail order over the phone. Third above the risk will occur during mail order transactions.
How can security technology secures your browser from this risk?
At this time there are a lot of software development and computer security that can be run on a computer network. One of the rapidly evolving include Secure Socket Layer (SSL) developed by Netscape. SSL is basically a set of rules that tells the step that must be passed to increase the level of communications security. SSL rules are designed to do:
1. Encryption, to overcome the eavesdropping
2. Data integrity, to overcome the manipulation
3. Authentication, to cope with impersonation
It should be understood that SSL will only protect us when the transmission data only. This is called network security. SSL protocol at all will not protect the data - before and after the communication made. It means we have to believe fully that the seller / merchant does not give credit card numbers that we have to others.
To what extent is the existing security features in the browser can help us withstand the risks are there?
The Internet is basically an insecure network. Actually there is no security techniques in the world who dare to claim as a technique that can not be translucent / safest. For that we need intensified its Internet users to ensure its safety to do a few things below:
1. Always use the latest version of the software used. Generally, software vendors will release the latest version to fix various security holes / bugs.
2. As far as possible use the highest security version. Currently Netscape users in the U.S. & Canada can use Netscape software that has 128-bit key that will provide much higher security than 40-bit key that is currently be exported out of U.S.. Regulation in the U.S. is being fought for the change to allow the use of high-bit key.
Setting up the security system?
Basically, a security system will be divided into two major things, namely:
1. Cipher suites are kryptografi algorithm that is used for a communication; generally used several algorithms at once. SSL uses an algorithm to verify identities, one for encryption of data on traded, and a longer algorithm for message integrity.
2. Certification is used for binding a (client or server) to a public key. A sertifikatpada essentially a data file with several pieces of information in it. This information includes:
• "Name" which explains the certificate holder.
• Public key of certificate holder.
• Authority certificate, which will provide such information, serial number, expiration date, and digital fingerprint.
.
How do we know that we operate browse're in a safe condition?
If you are using Netscape then in the destination URL should be https instead of http:// so there is the letter "s" after http. In addition, at the bottom left corner, images of the connected - not separate as usual at the time of surgery performed.
Is certification required to use the Internet safely?
Sertikat required by at least one of the units / computers that communicate using SSL. Since 1996, certification is generally done by the server, which will authenticate the identity and receive information from visitors to their site in a protected communications environment. This pattern is widely used by many sites that sell goods on the Internet. Today more and more individuals who have a personal user certification primarily to send mail safely and for authentication purposes.
How about sending personal information like credit card numbers?
We can send your credit card number if at the time the security is enabled in brwoser (https) as well as on the server. By using the communication channels has enabled the protection it will be reduced risk of fraud, etc. at the time the information is transmitted over the Internet.
One thing we have to guard is that we have full confidence in receiving such financial information. Security technology will only secure lines of communication but it will not security us to people who are reckless behind the server there.
Is the security features would limit the possibility for us to access the Internet site?
Not at all, even we can still receive mail & news both in encrypted and non-transparent manner.
Hopefully a few answers from the Frequently Asked Questions (FAQ) above will give some idea about the ongoing effort to secure Internet for businesses. Next we will further deepen some of the issues related to the development of security protocol itself. Security protocol development efforts in line with the various attempts to download the challenge / breaking the protocol which is an international contest.
Secure Sockets Layer
Netscape has been designing & specifying the protocol to ensure data security between application layer protocol (such as HTTP, Telnet, NNTP or FTP) and TCP / IP. Security protocols it is called, Secure Sockets Layer (SSL), which provides data encryption, server authentication, message integrity and options for client authentication during connection TCP / IP takes place.
SSL protocol is basically a non-proprietary & open. MD5 and RC4, two of cryptographic components (very good) from the SSL, designed by Ron Rivest of RSA Laboratories
1. send mail to ietf-tls-request@w3.org
2. in the subject write "subscribe"
It is also a mailing list can subscribe ssl-talk@netscape.com which by the way:
1. send mail to ssl-talk-request@netscape.com
2. in the subject write "subscribe"
To learn more of the SSL can be obtained by visiting the following sites:
1. http://home.netscape.com/eng/ssl3/index.html - which explains in detail of the Secure Sockets Layer version 3.
2. http://home.netscape.com/info/security-doc.html - documentation from Netscape about the security aspect.
3. http://home.netscape.com/assist/security/ssl/protocol.html - Secure Socket Layer.
4. http://home.netscape.com/assist/security/ssl/howitworks.html - how SSL works.
5. http://www.consensus.com/security/ssl-talk-faq.html - Frequently Asked Questions (FAQ) about SSL.
RSA
RSA is headquartered in Redwood City, California
Public-Key Cryptographics Standards (PKCS)
developed since 1991 with Apple, Digital, Lotus, Microsoft, MIT, Northern Telecom, Novell and Sun. Standard yng developed include things such as RSA encryption, Diffie-Hellman key agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification request syntax. Details of articles on a variety of these standards can be easily taken from the RSA in http://www.rsa.com/ Homepage.
To conduct information dissemination and interaction with experts / enthusiasts world kriptograpfi several mailing lists have been created by RSA regulated through majordomo@rsa.com. The mailing list is:
pkcs-tng@rsa.com - PKCS The Next Generation.
cryptoki@rsa.com - Cryptographic Token Interface Standard.
pica@rsa.com - Platform-Independent Cryptography API.
Pretty Good Privacy (PGP)
PGP is one for the security protocol that is widely used on the Internet in addition to SSL. PGP is actually far more difficult in the collapse rather than SSL. This is due to the length of keys used in PGP is much longer than the SSL so that the forcible break-ins are very difficult to do, albeit with a few million computers in parallel. Discussions about this a lot done in the newsgroups sci.crypt and alt.security.pgp - seems to indicate that there is consensus that PGP - Pretty Good.
Just picture to break PGP by PGP 1024-bit key messages will need about 300,000,000,000 MIPS year. So really it takes a lot of time & money to make inroad it. To view the details of the attack to PGP can be seen on the FAQ located at http://axion.physics.ubc.ca/pgp-attack.html.
International versions of PGP Software in coordinated by Stale Schumacher
http://www.ifi.uio.no/pgp/download.shtml
ftp://ftp.ifi.uio.no/pub/pgp/
ftp://ftp.encomix.es/pub/pgp/
ftp://ftp.ox.ac.uk/pub/crypto/pgp/
Or via e-mail by sending mail to pgp@hypnotech.com with PGP GET command in Subject.
Places to find more information about PGP can be made via the Internet:
http://www.ifi.uio.no/pgp/
http://www.prairienet.org/ ~ jalicqui / pgpfaq.txt
ftp://ftp.uu.net/usenet/news.answers/pgp-faq/where-is-PGP.Z
http://world.std.com/ ~ franl / pgp / pgp-passphrase-faq.html
http://axion.physics.ubc.ca/pgp-attack.html
ftp://net-dist.mit.edu/pub/PGP/PGP_FAQ
http://world.std.com/ ~ franl / pgp / pgp.html
http://www.mit.edu:8001/people/warlord/pgp-faq.html
Burglary Business Security Systems.
As we all know that no system is perfect in this world. Therefore, attempts to break into security systems developed in recent years even in my contest on the Internet to test the extent to which level of difficulty to penetrate the security system. Results from the burglary attempt is usually a feedback for the designers of security protocol for which was repaired. It's good writing done in chronological order.
July 14, 1996: It Finney posting of SSL challenge: a record of "secure" session that Netscape uses the RC4 algorithm in encrypt-128-EXPORT-40.
August 15, 1996: Two groups of successfully solving the challenge SSL. The first group is David Byers and Eric Young
According to Damien, in order to solve the SSL with 40-bit key takes about 40 pieces of high end Pentium PC on the hook in a computer network so it can be solved in parallel to reinforce computational skills. Please note that Damien uses about 120 computers in parallel to solve it. The time needed to solve the challenge with a force of 120 computer is about 8 days (maximum estimate will take 15 days).
August 17, 1996: Netscape submit their official responds. Although most people disagree (as underestimate) the figure of U.S. $ 10,000 for the cost of cracking algorithms SSL RC4-128 on them.
From this moment began the efforts of the cyberpunk to unite & form a network of "key cracking ring" to see how fast we we can dismantle that the encrypted session using many machines on the Internet in parallel from the ring.
19 August 1996: It Finney returned to post the second challenge of SSL to the cyberpunk to "key cracking ring". Coordinate these activities by Adam Back and Piete Brooks.
August 24, 1996: "Key cracking ring" which is a collection of computers working in parallel through the Internet network began working on the challenge, August 19, conducted at 18:00 GMT. In less than 32 hours of the results obtained!
17 September 1996: Ian Goldberg and David Wagner managed to break into a pseudo-random number generator of the Netscape Navigator 1.1. They managed to get into the session key within a few hours from a workstation.
As we saw above that in order to solve a secure SSL session with 40-bit key it takes a long time (days) 120 computer with the power of computing in parallel. This shows how difficult it is to solve a secure session. With the effort to exported versions of Netscape SSL is more secure with 128-bit key it will be increasingly difficult to penetrate the protection will exist.
Summary
Basically a variety of security algorithms developed to secure data transmission over public computer network Internet is able to secure the transmission line so it is quite safe. To break into a session that has been secured, it takes a lot of time & computers working in parallel.
We all hope that the government of the United States will soften their export regulations so that a strong security program can be exported easily to the outside of the United States &finally will enhance the security of data transmission over the Internet so that it will add to the spirit world's attempt to seek on the Internet.
Just added various newsgroup on the Internet that discuss various issues related to security include:
alt.anonymous
alt.anonymous.messages
alt.privacy.clipper
alt.security
alt.security.pgp
alt.security.ripem
alt.security.keydist
alt.society.civil-liberty
comp.compression
comp.org.eff.news
comp.org.eff.talk
comp.patents
comp.risks
comp.society.privacy
comp.security.announce
misc.legal.computing
sci.crypt
sci.math
talk.politics.crypto
Hopefully this long enough to provide outlines of an ongoing effort to secure Internet for businesses. Also expected to be the starting point for colleagues who want to explore further the issue of security / security on the Internet.
0 comments:
Post a Comment