What is Internet security all about? Get to know the basics.Most of the information passed across the Internet is not particularly sensitive. In fact, most is it is specifically designed to be as widely read as possible.
But some information is sensitive. For example, when ordering from a site via credit card, the credit card number is transmitted across the Internet from the browser to the server. In theory, a third party could intercept this information at some point on the network between the browser and the server. To prevent this, some form of encryption can be used so that even if someone intercepts the data they cannot decode it back to the original credit card number. Obviously both the browser and the server need to use the same encryption method. The most widely used system for the Web at present is the SSL.
SSL stands for Secure Socket Layer, a protocol developed by Netscape for secure transactions across the Web. It uses a form of public key encryption, where the information can be encoded by the browser using a publicly available public key, but can only be decoded by some one who knows the corresponding private key.
SSL encryption and Ciphers
Although it is the SSL standard that defines how the encryption is applied to web transactions, the actual encryption itself is performed by a number of cipher algorithms. When an SSL browser and SSL server first communicate they mutually pick a cipher algorithm that both support. Some commonly used ciphers are listed below:
3DES, 168 bit: These are well proven, 168 bit, triple encryption ciphers. Supported by products based on SSLeay such as Stronghold and SafePassage but not by products from Microsoft or Netscape.
IDEA, 128 bit: This cipher uses 128 bit keys but it is not commonly found in Web browsers or servers. It is possible to use triple-IDEA with 384 bit keys though it will be very slow. In the USA and Europe a licence from Ascom AG is required to use these ciphers.
RC4 and RC2, 128 bit: These ciphers use 128 bit keys that normally offer a high degree of security. In the USA a licence from RSA is required to use these ciphers.
Export RC4 and RC2, 40 bit: These ciphers use 40 bit keys but are otherwise identical to their equivalent 128 bit versions. Servers and browsers produced by Netscape and Microsoft support these ciphers. In the USA a licence from RSA is required to use these ciphers.An interactive tool from Netcraft is available which can query any secure website and show which ciphers it supports. Experts agree that 40 bit encryption does not provide an adequate level of safety and there have been several publicised hacks.
A panel of cryptographic experts including Whitefield Diffie, the inventor of public key cryptography, issued a report in January 1996. It said that a minimum of 75 bits was necessary for "adequate protection against the most serious threats" and 90 bits was necessary to thwart advances in hacking techniques for the next 20 years.
US arms exports restriction
The US government imposes export restrictions on arms, in a set of rules called ITAR (International Traffic in Arms Regulations). Among the restricted arms is "Strong" encryption software. Software that implements SSL in the US cannot be exported because of these rules (actually it can be exported to Canada, but no further).
SSL enabled software can be exported outside the US if the software can only encrypt using a maximum 40 bit key. Commercial server vendors in the US such as Netscape and Microsoft export secure servers using this weakened 40 bit encryption. Recent legislations allow for registered companies to export software that uses 56 bit keys, but only if they allow the US government to access the data under certain circumstances. This is normally done by allowing a third party to store or recover the keys -- a system referred to as "key escrow". The higher levels of encryption can also be exported to approved financial institutions (mainly banks).
Key escrow
The US and other governments are worried that they cannot access information once it has been encrypted. They would like to be able to decrypt all encrypted data. For some time, the US government has only supported encryption schemes that would allow them to decrypt the encrypted data if necessary, such as the "Clipper" chip. In normal (secure) encryption, the only people who can decrypt the data are the sender and the recipient, who between them have the necessary keys. But in key escrow schemes a third party will also have the ability to decrypt the data (this third party may be the developer of the encryption product, the US government, or some other "trusted" organisation). Key escrow is also called key storage or key recovery.
Certificates
A server certificate is a piece of digitally-encrypted information that lets the browser know what organisation it is accessing. Certificates can be obtained from a certificate authority, which uses its position as a third party to verify that the organisation using these certificates is what it says it is. Probably the best known authority is Verisign in the US. To get a certificate from Verisign the server in use must be approved.