Curing remote-access security ailments

By Hal Stern, Unix Insider |  Security

As you evaluate data-security implementations, examine the impact
on users. Asking the users to encrypt each file they send over
the network is not entirely practical; they may not know what files
are local and which are remote and they are not likely to pause before
each file access or mail message delivery. The higher you go in the
network protocol stack, generally, the less transparent encryption
becomes. At a superficial level, you can protect data by encrypting
files with PGP or the Unix crypt utility. Users then send the encrypted
files over the network, where they are converted back to clear text by
the recipient. It's far from transparent, but this approach often
suffices in a pinch where you need to send selected files or e-mail
messages over untrusted networks.

The drawback to crypt is that it uses a private key
mechanism -- anyone wishing to decrypt the file needs the password
used to encrypt it. You need to exchange passwords "out of band" --
via Federal Express, snail mail, or telephone calls to maintain some
sense of password integrity. PGP uses public key encryption, so you
can decipher a file with the sender's public key that can be e-mailed
to you or picked up via ftp. Of course, concerns about IP address
spoofing and DNS attacks may make you question where the public keys
came from and if they were also spoofed, so PGP allows you to build
"key rings" that require multiple verifications of a key from trusted
parties. (We'll talk about PGP and its applications in more detail next
month.)

The encrypted-file solution layers encryption on top of the
application, leaving the application's protocols and implementation
unchanged. If you have access to source code, it's possible to build
integrity into the application, having it perform authentication and
packet- or request-level encryption. Good examples are the secure ftp
and telnet systems developed at Texas A&M University, and available
from the Purdue COAST archives.
Encryption-enabled applications are more transparent than
user-driven file encryption, but they require care and feeding from
the system administration side.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question