Next Page

  1. Introduction
  2. Security Functions
  3. Algorithm and Protocol Types
  4. Security Protocols
  5. Security Attacks
  6. Terms
  7. Credits

CTDP Security Reference Manual Version 0.3.0 August 21, 2004

Revised from Version 0.2.0 September 1, 2000

This document is under construction and is not complete!

Introduction

This Security Reference Manual is written with several purposes in mind. It is not written as a complete guide to computer security but is intended to give enough information to allow the reader to make somewhat competent security decisions without having to do a great deal of reading or study. The information contained in this document is not guaranteed to be accurate and the writer assumes no responsibility of the reader's use of any information contained herein. This document also provides information to allow the reader to do further study. The main objectives of this document are to:

  1. Define terms
  2. Introduce security functions.
  3. Introduce some of the main security protocols, and explains how they fit into the security scheme. (RSA, Diffie-Helman)
  4. Give the reader fundamental knowledge to allow for better decision making, without a great deal of reading or study.

This Security Reference Manual is an introduction to computer security. It is written to explain some aspects of computer security with regard to functionality. This guide will be mainly concerned with:

  • How user authentication is performed.
  • How passwords are stored and transmitted.
  • How to be sure the party contacted is who they say they are (verification or nonrepudiation).

Although this guide is not intended to explain the various protocols in providing the above functionalities, it will explain enough for the reader to realize the purpose and use of some protocols. This guide will not talk about:

  • Development of security protocols.
  • Security vulnerabilities of operating systems or applications.
  • Setting security traps for hackers.
  • Setting up firewalls.

There are several areas of security expertise which include but are not limited to:

  1. Security protocols, their strengths, weaknesses, and how they work.
  2. Being able to write security algorithms, both in mathematical formulas and/or write the programs. Normally a mathematician is best qualified here
  3. Knowing various security vulnerabilities of certain operating systems and knowing how to guard against them.
  4. Knowing how to set traps for those who try to break into systems.
  5. Knowing how to set up effective and secure firewalls to keep hackers from other networks or the internet from breaking into private networks.

Computer security defined in this document primarily is about enciphering and deciphering what is called plaintext. Plaintext is un-enciphered data which may be text or any other form of data. Please be aware that when it comes to the art of inventing data enciphering protocols, there are very specialized people in these fields. Therefore it is extremely unlikely that any one or group not specialized in these areas will successfully invent their own security protocols and have them be effectively secure. Most of us are dependent upon the specialists. We will likely use a published protocol with published key management and key generation schemes. However if you want to develop a specialized team of cryptographers, it is my opinion that you will want brilliant mathematicians, not generally programmers or engineers. This is because much math is required and math specialists are most skilled in this area. Also the math specialist has a desire to work on math problems, whereas the programmer or engineer likes to work on logic, development or design problems. However the programmer or engineer if they have a strong desire to concentrate on math and show talent in this area, may qualify for these specialized jobs. To be effective, I recommend a team of at least 5 people specialize in this area with half the team checking the work of the other half.

Keeping the encryption algorithm secret is not security.

Cryptography provides:

  • Confidentiality - Being sure the message cannot be read and understood by intruders.
  • Authentification - The receiver of the message should be able to be sure of the origin of the message.
  • Integrity - The receiver of the message should be able to tell the message was not modified by an outsider.
  • Nonrepuditation - There is proof that the sender sent the message.

Functions required for a secure system.

  • Key management
  • Key generation
  • Digital signatures
  • Encryption schemes

Useful functions.

  • One way hash functions - A function that can be easily performed one way but is difficult or impossible to reverse.
  • Salting - Adding random data to a password prior to performing a one way hash on it. This is a means of stopping a dictionary attack.
  • Key based encryption/decryption algorithms which are of two types:
    • Symmetric - The encryption and decryption key are the same.
    • Asymmetric (Public Key) - The encryption key and decryption key are different and one is kept private and the other is public.

These algorithms and their use will be explained later in this document.

Attacks:

  • Man in the middle attack