
Training


medwin

Presentation Transcript


    Slide 1: Cryptography and the Web
      - Lincoln Stein
      - Whitehead Institute/MIT Center for Genome Research

    Slide 2: Cryptography
      - The art of secret message writing.
      - Creating texts that can be read only by authorized individuals.

    Slide 3: Simple Cryptography

    Slide 4: Caesar Cipher

    Slide 5: Rotating Key Cipher

    Slide 6: General Principles
      - Longer keys make better ciphers
      - Random keys make better ciphers
      - Good ciphers produce random ciphertext
      - Best keys are used once and thrown away

    Slide 7: Symmetric (Private Key) Cryptography
      - Examples: DES, RC4, RC5, IDEA, Skipjack
      - Advantages: fast, ciphertext secure
      - Disadvantages: must distribute key in advance, key must not be divulged

    Slide 8: DES: Data Encryption Standard
      - Widely published & used - federal standard
      - Complex series of bit substitutions, permutations and recombinations
      - Basic DES: 56-bit keys
          - Crackable in about a day using specialized hardware
      - Triple DES: effective 112-bit key
          - Uncrackable by known techniques

    Slide 9: Asymmetric (Public Key) Cryptography

    Slide 10: RSA
      - Algorithm patented by RSA Data Security
      - Uses special properties of modular arithmetic
          - $C = P^e \pmod{n}$
          - $P = C^d \pmod{n}$
      - e, d, and n all hundreds of digits long and derived from a pair of large prime numbers
      - Key lengths from 512 to 1024 bits
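
The two formulas on this slide, worked through in Python with toy primes. This is an added example, not part of the original presentation; the primes 61 and 53, the exponent 17 and all function names are assumptions chosen for illustration.

```python
# Added illustration of C = P^e mod n and P = C^d mod n.
# The primes are constructed toy values; real keys use primes hundreds of
# digits long, and real systems add randomized padding before encrypting.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Derive (public, private) keys from two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse: e*d = 1 (mod phi)
    return (e, n), (d, n)


def encrypt(plain: int, public) -> int:
    e, n = public
    if not 0 <= plain < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(plain, e, n)          # C = P^e mod n


def decrypt(cipher: int, private) -> int:
    d, n = private
    return pow(cipher, d, n)         # P = C^d mod n


def demo():
    """Round-trip the message 65 through a toy 12-bit key."""
    public, private = make_keypair(61, 53)   # n = 3233, toy size only
    c = encrypt(65, public)
    return public, private, c, decrypt(c, private)


if __name__ == "__main__":
    public, private, c, p = demo()
    print("public", public, "private", private)
    print("ciphertext", c, "decrypted", p)
    # Unpadded RSA is deterministic: the same plaintext always yields the
    # same ciphertext, so an observer can confirm a guessed plaintext.
    print("deterministic:", encrypt(65, public) == c)
```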

    Slide 11: Public Key Encryption: The Frills

    Slide 12: Digital Envelopes

    Slide 13: Digital Signatures

    Slide 14: Message Digests

    Slide 15: Certifying Authorities

    Slide 16: Hierarchy of Trust

    Slide 17: Secure, Verifiable Transmission

    Slide 18: Public Key Cryptography on the Web
      - Secure Socket Layer (SSL)
          - Netscape Communications Corporation
      - Secure HTTP (SHTTP)
          - Commerce Net

    Slide 19: SSL and SHTTP, similarities
      - RSA public key cryptography
      - MD5 message digests
      - Variety of private key systems
      - Strong cryptography for use in U.S.
      - Weakened cryptography for export.

    Slide 20: SSL and SHTTP, differences

    Slide 21: Secure Servers
      - Netscape Commerce Server
      - Microsoft Internet Information Server
      - WebSite Professional
      - Quarterdeck/WebSTAR Professional
      - OpenMarket Secure Server
      - Apache SSL
      - Many others!

    Slide 22: Secure Servers: Costs
      - Server software
          - Requires license from RSA Data Security
          - Often free for noncommercial use
          - $200-$1000 for commercial use
          - Export forbidden
      - Server certificate
          - $290 for initial certificate
          - $95 for each additional server
          - $75 annual renewal fee

    Slide 23: Secure Servers: Set-up
      - Install & configure server software
      - Create distinguished name for your site
      - Fill out server certificate application at Verisign's Web site
      - Pay the piper
      - Generate key pair and certificate request
      - Mail certificate request to Verisign
      - Install signed certificate on your server

    Slide 24: Using SSL

    Slide 25: Signed Certificate

    Slide 26: Applying for a Server Certificate

    Slide 27: Filling out Certificate Request

    Slide 28: The Signed Certificate

    Slide 29: Encryption and U.S. Legal System
      - RSA algorithm patented in U.S. but not recognized by international patent law
          - Must pay licensing fee within U.S.
          - Free outside U.S.
      - Strong encryption keys classified as munitions under U.S. export laws
          - A crime to export software with strong encryption
          - FTPable browsers & servers restricted to crippled 40-bit secret keys
          - Main effect has been to hamper distribution of strong software

    Slide 30: SSL Failures
      - Two well-publicized incidents in 1995
      - 40-bit secret key used in export versions vulnerable to brute force attack
          - Single encrypted message vulnerable to cracking in a few weeks on a network of workstations
          - Specialized hardware (probably) can crack in a matter of hours
      - Implementation problem
          - Navigator 2.0 used predictable random number generator to generate secret keys
          - Messages crackable in a few minutes on conventional workstation
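
Why a predictable generator undoes a long key, as an added example that is not from the original presentation. The seed inputs (clock seconds and process id) and all function names are assumptions for illustration, since the slide does not say how the generator was seeded.

```python
# Added illustration: a key generator seeded from guessable values, beside
# one that draws from the operating system's CSPRNG.
import math
import random
import secrets

KEY_BYTES = 16  # 128-bit session key


def weak_session_key(clock_seconds: int, pid: int) -> bytes:
    """Deterministic: whoever knows or guesses the seed gets the key."""
    rng = random.Random(clock_seconds * 65536 + pid)   # not a CSPRNG
    return bytes(rng.randrange(256) for _ in range(KEY_BYTES))


def strong_session_key() -> bytes:
    """Key material from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_bits(clock_window_seconds: int, pid_range: int) -> float:
    """Upper bound, in bits, on the entropy of weak_session_key.

    The key is 128 bits long, but it can take at most
    clock_window_seconds * pid_range distinct values.
    """
    return math.log2(clock_window_seconds * pid_range)


def distinct_keys(clock_start: int, window: int, pids: range) -> int:
    """Count how many different keys the weak generator can emit."""
    return len({weak_session_key(t, p)
                for t in range(clock_start, clock_start + window)
                for p in pids})


if __name__ == "__main__":
    # Constructed sample values: a one-hour clock window, 15-bit pids.
    print("weak key, same seed twice:",
          weak_session_key(820000000, 4242) == weak_session_key(820000000, 4242))
    print("effective bits: %.1f of %d" % (effective_bits(3600, 32768),
                                          KEY_BYTES * 8))
    print("distinct weak keys in 10 s x 100 pids:",
          distinct_keys(820000000, 10, range(100)))
    print("strong key:", strong_session_key().hex())
```

The weak generator's key space is bounded by its seed inputs, well under the 40 bits of the export ciphers on this slide, regardless of how long the emitted key is.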

    Slide 31: Web Encryption Isn't Panacea
      - Protect data at browser side & server side
      - Server certificates vouchsafe name of server but not honesty of merchant!
      - Protect integrity of browser & server software

    Slide 32: URLs
      - SSL Protocol: http://home.netscape.com/newsref/std/SSL.html
      - SHTTP Protocol: http://www.eit.com/projects/s-http/
      - Verisign: http://www.verisign.com/
      - RSA Data Security: http://www.rsa.com/
