[plug.gif]The Network Connection

        By Dr. Philip Baczewski, Assistand Director, Academic Computing Services, and BITNET INFOREP (ac12@unt.edu). This column is a continuing feature of Benchmarks intended to present news and information on various aspects of wide area networks.

        How Secure is Your Internet Mail?

        Over the past years, much news and attention has been devoted to Internet security. A couple of specific examples are the problems with hackers gaining unauthorized access to systems, as depicted in Clifford Stoll's The Cuckoo's Egg,(Stoll, Clifford, The Cuckoo's Egg, Doubelday, New York, 1989) and the very much publicized Internet worm incident that temporarily shut down many Internet-connected computers in 1988.(Hafner, Katie and John Markoff, Cyberpunks, Outlaws and Hackers on the Computer Frontier, Simon and Schuster, New York, 1991.) A bigger issue of Internet security exists on a smaller scale. If you don't know already, Internet mail is not, by default, secure. It is not necessarily insecure, but since it is transmitted in clear text and may pass through two or more machines before being delivered, the chance does exist that it could be inadvertently or intentionally copied or intercepted along the way.

        There are several existing and upcoming solutions to making Internet E-mail more secure. A new Internet standard called Privacy Enhanced Mail (PEM) proposes a structure for transmitting and authenticating secure E-mail. An existing public-domain program named PGP (Pretty Good Privacy) written by Philip Zimmerman implements a solution similar to that specified in the PEM standard. Both implement the Rivest-Shamir-Adleman (RSA) public key system of cryptography. By applying an advanced level of cryptography to mail and files sent over the Internet, it is possible to ensure a reasonable degree of security.

        Complex Issues

        The issues surrounding RSA security are diverse and sometimes complex. However, the technical issues are not as confusing sometimes as the political ones. The U.S. Federal government has imposed export restrictions on certain types of encryption technologies. RSA security is included in these restrictions, and when a copy of PGP was posted on an anonymous FTP server that was openly accessible by those outside of the U.S. and Canada, certain agencies of the U.S. government were quick to begin pointing fingers, ultimately resulting in some difficulties for Philip Zimmerman. Today, the distribution of PGP is somewhat controlled and restricted to use in the U.S. by U.S. citizens or residents. In spite of these complications, however, PGP remains a quite useful program.

        If you are familiar with computer programs that perform encryption, you know that when you want to make information secure, you usually do so by providing a key word or phrase which is used as the basis for calculating the encrypted information values. To reverse the process and decode the information, you have to provide the same key as was used for the encryption. As long as you are the only person who knows the key, then your information will be reasonably secure; however, once you wish to transmit information to someone else in a secure fashion, a single-key encryption method becomes problematic. Finding a secure way to transmit that key can be difficult or impossible, especially if you want to do so automatically and electronically.RSA security uses a concept called duel key encryption. It is implemented with both a public key and a private key, terms which you are likely to hear more and more often as this scheme is integrated into messaging applications. The RSA algorithm uses a scheme in which information encoded with one key can only be decoded with the other. In other words, if a file is encrypted using the public key then it can only be decoded using the corresponding private key. The reverse is also true. In practical terms, public/private key encryption lets you digitally sign a document using your private key (in your possession only), and encrypt a document intended for someone else using their public key (acquired directly from that person or from an authenticated representative). Other people can send you information encrypted using your public key that only you can decode using your private key.

        PGP

        PGP is one program that implements RSA security for the purposes of encoding electronic mail. PGP is not the only program available, but an intriguing aspect of it is that the author has placed it in the public domain. If previous programs are any indication (Kermit, for example), PGP could become a de facto standard for Internet mail security. Both PGP and the PEM standard do not actually use the RSA algorithm to encrypt an entire message. Instead, they employ a standard single-key encryption method (Data Encryption Standard or DES) with a randomly generated key, and then encrypt that single key using RSA. This method provides the authentication and security features of RSA, but with the speed of a single-key algorithm.

        PGP performs a number of functions in support of E-mail security management. It will allow you to generate a key pair: a private key for signing your mail, and a public key which you can distribute to others as their verification of your signature. It will maintain a key ring where you can store your and other's public keys. Most importantly, it will encrypt and sign files and allow you to generate them in two formats: a binary file for local access (i.e. encrypted for local security purposes only or for transfer by binary FTP), or an ascii-encoded version that can be sent across the Internet via E-mail.

        PGP is available in versions for MS-DOS, Macintosh, and UNIX. It can be obtained via Anonymous FTP from net-dist.mit.edu, in the directory, /pub/PGP (the Massachusetts Institute of Technology serves as the official distribution point for PGP). You must first acquire the README file in that directory which will provide you instructions on the procedure for acquiring PGP from that site. Because of the restrictions on the distribution of PGP, you will actually need to telnet to the MIT machine and verify your status within the U.S. and agree to abide by the export and licensing restrictions. Because you want your security program to be secure from tampering, it's best to get it from the most reputable source possible. The distribution process at MIT provides some controls on distribution, but more importantly to you, also assures you of a reputable source.

        Further Information

        More information about RSA security in general and about the PGP program can be found in the PGP documentation, which provides some excellent background material on some of the cryptography issues as well as some history of the PGP program. The file names are PGPDOC1.TXT and PGPDOC2.TXT and are distributed with the program. Another way to learn about PGP, RSA security, and the PEM standard is to read the USENET news groups alt.security.pgp, alt.security.ripem, info.pem-dev, and sci.crypt.

        It's likely that the next generation of E-mail programs will include security as a feature. A proposal to integrate PEM or PGP within the MIME standard is also in the works. With the increasing expansion of the Internet, and the advent of more commercial communication via electronic means, the ability to authenticate electronic communication becomes more and more important. Awareness of these issues now will make it easier to take full advantage of the Internet in the coming years.



        Previous Article <== ==> Next Article

        If you have problems or questions about this server, please contact us as soon as possible. You can send mail to the following address: www@unt.edu