Page 125 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
P. 125

Unit 8: Cryptography and Encryption




          commonly employed by many operating systems to encrypt passwords. Hash functions, then,  Notes
          provide a measure of the integrity of a file.

                                      Figure  8.7: Hash  Function


















          Broadly  speaking, a cryptographic hash function should behave as  much as possible like  a
          random function while still being deterministic and efficiently computable.
          A cryptographic hash function is considered insecure if either of the following is computationally
          feasible:
          1.   Finding a (previously unseen) message that matches a given digest.
          2.   Finding “collisions”, wherein two different messages have the same message digest.
          An attacker who can do either of these things might, for example, use them to substitute an
          unauthorized message for an authorized one.
          Ideally, it  should not even be feasible to find two messages whose  digests are substantially
          similar; nor would one want an attacker to be able to learn anything useful about a message
          given only its digest. Of course, the attacker learns at least one piece of information, the digest
          itself, which for instance gives the attacker the ability to recognize the same message should it
          occur again.

          8.5.4 Pretty Good Privacy (PGP)

          It is one of today’s most widely used public key cryptography programs. Developed by Philip
          Zimmermann in the early 1990s and long the subject of controversy, PGP is available as a plug-
          in for many e-mail clients, such as Claris Emailer, Microsoft Outlook/Outlook Express, and
          Qualcomm Eudora.
          PGP can be used to sign or encrypt e-mail messages with the mere click of the mouse. Depending
          upon the version of PGP, the software uses SHA or MD5 for calculating the message hash; CAST,
          Triple-DES, or IDEA for encryption; and RSA or DSS/Diffie-Hellman for key exchange and
          digital signatures.

          When PGP is first installed, the user has to create a key-pair. One key, the public key, can be
          advertised and widely circulated. The private key is  protected by use of a passphrase.  The
          passphrase has to be entered every time the user accesses their private key.
          Figure  8.8  shows  a  PGP  signed  message.  This  message  will  not  be  kept  secret  from  an
          eavesdropper, but a recipient can be assured that the message has not been altered from what the
          sender transmitted. In this instance, the sender signs the message using their own private key.
          The receiver uses the sender’s public key to verify the signature; the public key is taken from the
          receiver’s keyring based on the sender’s e-mail address.



                                           LOVELY PROFESSIONAL UNIVERSITY                                   119
   120   121   122   123   124   125   126   127   128   129   130