Internet Security SECRETS

Publisher: IDG, 1996, 758 pages

ISBN: 1-56884-457-3

Last modified: March 15, 2022, 2:27 p.m.

Synopsis

Uncover the little-known and undocumented security features of the world's most popular network with this insider's guide from security guru John Vacca. Vacca reveals how to protect yourself against the greatest threat to Internet growth — hackers with too much free time on their hands! You'll learn the best ways to protect your data on the Internet, the easiest ways to effectively manage and distribute large databases of public keys, the safest ways to connect your Local Area Network to the Internet, and much more" Don't let security concerns keep you from exploring everything the Internet has to offer — minimize your risks with the tips and techniques you'll learn in Internet Security SECRETS.

Learn the Best Security Secrets NOW!

Expert Advice for fending of the most common forms of security attacks, including snooping, masquerading, message modification, message replay, message delay, and service denial.
Implement security strategies corporate-wide — determine goals, roles and responsibilities
Learn the ins and outs of Secure HTTP (S-HTTP) from message protection to negotiation headers
Insider tips and techniques for implementing secure messaging with Privacy Enhabced Mail (PEM) specification, Riordan's Privacy Enhanced Mail (RIPEM) progrm, Pretty Good Privacy (PGP), Firewalls, and more!
Effectively use digital signatures and timestamps quickly and easily
Two's company and three's a security breach — learn how to share files safely
Comprehensive coverage of security on the World Wide Web, including international implications and protocol enhancements for secure commercial transactions
Two BONUS appendixes provide a survey of, and improvements to, password security, and a glossary of terms and acronyms

Part I: Identifying Internet Security Threats

Computer Crime

Computer Crime Initiative

Determining the scope of the computer crime problem
Internet vulnerabilities versus World Wide Web site system vulnerabilities
Training prosecutors and agents
Domestic law enforcement investigative coordination
Formulating an international response to computer crime
Current laws and proposals for legislative change
Formulating uniform policies

Improving Security on the Internet

Recent incidents weren't the first…
…and wont be the last

Fighting Criminals in Cyberspace

White-collar crime
Theft
Smuggling
Terrorism
Bomb making
Porn
Kiddie porn
Combating cybercrime

The National Performance Review

Internet security
National Crisis Response Clearinghouse

A Self-Fulfilling Prophecy
Guardians of the Internet: Security Incident Response Efforts

CERT
Behind the scenes
Be alert
Frequent hacks
Minimizing risks
FIRST

Endnotes

Problems in Managing Keys

An Overview of Public-Key Systems
Certificates

Using certificates
Issuing certificates

Storing Keys

Attacks on certifying authorities
Lost keys and compromising positions

Certificate Revocation Lists

Expired keys
Lost private keys
Compromised private keys
Validity of time-stamped documents
Storing private keys
Finding someone else's public key

Endnotes

Internet Security Attacks

Hack Attack!

FBI manhunt nabs Kevin Mitnick
Hiring hackers

Recent Internet Security Incidents

Password sniffers
Vulnerability in NCSA HTTP Daemon for UNIX
Internet security sniffer cracker program
Government Internet security incidents

Real-World Attack Examples

The Air Force Information Warfare Center
Johnson Space Center

Endnotes

Part II: Preparing a Defense

Network Service Providers' Computer Security Mission

NSP Guidelines

Security guidelines
Elaborating on the guidelines

Improving Local Security
Internet Security Accounting Architecture for NSPs
Goals for a Usage Reporting Architecture
The Usage Reporting Function

Measuring policy compliance
Rational cost allocation recovery
Network policy and usage reporting
The nature of Internet security usage reporting

Meters

Meter placement
Meter structure
Collection issues

Examples

A single segment LAN
An extended (campus or facility-wide) LAN
A regional network
A national backbone

Endnotes

Organizations, Roles, and Responsibilities

Why Internet Security Management Is Important

Responsibilities of network managers
Responsibilities of host system managers
Problems and resolutions
The illusion of Internet security management

Roles

NIST's Internet Security Activities

Information Infrastructure Task Force
OMB Circular A-130
Federal Networking Council

National Research and Education Network
Security architecture for the NREN
Security action plan for the NREN

Internet Society Security Activities

Internet security policy
Privacy-Enhanced Mail

International Standards Bodies

ISO
ITU
CEN
ECMA
Internet Standards
ISO Standards
Obtaining standards documents

Endnotes

Facets of Internet Security

Security Services

Advanced authentication
Public-key infrastructure
Obstacles to deployment

Data Integrity: Penetration Testing

Intrusion detection
Security awareness
Exercise of due care
Key-management issues
Assessment and identification of infiltration threat sources
Controlled simulation
Risk management
Penetration-testing methodology
Formation of a penetration-testing team
Penetration-team functions
Capabilities and requirements
Physical working requirements
Organizational requirements
Conducting a penetration test

Endnotes

Privacy and the National Information Infrastructure

The Role of the Internet in the NII
Principles for Providing and Using Personal Information

General principles for the National Information Infrastructure
Principles for information collectors
Principles for information users
Consequences of providing personal information to others

Privacy and the NII
Authentication

Definition of authentication
Authentication techniques
Authentication devices
Message authentication
An authentication service

Specialized Secured Servers

Names and credentials
Identity-based authorization

Access Control

Examples of access control
Controlling access
Enforcement
Accessing networks remotely
A security challenge
Remote access
Encryption
Algorithms
Firewall protection
Security management

Endnotes

Physical Security

What Is Physical Security?
Management Reviews
Review of Construction Plans

Site location
Computer room and equipment location within a building

Access to Equipment and Facilities
Physical Security Guidelines
Electrical Considerations
Environmental Controls

Environmental physical security guidelines
Air conditioning

Links Outside Central Computer Rooms

Guidelines for links
Access doors

Emergency Procedures
Fire Detection
Fire Suppression

Fire suppression guidelines
Water damage guidelines

General Housekeeping
Endnotes

Part III: Implementing Internet Security Strategies

Data Encryption Standard

NIST Data Encryption Standard Limitations and Guidelines

The RSA digital signature
The certificate
Certification hierarchies

DES Software and Technical Data Controls

Problems with the status quo
National security issues
Banking transactions
Domestic personal and corporate communications
Authentication in the private sector
Technology issues
DES is doomed
Economic issues
Constitutional issues
Regulatory issues
Recommendations for implementation

Endnotes

Clipper Technology

Encryption: A Law Enforcement Perspective

Wiretaps is a tool of law enforcement
Technology and the capability to tap

Strong Cryptography: A Double Standard

Telecommunications transformed government
Communications intelligence
Communications security
Export control
Prospects for the future

EES Encryption

EES decryption by law enforcement
Security of the system
Use of escrowed encryption

The DES Dilemma

Holding keys in escrow
Safeguards
Whom do you trust?
Escro alternatives
Will Clipper catch on?

EES Issues

Privacy concerns raised by EES
Impact of EES on export
Interoperability issues raised by EES
EES: Hardware versus software
Impact of EES on the U.S. computer industry

Endnotes

Pretty Good Privacy (PGP) Program

How PGP Works
PGP Availability as a Programming Library
Usable PGP Platforms
Obtaining PGP

MIT PGP 2.6.2
ViaCrypt PGP 2.7.1
PGP 2.6.2I
A note on ftpmail

Encrypting/Decrypting Messages
Creating a Secondary Key File
Handling Multiple Addresses
Obtaining Scripts to Integrate PGP with E-mail
Decrypting Encrypted Messages
Generating a Key with PGP for UNIX
How Secure Is PGP?
Breaking Up PGP by Trying All Possible Keys

Securing conventional cryptographic options
NSA — Cracking RSA
Cracking RSA publicly
Securing option
Pass phrase or password
Forgetting pass phrases
The best way to crack PGP
Secret decoder ring
Choosing a pass phrase
Remembering a pass phrase
Tamper-proof
Verifying signatures
Trapdoors
Multiuser systems
RSA: A hybrid mix

Keys and Sizes

Adding new keys to a key ring
Extracting multiple keys
Specifying which keys to use
Unknown signator
Getting PGP to display trust parameters on a key
Make your key available via finger

Message Signatures

Signing a message while still leaving it readable
Forging signatures
Legally binding signatures

Key Signatures

To sign a key
Signing your own key
Signing X's key
Verifying someones identity
Signing bogus keys
Key signing parties

Revoking a Key When It's Lost or Stolen
Public-Key Servers
Genesis: And Then There Was PGP

Who are the users?

The Safety Factor
The Illegal Factor
The Legal Factor

Is PGP legal?
Back door legality
Revealing your pass phrase
Paranoia

Intellectual Property Restrictions

Intellectual property restrictions in Canada
Intellectual property restrictions outside of North America

Commercial Versions of PGP
Cost
Commercial Use
Endnotes

Firewalls

Why Firewall?
Design Decisions
Levels of Threat
Firewalls and Their Components

Screening router
Bastion host
Dual-homed gateway
Screened-host gateway
Screened subnet
Application-level gateway (proxy gateway)
Hybrid gateways

Firewalls Using Screening Routers
Dual-Homed Gateways
Screened-Host Gateways
Screened Subnets
Hybrid Gateways
IP Packet Filtering for Improving Firewall Security

How packet filters make decisions
How packet filtering rules are specified
A packet filtering example
Packet filtering caveats
Filtering-related characteristics of application protocols
Problems with current packet filtering implementations
Providing better filter specification mechanisms
Conclusions

UNIX Internet Security Firewalls

Risk, threat, and vulnerability
UNIX Internet security architecture

Public or Nonprivate Connectivity

Router (firewall physical layer)
Dual-homed UNIX gateway server (firewall logical layer)
Computers on the local-area network
Additional security enhancements
Security policy

Endnotes

Toolkits and Methods for Building Internet Firewalls

Overview
Design Philosophy
Configuration and Components
Logging
Electronic Mail
Domain Name Service (DNS)
File Transfer Protocol
Telnet
UDP-Based Services
TCP Access and Use
TCP Plug-Board Connection Server
User Authentication
Testing Firewalls
Future Directions
Observations
Availability
Endnotes

Digital Signatures and Timestamps

Cryptography

Modern symmetric ciphers
Public-key cryptography
Public-key cryptosystems in practice

Electronic Payment

Net Cash
Credit card
Encryption
E-credit card
E-check
Simple e-cash
Complex e-cash

Privacy of Electronic Transactions

Handling cryptographic transactions
Digital credentials

Comparing Prepaid Smart Cards

Card types
Comparison

Digital Signatures

Security of a signature scheme
IBM's digital signature scheme

Plain Text Signatures: Are They Legal?

Forming contracts
Proving it
Forgeries
Cryptography's role

Digital Timestamping Service
Endnotes

Improving Management of Keys

Keeper of the Keys

Get a key pair
Sharing private keys among users

Public-Key Servers
Stable Large E-Mail Databases (SLED)
Verifying 30-Year-Old Signatures
Endnotes

Securing Electronic Mail

Reviewing PGP — Pretty Good Privacy

PGP — what is it?
Why use PGP?
Where to get PGP
What's in PGP?

PGP/PEM Encryption

Using PGP and PEM within HTTP
Distribution of keys
Deflector shields

Secure Solutions for Message Encryption and Authentication
An Overview of Message Processing

Types of keys
Processing procedures
Processing steps
Error cases
Encryption algorithms, modes, and parameters
Privacy-enhancement message transformations: constraints
Encapsulation mechanism
Per-message encapsulated header fields
Encrypted
MIC-Only
MIC-Clear
CRL
Content-Domain field
DEK-Info field
Per-message fields in encapsulated headers
Originator-ID fields
Originator-ID-Asymmetric field
Originator-ID-Symmetric field
Originator-Certificate field
MIC-Info field
Variable occurrence of fields in encapsulated headers
Issuer-Certificate field
Per-recipient fields in encapsulated headers
Recipient-ID fields
Recipient-ID-Asymmetric and Symmetric fields
Key-Info field
Symmetric key management
Asymmetric key management

Key Management

Data encrypting keys (DEKs)
Interchange keys (IKs)
Subfield definitions
Cryptoperiod issues

User Naming
Example User Interface and Implementation
Minimum Essential Requirements
Patent Statement
Certificate-Based Key Management
Overview of Approach
Architecture: Scope and Restrictions

Relationship to X.509 architecture
Entities' roles and responsibilities
Interoperation across boundaries of a certification hierarchy
Certificate revocation
Certificate definition and usage: contents and use
Version number
Serial number
Subject name
Issuer name
Validity period
Subject public component
Certification signature
Validation conventions
Relation with X.509 certificate specification

Algorithms, Modes, and Identifiers

Symmetric encryption algorithms and modes
Asymmetric encryption algorithms and modes

Integrity-Check Algorithms

Message authentication code (MAC)
RSA-MD2 message digest algorithm

RIPEM

Obtaining RIPEM
Om what mailer will RIPEM run?
RSA — what is it?
DES — what is it?
Fingerprint "like MD5"
Distributing and authenticating keys
Patented algorithms in standards such as PEM
RSADSI and PKP
RIPEM public keys
PGP
RPEM — what about it?
MIME
TIS/PEM

Attacks on RIPEM

Cryptanalysis attacks
Key-management attacks
Playback attacks
Local attacks
Untrusted partner attacks
Traffic analysis attacks

Secure Electronic Mail

Sending cipher text through secure e-mail channels: radix-64 format
Setting parameters in the PGP configuration file
Sending ASCII text files across different machine environments
Using PGP as a better uuencode

Liability for En-Route or Encrypted E-Mail

Facts
Criminal law
Civil law
Analysis
Encryption
Threats to your e-mail privacy
Secure electronic mail projects
Advanced health information systems: telemedicine and the law

Endnotes

Securing Servers

Purpose
Secure Server Requirements and Pilot Scenario
Scope
Making Your Server More Secure
Proposals for Secure Servers/HTTP

NCSA HTTP: PGP/PEM encryption scheme
Secure NCSA HTTPD
CERN HTTP
The IETF HTTP Security Working Group
Shen
Netscape SSL protocol
S-HTTP
AT&T Bell Laboratories
SimpleMD5
Digest security scheme

Securing Internet Information Servers

Need for security
General guidelines for establishing information servers

Securing Anonymous FTP Servers

FTP server vulnerabilities
FTP server configuration issues
How to secure an anonymous FTP server: Create the FTP user
Additional configuration for SunOS
Establishing an incoming file area
Advanced features: Public FTP servers

Securing Gopher Servers

Gopher server vulnerabilities
How to configure a Gopher server using configuration options

Securing World Wide Web Servers

WWW network protocol
WWW server vulnerabilities
How to configure a WWW server: General guidelines
Using configuration options

Global Internetworking

The need for network security
Network considerations
Network security issues
Secure network management
A view into the future

Endnotes

Security Aspects of the World Wide Web

Secure HTTP

Features of S-HTTP
Modes of operation

HTTP Encapsulation

The request line
The status line
Secure HTTP header lines
Content

Message Format Option Cryptographic Encapsulation

Content-Privacy-Domain: PKCS-7
Signature
Content-Privacy-Domain: PEM/PGP

Negotiation Overview
Negotiation Header Format
Parametrization for Variable-Length Key Ciphers
Negotiation Headers: S-HTTP-Privacy-Domains
S-HTTP-Certificate-Types
S-HTTP-Key-Exchange-Algorithms
S-HTTP-Signature-Algorithms
S-HTTP-Message-Digest-Algorithms
S-HTTP-Symmetric-Content-Algorithms
S-HTTP-Symmetric-Header-Algorithms
S-HTTP-privacy-Enhancements
Your-Key-Pattern

Cover key patterns
Auth key patterns
Signing key pattern
Kerberos ID pattern

Example
Defaults
New HTTP Header Lines

Secureity-Scheme
Encryption-Identity
Certificate-Info
Key-Assign
Nonces

Retriable Server Status Error Reports

Retry for option (re)negotiation
Specific retry behavior: Unauthorized 401 and PaymentRequired 402
Limitations on automatic retries

Other Issues: Compatibility of Servers with Old Clients

HTML and URL format extensions
Server conventions: certificate requests
Browser presentation: transaction security status

Implementation, Recommendations, and Requirements
Protocol Syntax Summary

S-HTTP (unencapsulated) non-negotiation headers
HTTP (encapsulated) non-negotiation headers
Encapsulated negotiation headers
HTTP methods
Server status reports
HTML anchor attributes
HTML elements
Server conventions

Future Work

Encapsulation formats
Interaction with future versions of HTTP

Beyond S-HTTP

Combining industry-leading Secure HTTP and SSL technologies
What is SSL?
What about S-HTTP?
Unified security approach to electronic commerce

Endnotes

Part IV: Results and Future Directions

Ensuring Secure Commercial Transactions on the Internet

The New Approach and How It Differs

Securing commercial communication transactions on the Internet
Commercial payment transactions
Blind signatures for untraceable payments
Extending the envelope analogy
Leaving the analogy
Ensuring secure credential commercial transactions on the Internet
The basic credential system
Revealing only necessary information
Preventing use of untimely information
Micr- and macro-comparisons: Advantages to individuals

NetBill: A Secure Internet Commercial Transaction System

The market for information
A NetBill scenario
NetBill architecture
The NetBill transaction protocol
Protocol failure analysis
NetBill account management
NetBill costs and interaction with financial institutions
An example of NetBill with Mosaic

Additional Issues
Personal Privacy and Security during Commercial Transactions on the Internet

Tools
Collusion analysis
Anonymous credit card
National health insurance
Generalizations of collusion analysis

The Secure Commerce Model

Transactions
Funds transfer
Settlement
Security considerations

Payment Switches for Commercial Transactions on the Internet

Network-based order entry
On-line payment servers
Off-line digital cash
Digital analogs of conventional financial instruments
Multiple authentication technologies

The NetCheque Perspective

Requirements
Payment models
The NetCheque system
Implementation overview
Status

High-Security Digital Payment Systems on the Internet

Devices
Basic functionality
The special security goals of CAFE
Security techniques

Endnotes

Commercial Satellite and International Encryption Options, Implications, and Enhancements

Overal Goal of the Unidata IDD

Current system
National system
Leveraging the investment
The problem
Model Internet distribution system
The work to be done
Current status: Software development
Network management
Functions of IDD sites
Deployment
Regional redistribution
Network information servers
Contributions

Commercial Satellite Link Traffic Analysis and Confidentiality

Traffic analysis
Confidentiality
Link physical security characteristics
Protocol specifications
Protocol implementation

Space Flight Projects: Command Uplink and Downlink

Signal power
Uplink and downlink
Modulation and demodulation
Multiplexing
Coherence

Endnotes

National Security Agency's Multilevel Information Systems Security Initiative for the Internet

The MISSI Approach

Evolution
Affordability and performance

Current DOD Web Site Systems Communications Environment
Future DOD Internet and Web Site Systems Communications Environment with MISSI Solutions
MISSI Product Suite
MISSI Security Profiles
NSA Mosaic-Fortezza Technology Project

Infrastructure
Mosaic-Fortezza security services
Fortezza Crypto Card
Mosaic-Fortezza
Early solutions for providing secret-to-unclassified capability
MISSI solution for providing unclassified through secret and beyond Applique

Endnotes

Moral and Ethical Concerns

Privacy in a Technological Society
Invasions of Privacy
Digital Privacy: Ethical and Moral Issues

The Clipper chip: pros and cons
Other encryption alternatives
Clinton administration policy: rants and raves
Ethical considerations

The End of Privacy

Ubiquitous computing
Universal connectivity
Wireless technology
Public key cryptography and digital signatures
Global positioning systems
Unicard utopia
Where are they now?

Endnotes

Summary and Recommendations

General Principles for the National Information Infrastructure
Responsibilities of Original Collectors of Personal Information
Responsibilities of Information Users

Acquisition and use principles
Protection principle
Education principle
Fairness principle

Rights and Responsibilities of Individuals Who Provide Personal Information

Awareness principles
Principle of redress

The New Alliance: Gaining on Security
Break-Ins to the NASA Internet Gateway

The scenario
Masquerade strategies
Consequences of the attacks
Lessons learned

Information Warfare
Secrecy — Smoke and Mirrors

Practical application of encryption devices: Time value of information
Determining the security level of a device
Selection of device level
Selection of device type
Voice: What is it?
Common factors of voice communication systems
Data communication over voice systems
Special concerns for cellular systems
What does this have to do with encryption?
Telephone systems: The future
Radio systems: The future
DES: The data encryption standard
Software-based encryption
The security of cellular telephones
A cruise to danger on a Clipper chip
The ultimate question

Web Site and Internet Security Solutions

Encrypting data
Freedom of speech
Hate speech
Intellectual property
Trade war
Safe Internet practices for children

Recommendations

Lessons and conclusions
Recommendations for action

Endnotes

Part V: Appendixes

Foiling the Cracker: A Survey of, and Improvements to, Password Security

Password Vulnerability

The survey and initial results
Method of attack
Summary of results

Action, Reaction, and Proaction

A proactive password checker

Conclusion (and Sermon)
Endnote

Glossary of Terms and Acronyms

Reviews