The Importance of Various IT Security Issues

As statistics show, it is precisely errors and illiterate actions of personnel (Fig. 8.2) that cause the greatest losses to enterprises. Not without reason has become conventional wisdom someone aptly abandoned the phrase " user more unpredictable than a hacker. "

 

 

 

Fig. 8.2. According to Computer Security, personnel errors account for more than 50% of the causes of losses in the enterprise

 

To reduce staff errors, you need to have a basic understanding of secure communications.

Modern network - a multi-component structure, including desktops, mobile computers, access to the Internet and other components. So a universal solution to ensure the protection of some abstract organization does not exist. The protection of various components can be built on different principles, and the choice of the optimal strategy for protecting corporate data is a task as complex as any other task of complex informatization. Office employees who are not professionally involved in security issues are not required to have sufficient knowledge to protect the corporate network, but they must have an idea of what security systems are used, what their essence is and, most importantly, how to interact with these systems in order to work in The office was safe.

 

 

 

 

Lecture 15: Crypto Protection and Secure Communications

 

Tags: password, software, email, cryptography, the crypto, identification of Custom e - la, server, plaintext, algorithm, encryption, word, key, symmetric encryption, symmetric key, asymmetric encryption, algorithm asymmetric crypto - Bani, decryption, authenticity, electronic signature, public key, an attacker, CA, the certification Authority, the digital signature, user certificates, certification authority, issuer of the certificate, the private key, the issue of certificates, software, computer, user, of Internet, Symbol Item, software, security, management, certificate, manager Have, image, value, data encryption, the Outlook, Access, a digital certificate, an address

 

What is cryptography?

So far, we have considered the problem of restricting access to information of persons who have a password in advance that provides them with access to the system.

However, if we talk about secure communications, more complex tasks arise here. Suppose we need to send a document over the Web. If we protect the document with a password, then in order for anyone who receives a protected document to be able to open it, it is necessary to provide a password to him as well, but how to make the password unavailable to other people?

Consider a specific example. Let employee A send his colleague B an important document by e-mail (Fig. 10.1.).

 

 

 

Fig. 10.1. An e-mail can be easily read at the intermediate points of his travel on the Web, for example, on the provider's server

 

It is known that a letter and attached files can be easily read at intermediate points of its travel on the Web, for example, on the provider's server.

Therefore, receiving a letter, B asks himself the following questions. Was this document really sent by A, and not by another person posing as A? Was the document intercepted and modified during the delivery process? Has the document been read by anyone other than him? In other words, he is worried about the verification of sender and message authentication and the confidentiality of the message. As will be shown below, all of these problems are solved by modern cryptography.

Cryptography (from the Greek. Cryptos - "secret") - is the science and technology of encryption of important information to protect it from unauthorized changes and ¹ access. Cryptography serves not only to translate texts into an unreadable encrypted form, but also allows you to solve authentication and user identification tasks when working on the Web.

It should be noted that on the Web we communicate not only with people, but also with various services. For example, when we are going to download a program from a server, it is also important for us to know that this server belongs to the development company, and not to the pirate company that distributes unlicensed software that may contain viruses.

Key Encryption

We will consider the process of encryption with a key using a specific example.

Suppose we need to encrypt the plain text "Hello Vasya" using the simplest algorithm - replacing letters with their numbers in the alphabet. As a result, we get an encrypted text of the form: 17 18 10 3 6 20 3 1 19 33. Obviously, if an outsider recognizes the encryption algorithm, then it will be impossible to use it in the future.

This is easy to avoid if you use encryption with the key. In order to clarify the essence of the encryption process with a key, we give a simple example (Fig. 10.2).

 

 

 

Fig. 10.2. Secret Key Encryption Principle

 

Let us write out the letters of the text and write down their numbers in the alphabet below them. The third line we write the letters of the key, repeating this word on the whole line. Under the letters of the key, we write their numbers in the alphabet, and in the fourth line we write the amount, which will be the encrypted message: 20 19 29 36, etc. 

Knowing the key and the algorithm, it is easy to decrypt the message: 20 - 3 = 17, and the 17th letter of the alphabet is "P", etc. Even if the attacker knows the algorithm, but the key is unknown, it is impossible to read the message without a lengthy key selection procedure. Thus, one algorithm can be used with many keys for different communication channels, assigning a separate key to each correspondent.

The longer the cipher key, the more it will take to sort through various combinations during decryption, and the more difficult it is to decode the message.

Symmetric Key Encryption

Consider a specific example: let correspondents A and B write each other a letter (Fig. 10.3). Each has its own secret key (a specific secret code), which can be used to encrypt data before sending it to the network. In order to more clearly depict the encryption scheme, we will use pictograms (Fig. 10.2), i.e. portray the key as a regular key, and the encrypted message as a document sealed in an envelope. Then the process of encryption and decryption can be represented in the form shown in Fig. 10.3.   

 

 

Fig. 10.3. Secret (symmetric) key encryption scheme

 

User A encrypts the message with his secret key, sends the message over the Network, and receiver B (using the same secret key) decrypts the message. If you look at the figure, it is easy to verify that the circuit is symmetrical. Left and right users use the same (symmetric) keys, so this type of encryption is called encryption with a symmetric key.

The secret key encryption method has certain disadvantages. First of all, symmetric encryption does not solve the authentication problem. For example, A may write a letter to a certain third party C and declare that B did so.

In addition, the symmetric key must be installed on the computer of the sender and recipient before exchanging secret messages. Obviously, encryption for safe communication on the Internet makes sense when correspondents do not need to meet in person. The problem occurs when transferring the secret key. Indeed, if A sends B the secret key in unencrypted form, it can be intercepted. If the key is sent in encrypted form, then B will not be able to receive it. For correspondence with several correspondents, you must have one key for each correspondent, which is inconvenient. In order to solve these problems, an asymmetric encryption scheme (public key encryption) was proposed.

Asymmetric Encryption

Asymmetric encryption, or encryption using a public key, is based on the use of a pair of keys: private (private) and public (public).

The message can be encrypted with both a private and a public key, and decrypted only with the second key from a pair. That is, a message encrypted with a private key can only be decrypted with a public key, and vice versa. The private key is known only to the owner and it cannot be transferred to anyone, while the public key is distributed openly and is known to all correspondents.

A pair of keys - private and public - can be used both for solving authentication problems and for secrecy (confidentiality).

According to the first scheme (Fig. 10.4), user A sends the public key in advance to his correspondents B and C, and then sends them a message encrypted with his private key.

 

Fig. 10.4. Only A could send a message (only he has a private key), i.e. authentication problem resolved. But, for example, B is not sure that C did not read the letter. Thus, confidentiality is not ensured.

 

The scheme providing secrecy (confidentiality) is presented in fig. 10.5.

 

 

Fig. 10.5. Only A can read the message, since only he has the private key that reveals the message, that is, the privacy problem is resolved. But A cannot be sure that the message was not sent by C, posing as B. Thus, authentication is not provided

 

Thus, in order to ensure confidential messaging in the correspondence of two persons, it is necessary to have two key pairs.

When encrypting using a key pair (Fig. 10.5), A does not need to send its public key to all correspondents. It is much more convenient to put this key on the Web on a server with open access. Then everyone can download this key and send A secret message, which, apart from it, no one will read.