Message Privacy

New technologies make it possible to monitor all types of information that one individual might send to another. Carnivore is one example of such a technology. This controversial program was developed by the Federal Bureau of Investigation (FBI) to give the U.S. government the ability to monitor the Internet and email activities of suspected criminals.

Some Internet applications have little or no built-in security. Instant messaging (IM) is a good example. Many corporations allow or use IM, but it was built for chatting, not security. Most IM applications lack encryption capabilities, have insecure password management, and have features that actively work to bypass firewalls. IM can be vulnerable to sniffing attacks, can be used to spread viruses and worms, and can be targeted for buffer overflow attacks.

Standard email is also very insecure. Sending an email message is much like sending a postcard to Mom through the U.S. Mail. Anyone who happens to see the card during transit can read the message you sent her from your trip to Niagara Falls. If you need a little privacy, you must use encryption. Using encryption is the equivalent of sending a letter: The sealed envelope will prevent the casual snoop from learning about your trip to Niagara Falls. Email protection mechanisms include Pretty Good Privacy (PGP), Secure Multipurpose Internet Mail Extensions (S/MIME), and Privacy Enhanced Mail (PEM).

PGP

Phil Zimmermann initially developed Pretty Good Privacy (PGP) in 1991 as a free email security application. It is as close to military-grade encryption as a private individual can get and works well at securing email. Unlike public key infrastructure (PKI), PGP does not rely on a certificate authority; it uses a web of trust. Users distribute and sign their own public keys, and each user decides how much to trust the other parties they exchange keys with as introducers of further keys. PGP is a hybrid cryptosystem, in that it uses both symmetric (secret-key) and asymmetric (public-key) encryption. Some of the algorithms PGP can use include Triple DES and Twofish for symmetric encryption, and Diffie-Hellman, Digital Signature Standard (DSS), and RSA for asymmetric encryption.
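The web-of-trust idea above is easiest to see as a small calculation over a keyring. The following Python model is an added example, not code from the book or from any PGP implementation: it takes a map of who signed whose key and the owner-trust level the local user assigned to each key, and computes which keys the user should treat as valid. The thresholds (one fully trusted introducer, or two marginally trusted ones) are the classic PGP 2.x defaults; GnuPG ships with different defaults, so they are parameters here. The key IDs are constructed sample data.

```python
# Added example (not from the book): a small model of PGP's web of trust.
# Key validity is computed from (a) which keys have signed which other keys and
# (b) the owner-trust level the local user assigned to each key.

FULL = "full"          # you trust this key's owner to introduce other keys
MARGINAL = "marginal"  # you trust them somewhat; several are needed together
NONE = "none"          # the key may be valid, but its signatures do not count


def compute_valid_keys(own_key, signatures, owner_trust,
                       completes_needed=1, marginals_needed=2):
    """Return the set of key IDs the local user should treat as valid.

    own_key:      the local user's own key ID (always valid, always a full introducer)
    signatures:   dict mapping a key ID to the set of key IDs that signed it
    owner_trust:  dict mapping a key ID to FULL / MARGINAL / NONE as assigned by the user

    A key becomes valid when it is signed by enough *valid* keys whose owners the
    user trusts: at least `completes_needed` fully trusted introducers or at least
    `marginals_needed` marginally trusted ones. Validity propagates through the
    signature graph, so we iterate until no new key becomes valid.
    """
    valid = {own_key}
    trust = dict(owner_trust)
    trust[own_key] = FULL  # our own key counts as a fully trusted introducer
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures from keys we already consider valid can count.
            introducers = [s for s in signers if s in valid]
            full = sum(1 for s in introducers if trust.get(s, NONE) == FULL)
            marginal = sum(1 for s in introducers if trust.get(s, NONE) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


# Constructed sample keyring (hypothetical key IDs, not real keys).
SIGNATURES = {
    "alice": {"me"},
    "bob": {"me"},
    "carol": {"me"},
    "dave": {"alice"},          # introduced by one fully trusted key
    "eve": {"bob", "carol"},    # introduced by two marginally trusted keys
    "frank": {"bob"},           # one marginal signature is not enough
    "grace": {"dave"},          # dave's key is valid, but we gave dave no owner trust
}
OWNER_TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL}


def demo():
    """Run the model with the classic defaults and with a stricter marginal threshold."""
    classic = compute_valid_keys("me", SIGNATURES, OWNER_TRUST)
    strict = compute_valid_keys("me", SIGNATURES, OWNER_TRUST, marginals_needed=3)
    return classic, strict


if __name__ == "__main__":
    classic, strict = demo()
    print("valid (1 full or 2 marginal):", sorted(classic))
    print("valid (1 full or 3 marginal):", sorted(strict))
```

Two points the model makes visible: a key being valid (dave) is separate from its owner being trusted to introduce others (grace stays invalid), and the marginal threshold is a local policy choice that changes the outcome (eve is valid at two marginals, not at three). That is exactly the judgement PGP pushes onto each user, in contrast to a PKI where the certificate authority makes it once for everyone.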

S/MIME

Secure Multipurpose Internet Mail Extensions (S/MIME) secures email by using X.509 certificates for authentication. The Public Key Cryptography Standards (PKCS) are used to provide encryption. It can work in one of two modes: signed and enveloped. Signed mode provides integrity and authentication. Enveloped mode provides confidentiality, authentication, and integrity.

Privacy Enhanced Mail (PEM)

PEM is an older email security standard. It provides encryption, authentication, and X.509 certificate-based key management.

CISSP Exam Cram 2
ISBN: 078973446X
Year: 2003
Pages: 204
Author: Michael Gregg