Secure dbAccess IDS Server


The Internet and intranet links connecting IDS Server and its client components (IDS JDBC Driver, IDS .NET Data Provider and .NET SQL Driver) are unprotected communication channels. They are vulnerable to hackers and eavesdroppers who can intercept and even alter the transmitted data. IDS Server can use the Secure Socket Layer v3 (SSL) protocol to protect the communication with its three client components. This feature is called Secure dbAccess. The SSL protocol is a widely accepted industry standard for secure communication introduced by Netscape Communications Inc. Secure dbAccess comes in two variants:

Public-Key Secure JDBC
A public-key cryptosystem does not require the two communicating parties to possess any shared secret prior to establishing a secure communication link. This is the most flexible and commonly used cryptosystem in digital communication, and the implementation of such a system in IDS Server is called Public-Key Secure dbAccess.

Public-Key Secure dbAccess is suitable for protecting the JDBC and .NET access of an unknown client, such as an anonymous user accessing a public web site. An example application would be a Java-based shopping cart system in which the database transaction through the IDS JDBC Driver is secured.

Secret Key Secure JDBC
IDS Server also implements the SSL protocol with a secret key cryptosystem, also called Secret Key Secure dbAccess. The SSL protocol in Public-Key Secure JDBC supports only server side authentication. Secret Key Secure JDBC is offered as an alternative to client side authentication.

Secret Key Secure dbAccess requires that both the client and the server share an identical secret key, which is used to encrypt and decrypt the communication stream. Only parties that have this secret key will be able to read the exchanged data, thus preventing eavesdroppers from obtaining sensitive information such as usernames, passwords and database data.

How Safe is Secure dbAccess

The SSL protocol supports many combinations of public-key digital signatures, key exchange protocols and symmetric ciphers. These combinations are also called cipher-suites. The specification of cipher-suites supported by IDS Server is as follows:

Key Exchange:

RSA or Diffie-Hellman (authenticated or anonymous)

Digital Signature:

RSA or ElGamal

Symmetric Ciphers:

56-bit DES, 168-bit Triple DES, 40-bit DES, 128-bit Blowfish

Message Digest:

SHA-1

Diffie-Hellman
Diffie-Hellman is a public key exchange algorithm invented in 1976 by two Stanford University scholars, Whitfield Diffie and Martin Hellman [2]. They were the first to put forward the concept of public-key cryptography. While the original Diffie-Hellman protocol is vulnerable to the "man in the middle" attack, the combination of Diffie-Hellman and a digital signature algorithm [3] is safe.
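
The difference between the anonymous and the authenticated Diffie-Hellman variants listed above can be seen in a small simulation. This is an added example, not IDS Server code: the group, the textbook RSA signing key and every function name are constructed for illustration and are far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use).
P, G = 2**127 - 1, 3                       # DH group: Mersenne prime modulus, base 3
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1       # two Mersenne primes for a textbook RSA key
N, E = RSA_P * RSA_Q, 65537                # server's public verification key
D = pow(E, -1, (RSA_P - 1) * (RSA_Q - 1))  # server's private signing exponent

def digest(value):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return digest(pow(peer_pub, priv, P))

def sign(value):                           # textbook RSA, no padding: illustration only
    return pow(digest(value) % N, D, N)

def verify(value, sig):
    return sig is not None and pow(sig, E, N) == digest(value) % N

def handshake(signed, tampered):
    """Simulate one key exchange. `tampered` models an on-path party that
    substitutes its own DH public value in both directions."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    sig = sign(s_pub) if signed else None  # real protocols also sign fresh nonces
    seen_by_client = m_pub if tampered else s_pub
    seen_by_server = m_pub if tampered else c_pub
    # The client checks the server's signature over the value it actually received.
    if signed and not verify(seen_by_client, sig):
        return {"accepted": False, "keys_match": False, "exposed": False}
    client_key = session_key(c_priv, seen_by_client)
    server_key = session_key(s_priv, seen_by_server)
    exposed = tampered and client_key == session_key(m_priv, c_pub)
    return {"accepted": True, "keys_match": client_key == server_key, "exposed": exposed}

if __name__ == "__main__":
    for signed in (False, True):
        for tampered in (False, True):
            print(f"signed={signed} tampered={tampered} ->", handshake(signed, tampered))
```

With the anonymous exchange the client accepts a substituted value and ends up sharing its key with the intermediary; with the signed exchange the substitution fails verification and the handshake is rejected, which is why anonymous key exchange should be disabled wherever the server's identity matters.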

RSA
RSA is a public-key algorithm that can be used for both encryption and digital signatures. Ronald Rivest, Adi Shamir, and Leonard Adleman developed the RSA algorithm in 1977 [9]. RSA stands for the first letter in each of its inventors’ last names. The security of the RSA algorithm is based on the assumption that factoring is difficult. The discovery of an easy method of factoring would “break” RSA. However, RSA has stood the test of time and has proven to be the industry standard for public-key cryptography.

What is ElGamal?
ElGamal is a public-key algorithm introduced in 1985 by T. ElGamal [4]. No successful attack on this algorithm has ever been reported. In 1994, several independent research teams presented their findings that all discrete logarithm based public-key digital signature algorithms are variants of a generalized "meta" algorithm [5][6][7][8]. The entire family of these variants, including ElGamal and DSA, is considered equally safe.

It is important to understand that the security of any public-key cryptosystem now known is by no means absolute. The "bet" is on the difficulty of deducing the private key from the public key. This depends on the length of the public/private key pair and the computing power that might be used to "crack" the key pair.

The key length of ElGamal supported by IDS Server can range from 256 bits to arbitrarily long. Key lengths ranging from 1024 to 2048 bits are considered safe for the next 20 years [1]. Of course, this prediction is based on the current computing power and a rough estimate of hardware and cryptanalysis advances in the near future.

DES and Blowfish
Digital Encryption Standard (DES) was designed by a team of IBM researchers in the early 1970s. It was adopted as a federal standard in 1976 and later approved by ANSI as a private-sector standard in 1981. DES is a long-standing and most scrutinized symmetric cipher.

The Blowfish cipher was designed by Bruce Schneier [1] in 1994. This algorithm is faster than DES and supports up to 448-bit long keys, far longer than the 56-bit key size of DES. Since its publication, Blowfish has received intense cryptanalysis and is still unbroken.

In June of 1997, a team orchestrated by Loveland, Colorado programmer Rocke Verser successfully "cracked" a 56-bit DES encrypted message, a $10,000 challenge posted by RSADSI. The significance of this team effort is that they did it by fragmenting and distributing the problem solving process to thousands of computers throughout the country, and it was a 90MHz Pentium PC that found the 56-bit key. One can consider this team lucky, because they had searched only 25% of the total probable keys in five months.

What does this event mean? Obviously, if your adversary can harvest more computing power than this team, your 56-bit DES encrypted message will be equally if not more vulnerable. It would be silly not to predict that years from now anyone with reasonable financial support will break this message with only a handful of more powerful computers in hours or less.

Fortunately, despite all this, it will still take the entire planet’s computing power 10^11 years to break a 128-bit symmetric cipher [1]. Therefore, at least to the best knowledge of current cryptanalysis, 168-bit Triple DES and 128-bit Blowfish supported by Secure JDBC are safe.

Message Digest and SHA-1
A message digest, also called a one-way hashing function, is a function that calculates the "fingerprint" of a message. Two different messages, no matter how minor the differences are, are ensured to yield two different fingerprints (or digests) by the one-way hashing function.

SHA-1 stands for Secure Hash Algorithm version 1. It was designed by NIST and NSA as part of the Digital Signature Standard mentioned earlier. SHA-1 produces a 160-bit digest, which is longer than many other counterparts. There is no known report of the breaking of SHA-1.

What is SSLeay?
SSLeay is a Secure Socket Layer and cryptography C programming library written by Eric Young of CryptSoft Pty Ltd, Australia. This library is widely respected by the cryptography community, and some of its source code is used by major players in the data security industry such as RSADSI and Netscape Communications. The SSLeay library has already been used to build many successful commercial security products such as the Stronghold secure Web server from UKWeb and the Sioux secure Web server from Thawte Consulting. The server side Secure JDBC feature of IDS Server is implemented using parts of the SSLeay library.

References

[1] B. Schneier, "Applied Cryptography," 2nd Edition, John Wiley & Sons, Inc., 1996. ISBN 0-471-12845-7, ISBN 0-471-11709-0.

[2] W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644-654.

[3] W. Diffie, P.C. van Oorschot, and M.J. Wiener, "Authentication and Authenticated Key Exchanges," Designs, Codes and Cryptography, v. 2, 1992, pp. 107-125.

[4] T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," Advances in Cryptography: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 10-18.

[5] P. Horster, H. Peterson, and M. Michels, "Meta-ElGamal Signature Schemes," Proceedings of the 2nd Annual ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 96-107.

[6] P. Horster, H. Peterson, and M. Michels, "Meta Message Recovery and Meta Blind Signature Schemes Based on the Discrete Logarithm Problem and their Applications," Advances in Cryptography -- ASIACRYPT ‘94 Proceedings, Springer-Verlag, 1995, pp. 224-237.

[7] L. Harn and Y. Xu, "Design of Generalized ElGamal Type Digital Signature Schemes Based on Discrete Logarithm," Electronics Letters, v. 30, n. 24, 24 Nov 1994, pp. 2025-2026.

[8] K. Nyberg and R.A. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Advances in Cryptology -- EUROCRYPT ‘94 Proceedings, Springer-Verlag, 1994, pp. 368-377.

[9] R.L. Rivest, A. Shamir, and L.M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM (2) 21 (1978), pp. 120-126.


Copyright © 1997-2006 IDS Software. All rights reserved.