|
|||||||||
Home |
The Internet and Intranet connecting IDS Server and its client components (IDS JDBC Driver IDS .NET Data Provider and .NET SQL Driver) are unprotected communication channels. They are vulnerable to hackers and eavesdroppers who can intercept and even alter the transmitted data. IDS Server can use the Secure Socket Layer v3 (SSL) protocol to protect the communication with its three client components. This feature is called Secure dbAccess. The SSL protocol is a widely accepted industry standard for secure communication introduced by Netscape Communications Inc. Secure dbAccess comes in two variants:
The SSL protocol supports many combinations of public-key digital signatures, key exchange protocols and symmetric ciphers. These combinations are also called cipher-suites. The specification of cipher-suites supported by IDS Server is as follows:
Diffie-Hellman RSA What is ElGamal? It is important to understand that the security of any public-key cryptography now known to man is by no means in absolute terms. The "bet" is on the difficulty of deducing the private key from the public key. This depends on the length of the public/private key pair and the computing power that might be used to "crack" the key pair. The key length of ElGamal supported by IDS Server can range from 256-bit to arbitrarily long. A key length ranging from 1024 to 2048 bits are considered safe for the next 20 years [1]. Of course, this prediction is based on the current computing power and the rough estimate of hardware and cryptanalysis advances in the near future. DES and Blowfish The Blowfish cipher was designed by Bruce Schneier [1] in 1994. This algorithm is faster than DES and supports up to 448-bit long keys, far longer than the 56-bit key size of DES. Since its publication, Blowfish has received intense cryptanalysis and is still unbroken. In June of 1997, a team orchestrated by a Loveland, Colorado programmer Rocke Verser, successfully "cracked" a 56-bit DES encrypted message, a $10,000 challenge posted by RSADSI. The significance of this team effort is that they did it by fragmenting and distributing the problem solving process to thousands of computers throughout the country, and it was a 90MHz Pentium PC that found the 56-bit key. One can consider this team lucky, because they have only searched 25% of the total probable keys in five months. What does this event mean? Obviously, if your adversary can harvest more computing power than this team, your 56-bit DES encrypted message will be equally if not more vulnerable. It is silly not to predict that years from now anyone with a reasonable financial support will break this message with only a handful of more powerful computers in hours or less. Fortunately, despite all these, it will still take the entire planet’s computing power 1011 years to break a 128-bit symmetric cipher [1]. Therefore, at lease to the best knowledge of current cryptanalysis, 168-bit Triple DES and 128-bit Blowfish supported by Secure JDBC are safe. Message Digest and SHA-1 SHA-1 stands for Secure Hash Algorithm version 1. It was designed by NIST and NSA as part of the Digital Signature Standard mentioned earlier. SHA-1 produces a 160-bit digest, which is longer than many other counterparts. There is no known report of the breaking of SHA-1. What is SSLeay? References [1] B. Schneier, "Applied Cryptography," 2nd Edition, John Wiley & Sons, Inc., 1996. ISBN 0-471-12845-7, ISBN 0-471-11709-0. [2] W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644-654. [3] W. Diffie, P.C. van Oorschot, and M.J. Wiener, "Authentication and Authenticated Key Exchanges," Designs, Codes and Cryptography, v. 2, 1992, 107-125. [4] T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," Advances in Cryptography: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 10-18. [5] P. Horster, H. Peterson, and M. Michels, "Meta-ElGamal Signature Schemes," Proceedings of the 2nd Annual ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 96-107. [6] P. Horster, H. Peterson, and M. Michels, "Meta Message Recovery and Meta Blind Signature Schemes Based on the Discrete Logarithm Problem and their Applications," Advances in Cryptography -- ASIACRYPT ‘94 Proceedings, Springer-Verlag, 1995, pp. 224-237. [7] L. Harn and Y. Xu, "Design of Generalized ElGamal Type Digital Signature Schemes Based on Discrete Logarithm," Electronics Letters, v. 30, n 24, 24 Nov 1994, p. 2025-2026. [8] K. Nyberg and R.A. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Advance in Cryptology--EUROCRYPT ‘94 Proceedings, Springer-Verlag, 1994, pp. 368-377. [9] R.L. Rivest, A. Shamir, and L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM (2) 21 (1978), 120-126. |
||||||||
Copyright c 1997-2006 IDS Software. All rights reserved. |