The incredible growth of the Internet has excited businesses and consumers alike with its promise of

changing the way we live and work. But a major concern has been just how secure the Internet is,
especially when you're sending sensitive information through it. --

There's a whole lot of information that we don't want other people to see, such as: Credit-card
information, Social Security numbers, Private correspondence, Personal details, Sensitive company
information, and Bank-account information.--

Many of you probably hear on the news, every so often, “A popular website has been compromised
and many people have had their personal data stolen!” When a website is compromised, it puts
thousands at risk for one of many possible types of identity theft. It is rare that a site is hacked to
this extent: usually, the data is collected through look alike sites, through spyware, or through other
means of collection; most of which happen on a single-user basis. It makes many people nervous
when giving out personal information to anyone online because they are not sure what can really
happen, and they do not have all the facts.--

Hackers are commonly thought of as the bad guys, the people who make your computer go as slow
as heck, and the people who steal your identity. In reality, they are actually the opposite. Hackers
are the good guys who test security vulnerabilities and fix them. Government agencies, software
companies (including Microsoft), and internet security companies employ hundreds of hackers to
test their software before its release. They try to hack the software to make sure that when it ships,
people are not going to be able to use it for malicious purposes.--

Cracker is a term that isn’t used much outside of the security world. A cracker is someone who
exploits holes in a program for malicious use. For example, the people who create game keygens are
crackers, meaning what they do is illegal. Normally both hackers and crackers are referred as
hackers, unless a distinction needs to be made; most people think of the two as the same---

Information security is provided on computers and over the Internet by a variety of methods. The
most popular forms of security all rely on encryption, the process of encoding information in such a
way that only the person (or computer) with the key can decode it. ---

Encryption Systems

Computer encryption is based on the science of cryptography, which has been used throughout
history. Before the digital age, the biggest users of cryptography were governments, particularly for
military purposes. The existence of coded messages has been verified as far back as the Roman
Empire. But most forms of cryptography in use these days rely on computers, simply because a
human-based code is too easy for a computer to crack. ---

Cryptography is the science of information security. The word is derived from the Greek kryptos,
meaning hidden. Cryptography is closely related to the disciplines of cryptology and cryptanalysis.
Cryptography includes techniques such as microdots, merging words with images, and other ways to
hide information in storage or transit. However, in today's computer-centric world, cryptography is
most often associated with scrambling plaintext (ordinary text, sometimes referred to as cleartext)
into ciphertext (a process called encryption), then back again (known as decryption). Individuals
who practice this field are known as cryptographers---
Modern cryptography concerns itself with the following four objectives:

1. Confidentiality (the information cannot be understood by anyone for whom it was

2. Integrity (the information cannot be altered in storage or transit between sender and
intended receiver without the alteration being detected)

3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or
her intentions in the creation or transmission of the information)

4. Authentication (the sender and receiver can confirm each other’s identity and the
origin/destination of the information)

5. Procedures and protocols that meet some or all of these criteria are known as
cryptosystems.

Cryptosystems are often thought to refer only to mathematical procedures and computer programs;
however, they also include the regulation of human behavior, such as choosing hard-to-guess
passwords, logging off unused systems, and not discussing sensitive procedures with outsiders.

Why Have Cryptography

Encryption is the science of changing data so that it is unrecognisable and useless to an unauthorised
person. Decryption is changing it back to its original form. The most secure techniques use a
mathematical algorithm and a variable value known as a 'key'. The selected key (often any random
character string) is input on encryption and is integral to the changing of the data. The EXACT same
key MUST be input to enable decryption of the data. This is the basis of the protection.... if the key
(sometimes called a password) is only known by authorized individual(s), the data cannot be
exposed to other parties. Only those who know the key can decrypt it. This is known as 'private key'
cryptography, which is the most well known form.

Most computer encryption systems belong in one of two categories: Symmetric-key encryption
Asymmetric / Public-key encryption

Symmetric Key

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a
packet of information before it is sent over the network to another computer. Symmetric-key
requires that you know which computers will be talking to each other so you can install the key on
each one. Symmetric-key encryption is essentially the same as a secret code that each of the two
computers must know in order to decode the information. The code provides the key to decoding
the message. Think of it like this: You create a coded message to send to a friend in which each letter
is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B"
becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the
message and decodes it. Anyone else who sees the message will see only nonsense.

Asymmetric Key
There is a second kind of encryption, which uses one key to encrypt, and a different key to decrypt.
Such a system is called an asymmetric cryptosystem. It has the advantage that many people can use
the encryption key to encrypt messages for a recipient, but only the recipient who has the
decryption key can read and understand them. When the encryption key is published for anyone to
use, then this is called a public key cryptosystem, since one of the two keys is public.

To implement public-key encryption on a large scale, such as a secure Web server might need,
requires a different approach. This is where digital certificates come in. A digital certificate is
basically a bit of information that says that the Web server is trusted by an independent source
known as a certificate authority. The certificate authority acts as a middleman that both computers
trust. It confirms that each computer is in fact who it says it is, and then provides the public keys of
each computer to the other.

Public Key: SSL: A popular implementation of public-key encryption is the Secure Sockets Layer
(SSL). Originally developed by Netscape, SSL is an Internet security protocol used by Internet
browsers and Web servers to transmit sensitive information. SSL has become part of an overall
security protocol known as Transport Layer Security (TLS).

In your browser, you can tell when you are using a secure protocol, such as TLS, in a couple of
different ways. You will notice that the "http" in the address line is replaced with "https," and you
should see a small padlock in the status bar at the bottom of the browser window.

Public-key encryption takes a lot of computing, so most systems use a combination of public-key and
symmetry.

When two computers initiate a secure session, one computer creates a symmetric key and sends it
to the other computer using public-key encryption.

The two computers can then communicate using symmetric-key encryption.

Once the session is finished, each computer discards the symmetric key used for that session.

Any additional sessions require that a new symmetric key be created, and the process is repeated

Hashing Algorithms

The key in public-key encryption is based on a hash value. This is a value that is computed from a
base input number using a hashing algorithm. Essentially, the hash value is a summary of the
original value. The important thing about a hash value is that it is nearly impossible to derive the
original input number without knowing the data used to create the hash value.

You can see how hard it would be to determine that the value 1,525,381 came from the
multiplication of 10,667 and 143. But if you knew that the multiplier was 143, then it would be very
easy to calculate the value 10,667.

Public-key encryption is actually much more complex than this example, but that is the basic idea.
Public keys generally use complex algorithms and very large hash values for encrypting, including 40-
bit or even 128-bit numbers. A 128-bit number has a possible 2 128 or 3,402,823,669,209,384,634,
633,746, 074, 300,000,000,000,000,000,000,000,000,000,000,000,000 different combinations! This
would be like trying to find one particular grain of sand in the Sahara Desert.

Digital certificates - To implement public key encryption on a large scale, such as a secure Web
server might need, requires a different approach. This is where digital certificates come in. A digital
certificate is essentially a bit of information that says the Web server is trusted by an independent
source known as a Certificate Authority. The Certificate Authority acts as the middleman that both
computers trust. It confirms that each computer is in fact who they say they are and then provides
the public keys of each computer to the other. The Digital Signature Standard (DSS) is based on a
type of public key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the
format for digital signatures that has been endorsed by the US government. The DSA algorithm
consists of a private key that only the originator of the document (signer) knows and a public key.

Key Management

As the entire operation is dependent upon the security of the keys, it is sometimes appropriate to
devise a fairly complex mechanism to manage them. Where a single individual is involved, often
direct input of a value or string will suffice. The 'memorised' value will then be re-input to retrieve
the data, similar to password usage. Sometimes, many individuals are involved, with a requirement
for unique keys to be sent to each for retrieval/decryption of transmitted data. In this case, the keys
themselves may be encrypted. A number of comprehensive and proven key management systems
are available for these situations.

CRYPTOGRAPHY KEY BASICS

The two components required to encrypt data are an algorithm and a key. The algorithm generally
known, and the key is kept secret.

The key is a very large number that should be impossible to guess, and of a size that makes
exhaustive search impractical.

In a symmetric cryptosystem, the same key is used for encryption and decryption. In an asymmetric
cryptosystem, the key used for decryption is different from the key used for encryption.

THE KEY PAIR

In an asymmetric system the encryption and decryption keys are different but related. The
encryption key is known as the public key and the decryption key is known as the private key. The
public and private keys are known as a key pair.

Where a certification authority is used, remember that it is the public key that is certified and not
the private key. This may seem obvious, but it is not unknown for a user to insist on having his
private key certified!

KEY COMPONENT

Keys should whenever possible be distributed by electronic means, enciphered under previously
established higher-level keys. There comes a point, of course when no higher-level key exists and it
is necessary to establish the key manually.
A common way of doing this is to split the key into several parts (components) and entrust the parts
to a number of key management personnel. The idea is that none of the key parts should contain
enough information to reveal anything about the key itself.

Usually, the key is combined by means of the exclusive-OR operation within a secure environment.

In the case of DES keys, there should be an odd number of components, each component having odd
parity. Odd parity is preserved when all the components are combined. Further, each component
should be accompanied by a key check value to guard against keying errors when the component is
entered into the system.

A key check value for the combined components should also be available as a final check when the
last component is entered.

A problem that occurs with depressing regularity in the real world is when it is necessary to re-enter
a key from its components. This is always an emergency situation, and it is usually found that one or
more of the key component holders cannot be found. For this reason it is prudent to arrange
matters so that the components are distributed among the key holders in such a way that not all of
them need to be present. For example, if there are three components (C1, C2, C3) and three key
holders (H1, H2, H3) then H1 could have (C2, C3), H2 could have (C1, C3) and H3 could have (C1, C2).
In this arrangement any two out of the three key holders would be sufficient. In more sophisticated
systems the components may be held on smart cards.

Cryptographic Algorithms

There are of course a wide range of cryptographic algorithms in use. The following are amongst the
most well known:
DES
This is the 'Data Encryption Standard'. This is a cipher that operates on 64-bit blocks of data, using a
56-bit key. It is a 'private key' system.

RSA
RSA is a public-key system designed by Rivest, Shamir, and Adleman.

HASH
A 'hash algorithm' is used for computing a condensed representation of a fixed length message/file.
This is sometimes known as a 'message digest', or a 'fingerprint'..

AES
This is the Advanced Encryption Standard (using the Rijndael block cipher) approved by NIST.

SHA-1
SHA-1 is a hashing algorithm similar in structure to MD5, but producing a digest of 160 bits (20
bytes).Because of the large digest size, it is less likely that two different messages will have the same
SHA-1 message digest. For this reason SHA-1 is recommended in preference to MD5.

HMAC
HMAC is a hashing method that uses a key in conjunction with an algorithm such as MD5 or SHA-1.
Thus one can refer to HMAC-MD5 and HMAC-SHA1.
MD5
MD5 is a 128 bit message digest function. It was developed by Ron Rivest.

Authentication

As stated earlier, encryption is the process of taking all of the data that one computer is sending to
another and encoding it into a form that only the other computer will be able to decode. Another
process, authentication, is used to verify that the information comes from a trusted source. Basically,
if information is "authentic," you know who created it and you know that it has not been altered in
any way since that person created it. These two processes, encryption and authentication, work
hand-in-hand to create a secure environment.

There are several ways to authenticate a person or information on a computer: Password - The use
of a user name and password provide the most common form of authentication. You enter your
name and password when prompted by the computer. It checks the pair against a secure file to
confirm. If either the name or password do not match, then you are not allowed further access.

Digital certificates - To implement public key encryption on a large scale, such as a secure Web
server might need, requires a different approach. This is where digital certificates come in. A digital
certificate is essentially a bit of information that says the Web server is trusted by an independent
source known as a Certificate Authority. The Certificate Authority acts as the middleman that both
computers trust. It confirms that each computer is in fact who they say they are and then provides
the public keys of each computer to the other. The Digital Signature Standard (DSS) is based on a
type of public key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the
format for digital signatures that has been endorsed by the US government. The DSA algorithm
consists of a private key that only the originator of the document (signer) knows and a public key.

Public key encryption - Public key encryption uses a combination of a private key and a public key.
The private key is known only to your computer while the public key is given by your computer to
any computer that wants to communicate securely with it. To decode an encrypted message, a
computer must use the public key provided by the originating computer and it's own private key.
The key is based on a hash value. This is a value that is computed from a base input number using a
hashing algorithm. The important thing about a hash value is that it is nearly impossible to derive
the original input number without knowing the data used to create the hash value. Here's a simple
example: You can see how hard it would be to determine that the value of 1525381 came from the
multiplication of 10667 and 143. But if you knew that the multiplier was 143, then it would be very
easy to calculate the value of 10667. Public key encryption is much more complex than this example
but that is the basic idea. Public keys generally use complex algorithms and very large hash values
for encrypting: 40-bit or even 128-bit numbers. A 128-bit number has a possible 2 128 different
combinations. That's as many combinations as there are water molecules in 2.7 million olympic size
swimming pools. Even the tiniest water droplet you can image has billions and billions of water
molecules in it!