The limitations imposed by the operating system must be coupled with the types of passwords chosen by the users. Most people do not use control characters or non-alphanumeric characters in their passwords; in fact, most users use only lowercase letters. Many people choose a name or word as a password, yielding, in a statistical sense, an even more limited set of encryption keys. Why does any of this matter? Because if your password file is stolen, such as from a directory without adequate protection, an off-line attack can be launched by encrypting every possible word and looking for a match; this is called a dictionary attack. Exhibit 8-8-4 shows the amount of time required to perform an exhaustive search of all possible keys with a processor able to examine one million keys per second. Clearly, longer passwords provide better protection than shorter ones. But care must also be taken that a wider range of characters is used, to obtain the best possible protection. A truly random eight-character password, for example, might withstand an attack for over a half-billion years, but the password patterns of most users suggest that an eight-character password is only safe for a month.
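The arithmetic behind Exhibit 8-8-4 is simply key-space size divided by search rate. The following Python script is an added illustration (not code from the chapter) that applies that arithmetic to a candidate password: it infers the character classes actually present, computes the worst-case time to exhaust that key space at the one-million-keys-per-second rate assumed in the text, and treats a password found in a word list as having a key space no larger than the list itself. The character-class sizes are taken from the ASCII printable set; the five-word `TOY_DICTIONARY` is a constructed stand-in for a real word list, and the resulting figures are for the assumed rate only, not the numbers in the exhibit.

```python
import math
import string

KEYS_PER_SECOND = 1_000_000              # search rate assumed in the text
SECONDS_PER_YEAR = 365 * 24 * 60 * 60

# Character classes a password may draw from; sizes come from the ASCII printable set.
CLASSES = {
    "lowercase": string.ascii_lowercase,        # 26 characters
    "uppercase": string.ascii_uppercase,        # 26 characters
    "digits": string.digits,                    # 10 characters
    "punctuation": string.punctuation + " ",    # 33 characters (includes space)
}

# Constructed toy word list; a real dictionary attack uses tens of thousands of entries.
TOY_DICTIONARY = {"password", "letmein", "october", "jennifer", "dragon"}


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes covering the password.
    This is the alphabet an attacker must search once the pattern is known."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_seconds(size: int, length: int, rate: int = KEYS_PER_SECOND) -> float:
    """Worst-case seconds to exhaust size**length keys at `rate` keys per second."""
    return size ** length / rate


def estimate(password: str, rate: int = KEYS_PER_SECOND) -> dict:
    """Estimate the off-line search effort for one password.

    A dictionary word is found after at most len(TOY_DICTIONARY) trials, no matter
    how long it is; anything else is charged the full exhaustive search."""
    if password.lower() in TOY_DICTIONARY:
        keys, method = len(TOY_DICTIONARY), "dictionary word"
    else:
        keys, method = alphabet_size(password) ** len(password), "exhaustive search"
    seconds = keys / rate
    return {
        "alphabet": alphabet_size(password),
        "keys": keys,
        "bits": math.log2(keys),             # equivalent key length in bits
        "seconds": seconds,
        "years": seconds / SECONDS_PER_YEAR,
        "method": method,
    }


if __name__ == "__main__":
    # Same length, very different protection: pattern and alphabet dominate.
    for pw in ("october", "abcdefgh", "aB3$efgh", "aB3$efghIJ"):
        e = estimate(pw)
        print(f"{pw:12s} alphabet={e['alphabet']:3d} bits={e['bits']:5.1f} "
              f"{e['method']:18s} worst case {e['years']:.3g} years")
```

Run as a script, the table shows an eight-character lowercase password falling in a few days at this rate, while the same length drawn from all 95 printable characters holds for a couple of centuries; a dictionary word of any length falls instantly. The average case is half the worst case, and a real attacker's rate is far higher than one million keys per second, so treat the figures as relative, not absolute.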
Better protection can be provided by use of secure protocols over the local network or the Internet. Secure protocols offer a variety of functions:
A variety of cryptographic schemes are used to provide the functions listed above. Cryptographic algorithms are generally classified as follows:
Exhibit 8-8-5 summarizes some of the more common protocols used for secure communications. The underlying mathematics for all of these protocols is well documented in the literature, and that is one of the reasons these schemes are believed to be secure: well-known algorithms have received a great deal of scrutiny, and age is the best test of a cryptographic algorithm. In general, users are advised not to trust secret cryptographic protocols; a high level of cryptographic security is provided by the choice of the key, not the secrecy of the algorithm.
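The principle that security rests on the key rather than on a secret algorithm is easy to show with a published construction. The Python snippet below is an added example, not part of the chapter, using HMAC-SHA256 from the standard library: the algorithm is fully public and even ships with published test vectors, yet a party who knows the algorithm but not the key can neither forge a tag nor pass off a tampered message. The message text and the random keys are constructed for the demonstration; the known-answer check uses test case 2 from RFC 4231.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag over `message` using the public HMAC-SHA256 construction."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so the comparison itself
    does not leak how many bytes of a guessed tag were correct."""
    return hmac.compare_digest(make_tag(key, message), tag)


def known_answer_check() -> bool:
    """Published algorithms come with published test vectors: RFC 4231, test case 2."""
    expected = bytes.fromhex(
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")
    return make_tag(b"Jefe", b"what do ya want for nothing?") == expected


def demo() -> dict:
    """Three verification attempts against one genuine tag (constructed data)."""
    key = secrets.token_bytes(32)            # the only secret in the system
    message = b"transfer 100 to account 42"  # constructed message
    tag = make_tag(key, message)
    return {
        # legitimate holder of the key: passes
        "genuine": verify(key, message, tag),
        # message altered in transit, tag unchanged: fails
        "tampered": verify(key, b"transfer 900 to account 42", tag),
        # knows the algorithm, guesses a key: fails
        "wrong_key": verify(secrets.token_bytes(32), message, tag),
    }


if __name__ == "__main__":
    print("RFC 4231 vector matches:", known_answer_check())
    for case, ok in demo().items():
        print(f"{case:10s} verified={ok}")
```

Because the construction is public, anyone can audit it and confirm the implementation against the RFC vector; the only thing that must be kept secret and chosen well is the 32-byte key, which is exactly the point the chapter makes about key choice versus algorithm secrecy.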
SUMMARY

As the number of people using your corporate computing and communications resources grows, so does your vulnerability. When you attach your LAN to the public Internet, your exposure increases even more. Computer and network managers should employ as much security as is affordable, determined by putting a price tag on the level of risk, the amount of exposure, and the cost of the corruption, theft, or loss of your organization's data. In particular, critical information must be protected as much as possible. Internal and external information servers should be isolated from each other. And all users should be made to understand their role in helping to keep the site secure and the information safe.

When connecting a LAN to the public Internet, some form of firewall protection, such as packet filtering and/or proxy servers, should be employed. Be forewarned, however, that many sites employ a "security through obscurity" philosophy: they maintain a low profile on the Internet, don't advertise host names, don't advertise user names, etc. This approach is doomed to fail in the long run, since there are very few secrets on the Internet.

While this discussion of security has emphasized the Internet, do not be lulled into a false sense of security because the firewall is in place. Indeed, some studies have concluded that the vast majority (up to 80%) of the break-ins at a site are inside jobs. While the firewall may protect you from the outside, all of the potential problems that existed before the LAN was connected to the Internet are still present. Organizations must still take adequate precautions to physically protect their computer and network site, and take steps to stop unauthorized access to facilities and network resources. Indeed, the thief who stole a computer from the headquarters building of Visa International in November 1996 may have done more potential damage than a hacker could have, given Visa's generally tight network security.
Physical site security is a particular concern at academic sites where the public has access to terminals and PCs, and only the network or computer may be able to stop the unauthorized user.
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.