1. Go to a popular online e-commerce site like Amazon.com. Place several items in your shopping cart, and then go to check out. When you reach the screen that asks for your credit card number, right-click on the Web browser and select “Properties.” What can you find out about the cryptosystems and protocols in use to protect this transaction?
The primary method of cryptographic protection for the site I tested, which was indeed Amazon.com, is provided by the well-known security vendor Symantec. Symantec has a long history of providing private users and organizations with security protocol suites, often packaged so they can be tailored to a specific need. Navigating to the certificate properties for Amazon's secure checkout shows the following information: “The page you are viewing was encrypted before being transmitted over the internet,” together with 128-bit encryption. Websites with an https address are normally encrypted and show a green lock next to the address.
2. Repeat exercise 1 on a different Web site. Does this site use the same or different protocols? Describe them.
Some protocols that other websites use are:
PCT: The Private Communications Technology (PCT) is a transport layer security protocol similar to SSL that was developed by Microsoft because of shortcomings in SSL 2.0. The SSL 2.0 problems were also addressed in SSL 3.0 and, as a result, use of PCT is decreasing. Nevertheless, Microsoft intends to continue supporting PCT because several large Microsoft customers on their corporate intranets are using it.
SET: The Secure Electronic Transaction (SET) protocol is an online payment protocol designed to facilitate the use of credit cards on the Internet.
The fundamental motivation behind SET is to speed transactions while reducing fraud. To speed transactions, the protocol automates the “buy” process by having the consumer’s computer automatically provide the consumer’s credit card number and other payment information, rather than forcing the consumer to type this information into a form in a web browser. To reduce fraud, SET was designed so that the merchant would never have access to the consumer’s actual credit card number. Instead, the merchant would receive an encrypted credit card number that could only be decrypted by the merchant’s bank.
3. Perform a Web search for “Symantec Desktop Email Encryption (powered by PGP Technology).” Download and install the trial version. Using the tool and your favorite e-mail program, send a PGP-signed e-mail to your instructor. What looks different in this e-mail compared with your other e-mails?
Encryption Desktop provides comprehensive security for desktops and laptops, making it possible for enterprises, workgroups, and individuals to protect sensitive information without changing the existing IT infrastructure. After installation, Symantec Desktop Email inserts itself between your email client and your mail server and watches your email traffic. The software automatically and transparently encrypts, signs, decrypts, and verifies email messages according to policies defined for you by administrators, or policies you control yourself if you are not part of a Symantec Encryption Server-managed environment. You do not have to do anything special; just create your messages in your email client and send them. Notifier alerts are a feature of Symantec Encryption Desktop that both tell you what is going on with your messaging and give you control over it. For example, when you send an encrypted message, the Notifier alert appears in the lower right corner of your screen.
4. Perform a Web search for “Announcing the Advanced Encryption Standard (AES).” Read this document, which is a FIPS 197 standard. Write a short overview of the development and implementation of this cryptosystem.
This standard specifies the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths, but they are not adopted in this standard. AES has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware.
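To make the substitution-permutation structure concrete, here is an added example (not part of the original answer or of FIPS 197 itself): a compact pure-Python AES block encryption for the 128-, 192- and 256-bit key sizes named above. SubBytes is the substitution layer, ShiftRows and MixColumns the permutation/diffusion layers; it is for study only, with no side-channel hardening and no mode of operation, and it assumes the caller passes a 16-, 24- or 32-byte key and a 16-byte block.

```python
def _gf_mul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():  # SubBytes table: GF(2^8) inverse, then the affine map of Sec. 5.1.1
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    box = []
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        box.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return box
SBOX = _build_sbox()

def _expand_key(key):  # key schedule (Sec. 5.2): returns one flat 16-byte key per round
    nk, nr = len(key) // 4, len(key) // 4 + 6     # Nk words in, Nr = 10/12/14 rounds
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = w[i - 1]
        if i % nk == 0:                            # RotWord, SubWord, then xor Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gf_mul(rcon, 2)
        elif nk > 6 and i % nk == 4:               # extra SubWord only for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]

def _shift_rows(s):  # state is column-major: byte (row r, column c) sits at s[r + 4*c]
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):  # each column times the fixed polynomial {03}x^3 + {01}x^2 + {01}x + {02}
    cols = [s[4 * c:4 * c + 4] for c in range(4)]
    return [_gf_mul(a[r], 2) ^ _gf_mul(a[(r + 1) % 4], 3) ^ a[(r + 2) % 4] ^ a[(r + 3) % 4]
            for a in cols for r in range(4)]

def aes_encrypt_block(key: bytes, block: bytes) -> bytes:
    rks = _expand_key(key)                         # 11, 13 or 15 round keys
    s = [b ^ k for b, k in zip(block, rks[0])]     # initial AddRoundKey
    for rnd in range(1, len(rks)):
        s = [SBOX[b] for b in s]                   # SubBytes: the substitution layer
        s = _shift_rows(s)                         # ShiftRows: byte permutation
        if rnd != len(rks) - 1:                    # MixColumns is skipped in the final round
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rks[rnd])]   # AddRoundKey
    return bytes(s)
```

Checking the output against the FIPS 197 Appendix C vectors (key 00 01 02 ... and plaintext 00112233445566778899aabbccddeeff) is the quickest way to confirm an implementation like this is correct.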
5. Search the Web for “steganographic tools.” What do you find? Download and install a trial version of one of the tools. Embed a short text file within an image. In a side-by-side comparison, can you tell the difference between the original image and the image with the embedded file?
A steganography software tool allows a user to embed hidden data inside a carrier file, such as an image or video, and later extract that data.
It is not necessary to conceal the message in the original file at all. Because the original file does not have to be modified, it is difficult to detect anything. If a given section is subjected to successive bitwise manipulation to generate the ciphertext, there is no evidence in the original file to show that it is being used to encrypt a file. However large the image is, once you embed it, your InDesign file becomes that much larger.
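As an added example for the side-by-side comparison asked about in question 5 (not from the original answer or from any of the tools found by the search), the following shows the least-significant-bit (LSB) technique most simple steganography tools use: a short text payload is written into the lowest bit of successive colour-channel bytes of a constructed 8x8 RGB carrier. The comparison function then reports what actually differs between original and stego image: the size is unchanged and no channel value moves by more than 1, which is why the two look identical to the eye yet differ under bit-level inspection.

```python
import random

WIDTH, HEIGHT = 8, 8   # constructed toy carrier: 8x8 pixels, 3 bytes (R, G, B) each

def make_carrier(seed: int = 1) -> bytes:
    """Constructed sample image data (not a real photo): 192 pseudo-random channel bytes."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(WIDTH * HEIGHT * 3))

def embed(carrier: bytes, payload: bytes) -> bytes:
    """LSB steganography: overwrite the lowest bit of successive channel bytes with the
    payload bits, preceded by a 4-byte big-endian length so extract() knows when to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError(f"carrier holds at most {len(carrier) // 8 - 4} payload bytes")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit        # each byte changes by at most 1
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Reverse of embed(): collect LSBs, read the length prefix, then that many bytes."""
    def read(offset: int, count: int) -> bytes:
        vals = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[offset + (b * 8) + i] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid embedded payload (length prefix exceeds carrier)")
    return read(32, length)

def compare(original: bytes, stego: bytes) -> dict:
    """The side-by-side check: same size, and no channel value moves by more than 1.
    That is what makes LSB embedding invisible to the eye but visible to bit-level analysis."""
    deltas = [abs(a - b) for a, b in zip(original, stego)]
    return {"same_size": len(original) == len(stego),
            "bytes_changed": sum(1 for d in deltas if d),
            "max_delta": max(deltas)}
```

Note that with this scheme the carrier's byte length does not change at all; a real tool working on a compressed format such as JPEG or PNG may produce a different file size because the pixel data is re-encoded, not because the hidden bytes are appended.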