Josh Hogan

Chapter 8: Cryptography

Exercises

1)      Go to a popular online e-commerce site like Amazon.com. Place several items in your shopping cart, and then go to checkout. When you reach the screen that asks for your credit card number, right click on the web browser and select “Properties.” What can you find out about the cryptosystems and protocols in use to protect this transaction?

·         I have never done this before and it is really interesting that you can see this stuff. The cryptosystem and protocols that Amazon uses to protect transactions are HTTP (Hyper Text Transfer Protocol), which is pretty standard across all platforms on the web, and TLS 1.0 RC4 with 128-bit encryption and RSA with 1024-bit exchange. I also got a message that appeared in the secure checkout tab that tells you that the page has already been encrypted.

4)      Perform a Web search for “Announcing the Advanced Encryption Standard (AES).” Read this document, which is a FIPS 197 standard. Write a short overview of the development and implementation of this cryptosystem.

·         The Advanced Encryption Standard (AES) is used to specify a FIPS-approved algorithm that is encrypted and is used to provide protection to the electronic data. Its main purpose is to encrypt and decrypt information. It works when you have plain text, which is what the data is normally, that gets encrypted to what is known as ciphertext. This gets sent across the web and then when it reaches the destination, there is a key that will decrypt the ciphertext back into plain text. It has become a main concern in modern life that we are secured with our data, and it is very important to make people feel secure while online. There are people who don’t actually believe that this is considered safe because theoretically, these patterns of bits could be figured out by someone, but this is very impractical unless they possess the key needed to decrypt.

Case Exercises

1) Was Charlie exaggerating when he gave Peter an estimate for the time required to crack the encryption key using a brute force attack?

·         Yes, Charlie was exaggerating when he gave Peter an estimate for the time that would be required when using a brute force attack to crack the encryption key. Charlie told Peter that it would take “a hundred trillion years or so” to get the plain text of the encrypted file using brute force. Don’t get me wrong, using brute force will take a decent amount of time to crack, depending on how long the passphrase is. He is just stating that it will take some time to crack the passphrase.
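The dependence on passphrase length mentioned in this answer can be worked through numerically. The following is an added example, not part of the original answer or the textbook; the guess rate of 10^10 per second and the three alphabets are assumptions chosen for illustration, and the passphrase is assumed to be uniformly random.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_RATE = 1e10      # guesses per second (assumption, not from the case)
TARGET_YEARS = 1e14      # "a hundred trillion years", the figure quoted in the case

# Alphabet sizes for a uniformly random passphrase (assumed categories).
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def expected_years(alphabet_size, length, guesses_per_second=ASSUMED_RATE):
    """Average-case exhaustive search: half the keyspace is tried before a hit."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random passphrase, in bits."""
    return length * math.log2(alphabet_size)


def min_length_for(target_years, alphabet_size,
                   guesses_per_second=ASSUMED_RATE, max_length=128):
    """Shortest random passphrase whose expected search time reaches the target."""
    for length in range(1, max_length + 1):
        if expected_years(alphabet_size, length, guesses_per_second) >= target_years:
            return length
    return None  # target not reachable within max_length


def report():
    """Return (alphabet, minimum length, entropy bits) for the quoted estimate."""
    rows = []
    for name, size in ALPHABETS.items():
        n = min_length_for(TARGET_YEARS, size)
        rows.append((name, n, round(entropy_bits(size, n), 1)))
    return rows


if __name__ == "__main__":
    for name, n, bits in report():
        print(f"{name:16s} needs >= {n} random characters (~{bits} bits)")
    # A short passphrase for contrast, at the same assumed rate.
    days = expected_years(95, 8) * 365.25
    print(f"8 printable characters: about {days:.1f} days on average")
```

The model only covers exhaustive search over random characters; a passphrase built from words or personal details is reached far sooner by dictionary guessing than these figures suggest.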

2) Are there any tools that someone like Peter could use safely, other than a PKI-based system that implements key recovery, to avoid losing his passphrase?

·         There are quite a few different software and tools available that aren’t PKI-based to crack passwords or just change a password if you forgot yours. One that comes to mind is something that we used to use in the Marine Corps called a Hiren’s Boot CD. When people would lock themselves out of their computer, you would insert the Hiren’s disc, start the computer and boot it from hard drive, log in as the admin and change any account password that you want.

Ethical Decision Making

1)      Would the use of such a tool be an ethical violation on Charlie’s part? Is it illegal?

·         Yes, this is extremely unethical of Charlie to do, especially if the employees don’t know that he did it. It would be very helpful to Peter at this time but still unethical. However, this is not illegal in most jurisdictions.

2)       Suppose that Charlie had implemented the key logger with the knowledge and approval of senior company executives, and that every employee had signed a release that acknowledged the company can record all information entered on company systems. Two days after Peter’s call, Charlie calls back to give Peter his key: “We got lucky and cracked it early.” Charlie says this to preserve Peter’s illusion of privacy. Is such a “little white lie” an ethical action on Charlie’s part?

·         I would say that this is an ethical action on Charlie’s part. Employers are using key loggers without their employees’ knowledge all over the place and it is legal in many cases. So Charlie doing what he is told by his supervisors, reporting back to Peter, and keeping the employer’s little secret is, I think, ethical for Charlie, and it is a better question to ask about the superiors.