Page 452 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

If your message requires confidentiality, integrity, authentication, and nonrepudiation, you should encrypt and digitally sign the message.

It is always the responsibility of the sender to put proper mechanisms in place to ensure that the security (that is, confidentiality, integrity, authenticity, and nonrepudiation) of a message or transmission is maintained.
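The encrypt-and-sign rule above, as an added Go example that is not part of the study guide and does not reproduce OpenPGP's packet format: the sender signs the message with RSA-PSS, then encrypts message and signature under a one-time AES-256-GCM session key that is wrapped with the recipient's RSA public key (OAEP), the same hybrid pattern PGP uses; the recipient reverses the steps and refuses the message if any check fails. The names Envelope, SealSigned, OpenSigned and gcmFor are this example's own, and SHA-256 stands in for the older MD5 digest.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope is a constructed container (not OpenPGP packet syntax): wrapped key, nonce, ciphertext of msg||sig.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// SealSigned signs with the sender's private key (authentication, integrity, nonrepudiation),
// then encrypts message and signature under a fresh session key wrapped for the recipient (confidentiality).
func SealSigned(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil { return nil, err }
	raw := make([]byte, 32+12) // fresh AES-256 session key || 96-bit GCM nonce for every message
	if _, err := rand.Read(raw); err != nil { return nil, err }
	sessionKey, nonce := raw[:32], raw[32:]
	gcm, err := gcmFor(sessionKey)
	if err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, append(append([]byte{}, msg...), sig...), nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, ct}, nil
}
// OpenSigned reverses the steps: unwrap the session key, decrypt (GCM rejects any tampering),
// split off the signature and verify it against the claimed sender's public key.
func OpenSigned(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := gcmFor(sessionKey)
	if err != nil { return nil, err }
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil { return nil, err }
	cut := len(plain) - sender.Size() // a PSS signature is exactly modulus-size bytes
	if cut < 0 { return nil, rsa.ErrVerification } // too short to even hold a signature
	digest := sha256.Sum256(plain[:cut])
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], plain[cut:], nil); err != nil { return nil, err }
	return plain[:cut], nil
}
```

A message that decrypts but fails signature verification, or that verifies under the wrong sender key, is rejected outright rather than returned with a warning.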

One of the most in-demand applications of cryptography is encrypting and signing email messages. Until recently, encrypted email required the use of complex, awkward software that in turn required manual intervention and complicated key exchange procedures. An increased emphasis on security in recent years resulted in the implementation of strong encryption technology in mainstream email packages. Next, we’ll look at some of the secure email standards in widespread use today.


Pretty Good Privacy

Phil Zimmermann’s Pretty Good Privacy (PGP) secure email system appeared on the computer security scene in 1991. It combines the CA hierarchy described earlier in this chapter with the “web of trust” concept—that is, you must become trusted by one or more PGP users to begin using the system. You then accept their judgment regarding the validity of additional users and, by extension, trust a multilevel “web” of users descending from your initial trust judgments.

PGP initially encountered a number of hurdles to widespread use. The most difficult obstruction was the U.S. government export regulations, which treated encryption technology as munitions and prohibited the distribution of strong encryption technology outside the United States. Fortunately, this restriction has since been repealed, and PGP may be freely distributed to most countries.

PGP is available in two versions. The commercial version uses RSA for key exchange, IDEA for encryption/decryption, and MD5 for message digest production. The freeware version (based on the extremely similar OpenPGP standard) uses Diffie-Hellman key exchange, the Carlisle Adams/Stafford Tavares (CAST) 128-bit