Encrypting in Networking: Implications of Unencrypted Data

[Reshma]

What is encrypting in networking? What does it mean if unencrypted information is sent across the net? What are the implications if this happens?

 

[dduardo]

http://en.wikipedia.org/wiki/Encryption

 

[ramollari]

Encrypting in networking is a difficult goal in comparison local encrypting! There are two parties that may not know each other and need to communicate in the presence of hackers that pose man-in-the middle attacks. That's why public key cryptography is essential in networks, but combined with authentication services from Key Distribution Centers like Kerberos to protect from man-in-the-middle attacks.

 

[TsunamiJoe]

basically encrypting is taking a set of data and changing it, then forming an algorythm that can change it back, giving said algorythm to the reciever so that the reciever can then decrypt the algorythm and view the data - a message M, is transferred into a ciphertext C by an encryption E, which is then sent to the user and then decrypted D - thus $$M:M->E=C$$ so that then when sent to the user $$C:C->D=M$$

if you want more information on cryptography(encryption/decryption and algorythm development for security purposes) PM me

 

[Reshma]

Hi TsunamiJoe

I use Mozilla Firefox as my browser. What happens is, whenever I type in my login ID and password and register I get a message box saying "The information you are sending is unencrypted and could be viewed by a third party". I usually click on 'OK'. But my fear is, is there a possibility my account could be hacked if I sent unencrypted information?
P.S. I get the same message box whenever I post a thread.

 

[chroot]

This site does not use encryption; it is therefore possible for someone experienced to get your password if they monitor the initial traffic between the site and your computer. It's really not worth worrying about.

- Warren

 

[Reshma]

Thanks. Problem solved!

 

[ramollari]

This site does not use encryption; it is therefore possible for someone experienced to get your password if they monitor the initial traffic between the site and your computer. It's really not worth worrying about.

- Warren

If I am not wrong it is the case that this site would need a certificate from a trusted Certification Authority in order to get a public key to be used for encrypting the information.
Encryption in a network is like a nightmare, because it is vulnerable to attacks.

 

[dduardo]

You don't need to buy a certificate from an authority, you can create your own. The user will be prompted to accept the certificate since the it is not signed by an authority supported by the browser. Data will still be encrypted.

 

[TsunamiJoe]

yep he is completely correct (^_^) but yah there are a lot of sites that arent encrypted, and most often its nothing to worry about, unless your somewhere you know you shouldn't be (^_-) - but if your worried about hacks and viruses just read articles from symantec(i love the company hate the software) about security, the most important thing to protecting yourself is personal know-how

 

[chroot]

TsunamiJoe,

This topic (encryption) has nothing to do with malware like viruses. As far as I'm aware, Symantec is not involved in cryptography. Encryption just keeps your information private.

- Warren

 

[TsunamiJoe]

his reason for worrying about encryption was a fear of a third party stealing his information, which is something symantec does deal with, most often a third party breaks your encryption with a hack and/or a virus to bypass it, thus needing more/better encryption and additional protection against said dangers of viewing already unencrypted data. As of late a lot of the viruses being massively spread are ones that are not downloaded on there own, but ones that find unencrypted sources and put there coding into that source so that when it is viewed the user without protection catches the virus, thus showing why you can merely view a website and receive a virus due to a lack of encryption on pages and a lack of encryption between the user and the server

 

[chroot]

TsunamiJoe,

That might as well have been word salad; you seem to have a very poor understanding of how computers work. The simple fact is that encryption and malware are two very different things, and they are only rarely related. You can't break encryption with a hack, though you can break programs which use encryption. Futhermore, an encrypted page (say, via SSL) can certainly still be used to transfer a virus. SSL encryption just encrypts the contents of HTTP traffic as it moves across the 'net; it has nothing to do with what's contained in that HTTP traffic.

- Warren

 

[Reshma]

So what is the best way to maintain security of your account in an unencrypted site?

 

[Reshma]

his reason for worrying about encryption was a fear of a third party stealing his information,

BTW, it is her :grumpy:

 

[master_coda]

So what is the best way to maintain security of your account in an unencrypted site?

You can't. If the website isn't particularly interested in security, there isn't really anything you can do on your end to compensate for that. Just don't entrust private information to such a site.

 

[TsunamiJoe]

That might as well have been word salad; you seem to have a very poor understanding of how computers work.

how dare you assume you know my extent of computer knowlage,

In order to break encryption you need a hacking program to do so, I have created and tested algorythms by using hacks to brute force them, the ONLY way to break encryption is to have another program run a series of tests(not neccisarely brute forcing, occasionaly your lucky enough to know the type of algorythm being tested so that you can narrow your testing down to fewer methods) on the encryption in order to find the key to it in order to decrypt the file and read it/edit it or stop it. Secondly NOONE manualy breaks encryptions and most often never manualy hack through a security program, encryption and malware are polar opposites, yes, but they are always related in the fact you can't sent anyone malware without either a) breaking encryption or b) bypassing it, of which we are daily developing new methods to not allow said programs to merely bypass our encryption protocols

also to help prevent being hijacked by unsecure sites don't ever say yes to those boxes that pop up asking if so and so's company can be trusted - unless your on microsoft.com and similar sites and the company of which is asking permission is microsoft

 

[graphic7]

also to help prevent being hijacked by unsecure sites don't ever say yes to those boxes that pop up asking if so and so's company can be trusted - unless your on microsoft.com and similar sites and the company of which is asking permission is microsoft

I never get those boxes.

 

[chroot]

how dare you assume you know my extent of computer knowlage,

I'm not assuming it. You're making it obvious.

In order to break encryption you need a hacking program to do so, I have created and tested algorythms by using hacks to brute force them, the ONLY way to break encryption is to have another program run a series of tests(not neccisarely brute forcing, occasionaly your lucky enough to know the type of algorythm being tested so that you can narrow your testing down to fewer methods) on the encryption in order to find the key to it in order to decrypt the file and read it/edit it or stop it.

I'm aware of breaking a cryptosystem via brute force, and by making use of weaknesses in the algorithm to narrow the keyspace. This is not my concern.

My concern is that you claim people break encryption with viruses and malware -- something that, to my knowledge, has never been done. I have yet to learn of a virus that contains within it cracking code.

The simple fact is that it's easier to break a program and read the message out of a memory buffer before encryption than it is to mount an attack on the cipertext itself. It's also easier to drive over to the person's house and confiscate their computer equipment. No one is writing viruses or other malware which break cryptosystems. If you believe such things exist, please provide a reference. Otherwise, please stop making such silly claims.

the fact you can't sent anyone malware without either a) breaking encryption or b) bypassing it, of which we are daily developing new methods to not allow said programs to merely bypass our encryption protocols

I can send someone malware over plaintext email. Most malware programs are downloaded unwittingly through unsecure browsers by people who thoughtlessly press the "OK" button. The vast majority of websites don't use any encryption, and the vast majority of malware delivery doesn't involve any kind of encryption. I have no idea why you keep repeating yourself, but you're wrong.

- Warren

 

[TsunamiJoe]

I've suddenly come to the conclusion that we're argueing the same side of a story, but with a misunderstanding between us.

My concern is that you claim people break encryption with viruses and malware -- something that, to my knowledge, has never been done. I have yet to learn of a virus that contains within it cracking code.

It appears as though my interpretation of malware is much broader than your own, which is causing the confusion, I interpret malware as anything that tampers with another program. So that anything to break encryption classifies to me as malware

I can send someone malware over plaintext email. Most malware programs are downloaded unwittingly through unsecure browsers by people who thoughtlessly press the "OK" button.

That would be called bypassing the security by convincing an unsuspecting user to click on something so that you don't have to deal with the security measures otherwise, its as if you walk up to a door, and instead of burning it down, you knock on it to get the other person to open it.

Most virus' such as trojan horses and less powerfull tracking codes more often bypass security by hiding itself within the code of another file, which is one of the major security issues of a lot of todays filesharing programs, that when you download a file, say a calculator, somewhere along the line a virus has essentialy broken the encryption using the computers decrypting devices and hides itself in the file.

So no I'm not saying a file itself has a full encryption breaking program in itself, but most often has simple lines of code that access your own computers decryption certificates.

 

[chroot]

TsunamiJoe,

Yes, it appears to be a disagreement on terminology. I can accept that you consider the word "malware" to include programs which can break cryptosystems. That isn't my definition, but that's okay. As far as I know, there have never been any self-replicating viruses, trojans, worms, or other programs that actually do cryptanalysis, however.

I also think we're in disagreement about the scope of the words "encryption" and "decryption." You said:

that when you download a file, say a calculator, somewhere along the line a virus has essentialy broken the encryption using the computers decrypting devices and hides itself in the file.

Neither the filesharing program nor the calculator program uses any kind of cryptography. A cryptosystem is defined by an algorithm (DES, IDEA, RSA, TwoFish, etc.), and a set of (usually rigid) protocols by which two parties communicate securely. A cryptanalysis program examines a piece ciphertext and tries to recover the corresponding plaintext. That's breaking encryption.

When a virus infects an executable, that's not "breaking encryption." When a trojan horse installs something in the Windows registry, that's not "breaking encryption."

- Warren

 

[TsunamiJoe]

When a virus infects an executable, that's not "breaking encryption." When a trojan horse installs something in the Windows registry, that's not "breaking encryption."

I am in complete agreement with that statement. But what I was trying to express was, when you code something then make it an executable it is essentialy encrypted into a certain format(hexidecimal etc etc) which, personaly, I don't believe either of us can read, nor translate in efficient time.

There are programs which are encrypted and need to be decrypted before executing, same goes for messages(which are most common, the only programs I know that are encrypted are programs made by a single person whom is also trying to test algorythms or a certification program), also most filesharing programs will essential "encrypt the stream" of data, so that while in progress of being recieved, the data persay isn't being encrypted, but the stream is, for instance cars drive through a tunnel, the cars are the data, being completely unchanged, yet there's the tunnel which protects the cars from something falling on top of them to destroy them, malware. Now granted these streams are very rarely secure enough to prevent third party breakage when a person is trying to attain the information, but they are most often secure enough to prevent any computerised automatic viruses from infecting said files before they reach you.

 

[chroot]

I am in complete agreement with that statement. But what I was trying to express was, when you code something then make it an executable it is essentialy encrypted into a certain format(hexidecimal etc etc) which, personaly, I don't believe either of us can read, nor translate in efficient time.

That is not encryption! Machine code is definitely readable -- all you need is a table of the opcodes!

also most filesharing programs will essential "encrypt the stream" of data

I don't believe this is true. Please provide a reference.

so that while in progress of being recieved, the data persay isn't being encrypted, but the stream is, for instance cars drive through a tunnel, the cars are the data, being completely unchanged, yet there's the tunnel which protects the cars from something falling on top of them to destroy them, malware.

This is a very poor analogy. How can you encrypt a stream of data without encrypting the data? That doesn't even make any sense.

Now granted these streams are very rarely secure enough to prevent third party breakage when a person is trying to attain the information, but they are most often secure enough to prevent any computerised automatic viruses from infecting said files before they reach you.

How is a virus going to infect a stream of bytes going across the network? That would involve a very sophisticated attack on the TCP/IP protocol itself, which, again, I don't think has ever been done. If you think it has been done, please provide a reference.

- Warren

 

[TsunamiJoe]

That is not encryption! Machine code is definitely readable -- all you need is a table of the opcodes!

as i said you cannot translate it efficiently, and secondly you can form a cryptographic algorithym to translate them into machine code, which is what the machine does

This is a very poor analogy. How can you encrypt a stream of data without encrypting the data? That doesn't even make any sense.

for instance when sending data through the ports, you can protect the port by not allowing access into it, which is done often through authorization strictly between machines without users knowing it

How is a virus going to infect a stream of bytes going across the network?

Could you perhaps reiterate this? But if your saying what I think you are, then its the same way that someone would intercept an encrypted message before it gets to one of the users, just its done by more or less random from a person's computer which he has initiated a program into spread a virus. But again I could just be reading that wrong, and just to declare a network to me is a connection between any 2 or more machines whether it be person to server, person to person, or sever to person.

 

[master_coda]

as i said you cannot translate it efficiently, and secondly you can form a cryptographic algorithym to translate them into machine code, which is what the machine does


for instance when sending data through the ports, you can protect the port by not allowing access into it, which is done often through authorization strictly between machines without users knowing it

You seem to be using an extremely overgeneralized meaning of encryption. In general, just translating data between two different encodings is not considered to be encryption. And I've certainly never heard anyone claim that port blocking is a form of encryption.

 

[chroot]

as i said you cannot translate it efficiently, and secondly you can form a cryptographic algorithym to translate them into machine code, which is what the machine does

It's not a cryptographic algorithm. In the very strictest sense, ASCII could be considered a substitution cipher (it replaces a character with a number), but it's just a representation, and is not done to protect information. Sorry, but you're using the word incorrectly. If you intend to seek formal education on the topic, you should start using (and spelling) the words properly. Arguing with me about the meaning of words is just a silly waste of both our time; I know more about this topic than do you.

for instance when sending data through the ports, you can protect the port by not allowing access into it, which is done often through authorization strictly between machines without users knowing it

Again, this is not encryption. You seem to think that any kind of protection mechanism is cryptography, but that's just simply not true.

Could you perhaps reiterate this? But if your saying what I think you are, then its the same way that someone would intercept an encrypted message before it gets to one of the users, just its done by more or less random from a person's computer which he has initiated a program into spread a virus. But again I could just be reading that wrong, and just to declare a network to me is a connection between any 2 or more machines whether it be person to server, person to person, or sever to person.

Viruses tack executable code onto executable programs. In order for a virus to infect a file as its bytes are being sent across the network, the virus would have to interact with both peers on the network, performing a very elaborate middle-man attack, crafting new packets with the right sequencing information to maintain contuinity for the duration of the connection.

As far as I know, it's never been done, and viruses do not infect files as they are being transferred byte-by-byte across the network. If you do not have references to such viruses, you shouldn't be saying such things happen.

- Warren

 

[Reshma]

I can send someone malware over plaintext email. Most malware programs are downloaded unwittingly through unsecure browsers by people who thoughtlessly press the "OK" button.

Interesting discussion here

Can someone define what exactly is an 'unsecure' browser? What is the difference between a malware and a virus? Since it is not possible to break encryption using viruses, that leaves me with one question: Are unencrypted sites more prone to virus?

 

[ramollari]

Interesting discussion here

The discussion here is mainly driven by the misconception of TsunamiJoe that Security and Encryption are synonymous.

Can someone define what exactly is an 'unsecure' browser?

An 'unsecure' browser can have many interpretations. In terms of encryption at least, virtually all browsers support it when requested. Unsecure browsers are usually the ones that are not careful with what they download (or do not notify the user), including malware, or applets/add-ons that perform file processing. There are several other security measures that a good browser can take, but I am not competent enough to list them here.

What is the difference between a malware and a virus?

A virus is actually a kind of malware, that runs on a local machine and copies itself in the permanent storage. Malware also includes Troyan horses (downloadable viruses that communicate with the source machine), worms, time bombs, and others.

Since it is not possible to break encryption using viruses, that leaves me with one question: Are unencrypted sites more prone to virus?

The answer is NO. The only role of encryption per se is to ensure privacy of exchanged messages, that should be clear to you. Viruses/Troyan horses can enter the machine regardless of whether the data is cyphertext or plaintext. Encryption as a mechanism is also useful for other security objectives (data integrity, authentication, non-repudiation).

 

[Reshma]

Thanks for your inputs, Ramollari.

 

[TsunamiJoe]

And I've certainly never heard anyone claim that port blocking is a form of encryption.

I wasn't speaking of port blocking, but when requiring a set of passwords of which are encrypted so that they cannot be plainely seen, except by the other communicating machine.

the virus would have to interact with both peers on the network, performing a very elaborate middle-man attack,

This is not entirely so, when using a file sharing program, most often the program will merely know your IP, so that someone wanting access to the information being sent could merely "spoof" there IP and pretend they were one of the machines(personaly i would say that the user receiving the file would be the one to spoof, as to promote less work by the middleman in not having to get into the other persons system prior, but to instead just walk into the connect) then simultaniously send it out to the real user spoofing the senders' IP.

I know more about this topic than you do.

I was not claiming your ignorance, I'm merely presenting another side to an arguement, and if you wish to degrade to using pety comments such as this to proove your point, then I no longer have any position in this debate anymore. It was nice, and a great debate while it was being upheld properly. I hope you, Reshma, got the answers you were seeking.

 

[chroot]

I wasn't speaking of port blocking, but when requiring a set of passwords of which are encrypted so that they can be planely seen, except by the other communicating machine.

You didn't realize you were talking about port blocking, but you were. There are no port-level cryptographic authorization schemes. You can deny connections by IP, but that's about it. Anyone can connect to an open port on another machine. Authorization using cryptography is done by a server servicing that port at the application level -- much, much higher than the port itself.

This is not entirely so, when using a file sharing program, most often the program will merely know your IP, so that someone wanting access to the information being sent could merely "spoof" there IP and pretend they were one of the machines(personaly i would say that the user receiving the file would be the one to spoof, as to promote less work by the middleman in not having to get into the other persons system prior, but to instead just walk into the connect) then simultaniously send it out to the real user spoofing the senders' IP.

And where would the real packets go? Would you just use your super-laser-ray and obliterate them off the ethernet wires?

I was not claiming your ignorance, I'm merely presenting another side to an arguement, and if you wish to degrade to using pety comments such as this to proove your point, then I no longer have any position in this debate anymore. It was nice, and a great debate while it was being upheld properly. I hope you, Reshma, got the answers you were seeking.

We're not conducting a debate. You're saying things that are wrong. I, and others, are correcting you. Whether or not it's worth doing, only you can say.

- Warren