
How are your Internet secrets being protected?

From Cavalier Daily
November 15, 2001

By Jon Erdman and Michael Neve

Note: This article was an assignment in CS 588.

The Internet has enormously impacted the everyday life of students. The Web has been transformed into a giant electronic store. Millions of credit card numbers and financial statements move through the Internet each day. Most users simply trust that their information is safe without any knowledge of how their secrets are protected. But how safe are they?

Locking secrets

According to Mark Smith, manager of desktop computing support at Information Technology and Communication, communications over the Internet are as "secure as a phone call." Anyone with the correct equipment could tap into your messages.

Stronger security is required for the delicate nature of many transactions that take place over the Internet. Encrypting or scrambling messages can offer the necessary protection.

Encryption works much like a lockbox and key. If you were to send a secret message to your friend you could write it on a piece of paper, lock it inside a safe and send your friend the safe. If he or she has the key to the safe it can be opened and the message read. As long as no one else has a copy of the key and you trust the quality of the safe, your secret is secure.

Decrypting e-lingo
  • key: a string of ones and zeroes that a computer uses to communicate with a secure Web site. The chances of guessing a 128-bit key are 10,000 times more remote than winning the Virginia lottery five days in a row.
  • "https": the beginning of a Web site that is sending and receiving encrypted information. In other words, the secure version of "http."
  • handshake: the process by which computers establish a secure connection to exchange information. This involves exchanging a key between server and user.
Source: webopedia.internet.com

Encryption works in much the same way. By encrypting a message you are putting it into a safe and using ones and zeroes as the key. If the receiver of the message has the key they can decrypt, or unlock, the message.

Trading keys

When dealing in the physical world you simply can give someone a key in person. Over the Internet things are not as easy.

The process of sharing a secret key is called the "handshake." The handshake begins when the user asks for a secure connection from the system. This generally will happen before a user logs onto a Web site.

In the second step, the server will send some information about itself to the user's computer. Part of the message will be the server's certificate. Certificates contain the "thumbprint" of the server, a number that only the server can generate. The user's computer uses the certificate to verify that it has connected to the server it intended to reach.

The certificate also contains information that will allow the user to send the server a secret key, finishing the handshake.

After the secret key is exchanged, there is the problem of how to communicate using the key. There are a variety of protocols available, all with differing levels of security. As part of the handshake, the systems exchange information about which protocols they support and choose the most secure for future communications.
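The handshake steps described above, sketched as an added example that is not part of the original article. It assumes a toy RSA key pair, hypothetical protocol names, and a client that already holds the expected thumbprint; real browsers instead check a certificate authority's signature on the certificate.

```python
import hashlib
import secrets

# Toy RSA key pair for the server (constructed; far too weak for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the server

# Hypothetical protocol names ranked by strength (higher is stronger).
STRENGTH = {"cipher-40bit": 1, "cipher-56bit": 2, "cipher-128bit": 3}

def thumbprint(cert):
    """Hash of the certificate contents, used to recognise the server."""
    data = f"{cert['name']}|{cert['n']}|{cert['e']}".encode()
    return hashlib.sha256(data).hexdigest()

def server_hello(client_protocols, server_protocols):
    """Step 2: pick the strongest shared protocol and send the certificate."""
    shared = set(client_protocols) & set(server_protocols)
    if not shared:
        raise ValueError("no protocol in common")
    chosen = max(shared, key=STRENGTH.__getitem__)
    cert = {"name": "shop.example", "n": N, "e": E}  # constructed certificate
    return chosen, cert

def client_key_exchange(cert, trusted_thumbprint):
    """Step 3: check the certificate, then lock a fresh 128-bit key with it."""
    if thumbprint(cert) != trusted_thumbprint:
        raise ValueError("certificate does not match the expected server")
    secret = secrets.randbits(128)
    return secret, pow(secret, cert["e"], cert["n"])

def server_recover_key(locked_key):
    """Step 4: only the holder of D can unlock the secret key."""
    return pow(locked_key, D, N)

def handshake(client_protocols, server_protocols, trusted_thumbprint):
    """Run all steps; return (protocol, client's key, server's copy of the key)."""
    chosen, cert = server_hello(client_protocols, server_protocols)
    client_secret, locked = client_key_exchange(cert, trusted_thumbprint)
    return chosen, client_secret, server_recover_key(locked)

# Thumbprint the client trusts in this sketch (assumed to be known in advance).
TRUSTED = thumbprint({"name": "shop.example", "n": N, "e": E})
```

A certificate carrying a different public key produces a different thumbprint, so the client refuses to send its secret key.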

Most new Web browsers support 128-bit keys, where each bit is either a one or a zero. Randomly guessing the right key is about 10,000 times less likely than winning the jackpot in Virginia's "The Big Game" lottery five days in a row.

Of course, hackers aren't always randomly guessing, and they may be able to try lots of keys in a short amount of time using sophisticated computer software.

Associate Computer Science Professor David Evans points out that "security is not just a property of the key. A really long key with a bad encryption algorithm or a bad password is still weak."

What you can do

All of the complex protocols computers use to transmit secure information are useless if users do not protect themselves. The easiest way for an attacker to acquire your private information could be through what you do, or don't do, to protect yourself.

Only give out your private information to a Web site that you trust. According to Evans, you can judge a Web site in the same way you can judge a normal business.

"If it has been around a while, is well established, or is a publicly traded company, that can account for a lot," Evans said.

When you are transmitting private information, be sure to use safe methods. If a Web site's address begins with "https" it is using encryption to protect your data. "Https is the secure version of http," Smith said.

Of course, none of this security matters if someone can gain direct access to your accounts. If an attacker can figure out the password to your e-mail or any of the Web sites you interact with, they may uncover credit card numbers, bank account statements, social security numbers and countless other secrets.

Still, some attacks use low-tech means, called social engineering, to fool users into revealing their passwords. In a common social engineering trick, a hacker will e-mail or telephone an unsuspecting user and ask for their password, claiming to be a system administrator. The best rule of thumb is to never give your password to anyone.

According to Evans, security breaches happen hundreds of times a day.

"A lot of incidents are not publicized since the companies don't want to publicize they are vulnerable," Evans said.

The best way to protect yourself is to be educated. The more you know about the dangers that you face, the better protected you will be.
