As confidential information flows across networks, communications security has become a major concern for users and businesses. Everyone is looking to protect themselves against fraudulent use of their data or malicious intrusions into computer systems.
In addition, many viruses spread in downloaded files without users’ knowledge. Viruses can destroy documents or even cause the total loss of information stored on the machines. The current trend is to implement access control mechanisms and secure protocols that provide several services: authentication, confidentiality, integrity, and non-repudiation.
- authentication consists of asking a user to prove his identity (by providing a password or biometric data, for example);
- confidentiality guarantees users that no data can be read and exploited by a malicious third party;
- integrity assures users that their data has not been unduly modified during transmission over the network;
- non-repudiation prevents a user from denying the reality of a data exchange.
Several security mechanisms are implemented in data transmission to ensure the above services. The main ones are:
- encryption, which prevents unauthorized users from reading the data;
- notarization of exchanges, which keeps a trace of the exchange with a trusted third party, to prove later the existence of the communication;
- stuffing, which is the continuous transmission of a flow of useless information to hide the important data;
- digital signature, which computes a block of control data from the user’s identity.
Encryption and digital signature exploit sophisticated computational algorithms that operate with the help of keys. The algorithm is symmetrical if the key used to encrypt the message is identical to the one used to decrypt it; it is asymmetrical when different keys are used for the two operations (see cryptology).
The symmetrical process has been known since antiquity: the receiver had to have (or know) the secret key chosen by the transmitter in order to decode the message on reception. In this case, the security of the system rests on the safe transmission of the secret key. With the increase in computing power of today’s computers, the keys used are increasingly long binary data sequences.
The American DES (data encryption standard) system used a 48-bit key for a long time; it is now based on 128-bit keys.
To prevent the hacking of a single key, asymmetric multi-key systems are used, in which each user has a public key, which can be used by everyone, and a private key, which is secret and never transmitted, to decipher the messages intended for him.
The security of an asymmetric system relies on the impossibility of performing decryption calculations in a reasonable time without possessing the secret key. The public key encryption algorithms RSA (Rivest Shamir Adleman) and DH (Diffie Hellman) are the best known and most widely used.
To authenticate themselves while guaranteeing the confidentiality of the exchanges, two users use their public and private keys in the following way: A sends B a random number encrypted with B’s public key. B returns to A, encrypted with A’s public key, the same random number, which he was able to decode with his own secret key. Only B could do this decoding, which authenticates him to A. A is then authenticated to B by the same principle, so that at the end of these exchanges each of the two interlocutors is sure of the other's identity.
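The exchange described above, as an added example that is not part of the original text. It uses textbook RSA without padding and constructed demo keys built from small Mersenne primes; the names `Party`, `respond`, `authenticate` and `mutual_authentication` are hypothetical, and real systems use padded RSA with much larger keys.

```python
import secrets

E = 65537  # public exponent shared by all demo keys (assumption)

def keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def apply_key(key, value):
    """RSA encryption and decryption are the same modular exponentiation."""
    n, exponent = key
    return pow(value, exponent, n)

class Party:
    def __init__(self, p, q):
        self.public, self._private = keypair(p, q)

    def respond(self, challenge, verifier_public):
        """Decode the challenge with own private key, re-encrypt for the verifier."""
        number = apply_key(self._private, challenge)
        return apply_key(verifier_public, number)

    def authenticate(self, claimed_public, responder):
        """True only if `responder` holds the private key matching `claimed_public`."""
        number = secrets.randbits(64) | (1 << 63)       # fresh random number per run
        challenge = apply_key(claimed_public, number)    # message 1: verifier -> peer
        response = responder.respond(challenge, self.public)  # message 2: peer -> verifier
        return apply_key(self._private, response) == number

def mutual_authentication(a, b):
    """Run the exchange in both directions, as the text describes."""
    return a.authenticate(b.public, b) and b.authenticate(a.public, a)

# Constructed demo keys from Mersenne primes; far too small for real use.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
alice = Party(M61, M89)        # user A
bob = Party(M107, M127)        # user B
intruder = Party(M89, M107)    # claims to be B but lacks B's private key

if __name__ == "__main__":
    print("A and B mutually authenticated:", mutual_authentication(alice, bob))
    print("intruder accepted as B:", alice.authenticate(bob.public, intruder))
```

The intruder fails because decoding A's challenge with the wrong private key yields a different number, so the value A gets back does not match the one it sent.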
The authentication can also use a trusted third party, the authentication server, which delivers authentication certificates to the participants after exchanges of the type described above.
The certificates provided by the server are time-stamped, which prevents the subsequent reuse of a certificate by an intruder.
Finally, firewall routers protect a network by blocking access to data and machines