Other cryptographic methods
last changed 980613 by Micke Pettersson
Here is a description of the different methods we studied that proved
to be insufficient for our needs:
SSH, Secure Shell.
SSH (Secure Shell) [ ] was developed to replace the insecure
protocols rsh, rlogin, rcp and rdist. It is used to log in to a computer
over a network, execute commands on a remote machine and move files from
one machine to another.
It contains public-key encrypted authentication and secret-key
encrypted communication that also has a MAC for integrity control. But
SSH does not support authentication of the strong type with certificates,
so it is not complete enough for our demands.
PEM, Privacy Enhanced Mail.
PEM [ ] is an Internet standard for secure email, a standard
that was created by the Internet Research Task Force (IRTF) Privacy and
Security Research Group (PSRG) during the years 1983 - 1993. Security is
achieved by the use of strong authentication with certificates, session key
exchange with public key algorithms, integrity checking by hashing and
encryption with secret key algorithms. It is not limited to a specific OS or
specific users, so there are a lot of products using PEM. PEM only handles
messages specified in RFC 822 (ASCII text messages), and we want to send
other things than just text.
MOSS, MIME Object Security Services.
MOSS [ ] is defined in RFC 1828 and is proposed as an Internet
Standard in RFC 1847 and RFC 1848, October 1995. MOSS is a protocol that
offers Privacy Enhanced Mail services (integrity check, secret key encryption
and authentication) for MIME objects. It lacks support for session key
exchange. It is not very widely used: there is only one known application,
implemented as Unix source code, which is big and complex and only offers
DES encryption. A bad specification leads to different implementations of
the same protocol. Not good enough for our demands.
PCT, Private Communication Technology
When Netscape had developed SSLv2, many people found
out that it had some problems. Microsoft did not wait for the next version;
they developed their own protocol, PCT [ ], in which they took all the goodies
from SSLv2. But when SSLv3 came out on the market, it contained all the
things that PCT contained as well as a lot of extras, so PCT fell into the
shadows.
SHEN
SHEN [ ] is a high-level replacement for the existing HTTP
protocol, developed by Hallam-Baker, CERN. It has fallen into the shadows
and nowadays it is hard to find information about Shen.
PGP, Pretty Good Privacy.
PGP [ ] is not a standard, merely a product that is available
as freeware. PGP is a one-man show that offers weak authentication, integrity
check and encryption. It lacks support for strong authentication, certificates.
It was developed in the early days when only text was sent. To be able
to send today’s type of information the user is required to do a lot of
manual work, which has led to less use.
References:
SSH (Secure Shell) Remote Login Program: http://www.cs.hut.fi/ssh/
The details of PEM can be found in Internet RFCs 1421 through 1424, see ftp://ftp.rsa.com/pub/
MOSS FAQ published on the web: ftp://ftp.tis.com/pub/MOSS/FAQ
Shen Security Enhancements to HTTP: http://www.ncsa.uiuc.edu/SDG/IT94/Proceedings/Security/hallam-baker/Shen/Documentation/paper.html
PGP Pretty Good Privacy homepage at MIT: http://web.mit.edu/network/pgp.html
Created 980414 by Micke Pettersson, mikael.pettersson@tsl.uu.se, http://www3.tsl.uu.se/~micke