Chapter 9. Good password. How to protect your page in social network From theft? 9.1. Choosing a good password Many users use passwords like 1, 1234, QWERTY, and then surprised why their mailbox Or a page in the social network of hacker. The answer is simple - to her

Protect this feature for those who do not want to be amended in his text. If you click on the Protect Document button and select a command to limit formatting and editing, an additional panel will appear (Fig. 1.115). How can you see from the picture you can

How to protect the laptop laptop - the product is strong enough. Nevertheless, there are many situations in the outside world that can destroy a laptop computer. It may seem strange, but most laptops die with very trivial circumstances. Nic

- (anti-vandal cabinet) (eng. Protective Cabinet) Telecommunication cabinet, for placement and protection of telecommunication equipment (servers, routers, switches, modems, telephone stationsElements of optical cross ... ... Wikipedia

Electronic key - This term has other values, see the electronic key (values). Electronic key (also hardware key, sometimes Dongl from English. Dongle) hardwaredesigned to protect software (software) and data from ... ... Wikipedia

PGP - Pretty Good Privacy by Philip Tsimmermann Developer Philip Tsimmermann written on Multi Language Operational linux system, Mac OS X, Windows First Issue 1991 Website ... Wikipedia

Cipher Vernama - (Other Title: English One Time Pad Scheme of disposable notebooks) In cryptography Symmetric encryption system, invented in 1917 by AT T Major Joseph Moborn and Hilbert. Cipher Vernama ... ... Wikipedia

Dongle - Electronic key (also hardware key, sometimes dong from English. Dongle) hardware tool for protecting software (software) and data from copying, illegal use and unauthorized distribution. ... ... Wikipedia

Algorithm Diffe - Algorithm Diffi Helmana (English Diffie Hellman, DH) Algorithm, allowing two sides to get a common secret key using unprotected from listening, but protected from the change channel. This key can be used ... Wikipedia

Non-liberated cipher - (Vername code) - In cryptography, a whole class of systems with absolute cryptographic resistance, widely known as "Disposable notepads / liners" .. Contents 1 Creating history 2 Description ... Wikipedia

Algorithm Diffy - Helmana - (English. Diffie Hellman, DH) Algorithm that allows two sides to get a common secret key using unprotected by listening, but protected from substitution, communication channel. This key can be used to encrypt further exchange with ... ... Wikipedia

WPA. - And WPA2 (Wi Fi Protected Access) is an updated device certification program wireless communication. WPA technology has come to replace protection technology wireless networks WEP The advantages of WPA are strengthened data security ... Wikipedia

Disposable notebook

Shipoblot - Vernama cipher (Other Title: Eng. One Time Pad Disposable Notebook Schemes) In cryptography Symmetric encryption system, invented in 1917 by AT T Major Joseph Moborn and Hilbert. Cipher Vername is ... ... Wikipedia

The popularity of PKI-based solutions continues to grow - more and more sites go to HTTPS, enterprises are implementing digital certificates for authentication of users and computers, S / MIME proves its spength and encryption email, and as a way to check the source of messages to counteract phishing. But encryption and authentication in these applications are practically meaningless without proper keys.

Each time when issuing a digital certificate from the certification authority (CA) or a self-signed certificate, you need to generate a pair of closed and open keys. According to best practices, your secret keys must be protected and be, well ... Secret! If someone gets them, can, depending on the type of certificate, create phishing sites with the certificate of your organization in address lineAuthenticate B. corporate networks, issuing yourself for you, sign applications or documents from your face or read your encrypted emails.

In many cases, the secret keys are personal certificates of your employees (and, consequently, part of the personal data of the organization), so their protection is equal to protecting fingerprints when using biometric credentials. You will not let the hakwar get a fingerprint? The same with secret keys.

In this article we will discuss options for protecting and storing closed keys. As you see, these options may differ slightly depending on the type of certificate (s) and on how you use it (for example, recommendations for SSL / TLS certificates are different from recommendations for end-user certificates).

Certificate / Key Stores and Browsers

In some operating systems And browsers have certificate vaults or keys. These are software databases that locally on your computer store a pair of closed and open keys as part of the certificate. Such key storage is quite popular: many applications automatically searcable keys here, and you do not need to manually specify the certificate file every time, so this is a fairly convenient option.

Another plus of this option is quite easy to customize. You can enable / disable export closed keyturn on for him reliable protection (Password entry each time using a certificate), and you can create backups if the closed key is exported. In addition, when you turn on roaming profiles in Windows, the certificate is attached to the profile and becomes available at the entrance to another computer with this profile.

If you decide to choose this option, you should consider several aspects. First, even if you mark the closed key as an uncomportable, some utilities can bypass this protection (that is, the impossibility of exports is not guaranteed). In addition, if someone worked under your accounting, And you did not include strong closed key protection (password when using a certificate), then they can use your certificate. Finally, if your private key is marked as exported, then someone for your computer will be able to export it. Even if you have a secret key protection, the password does not ask when exporting.

And Last: Chrome and IE use Windows Certificate Storage, while Firefox has its own certificate store (from Mozilla). This means that if you import a certificate in the Windows Storage, then Chrome and IE will automatically find it, and there is no Firefox.

Typical applications:

• Applications for digital signature (for example, Adobe Acrobat., Microsoft Outlook and Office will access the Windows Certificate Storage [Custom]).
• Microsoft IIS server also searches for SSL certificates in Windows Certificate Storage [General for Computer].
• Client authentication (user or computer), depending on the settings, most often refers to the Windows Certificate Storage.
• Signature code in Windows (applications and drivers).

Files.pfx i.jks (keys repositories)

If you decide to save the file on the remote server, you should especially take care of restricting access to it. If someone gets access, you can use your certificate. Similarly, you should be especially careful with the easy copying and distribution of these files. Although it is a great convenience for you, but at the same time an attacker will simply make a copy if it gets access to your keys repository. The closed key password is still needed to efficiently use the copied file. This is another reason to use reliable passwords out of 15 and more characters containing capital letters, numbers and special symbols. With this storage option, you need to consider another thing: the end user is superimposed more responsibility from the point of view of where the file is located and whether it is stored correctly.

If you can not use cryptographic equipment or storage windows keys (Described above), but still want to improve security (instead of just place the key storage file on a computer), you can record this file on a flash drive, which will lie in a safe place. Of course, some convenience is lost here, so if you often use the signature, then you will rather want to store the file locally to facilitate access.

Typical applications:

• Signing a Windows or Java code.
• FDA ESG and IRS IDES use.pfx for safe communication with American civil services.
• Some web servers (for example, Apache Tomcat or JBOSS).

Cryptographic Tokens and Smart Cards

As casually mentioned above, you can enhance security if you store a secret key on separate hardware. But there is a big difference Between the use of cryptographic tokens or smart cards and standard flash drives. With cryptographic equipment, the key is generated on the equipment itself and is not exported. The closed key never leaves the device, which greatly makes it difficult to extract access and compromising.

Note: If you want to further protect the private key, which has already been generated earlier (i.e. not on the token), then you can import.pfx file to the token, and then delete the original.pfx.

With a token, every time you use a certificate to enter a password. This means that even if someone gets your token, it will still need a password. The key storage in the token means that you can safely use the same certificate on multiple computers without the need to create multiple copies and passing the export / import process. Cryptographic equipment complies with FIPS, which is required for some sectoral and government regulations.

Of course, there are some other considerations that should be borne in mind if you decide to choose this option. In addition to the additional difficulties of token management, this option may not work with automatic assemblies due to the requirement to enter a password each time using the certificate. There is also no way to create a backup certificate, since the closed key is not exported (lack of additional security). Finally, in some scenarios, this storage option is simply impossible. For example, if specialized devices do not support tokens or smart cards. Or in situations where employees do not have physical access to the computer, and work with remote terminals.

Typical applications:

Compliance with regulatory requirements is one of the main causes of the use of cryptographic tokens.

• It is necessary for signing the extended check code (EV) in accordance with the recommendations of the CA / Browser forum.
• Recommended for standard code signature in accordance with the minimum CA Security Council requirements. Certification centers are required to recommend cryptographic equipment as the main option for issuing certificates. If the cryptographic equipment is not issued, the client must sign an agreement, which will store a private key on some removable equipment (which is removed after signing).
• Required for digital signature and receiving trusted status in adobe programs, in accordance with the requirements of Adobe Approved TRUST LIST (AATL).
• Sectoral rules such as CFR 21 part 11 from FDA and digital signature requirements in individual countries often talk about the secret key, which is in the sole ownership of the owner. Storage on cryptographic equipment meets these requirements.

Hardware Cryptographic Modules (HSM)

HSM is another hardware storage solution, especially if you do not want to rely on separate tokens or it seems too burdensome. While the tokens are more oriented on manual entry or individual applications (for example, signing a small amount of documents or code, authentication in VPN or other networks), then HSM provides APIs, support automated workflows and automated assembly. They also comply with FIPS requirements and usually provide a higher rating than tokens.

Traditionally, HSM is local physical devices that require qualified resources to manage and provide basic requirements and SLAs. HSM maintenance may be expensive and resource-intensive process, which in the past prevented the spread of this technology. Fortunately, in recent years, HSM cloud modules have appeared, which provide many of the advantages of local HSM, without needing local maintenance.

An example is a familiar Key Vault service in the Microsoft Azure cloud, which stores cryptographic keys in the cloud HSM from Microsoft. If you have small organizationthat will not allow you to buy and manage your own HSM, then this is a great solution that is integrated with public certification centers, including Globalsign.

If you are considering a version with the signature of documents, we recently launched a new Digital Signing Service service, where it is also used cloud storage HSM for closed keys. It is worth noting that the new service supports individual signatures of all employees. In the past, most HSM-solutions for the signature were supported only by identifiers at the level of departments or organizations (for example, accounting, marketing, finance), and not individuals (for example, John DW). Consequently, to work at the level of individual employees, organizations had to deploy the tokens infruster, which, as we noted above, may be burdensome. With this new service, digital signatures of individual employees are implemented without the need to independently manage HSM (and without the risk of loss of tokens by employees).

Typical applications:

• Signature of documents or code in large quantities.
• SSL (depending on server configuration).
• The CA infrastructure for the work of its own CA (root CA, subordinate CA, RFC 3161 time label server) in offline or online (root CA, as a rule, works offline).

Future key storage methods

As more and more devices are connected to the network with the need for authentication and secure data exchange, many developers and manufacturers turn to PKI-based solutions. In turn, this leads to new considerations, requirements and technologies for protecting closed keys. Below are two trends that we see in this area.

Trusted platform module (TPM)

IoT has created a problem when a lot of anonymously interacting devices facilitate hackers intercept messages or device impersonation. The TPM module is introduced at the production stage for protection cryptographic key And, therefore, for reliable identification of the device.

During production, steam is generated from closed and open keys. The public key goes to the certification authority for signing and issuing a digital certificate. The closed key never leaves the device. It is stored on the chip and cannot be exported / copied / destroyed. Now the certificate is a device passport, and the protected private key forms the hardware root of trust.

Physically unconnected functions (PUF)

The PUF technology in combination with a trusted implementation medium (Tee) is an attractive solution if required inexpensive, easy to integrate and ultra-safe key protection. PUF along with PKI make up an exhaustive solution for identification.

Our INTRINSIC ID partner has developed such a SRAM PUF key preparation system, which manufactures unique, fake and copy device identifiers on the hardware level. Using our certification services, we translate these identifiers into digital certificates by adding PKI capabilities. Thus, each device is assigned a unique, protected to cloning a pair of keys, which is not stored on the device in the disabled state, but the device can recreate this key on request. It protects against the attack on the disabled device.

Certification keys

If the keys are in some ways are transmitted to the remote location, they must be checked upon receipt on the subject of whether they are not subject to intervention during the transmission process. This can be done manually or use some form of digital signature.

Open keys are designed to publish or transmit to other users and must be certified as owned key pair owner. Certification is carried out using the Central Certificate Bureau (Certification Authority, CA). In this case, CA provides a digital signature on the open key, and thanks to this, the CA with trust perceives the fact that the public key belongs to the Keyword holder (see Fig. 5).

Fig. 5. Public key certification in Certificate Bureau

Without the correct certification of the key and its owner, an attacker can introduce its own keys and, thus, overcome the protection of all transmitted and authenticated information.

Open keys open key pair do not require privacy protection. They only require ensuring integrity protection through the use of certificates. The secret key of the open key pair should be kept all the time in secret.

If the attacker receives a copy of the secret key, it appears the ability to read all confidential traffic addressed to the owner of the key pair, as well as digital signing information as the owner of the key pair. Protection of the secret key must apply to all copies of it. Therefore, the file containing the key must be protected, as well as any archive media on which this file can be recorded. Most of the key protection systems are implemented by using passwords. This protection allows you to protect the keys from random spy actions, but not from a joint directional attack. The password used to protect the key must be selected thoroughly to confront attacks by rough strength. but best way The key protection is, first of all, preventing the access of an attacker to a key file.

It is necessary to protect all the key keys using the secret keys. If the key is contained in the file, this file must be protected anywhere where it is not (including archival carriers). If the key is in memory, it is necessary to take measures to protect the memory space from research by users or processes. Similarly, in the case of a dump (discharge of data on hDD) Kernel, the kernel file must be protected, as it may contain the key.