Security Status and Issues & Electronic Commerce on the Internet
APPENDICES
Denis Arnaud
July 1995
A Postscript version is also available here.
1 Appendix 1: Dictionary of Security Related Terms and Abbreviations
2 Appendix 2: An example of User-level Security Policy
3 Appendix 3: General Questions About RSA's Cryptography
3.1 General
3.1.1 What is encryption?
3.1.2 What is authentication? What is a digital signature?
3.1.3 What is public-key cryptography?
3.1.4 What are the advantages and disadvantages of public-key cryptography over secret-key cryptography?
3.1.5 Is cryptography patentable in the U.S.?
3.1.6 Is cryptography exportable from the U.S.?
3.2 RSA
3.2.1 What is RSA?
3.2.2 Why use RSA rather than DES?
3.2.3 How fast is RSA?
3.2.4 How much extra message length is caused by using RSA?
3.2.5 What would it take to break RSA?
3.2.6 Are strong primes necessary in RSA?
3.2.7 How large a modulus (key) should be used in RSA?
3.2.8 How large should the primes be?
3.2.9 How does one find random numbers for keys?
3.2.10 What if users of RSA run out of distinct primes?
3.2.11 How do you know if a number is prime?
3.2.12 How is RSA used for encryption in practice?
3.2.13 How is RSA used for authentication in practice?
3.2.14 Does RSA help detect altered documents and transmission errors?
3.2.15 What are alternatives to RSA?
3.2.16 Is RSA currently in use today?
3.2.17 Is RSA an official standard today?
3.2.18 Is RSA a de facto standard? Why is a de facto standard important?
3.2.19 Is RSA patented?
3.2.20 Can RSA be exported from the U.S.?
3.3 Key Management
3.3.1 What key management issues are involved in public-key cryptography?
3.3.2 Who needs a key?
3.3.3 How does one get a key pair?
3.3.4 Should a public key or private key be shared among users?
3.3.5 What are certificates?
3.3.6 How are certificates used?
3.3.7 Who issues certificates and how?
3.3.8 What is a CSU, or, How do certifying authorities store their private keys?
3.3.9 Are certifying authorities susceptible to attack?
3.3.10 What if the certifying authority's key is lost or compromised?
3.3.11 What are Certificate Revocation Lists (CRLs)?
3.3.12 What happens when a key expires?
3.3.13 What happens if I lose my private key?
3.3.14 What happens if my private key is compromised?
3.3.15 How should I store my private key?
3.3.16 How do I find someone else's public key?
3.3.17 How can signatures remain valid beyond the expiration dates of their keys, or, How do you verify a 20-year-old signature?
3.3.18 What is a digital time-stamping service?
3.4 Factoring and Discrete Log
3.4.1 What is a one-way function?
3.4.2 What is the significance of one-way functions for cryptography?
3.4.3 What is the factoring problem?
3.4.4 What is the significance of factoring in cryptography?
3.4.5 Has factoring been getting easier?
3.4.6 What are the best factoring methods in use today?
3.4.7 What are the prospects for theoretical factoring breakthroughs?
3.4.8 What is the RSA Factoring Challenge?
3.4.9 What is the discrete log problem?
3.4.10 Which is easier, factoring or discrete log?
3.5 DES
3.5.1 What is DES?
3.5.2 Has DES been broken?
3.5.3 How does one use DES securely?
3.5.4 Can DES be exported from the U.S.?
3.5.5 What are the alternatives to DES?
3.5.6 Is DES a group?
3.6 Capstone, Clipper and DSS
3.6.1 What is Capstone?
3.6.2 What is Clipper?
3.6.3 How does the Clipper chip work?
3.6.4 Who are the escrow agencies?
3.6.5 What is Skipjack?
3.6.6 Why is Clipper controversial?
3.6.7 What is the current status of Clipper?
3.6.8 What is DSS?
3.6.9 Is DSS secure?
3.6.10 Is use of DSS covered by any patents?
3.6.11 What is the current status of DSS?
3.7 NIST and NSA
3.7.1 What is NIST?
3.7.2 What role does NIST play in cryptography?
3.7.3 What is the NSA?
3.7.4 What role does the NSA play in commercial cryptography?
3.8 Miscellaneous
3.8.1 What is the legal status of documents signed with digital signatures?
3.8.2 What is a hash function? What is a message digest?
3.8.3 What are MD2, MD4 and MD5?
3.8.4 What is SHS?
3.8.5 What is Kerberos?
3.8.6 What are RC2 and RC4?
3.8.7 What is PEM?
3.8.8 What is RIPEM?
3.8.9 What is PKCS?
3.8.10 What is RSAREF?
4 Appendix 4: More about SSL and S-HTTP
4.1 Security Assessment of the SSL Protocol
4.1.1 Introduction
4.1.2 Security Service Requirements
4.1.3 Other Factors
4.2 Security Assessment of the SHTTP Protocol
4.2.1 Introduction
4.2.2 Security Service Requirements
4.2.3 Other Factors
4.3 Conclusion
5 Appendix 5: Some sites which handle secure payments on the Internet
6 Appendix 6: Selected List of Internet Security Vendors
6.1 Vendors and Suppliers of TCP/IP Firewall Systems
6.2 Encryption Products
6.3 Encryption Products on the Net
7 Appendix 7: Smart Card Technology
7.1 Introduction
7.2 Terminology
7.3 Smart Card Technology
7.3.1 Basic Concepts
7.3.2 Physical Characteristics
7.3.3 Logical Characteristics
7.3.4 Life Cycle
7.4 Standards
7.5 Why Smart Cards In A Company?
7.5.1 Two-Factor Authentication
7.5.2 Secure Storage
7.5.3 Encryption and Key Generation
8 Appendix 8: Putting the Web to Work Inside Your Business
8.1 Foreword
8.2 Introduction
8.3 Internal Use of the Web: An Exploding Market
8.4 Improving Internal Communications
8.4.1 Sales and Marketing Applications
8.4.2 Product Development Applications
8.4.3 Customer Service and Support Applications
8.4.4 Human Resources Applications
8.4.5 Finance Applications
8.5 The Future Of Internal Web Applications
8.6 Conclusion
9 Appendix 9: Companies To Cast Parents As Cybercops
Denis Arnaud
12/19/1997