The Defensative Platform will often warn you that you may be passing sensitive information over the network in "clear text" or via outdated encryption protocols (example SSL Version 3.0) that have been compromised. This article is meant to help you understand the basics of encryption so other articles on 'clear text passwords' & 'keeping software up to date' make more sense.
Encryption is a method of protecting data from people you don't want to see it. For example, when you use your credit card on a website, your computer encrypts that information so that others can't steal your personal data as its being transferred.
Did you ever play with a decoder ring when you were a child? You could use your ring to 'encode' a message using a secret cipher, and only other people with that cipher could read the message and everyone else just saw random text. Well that was an example of encryption...
So essentially encryption is a process that converts original information, also called plain text into a difficult-to-interpret form called ciphertext and it's done by using an encryption algorithm (a formula used to turn plain text into ciphertext).
Why do people use encryption? 4 primary reasons:
1. Authentication - Protects personal data such as passwords.
2. Privacy - Provides for confidentiality of private information.
3. Integrity - Ensures that a document or file has not been altered.
4. Accountability - Prevents denial or plagiarism.
Here is a great book you may want to consider purchasing:
Note: If you would like to do a free course on cryptography the Khan Academy has a wonder course you can find here for intermediate users.
There are two types of encryption- Asymmetric and Symmetric.
Asymmetric - The sender and recipient obtain the same encryption program.
- If someone wants to send you an encrypted message, you first need to generate a public key and a private key with your encryption application. You then send that person the public key.
- Using an asymmetric algorithm and your public key, the sender scrambles the message into "ciphertext".
- They send you the ciphertest.
- You run the ciphertext through your encryption program, which decodes the message using your private key. If you want to send a message back, you need the sender's public key.
Symmetric - The sender and recipient obtain the same encryption program.
- To send an encrypted message, you compose the message and then create an encryption key you'll use to scramble it.
- You send the key (which can take the form of a password or a file) to the recipient via a route different from the one you'll use to send the message.
- Using an algorithm and the key, the encryption application turns your plain text into "ciphertext".
- You send the ciphertext message to the recipient.
- The recipient runs the ciphertext through the same application, which uses the algorithm and the key to decrypt and read the message.
Although, symmetric encryption is fast, it is not as safe as asymmetric encryption because someone could “steal” the key and decode the messages. But because of its speed, it's commonly used for e-commerce transactions. Asymmetric encryption is more complex--and more secure. Asymmetric encryption's added safety comes at a price: More computation is required, so the process takes longer.
Secure Sockets Layer (SSL) is a cryptographic protocol designed to provide communication security over a computer network. SSL uses X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication.
Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL). It is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message.
TLS is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. The TLS Handshake Protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before data is exchanged. The TLS protocol is based on Netscape's SSL 3.0 protocol; however, TLS and SSL are not inter-operable. The TLS protocol does contain a mechanism that allows TLS implementation to back down to SSL 3.0--and therein lies a problem called POODLE.
A POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryption") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. POODLE exemplifies a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of inter-operability.
So even with encryption you have to stay diligent as it can be hacked if you are not staying ahead of the bad guys. For example a new variant of the original POODLE attack was announced on December 8, 2014. This attack exploits implementation flaws in the TLS 1.0 - 1.2 protocols. Even though TLS specifications require servers to check the padding, some implementations fail to validate it properly, which makes some servers vulnerable to POODLE even if they disable SSL 3.0