Cryptography Reference
CHAPTER 1
Understanding Internet Security
How secure is the data that you transmit on the Internet? How vulnerable is
your personal data to hackers? Even computer-literate, experienced programmers
find it's hard to answer these questions with certainty. You probably know
that standard encryption algorithms are used to protect data — you've likely
heard of public-key algorithms such as RSA and DSA — and you may know
that the U.S. government's Data Encryption Standard has been replaced by an
Advanced Encryption Standard. Everybody knows about the lock icon in their
browsers that indicates that the session is protected by HTTPS. You've most
likely heard of PGP for e-mail security (even if you gave up on it after failing
to convince your friends to use it).
In all likelihood, though, you've also heard of man in the middle attacks, timing
attacks, side-channel attacks, and various other attacks that aim to compromise
privacy and security. Anybody with a web browser has been presented with the
ominous warning message that “This site's security cannot be trusted — either
the certificate has expired, or it was issued by a certificate authority you have
chosen not to trust.” Every week, you can read about some new zero-day exploit
uncovered by security researchers that requires a round of frantic patching. As
a professional programmer, you may feel you ought to know exactly what that
means — yet trying to decipher these messages and determine whether you
should really be worried or not takes you down the rabbit hole of IETF, PKCS,
FIPS, NIST, ITU, and ASN. You may have tried to go straight to the source and
read RFC 2246, which describes TLS, but you may have discovered, to your