Security demands focus the need for authentication, encryption, and digital signatures in embedded network devices as more devices are connected to the Internet. Attacks on desktops, servers, and PCs are increasing because of common platforms and languages, such as Visual Basic, and the number of Internet-connected PCs.
Soon, the number of embedded devices connected to the Internet will be greater than the number of PCs, making them ideal targets for a range of attackers. Unsecured and unverifiable transmission of information will still occur, although secured and verifiable transmissions will be required, especially for key actions like downloading programs or data to an embedded device.
Authentication, digital signatures, and encryption are generally based on a set of keys and algorithms for transforming digital data, called clear text, into an encrypted form and back again. Digital signatures are based on the encryption of a checksum of the data being signed. Secure authentication is accomplished using digital signatures.
Today's popular forms of encryption use a private key or a public key approach. The private key method employs shared secret keys that are typically identical, while the latter approach uses a pair of keys: one secret and one public.
Digital signatures can implement either approach for encrypting data that will confirm the validity of other data. Frequently, the encrypted data is a checksum. The encrypted checksum and its matching data are usually paired to make verification easier. Pairing allows additional digital signatures to be associated with the unencrypted data. Likewise, another digital signature could be applied to the combination.
Digital signature verification can be performed using two mechanisms. The first decrypts the signature and compares the decrypted information with that generated from the signed information. The second generates a copy of the encrypted information and compares the encrypted data. A match using either technique indicates that the clear text has been signed.
Digital signatures can be employed for authorization. These are often called certificates or tickets. In such cases, the encrypted information will usually be larger than the clear text. For example, Kerberos is a server-based authentication system that uses digital signatures. Authentication details are hidden in the encrypted information so the details can't be extracted from an intercepted signature packet. Digital signatures often have time stamps and lifetime information. Lifetimes of minutes or hours are often implemented to let remote applications access resources on a remote server.
A public key infrastructure (PKI) is a centralized method for securely managing and distributing public keys. The keys are delivered as certificates, each with one or more digital signatures from a certificate authority (CA). A certificate holder can trust the key if it verifies and trusts that the digital signatures and the lifetime of the certificate haven't expired. PKIs are typically implemented for keys used with e-mail, Web browsers, and remote-access services.
See associated figures:
Private key encryption
Public key encryption
Digital signature verification
Digital signature verification
Encrypted or signed communication
| ENCRYPTION | ||||||
| Title | Name | Standard | Organization | Description/Web site | ||
| Blowfish | Blowfish | n/a | n/a | Encryption algorithm developed by Bruce Schneier http://www.counterpane.com/bfsverlag.html |
||
| 3DES | Triple DES | FIPS PUB 46-3NIST | Applies DES using three 56-bit keys | |||
| DES | Data Encryption Standard | FIPS PUB 46-3 | NIST | 56-bit private key encryption algorithm | ||
| DH/DSS | Diffie-Hellman/Digital Signature Standard |
Popular encryption standard developed by Diffie and Hellman | ||||
| MD5 | Message Digest | RFC 1321 | IETF | Encryption algorithm developed by Ronald L. Rivest of MIT | ||
| P1363 | P1363 | P1363 | IEEE | Encryption standards group http://www.manta.ieee.org |
||
| PGP | Pretty Good Privacy | RFC 2440 | IETF | Public key encryption algorithm http://www.pgpi.org, http://www.pgp.com |
||
| RSA | R. Rivest, A. Shamir, L. Adleman | PKCS | Public key encryption algorithm developed by RSA Security Inc. | |||
| GSSAPI | Generic Security Services API | RFC 1508 | IETF | Security-related API definitions | ||
| SHA | Secure Hash Algorithm | FIPS PUB 180-1 | NIST | Encryption algorithm | ||
| AUTHENTICATION | ||||||
| Title | Name | Standard | Organization | Description/Web site | ||
| Kerberos | Kerberos | RFC 1510 | IETF | Server-based public key authentication system http://web.mit.edu/kerberos/www/ |
||
| RADIUS | Remote Authentication Dial In User Service | RFC 2865 | IETF | Used to manage remote access servers | ||
| DIGITAL SIGNATURES AND CERTIFICATES | ||||||
| Title | Name | Standard | Organization | Description/Web site | ||
| DSS | Digital Signature Standard | FIPS PUB 186 | NIST | Uses DES | ||
| ISAKMP | Internet Security Association and Key Management Protocol | RFC 2408 | IETF | Key management system used with IPsec | ||
| X.509 | Public key certificate | X.509 | ITU | X.500 digital certificate standard | ||
| COMMUNICATION LINKS | ||||||
| Title | Name | Standard | Organization | Description/Web site | ||
| SSH | Secure Shell 1 | Draft | IETF | Secure terminal and application virtual private networks connections http://www.ietf.org/html.charters/secsh-charter.html |
||
| SSH2 | Secure Shell 2 | Draft | IETF | Secure terminal and application virtual private networks connections http://www.ssh.org/specs.html |
||
| IPsec | IP security | RFC 2411 | IETF | Used for virtual private networks (VPN) http://www.ietf.org/html.charters/ipsec-charter.html |
||
| SSL | Secure Socket Layer | n/a | Netscape | Secure Internet connection | ||
| OpenSSL | Open SSL | n/a | OpenSSL | Open-source implementation of SSL and TSL http://www.openssl.org |
||
| TSL | Transport Security Layer | RFC 2246 | IETF | Alternative to SSL | ||
| SHTTP | Secure Hypertext Transfer Protocol | RFC 2660 | IETF | Secure version of HTTP for secure Web server access | ||
| APPLICATION SPECIFIC | ||||||
| Title | Name | Standard | Organization | Description/Web site | ||
| S/MIME | Secure-MIME | RFC 2311 | IETF | E-mail encryption and digital signature standard | ||
| OpenPGP | Open Pretty Good Privacy | RFC 2440 | IETF | E-mail encryption and digital signature standard http://www.ietf.org |
||
| DNSSEC | Domain Name Server Security | RFC 3008 | IETF | Domain name server (DNS) secure update protocol | ||
| ORGANIZATIONS | ||||||
| Title | Organization | Web site | ||||
| ANSI | American National Standards Institute | http://www.x9.org | ||||
| IEEE | Institute of Electrical and Electronic Engineers | http://www.ieee.org | ||||
| IETF | Internet Engineering Task Force | http://www.ietf.org | ||||
| ISO | International Standards Organization | http://www.iso.org | ||||
| ITU | International Telecommunications Union | http://www.itu.ch | ||||
| NIST | U.S. National Institute of Standards and Technology | http://www.nist.gov | ||||
| OG | Open Group | http://www.opengroup.org | ||||
| PGPI | PGP International | http://pgpi.org | ||||
| PKCS | Public Key Cryptography Standard | http://www.rsasecurity.com | ||||