Top Tips for Ensuring Security, Confidentiality and Authenticity of Data over a Distributed Network

By Simon Loader

To ensure the confidentiality, security and authenticity of a message sent over a distributed network that crosses the internet, many things need to be done on both companies' networks. Each company needs to be sure that its own local network is secure. This is done by a variety of means.
A firewall is needed to monitor and control traffic to and from the internet at the transport layer, so that only the kinds of communication the company's security policy allows are permitted. To stop people from creating their own connections to the internet, tight auditing of the company's network is required; auditing the software that runs inside the network is also important, to remove the chance of any spy software running. A security policy needs to be in place to decide what people can access and how.

At the physical layer a company could opt to use optical fibre throughout to reduce the chance of snooping, but this tends to prove impractical on a local LAN. Radio networks should be avoided as much as possible, as they are easily snooped. If radio must be used, encryption at the data link layer is important. This is generally done using a shared secret that may change over time after the first connection. This type of security can only be used inside the corporate network, as once traffic reaches the internet data link layer encryption is no longer possible (ignoring tunnelling over IP).

Once the data is sent over the internet the physical and data-link layers cannot be encrypted, as stated before. This is because routers operate at layer 3, the network layer, to make routing decisions. The payload carried at the network layer does not need to be decipherable, but the headers added at the network layer are used to make routing decisions and do need to be readable. At the network layer it is common to encrypt data from one company's gateway/connection to the internet to the other company's gateway/connection. These again often use a shared key that changes over time; all data sent over the internet is encrypted and deciphered at the other end. This does mean, however, that inside both companies' networks the data travels unencrypted. There is also no authenticity of the sender, except that they were able to send data via the company's encrypted network-layer link.

At the transport layer it is also possible to encrypt data for a known type of protocol, which has to be agreed beforehand. This encrypts a connection end to end for an application, which means it travels encrypted over the local network as well as through the public internet. Security at the transport layer provides some level of authenticity that the connection is to the intended party, although it cannot provide full authentication. It is, however, a good source of confidentiality, as the only places the data exists deciphered are the local and remote machines, and it should not be possible to snoop to find out the contents.

Full authenticity is only really possible at the application layer. Data encrypted at this level passes through all the other layers encrypted. There are numerous types of encryption that can be used to send data. The use of public key encryption allows the data to be sent in the full knowledge that the sender and receiver can be authenticated and that the data can only be deciphered by the intended recipient. With public key encryption it is possible to swap public keys in order to allow two companies to communicate. Once something is encrypted with one half of the key pair (public or private), it can only be deciphered with the other half. Therefore, if a message is first encrypted with one company's private key and then with the other's public key, only the intended recipient can decode it, and they can then use the first company's public key to prove who sent it.
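The two-layer scheme just described, as an added example that is not part of the original article: a toy textbook RSA (constructed tiny primes, no padding, one byte per block, so purely illustrative and not usable in practice) in which Company A applies its private key and then Company B's public key, and B reverses the layers. The `keypair`, `send` and `receive` helpers and the impostor Company C are assumptions made for the demonstration.

```python
from math import gcd

def keypair(p, q, e):
    """Toy RSA key pair from two primes: returns ((e, n), (d, n))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (e, n), (pow(e, -1, phi), n)   # pow(e, -1, m) needs Python 3.8+

def apply_key(value, key):
    """Use either half of a key pair: value^k mod n. Undone only by the other half."""
    k, n = key
    if not 0 <= value < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(value, k, n)

# Constructed demo keys (tiny primes, not real key material). n_A and n_C are
# kept below n_B so the inner block fits under the recipient's modulus.
A_PUB, A_PRIV = keypair(61, 53, 17)     # Company A, the genuine sender (n = 3233)
B_PUB, B_PRIV = keypair(101, 113, 3)    # Company B, the recipient (n = 11413)
C_PUB, C_PRIV = keypair(47, 59, 5)      # Company C, an impostor (n = 2773)

def send(message, sender_priv, recipient_pub):
    """Sender side, one byte per block: own private key first, then recipient's public key."""
    return [apply_key(apply_key(b, sender_priv), recipient_pub) for b in message]

def receive(blocks, recipient_priv, claimed_sender_pub):
    """Recipient side: own private key strips the outer layer, the claimed sender's
    public key strips the inner one. A key mismatch leaves garbage, exposing a forgery."""
    return [apply_key(apply_key(c, recipient_priv), claimed_sender_pub) for c in blocks]

if __name__ == "__main__":
    msg = b"Invoice 42 approved"
    wire = send(msg, A_PRIV, B_PUB)
    print("genuine:", receive(wire, B_PRIV, A_PUB) == list(msg))     # True
    forged = send(msg, C_PRIV, B_PUB)        # C does not hold A's private key
    print("forgery:", receive(forged, B_PRIV, A_PUB) == list(msg))   # False
```

Anyone can strip the inner layer with A's public key, so this gives origin proof, not secrecy; secrecy comes only from the outer layer that needs B's private key.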


About the author: Simon Loader is a UNIX and email specialist who runs Surf, a free IT resource and downloads website, in his spare time. Many of the downloads and articles on Surf created by Simon are featured on technical websites all over the world. To access FREE downloads and information covering several diverse IT topics visit www.surf.org.uk.