Opportunistic encryption

From Wikipedia, the free encyclopedia

Jump to: navigation, search
 This article may require cleanup to meet Wikipedia's quality standards.
Please improve this article if you can. (July 2006)

Opportunistic Encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems. It is sometimes described as "Better Than Nothing Security"[1][2] or ANONSEC. Opportunistic encryption can be used to combat passive wiretapping.[3] It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most internet traffic easy to implement, which has been a significant impediment to the mass adoption of Internet traffic security.

Contents

[edit] Routers

The FreeS/WAN project was one of the early proponents of OE. OpenSWAN has also been ported to the OpenWRT project and runs on Linksys WRT54G (and family) routers.[4] Openswan uses DNS records to facilitate the key exchange between the systems.[1]

It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similar to OE for specific domains.[5]

[edit] Linux

The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs which can also operate in OE mode using IPsec based technology.

[edit] Windows OS

Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "Ip Security Policies on Local Computer" and then edit the properties to assign the "(Request Security)" policy. This will turn on optional IPsec in a Kerberos environment.

In a non-Kerberos environment, a certificate from a Certificate Authority (CA) which is common to any system with which you communicate securely is required, Thawte Freemail for example.

Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT Traversal (NAT-T) and is accomplished by adding a DWORD of 2 to the registry: HKLM\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule [6] Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit traffic to various domains and protocols to use encryption.

[edit] E-mail

Opportunistic Encryption can also be used for specific traffic like e-mail using the STARTTLS Internet Message Access Protocol extension. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.

Many systems employ a variant with third party addons to traditional email packages by first attempting to obtain an encryption key and if unsuccessful, then it sends the email in the clear. PGP, Hushmail, Ciphire, among others can all be setup to work in this mode.

[edit] VoIP

Some VoIP solutions provide for painless encryption of voice traffic when possible. The Sipura and Linksys lines of analog telephony adapters (ATA) include a hardware implementation of SRTP with the installation of a certificate from Voxilla, a VoIP information site. When the call is placed an attempt is made to use SRTP, if successful a series of tones are played into the handset, if not the call proceeds without using encryption. Skype and Amicima use only secure connections and the Gizmo Project attempts a secure connection between their clients. Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP. They have an implementation of it called Zfone whose source and compiled binaries are available.

[edit] Websites

For encrypting WWW/HTTP connections, typically HTTPS is used. This can also be used for opportunistic website encryption. Most browsers verify the webserver's identity to make sure that an SSL certificate is signed by a trusted Certificate Authority. The easiest way to enable opportunistic website encryption is by using self-signed certificates, but this causes browsers to display a warning each time the website is visited unless the user imports the website's certificate into their browser.

[edit] See also

Cryptography Portal

[edit] References

  1. ^ Better-Than-Nothing Security (btns). Retrieved on 2007-10-24.
  2. ^ ANONSEC Mailing list. Retrieved on 2007-10-24.
  3. ^ Gilmore, John (2003-05-13). FreeS/WAN Project: History and Politics. Retrieved on 2007-11-24.
  4. ^ IPSec Howto. OpenWrt Community wiki. Retrieved on 2007-10-24.
  5. ^ Creating a Dynamic VPN. Retrieved on 2007-10-24.
  6. ^ L2TP/IPsec NAT-T update for Windows XP and Windows 2000. Microsoft. Retrieved on 2007-10-24.

[edit] External links

Retrieved from "http://en.wikipedia.org/wiki/Opportunistic_encryption"
Personal tools