At 10:35 AM 12/19/00 -0500, Scoville, Chad wrote:
> I've been actively reading posts on this list for about two years now, and I'm in the process of actually trying to design/implement a data network where security is of the utmost priority. Where is a good starting point to find out about packages using algorithms which are unbreakable as of yet? All of the traffic will remain domestically within the US. The traffic will be SMTP.
>
> It would be illmatic if someone could recommend a good reading list (current) on the bleeding edge of cryptography.
You don't want to be on the bleeding edge of cryptography; you want to be on the calm, boring and stuffy edge. The bleeding edge is for academic mathematicians, not for people with high-importance security problems. You might want to be on the bleeding edge of firewalling and implementation - depends on your need for speed, number of locations you're supporting, and price-sensitivity.

Unbreakable algorithms are easy, and have been for years. Triple DES or the newly certified Rijndael AES standard are both as strong as you need (if you're paranoid, stick to 3DES; Rijndael is newer, and while it's had just about everybody trying to crack it and survived, and the US NIST (and hence NSA) has certified it, newer isn't better in this business.) RC4 with 128-bit keys is also strong enough, if it's been implemented properly; if applied wrong, it fails badly, so make sure you're using a competent implementation. For public-key cryptosystems, either RSA or the Elliptic-Curve systems are strong enough, given sufficiently long keys, though the definition of "long enough" has grown by a few bits since then. 1024-bit RSA is fine for anything not involving decades of time or large numbers of dead bodies, but 2048 isn't hard either.

For implementation, if you don't _really_ know what you're doing, and since you're asking about a good reading list, you don't, if this is for your business, you need to *hire* *somebody* who does know what they're doing, and you probably want them to buy commercial products backed by businesses with some development capital that will fix bugs and maintain stuff, and you need to look at the security of your processes. Because it doesn't matter how unbreakable your algorithms are if some insider has access to the router with the password written on a yellow sticky note, or if somebody can mail you a Microsoft Loves You virus that forwards your email inbox to kgb.com.
At first glance, it sounds like your application probably calls for either Cisco routers using their IPSEC features (if your remote endpoints are big enough to use a router), or a Nortel or Cisco IPSEC box at your headquarters location with IPSEC client software running on your PCs or Linux boxes. But you haven't talked about network scale, speeds, sizes, number of locations, etc., so those are just generic guesses. Depending on what you're doing (user population, turnover, employees vs. customers, etc.), you may also want some kind of Public Key Infrastructure, or that may just be a bunch of bogus hype irrelevant to your needs.

Another possible approach is PGP-encrypted email - PGP Inc. used to do gateway boxes that could forward and encrypt mail and enforce encryption policies; if they still do this, that may also be an answer. You could also see if SSH has anything to offer.

The classic reading list on crypto starts with Bruce Schneier's Applied Cryptography, plus however much of its 1000+ item bibliography makes sense for you.

Thanks!
Bill

Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639