[dba-Tech] Security and OpenSSL

Jim Lawrence accessd at shaw.ca
Sun Sep 20 13:42:45 CDT 2015


Preamble: No one, especially in any major business, would go without security. It is not just for protecting access to the network and guarding company data but also for communication with other companies and governments. This protection basically requires good encryption.

Standard encryption for most mail or Transport Layer Security (TLS) offers little security as it can be cracked at the speed of transfer. Mail was sent in little more than plain text until the late nineties. Times have moved on but mail security has not. (https://en.wikipedia.org/wiki/Transport_Layer_Security). There are many companies that offer better mail security but unfortunately they tend to be web based, so the act of creating mail through them is compromised at both ends, rendering them open to "man in the middle" attacks and/or to being compromised at the online mail company level. If a company, government or person wishes some sort of security, online solutions are not the answer.

Overview: A recent BBC article describing the internet used the traditional "iceberg" analogy. The top of the iceberg, about 15 to 20 percent, is our standard open internet traffic. Most of us only use this level unless we are required to support a business or government agency. About 75 to 80 percent of all internet traffic uses the second layer, which is described as the "grey net". Most corporations and government agencies do their day to day operations at this level. This layer has various levels of encryption applied to the data being managed. The bottom layer has been described as the dark net. This is where all highly secure, good and bad actors manage their various clandestine affairs and business dealings. Here we can expect the highest levels of security and encryption to be applied. Though only about 5 to 10 percent of the total traffic, this layer has been rapidly expanding. Regardless of what we have been hearing, all but a few of the transactions in this layer are of a criminal nature or what we might consider criminal.
 
Virtual Private Networks (VPN). Using this method, theoretically, any data or mail can be transferred safely without further concern. One of the very best open source VPNs is OpenSSL. All major internet companies use the product. It is managed through the Linux Foundation (http://www.linuxfoundation.org). Its client can be installed on all computers, regardless of OS (https://www.openssl.org/). Any company should be using this form of communication. For Windows clients there are a number of sites which provide instructions on how to install the client: (http://www.herongyang.com/Cryptography/OpenSSL-Installation-on-Windows.html). Here is a good site giving information on how to use the command line to set up and configure your own OpenSSL server: (http://users.dcc.uchile.cl/~pcamacho/tutorial/crypto/openssl/openssl_intro.html). When choosing a secure VPN, as there are always bugs, the product's speed at dealing with compromises should be one of the major deciding factors. OpenSSL, being as it is the industry's major VPN, must have stellar repair speed (https://openssl.org/blog/blog/2015/09/01/openssl-security-a-year-in-review/), and so far its fix durations far exceed computer industry levels. Aside: Any tech still using Telnet should be sanctioned ;-)

There are many forms of encryption that can be used but many older ciphers can be compromised if sufficient resources are applied. The mail TLS, MD5, PGP, SHA1-256 and even RSA below 1024 are crackable. The best encryption method so far is AES-256. It is an open source math algorithm and currently there is not enough computer power in the world to break it. It should be noted that the higher the level of encryption, the slower the data transfer rate becomes. If transfer performance becomes an issue or static data must be encrypted, the following products are available (http://lifehacker.com/five-best-file-encryption-tools-5677725). Note that AES encryption should always be selected, and also note that certain products distribute the keys to central locations outside the user's control or jurisdiction, or copies of keys are just stored in an easily accessible drive directory on the current computer. Some techs, if they are supporting a number of businesses, can use the Yubi key for absolute security (http://www.amazon.com/Yubico-Y-073-YubiKey-Nano/dp/B00NHSHI8E/). If anyone is really interested in using and setting up the Yubi key method, a link to an instruction podcast can be posted.

This of course only covers transfer methods between two secure and set up sites. For hidden movement around the web, products that modify the packet headers and proxy servers that mask the user's location and do not store log information are strongly recommended. It should be noted that certain governments demand that all transaction information must be recorded, so picking the appropriate proxy servers is important. If anyone is interested, I have researched a couple of very good proxies and will pass that information along if asked.

Jim     
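The post above recommends selecting AES-256 and warns about products that keep copies of the key where anyone can read them. As an added example that is not part of Jim's message or of any product he mentions, the following Go program (standard library only) shows what a correct use of AES-256 looks like in practice: a 32-byte key drawn from the OS random source, AES-256-GCM with a fresh nonce per message so the ciphertext is also authenticated, and a check that a single flipped bit or a changed header is rejected rather than silently decrypted to garbage. The sample message, the `to=` header and all function names are constructed for illustration; how the key is stored afterwards (hardware token, OS keychain, or a world-readable directory) is exactly the point the post raises and is deliberately left outside this code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes. A 16-byte key would silently
// give AES-128, so the length is checked explicitly below.
const KeySize = 32

// NewKey draws a fresh 256-bit key from the OS CSPRNG. Where this key is then
// kept decides the real security of everything sealed under it.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD, refusing any key that is not 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM under a random 96-bit nonce and
// returns nonce || ciphertext || tag. aad is authenticated but not encrypted
// (a recipient or file name, for example) and must be supplied again to Open.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext+tag to the nonce, so the nonce travels with the message.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad fails the
// tag check and returns an error instead of corrupted plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// TamperRejected flips one bit in the middle of the sealed message and reports
// whether Open refuses it, which an authenticated mode must do.
func TamperRejected(key, sealed, aad []byte) bool {
	if len(sealed) == 0 {
		return false
	}
	forged := append([]byte(nil), sealed...)
	forged[len(forged)/2] ^= 0x01
	_, err := Open(key, forged, aad)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message and header; not real data.
	msg := []byte("Q3 contract draft: do not forward outside finance")
	aad := []byte("to=finance@example.invalid")
	sealed, err := Seal(key, msg, aad)
	if err != nil {
		panic(err)
	}
	back, err := Open(key, sealed, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes, recovered %q\n", len(sealed), back)
	fmt.Println("bit flip rejected:", TamperRejected(key, sealed, aad))
	_, err = Open(key, sealed, []byte("to=someone-else"))
	fmt.Println("changed header rejected:", err != nil)
}
```

GCM is chosen over a bare block mode because it gives integrity as well as confidentiality: a product that stores AES-encrypted files without an authentication tag lets an attacker who can reach the ciphertext modify it undetected. The nonce must never repeat under the same key, which is why it is drawn fresh from `crypto/rand` for every call rather than counted or reused.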