Sunday, August 16, 2009

Lab 3 -28072009-

Today’s lab is all about authentication and basic cryptography.


During this lab, we are taught to implement data encryption and a local password policy on Windows 2003, and to implement asymmetric cryptography using Pretty Good Privacy (PGP).


In Windows 2003, users are able to encrypt the data in a file or folder to prevent others from reading their private data. Although this method is not fully secure, it at least makes it more difficult for a hacker to hack into the system. To encrypt data, users can choose “Encrypt Contents to Secure Data” in the properties of the file or folder. This makes the data available and accessible only to the user who encrypted it.


Besides this, a minimum password length can be set by the administrator to force users to create more secure passwords. This makes the password cracking process harder. After the minimum length has been set, users need to create passwords that meet the minimum length set by the administrator.



Password complexity is also an important issue when creating a password. The more complex the password, the more difficult it is to crack. A complex password should contain a combination of numbers, uppercase and lowercase letters and special characters. In Windows 2003, the administrator is able to set the password policy so that users must create complex passwords.


To further enhance the security of the system, the administrator can set an account lockout policy. This disables an account for a specific amount of time after a certain number of failed logon attempts. If the account is locked out, the user can either wait 30 minutes or contact the administrator to reset the counter before logging in again.


Pretty Good Privacy (PGP), originally written by Phil Zimmermann in 1991, is a public key encryption program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. Over the past few years, PGP has become a de-facto standard for encryption of email on the Internet.

How does PGP actually work? When a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression saves modem transmission time and disk space and, more importantly, strengthens cryptographic security. Most cryptanalysis techniques exploit patterns found in the plaintext to crack the cipher. Compression reduces these patterns in the plaintext, thereby greatly enhancing resistance to cryptanalysis. (Files that are too short to compress or which don't compress well aren't compressed.)



PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient. 



Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.



The combination of the two encryption methods combines the convenience of public key encryption with the speed of conventional encryption. Conventional encryption is about 1,000 times faster than public key encryption. Public key encryption in turn provides a solution to key distribution and data transmission issues. Used together, performance and key distribution are improved without any sacrifice in security.
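The hybrid scheme described above (compress, one-time session key, conventional encryption, session key encrypted to the recipient's public key, and the reverse on receipt), as an added example in Go using only the standard library. This is not PGP's own code or format: AES-256-GCM stands in for PGP's conventional cipher, RSA-OAEP for its public key step, and DEFLATE for its compression; the `Envelope`, `Seal` and `Open` names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

type Envelope struct{ EncKey, Nonce, Ciphertext []byte } // what is transmitted to the recipient

func aead(key []byte) cipher.AEAD { // AES-256-GCM stands in for PGP's conventional cipher
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here; real code would check the length
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal follows PGP's order: compress, draw a one-time session key, encrypt with it, then RSA-OAEP the key.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	var zbuf bytes.Buffer
	zw, _ := flate.NewWriter(&zbuf, flate.DefaultCompression)
	zw.Write(plaintext)
	zw.Close()
	rnd := make([]byte, 44) // 32-byte session key + 12-byte GCM nonce from the OS CSPRNG, never reused
	if _, err := io.ReadFull(rand.Reader, rnd); err != nil {
		return nil, err
	}
	key, nonce := rnd[:32], rnd[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{encKey, nonce, aead(key).Seal(nil, nonce, zbuf.Bytes(), nil)}, nil
}

func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) { // reverse: recover key, decrypt, decompress
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.EncKey, nil)
	if err != nil {
		return nil, err // wrong private key: the OAEP padding check fails
	}
	z, err := aead(key).Open(nil, e.Nonce, e.Ciphertext, nil)
	if err != nil {
		return nil, err // tampered ciphertext fails GCM authentication
	}
	return io.ReadAll(flate.NewReader(bytes.NewReader(z)))
}
```

Only the holder of the matching private key can recover the session key, and GCM additionally rejects any envelope whose ciphertext was modified in transit.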

