SANS InfoSec Reading Room - Encryption & VPNs
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 93 papers as of Nov 22, 2009
Best Practices in Data Protection: Encryption, Key Management and Tokenization
- By: nuBridges, inc (posted on September 29, 2009)
- Best practices in encryption, key management and tokenization and how an integrated, multi-level solution can effectively meet these best practices.
Six Ways to Reduce PCI DSS Audit Scope by Tokenizing Cardholder data
- By: nuBridges, inc (posted on September 29, 2009)
- Exploring the use of tokenization as a best practice in improving PCI DSS compliance, while at the same time minimizing the cost and complexity of PCI DSS compliance by reducing audit scope.
The challenge of securely storing and transporting large files across a corporate Wide Area Network
- By: Jeremy Gibb (posted on October 26, 2007)
Securing Key Distribution with Quantum Cryptography
- By: Bradford Bartlett (posted on August 15, 2004)
- Quantum cryptography made headlines this year when European Union members announced their intention to invest $13 million in the research and development of a secure communications system based on this technology.
Elliptic Curve Cryptography and Smart Cards
- By: Ahmad Kayali (posted on April 8, 2004)
- Elliptic curve cryptosystems (ECCs) are becoming more popular because of the reduced number of key bits required in comparison to other cryptosystems (for example, a 160 bit ECC has roughly the same security strength as 1024 bit RSA).
Understanding and Configuring IPSec between Cisco Routers
- By: Ryan Ettl (posted on March 25, 2004)
- This paper will provide insight for a secure solution to address this business need using Virtual Private Networking.
SSL Remote Access VPNs: Is this the end of IPSec?
- By: Steven Ferrigni (posted on December 13, 2003)
- This paper looks at the two VPN technologies with respect to remote access, discusses the advantages and disadvantages of each and whether they can co-exist.
S-Box Modifications and Their Effect in DES-like Encryption Systems
- By: Joe Gargiulo (posted on October 31, 2003)
- This paper presents the substitution boxes (s-boxes) found in many block ciphers, and more specifically in DES-like encryption systems.
Configuring Secure Shell with TCP Wrappers on Solaris 2.8
- By: Jane Micheller (posted on October 31, 2003)
- This paper shows how to set up OpenSSH version 3.4 on the Solaris 2.8 platform, beginning with the development of the product, and illustrates packet captures.
Issues When Using IPsec Over Geosynchronous Satellite Links
- By: Greg Totsline (posted on October 31, 2003)
- This paper describes the salient points of TCP over satellite links, performance enhancing proxies, IPsec, and the issues with the combined use of these technologies.
Appropriate Use of Network Encryption Technologies
- By: Kenneth Forward (posted on October 31, 2003)
- This paper will describe virtual private networks and other network encryption technologies such as secure sockets layer - what they are, and what protections they provide.
Network Based VPNs
- By: Olivier Strahler (posted on October 31, 2003)
- This paper focuses on this particular type of VPN. First, it provides a short history on the evolution of VPNs, then it explains what is meant by Network based VPNs.
Using GPL Software For Email and File Encryption
- By: David Tucker (posted on October 31, 2003)
- Privacy is important, the security of information is sometimes legally required, and internet communication often does not provide this necessary security inherently.
Attacks on PGP: A User's Perspective
- By: Ryan Thomas (posted on October 31, 2003)
- The focus of this paper is to inform users of the practical and theoretical strategies that may be used in an attempt to compromise PGP (Pretty Good Privacy), potentially exposing the contents of a PGP encrypted message to an attacker.
IPSec Tunnel Creation
- By: Chris Gutridge (posted on October 31, 2003)
- The purpose of this paper is to detail, explain, and illustrate the specific processes that occur in creating an IPSec VPN tunnel.
Instant Message Security - Analysis Of Cerulean Studios Trillian Application
- By: Michael Murphy (posted on October 31, 2003)
- This paper outlines the underlying security risks of Instant Messaging (IM) focusing on an analysis of Cerulean Studios' Trillian application.
MPLS - VPN Services and Security
- By: Ravi Sinha (posted on October 31, 2003)
- The information will provide the foundation for the discussion on providing scalable VPN services in a MPLS environment.
Randomness and Entropy - An Introduction
- By: Chris Thorn (posted on October 31, 2003)
- This paper will attempt to bring together information pertaining to concepts and definitions of randomness and entropy.
No Single Killer App for PKI
- By: Cliff Schiller (posted on October 31, 2003)
- This paper presents the author's perspective on the real benefits of PKI as a technology.
A Review of Chaffing and Winnowing
- By: David Spence (posted on October 31, 2003)
- This paper presents an overview of Chaffing and Winnowing as described by Ronald Rivest and a review of a secure Chaffing and Winnowing scheme called Chaffinch.
Remote Access IPSec VPNs: Pros and Cons of 2 Common Clients
- By: Jason Everard (posted on October 31, 2003)
- This paper discusses two client options for creating this encrypted and authenticated connection, as well as options for working around the deficiencies of the current IPSec standard by combining IPSec with L2TP or by using proprietary functions to accomplish the same.
Applied Encryption: Ensuring Integrity of Tactical Data
- By: Jennifer Skalski-Pay (posted on October 31, 2003)
- This paper will provide the reader with a low-level understanding of the Global Command and Control System-Maritime (GCCS-M), CST, Track Database Manager (Tdbm) and SIPRNet.
An Overview of Cryptographic Hash Functions and Their Uses
- By: John Silva (posted on October 31, 2003)
- This paper provides a discussion of how the two related fields of encryption and hash functions are complementary, not replacement technologies for one another.
BUSINESS PARTNER VPN: NEEDED NOW
- By: Karen Duncanson (posted on October 31, 2003)
- This paper takes a look at Business Partner VPN and focuses on challenges now being dealt with in the face of requirements for a VPN that promises end-to-end security between two separate business entities and even between the users within those entities.
Remote Access VPN - Security Concerns and Policy Enforcement
- By: Mike Stines (posted on October 31, 2003)
- The recommendations contained within this paper can assist in a secure and successful implementation of a remote-access VPN.
The Risks Involved With Open and Closed Public Key Infrastructure
- By: Philip Hlavaty (posted on October 31, 2003)
- This paper will present some of the risks and liability issues involved with PKI, such as the enormous risks behind the open PKI model and why it never flourished in the marketplace.
The mathematics behind the security features that the computing industry takes for granted
- By: Ricky Wald (posted on October 31, 2003)
- This paper aims to explain mathematical/encryption concepts that are fundamental to security as it was in the past, as it is today and my vision for the future.
A Consumer Guide for Personal File and Disk Encryption Programs
- By: Scott Baldwin (posted on October 31, 2003)
- This paper will give you the knowledge to select an encryption product that matches your needs.
Is the future of cryptography in qubits
- By: Wayne Redmond (posted on October 31, 2003)
- In a beautiful irony, quantum computers may break current cryptography but quantum mechanics also offer hope to cryptography in quantum key distribution.
Cryptography: What is secure?
- By: Willy Jiang (posted on October 31, 2003)
- This paper looks at how security is achieved by discussing basic substitution and transposition operations, to get an appreciation of security in cryptography, and recommends a basic approach to implementing cryptography.
PGP for Everyday Use
- By: Jeremy Hoel (posted on October 31, 2003)
- This paper shows how to get PGP, protect files on your drive, protect your e-mail messages and manipulate your key ring.
IPSec Interoperability between OpenBSD, Linux and Sonicwall
- By: Daniel de Young (posted on October 31, 2003)
- This paper discusses the OpenBSD project, the Linux FreeS/WAN project and Sonicwall Inc., each providing cost effective IPSec implementations with excellent reliability, and some of the issues surrounding their interoperability.
Demystifying DSS: The Digital Signature Standard
- By: Richard Brehove (posted on October 31, 2003)
- This paper examines the requirements of signatures, outlines the technologies involved in creating digital signatures, and describes the components of the Digital Signature Standard (DSS).
Security Implications of SSH
- By: Bill Pfeifer (posted on October 31, 2003)
- This paper provides a high-level discussion of some of the security considerations associated with SSH, as well as some potential methods of addressing those considerations.
Prime Numbers in Public Key Cryptography
- By: Gerald Crow (posted on October 31, 2003)
- This paper explores some of the basic properties of prime numbers and several theorems associated with them, and presents moderate detail on two of the most common asymmetric algorithms and the manner in which they employ prime numbers.
When Security Counts: Securing a Test Server with a VPN Connection
- By: Patricia Hulsey (posted on October 31, 2003)
- This paper describes the design choices of a deployment for a router-to-router VPN connection using the Windows 2000 platform VPN server.
Quantum Cryptography: Is Your Data Safe Even When Somebody Looks?
- By: Tom Klitsner (posted on October 31, 2003)
- While, for the most part, quantum computing devices are decades away (at least) from being practical, in the area of quantum cryptography - in particular the secure distribution of cryptographic keys - there exist strategies and systems that are feasible (perhaps even practical) today.
PGP: A Hybrid Solution
- By: Jessica J. Benz (posted on October 31, 2003)
- Symmetric and asymmetric cryptography both have advantages and disadvantages that will be discussed in this paper.
What Is an MPLS VPN Anyway?
- By: Kelly DeGeest (posted on October 31, 2003)
- This paper will give a basic understanding of how a MPLS VPN works.
Identification with Zero Knowledge Protocols
- By: Annarita Giani (posted on October 31, 2003)
- The idea of proving knowledge of some assertion without revealing any information about the assertion itself is very attractive. This paper discusses Zero-Knowledge protocols which allow this kind of scenario.
Quantum Encryption vs Quantum Computing: Will the Defense or Offense Dominate?
- By: Bob Gourley (posted on October 31, 2003)
- Quantum encryption will soon provide unbreakable ciphers and this paper examines these topics by providing a snapshot of current research.
Virtual Network Computing and Secure Shell
- By: Damian Koziel (posted on October 31, 2003)
- Many high-tech professionals now work from home, increasing the system administrator's challenge of maintaining and troubleshooting a company's heterogeneous and sprawling computing system from a central location through Virtual Network Computing.
The Day DES Died
- By: Paul Van De Zande (posted on October 31, 2003)
- This paper takes a look at DES and the characteristics of the RSA challenges, and compares DES to other cryptosystems to discover which ones are secure and why.
Encryption Regulation: A First Amendment Perspective
- By: Linda K. Mickna (posted on October 31, 2003)
- Through the use of cryptography, communications and information transmitted and stored by computers can be protected from unauthorized access.
Interoperability in PKI
- By: Roger Pyon (posted on October 31, 2003)
- This paper will introduce some of the interoperability issues in PKI which apply to processing and managing the establishment of trust, and the challenges it faces.
An Overview of Computer Security as Told Through War Stories
- By: Ronald Seidl (posted on October 31, 2003)
- This paper discusses awareness training by telling stories that show problems in a way that most people can clearly see.
One Fish, Two Fish, Red Fish, Blowfish A History of Cryptography and its Application in Soci
- By: Joseph Kasten (posted on October 31, 2003)
- Crypto sciences are used in almost everything, from electronic devices to ordinary computer-based software on the home personal computer.
Securing Remote Users VPN Access to Your Company LAN
- By: Klavs Klavsen (posted on October 31, 2003)
- This paper is intended to be an introduction to the Security issues you face and the solutions you can choose between, when you want to give your remote users access to your Company Network via VPN.
A Business Perspective on PKI: Why Many PKI Implementations Fail, and Success Factors To Consider
- By: Leslie Peckham (posted on October 31, 2003)
- This paper is intended to provide an overview of PKI and how a PKI implementation affects the entire organization.
A Discussion of SSH Secure Shell
- By: Shawn Lewis (posted on October 31, 2003)
- The purpose of this paper is to build on the Introduction to SSH Secure Shell paper written by Damian Zwamborn (www.sans.org/infosecFAQ/encryption.intro_SSH.htm).
History of Encryption
- By: Melis Jackob (posted on October 31, 2003)
- This paper shows that the field of Cryptography has evolved tremendously since Assyrian and Egyptian times, and as the technology progresses, it will be easier to cultivate the power of distributed processing and break the different encryption algorithms such as DES or triple DES.
Quantum Encryption - A Means to Perfect Security?
- By: Bruce Auburn (posted on October 31, 2003)
- This paper addresses the issue of public key cryptography.
NAT Traversal: Peace Agreement Between NAT and IPSec
- By: Haluk Aydin (posted on October 31, 2003)
- After merging two different works from different vendors, NAT-T is the most promising solution for the near future, and some vendors have started implementing it in their VPN products.
Who's Who in AES?
- By: Kyle Jones (posted on October 31, 2003)
- This paper is going to introduce the new Advanced Encryption Standard, or AES, the winning algorithm, its competitors, the specifications set forth, and the decision-making process of NIST.
Implementing NAT on Checkpoint Firewall-1
- By: Eugene Ng (posted on October 31, 2003)
- This paper addresses implementing secure NAT rules and policies and excellent documentation on network topologies.
Protecting Sensitive Data in Secure Domains
- By: Mikael Trosell (posted on October 31, 2003)
- The basic idea of Secure Domains is to move parts of the network into secure zones, either based on the classification of the data or their being part of a project that can be centralized in a specific zone and are considered as sensitive.
Key and Certificate Management in Public Key Infrastructure Technology
- By: Sriram Ranganathan (posted on October 31, 2003)
- The intent of this paper is to provide an overview and briefly discuss the various phases involved in Key and Certificate management.
The Advanced Encryption System (AES) Development Effort: Overview and Update
- By: William M. Tatun (posted on October 31, 2003)
- The purpose and objective of this paper is to provide a brief overview of where we've been and an update of where we are headed in the United States Department of Commerce's quest for a suitable standard algorithm that can be used to protect sensitive data in the future.
Implementing PKI in a Heterogeneous Environment A Primer on Digital Certificate And Key Formats
- By: Tim R. Sills (posted on October 31, 2003)
- This document will discuss the various file formats for both X.509 digital certificates and encryption keys.
The Weakest Link: The Human Factor Lessons Learned from the German WWII Enigma Cryptosystem
- By: Bradley Fulton (posted on October 31, 2003)
- This paper highlights the need for security professionals and management to not overlook the weakest link in security systems - that being the human factor.
E-Mail Security with S/MIME
- By: George Kuzmowycz (posted on October 31, 2003)
- The intent of this paper is to present an overview of the history, design, usage and the current state of market and community acceptance of S/MIME while contrasting it, where appropriate, to PGP.
AES: The Making of a New Encryption Standard
- By: Mitch Richards (posted on October 31, 2003)
- This paper describes the issues, programs, and processes related to the development of standards.
Public Key Infrastructure Issues in an Academic Healthcare Setting
- By: Liviu Groza (posted on October 31, 2003)
- The paper intends to give a general overview of several specific issues related to the PKI deployment process, emphasizing the particularities of a mixed environment.
IPsec's Role in Network Security: Past, Present, Future
- By: Christopher Smith (posted on October 31, 2003)
- IPSec is used to create tunnels for Virtual Private Networks (VPN), and also provide confidentiality, authenticity, and integrity of data through use of encryption algorithms.
Implementing "Dual-Sided" VPN's
- By: Kenneth Boudreaux (posted on October 31, 2003)
- This paper discusses a solution for using a public network for data communications that could satisfy the security requirements for data transmission.
Integrate HMAC Capable Token into User Authentication Mechanism and Public Key Infrastructure
- By: Shanhui Tan (posted on October 31, 2003)
- This paper describes using an HMAC capable token in user authentication or public key infrastructure (PKI) to derive a user private key or produce a message digest for a digital signature scheme.
Using SSL with Client Access Express for AS/400
- By: Jose Guerrero (posted on October 31, 2003)
- This paper is meant to help those who are in need of securing a Client Access connection with their AS/400.
Analysis of a Secure Time Stamp Device
- By: Chris Russell (posted on October 31, 2003)
- This paper discusses the design of a Secure Time Stamp device used to securely timestamp digital data, such as computer documents, files, and raw binary data of arbitrary format.
Strong Authentication and Authorization model Using PKI, PMI, and Directory
- By: Jong Wook Lee (posted on October 31, 2003)
- This paper presents a strong authentication and authorization model using three standard frameworks.
Securing Certificate Revocation List Infrastructures
- By: Eddie Turkaly (posted on October 31, 2003)
- This paper takes a closer look at the security issues when implementing a secure CRL infrastructure.
Cryptographic Services - A Brief Overview
- By: Larry D Bennett (posted on October 31, 2003)
- This paper examines the use of cryptography in implementing the services of authentication, integrity, non-repudiation, and confidentiality.
PKI and Information Security Awareness: Opportunity and Obligation
- By: Jerry K Brown (posted on October 31, 2003)
- This paper discusses the single most difficult criterion for a successful PKI rollout: user acceptance.
Cryptanalysis of RSA: A Survey
- By: Carlos Cid (posted on October 31, 2003)
- In this paper we give a survey of the main methods used in attacks against the RSA cryptosystem. We describe the main factoring methods, attacks on the underlying mathematical function, as well as attacks that exploit details in implementations of the algorithm.
A Review of the Diffie-Hellman Algorithm and its Use in Secure Internet Protocols
- By: David A. Carts (posted on October 31, 2003)
- This paper will present an overview of the Diffie-Hellman Key Exchange algorithm and review several common cryptographic techniques in use on the Internet today that incorporate Diffie-Hellman.
Basic Cryptanalysis Techniques
- By: Craig Smith (posted on October 31, 2003)
- Because of the complexity involved with cryptanalysis work, this paper focuses on the basic techniques needed to decipher monoalphabetic encryption ciphers and cryptograms.
Implementing Site-to-Site IPSec Between a Cisco Router and Linux FreeS/WAN
- By: Neil L. Cleveland (posted on October 31, 2003)
- This paper begins by providing a brief overview of IPSec, the features, differences, issues surrounding Cisco's IOS IPSec offering versus the FreeS/WAN offering and then describes an example implementation.
Stunnel: SSLing Internet Services Easily
- By: Wesley Wong (posted on October 31, 2003)
- This paper provides a method to securely use existing clear-text protocols under SSL without any need to modify the existing software or source code.
Knock Knock...Who's there? Do you know who is accessing your VPN?
- By: Norma Jean Schaefer (posted on October 31, 2003)
- Although VPNs secure data across public networks, potential information security risks include remote users' networks, PCs, systems, and this paper focuses on the need for strong authentication.
Comparing BGP/MPLS and IPSec VPNs
- By: Gary Alterson (posted on October 31, 2003)
- This paper gives an overview of MPLS and then discusses the mechanisms used to provide VPNs based upon BGP/MPLS and IPSec.
An Overview of Hardware Security Modules
- By: Jim Attridge (posted on October 31, 2003)
- This paper intends to introduce the concept of a cryptographic hardware device. It will describe its functions, uses and implementations.
Multiprotocol Label Switching Virtual Private Networks and the enterprise - Do they fit in the security model?
- By: Michael Stoos (posted on October 31, 2003)
- Multiprotocol label switching virtual private networks have gained press as a new service provider method to provide a secure path in the public Internet space.
Roll Your Own Crypto Services (Using Open Source and Free Cryptography)
- By: Edward C. Donahue (posted on October 31, 2003)
- This paper surveys the open source software available to secure the most common applications: email and file encryption, web access and server oriented services, IPsec and VPNs, and finally, remote session encryption.
Secure Access of Network Resources by Remote Clients
- By: Glendon MacDonald (posted on October 31, 2003)
- This paper will identify the threats that remote access poses to corporate network security including those involving hackers, malicious applications and the use of weak access and physical controls.
Vulnerabilities of IPSEC: A Discussion of Possible Weaknesses in IPSEC Implementation and Pro
- By: Daniel Clark (posted on October 31, 2003)
- This paper will discuss the protocol suite IPSEC, with a view to analyzing the various weaknesses that have been or could be identified within the protocol.
Decommissioning Certification Authorities
- By: Claudia N. Lukas (posted on October 31, 2003)
- This paper reviews these guidelines and discusses terminating a Certification Authority.
The Ease of Steganography and Camouflage
- By: John Bartlett (posted on October 31, 2003)
- In this paper we will look at the ease of use of one particular program, and the ability to detect steganographic material created by the program.
A Vulnerability Assessment of Roaming Soft Certificate PKI Solutions
- By: Stephen Wilson (posted on October 31, 2003)
- This paper highlights the security engineering and deployment considerations by presenting a systematic vulnerability assessment of the common roaming architecture.
PKI, The What, The Why, and The How
- By: Duncan Wood (posted on October 31, 2003)
- This paper discusses Public Key Architecture (PKI) and why governments are introducing legislation for information privacy.
VPN-1 SecureClient - Check Point's Solution for Secure Intranet Extension
- By: Ryan Gibbons (posted on October 31, 2003)
- This paper addresses why SecureClient is widely compatible and has a small footprint, making it appealing to organizations that use Check Point products and are considering such functionality.
Infrastructure Design Considerations When Using Client Certificates
- By: Tim Hollingshead (posted on October 31, 2003)
- This paper will investigate some of the considerations that should be evaluated when looking to bring a new technology into the design of an application.
Creating a Secure VPN with Cisco Concentrator and ACE Radius/SecurID
- By: Nathan Lasnoski (posted on October 31, 2003)
- Using a VPN, companies can expand the reach of their corporate network beyond their expensive leased lines by using the assets provided by the Internet.
Cryptography - Business Value Behind the Myth
- By: Jeff Christianson (posted on October 31, 2003)
- The purpose of this paper is to help information technology professionals make informed decisions about using cryptographic solutions to secure electronic business transactions.
OpenVPN and the SSL VPN Revolution
- By: Charlie Hosner (posted on )
- True SSL VPNs are beginning to appear in the market. One of the best, and definitely the least expensive, is the open source SSL VPN, OpenVPN.