This file is intended as a "getting-started" guide to security (authentication and encryption) support in Karma. It should be used in conjuction with the library reference documentation, which documents all the functions available for authentication and encryption. This document describes how to "roll-your-own" secure applications. Of more interest is the section on security in the Karma communications guide which describes how to configure your security requirements for Karma connections in one simple file. Purpose: -------- The need for authentication and encryption is constantly increasing as more people gain access to the Internet and more people use it to conduct their daily business. As more people conduct financial transactions over the Internet, the potential for breach of privacy and fraud is enormous. The demand for secure network applications is set to explode. Architecture: ------------- Like the rest of the library, the security support in Karma is built on a layered approach. The various packages in the Karma library which provide security support are listed below, grouped by layer. Level 2 ======= The package provides strong encryption. Currently, only IDEA (International Data Encryption Algorithm) is supported (using the more secure Cipher Feedback Mode). Below is some information on the algorithm: The IDEA(tm) block cipher is covered by a patent held by ETH and a Swiss company called Ascom-Tech AG. The Swiss patent number is PCT/CH91/00117. International patents are pending. IDEA(tm) is a trademark of Ascom-Tech AG. There is no license fee required for noncommercial use. Commercial users may obtain licensing details from Dieter Profos, Ascom Tech AG, Solothurn Lab, Postfach 151, 4502 Solothurn, Switzerland, Tel +41 65 242885, Fax +41 65 235761. The IDEA block cipher uses a 64-bit block size, and a 128-bit key size. It breaks the 64-bit cipher block into four 16-bit words because all of the primitive inner operations are done with 16-bit arithmetic. It likewise breaks the 128-bit cipher key into eight 16-bit words. For further information on the IDEA cipher, see these papers: 1) Xuejia Lai, "Detailed Description and a Software Implementation of the IPES Cipher", Institute for Signal and Information Processing, ETH-Zentrum, Zurich, Switzerland, 1991 2) Xuejia Lai, James L. Massey, Sean Murphy, "Markov Ciphers and Differential Cryptanalysis", Advances in Cryptology- EUROCRYPT'91 The package provides message digest (secure hash) algorithms. While CRC algorithms have the potential for fraud (a document may be forged and yet have the same CRC checksum as a document with a published checksum), this is not computationally feasible with secure hash algorithms. Currently, only the MD5 algorithm is supported (developed by Ron Rivest). The package provides a random pool of bytes which may be used in cryptographic applications (such as IDEA session key generation). Ordinary random number generators are not suited to cryptographic applications. Level 3 ======= The package provides an encrypting filter mechanism for Channels. Once a channel is created, the data transfer may be secured by pushing an encryption filter onto the channels converter stack. Currently, only IDEA encryption is supported. The package utilites PGP (Philip R. Zimmermann's Pretty Good Privacy) to encrypt blocks of data. To decrypt, PGPdaemon is used (part of the PGPsendmail/Unix Suite available from: ftp.atnf.csiro.au:pub/people/rgooch). Level 4 ======= The package integrates all the security support in Karma into a flexible, simple to use scheme which is transparent to applications. See the Karma communications guide for details. Restrictions: ------------- Some countries have repressive laws which either restrict the use of encryption or the export of encryption technology (sometimes termed "munitions"). While many consider the the effective policing of these laws an impossibility, it is still prudent to familiarise yourself with the laws of countries: - you use encryption within - you export encryption software from (such as downloading from a U.S.A. ftp site). - you import encryption software into Naturally, the author cannot assume any responsibility for your actions.