

    Opportunistic Encryption (OE) allows for "encryption for secure communication without any pre-arrangement specific to the pair of systems involved." Or in general terms, "I'd like to talk to Bob, with encryption if available".

    This provides a level of security which is sometimes described as "Better Than Nothing Security" or ANONSEC. It does not provide a strong level of security, as authentication may be difficult to establish and secure communications are not forced. It does make the encryption of most Internet traffic easy to implement, removing what has been a significant impediment to the mass adoption of Internet traffic security.





    Windows
    The simplest way to start using opportunistic encryption is on a Windows system. Windows platforms have an implementation of OE installed by default. It uses IPsec to secure the traffic and is simple to turn on:
    Start -> Run -> MMC

    Add the "IP Security Policies on Local Computer" snap-in, then edit the properties to assign the "(Request Security)" policy.
    This will turn on optional IPsec in a Kerberos environment.

    You probably also need to do two more things:
    To get it to work in a non-Kerberos environment, you need to install a certificate from a Certificate Authority (CA) that is common to every system with which you communicate securely; Thawte Freemail is one example.

    You probably also need to allow for systems behind a NAT, which includes most home users. NAT Traversal (NAT-T) is enabled by adding the following DWORD to the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
    with a value of 2, then rebooting.


    E-mail
    Opportunistic Encryption can also be used for specific traffic like e-mail using the STARTTLS Internet Message Access Protocol extension. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.


    Many systems employ a variant that uses third-party add-ons to traditional e-mail packages: the add-on first attempts to obtain an encryption key and, if unsuccessful, sends the e-mail in the clear. PGP and Hushmail, among others, can be set up to work in this mode.
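The fallback behaviour described in this section, as an added example that is not part of the original article: it reads an IMAP greeting, upgrades with STARTTLS when the server advertises it, and otherwise continues in the clear unless the caller requires TLS. The function names and the sample greetings are constructed for illustration.

```python
import ssl

# Constructed sample server lines (not captured traffic).
WITH_TLS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready"
NO_TLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] server ready"
LOCKED = "* CAPABILITY IMAP4rev1 LOGINDISABLED"

def parse_capabilities(line):
    """Return the upper-cased capability set from a greeting or CAPABILITY reply."""
    text = line.strip()
    upper = text.upper()
    if "[CAPABILITY " in upper:                 # greeting with a response code
        start = upper.index("[CAPABILITY ") + len("[CAPABILITY ")
        text = text[start:text.index("]", start)]
    elif upper.startswith("* CAPABILITY "):     # untagged CAPABILITY reply
        text = text[len("* CAPABILITY "):]
    else:
        return set()
    return {token.upper() for token in text.split()}

def plan_session(line, require_tls=False):
    """Decide how to proceed: 'starttls', 'cleartext' or 'abort'."""
    caps = parse_capabilities(line)
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        return "abort"          # strict policy: never fall back
    if "LOGINDISABLED" in caps:
        return "abort"          # server refuses plaintext login, offers no TLS
    return "cleartext"          # opportunistic policy: silent fallback

def tls_context(authenticate):
    """Build the TLS context used after STARTTLS.

    authenticate=False accepts any certificate (self-signed included):
    the channel is encrypted but the peer is not authenticated.
    """
    ctx = ssl.create_default_context()
    if not authenticate:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for sample in (WITH_TLS, NO_TLS, LOCKED):
        print(plan_session(sample), plan_session(sample, require_tls=True))
```

With the opportunistic policy the client cannot tell a server that lacks STARTTLS from one whose offer never arrived, so the only way to guarantee encryption is the `require_tls=True` path.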


    VoIP
    Some VoIP solutions provide for painless encryption of voice traffic when possible. The Sipura and Linksys lines of Analog Telephony Adapters (ATA) include a hardware implementation of SRTP, enabled by installing a certificate from Voxilla, a VoIP information site. When a call is placed, an attempt is made to use SRTP; if it succeeds, a series of tones is played into the handset, and if not, the call proceeds without encryption. Skype and Amicima use only secure connections, and the Gizmo Project attempts a secure connection between its clients. Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP. They have an implementation of it called Zfone, whose source and compiled binaries are available.


    This article is licensed under the GNU Free Documentation License [copyleft]. It uses material from the Wikipedia article "Opportunistic encryption".