

The Internet and Intranet connecting IDS Server and its client components (IDS JDBC Driver, IDS .NET Data Provider and .NET SQL Driver) are unprotected communication channels. They are vulnerable to hackers and eavesdroppers, who can intercept and even alter the transmitted data. IDS Server can use the Secure Sockets Layer v3 (SSL) protocol to protect the communication with its three client components. This feature is called Secure dbAccess. The SSL protocol is a widely accepted industry standard for secure communication introduced by Netscape Communications Inc.

Secure dbAccess comes in two variants:

The SSL protocol supports many combinations of public-key digital signatures, key exchange protocols and symmetric ciphers. These combinations are also called ciphersuites. The specification of ciphersuites supported by IDS Server is as follows:

Diffie-Hellman

RSA

What is ElGamal?

It is important to understand that the security of any public-key cryptography now known to man is by no means absolute. The "bet" is on the difficulty of deducing the private key from the public key. This depends on the length of the public/private key pair and the computing power that might be used to "crack" the key pair. The key length of ElGamal supported by IDS Server can range from 256 bits to arbitrarily long. A key length ranging from 1024 to 2048 bits is considered safe for the next 20 years [1]. Of course, this prediction is based on the current computing power and a rough estimate of hardware and cryptanalysis advances in the near future.

DES and Blowfish

The Blowfish cipher was designed by Bruce Schneier [1] in 1994. This algorithm is faster than DES and supports keys up to 448 bits long, far longer than the 56-bit key size of DES. Since its publication, Blowfish has received intense cryptanalysis and is still unbroken.

In June of 1997, a team orchestrated by Rocke Verser, a programmer from Loveland, Colorado, successfully "cracked" a 56-bit DES encrypted message, a $10,000 challenge posted by RSADSI. The significance of this team effort is that they did it by fragmenting the problem-solving process and distributing it to thousands of computers throughout the country, and it was a 90MHz Pentium PC that found the 56-bit key. One can consider this team lucky, because they had searched only 25% of the total possible keys in five months.

What does this event mean? Obviously, if your adversary can harvest more computing power than this team, your 56-bit DES encrypted message will be equally if not more vulnerable. It is silly not to predict that years from now anyone with reasonable financial support will break this message with only a handful of more powerful computers in hours or less. Fortunately, despite all this, it will still take the entire planet's computing power 10^{11} years to break a 128-bit symmetric cipher [1].
Therefore, at least to the best knowledge of current cryptanalysis, 168-bit Triple DES and 128-bit Blowfish supported by Secure JDBC are safe.

Message Digest and SHA-1

SHA-1 stands for Secure Hash Algorithm version 1. It was designed by NIST and NSA as part of the Digital Signature Standard mentioned earlier. SHA-1 produces a 160-bit digest, which is longer than that of many of its counterparts. There is no known report of the breaking of SHA-1.

What is SSLeay?

References

[1] B. Schneier, "Applied Cryptography," 2nd Edition, John Wiley & Sons, Inc., 1996. ISBN 0471128457, ISBN 0471117090.
[2] W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Transactions on Information Theory, v. IT-22, n. 6, Nov 1976, pp. 644-654.
[3] W. Diffie, P.C. van Oorschot, and M.J. Wiener, "Authentication and Authenticated Key Exchanges," Designs, Codes and Cryptography, v. 2, 1992, pp. 107-125.
[4] T. ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," Advances in Cryptography: Proceedings of CRYPTO 84, Springer-Verlag, 1985, pp. 10-18.
[5] P. Horster, H. Peterson, and M. Michels, "Meta-ElGamal Signature Schemes," Proceedings of the 2nd Annual ACM Conference on Computer and Communications Security, ACM Press, 1994, pp. 96-107.
[6] P. Horster, H. Peterson, and M. Michels, "Meta Message Recovery and Meta Blind Signature Schemes Based on the Discrete Logarithm Problem and their Applications," Advances in Cryptography - ASIACRYPT '94 Proceedings, Springer-Verlag, 1995, pp. 224-237.
[7] L. Harn and Y. Xu, "Design of Generalized ElGamal Type Digital Signature Schemes Based on Discrete Logarithm," Electronics Letters, v. 30, n. 24, 24 Nov 1994, pp. 2025-2026.
[8] K. Nyberg and R.A. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Advances in Cryptology - EUROCRYPT '94 Proceedings, Springer-Verlag, 1994, pp. 368-377.
[9] R.L. Rivest, A. Shamir, and L.M. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of the ACM (2) 21 (1978), 120-126.

Copyright © 1997-2006 IDS Software. All rights reserved.