Security Questions

Discussion in 'ArmyNet Announcements' started by ArmyNET_Assistance, Jan 23, 2008.


    ArmyNET uses the Internet to connect the user with its servers. The Internet is the infrastructure over which emails, files and Web pages are passed across the information super highway. Note that ArmyNET uses the secure Hyper Text Transport Protocol (HTTPS) as opposed to the standard World Wide Web HTTP (which remains insecure), to pass this information. In short, all the information sent from the ArmyNET server to your PC is protected by the highest standards of Internet encryption.

    What is Encryption?

    The process of encryption hides data or the contents of a message in such a way that the original information can be recovered through a corresponding decryption process. Encryption and decryption are common techniques in cryptography, the scientific discipline behind secure communications.

    Many different encryption/decryption processes or algorithms exist. It turns out that in cryptography, it's very difficult to keep the logic of an algorithm truly secret. Especially on the Internet, it's generally much easier to use well-known public algorithms, and rely on alternative forms of protection.

    What is a Key?

    In computer cryptography, a key is a long sequence of bits used by encryption / decryption algorithms. For example, the following represents a hypothetical 40-bit key (note that ArmyNET uses a 128-bit key!):

    00001010 01101001 10011110 00011100 01010101

    A given encryption algorithm takes the original message, and a key, and alters the original message mathematically based on the key's bits to create a new encrypted message. Likewise, a decryption algorithm takes an encrypted message and restores it to its original form using one or more keys.

    Some cryptographic algorithms use a single key for both encryption and decryption. Such a key must be kept secret; otherwise, anyone who had knowledge of the key used to send a message could supply that key to the decryption algorithm to read that message.

    Other algorithms use one key for encryption and a second, different key for decryption. In this case the encryption key can remain public, because without knowledge of the decryption key, messages cannot be read.

    In general, keys provide the necessary protection to encrypt and decrypt network communications on the Internet. Modern Web browsers use the Secure Sockets Layer (SSL) protocol for secure transactions like ecommerce purchases and banking. SSL works by using a public key for encryption and a different private key for decryption.

    Because SSL encryption depends so heavily on keys, one normally measures the effectiveness or strength of SSL encryption in terms of key length - number of bits in the key.

    The early implementations of SSL in Web browsers, first Netscape 3 and then Microsoft Internet Explorer 3, used a 40-bit SSL encryption standard. Unfortunately, 40-bit encryption proved too easy to decipher or crack in practice. To decipher an SSL communication, one simply needs to generate the correct decoding key.

    In cryptography, a common deciphering technique is brute-force decryption; essentially, using a computer to exhaustively calculate and try every possible key one by one. 2-bit encryption, for example, involves four possible key values:

    00, 01, 10, and 11

    3-bit encryption involves eight possible values, 4-bit encryption 16 possible values, and so on. Mathematically speaking, 2^n possible values exist for an n-bit key.

    While 2^40 may seem like a very large number, it is not very difficult for modern computers to crack this many combinations in a reasonable time period. The makers of Web browser software recognized the need to increase the strength of encryption and moved to a new standard, 128-bit encryption, several years ago.

    Compared to 40-bit encryption, 128-bit encryption offers 88 additional bits of key length. This translates to 2^88 or a huge 309,485,009,821,345,068,724,781,056 additional combinations required for a brute-force crack.

    Based on the past history of improvements in computer performance, security experts expect that 128-bit encryption will work well on the Internet for at least the next ten years. No one has managed to break it and as soon as someone does - it will be fixed and improved.

    ArmyNET therefore uses the latest (128-bit public key encryption) technology to safeguard the information and is only accessible by registered users.

    Safety Features

    If ArmyNET is inactive for a period of time, it will "timeout" - requiring users to log in again. Note that while the technology used is the highest level of Internet security, the user remains the weakness within the overall system. Internet banks have never been hacked - instead hackers send fraudulent messages to registered users, asking them for their User ID and Password. Once they have this information, they can then log in and steal the information. In the same way that a soldier must never give their ID card away (or their online bank user id and password details) - never disclose your User ID and password to anyone. Choose a password that only you will know and change it on a regular basis.

    Access to ArmyNET can be gained from any Internet-enabled PC. Note that when accessing ArmyNET from an insecure location (such as an Internet Cafe) there is a chance that someone (not authorised to view the contents of ArmyNET) could take steps to see the information 'over your shoulder'. For this reason, users must remain vigilant and not save or print any aspects of the ArmyNET pages from vulnerable hardware. It is for this reason that information classified RESTRICTED and above must not be published on ArmyNET. Note that for security reasons, Army intranets may prevent attachments from being added to ArmyNET mail.


    Access to certain areas of ArmyNET can be denied to registered users who are not authorised to see them. There are 3 levels of access to pages within ArmyNET:

    Public Access - Open access allows all users to see all areas of ArmyNET.

    Private Access - All users can see that a particular area exists; however, only those authorised to enter the area can actually view the information.

    Hidden Access - Only users authorised to see an area with hidden access can see it on their desktop and view the pages or information.
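
An added example, not part of the original post, illustrating its discussion of key length and brute-force decryption: it recovers a 16-bit key by exhaustive search, then extrapolates the measured rate to the 40-bit and 128-bit key lengths the post mentions. The toy cipher, the key and the sample message are constructed for the demonstration and are not how SSL or ArmyNET works.

```python
import hashlib
import time


def toy_encrypt(key: int, key_bits: int, data: bytes) -> bytes:
    """Toy cipher (illustration only): XOR data with SHA-256(key). XOR makes it its own inverse."""
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    stream = hashlib.sha256(key_bytes).digest()  # 32-byte keystream, so data must be <= 32 bytes
    return bytes(d ^ s for d, s in zip(data, stream))


def keyspace(key_bits: int) -> int:
    """Number of possible keys for an n-bit key: 2^n."""
    return 2 ** key_bits


def brute_force(ciphertext: bytes, known_plaintext: bytes, key_bits: int):
    """Try every key in order; return (key, keys_tried), or (None, keys_tried) if none fits."""
    for candidate in range(keyspace(key_bits)):
        if toy_encrypt(candidate, key_bits, known_plaintext) == ciphertext:
            return candidate, candidate + 1
    return None, keyspace(key_bits)


def years_to_search(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time, in years, to try every n-bit key at the given rate."""
    return keyspace(key_bits) / keys_per_second / (365 * 24 * 3600)


def main() -> None:
    secret_key = 0xBEEF                      # constructed 16-bit key
    message = b"constructed sample message"  # constructed plaintext (26 bytes)
    ciphertext = toy_encrypt(secret_key, 16, message)

    start = time.perf_counter()
    found, tried = brute_force(ciphertext, message, 16)
    rate = tried / (time.perf_counter() - start)
    print(f"16-bit key {found:#06x} recovered after {tried} tries ({rate:,.0f} keys/s)")

    # Extrapolate the measured rate to the key lengths the post discusses.
    for bits in (40, 128):
        print(f"{bits}-bit: {keyspace(bits):,} keys, ~{years_to_search(bits, rate):.3g} years")
    print(f"128-bit vs 40-bit: {keyspace(128) // keyspace(40):,} times more keys")


if __name__ == "__main__":
    main()
```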