Opportunistic Encryption

Opportunistic Encryption (OE) allows for "encryption for secure communication without any pre-arrangement specific to the pair of systems involved." Or in general terms, "I'd like to talk to Bob, with encryption if available".

This provides a level of security which is sometimes described as "Better Than Nothing Security" or ANONSEC. It does not provide a strong level of security, as authentication may be difficult to establish and secure communications are not forced. It does, however, make the encryption of most Internet traffic easy to implement, and ease of deployment has been a significant impediment to the mass adoption of Internet traffic security.


ROUTERS

The uses DNS records to facilitate the key exchange between the systems.

It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similarly to OE for specific domains.


LINUX


FreeS/WAN and its forks offer VPNs which can also operate in OE mode using IPsec-based technology.


WINDOWS OS

Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on.
It is accessed via the environment.

To use Windows OE in a non-Kerberos environment, you need to install a certificate from a Certificate Authority (CA) which is common to every system with which you communicate securely, Thawte Freemail for example.

Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT Traversal (NAT-T) and is enabled by adding the following DWORD to the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule
with a value of 2, then rebooting. Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit encryption for traffic to various domains and protocols.


E-MAIL

Opportunistic Encryption can also be used for specific traffic like e-mail using the STARTTLS Internet Message Access Protocol extension. With this implementation, it is not necessary to obtain a certificate from a Certificate Authority, as a self-signed certificate can be used.


Many systems employ a variant with third-party add-ons to traditional e-mail packages: they first attempt to obtain an encryption key for the recipient and, if unsuccessful, send the e-mail in the clear. PGP, Hushmail and Ciphire, among others, can all be set up to work in this mode.
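The opportunistic STARTTLS behaviour described above, written out as an added example (not code from the original article or from any of the products named): the EHLO reply is parsed for the STARTTLS keyword, the session is upgraded when it is offered and otherwise falls back to cleartext, and a self-signed server certificate is accepted rather than verified. It uses SMTP STARTTLS (RFC 3207) rather than IMAP; the host names and EHLO replies are constructed, and the require_tls switch is an assumption that shows where a stripped STARTTLS line would otherwise silently downgrade the connection.

```python
"""Opportunistic STARTTLS for SMTP: upgrade to TLS when offered, else fall back."""
import smtplib
import ssl

# Constructed sample EHLO replies in wire form (not captured from a real server).
EHLO_WITH_STARTTLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_WITHOUT_STARTTLS = "250-mail.example.test\r\n250-SIZE 35882577\r\n250 8BITMIME\r\n"


def parse_ehlo_extensions(reply: str) -> set[str]:
    """Return the upper-cased extension keywords in a raw 250 EHLO reply.
    The first line carries the server's hostname and is skipped."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    exts = set()
    for ln in lines[1:]:
        # Lines look like '250-KEYWORD [params]'; the last one is '250 KEYWORD'.
        if not ln.startswith("250"):
            continue
        body = ln[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def choose_mode(extensions: set[str], require_tls: bool = False) -> str:
    """Opportunistic policy: 'tls' if STARTTLS is offered, else 'cleartext'.
    With require_tls a missing STARTTLS yields 'abort' instead: an active
    attacker who strips the STARTTLS line from the EHLO reply would otherwise
    land the session in the cleartext branch without any error."""
    if "STARTTLS" in extensions:
        return "tls"
    return "abort" if require_tls else "cleartext"


def send_opportunistic(host, port, sender, rcpt, msg, require_tls=False):
    """Connect, apply the policy, deliver, and return the mode that was used.
    The TLS context accepts self-signed certificates (no chain or hostname
    check), matching the OE model; use ssl.create_default_context() unchanged
    to turn that into authenticated TLS."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        # smtplib keeps the advertised extensions, lower-cased, in esmtp_features.
        mode = choose_mode({k.upper() for k in smtp.esmtp_features}, require_tls)
        if mode == "abort":
            raise RuntimeError("server offers no STARTTLS and TLS is required")
        if mode == "tls":
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE  # tolerate self-signed server certs
            smtp.starttls(context=ctx)
            smtp.ehlo()  # RFC 3207: re-issue EHLO after the TLS upgrade
        smtp.sendmail(sender, rcpt, msg)
        return mode
```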


VOIP

Some , if successful, play a series of tones into the handset; if not, the call proceeds without using encryption. Skype and Amicima use only secure connections, and the Gizmo Project attempts a secure connection between its clients. Phil Zimmermann, Alan Johnston and Jon Callas have proposed a new VoIP encryption protocol called ZRTP. They have an implementation of it called Zfone, whose source and compiled binaries are available.


WEBSITES


For encrypting WWW/HTTP connections, HTTPS is typically used, and it can also be used for opportunistic website encryption. Most browsers verify the web server's identity by checking that its SSL certificate is signed by a 'trusted' Certificate Authority. The easiest way to enable opportunistic website encryption is to use self-signed certificates; doing so causes browsers to display a warning each time the website is visited, unless the user imports the website's certificate into their browser.

Projects such as LibreSSL offer free certificates issued from a common root certificate: once that root is loaded into your browser, the warnings no longer appear. However, since LibreSSL does not perform any verification checks on the information stored in the certificate, this bypasses the authentication layer of the underlying SSL protocol, and connections to servers using LibreSSL certificates should not be trusted for financial or otherwise sensitive information.

