Translation, 2006-06-06 23:14:00

Why data encryption is no substitute for comprehensive security


《endurer's note: 1. substitute for: to replace; to take the place of》

by  Jonathan Yarden


Translated by endurer, 2006-06-06 (1)


Keywords:  Authentication and encryption | Security | E-mail messages | Security threats



Jonathan Yarden asserts that data encryption can actually increase security risks if you apply it without considering how it will affect other IT functions. Find out why he stresses that data encryption is only one of the tools in a comprehensive Internet security setup.





In all my years in the computing industry, I have seen a number of technologies come, go, and resurface. Without a doubt, one of the most interesting is data encryption; yet, the general public still doesn't seem to have a firm grasp on it.


《endurer's note: 1. a number of: many, several
2. without a doubt: certainly, undoubtedly
3. general public: the public
4. seem to: appear to...
5. get a firm grasp of: to hold firmly》

 Part of the problem may be that many IT pros get their information about data encryption from security vendors. None of the vendors at the security seminars I have attended stress that data encryption is by no means a substitute for a comprehensive corporate security architecture. For instance, sometimes it only makes sense to use data encryption when no other alternatives exist; sometimes you don't need to use data encryption at all. You probably won't hear this in any security vendor seminar because they want to sell products—I just want to educate you.


《endurer's note: 1. part of: a part of
2. none of: not one of; nobody among
3. by no means: not at all
4. for instance: for example
5. makes sense: is meaningful, is reasonable
6. at all: entirely, in the least》

Know when to use data encryption


Data encryption is of little use unless you apply it to specifically mitigate a risk or to address a legal requirement. In fact, if you apply data encryption without consideration for how it will affect other IT functions, it can actually increase risks in other areas of the enterprise.


《endurer's note: 1. legal requirement: a requirement imposed by law》

A striking example of the misuse of data encryption is when IT pros use encrypted file systems where this type of security is simply not needed. Windows and almost all major operating systems support encrypted file systems, but most corporations would be hard pressed to find a general use for such security. Even so, many corporations adopt encrypted file systems because they believe this protects their information if a system is compromised. This is generally not true; the real security issue is keeping the system protected from compromise in the first place. An encrypted file system is not a reason to stop being vigilant when applying updates and patches. Also, backups are a must because, if you lose the decryption keys, your data is lost.


《endurer's note: 1. be hard pressed to do sth.: to find it difficult to do...
2. general use: general purpose
3. use for: to use for, to use as
4. even so: nevertheless
5. in the first place: at first, to begin with》

There are specific cases where it makes sense to use data encryption. However, many IT pros decide to use data encryption because they assume this means they will have "improved" security. For example, a company that implements a VPN system using IPSEC isn't immune from a worm or virus if its virus scanner only inspects e-mail at the firewall border. A solution is to enforce virus and worm scanning at the e-mail server, as well as at the network perimeter; this guarantees that internal e-mail messages are properly scanned for malicious content.


《endurer's note: 1. be immunized from: v. to be immune to...
2. as well as: (besides...) also, both... and; also, too》

Reconsider using SSL to pass sensitive data online


Many IT pros incorrectly assume their data are secure if they submit information using SSL. These two points are true: SSL encryption makes it much more difficult (perhaps with SSL V3 it may be close to impossible) to make use of data if it's intercepted; and SSL is more secure as a data transmission method over clear text. However, once the data is received and decrypted on the other side of the SSL connection, you no longer have any real control over it. Or, if your Windows system is infected with a keylogging Trojan, typing your credit card into a SSL session on a browser isn't going to prevent it from being stolen.


《endurer's note: 1. close to: near to, nearby》

The general belief of SSL providing security is precisely why many of the newer phishing scams that use SSL are tricking people into giving up personal information. SSL does not provide more than simple data transmission security. The real question is: What happens to the data afterwards?


《endurer's note: 1. trick into: to deceive someone into doing...》

Encrypt e-mail using archivers


《endurer's note: 1. archiver: n. archive storage program》

Secure e-mail is another area where corporations need some education. Most corporations do not need the level of e-mail security provided by PGP or built-in public key encryption in most e-mail systems.


《endurer's note: 1. PGP (Pretty Good Privacy) is e-mail encryption software based on the RSA public-key cryptosystem.》

When someone needs to send a Word document or Excel spreadsheet securely, I usually suggest they use the data encryption features of archivers such as WinZip or WinRAR, and send the secure data as an attachment to a regular text e-mail. When the recipient gets the e-mail, they decrypt the archive using a previously established decryption password. While this is far from perfect, it's generally secure enough to lower the risk to minimal levels.
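The two points above connect in practice: if internal mail is scanned at the e-mail server, an encrypted archive attachment is something the scanner can list but cannot inspect, so it must be treated as "unscanned" rather than "clean". The following is an added example, not code from the article or its author; it shows how a server-side attachment check can recognise a password-protected ZIP by the encryption flag bit in its headers. The archive contents, the member name, and the verdict names ("scan", "hold", "reject") are constructed for this example; the flag-flipping in `build_sample_zip` only produces a test fixture and does not really encrypt anything.

```python
import io
import struct
import zipfile
from typing import List

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
ENCRYPTED_BIT = 0x0001       # general-purpose flag bit 0: member is encrypted


def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed sample attachment (assumption, not real data).

    With mark_encrypted=True the encryption flag is set in both the local and
    central headers, so any ZIP reader sees a password-protected member. The
    payload itself is NOT encrypted; this is only a fixture for the scanner.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("quarterly-report.xlsx", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # flags live at offset 6 of the local header and offset 8 of the
        # central directory header (little-endian 16-bit fields)
        for sig, off in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
            pos = data.find(sig)
            flags = struct.unpack_from("<H", data, pos + off)[0]
            struct.pack_into("<H", data, pos + off, flags | ENCRYPTED_BIT)
    return bytes(data)


def encrypted_members(archive: bytes) -> List[str]:
    """Names of members whose encryption flag is set.

    zipfile can list these members from the central directory but cannot
    read them without the password, which is exactly why a mail scanner
    cannot inspect them for malicious content.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ENCRYPTED_BIT]


def mail_gateway_verdict(attachment_name: str, payload: bytes) -> str:
    """Attachment policy for the e-mail server scanner (assumed policy).

    'scan'   -> hand the attachment to the regular malware scanner
    'hold'   -> encrypted archive, cannot be scanned, keep for review
    'reject' -> malformed archive that no scanner can parse
    """
    if not zipfile.is_zipfile(io.BytesIO(payload)):
        return "scan"          # not a ZIP: ordinary scanning applies
    try:
        names = encrypted_members(payload)
    except zipfile.BadZipFile:
        return "reject"        # claims to be a ZIP but cannot be parsed
    if names:
        return "hold"          # encrypted members bypass content scanning
    return "scan"


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_zip(flag)
        print(flag, encrypted_members(sample), mail_gateway_verdict("report.zip", sample))
```

The design point is that the gateway never returns "clean" for something it could not open: an encrypted archive is exactly the case the article warns about, where encryption applied in one place (the attachment) removes a control somewhere else (server-side scanning). The password workflow still works for the recipient, but the hold queue makes the trade-off visible instead of silent.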




I must stress that data encryption is only one of the tools in a comprehensive Internet security setup. Regardless of the sales pitches, remember that the lowest common denominator in Internet security is people, not technology.


《endurer's note: 1. regardless of: no matter, without regard to
2. sales pitch: talk intended to win business
3. lowest common denominator: (math) lowest common denominator》

