OVERVIEW:

  • Describe the elements, purpose and basic method of encryption. 
  • Describe the purpose and basic method of digital signatures and certificates. 
  • Identify the purpose of and acronyms associated with secure internet transmission protocols. 
  • Describe, compare and contrast, symmetric and asymmetric encryption. 
  • Describe the purpose and value of virtual private networks (VPNs). 
  • Give examples of appropriate and inappropriate uses of symmetric and asymmetric encryption. 
  • Describe some emerging models for improving encryption. 

I. INTRO:

  • The growth in e-commerce and other internet-based technologies has increased the risks arising from network-based exchanges between unrelated parties. 
  • This lesson considers threats and controls related to ensuring the privacy and security of information and the security of online financial exchanges. 

II. PRIVACY AND SECURITY ISSUES IN NETWORKED SYSTEMS: 

  • Encryption - The process of converting a plaintext message into a secure-coded form (ciphertext). 
    • Decryption reverses encryption so that the message can be read. Encryption uses a mathematical algorithm to translate cleartext (plaintext) - text that can be read and understood - into ciphertext, text that has been mathematically scrambled so that its meaning cannot be recovered without the key. 
    • Encryption provides privacy (confidentiality: protection of data against unauthorized reading). On its own it does not prove who sent a message or that the message was not altered; authentication and integrity come from related mechanisms built on the same keys, such as message authentication codes (MACs) and digital signatures. Encryption can protect stored data (data at rest) and transmitted data (data in motion). 
    • Encryption is an essential but imperfect control. The security of a sound encryption method rests on the secrecy and length of the key, not on the secrecy of the algorithm. Keys should be rotated: the longer and more widely a key is used, the more ciphertext an attacker can collect under it and the more opportunities there are for it to leak. 
  • “Key” Elements of Encryption - 
    • The encryption algorithm is the function that transforms plaintext into ciphertext and, run in reverse with the correct key, ciphertext back into plaintext. 
    • The encryption key is the parameter or input to the algorithm that makes each encryption unique. The reader must have the key to decrypt the ciphertext. 
    • Key length is a determinant of strength. Longer keys are harder to break: each additional bit doubles the number of keys an attacker must try in an exhaustive (brute-force) search. 
  • Symmetric Encryption -
    • Fast and simple, and not inherently less secure than asymmetric encryption; its weakness is key distribution, since the same secret key must somehow be delivered to every party that needs it. 
    • Often used for data at rest (encrypted disks, databases and backups), where a single party holds the key, and for the bulk of data in motion once a session key has been agreed. 
    • Also called single-key or secret-key encryption: the same key is used to encrypt and to decrypt. 
    • The sender encrypts the plaintext with the shared key and transmits the ciphertext. 
    • The sender and recipient must share the secret key over some separate, trusted channel; the algorithm itself is public (e.g., AES) and need not be kept secret. 
    • The recipient runs the same algorithm in reverse with the shared key to decrypt. 
  • Asymmetric Encryption -
    • Solves the key-distribution problem but is slower and more complicated than symmetric encryption. 
    • Often used with data in motion, typically to exchange a symmetric session key that then protects the bulk of the traffic (hybrid encryption). 
    • Also called public/private key encryption.
    • Uses a single algorithm with a pair of mathematically related keys: a public key that can be freely published and a private key that is never shared. 
    • If the public key is used to encrypt, only the private key can decrypt. Conversely, what the private key produces (a digital signature) can be verified by anyone holding the public key. 
    • To obtain a trusted public/private key pair, the user generates the pair locally and applies to a certificate authority (CA) to have the public key certified:
      • The user keeps the private key; it never leaves the user's control. The CA verifies the user's identity and issues a certificate binding the public key to that identity. 
      • When someone wants to communicate securely with the user, he or she obtains the user's certified public key, encrypts the message with it, and sends it to the user. 
      • The user then uses the private key to decrypt the message. 
      • The transmission is confidential because only the private key can decrypt the message and only the user holds the private key. 
  • Quantum Encryption -
    • Quantum key distribution (QKD) uses the physical properties of light (photons) to exchange an encryption key in a way that makes any eavesdropping on the exchange detectable. It is distinct from, and a response to, the threat that large quantum computers pose to today's public-key algorithms. 
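
The following Python is an added example, not part of the original notes, illustrating the symmetric encryption bullets above: one shared key used by both sender and recipient, a check that rejects a wrong key or a tampered ciphertext instead of returning garbage, and an exhaustive search that recovers a deliberately short key, which is the reason key length matters. The cipher is a simple counter-mode construction built from HMAC-SHA256 for illustration only; a production system would use a vetted authenticated cipher such as AES-GCM. The message and keys are constructed sample data.

```python
"""Symmetric (single-key) encryption, illustrated.  Added example, not from the notes.
Toy construction: keystream = HMAC-SHA256(key, nonce || counter) XORed with the
plaintext, plus an HMAC tag over nonce || ciphertext so tampering or a wrong key
is detected.  Use a vetted AEAD (e.g. AES-GCM) for real data."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Sender: XOR with the keystream, then authenticate.  Output is nonce || ct || tag.
    The recipient must already hold the same key, delivered over a separate channel."""
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; never reuse with a key
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Recipient: same algorithm, same key.  Returns None (not garbage) when the tag
    fails, which happens with a wrong key or a modified ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def brute_force(blob: bytes, key_bits: int):
    """Exhaustive key search.  Each extra key bit doubles the work, which is the
    whole argument for long keys: 2**16 tries is instant, 2**128 is not."""
    nbytes = (key_bits + 7) // 8
    for guess in range(2 ** key_bits):
        key = guess.to_bytes(nbytes, "big")
        pt = decrypt(key, blob)
        if pt is not None:
            return key, pt, guess + 1  # tries needed
    return None


def demo() -> dict:
    msg = b"Wire 250,000 to account 4711"  # constructed sample plaintext
    key = secrets.token_bytes(32)           # 256-bit shared secret
    blob = encrypt(key, msg)
    # Flip one bit of the ciphertext: the tag no longer matches.
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    weak_key = secrets.token_bytes(2)       # deliberately weak 16-bit key
    found_key, found_pt, tries = brute_force(encrypt(weak_key, msg), 16)
    return {
        "roundtrip": decrypt(key, blob),
        "wrong_key": decrypt(secrets.token_bytes(32), blob),   # None: tag fails
        "tampered": decrypt(key, tampered),                    # None: tag fails
        "weak_key_recovered": found_key == weak_key,
        "weak_key_plaintext": found_pt,
        "tries": tries,                                        # at most 2**16
    }


if __name__ == "__main__":
    print(demo())
```

The point of the tag check is that a wrong guess is recognizable: that is what makes exhaustive search work, and it is also why a 16-bit key falls in a fraction of a second while a 256-bit key would need 2**240 times as many tries.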

III. Facilitating Secure Exchanges - E-commerce should occur only with high certainty regarding the identity of the trading partners and the reliability of the transaction data. Electronic identification methodologies and secure transmission technology are designed to provide such an environment. 

  • Digital Signatures
    • An electronic means of identifying a person or entity and of detecting changes to a message
    • Use public/private key pair technology to provide authentication of the sender and verification of the integrity of the message content. 
    • The sender signs a hash of the message with the private key; anyone can verify the signature with the sender’s public key. 
    • Vulnerable when the verifier cannot be sure whose public key it is holding: an attacker in the middle can substitute his or her own key pair, or a stolen private key can be used to sign as the victim. A digital signature is like a letter sealed with the King’s personal wax seal. A thief may steal, or a forger may duplicate, the King’s seal, so a message bearing the seal may not be from the King. Likewise, a signed e-mail may not be from the person the receiver thinks it is from if the private key was stolen, or if the receiver was tricked into accepting an impostor’s public key as the sender’s. 
  • Digital Certificates
    • For transactions requiring a high degree of assurance, a digital certificate provides a legally recognized electronic identification of the sender by binding the sender’s public key to a verified identity; signatures verified with that key then establish the integrity of the message content. 
      • Based on the public key infrastructure (PKI), which specifies protocols for managing and distributing cryptographic keys. 
      • In this system, a user requests a certificate from the certificate authority. The certificate authority verifies the applicant’s identity before issuing the certificate. 
      • Complements rather than replaces digital signatures: a signature shows that the holder of a particular private key signed the message, while the certificate establishes who that holder is. 

A certificate authority or certification authority (CA) – manages and issues digital certificates and public keys. The digital certificate certifies the ownership of a public key by the named subject (user) of the certificate. This allows others (relying parties) to rely upon signatures or assertions made by the private key that corresponds to the certified public key. 
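
An added example, not from the original notes, tying together the asymmetric encryption, digital signature and digital certificate material above: textbook RSA with small fixed primes in Python. It shows that the key pair is generated by its owner and only the public half goes to the CA, that the public key encrypts and the private key decrypts (here a session key, as in hybrid encryption), that the private key signs and the public key verifies, and that a CA-signed certificate lets a relying party detect a substituted public key. The names, primes and certificate format are constructed for illustration; real RSA uses 2048-bit or larger keys with standardized padding.

```python
"""Toy RSA: key pair, encryption, digital signature, CA certificate.  Added example;
textbook RSA with small fixed primes and no padding, for illustration only."""
import hashlib
import secrets

# Fixed primes so the walk-through is reproducible (constructed; real keys use
# 1024-bit or larger primes generated at random).
ALICE_PRIMES = (1000000007, 998244353)
CA_PRIMES = (2147483647, 1000000009)
MALLORY_PRIMES = (999999937, 999999929)


def keygen(p: int, q: int, e: int = 65537):
    """The owner generates the pair locally.  Only (n, e) is ever published or
    sent to a CA; (n, d) never leaves the owner."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return (n, e), (n, d)               # public, private


def encrypt(pub, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def _digest(data: bytes, n: int) -> int:
    """Hash the message first; the signature covers the digest, not the raw data."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """Private key 'encrypts' the digest: this is the digital signature."""
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Public key 'decrypts' the signature and compares it with a fresh digest."""
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _cert_body(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(ca_priv, subject: str, subject_pub) -> dict:
    """The CA binds a verified identity to a public key by signing both together.
    Identity vetting happens before this call and is outside the code."""
    return {"subject": subject, "pub": subject_pub,
            "ca_sig": sign(ca_priv, _cert_body(subject, subject_pub))}


def check_certificate(ca_pub, cert: dict) -> bool:
    """Relying party: trust the key in the certificate only if the CA's signature holds."""
    return verify(ca_pub, _cert_body(cert["subject"], cert["pub"]), cert["ca_sig"])


def demo() -> dict:
    alice_pub, alice_priv = keygen(*ALICE_PRIMES)
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    mallory_pub, _ = keygen(*MALLORY_PRIMES)

    # Confidentiality: Bob wraps a symmetric session key under Alice's public key
    # (hybrid encryption); the bulk data would then travel under that session key.
    session_key = secrets.randbelow(2 ** 56)
    wrapped = encrypt(alice_pub, session_key)

    # Authentication and integrity: Alice signs, anyone verifies, edits are caught.
    msg = b"Pay 100 to Bob"   # constructed sample
    sig = sign(alice_priv, msg)

    # Identity: the CA certifies Alice's key.  Mallory swapping in his own key
    # invalidates the CA signature, which is what the certificate is for.
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    forged = dict(cert, pub=mallory_pub)

    return {
        "session_key_recovered": decrypt(alice_priv, wrapped) == session_key,
        "signature_ok": verify(alice_pub, msg, sig),
        "tampered_ok": verify(alice_pub, b"Pay 1000 to Bob", sig),
        "wrong_key_ok": verify(mallory_pub, msg, sig),
        "cert_ok": check_certificate(ca_pub, cert),
        "forged_cert_ok": check_certificate(ca_pub, forged),
    }


if __name__ == "__main__":
    print(demo())
```

Note where the private key lives: keygen runs on Alice's side and the CA only ever sees alice_pub. The relying party trusts Alice's key because check_certificate succeeds under the CA's public key, which it must already hold through some trusted channel (in browsers, the preinstalled root store).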

Secure Internet Transmission Protocols -

Sensitive data sent via the internet is usually secured at the transport layer by one of these protocols:

  1. Secure Sockets Layer (SSL), now superseded by its successor Transport Layer Security (TLS), uses a combination of encryption schemes based on a PKI: certificates authenticate the server, asymmetric encryption establishes a session key, and symmetric encryption protects the data. HTTPS is HTTP carried over SSL/TLS. 
  2. Secure Hypertext Transfer Protocol (S-HTTP) secures individual HTTP messages using SSL-like cryptography. It was a competing proposal that saw little adoption; HTTPS is what browsers and servers use in practice. 

Secure Electronic Transactions (SET) 

  1. Developed by Visa and MasterCard in the 1990s as a protocol for consumer card purchases made via the internet. Uses multiple encryption schemes based on a PKI. It was never widely adopted, but it illustrates the design goals of a payment protocol. 
  2. Used by the merchant (the intermediary between the bank and customer) to transmit payment information securely and to authenticate trading partner identity, while keeping the customer’s card details hidden from the merchant. 

Virtual Private Network (VPN) 

A secure way to connect to a private local area network (LAN) from a remote location, usually over the public internet. Uses authentication to identify users and encryption so that intercepted traffic is unreadable to unauthorized parties. Should be part of an organization’s remote access security plan. 

IV. The Limits and Future of Encryption

A. Encryption must be part of a broader strategy to achieve confidentiality and security. It alone is insufficient. Access controls and strong authentication techniques help, as does limiting, as appropriate, user actions (read, write, change, delete, copy, etc.) when accessing confidential information. 

B. Encryption is something of an “arms” race with hackers. IT professionals and researchers are always improving encryption to remain ahead of hackers, who develop improved strategies for breaking encryption. 

C. Emerging strategies, currently being researched, for improving encryption include “honey” encryption, where wrong guesses at the key yield plausible-looking but false plaintext so that an attacker cannot tell when a guess has succeeded; post-quantum cryptography, new public-key algorithms designed to resist attack by quantum computers, which, once large enough, could break today’s RSA and elliptic-curve schemes; and quantum key distribution, which uses the physical properties of photons to exchange keys in a way that makes eavesdropping detectable.