Cryptographic Methods
Original Post by Catherine Johnson
Cryptographic Methods:
Cryptography is the science of concealing information or encrypting information. Computers use complex cryptographic algorithms to enable data protection, data hiding, integrity checks, nonrepudiation services, policy enforcement, key management, and exchange, and many more (Conklin, 2018). Cryptography is classified into three types symmetric cryptography, asymmetric cryptography, and hash functions
Symmetric cryptography is also known as secret-key cryptography. It uses a single key to encrypt and decrypt data making it the simplest type of cryptography. A plain text with the key produces the same cipher similarly, the ciphertext with the key produces the plain text. “Symmetric encryption is useful for protecting data between parties with an established shared key and is also frequently used to store confidential data” (Burnett & Foster, 2004). This type of cryptography is suited for bulk encryption as it is fast and easy.
Asymmetric cryptography is also known as public-key cryptography. In this method, two keys are used to encrypt data. One for encoding and the other for decoding. One of the two keys stays private while the other is shared. The algorithms are based on integer factorization and discrete logarithmic problems. This encryption method is used for authentication and confidentiality.
The hash function is a special mathematical function. It performs a one-way function, which means that once the algorithm is processed, there is no feasible way to use the ciphertext to retrieve the plaintext that was used to generate it (Conklin, 2018). Hashes provide confidentiality but not integrity because even though we cannot determine the original text, we can ascertain the modified text. These are utilized in programs, text messages, and operating systems files.
Public Key Infrastructure (PKI):
It is an infrastructure that enables users to communicate securely. PKI uses the asymmetric method; one private key and one public key. The public key can only decrypt the file encrypted by the private key, which affirms the receiver and the sender’s information is secure during a transaction. The challenges PKI face is the storage and protection of the keys. The encryption keys can be stolen or unrecoverable based on the measures taken to store them. Additionally, failure to issue and renew certificates can cause large-scale connectivity issues.
Physical Security:
Physical security needs to be maintained to prevent attackers from gaining access to steal data. Physical security is essential in an organization to prevent unauthorized individuals from causing harm to the business. If systems and devices are physically accessed, all files, data, information, and networks can be compromised. Granting limited access to employees to computer rooms or server rooms can prevent theft and help with intentional and unintentional damages. Perimeter security is also important, especially for sites and server access. Furthermore, device management is crucial as well because stolen devices can cause data breaches. Organizations should implement endpoint security management to access devices outside the company’s network and keep them safe.
References
Conklin, Wm., A. et al. Principles of computer security: CompTIA security and beyond, fifth edition. Available from: Slingshot eReader, (5th Edition). McGraw-Hill Professional, 2018.
Burnett. M, Foster. J. C. 2004. Hacking the code ASP.Net web application security. https://www.sciencedirect.com/topics/computer-science/symmetric-cryptography
Original Post from Ayesha Syeda
They cannot protect everything against every threat. However, as we continue to expand our definition of threat, we can identify more threat types and better evaluate their impact on a business, including all the factors that go into designing a technological solution. When we apply technology to create new ideas, we can call the resulting new product or service a threat since it is something that increases the cost of doing business or causes competitors to re-evaluate where they are in the competitive hierarchy. For a company to be classified as a threat, it must: Have created, in some form or fashion, a product or service that has a market share of more than 30% and Have had a significant technological change that increases the cost of doing business by more than 20%. The threat must be significant enough to create a market opportunity for the company. The danger is that the threat increases the pressure on the organization to act quickly because, in the meantime, the company is in a quandary because of the risk that the information might be used against them by competitors, as one example, or the information might damage a competitor’s reputation. A solution can be to develop a system that will send alerts when there is a change in the information. This might require information systems that allow the users to track changes in the data. The company should have administrative, training, and educational staff to maintain control. As a company expands across national markets, the number of people in the country that need to be trained to serve the foreign market should be relatively small. In such cases, it is common to have multiple people who perform different tasks so that one specialist may need to be trained in one country and another in another.
Cryptographic weaknesses might be related to different classes of weaknesses, including the weaknesses in software design, the vulnerabilities of hardware, the weaknesses in communication and security networks, and others. Different cryptosystems can address two main types of weaknesses. A weakness in software design can be addressed by a software implementation that implements a robust design and provides several security features. For example, the device has a fingerprint scanner that can identify the person entering and leaving the hotel and stores the hotel guest’s name, phone number, and email address. Furthermore, the hotel provides a free Wi-Fi password if someone uses one of the hotel’s mobile phones in the hotel premises without permission. The hotel provides a service to guests to remotely connect their mobile phones to their Wi-Fi network. If a guest does not have the required device, they can connect their mobile phone to this application and use this data to charge their card. Once charged, the device is sent to the guest’s mobile phone. The mobile phone then connects to the charging station and allows the guest to use this card to continue their journey. There is no additional charge when using a mobile phone as a payment terminal.
The key for PKI is the identification of valid and invalid transactions within the transactions. We define valid as “anyone transaction that meets the following conditions”: The transaction inputs are valid. The transaction outputs are valid. The inputs are included in one of the inputs and are not modified. The outputs are included in one of the outputs and are not modified. We use three examples for validation. We consider a peer-to-peer instant messaging protocol as an example. The basic idea is the simple one. It allows anyone in the world to send an encrypted message in real-time. This means that no one will be able to read anything until the message is received by a third party and is decrypted. This is what makes instant messaging worthwhile. However, the messages contained within them are compassionate and easy to track. It also means that the sender of the secret message has access to it forever (Cambou et al., 2019). In addition to this, the sender also needs to be aware of the recipient’s location. If the recipient is in the same room as him/her, it is more challenging to get secure communication, and hence it is best to encrypt this session. For instance, senders can encrypt their messages only with the cipher AES or RSA, which means they cannot decrypt them by brute force. If this is the case, the sender needs to change the recipient’s destination or choose a different cipher and thus create a new session.
An excellent place to start is by examining their organization’s physical control procedures. These controls can be implemented via the training of key personnel, written policies, rules, or management processes. The security management team needs to know how to assess the security of the organization’s information systems to ensure that they are capable of maintaining and restoring data that is lost or stolen, as well as the availability of data and information to allow the success of business operations. This requires an understanding of technology, security, and digital transformation in the digital era. At ICAP, the security team is constantly challenged with deciding what new information technology applications to add to the existing inventory management system. The most obvious potential application would be in the handling of customer information. It is known that the use of an ERP system can provide more excellent information quality and lower inventory levels. However, integrating electronic and physical data within the same data warehouse can make the system more complex. However, as the number of physical elements in an electronic database increase, it is easier for IT to integrate data into the system. IT can also benefit from developing processes for storing and analyzing structured information. This analysis is often undertaken using software applications, such as structured reporting or text mining.
Reference:
Cambou, B., Philabaum, C., Booher, D., & Telesca, D. A. (2019, March). Response-based cryptographic methods with ternary physical unclonable functions. In Future of Information and Communication Conference (pp. 781-800). Springer, Cham.
Note
Read and respond in at least 200 words to at least two of your classmates’ postings, as well as any follow-up instructor questions directed at you, by the end of the workshop. Include citations to at least one credible information source in your replies.
