Cryptography and Network Security 1
Running head: LITERATURE REVIEW OF CRYPTOGRAPHY & NETWORK SECURITY
Literature Review o...
Cryptography and Network Security 2
Abstract
This literature review looks at the research that has been published in the a...
Cryptography and Network Security 3
CONTENTS
Abstract........................................................................
Cryptography and Network Security 4
Introduction -
Early vs. Modern Cryptography
Today’s cryptography is vastly more compl...
Cryptography and Network Security 5
the use of keys, which are associated with Web-based applications, ATMs, Ecommerce,
co...
Cryptography and Network Security 6
calculated by the use of the original two prime numbers. Using this encryption key wou...
Cryptography and Network Security 7
Introduction -
Overall Trends in the Research
In reviewing the research that has alrea...
Cryptography and Network Security 8
cryptographic hardware into embedded designs (Robinson, 2008). Although cryptography a...
Cryptography and Network Security 9
hackers, organized crime, terrorists, or enemy governments (Webb, 2006; S., E, 2007). ...
Cryptography and Network Security 10
Scholarly Literature
There is much skepticism surrounding cryptography. Fagin et al. ...
Cryptography and Network Security 11
Spantzel et al. offers a taxonomy for unifying the relationship-focused and credentia...
Cryptography and Network Security 12
proposed a new method named “hidden direct sequence” to enhance the security of CDMA
...
Cryptography and Network Security 13
society uses it. This relies on current laws, customs, regulations, and what we as a ...
Cryptography and Network Security 14
Walters (2007) proposes a draft IS security curriculum that should be incorporated in...
Cryptography and Network Security 15
(2006) stresses the importance of strong encryption key management and granular acces...
Cryptography and Network Security 16
scheme involving known chosen/plaintext attacks in which only one known chosen/plaint...
Cryptography and Network Security 17
cryptography—since it is based on secret keys that are short, easy to transfer, and e...
Cryptography and Network Security 18
Non-Scholarly Literature
As pointed out in Companies Integrate (2008) many corporatio...
Cryptography and Network Security 19
One of the biggest issues facing privacy and data security in the health industry tod...
Cryptography and Network Security 20
variances about those means. This quantum random noise is irreducible and cannot be f...
Cryptography and Network Security 21
And, finally, Webb reports the necessity of “hack-proof” design in embedded systems.
...
Cryptography and Network Security 22
Conclusions
A review of the scholarly and non-scholarly literature over the past deca...
Cryptography and Network Security 23
asymmetric key management system process where the public key is known to everyone an...
Cryptography and Network Security 24
References
Baker, M. (2005, January). Keeping a Secret. Technology Review, 108(1), 82...
Cryptography and Network Security 25
Harris, D. (2007, April 27). Has Anyone Seen My Data?. Electronic Design, 55(9), 41-4...
Cryptography and Network Security 26
Li, C., Li, S., Zhang, D., & Chen, G. (2006, February). Cryptanalysis of a data secur...
Cryptography and Network Security 27
S., E. (2007, February). HACK-PROOF INTERNET. Popular Science, 270(2), 48-49. Retriev...
Upcoming SlideShare
Loading in …5
×

Cryptoandnetworksecuritylitreview

356 views

Published on

Published in: Technology, Education
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
356
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Cryptoandnetworksecuritylitreview

  1. 1. Cryptography and Network Security 1 Running head: LITERATURE REVIEW OF CRYPTOGRAPHY & NETWORK SECURITY Literature Review of Cryptography and its Role in Network Security Principles and Practice Daniel Lloyd Calloway Capella University, OM8302, § 4 8 September 2008 Dr. Hannon, Instructor
  2. 2. Cryptography and Network Security 2 Abstract This literature review looks at the research that has been published in the area of cryptography as it relates to network data and global communications security. It compares and contrasts the research pointing out overall trends in what has already been published on this subject. It analyzes the role that cryptography has played and will play in the future relative to security. This review addresses cryptography around the central theme of the security that it provides or should provide individuals, corporations, and others in the modern age of computing technology, networking, and Web-based ecommerce. By reviewing both scholarly and non- scholarly works, it is our objective to make a case that continuing research into the use of cryptography is paramount in preserving the future of electronic data security and privacy as well as the continuing development of Web-based applications that will permit the growth of ecommerce business worldwide to be conducted over the Internet.
  3. 3. Cryptography and Network Security 3 CONTENTS Abstract............................................................................................................................................2 Introduction - Early vs. Modern Cryptography .............................................................................4 Introduction - Overall Trends in the Research...............................................................................7 Scholarly Literature .......................................................................................................................10 Non-Scholarly Literature ...............................................................................................................18 Conclusions....................................................................................................................................22 References......................................................................................................................................24
  4. 4. Cryptography and Network Security 4 Introduction - Early vs. Modern Cryptography Today’s cryptography is vastly more complex than its predecessor. Unlike the original use of cryptography in its classical roots where it was implemented to conceal both diplomatic and military secrets from the enemy, the cryptography of today, even though it still has far- reaching military implications, has expanded its domain, and has been designed to provide a cost-effective means of securing and thus protecting large amounts of electronic data that is stored and communicated across corporate networks worldwide. Cryptography offers the means for protecting this data all the while preserving the privacy of critical personal financial, medical, and ecommerce data that might end up in the hands of those who shouldn’t have access to it. There have been many advances in the area of modern cryptography that have emerged beginning in the 1970s as the development of strong encryption-based protocols and newly developed cryptographic applications began to appear on the scene. On January, 1977, the National Bureau of Standards (NBS) adopted a data encryption standard called the Data Encryption Standard (DES), which was a milestone in launching cryptography research and development into the modern age of computing technology. Moreover, cryptography found its way into the commercial arena when, on December, 1980, the same algorithm, DES, was adopted by the American National Standards Institute (ANSI). Following this milestone was yet another when a new concept was proposed to develop Public Key Cryptography (PKC), which is still undergoing research development today (Levy, 2001). When we speak of modern cryptography, we are generally referring to cryptosystems because the cryptography of today involves the study and practice of hiding information through
  5. 5. Cryptography and Network Security 5 the use of keys, which are associated with Web-based applications, ATMs, Ecommerce, computer passwords, and the like. Cryptography is considered not only a part of the branch of mathematics, but also a branch of computer science. There are two forms of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems involve the use of a single key known as the secret key to encrypt and decrypt data or messages. Asymmetric cryptosystems, on the other hand, use one key (the public key) to encrypt messages or data, and a second key (the secret key) to decipher or decrypt those messages or data. For this reason, asymmetric cryptosystems are also known as public key cryptosystems. The problem that symmetric cryptosystems have always faced is the lack of a secure means for the sharing of the secret key by the individuals who wish to secure their data or communications. Public key cryptosystems solve this problem through the use of cryptographic algorithms used to create the public key and the secret key, such as DES, which has already been mentioned, and a much stronger algorithm, RSA. The RSA algorithm is the most popular form of public key cryptosystem, which was developed by Ron Rivest, Adi Shamir, and Leonard Adleman at the Massachusetts Institute of Technology in 1977 (Robinson, 2008). The RSA algorithm involves the process of generating the public key by multiplying two very large (100 digits or more) randomly chosen prime numbers, and then, by randomly choosing another very large number, called the encryption key. The public key would then consist of both the encryption key and the product of those two primes. Ron Rivest then developed a simple formula by which someone who wanted to scramble a message could use that public key to do so. The plaintext would then be converted to ciphertext, which was transformed by an equation that included that large product. Lastly, using an algorithm developed through the work of the great mathematician, Euclid, Ron Rivest provided for a decryption key—one that could only be
  6. 6. Cryptography and Network Security 6 calculated by the use of the original two prime numbers. Using this encryption key would unravel the ciphertext and transform it back into its original plaintext. What makes the RSA algorithm strong is the mathematics that is involved. Ascertaining the original randomly chosen prime numbers and the large randomly chosen number (encryption key) that was used to form the product that encrypted the data in the first place is nearly impossible (Levy, 2001). A very popular public key cryptosystem is known as Pretty Good Privacy (PGP), developed by Phil Zimmerman beginning in early 1991 (Levy, 2001). The strength of the keys that are created to encrypt and decrypt data or communications is a function of the length of those keys. Typically the longer the key, the stronger that key is. For example, a 56-bit key (consisting of 56 bits of data) would not be as strong as a 128-bit key. And, consequently, a 128- bit key would not be as strong as a 256- or 1024-bit key. Next, let’s address the overall trends identified in the research that has been conducted in the field of cryptography and network security.
  7. 7. Cryptography and Network Security 7 Introduction - Overall Trends in the Research In reviewing the research that has already been published with regard to cryptography and network security since the 1970s, some noteworthy trends have emerged. There is a prevailing myth that secrecy is good for security, and since cryptography is based on secrets, it may not be good for security in a practical sense (Schneier, 2004; Baker, 2005). The mathematics involved in good cryptography is very complex and often difficult to understand, but many software applications tend to hide the details from the user thus making cryptography a useful tool in providing network and data security (Robinson, 2008). Many companies are incorporating data encryption and data loss prevention plans, based on strong cryptographic techniques, into their network security strategic planning programs (Companies Integrate, 2006). Cryptographic long-term security is needed but is often difficult to achieve. Cryptography serves as the foundation for most IT security solutions, which include: (1) Digital signatures that are used to verify the authenticity of updates for computer operating systems, such as Windows XP; (2) Personal banking, ecommerce, and other Web-based applications that rely heavily on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data security; and (3) The introduction of health cards that allow access to medical history, prescription history, and medical records in countries such as Germany, which contain the electronic health information of its citizens and which depend on digital signature and other encryption schemes for security and privacy of critical data (Perspectives for, 2006). There are product design criteria that designers can meet for implementing strong encryption protocols into software applications; however, strong public-key cryptography may prove too computationally expensive for small devices, and the alternative may be to incorporate
  8. 8. Cryptography and Network Security 8 cryptographic hardware into embedded designs (Robinson, 2008). Although cryptography and information security are multi-billion dollar industries, the economy of the world and the defense of almost every nation worldwide depend upon it and could not be carried out without it (Fagin, Baird, Humphries, & Schweitzer, 2008). An individual’s identity in the digital world could be controlled by what is termed the federated identity management system consisting of software components and protocols that manage the identify of individuals throughout their identity lifecycle (Bhargav-Spantzel, Camenisch, Gross, & Sommer, 2007). With the rise in threats to sensitive data from outsiders, encryption is seen as a necessary tool in ensuring corporate networks and individuals’ information is as secure as possible (Toubba, 2006). The ubiquity of the Internet makes it extremely difficult to trace and identify intruders of corporate networks and Internet-based businesses involved in ecommerce with the public domain. Primary security concerns are confidentiality, data integrity, data origin authenticity, agent authenticity, non- repudiation, and so on. Current cryptographic techniques, such as smart cards, PINs, password authentication, etc., have performed well in keeping data secure. However, the overall security of an encryption system depends upon its ability to keep cipher keys secret, while the typical human behavior is to write down passwords so they aren’t forgotten, which often makes security very vulnerable to compromise. The concept of biometric-based keys appears to be one possible solution to this dilemma (Hogue, Fairhurst, Howells, & Deravi, 2005). Security must be the primary design consideration from a mission-critical or safety-related product’s conception, through design and development, production, deployment, and the end of its lifecycle. Embedded systems that find themselves installed in devices that are an integral part of the manufacturing, health, transportation, and finance sectors, as well as the military, without having near-flawless strong cryptographic security built into them would be vulnerable to would-be
  9. 9. Cryptography and Network Security 9 hackers, organized crime, terrorists, or enemy governments (Webb, 2006; S., E, 2007). The concept of data hiding technologies whose aim is to solve modern network security, quality of services control, and secure communications, has been seen as a cost-effective alternative to other means of data security, which does not require protocol modifications, and is compatible with existing standards of multimedia compression and communications (Lovoshynovskiy, Deguillaume, Koval, & Pun, 2005). Security is an important aspect of any network, but in particular to wireless ad-hoc networks where mobile applications are deployed to perform specific tasks. Since these networks are wireless, the potential for hacking into them using mobile devices is greater as there is no clear line of defense for protecting them. The development of the Mobile Application Security System (MASS) utilizing a layered security approach and strong cryptographic techniques is seen as a viable low-cost solution to protecting these application-based wireless networks (Floyd, 2006). And, finally, a new concept in cryptographic security known as Quantum Encryption, which uses quantum fluctuations of laser light at the physical layer introduced into existing network transmission lines is seen as a means of enabling ultra-secure communications and near perfect security (Hughes, 2007). It is the intent of this review of the literature to look at what has been published regarding cryptography in recent years from the standpoint of network and data security and privacy, and to specifically address the role that cryptography plays in enabling this security.
  10. 10. Cryptography and Network Security 10 Scholarly Literature There is much skepticism surrounding cryptography. Fagin et al. (2008) indicates that there is progress being made in this area to remove the skepticism. The National Institute of Standards and Technology (NIST) has joined forces with the National Security Agency (NSA) to form the “Common Criteria” process known as the Common Criteria for Information Technology Security Evaluation 2005 whose aim it is to increase the confidence in cryptographic and information-related security products. Additionally, the Department of Defense (DoD) has enacted policy directives requiring Information Assurance (IA) professionals to receive information security training in addition to basic IA training for all of its DoD employees (Fagin et al.). Fagin et al. further notes that security today requires some level of skepticism and critical thinking. Bhargav-Spantzel et al. (2007) contends that there is a recent paradigm in identify management called user-centricity identity management. The study conducted by Bhargav- Spantzel et al. differentiated between two predominant notions: relationship-focused and credential-focused identity management. In the former approach, a user only maintains relationships with identity providers (IDPs) and thus every transaction providing identity information is conveyed to the appropriate IDP. In the latter approach, the user must obtain long-term credentials and store them in a local provider database. Bhargav-Spantzel et al. indicates that the most predominant identity management model on the Internet today is the silo model where users handle their own data and provide it to organizations separately. One solution to this dilemma offered by Bhargav-Spantzel et al. is the centralized federation model, such as Microsoft’s Passport, which removes the inconsistencies and redundancies of the silo model and provides the Web users a seamless experience. Bhargav-
  11. 11. Cryptography and Network Security 11 Spantzel et al. offers a taxonomy for unifying the relationship-focused and credential-focused identity management, and investigated the idea of a universal user-centric system, which incorporates the current approaches. The open research question offered by Bhargav-Spantzel et al. in their study is the search for a credential-based user-centric system that crosses the boundaries of user-centricity. The study also supports their approach in unifying the notions in user-centricity that could be useful in the field of user-centric federated identity management systems (FIMS). The study conducted by Bohli et al. (2007) examined popular proof models for group key establishment and the tools offered for analyzing group key establishment protocols in the presence of malicious participants. The framework introduced by Bohli et al. indicates that a protocol proposed by Katz & Yung (2003) offer guarantees of security against a single malicious participant, whereas a proposal offered by Kim, Lee & Lee (2004) fails to do so. Furthermore, Bohli et al. showed that established group key establishment schemes from CRYPTO 2003 and ASIACRYPT 2004 do not fully meet these requirements and proved a variant of the ASIACRYPT2004 group key establishment scheme based on the Computational Diffie-Hellman (CDH) assumption and the Random Oracle Model is secure in the strictest sense. In the area of wireless security, Tafaroji, & Falahati (2007) proposed a means of improving security of the code division multiple access (CDMA)—one of the most widely used wireless air link interfaces in 3G wireless communication—by applying an encryption algorithm over the spreading codes. In the Tafaroji et al. study the cross-correlation between outputs of encryption algorithm causing multi-user interference was studied thoroughly, since multi-user detection is the inherent characteristic of CDMA. A combination of encrypted and unencrypted M-sequence is used as the spreading code to mitigate system performance. Thus Tafaroji et al.
  12. 12. Cryptography and Network Security 12 proposed a new method named “hidden direct sequence” to enhance the security of CDMA systems through the application of the cryptographic algorithm in the channelization code. This secure spectrum-spreading method prevents eavesdroppers from hearing an intercepted message, and further prevents them from attempting to decipher the communication using the most powerful means. In a study conducted by Pistoia, Chandra, Fink, & Yahav (2007), three areas of security vulnerability in software systems were analyzed. These were: access-control, information flow, and application-programming interface conformance. Static analysis techniques were used to analyze two major areas of access-control: stack-based and role-based access control. Static analysis techniques were also used to address integrity violations and confidentiality violations, which comprise information flow. The study also discussed how static analysis could be used to verify the correct usage of security libraries and interfaces for component-based systems. In the area of chosen ciphertext attacks (CCA), Boneh, Canetti, Halevi, & Katz (2006) proposed a CCA-secure public-key encryption scheme based on identity-based encryption (IBE). These schemes provide for a new paradigm for achieving CCA-security, which avoids “proofs of well-formedness” that was the basis for previous constructions. Furthermore, by instantiating their constructions using known IBE constructions, Boneh et al. was able to obtain CCA-secure public-key encryption schemes whose performance was competitive with other CCA-secure schemes already in existence. Research conducted by Callas (2007) covered such topics as the social expectations of cryptography, the myth of non-repudiation, the paradox of stronger keys, cryptography and reliability, rights management, privacy enhancing technologies, new cryptographic ciphers, and legal changes regarding cryptography. The future of cryptography is dependent on the way that
  13. 13. Cryptography and Network Security 13 society uses it. This relies on current laws, customs, regulations, and what we as a society expect cryptography to do. Callas indicates that there are gaps in the research that are left to future researchers to address. Callas points out that the concept that digital signatures, used for signing documents and email, offer the property of non-repudiation—that the signer can’t say they didn’t sign the document—is a myth and they present examples to further explain it. The research goes on to explain that stronger cryptographic keys does not necessarily make the system more secure since stronger cryptography in a chaotic system might actually promote the chaotic state; thus the paradox of stronger keys. Callas differentiates between secure cryptography and reliability in safety systems by noting that security systems protect against intelligent attackers while reliability systems protect against unintelligent attackers. Ensuring the wrong people don’t have the cryptographic keys will ensure a secure cryptographic system while making certain the right people have the keys will ensure a reliable cryptographic system. Callas points out that the future of cryptography is dependent upon a strong key management system that will ensure the right people have the keys and the wrong people don’t gain access to the keys. Furthermore, Callas shows that there is another myth that there needs to be tradeoffs between security and privacy in the use of cryptography. They demonstrate that a cryptosystem can be private while being secure. New ciphers such as elliptic curve, bi-linear, and quantum cryptography are introduced in the study. And, finally, Callas points out that the way people think about data and communications privacy and security is a reflection of changes in the law that have come about by events like the terrorist attacks of September, 2001, and ubiquitous cryptography has played a major role in that shift. As a result, cryptography will play a critical role in protecting information now and in the future.
  14. 14. Cryptography and Network Security 14 Walters (2007) proposes a draft IS security curriculum that should be incorporated into the core body of knowledge of the business curriculum, and proposes that additional practical guidance to Accounting Information Security (AIS) educators who would like to incorporate IS security into their existing curriculum needs to be undertaken. Zanin, Di Pietro, & Mancini (2007) in their study present a new distributed signature protocol based on the RSA cryptographic algorithm, which is suitable for large-scale ad-hoc networks. This signature protocol is shown to be distributed, adaptive, and robust while remaining subject to tight security and architectural constraints. The study reveals that the robustness of this protocol scheme can be enhanced by involving only a fraction of the nodes on the network. Zanin et al. demonstrated that their protocol scheme is correct, because it allows a chosen number of nodes to produce a valid cryptographic signature; it is secure, because an attacker who compromises fewer than the given number of nodes is unable to disrupt the service or produce a bogus signature; and it is efficient, because of the low overhead in comparison to the number of features provided. Not only is security important in wired networks, but it is an important factor in any network, including wireless networks. Floyd (2006) devised a cryptographic solution to securing mobile ad-hoc networks that are especially vulnerable to malicious attacks since they possess no clear line of defense. This cryptographic system was dubbed, the Mobile Application Security System (MASS). This system was shown to prevent unauthorized modifications of mobile applications by other running applications and other hosts on the wireless network, by ensuring the mobile code was both authentic and authorized. Employing encryption based on cryptographic algorithms to secure consumer data is of paramount importance today, especially in the area of ecommerce on the Internet. Toubba
  15. 15. Cryptography and Network Security 15 (2006) stresses the importance of strong encryption key management and granular access control to Web-based applications. Toubba shows that corporations that store, transmit, and use consumer data must take steps to choose strong cryptographic solutions to protect this data, and to employ complementary network security procedures to maximize the overall effectiveness of the encryption product. Strong key management and granular access control are viewed as the complementary network security procedures. Furthermore, in another study conducted by Kodaganallur (2006), it was shown that the use of public key cryptography based on asymmetric key ciphers overcomes the shortcomings of using symmetric key ciphers in isolation by enabling confidentiality, message integrity, and authentication. Klappenecker (2004) further demonstrate the ability to break a cryptosystem and demonstrate that the authentication problem of their protocol that allowed them to break this seemingly “unbreakable data encryption” is fixable. Limitations in computer platform security in the use of cryptography are demonstrated in the study conducted by (Young, 2004). This study showed the experimental results of launching a crypto-viral payload on the Microsoft Windows platform, specifically on the Microsoft Cryptographic API. The study revealed that using eight types of API calls and 72 lines of C code, the payload was able to hybrid encrypt sensitive data and hold it hostage. The researchers in this study were able to develop a countermeasure to the crypto-viral attack, which forces the API caller to show that an authorized party can successfully recover the asymmetrically encrypted data. The importance of the use of strong cryptography in voice communication can’t be overstated. In a study conducted by Li., C, Li., S., Zhang, & Chen (2006), a new Voice-Over- Internet Protocol (VOIP) technique with a new hierarchical data security protection (HDSP) scheme was developed using a secret chaotic bit sequence. However, there are limitations in this
  16. 16. Cryptography and Network Security 16 scheme involving known chosen/plaintext attacks in which only one known chosen/plaintext attack was sufficient to break the secret key. Additionally, brute force attacks against HDSP indicate the security of HDSP to be weak in this regard. The researchers offer suggestions to strengthen HDSP, but cautioned against the use of HDSP in security-sensitive applications, especially if the secret key will be reused to encrypt more than one plaintext. One means of strengthening data encryption and authentication in cryptosystems on corporate networks is discussed in a study by Hogue et al. in which the feasibility of generating biometric key encryption is presented. Experimental analysis of this study revealed encouraging prospects for its use in modern cryptosystems. Recent developments have shown that network security, Quality of Service (QoS) and secure data communications over public networks (and the Internet) can benefit from theoretical data-hiding technologies. In their study, Lovoshynovskiy et al. demonstrated that cryptographic techniques for hiding data on heterogeneous public networks was a very cost-effective alternative to other network security measures, which do not require significant upfront investment, protocol modifications, and are totally compatible with existing multimedia compression and communication standards. These data hiding techniques include state-of-the- art watermarking, watermark-assisted multimedia processing, tamper proofing, and secure communications. Finally, in a study conducted by Schneier (2004), the researchers concluded that the argument that secrecy is good for security is a myth and worthy of rebuttal. They further demonstrated that secrecy is especially not good for security with respect for vulnerability and reliability information. They also show that security that relies totally on secrecy is extremely fragile, and once it is lost, there is no way to regain it. Schneier goes on to make a case that
  17. 17. Cryptography and Network Security 17 cryptography—since it is based on secret keys that are short, easy to transfer, and easy to change—must rely on one of its basic principles that the cryptographic algorithm be made public if it is to remain strong and offer good security. Using the public key system avoids the fallacy in the argument that secrecy works. Those who oppose secrecy ignore the security value of openness. The only reliable means to improve security is to embrace public scrutiny. Now that we have analyzed some of the research that has been conducted and reported in scholarly literature, let’s switch our focus and review some of the non-scholarly literature that has been published on this topic as well.
  18. 18. Cryptography and Network Security 18 Non-Scholarly Literature As pointed out in Companies Integrate (2008) many corporations are beginning to realize that using cryptography to encrypt the PC or perimeter device is not an all-inclusive, effective means of protecting their essential data. Taking measures to prevent data loss is also needed. Additionally with the myriad ways of sharing data on corporate networks and the Internet that exist today, it is time to employ strong cryptography as a means of securing the data and to protect individuals’ privacy (Harris, 2007). Embedded systems that are designed today depend entirely on the same technologies that corporate IT depends upon. These technologies involve Ethernet, TCP/IP, and operating systems. This fact suggests that embedded systems, such as mobile phones, refrigerators, smart light switches, automobiles to military weapons are now as vulnerable to the same security threats that have plagued corporate IT systems for many years (Robinson). The reliance on strong cryptography is necessary to protect these embedded systems from viral and other malicious attacks. Especially vulnerable are embedded systems that rely on wireless technology, such as Bluetooth, Blackberry, RFID, and the like. Robinson first develops the fundamental concepts surrounding cryptography, such as public key/private key encryption, Diffie-Hellman Key Exchange, block ciphers, Hash algorithms, DES, AES, the implications of IP Security (IPSEC) and Internet Key Exchange (IKE), elliptic curve cryptography, SSL/TLS used heavily in Web-based applications, Wi-Fi, and other embedded security concerns. Next, Robinson makes a case that developing strong encryption protocols in software for small devices may be too cost prohibitive, and these designers should consider including cryptographic hardware in the embedded designs.
  19. 19. Cryptography and Network Security 19 One of the biggest issues facing privacy and data security in the health industry today, as pointed out by Protect Those Portable (2008), is that while the Health Insurance Portability and Accountability Act (HIPAA) requires all medical providers in the U.S. to protect paper health records, Federal law does not require the same protection when these records are digitally exported to non-healthcare providers. This issue surfaces with recent partnerships such as the AT&T/Tennessee Plan, Microsoft’s Health Vault Plan, and a recent Google partnership with a Cleveland, OH health clinic that permit individuals to view their health record information online. A USA Today article cited in Protect Those Portable (2008) reports that both Microsoft and Google have assured individuals using their plans that strong cryptographic measures on the Web will ensure their data will remain secure and private. To echo recent studies conducted involving quantum cryptography, Hughes (2007); Baker (2005) report recent developments in a new cryptographic protocol called Keyed Communication in Quantum Noise (KCQ). Because KCQ uses encryption involving quantum noise of light at the physical layer of network transmission, many scientists theorize that this new protocol will offer greater security than heretofore secure communication systems that rely only on cryptographic encryption technology involving mathematical cryptography complexity. The instantiation of KCQ into existing communications at the physical layer is called the AlphEta protocol in the United States. The AlphaEta protocol injects thousands of photons for each logical data bit transmitted on existing networks at the physical layer. These radiation states of multiple photons emitted by lasers are the means of information transport in the network. These states of light—from a quantum physics standpoint—are fuzzy waves of light in that their amplitude, phases, and polarization states do not exist in clearly quantifiable packets. Rather, these observable characteristics are random variables, which possess means and
  20. 20. Cryptography and Network Security 20 variances about those means. This quantum random noise is irreducible and cannot be filtered away. This is based on a fundamental property of quantum mechanics. This fact makes the use of the AlphaEta protocol especially promising for securing data due to the quantum uncertainty principle in measuring fluctuations in quantum noise polarization and phase states. Coupling the use of the AlphaEta protocol with other stringent mathematically-complex cryptographic algorithms forms a near perfect security cryptosystem. Many IT professionals and information security professionals are beginning to realize the importance of remaining current in the area of network security through the development of information technology safeguards and corporate policies that keep companies’ information assets secure. Since there is a greater reliance on cryptography as the means of securing those assets more effectively, many of these professionals are turning to the non-profit organization known as the International Information Systems Security (ISC) Certification Consortium, which has certified more than 42,000 information security professionals in 110 countries (Pratt 2006). Many of these IS security professionals must now manage complex applications that involve advanced cryptosystems that help corporations comply with a growing list of federally- and state-mandated regulations that commission strict data security and privacy. Perspectives for (2006) reports that cryptography serves as the foundation of many IT security systems. One of the main challenges of computer science research is maintaining security on an ever-increasingly vulnerable IT network infrastructure, which includes communications, commerce, public administration, medical care, politics, and education that depend heavily on IT technology. The long-term security of these systems will also depend extensively on cryptography.
  21. 21. Cryptography and Network Security 21 And, finally, Webb reports the necessity of “hack-proof” design in embedded systems. These devices provide unattended operation for thousands of safety-related and mission-critical systems in the medical, manufacturing, health care, transportation, finance, and military sectors. Any one of these systems could be a potential target for hackers, organized crime, adversarial governments, and terrorists throughout the world. It is imperative that the designers of these embedded devices not only seek to protect the data that passes through them, but the intellectual property itself. The use of cryptography on either a software or hardware level, or both, is seen as the means of providing this protection.
  22. 22. Cryptography and Network Security 22 Conclusions A review of the scholarly and non-scholarly literature over the past decade would suggest that although cryptography has had its limitations on desktop PC platforms, it has played a key role in providing strong, reliable, and robust network data security. Furthermore, network security principles and practice depend on cryptography to function properly and reliably, and it appears that cryptography will continue to figure prominently into the strategic IT and business plans for the foreseeable future with regard to protecting critical financial, personal, medical, transportation, and ecommerce data via corporate networks and click-and-mortar Internet businesses on the World Wide Web while providing a respectable level of privacy. Scholarly research also indicates that there are gaps in the research, especially in the area involving credential-based user-centric identity systems that crosses the boundaries of user- centricity, and in another area involving the way that society uses cryptography due to the reliance on current laws, customs, regulations, and, in general, what we as a society expect cryptography to do. From its inception in the latter 1970s, modern-day cryptography has evolved from the basic Data Encryption Standard that was used to secure early digital data on desktop PCs and later networks and communications devices to the incorporation of a much stronger cryptography involving RSA encryption and IKE, which has been used extensively in the development of SSL/TLS and IPSec to provide a cost effective means to secure Web ecommerce applications, mobile devices, and provide security for worldwide global communications with both commercial and military application. The prevailing myth that secrecy is good for security has been proved wrong with the association that cryptosystems provide extremely strong security when these systems utilize an
  23. 23. Cryptography and Network Security 23 asymmetric key management system process where the public key is known to everyone and the secret key is known only to the one who possesses it; that is to say, security is achieved when cryptography relies on one of its most basic principles that the algorithms remain public. Modern-day applications such as Pretty Good Privacy (PGP) attest to the power cryptography that uses this asymmetric key system to encrypt and decipher data and electronic mail provides. Even though cryptography is based on mathematical complexity that is not fully understood by everyone and especially by its typical users, cryptosystems such as PGP provide an application software interface that allows for a very user-friendly experience, which removes the complexity while still affording the user the strong security that is required and that they demand. Although cryptography is of paramount importance in providing crucial data security through the use of digital signatures, state-of-the-art watermarking, data hiding, SSL/TLS, IPSec, etc., IT network administrators and corporate CEOs should not forget that other network security principles that don’t involve cryptography shouldn’t be pushed aside. Good network security principles and practice should, instead, be used in conjunction with cryptography to form a more secure complementary network security system. And, finally, since cryptography is here to stay, many IT and IT security professionals are becoming aware of the importance of keeping current through the development of information technology safeguards and corporate policies that keep companies’ information assets secure. As a result, they are turning to third-party non-profit organizations to assist in this regard.
  24. 24. Cryptography and Network Security 24 References Baker, M. (2005, January). Keeping a Secret. Technology Review, 108(1), 82-83. Retrieved August 2, 2008, from Academic Search Premier database. Bhargav-Spantzel, A., Camenisch, J., Gross, T., & Sommer, D. (2007, October). User centricity: A taxonomy and open issues. Journal of Computer Security, 15(5), 493-527. Retrieved August 2, 2008, from Academic Search Premier database. Bohli, J., González Vasco, M., & Steinwandt, R. (2007, July). Secure group key establishment revisited. International Journal of Information Security, 6(4), 243-254. Retrieved August 2, 2008, doi:10.1007/s10207-007-0018-x Boneh, D., Canetti, R., Halevi, S., & Katz, J. (2006, December). CHOSEN-CIPHERTEXT SECURITY FROM IDENTITY-BASED ENCRYPTION. SIAM Journal on Computing, 36(5), 1301-1328. Retrieved August 2, 2008, doi:10.1137/S009753970544713X Callas, J. (2007, January). The Future of Cryptography. Information Systems Security, 16(1), 15- 22. Retrieved August 2, 2008, doi:10.1080/10658980601051284 COMPANIES INTEGRATE ENCRYPTION/DATA LOSS PREVENTION. (2008, July). Computer Security Update, Retrieved August 2, 2008, from Academic Search Premier database. Fagin, B., Baird, L., Humphries, J., & Schweitzer, D. (2008, January). Skepticism and Cryptography. Knowledge, Technology & Policy, 20(4), 231-242. Retrieved August 2, 2008, doi:10.1007/s12130-007-9030-8 Floyd, D. (2006, Fall2006). Mobile application security system (MASS). Bell Labs Technical Journal, 11(3), 191-198. Retrieved August 2, 2008, doi:10.1002/bltj.20188
  25. 25. Cryptography and Network Security 25 Harris, D. (2007, April 27). Has Anyone Seen My Data?. Electronic Design, 55(9), 41-46. Retrieved August 2, 2008, from Academic Search Premier database. Hoque, S., Fairhurst, M., Howells, G., & Deravi, F. (2005, March 17). Feasibility of generating biometric encryption keys. Electronics Letters, 41(6), 1-2. Retrieved August 2, 2008, doi:10.1049/el:20057524 Hughes, D. (2007, May). Cyberspace Security via Quantum Encryption. Military Technology, 31(5), 84-87. Retrieved August 2, 2008, from Academic Search Premier database. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) Advances in Cryptology—CRYPTO’03, Lecture Notes in Computer Science, vol. 2729, pp. 110–125. Springer, Berlin (2003) Kim, H.J., Lee, S.M., Lee, D.H.: Constant-round authenticated group key exchange for dynamic groups. In: Lee, P.J. (ed.) Advances in Cryptology—ASIACRYPT’04, Lecture Notes in Computer Science, vol. 3329, pp. 245–259. Springer, Berlin (2004) Klappenecker, A. (2004, December). REMARK ON A NON-BREAKABLE DATA ENCRYPTION SCHEME BY KISH AND SETHURAMAN. Fluctuation & Noise Letters, 4(4), C25-C26. Retrieved August 2, 2008, from Academic Search Premier database. Kodaganallur, V. (2006, January). Secure E-Commerce: Understanding the Public Key Cryptography Jigsaw Puzzle. Information Systems Security, 14(6), 44-52. Retrieved August 2, 2008, from Academic Search Premier database. Levy, S. (2001). Crypto: How the code rebels beat the Government - Saving privacy in the digital age. New York: Viking Penguin Publishing.
  26. 26. Cryptography and Network Security 26 Li, C., Li, S., Zhang, D., & Chen, G. (2006, February). Cryptanalysis of a data security protection scheme for VoIP. IEE Proceedings -- Vision, Image & Signal Processing, 153(1), 1-10. Retrieved August 2, 2008, doi:10.1049/ip-vis:20045234 Lovoshynovskiy, S., Deguillaume, F., Koval, O., & Pun, T. (2005, January). INFORMATION- THEORETIC DATA-HIDING:: RECENT ACHIEVEMENTS AND OPEN PROBLEMS. International Journal of Image & Graphics, 5(1), 5-35. Retrieved August 2, 2008, from Academic Search Premier database. PERSPECTIVES FOR CRYPTOGRAPHIC LONG-TERM SECURITY. (2006, September). Communications of the ACM, Retrieved August 2, 2008, from Academic Search Premier database. Pistoia, M., Chandra, S., Fink, S., & Yahav, E. (2007, April). A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Systems Journal, 46(2), 265-288. Retrieved August 2, 2008, from Academic Search Premier database. Pratt, M. (2006, December 4). Moving Target. Computerworld, 40(49), 39-40. Retrieved August 2, 2008, from Academic Search Premier database. Prince, B. (2008, June 2). Playing the waiting game. eWeek, 25(17), 20-20. Retrieved August 2, 2008, from Academic Search Premier database. Protect Those Portable Devices. (2008, May). Information Management Journal, Retrieved August 2, 2008, from Academic Search Premier database. Robinson, S. (2008, June). Safe and secure: data encryption for embedded systems. (Cover story). EDN Europe, 53(6), 24-33. Retrieved August 2, 2008, from Academic Search Premier database.
  27. 27. Cryptography and Network Security 27 S., E. (2007, February). HACK-PROOF INTERNET. Popular Science, 270(2), 48-49. Retrieved August 2, 2008, from Academic Search Premier database. Schneier, B. (2004, October). The Nonsecurity of Secrecy. Communications of the ACM, 47(10), 120-120. Retrieved August 2, 2008, from Academic Search Premier database. Tafaroji, M., & Falahati, A. (2007, June). Improving code division multiple access security by applying encryption methods over the spreading codes. IET Communications, 1(3), 398- 404. Retrieved August 2, 2008, doi:10.1049/iet-com:20060295 Toubba, K. (2006, July). Employing Encryption to Secure Consumer Data. Information Systems Security, 15(3), 46-54. Retrieved August 2, 2008, from Academic Search Premier database. Walters, L. (2007, Spring2007). A Draft of an Information Systems Security and Control Course. Journal of Information Systems, 21(1), 123-148. Retrieved August 2, 2008, from Academic Search Premier database. Webb, W. (2006, July 20). HACK-PROOF DESIGN. (Cover story). EDN, 51(15), 46-54. Retrieved August 2, 2008, from Academic Search Premier database. Young, A. (2006, March). Cryptoviral extortion using Microsoft's Crypto API. International Journal of Information Security, 5(2), 67-76. Retrieved August 2, 2008, doi:10.1007/s10207-006-0082-7 Zanin, G., Di Pietro, R., & Mancini, L. (2007, February). Robust RSA distributed signatures for large-scale long-lived ad hoc networks. Journal of Computer Security, 15(1), 171-196. Retrieved August 2, 2008, from Academic Search Premier database.

×