Contributors - CyberSecurity Malaysia

More documents

Recommendations

Info

28.Application Of CryptographyIntroductionCryptography is a study of the ways to hide informationor encrypt data from plaintext into unintelligible text(ciphertext). Cryptography has become an integral partof nearly everyone’s daily life and has been applied inmany areas to enhance the secrecy in different levels ofdatabase systems or important communication. Nowadays,cryptography systems are often embedded into computerapplications such as in digital cash, digital managementfor intellectual property protection, and e-commerce.In this article, we will discuss three applications ofcryptography, which are Public Key Infrastructure (PKI), theInternet, and Radio Frequency Identification (RFID).Public Key Infrastructure (PKI)Millions of people are PKI users without ever realising it.One PKI application that is widely known is Pretty GoodPrivacy (PGP). PGP is a computer program that providescryptographic privacy and authentication. Developedby Philip R. Zimmermann in 1991, PGP has become a defacto standard for e-mail security. PGP is a program thatuses encryption to protect the privacy of your electronicmail and the files that you store on your computer. Whenencrypted, the message looks like a meaningless jumbleof random characters that are unreadable by other usersor intruders.PGP is often used for signing, encrypting and decryptinge-mails to increase the security of e-mail communication.PGP uses a variation of the public key system. In thissystem, each user has a publicly known encryption keyand a private key known only to that user. You encrypta message you send to someone else using their publickey. When they receive it, they decrypt it using theirprivate key. Since encrypting an entire message can betime-consuming, PGP uses a faster encryption algorithmto encrypt the message and then uses the public key toencrypt the shorter key that was used to encrypt the entiremessage. Both the encrypted message and the short keyare sent to the receiver who first uses the receiver's privatekey to decrypt the short key and then uses that key todecrypt the message.Figure 1: How PGP decryption worksAs shown in Figure 1, PGP encryption uses a serialcombination of hashing, data compression, symmetrickeycryptography, and public-key cryptography with eachstep using one of several supported algorithms. Eachpublic key is bound to a user name and/or e-mail address.The first version of this system was generally known asa web of trust to contrast with the X.509 system, whichuses a hierarchical approach based on certificate authorityand was added to PGP implementations later. Currentversions of PGP encryption include both options throughan automated key management server.You can also use PGP as a tamper proof digital signaturesystem, allowing you to prove that files or electronic mailmessages have not been modified. Digital signature canalso be used in a message without encrypting it. This isnormally used in public postings where you do not wantto hide what you are saying, instead, allowing others toverify that the message actually came from you. Once adigital signature is created, it is impossible for anyone tomodify either the message or the signature without themodification being detected by users.The sender uses PGP to create a digital signature for themessage with either the RSA or DSA signature algorithms.To do so, PGP computes a hash (also called a messagedigest) from the plaintext, and then creates the digitalsignature from that hash using the sender's private keys.The receiver uses the sender's public key to decrypt thehash code. If it matches the hash code sent as the digitalsignature for the message, then the receiver is sure thatthe message has arrived securely from the stated sender.Available both as freeware and in a low-cost commercialversion, PGP is a widely used privacy-ensuring programthat is used by individuals and also corporations.
29.InternetRadio Frequency Identification (RFID)Hypertext Transfer Protocol Secure (HTTPS) is acombination of the Hypertext Transfer Protocol withthe SSL/TLS protocol to provide encryption and secureidentification of a web server. HTTPS connections are oftenused for payment transactions on the World Wide Web andfor sensitive transactions in corporate information systems.Web browsers typically use HTTP to communicate withweb servers, sending and receiving information withoutencrypting it. For sensitive transactions such as Internete-commerce or online access to financial accounts, thebrowser and server must encrypt this information.The main idea of HTTPS as shown in Figure 2 is to createa secure channel over an unsecured network. This ensuresreasonable protection from eavesdroppers and man-in-themiddleattacks, provided that adequate cipher suites areused and that the server certificate is verified and trusted.The administrator needs to create a public key certificatethat is signed by a trusted certificate authority for a webserver to accept the HTTPS connection. Web browsers aregenerally distributed with the signing certificates of majorcertificate authorities so that they can verify certificatessigned by them.Figure 3: RFID tagRadio Frequency Identification (RFID) is an emergingtechnology that brings enormous productivity benefitsin applications where objects have to be identifiedautomatically. RFID systems are used for automaticretrieval of data on goods, persons, animals and objects.The object is equipped with a small circuit, called an RFIDtag (Figure 3), and the information stored on the mediumcan be automatically retrieved by a reader device. This itemcan be used in industrial applications for tracking of goodsor in access systems.Figure 4: Some applications for an RFID system.Figure 2: HTTPS ConnectionTransport Layer Security (TLS) is a cryptographic protocolthat provides security for data integrity and confidentialitycommunications over open networks such as the Internet.TLS provides a protection which ensures that the datais both consistent and correct, in both client and serverapplications. Several versions of the protocol are widelyused in applications such as instant messaging, webbrowsing and E-mail. TLS is a standards track protocol,which means there are definite specifications of themethodology or technology applicable to the Internet.Transport Layer Security consists of two layers, the TLSRecord Protocol and the TLS Handshake Protocol. TheTLS Record Protocol provides connection security withencryption methods such as the Data Encryption Standard(DES). The TLS Record Protocol can also be used withoutencryption. The TLS Handshake Protocol generates secretkeys unique to each connection and allows the serverand client to authenticate each other and negotiate anencryption algorithm and cryptographic keys before datais exchanged.RFID systems do not require line-of-sight and work contacts.Data and energy are transmitted via radio frequency. EachRFID system consists of a tag, which is attached to theobject it identifies, and a reader, which is able to retrievedata from the tag. The reader may also be able to write oradd data to the tag’s memory. Additionally, to implementan application (Figure 4) on data received from the tags,a host is used. Host commands are converted into readerrequests and broadcasted via radio frequency. If a tag isinside the reader’s field, it sends a response. Tag responsescan be processed by the host corresponding to the currentapplication.It looks like RFID will be very popular technology in thenear future, leading people to think about its security andprivacy issues. Enhanced security always comes with extracosts. Although the industry claims low-cost tags, sooneror later the security issue has to be confronted in order tomake RFID an everyday technology. The implementation ofan authentication method for RFID systems using strongcryptography is very useful. The Advanced EncryptionStandard (AES) is used as a cryptographic primitive,because it is standardized and considered to be secure.e-Security | <strong>CyberSecurity</strong> <strong>Malaysia</strong> | Volume 21 - (Q4/2009)
Page 1: Volume 21 - (Q4/2009)“Companies s
Page 4 and 5: 4.MyCERT 4th Quarter 2009 SummaryRe
Page 6 and 7: 6.USB PortA culprit to ICT Security
Page 8 and 9: 8.Specific device setup classes can
Page 10 and 11: 10.ConclusionReferencesUSB removabl
Page 12 and 13: 12.Figure 9: Interpreting “Active
Page 14 and 15: 14.7. A list of time zone propertie
Page 16 and 17: 16.allowing you to specify which da
Page 18: 18.Guide to Motion Compensation (Ph
Page 21 and 22: Graph 1 shows all the satisfied poi
Page 23 and 24: CyberdatingHow to Have Funbut Stay
Page 25 and 26: find them. If anything goes wrong,
Page 27: 27.What could be the threats to ena
Page 31 and 32: Common Criteria andNational Cyber S
Page 33 and 34: 33.Case Study: US Government Direct
Page 35 and 36: has caused a US$2.25 million fine t
Page 37 and 38: 37.lewat sampai pada penerima ataup
Page 39 and 40: For instance TM, Malaysia’s large

Contributors - CyberSecurity Malaysia

Create successful ePaper yourself

Delete template?

Save as template?