written by Dan Calloway
Published 7:45 pm EST; www.dancalloway.com

Early vs. Modern Cryptography:

Today’s cryptography is vastly more complex than its predecessor. Unlike the original use of cryptography in its classical roots where it was implemented to conceal both diplomatic and military secrets from the enemy, the cryptography of today, even though it still has far-reaching military implications, has expanded its domain, and has been designed to provide a cost-effective means of securing and thus protecting large amounts of electronic data that is stored and communicated across corporate networks worldwide. Cryptography offers the means for protecting this data all the while preserving the privacy of critical personal financial, medical, and ecommerce data that might end up in the hands of those who shouldn’t have access to it.

Many advances in modern cryptography have emerged since the 1970s, as strong encryption-based protocols and newly developed cryptographic applications began to appear on the scene. In January 1977, the National Bureau of Standards (NBS) adopted a data encryption standard called the Data Encryption Standard (DES), which was a milestone in launching cryptography research and development into the modern age of computing technology. Moreover, cryptography found its way into the commercial arena when, in December 1980, the same algorithm, DES, was adopted by the American National Standards Institute (ANSI). Following this milestone was yet another, when a new concept was proposed to develop Public Key Cryptography (PKC), which is still undergoing research and development today (Levy, 2001).

When we speak of modern cryptography, we are generally referring to cryptosystems because the cryptography of today involves the study and practice of hiding information through the use of keys, which are associated with Web-based applications, ATMs, Ecommerce, computer passwords, and the like.

Cryptography is considered not only a branch of mathematics, but also a branch of computer science. There are two forms of cryptosystems: symmetric and asymmetric. Symmetric cryptosystems involve the use of a single key, known as the secret key, to encrypt and decrypt data or messages. Asymmetric cryptosystems, on the other hand, use one key (the public key) to encrypt messages or data, and a second key (the secret key) to decipher or decrypt those messages or data. For this reason, asymmetric cryptosystems are also known as public key cryptosystems. The problem that symmetric cryptosystems have always faced is the lack of a secure means for sharing the secret key among the individuals who wish to secure their data or communications. Public key cryptosystems solve this problem through the use of cryptographic algorithms used to create the public key and the secret key, such as DES, which has already been mentioned, and a much stronger algorithm, RSA.

The RSA algorithm is the most popular form of public key cryptosystem; it was developed by Ron Rivest, Adi Shamir, and Leonard Adleman at the Massachusetts Institute of Technology in 1977 (Robinson, 2008). The RSA algorithm generates the public key by multiplying two very large (100 digits or more) randomly chosen prime numbers and then randomly choosing another very large number, called the encryption key. The public key then consists of both the encryption key and the product of those two primes. Ron Rivest then developed a simple formula by which someone who wanted to scramble a message could use that public key to do so. The plaintext is converted to ciphertext by an equation that includes that large product. Lastly, using an algorithm developed through the work of the great mathematician Euclid, Ron Rivest provided for a decryption key, one that could only be calculated by the use of the original two prime numbers. Using this decryption key would unravel the ciphertext and transform it back into its original plaintext. What makes the RSA algorithm strong is the mathematics that is involved. Ascertaining the original randomly chosen prime numbers and the large randomly chosen number (encryption key) that was used to form the product that encrypted the data in the first place is nearly impossible (Levy, 2001).
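The RSA steps described above (two random primes, their product, a randomly chosen encryption key, and a decryption key obtained with Euclid's algorithm), written out as an added example that is not code from the original post or from the RSA authors. It is textbook RSA with no padding, all function names are illustrative, and the 512-bit default modulus is chosen only so the demonstration runs quickly.

```python
# Added example (textbook RSA, no padding); all names here are illustrative.
import secrets

def is_probable_prime(n, rounds=20):  # Miller-Rabin probabilistic test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    def witness(a):  # True when a proves that n is composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, r))
    return not any(witness(secrets.randbelow(n - 3) + 2) for _ in range(rounds))

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(candidate):
            return candidate

def extended_euclid(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1, y0, y1 = x1, x0 - q * x1, y1, y0 - q * y1
    return a, x0, y0

def keypair_from_primes(p, q, e=None):
    # The decryption key d needs (p-1)(q-1), so it requires knowing p and q.
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        trial = e or secrets.randbelow(phi - 3) + 3  # random encryption key
        g, d, _ = extended_euclid(trial, phi)
        if g == 1:  # usable only if coprime to (p-1)(q-1)
            return (trial, n), (d % phi, n)
        if e:
            raise ValueError("e shares a factor with (p-1)(q-1)")

def generate_keypair(bits=512):
    p, q = random_prime(bits // 2), random_prime(bits // 2)
    while q == p:
        q = random_prime(bits // 2)
    return keypair_from_primes(p, q)

def encrypt(m, public_key):  # c = m^e mod n, for an integer m < n
    return pow(m, public_key[0], public_key[1])

def decrypt(c, private_key):  # m = c^d mod n
    return pow(c, private_key[0], private_key[1])
```

Deployed systems usually fix the encryption key to a small constant such as 65537 rather than choosing it at random, and they pad the message before exponentiation.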

A very popular public key cryptosystem is known as Pretty Good Privacy (PGP), developed by Phil Zimmermann beginning in early 1991 (Levy, 2001). The strength of the keys that are created to encrypt and decrypt data or communications is a function of the length of those keys. Typically, the longer the key, the stronger that key is. For example, a 56-bit key (consisting of 56 bits of data) would not be as strong as a 128-bit key. And, consequently, a 128-bit key would not be as strong as a 256- or 1024-bit key.

Next, let’s address the overall trends identified in the research that has been conducted in the field of cryptography and network security.

Overall Trends in the Research:

In reviewing the research that has already been published with regard to cryptography and network security since the 1970s, some noteworthy trends have emerged.

There is a prevailing myth that secrecy is good for security, and since cryptography is based on secrets, it may not be good for security in a practical sense (Schneier, 2004; Baker, 2005). The mathematics involved in good cryptography is very complex and often difficult to understand, but many software applications tend to hide the details from the user thus making cryptography a useful tool in providing network and data security (Robinson, 2008). Many companies are incorporating data encryption and data loss prevention plans, based on strong cryptographic techniques, into their network security strategic planning programs (Companies Integrate, 2006). Cryptographic long-term security is needed but is often difficult to achieve. Cryptography serves as the foundation for most IT security solutions, which include: (1) Digital signatures that are used to verify the authenticity of updates for computer operating systems, such as Windows XP; (2) Personal banking, ecommerce, and other Web-based applications that rely heavily on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for authentication and data security; and (3) The introduction of health cards that allow access to medical history, prescription history, and medical records in countries such as Germany, which contain the electronic health information of its citizens and which depend on digital signature and other encryption schemes for security and privacy of critical data (Perspectives for, 2006). There are product design criteria that designers can meet for implementing strong encryption protocols into software applications; however, strong public-key cryptography may prove too computationally expensive for small devices, and the alternative may be to incorporate cryptographic hardware into embedded designs (Robinson, 2008). 
Although cryptography and information security are multi-billion dollar industries, the economy of the world and the defense of almost every nation worldwide depend upon them and could not be carried out without them (Fagin, Baird, Humphries, & Schweitzer, 2008). An individual’s identity in the digital world could be controlled by what is termed the federated identity management system, consisting of software components and protocols that manage the identity of individuals throughout their identity lifecycle (Bhargav-Spantzel, Camenisch, Gross, & Sommer, 2007). With the rise in threats to sensitive data from outsiders, encryption is seen as a necessary tool in ensuring corporate networks and individuals’ information are as secure as possible (Toubba, 2006). The ubiquity of the Internet makes it extremely difficult to trace and identify intruders of corporate networks and Internet-based businesses involved in ecommerce with the public domain. Primary security concerns are confidentiality, data integrity, data origin authenticity, agent authenticity, non-repudiation, and so on. Current cryptographic techniques, such as smart cards, PINs, and password authentication, have performed well in keeping data secure. However, the overall security of an encryption system depends upon its ability to keep cipher keys secret, while the typical human behavior is to write down passwords so they aren’t forgotten, which often makes security very vulnerable to compromise. The concept of biometric-based keys appears to be one possible solution to this dilemma (Hoque, Fairhurst, Howells, & Deravi, 2005). Security must be the primary design consideration from a mission-critical or safety-related product’s conception, through design and development, production, deployment, and the end of its lifecycle. 
Embedded systems that find themselves installed in devices that are an integral part of the manufacturing, health, transportation, and finance sectors, as well as the military, without having near-flawless strong cryptographic security built into them, would be vulnerable to would-be hackers, organized crime, terrorists, or enemy governments (Webb, 2006; S., E, 2007). The concept of data hiding technologies, whose aim is to solve modern network security, quality of services control, and secure communications, has been seen as a cost-effective alternative to other means of data security, one which does not require protocol modifications and is compatible with existing standards of multimedia compression and communications (Lovoshynovskiy, Deguillaume, Koval, & Pun, 2005). Security is an important aspect of any network, but in particular of wireless ad-hoc networks where mobile applications are deployed to perform specific tasks. Since these networks are wireless, the potential for hacking into them using mobile devices is greater, as there is no clear line of defense for protecting them. The development of the Mobile Application Security System (MASS), utilizing a layered security approach and strong cryptographic techniques, is seen as a viable low-cost solution to protecting these application-based wireless networks (Floyd, 2006). And, finally, a new concept in cryptographic security known as Quantum Encryption, which uses quantum fluctuations of laser light at the physical layer introduced into existing network transmission lines, is seen as a means of enabling ultra-secure communications and near-perfect security (Hughes, 2007).

It is the intent of this review of the literature to look at what has been published regarding cryptography in recent years from the standpoint of network and data security and privacy, and to specifically address the role that cryptography plays in enabling this security (cont.’d).

References:

Baker, M. (2005, January). Keeping a Secret. Technology Review, 108(1), 82-83. Retrieved August 2, 2008, from Academic Search Premier database.

Bhargav-Spantzel, A., Camenisch, J., Gross, T., & Sommer, D. (2007, October). User centricity: A taxonomy and open issues. Journal of Computer Security, 15(5), 493-527. Retrieved August 2, 2008, from Academic Search Premier database.

Companies integrate encryption/data loss prevention. (2008, July). Computer Security Update. Retrieved August 2, 2008, from Academic Search Premier database.

Fagin, B., Baird, L., Humphries, J., & Schweitzer, D. (2008, January). Skepticism and Cryptography. Knowledge, Technology & Policy, 20(4), 231-242. Retrieved August 2, 2008, doi:10.1007/s12130-007-9030-8

Floyd, D. (2006, Fall). Mobile application security system (MASS). Bell Labs Technical Journal, 11(3), 191-198. Retrieved August 2, 2008, doi:10.1002/bltj.20188

Hoque, S., Fairhurst, M., Howells, G., & Deravi, F. (2005, March 17). Feasibility of generating biometric encryption keys. Electronics Letters, 41(6), 1-2. Retrieved August 2, 2008, doi:10.1049/el:20057524

Hughes, D. (2007, May). Cyberspace Security via Quantum Encryption. Military Technology, 31(5), 84-87. Retrieved August 2, 2008, from Academic Search Premier database.

Levy, S. (2001). Crypto: How the code rebels beat the Government – Saving privacy in the digital age. New York: Viking Penguin Publishing.

Lovoshynovskiy, S., Deguillaume, F., Koval, O., & Pun, T. (2005, January). Information-theoretic data-hiding: Recent achievements and open problems. International Journal of Image & Graphics, 5(1), 5-35. Retrieved August 2, 2008, from Academic Search Premier database.

Perspectives for cryptographic long-term security. (2006, September). Communications of the ACM. Retrieved August 2, 2008, from Academic Search Premier database.

Robinson, S. (2008, June). Safe and secure: data encryption for embedded systems. (Cover story). EDN Europe, 53(6), 24-33. Retrieved August 2, 2008, from Academic Search Premier database.

Schneier, B. (2004, October). The Nonsecurity of Secrecy. Communications of the ACM, 47(10), 120-120. Retrieved August 2, 2008, from Academic Search Premier database.

Toubba, K. (2006, July). Employing Encryption to Secure Consumer Data. Information Systems Security, 15(3), 46-54. Retrieved August 2, 2008, from Academic Search Premier database.

Webb, W. (2006, July 20). Hack-proof design. (Cover story). EDN, 51(15), 46-54. Retrieved August 2, 2008, from Academic Search Premier database.

7 Responses to “Introduction to Cryptography and its role in Network Security Principles and Practice”

  1. johnny says:

    Hello. Thank you for this great info! Keep up the good job!

  2. molamola says:

    Didn’t understand the last part :s could you explain better please?

  3. machoman says:

    thank you! I really liked this post!

  4. teinby says:

    thank you! I really liked this post!

  5. ocel says:

    interesting post, can it betwites with other methods here?

  6. [...] original post here: Introduction to Cryptography and its role in Network Security … Share and [...]

  7. You actually make it appear really easy along with your presentation however I in finding this topic to be really one thing that I believe I would by no means understand. It sort of feels too complicated and extremely huge for me. I’m having a look forward on your subsequent put up, I’ll attempt to get the grasp of it!
