Question for the class: What is one risk associated with a company allowing employees to use remote access VPN?
Confidentiality and Integrity Risks: In an organization, managing users and authenticating users is crucial. However, when a VPN is implemented, numerous problems arise. Businesses lack both the power and the means to control employee computers. To verify users, an organization might allocate network resources and put network solutions in place. Consider a worker who accesses a shared computer from their house. There are numerous attack vectors when an employee uses a shared computer, and there are few solutions for guaranteeing that only one person has access to company resources. In addition to creating problems with authorization and authentication, this might give attackers an advantage against companies.
I agree with your comment that the management of users and authenticating users is crucial, particularly with terminated team members. There needs to be a policy in place specifically for removing access from remote users who were terminated. The removal needs to be immediate upon notification or timely (i.e., within 24 hours).
Data-leakage which may fall under Integrity security objective.
Hi Jill,
VPNs provide minimal security with traffic encryption and simple user authentication. Since most remote workers connect via their home network there is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network.
Hi Jill,
VPNs use encryption to secure the connection between the employee’s device and the organization’s network; however, this encryption can be vulnerable to attacks because of the user’s behavior of using weak passwords or unsecured Wi-Fi networks. Attackers may be able to listen to the data transmitted over the VPN or gain access to the organization’s network by exploiting loopholes in the VPN configuration or software itself. So, security becomes one of the great risks for a company allowing employees to use a remote access VPN. To mitigate the risks, companies should implement strong security measures like enforcing use of MFA and regularly monitoring the logs for unusual activity.
Comment on the advantages of using AES-128 bit over 3DES.
Both use symmetric block ciphers, although AES is more technically efficient. The main advantage of AES is the variety of key lengths available. The length of the key used to secure the communication—128-bit, 192-bit, or 256-bit keys—is closely correlated with the amount of time needed to crack the encryption technique. As a result, AES is far more secure than DES’s 56-bit key. Because AES encryption is so much faster, it is perfect for software, firmware, and hardware that demands high throughput or low latency.
Hi Aayush,
Firstly, as Mary mentioned, AES-128 is a faster algorithm for encryption because it uses a shorter key length and a simpler encryption algorithm. This makes data encryption and decryption more efficient. In addition, AES-128 has been tested and proven to be secure, and most organizations are usually willing to choose it to encrypt sensitive data. It is also easier to find tools and resources for implementing and maintaining the AES-128 encryption standard.
AES is a superior encryption algorithm over 3DES in every way. It is faster and more secure. 3DES was a stop-gap mechanism that was put into place when it was discovered that DES was no longer sufficient to protect against attacks from faster-than-brute-force methods. The idea to run multiple iterations of DES with multiple keys was simple to implement, but even at the time it was known that it would be inefficient because it requires doing 3x the processing. Building the new standard that would become AES and fully testing it was a time-consuming and difficult process. Proving new crypto is very difficult. The issues with known weak curves in ECC show that this is still the case today. ECC is a strong and computationally light algorithm, but it can be crippled by a poor input curve, and testing input curves is not something the average user (or anyone without specialist-level math skills) can do.
What is the difference between a public key and a private key? Also, are systems 100% secured?
Hey Frank! Both keys of the public-private key pair are part of a mathematical function. However, knowing one would make it extremely difficult for a cryptanalyst to find the other one. So the only real difference is how the keys are used. A sender of a message can encrypt the message with their private key to ensure non-repudiation or use the receiver’s public key for encryption to ensure confidentiality.
Hi Frank,
Private keys can be used for both encryption and decryption, while public keys are used only for the purpose of encrypting the sensitive data. Private keys are shared between the sender and the receiver, whereas public keys can be freely circulated among multiple users.
Hi Frank,
I don’t think the system can be 100% secure. Because people write code, and people make mistakes. It is estimated that the industry average is about 15-20 errors per 1000 lines of code. This leads to bugs in the core of the system. The system also has software and applications built and designed by humans, none of which is guaranteed to be completely secure.
The private key is kept secret and not public to anyone apart from the sender and the receiver. The public key is free to use and the private key is kept secret only.
Both of the keys are used for encryption and decryption; however, public keys are only used for the purpose of encrypting sensitive data. Private keys are used between sender and receiver. Public keys can be used freely between multiple users. Systems are never 100% secured; however, there are ways to make sure that they can stay as secure as possible.
Why do asymmetric cryptographic algorithms need longer key lengths to provide similar encryption strength as symmetric cryptographic algorithms with shorter key lengths?
In asymmetric cryptography, two different keys are used for encryption and decryption, whereas symmetric cryptography uses only one key. Asymmetric is considered more secure; it needs longer key lengths to match the same level of security as symmetric. This is because asymmetric cryptography performs more complex mathematical functions and must defend against more advanced attacks. So, longer key lengths raise the defense against these attacks. The public key in an asymmetric algorithm is accessible to the public, making it more vulnerable to attacks, so longer key lengths are required to provide encryption strength equivalent to symmetric algorithms.
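An added example, not part of the original discussion: a symmetric key of N bits is attacked by exhaustive search over 2^N keys, while an RSA modulus can be attacked by factoring, which takes sub-exponential time. The Python sketch below compares the two using the general number field sieve (GNFS) heuristic with its o(1) term dropped, so the figures are rough estimates rather than published equivalences; the function names are illustrative.

```python
import math

# Constant in the heuristic GNFS running time, (64/9)^(1/3), about 1.923.
GNFS_CONSTANT = (64 / 9) ** (1 / 3)


def brute_force_bits(key_bits: int) -> int:
    """log2 of the expected work to search an N-bit symmetric key space.

    On average half of the 2^N keys are tried, so the work is 2^(N-1).
    """
    return key_bits - 1


def gnfs_bits(modulus_bits: int) -> float:
    """log2 of the estimated work to factor an RSA modulus of this size.

    Heuristic: exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), o(1) term dropped.
    """
    ln_n = modulus_bits * math.log(2)
    work_in_nats = GNFS_CONSTANT * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_in_nats / math.log(2)


def bits_gained_by_doubling(modulus_bits: int) -> float:
    """Extra bits of estimated work from doubling the RSA modulus size."""
    return gnfs_bits(2 * modulus_bits) - gnfs_bits(modulus_bits)


def modulus_bits_matching(symmetric_bits: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) whose estimated
    factoring work reaches 2^symmetric_bits."""
    bits = step
    while gnfs_bits(bits) < symmetric_bits:
        bits += step
    return bits


def comparison_table(sizes=(1024, 2048, 3072, 4096)):
    """(modulus size, estimated work in bits) for common RSA sizes."""
    return [(bits, round(gnfs_bits(bits), 1)) for bits in sizes]


if __name__ == "__main__":
    # One extra symmetric key bit doubles the search work.
    print("AES-128 search work: 2^%d" % brute_force_bits(128))
    print("AES-129 would be:    2^%d" % brute_force_bits(129))
    # Doubling an RSA modulus adds only a few dozen bits of work.
    for bits, work in comparison_table():
        print("RSA-%d estimated factoring work: 2^%.1f" % (bits, work))
    print("Gain from 1024 -> 2048: %.1f bits" % bits_gained_by_doubling(1024))
    print("Modulus needed for ~128 bits:", modulus_bits_matching(128))
```

Each extra bit of a symmetric key doubles the search work, whereas doubling an RSA modulus from 1024 to 2048 bits adds only about 30 bits of estimated work, which is why asymmetric keys run to thousands of bits.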
How important is regular security evaluation and update of cryptographic algorithms and protocols in maintaining the security of a system?
Regular security evaluation and update of cryptographic algorithms and protocols to maintain the security of a system is very important because algorithms can be learned, and once learned, the cryptographic algorithm could be compromised.
What is transmitted across the network: the plaintext or the ciphertext?
Ciphertext is transmitted across the network. Ciphertext is encrypted text. Plaintext is not encrypted and therefore, if transmitted across the network, could be easily compromised.
Hi Shepherd,
I agree with Jill. Plaintext is the original message and can be images, sounds, videos, or a combo. Ciphertext is what is sent to the receiver and is a random stream of bits; the ciphertext is transmitted across the network.
Hi Shepherd,
Prior to being sent across the network, the plaintext is encrypted to create ciphertext. The data that is actually sent across the network is the ciphertext, which is the plaintext encrypted. The receiver then employs a decryption technique and the matching decryption key to convert the ciphertext back into the original plaintext. To prevent unauthorized access and transmission manipulation, it is crucial to transmit the ciphertext rather than the plaintext of the data.
Ciphertext is transmitted across the network because it is encrypted. Plaintext is not encrypted so it would be extremely unsafe to send across the network. It would break all the elements of the CIA triad and data would be leaked.
What are the human issues that affect cryptography?
Hi Abayomi,
Keys are classified as symmetric keys and asymmetric keys, where asymmetric keys decrypt and encrypt data through the use of a public key and a private key. In my opinion, the possible human issue is the wrong choice to encrypt the data with the private key and send it, which will result in the receiver who has the private key corresponding to the public key being unable to open the file to get the data. Or, the private key is leaked due to improper storage, and the data is intercepted during transmission and decrypted by attackers.
How do you determine the bit length of system encryption keys?
You can determine the bit length of system encryption keys using the mathematical relationship:
If there is a key length of N bits, there are 2^N possible keys.
Hello Samuel,
I agree with Shadrack, and one thing to note is that the longer the key, the more secure data can be viewed with it.
A question I have for my fellow classmates surrounds quantum computing. We’ve all heard of it, and the possibilities that will unlock due to its implementation. How do you believe quantum computing will change the way we encrypt/decrypt data today?
Great question. I believe quantum computing will be speeding up the required calculations, but with sufficiently powerful hardware. At the same time, this sounds alarming to me because hacker groups might be the people to be able to fund such extremely expensive hardware.
Hey Aayush, great point about the hardware aspect. We saw previously a shortage in graphics cards due to Bitcoin miners. The miners were buying them all up, driving the prices of graphics cards sky high. I wonder if similar repercussions will occur when quantum computing goes mainstream.
I agree that quantum computing will likely have a significant impact on the way we encrypt and decrypt data. Currently, most data encryption relies on the difficulty of solving mathematical problems that are too complex for today’s computers. However, quantum computers are much better equipped to solve these problems, which means that current encryption methods may become vulnerable. To combat this, researchers are developing new encryption methods that take advantage of the unique properties of quantum computers, such as quantum key distribution, which is considered to be unbreakable. Basically, while quantum computing presents new challenges for data security, it also offers the potential for even more secure encryption methods.
Which cryptographic algorithms could be used for both cryptography and digital signatures? What are their key strengths and weaknesses?
Public key algorithms could be used for both cryptography and digital signatures.
Key strength
Digital signatures provide very strong security.
Weaknesses
a) Digital signatures consume extensive processing power.
b) It is very difficult and expensive to set up a public key infrastructure to distribute the private keys and digital certificates.
What are the three types of VPNs and what are the differences between them?
A virtual private network (VPN) uses a cryptographic system to secure communication over an untrusted network such as the Internet, or a wireless LAN.
The three (3) types of VPNs are:
a) Host-to-host VPN
b) Remote access VPN
c) Site-to-site VPN
Differences
A host-to-host VPN connects a single client over an untrusted network to a single server.
Site-to-site VPNs protect all traffic flowing over an untrusted network between a pair of sites.
A remote access VPN connects a single remote PC over an untrusted network to a site network.
Hi Shadrack,
The three main types of Virtual Private Networks (VPNs) are:
1. Remote Access VPNs
2. Site-to-Site VPNs
3. Intranet VPNs
The number of locations these VPNs connect to and the kinds of users they are designed to accommodate are the key distinctions between these VPN varieties. Site-to-Site VPNs link many distinct networks, while Intranet VPNs build a secure network within an organization’s current network infrastructure. Remote Access VPNs are made for those who need to access the company network from a remote location.
Which cryptography methodology do you think is best for maintaining the integrity of the data?
Hi Asha,
I think we can consider a portfolio using both symmetric and asymmetric encryption methods that may be helpful in maintaining data integrity. This combination can provide the security of asymmetric encryption while retaining the speed and efficiency of symmetric encryption. The combination of symmetric and asymmetric would ensure that the information data remains secure and confidential throughout the transmission process.
List the three (3) AES alternative key lengths released by NIST.
Hi Shadrack,
The three key lengths for AES are 128, 192, and 256, with AES 256 being the strongest of the three.
Hello Shadrack,
AES 256, 192, 128
What is the relationship between cryptography and cybersecurity?
Cryptography is a component of just one class of tools that are used for good cybersecurity. Encryption is a powerful tool to ensure confidentiality. Encrypted data is safe data so long as best practices are followed. It allows us to store and send information without as much concern if someone was to obtain it. Unencrypted data is known as soon as it is accessed; encrypted data has a strong layer of protection that is still in place if the data is removed from your network, storage, or other secure location.
Not as commonly thought of, but encryption is a powerful tool for integrity as well. Using asymmetrical encryption can prove that the sender/creator of data and the contents of the data are ensured with a public key signature. Because the signature only works if the public and private keys match, you can be assured that the matching key was used to sign. The signature also includes a hash of the data, so you can be assured that not even a single bit has changed or the hash would be invalid.
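An added example, not part of the original thread: a hash-then-sign signature in Python showing the two properties described above, that verification succeeds only with the matching public key and that flipping any single bit of the data invalidates the signature. It uses textbook RSA with small fixed primes and no padding purely to stay self-contained; the primes, sample message and function names are constructed for illustration, and production code would use a vetted library with a padded scheme.

```python
import hashlib

# Constructed toy parameters: known Mersenne primes. The resulting
# modulus is far too small for real use and serves only as a demo.
P = 2**127 - 1
Q = 2**107 - 1
E = 65537


def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi(n)
    return (n, e), (n, d)


def digest_as_int(message: bytes, n: int) -> int:
    """SHA-256 of the message, reduced to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private) -> int:
    """Sign the hash of the message with the private exponent."""
    n, d = private
    return pow(digest_as_int(message, n), d, n)


def verify(message: bytes, signature: int, public) -> bool:
    """Recover the signed hash with the public exponent and compare it
    with a fresh hash of the received message."""
    n, e = public
    return pow(signature, e, n) == digest_as_int(message, n)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def rejected_bit_flips(message: bytes, signature: int, public) -> int:
    """Count how many single-bit modifications fail verification."""
    return sum(
        not verify(flip_bit(message, i), signature, public)
        for i in range(len(message) * 8)
    )


if __name__ == "__main__":
    public, private = make_keypair()
    message = b"Transfer 100 to account 42"  # constructed sample data
    signature = sign(message, private)

    print("original verifies:", verify(message, signature, public))
    print("single-bit flips rejected:",
          rejected_bit_flips(message, signature, public),
          "of", len(message) * 8)

    # A public key from a different pair must not accept the signature.
    other_public, _ = make_keypair(q=2**89 - 1)
    print("wrong key verifies:", verify(message, signature, other_public))
```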
How do experts determine when an encryption algorithm is no longer secure? Is this determination a universal answer or is an algorithm that is not secure enough for a high security application still good enough for a low security application?