One key point that I took from this chapter is “Human factor in Cryptography”. Human factor is one of the biggest challenges in cryptography because users are often the weakest link in a security chain. As the book mentioned, history have lots of examples of failure of security systems due to people who use it.
Encryption might be mathematically guaranteed, keys are long enough, and ciphers are well-tested, however, if the users don’t know how to share keys or implement the encryption properly, entire secure program may be void. Therefore, organizations should put organizational processes in place and enforce them to prevent compromise of technical strength of cryptography by users.
Hi Zeynep, You made a good point. Poor communication discipline can defeat the strongest cipher and longest keys. It is not all about the strenght of the cipher or the length of of the keys, but how informed the users are about IT security, and the policies and procedures in place to ensure that end users abide by basic rules, and are properly trained to act ethically as they access IT applications.
The unique aspect worth noting as explained by Kerkhoff’s law is that in order to have confidentiality, communication partners only need to keep the key secret, not the cipher. Keeping the keys secret is the recipe for encryption. I also learned that cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer while encryption is a cryptographic process that turns the plaintext into seemingly random stream of bits called the cipher text. The sender sends this ciphertext to the receiver which he turns into plaintext by using a key to the message is decrypted.
Pointing out the basic which is keeping the key secret is very important. If the cipher also need to be kept secret, the whole security system will be much harder to run than what we have now.
I agree with you, if the key is not kept secret then it defeats the purpose of securing data. Therefore, encryption is not half complete if decryption keys are not kept secret.
This chapter talks about the cryptographic concepts. One key point that I took from this chapter is the public key for encryption. There are two main different encrypt goals which are public key encryption for confidentiality and public key encryption for authentication. These two methods have different way to send the keys. The details are as follows;
To ensure confidentiality – The sender will encrypt with the receiver’s public key, while the receiver will decrypt by using the receiver’s private key.
To ensure authentication – The sender will encrypt with the sender’s private key, while the receiver will decrypt with the true party’s public key.
It is important to understand these two public encryption because it uses different way with different purposes. Using in the wrong way might impact the data confidentiality or data integrity.
I agree that Public key cryptography serves dual purpose of authentication as well as that of confidentiality of the data. However, due to the large overhead involved, its not feasible to use PKI for encrypting large data sets. This is where symmetric key cryptography is used. However, before this step, PKI is used in the initial step of authentication as well as for the secure transmission of session keys.
Hi,Numneung
You finally mentioned the importance of using cryptography correctly.This is true, and the enhanced encryption ensures the technical transmission of information.However, the use of the wrong way will lead to the direct loss of decryption.Even strong encryption cannot prevent attacks after the decryption method is compromised.
This chapter delineated on some of the core cryptography concepts used in today’s technologies for secure transmission over internet. I would like to bring attention to the widespread use of SSL/TLS VPN even though its limitations are very well documented. SSL/TLS does not provide transparent protection to application layer traffic and can only encrypt traffic of applications which are SSL/TLS aware. Secondly, for remote users using public computers (Internet Cafes) where they don’t have administrative privileges, SSL/TLS leaves behind the user’s session information on the client PC’s hard drive which is a major security risk. Using SSL/TLS for remote access VPN requires due diligence during implementation which is often clumsy. Still it is noted that this technology is widely used is because of the low cost of implementation. Every PC has a browser installed in it, which act as SSL/TLS client and hence there is no setup cost. Hence, even though this technology comes with significant flaws. Its use is rapidly increasing because of no additional cost of setting up software clients.
One key takeaway from this chapter is that encryption for confidentiality was the original purpose of cryptography, and encryption and decryption requires two things – a cipher (a specific mathematical process in encryption & decryption) and a key ( a random string 40 to 4000 bits).
It’s also important to note that in symmetric key encryption for confidentiality, the sender and receiver use the same key in both directions; in public key encryption, each party has both a public key and a private key, and in public key encryption for confidentiality, the sender encrypts with the public key of the receiver and the receiver decrypts with its own private key. To achieve strong security, keys should be long to frustrate or foil exhaustive search.
Innocent,
Great points, cryptography is one of the oldest forms of information security to ensure confidentiality. However I think an important thing about key length to remember is they should be long enough to keep they information confidential but also not too long as to slow down decryption and bog the system.
I think a key takeaway from this chapter is the understanding of the cryptographic processes and how each is used for confidentiality and authentication. Symmetric key encryption provides confidentiality because the sender and receiver are encrypting and decrypting with the shared key. However this does not ensure authentication. Public key encryption provides confidentiality because the sender is encrypting with the receivers public key and the receiver is decrypting with their private key. It also provide authentication because the sender can encrypt with their own private key and then the receiver decrypts with the senders public key which verifies it was from the sender. Hashing is also used for authentication within the cryptographic process.
After reading through the third chapter of “Corporate Computer Security”, which focuses on identifying and explaining cryptography concepts and their applications in securing information systems, I became excited about the prospect of quantum computing. The section on quantum security discusses how the distribution of quantum keys is already functionally available and being harnessed for encrypting sensitive information transmitted across computers. However, most organizations choose instead to use more traditional keying encryption methods, as quantum computers and quantum key cracking are still in the development stage. Once quantum computers and quantum key cracking become more capable, then traditional cryptography methods will become invalidated.
It’s interesting to think about where quantum computers will be in the next 10-20 years or so. While this technology will certainly be a major asset for a variety of industries, having the proper security and privacy controls will be an even bigger challenge.
I love where your mind is at Imran. Already looking ahead to the future of cyber security and cryptography. As a relative novice in the cyber security game I always looked at complex subjects, like ‘quantum computing’, as too difficult or far out. When in reality, it is passion like yours that shows where a new and exciting opportunity is in CS. Much like sarah said, in the not so distant future, these emerging technologies will have a place in Information Security.
In this reading, I like the emphasis of the human factor in regards to cryptography. It’s very important that organization well-train their employees to properly use their systems to reduce the risk of error in allowing a mistake that may harm the company.
It’s for this reason why security awareness is so important because human users can be the main cause of letting an outside user gain access. A lack of understanding of how to handle the keys in between messages can lead to unfavorable results.
Hello,
I would like to thank you for sharing your thoughts on the third chapter of the “Corporate Computer Security”, as it did bring to light something that I and many others probably don’t pay too much attention to. The human element when it comes to cyber security can be quite detrimental due to the possibility of errors and conflicting morals and objectives. However, this human element can also provide significant benefits to the organization, if appropriate training and measures are taken to align employees with the organization’s objectives.
Chapter 3 explains the different components of cryptography and how it functions within information systems. Something that stood out to me in this chapter is the reference of costs of implementation for the various security standards (such as hashing, encryption, SSL/TLS, and IPsec), along with the mention of how companies must also have policies/procedures in place that protect the control itself. As we have learned in other classes, it’s always important to note that while a business can have the fastest/most expensive/newest technology, there should always be written processes in place that describe how exactly these systems should be used.
Hello Sarah, Thanks for fleshing out the various ways to enable security during process of message transmission. One important security standard you mentioned is hashing. It is necessary for us to note that when hashing is applied to a binary message, the hash becomes shorter than the original message, whereas, encryption produces ciphertext which can be as long as the plaintext. Also, encryption can be reversed by decryption, but hashing is irreversible and is repeatable.
Diffie–Hellman keys exchange agreement between 2 parties is an important process to understand, as a majority of devices (Cisco, Juniper) are using the same procedures at the beginning for exchange keys and encrypting communications. (VPN, IPsec).
Quantum computers are predicted in couple of years a treat to the public key cryptography codes that are currently used to encrypt transactions on the internet and network communication. I read that NIST is working on Post-Quantum Cryptography project.
The Boyle and Panko Chapter 3 on Cryptography outlines the process, policies, and science around encrypting a message, data, or an information system. The factor that always stands out to me is the underrated role than security personnel play in the protection of information and their assets. The CISO, managers, and IT auditors play an important roll in determining the best method and processes to create the optimal environment for their systems and working professionals. The basic action of creating encryption keys and ensuring the correct public and private key falls back to these individuals — in a profession focused on machinery.
Cryptography is the combination of mathematical operations and programming code.In the information age, cryptography provides a guarantee for the security of information transmission.Encryption works by converting the plaintext into what appears to be a random stream of bits called ciphertext. Even if it is intercepted by hackers, it cannot be cracked without proper decryption methods. Cryptography is a powerful tool, but it must be used in the right way to prevent leaks.Poor communication discipline in general can defeat the strongest cipher and longest key.
One point I want to talk about is the usage of VPNs. Human are really good at coming up solutions. A virtual private network is created by using a cryptographic system to secure communication over an untrusted network. With a proper set VPN, either Site-to-Site or Host-to-Host depending on requirement and need, we are able to remotely access cryptographic systems without worrying about security too much.
The other point I want to talk about is the key using in encryptions, which can lead to several question in CISA exam, showing the importance.
One key point that I took from this chapter is “Human factor in Cryptography”. Human factor is one of the biggest challenges in cryptography because users are often the weakest link in a security chain. As the book mentioned, history have lots of examples of failure of security systems due to people who use it.
Encryption might be mathematically guaranteed, keys are long enough, and ciphers are well-tested, however, if the users don’t know how to share keys or implement the encryption properly, entire secure program may be void. Therefore, organizations should put organizational processes in place and enforce them to prevent compromise of technical strength of cryptography by users.
Hi Zeynep, You made a good point. Poor communication discipline can defeat the strongest cipher and longest keys. It is not all about the strenght of the cipher or the length of of the keys, but how informed the users are about IT security, and the policies and procedures in place to ensure that end users abide by basic rules, and are properly trained to act ethically as they access IT applications.
The unique aspect worth noting as explained by Kerkhoff’s law is that in order to have confidentiality, communication partners only need to keep the key secret, not the cipher. Keeping the keys secret is the recipe for encryption. I also learned that cryptography is the use of mathematical operations to protect messages traveling between parties or stored on a computer while encryption is a cryptographic process that turns the plaintext into seemingly random stream of bits called the cipher text. The sender sends this ciphertext to the receiver which he turns into plaintext by using a key to the message is decrypted.
Hi Jacob,
Pointing out the basic which is keeping the key secret is very important. If the cipher also need to be kept secret, the whole security system will be much harder to run than what we have now.
Hi Peiran,
I agree with you, if the key is not kept secret then it defeats the purpose of securing data. Therefore, encryption is not half complete if decryption keys are not kept secret.
This chapter talks about the cryptographic concepts. One key point that I took from this chapter is the public key for encryption. There are two main different encrypt goals which are public key encryption for confidentiality and public key encryption for authentication. These two methods have different way to send the keys. The details are as follows;
To ensure confidentiality – The sender will encrypt with the receiver’s public key, while the receiver will decrypt by using the receiver’s private key.
To ensure authentication – The sender will encrypt with the sender’s private key, while the receiver will decrypt with the true party’s public key.
It is important to understand these two public encryption because it uses different way with different purposes. Using in the wrong way might impact the data confidentiality or data integrity.
Hello Num,
I agree that Public key cryptography serves dual purpose of authentication as well as that of confidentiality of the data. However, due to the large overhead involved, its not feasible to use PKI for encrypting large data sets. This is where symmetric key cryptography is used. However, before this step, PKI is used in the initial step of authentication as well as for the secure transmission of session keys.
Hi,Numneung
You finally mentioned the importance of using cryptography correctly.This is true, and the enhanced encryption ensures the technical transmission of information.However, the use of the wrong way will lead to the direct loss of decryption.Even strong encryption cannot prevent attacks after the decryption method is compromised.
This chapter delineated on some of the core cryptography concepts used in today’s technologies for secure transmission over internet. I would like to bring attention to the widespread use of SSL/TLS VPN even though its limitations are very well documented. SSL/TLS does not provide transparent protection to application layer traffic and can only encrypt traffic of applications which are SSL/TLS aware. Secondly, for remote users using public computers (Internet Cafes) where they don’t have administrative privileges, SSL/TLS leaves behind the user’s session information on the client PC’s hard drive which is a major security risk. Using SSL/TLS for remote access VPN requires due diligence during implementation which is often clumsy. Still it is noted that this technology is widely used is because of the low cost of implementation. Every PC has a browser installed in it, which act as SSL/TLS client and hence there is no setup cost. Hence, even though this technology comes with significant flaws. Its use is rapidly increasing because of no additional cost of setting up software clients.
One key takeaway from this chapter is that encryption for confidentiality was the original purpose of cryptography, and encryption and decryption requires two things – a cipher (a specific mathematical process in encryption & decryption) and a key ( a random string 40 to 4000 bits).
It’s also important to note that in symmetric key encryption for confidentiality, the sender and receiver use the same key in both directions; in public key encryption, each party has both a public key and a private key, and in public key encryption for confidentiality, the sender encrypts with the public key of the receiver and the receiver decrypts with its own private key. To achieve strong security, keys should be long to frustrate or foil exhaustive search.
Innocent,
Great points, cryptography is one of the oldest forms of information security to ensure confidentiality. However I think an important thing about key length to remember is they should be long enough to keep they information confidential but also not too long as to slow down decryption and bog the system.
I think a key takeaway from this chapter is the understanding of the cryptographic processes and how each is used for confidentiality and authentication. Symmetric key encryption provides confidentiality because the sender and receiver are encrypting and decrypting with the shared key. However this does not ensure authentication. Public key encryption provides confidentiality because the sender is encrypting with the receivers public key and the receiver is decrypting with their private key. It also provide authentication because the sender can encrypt with their own private key and then the receiver decrypts with the senders public key which verifies it was from the sender. Hashing is also used for authentication within the cryptographic process.
Hi Chris,
I love the key takeaway you mentioned. It’s important to have a general understanding of the process of cryptography and what its used for.
Best,
Natalie Dorely
After reading through the third chapter of “Corporate Computer Security”, which focuses on identifying and explaining cryptography concepts and their applications in securing information systems, I became excited about the prospect of quantum computing. The section on quantum security discusses how the distribution of quantum keys is already functionally available and being harnessed for encrypting sensitive information transmitted across computers. However, most organizations choose instead to use more traditional keying encryption methods, as quantum computers and quantum key cracking are still in the development stage. Once quantum computers and quantum key cracking become more capable, then traditional cryptography methods will become invalidated.
It’s interesting to think about where quantum computers will be in the next 10-20 years or so. While this technology will certainly be a major asset for a variety of industries, having the proper security and privacy controls will be an even bigger challenge.
I love where your mind is at Imran. Already looking ahead to the future of cyber security and cryptography. As a relative novice in the cyber security game I always looked at complex subjects, like ‘quantum computing’, as too difficult or far out. When in reality, it is passion like yours that shows where a new and exciting opportunity is in CS. Much like sarah said, in the not so distant future, these emerging technologies will have a place in Information Security.
In this reading, I like the emphasis of the human factor in regards to cryptography. It’s very important that organization well-train their employees to properly use their systems to reduce the risk of error in allowing a mistake that may harm the company.
It’s for this reason why security awareness is so important because human users can be the main cause of letting an outside user gain access. A lack of understanding of how to handle the keys in between messages can lead to unfavorable results.
Hello,
I would like to thank you for sharing your thoughts on the third chapter of the “Corporate Computer Security”, as it did bring to light something that I and many others probably don’t pay too much attention to. The human element when it comes to cyber security can be quite detrimental due to the possibility of errors and conflicting morals and objectives. However, this human element can also provide significant benefits to the organization, if appropriate training and measures are taken to align employees with the organization’s objectives.
Chapter 3 explains the different components of cryptography and how it functions within information systems. Something that stood out to me in this chapter is the reference of costs of implementation for the various security standards (such as hashing, encryption, SSL/TLS, and IPsec), along with the mention of how companies must also have policies/procedures in place that protect the control itself. As we have learned in other classes, it’s always important to note that while a business can have the fastest/most expensive/newest technology, there should always be written processes in place that describe how exactly these systems should be used.
Hello Sarah, Thanks for fleshing out the various ways to enable security during process of message transmission. One important security standard you mentioned is hashing. It is necessary for us to note that when hashing is applied to a binary message, the hash becomes shorter than the original message, whereas, encryption produces ciphertext which can be as long as the plaintext. Also, encryption can be reversed by decryption, but hashing is irreversible and is repeatable.
Diffie–Hellman keys exchange agreement between 2 parties is an important process to understand, as a majority of devices (Cisco, Juniper) are using the same procedures at the beginning for exchange keys and encrypting communications. (VPN, IPsec).
Quantum computers are predicted in couple of years a treat to the public key cryptography codes that are currently used to encrypt transactions on the internet and network communication. I read that NIST is working on Post-Quantum Cryptography project.
The Boyle and Panko Chapter 3 on Cryptography outlines the process, policies, and science around encrypting a message, data, or an information system. The factor that always stands out to me is the underrated role than security personnel play in the protection of information and their assets. The CISO, managers, and IT auditors play an important roll in determining the best method and processes to create the optimal environment for their systems and working professionals. The basic action of creating encryption keys and ensuring the correct public and private key falls back to these individuals — in a profession focused on machinery.
Cryptography is the combination of mathematical operations and programming code.In the information age, cryptography provides a guarantee for the security of information transmission.Encryption works by converting the plaintext into what appears to be a random stream of bits called ciphertext. Even if it is intercepted by hackers, it cannot be cracked without proper decryption methods. Cryptography is a powerful tool, but it must be used in the right way to prevent leaks.Poor communication discipline in general can defeat the strongest cipher and longest key.
One point I want to talk about is the usage of VPNs. Human are really good at coming up solutions. A virtual private network is created by using a cryptographic system to secure communication over an untrusted network. With a proper set VPN, either Site-to-Site or Host-to-Host depending on requirement and need, we are able to remotely access cryptographic systems without worrying about security too much.
The other point I want to talk about is the key using in encryptions, which can lead to several question in CISA exam, showing the importance.