Kofi,
Throughout the COVID-19 pandemic, everyone can relate to this. I personally can relate to this, as needed when working from home. A VPN is extremely important and is used as a guard against attackers on a public network.
An interesting point in this reading was SSL/TLS. SSL means that when a purchase is made online, an extra layer of security is protecting your information. TLS is Transport Layer Security, which works as a transport layer.
However, I thought it was interesting to convert SSL/TLS from a host-to-host VPN to a remote access VPN, where companies post an SSL/TLS gateway at the border of each site, and the remote client’s browser establishes a single SSL/TLS connection with the gateway rather than with individual hosts within the site (Page 148). Compared to the IPSec VPN, SSL provides clients a simple way to connect to information remotely.
As the reading mentions, the SSL/TLS gateway allows the client’s PC to connect to multiple internal web servers, or the gateway could connect the client’s PC to an entire subnet of the site’s network.
Great points. In my KT sessions for my work, many customers ask why we should enable SSL/TLS when they have an IPSec VPN, and we usually tell them IPSec works by connecting to the host/network, whereas SSL/TLS connects directly to the application, which makes it a little easier.
One key point that I took away from this week’s textbook reading is that public key encryption is commonly used to establish an authenticated connection, and then symmetric keys are used for the duration of the session to encrypt/decrypt data containing session information.
One use of this methodology is SSL/TLS certificates, which are commonly used to establish HTTPS. Although these two are often used interchangeably, TLS is actually the successor to and improved version of SSL, but SSL is still widely used. These certificates are used to authenticate the identity of websites; once that occurs, “HTTPS” is established and will be shown by a “locked” lock symbol, or show up at the beginning of the URL. All government websites are required to use HTTPS connections, and almost all websites should anyways (even if they are not required to by law). Sites that do not use HTTPS, especially those that process payments and PII, will lose customers/visitors because any information given to the site is not secure.
I totally agree with your assessment, but the weakness of Public Key Encryption is that it is vulnerable to brute-force attack. This algorithm also fails when the user loses his private key; then Public Key Encryption becomes the most vulnerable algorithm. Public Key Encryption is also weak towards man-in-the-middle attack.
Playing the devil’s advocate, and upon further research, the items listed below were identified as the drawbacks of cryptography:
Cryptography does not prevent vulnerabilities and threats that emerge from the poor design of systems, protocols, and procedures. These need to be fixed through proper technique and defensive infrastructure.
Difficulty – Strongly encrypted information can be difficult to access even for a legitimate user at a crucial decision-making time opening the network to attack.
Another fundamental need for information security of selective access control cannot be realized through cryptography. Administrative rules and procedures are required to be exercised for the same.
Cryptography comes at a cost. The cost is in terms of time and money –
The addition of cryptographic techniques in information processing leads to delay.
Public-key cryptography requires setting up and maintaining critical public infrastructure requiring a handsome financial budget.
The security of cryptographic techniques is based on the computational difficulty of mathematical problems. Any breakthrough in solving such mathematical issues or increasing the computing power can render a cryptographic process vulnerable.
I like how you mention the drawbacks of using cryptography. I think the main drawback would be time like you mentioned – there appears to be a gray line between making a system ‘secure enough’ and the point where overusing cryptography has a negative effect on the usability of the system.
I agree with Andrew; the drawbacks of cryptography are just as important as the benefits. Cost is a huge factor: an organization would have to see if the cost of encrypting data is worth the cost of losing the data, as well as the point that cryptography does not prevent vulnerabilities; it is an additional tool, but other countermeasures need to be put in place.
I’d like to offer some personal experience regarding your point on difficulty. I often receive encrypted emails at work from business partners. These emails will take me to a login portal where I can access the communication. However, my company blocks this login portal’s website, meaning I can’t access the communication. Encryption is good, but if I can’t read the message, then that makes the message useless.
One important key takeaway from this reading was the importance of picking the right encryption algorithm based on the need for confidentiality in the information requiring protection. RC4 should never be used; although it is fast, it has minimal protection. The only potential use I can see for this is if it is used to store low impact data, partnered with a strongly hardened system. DES (Data Encryption Standard) is better than RC4, with moderate processing/transmittal speed and moderate protection levels (it is at 56 bits). Using these specifications, DES should protect moderate impact data, such as in basic consumer applications. 3DES is a step above DES, but should not be used in most scenarios due to how slow the processing/transmittal speed is; security measures need to be balanced with functionality, and there is little to no functionality with this method. Lastly, AES is a great encryption algorithm for secure transactions (i.e. payment cards, PII, trade secrets, etc.) due to its high protection power (it is offered in 128, 192 and 256 bits) and high processing power.
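As an added example (not part of any post in this thread), here is how the algorithm choices discussed above (RC4, DES, 3DES versus AES) and the SSL/TLS certificate points from earlier in the thread translate into a client-side TLS policy using only Python’s standard ssl module: the context requires certificate verification and TLS 1.2 or newer, excludes the legacy ciphers, and an audit function reports what remains. The cipher string and the WEAK_TOKENS list are my own assumptions, not taken from the reading.

```python
import ssl

# Algorithm names the audit treats as unacceptable in a negotiated suite
# (assumed policy tokens, matched as substrings of OpenSSL suite names).
WEAK_TOKENS = ("RC4", "DES", "3DES", "MD5", "NULL", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """Build a client TLS context that verifies the server certificate,
    refuses SSL 3.0 / TLS 1.0 / TLS 1.1, and drops legacy cipher suites."""
    ctx = ssl.create_default_context()          # loads the system CA bundle
    ctx.check_hostname = True                    # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED          # unauthenticated servers are rejected
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax (assumed policy): keep the HIGH-strength
    # suites, drop anonymous, null, RC4, single DES, 3DES, MD5 and export
    # suites. TLS 1.3 suites are AES/ChaCha20 AEAD only and stay enabled.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5:!EXPORT")
    return ctx


def audit_ciphers(ctx: ssl.SSLContext) -> dict:
    """Return {'enabled': [...], 'weak': [...]} for the suites this context
    would offer. 'weak' is empty when the policy above actually holds on
    the local OpenSSL build, which is worth checking rather than assuming."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(tok in n for tok in WEAK_TOKENS)]
    return {"enabled": names, "weak": weak}


def policy_holds(ctx: ssl.SSLContext) -> bool:
    """True when no weak suite is offered and at least one AES suite is."""
    report = audit_ciphers(ctx)
    return not report["weak"] and any("AES" in n for n in report["enabled"])


if __name__ == "__main__":
    report = audit_ciphers(hardened_client_context())
    print("offered suites:", len(report["enabled"]))
    print("weak suites still enabled:", report["weak"] or "none")
```

The same audit can be run against an existing application’s context to confirm that a deployed configuration really excludes RC4, DES and 3DES rather than relying on the distribution defaults.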
Kelly Sharadin says
An interesting point discussed in this week’s reading was the distinction that computer science students should develop new encryption ciphers, not information security students. I often read comments on the internet that debate whether cybersecurity degrees are even necessary and that a computer science degree holds more value. However, as some of us know or will soon know, computer science or even software engineers do not always develop with security in mind. Alternatively, security professionals do not always understand the underlying code. Cryptography is a perfect example of how information security and computer science professionals can work together to develop and then implement security best practices.
Antonio Cozza says
I find this particularly interesting as my undergraduate degree is in computer science; based on my personal experience in that program, it was much more reliant upon foundational concepts like design and analysis of algorithms, how computers interpret code, and how the underlying elements of computing function. Cybersecurity professionals, depending on the specific role, may be much more aware of the business logic in a more organizational approach to applying security concepts and advising programmers, and may not necessarily have a deep understanding of programming in as much depth as a computer science student, who has focused much more on theory. Software engineers simply do not have the time in a normal workday to be able to push code into production fast enough for executives to be satisfied with a product release date, so there has to be an unfortunate compromise, which historically has resulted in quicker coding and bad security. I would place more trust in a computer scientist to develop an encryption cipher, as an information security professional, like you said, may not necessarily understand code in as much depth.
Kyuande Johnson says
Cryptography is the study of secure communications techniques that allow only the sender and intended recipient of a message to view its contents. Cryptography can be broken down into three types: secret key cryptography, public key cryptography and hash functions. Secret Key Cryptography uses a single key to encrypt data. Both encryption and decryption in symmetric cryptography use the same key, making this the easiest form of cryptography. Examples of Secret Key Cryptography are AES, DES and the Caesar cipher. In Public Key Cryptography, one key is kept private, and is called the “private key”, while the other is shared publicly and can be used by anyone, hence it is known as the “public key”. Examples of public key cryptography are ECC, Diffie-Hellman and DSS. Hashing Functions: hash functions are irreversible, one-way functions which protect the data, at the cost of not being able to recover the original message. Examples of Hashing Functions are MD5, SHA-1, SHA-2 and SHA-3.
Patrick Jurgelewicz says
One interesting point I took from this reading is the different downsides that come with both symmetric key encryption and public key encryption, and how each is used differently to provide secure and efficient encryption. Symmetric key encryption is quick, but it does not inherently provide authentication, and it requires that the parties exchange the keys ahead of time, which could be a hassle and a vulnerability. Public key encryption assists in a more secure encryption, and it can also provide authentication and non-repudiation; however, it is slow and therefore expensive. As a result, public key encryption is used to establish and confirm the parties’ identities and to provide the symmetric key, and ongoing communication is encrypted and decrypted using the symmetric key.
Kyuande Johnson says
Great Points Patrick,
Just wanted to add some additional uses of Symmetric and Asymmetric Encryption. Symmetric cryptography typically gets used when speed is the priority over increased security.
Examples:
Banking: Encrypting credit card information or other personally identifiable information (PII) required for transactions
Data storage: Encrypting data stored on a device when that data is not being transferred.
Asymmetric cryptography typically gets used when increased security is the priority over speed and when identity verification is required, as the latter is not something symmetric cryptography supports.
Examples:
Digital signatures: Confirming identity for someone to sign a document
Blockchain: Confirming identity to authorize transactions for cryptocurrency
Public key infrastructure (PKI): Governing encryption keys through the issuance and management of digital certificates
Andrew Nguyen says
One of the takeaways that I took from this reading was that cryptography can help protect an organization and secure their messages, but there are other things to factor in as well. Organizations have to take into account their business model and how they are going to use cryptography to help them; what ciphers are used, what system standards they plan on implementing, and what cipher suite will be used for their applications. On top of that, it’s important to not rely too heavily on cryptography; safeguards should be in place in the event that an attacker is able to retrieve a key or decrypt messages.
Kelly Sharadin says
Hi Andrew,
When I was thinking of everyday examples of cryptography, messages were the primary example I could think of, such as encrypting emails via Outlook or Gmail and using messenger apps like Signal. These are simple measures that users can adopt to help strengthen an organization’s cyber defense. Thanks for sharing your post.
Kelly
Dhaval Patel says
My biggest takeaway from this reading was that regardless of the technical strengths of cryptography, if there are holes in communication or the organizational process, confidentiality could be broken. The message that was thought to be highly secured is now being interpreted by the unintended recipient. Take the Japanese Navy example from the book: they were sending messages when there was no necessary reason, and this provided cryptanalysts the advantage. Another example is the Japanese having to use codebooks; if one of those books became misplaced, then many of their encrypted messages could be deciphered. The point is that it is important to have proper communication and organizational practices in place, because even the most advanced cryptographic system is not automatic protection.
Source: Boyle and Panko, Chapter 3 Cryptography
Dan Xu says
Hi Dhaval,
I agree with you that although cryptography occupies a lot of technical advantages, vulnerabilities in communication or the confidentiality of organizational processes can be compromised. Poor communication discipline can defeat the strongest cipher and the longest key.
zijian ou says
Cryptography provides secure communication in the presence of a malicious third party (called an adversary). Encryption uses an algorithm and a key to convert the input (i.e., plaintext) into an encrypted output (i.e., ciphertext). A given algorithm will always convert the same plaintext to the same ciphertext if the same key is used. An algorithm is considered secure if an attacker cannot determine any plaintext property or the key given the ciphertext. Given the large number of plaintext/ciphertext combinations using the key, an attacker should not choose any information about the key.
source: https://www.synopsys.com/glossary/what-is-cryptography.html
Patrick Jurgelewicz says
Hey Zijian, what I found most interesting about these cipher algorithms is that even if the cipher itself is known to an attacker, an encryption can still be secure as long as the attacker does not know the key that was used. I think this is especially useful in today’s world as attackers become more advanced and able to reverse-engineer programs.
Antonio Cozza says
The most interesting thing I found from Chapter 3: Cryptography was the discussion at the end, regarding the debate on privacy versus security, and when it is either too far or beneficial at times. It is interesting when this topic arises because studies have shown that many people, despite knowing the potential consequences of agreeing to data privacy / usage policies / agreements in order to use an application, service, etc, they still choose to use the applications while also resenting the selling of their data that they are aware of and anticipate.
Dhaval Patel says
Hi Antonio,
There is a good amount of debate on the topic of data privacy. Large organizations at this point can’t survive without our data and we generally are okay with providing them our data due to the small benefits we receive, whether that’s more relevant content or target ads. Then there is also the debate around providing our data but the data is encrypted so theoretically no one outside of the organization would have it. However, the EU is looking to ban the collection of personal data so these large corporations will eventually need to come up with a new solution.
Dan Xu says
One of the interesting things I learned from this article is that bad communication discipline can beat the strongest passwords and the longest keys. As mentioned in the article, during WWII the Japanese Navy often sent messages when they didn’t need to, making the cryptanalyst’s job easier than if the Japanese had used better communications discipline. On the other hand, there have been many other symmetric key encryption ciphers, only a few of which survived years of extensive cryptanalysis. It is also interesting to note that many companies advertise “new and proprietary” encryption ciphers because it relies on secrecy, where an attacker cannot obtain information about the cipher, rather than the robustness of the cipher itself.
Andrew Nguyen says
Hi Dan,
You bring up an interesting point that it is important to not become too reliant on cryptography. Other things can happen like phishing, social engineering, and other attacks that can circumvent it. As technology grows (and potential attack avenues), it would be a good idea to keep this in mind.
zijian ou says
It is important to note that the pros and cons of relying on cryptography are well illustrated in history.
Madalyn Stiverson says
Physical security is one component of access control where training for employees should not be overlooked. A hacker can piggyback off someone willing to hold the door for them. It’s important to teach employees and those who have access to the building to ask questions and make sure the person signs in with security. Access cards, physical tokens, mantraps, security guards, and cameras are some ways in which a building can increase physical security.
Kyuande Johnson says
Great Point Madalyn,
The most vulnerable asset of any organization is the employees. Hence the reason for constant Security Awareness Training. Security Awareness Training is not used to just “inform” employees of Cyber Security Best Practice. Its primary use is to change the behavior of employees.
Vraj Patel says
Cryptography is a technique that uses mathematical operations to encrypt the message to provide confidentiality. The message gets encrypted using a symmetric key (AES, RC4, DES, or 3DES) and gets decrypted using the relevant key. This allows the message to stay confidential from eavesdropping attacks as long as the keys and the method of encryption stay secure. Out of all the types of encryption methods, the most efficient is AES encryption. There is also a session being used by the 2 parties for communication through an application. The session key method uses a different key for every session, which makes it more reliable. The public key method is also used to keep messages confidential. It uses 2 different kinds of keys: Public and Private. The public key is shared with others and the private key is kept secure. The message gets encrypted using the user’s public key and decrypted using the user’s private key.
Michael Jordan says
Hi Vraj,
I like how you list out the common methods of encryption and explain an example of communication using encryption to secure traveling information. I also thought the way that you differentiated between symmetric and public encryption was beneficial, especially by noting that both of these encryption types can be used within the same communication – one to secure the session, and one to secure the information transferred during the session.
-Mike
kofi bonsu says
One major takeaway from this publication is about a virtual private network (VPN). Hence, since numerous people are working at home, the VPN can be used to provide a secure tunnel for the end user to access the confidential information within their organization’s local network. The VPN permits people to continue to perform their business activities without the fear of someone decrypting and viewing the data they are transmitting in plain text.
Vraj Patel says
Hello Kofi,
That’s a great point. These days, when almost all of the work is remote, organizations are using the VPN, which allows a secure connection for their employees to the company’s resources. This makes companies more vulnerable to cyber attacks, as there are many access points (i.e., each user account) which the attacker could use to enter the network. As a result, companies have to focus more on network security to secure the VPN process and on continuous monitoring of their network.
Andrew Nguyen says
Hi Kofi,
I can relate to this! Ever since covid started, I’ve spent a considerable amount of time working from home and using a VPN to connect. I believe it is a requirement to connect to company resources, for the reasons that you mention.
Lauren Deinhardt says
Hi Kofi, thanks for your post! A VPN is so critical for teleworking (both before and after the pandemic), since so many employers rely on client computing systems. VPN is a highly used security measure for a reason.
Patrick Jurgelewicz says
Hey Kofi, it’s interesting how often VPNs have been utilized in today’s world with so many people working from home. I also connect to a VPN when working from home, and it is interesting to learn about the encryption taking place behind the scenes of my daily routine. This connection allows sensitive information to be transmitted between devices in a secure and encrypted way.
Victoria Zak says
Kofi,
Throughout the COVID-19 pandemic, everyone can relate to this. I personally can relate to this, as needed when working from home. A VPN is extremely important and is used as a guard against attackers on a public network.
Victoria Zak says
An interesting point in this reading was SSL/TLS. With SSL, when a purchase is made online, an extra layer of security protects your information. TLS is Transport Layer Security, which works at the transport layer.
However, I thought it was interesting to convert SSL/TLS from a host-to-host VPN to a remote access VPN, where companies place an SSL/TLS gateway at the border of each site, and the remote client’s browser establishes a single SSL/TLS connection with the gateway rather than with individual hosts within the site (page 148). Compared to the IPSec VPN, SSL provides clients a simple way to connect to information remotely.
As the reading mentions, the SSL/TLS gateway allows the client’s PC to connect to multiple internal web servers, or the gateway could connect the client’s PC to an entire subnet of the site’s network.
Dhaval Patel says
Hi Victoria,
Great points. In my KT sessions for my work, many customers ask why we should enable SSL/TLS when they have an IPSec VPN, and we usually tell them IPSec works by connecting to the host/network, whereas SSL/TLS will connect directly to the application, which makes it a little easier.
Michael Jordan says
One key point that I took away from this week’s textbook reading is that public key encryption is commonly used to establish an authenticated connection, and then symmetric keys are used for the duration of the session to encrypt/decrypt data containing session information.
One use of this methodology is SSL/TLS certificates, which are commonly used to establish HTTPS. Although these two are often used interchangeably, TLS is actually the successor to and improved version of SSL, but SSL is still widely used. These certificates are used to authenticate the identity of websites; once that occurs, “HTTPS” is established and will be shown by a “locked” lock symbol, or show up at the beginning of the URL. All government websites are required to use HTTPS connections, and almost all websites should anyway (even if they are not required to by law). Sites that do not use HTTPS, especially those that process payments and PII, will lose customers/visitors because any information given to the site is not secure.
kofi bonsu says
I totally agree with your assessment, but the weakness of Public Key Encryption is that it is vulnerable to brute-force attack. This algorithm also fails when the user loses his private key; then Public Key Encryption becomes the most vulnerable algorithm. Public Key Encryption is also weak against man-in-the-middle attacks.
Olayinka Lucas says
Playing the devil’s advocate, and upon further research, the following were identified as the drawbacks of cryptography:
Cryptography does not prevent vulnerabilities and threats that emerge from the poor design of systems, protocols, and procedures. These need to be fixed through proper technique and defensive infrastructure.
Difficulty – Strongly encrypted information can be difficult to access even for a legitimate user at a crucial decision-making time, opening the network to attack.
Another fundamental need of information security, selective access control, cannot be realized through cryptography. Administrative rules and procedures are required to be exercised for the same.
Cryptography comes at a cost. The cost is in terms of time and money:
The addition of cryptographic techniques in information processing leads to delay.
Public-key cryptography requires setting up and maintaining critical public infrastructure, requiring a handsome financial budget.
The security of cryptographic techniques is based on the computational difficulty of mathematical problems. Any breakthrough in solving such mathematical issues or increasing the computing power can render a cryptographic process vulnerable.
Source: https://www.tutorialspoint.com/cryptography/benefits_and_drawbacks.htm
Andrew Nguyen says
Hi Olayinka,
I like how you mention the drawbacks of using cryptography. I think the main drawback would be time like you mentioned – there appears to be a gray line between making a system ‘secure enough’ and the point where overusing cryptography has a negative effect on the usability of the system.
Dhaval Patel says
Hi Olayinka,
I agree with Andrew; the drawbacks of cryptography are just as important as the benefits. Cost is a huge factor: an organization would have to see if the cost of encrypting data is worth the cost of losing the data. There is also the point that cryptography does not prevent vulnerabilities; it is an additional tool, but other countermeasures need to be put in place.
Madalyn Stiverson says
Hi Olayinka,
I’d like to offer some personal experience regarding your point on difficulty. I often receive encrypted emails at work from business partners. These emails will take me to a login portal where I can access the communication. However, my company blocks this login portal’s website, meaning I can’t access the communication. Encryption is good, but if I can’t read the message, then that makes the message useless.
Lauren Deinhardt says
One important key takeaway from this reading was the importance of picking the right encryption algorithm based on the need for confidentiality in the information requiring protection. RC4 should never be used; although it is fast, it has minimal protection. The only potential use I can see for this is if it is used to store low impact data, partnered with a strongly hardened system. DES (Data Encryption Standard) is better than RC4, with moderate processing/transmittal speed and moderate protection levels (being at 56 bits). Using these specifications, DES should protect moderate impact data, such as in basic consumer applications. 3DES is a step above DES, but should not be used in most scenarios due to how slow the processing/transmittal speed is; security measures need to be balanced with functionality, and there is little to no functionality with this method. Lastly, AES is a great encryption algorithm for secure transactions (i.e. payment cards, PII, trade secrets, etc.) due to its high protection power (it is offered in 128, 192 and 256 bits) and high processing power.