Boost PC performance: How more available memory can improve productivity
Cryptoandnetworksecuritylitreview
1. Cryptography and Network Security 1
Running head: LITERATURE REVIEW OF CRYPTOGRAPHY & NETWORK SECURITY
Literature Review of Cryptography and its Role in Network Security Principles and Practice
Daniel Lloyd Calloway
Capella University, OM8302, § 4
8 September 2008
Dr. Hannon, Instructor
2. Cryptography and Network Security 2
Abstract
This literature review looks at the research that has been published in the area of
cryptography as it relates to network data and global communications security. It compares and
contrasts the research pointing out overall trends in what has already been published on this
subject. It analyzes the role that cryptography has played and will play in the future relative to
security. This review addresses cryptography around the central theme of the security that it
provides or should provide individuals, corporations, and others in the modern age of computing
technology, networking, and Web-based ecommerce. By reviewing both scholarly and non-
scholarly works, it is our objective to make a case that continuing research into the use of
cryptography is paramount in preserving the future of electronic data security and privacy as well
as the continuing development of Web-based applications that will permit the growth of
ecommerce business worldwide to be conducted over the Internet.
3. Cryptography and Network Security 3
CONTENTS
Abstract............................................................................................................................................2
Introduction - Early vs. Modern Cryptography .............................................................................4
Introduction - Overall Trends in the Research...............................................................................7
Scholarly Literature .......................................................................................................................10
Non-Scholarly Literature ...............................................................................................................18
Conclusions....................................................................................................................................22
References......................................................................................................................................24
4. Cryptography and Network Security 4
Introduction -
Early vs. Modern Cryptography
Today’s cryptography is vastly more complex than its predecessor. Unlike the original
use of cryptography in its classical roots where it was implemented to conceal both diplomatic
and military secrets from the enemy, the cryptography of today, even though it still has far-
reaching military implications, has expanded its domain, and has been designed to provide a
cost-effective means of securing and thus protecting large amounts of electronic data that is
stored and communicated across corporate networks worldwide. Cryptography offers the means
for protecting this data all the while preserving the privacy of critical personal financial, medical,
and ecommerce data that might end up in the hands of those who shouldn’t have access to it.
There have been many advances in the area of modern cryptography that have emerged
beginning in the 1970s as the development of strong encryption-based protocols and newly
developed cryptographic applications began to appear on the scene. On January, 1977, the
National Bureau of Standards (NBS) adopted a data encryption standard called the Data
Encryption Standard (DES), which was a milestone in launching cryptography research and
development into the modern age of computing technology. Moreover, cryptography found its
way into the commercial arena when, on December, 1980, the same algorithm, DES, was
adopted by the American National Standards Institute (ANSI). Following this milestone was yet
another when a new concept was proposed to develop Public Key Cryptography (PKC), which is
still undergoing research development today (Levy, 2001).
When we speak of modern cryptography, we are generally referring to cryptosystems
because the cryptography of today involves the study and practice of hiding information through
5. Cryptography and Network Security 5
the use of keys, which are associated with Web-based applications, ATMs, Ecommerce,
computer passwords, and the like.
Cryptography is considered not only a part of the branch of mathematics, but also a
branch of computer science. There are two forms of cryptosystems: symmetric and asymmetric.
Symmetric cryptosystems involve the use of a single key known as the secret key to encrypt and
decrypt data or messages. Asymmetric cryptosystems, on the other hand, use one key (the public
key) to encrypt messages or data, and a second key (the secret key) to decipher or decrypt those
messages or data. For this reason, asymmetric cryptosystems are also known as public key
cryptosystems. The problem that symmetric cryptosystems have always faced is the lack of a
secure means for the sharing of the secret key by the individuals who wish to secure their data or
communications. Public key cryptosystems solve this problem through the use of cryptographic
algorithms used to create the public key and the secret key, such as DES, which has already been
mentioned, and a much stronger algorithm, RSA. The RSA algorithm is the most popular form
of public key cryptosystem, which was developed by Ron Rivest, Adi Shamir, and Leonard
Adleman at the Massachusetts Institute of Technology in 1977 (Robinson, 2008). The RSA
algorithm involves the process of generating the public key by multiplying two very large (100
digits or more) randomly chosen prime numbers, and then, by randomly choosing another very
large number, called the encryption key. The public key would then consist of both the
encryption key and the product of those two primes. Ron Rivest then developed a simple
formula by which someone who wanted to scramble a message could use that public key to do
so. The plaintext would then be converted to ciphertext, which was transformed by an equation
that included that large product. Lastly, using an algorithm developed through the work of the
great mathematician, Euclid, Ron Rivest provided for a decryption key—one that could only be
6. Cryptography and Network Security 6
calculated by the use of the original two prime numbers. Using this encryption key would
unravel the ciphertext and transform it back into its original plaintext. What makes the RSA
algorithm strong is the mathematics that is involved. Ascertaining the original randomly chosen
prime numbers and the large randomly chosen number (encryption key) that was used to form
the product that encrypted the data in the first place is nearly impossible (Levy, 2001).
A very popular public key cryptosystem is known as Pretty Good Privacy (PGP),
developed by Phil Zimmerman beginning in early 1991 (Levy, 2001). The strength of the keys
that are created to encrypt and decrypt data or communications is a function of the length of
those keys. Typically the longer the key, the stronger that key is. For example, a 56-bit key
(consisting of 56 bits of data) would not be as strong as a 128-bit key. And, consequently, a 128-
bit key would not be as strong as a 256- or 1024-bit key.
Next, let’s address the overall trends identified in the research that has been conducted in
the field of cryptography and network security.
7. Cryptography and Network Security 7
Introduction -
Overall Trends in the Research
In reviewing the research that has already been published with regard to cryptography
and network security since the 1970s, some noteworthy trends have emerged.
There is a prevailing myth that secrecy is good for security, and since cryptography is
based on secrets, it may not be good for security in a practical sense (Schneier, 2004; Baker,
2005). The mathematics involved in good cryptography is very complex and often difficult to
understand, but many software applications tend to hide the details from the user thus making
cryptography a useful tool in providing network and data security (Robinson, 2008). Many
companies are incorporating data encryption and data loss prevention plans, based on strong
cryptographic techniques, into their network security strategic planning programs (Companies
Integrate, 2006). Cryptographic long-term security is needed but is often difficult to achieve.
Cryptography serves as the foundation for most IT security solutions, which include: (1) Digital
signatures that are used to verify the authenticity of updates for computer operating systems,
such as Windows XP; (2) Personal banking, ecommerce, and other Web-based applications that
rely heavily on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for
authentication and data security; and (3) The introduction of health cards that allow access to
medical history, prescription history, and medical records in countries such as Germany, which
contain the electronic health information of its citizens and which depend on digital signature
and other encryption schemes for security and privacy of critical data (Perspectives for, 2006).
There are product design criteria that designers can meet for implementing strong encryption
protocols into software applications; however, strong public-key cryptography may prove too
computationally expensive for small devices, and the alternative may be to incorporate
8. Cryptography and Network Security 8
cryptographic hardware into embedded designs (Robinson, 2008). Although cryptography and
information security are multi-billion dollar industries, the economy of the world and the defense
of almost every nation worldwide depend upon it and could not be carried out without it (Fagin,
Baird, Humphries, & Schweitzer, 2008). An individual’s identity in the digital world could be
controlled by what is termed the federated identity management system consisting of software
components and protocols that manage the identify of individuals throughout their identity
lifecycle (Bhargav-Spantzel, Camenisch, Gross, & Sommer, 2007). With the rise in threats to
sensitive data from outsiders, encryption is seen as a necessary tool in ensuring corporate
networks and individuals’ information is as secure as possible (Toubba, 2006). The ubiquity of
the Internet makes it extremely difficult to trace and identify intruders of corporate networks and
Internet-based businesses involved in ecommerce with the public domain. Primary security
concerns are confidentiality, data integrity, data origin authenticity, agent authenticity, non-
repudiation, and so on. Current cryptographic techniques, such as smart cards, PINs, password
authentication, etc., have performed well in keeping data secure. However, the overall security
of an encryption system depends upon its ability to keep cipher keys secret, while the typical
human behavior is to write down passwords so they aren’t forgotten, which often makes security
very vulnerable to compromise. The concept of biometric-based keys appears to be one possible
solution to this dilemma (Hogue, Fairhurst, Howells, & Deravi, 2005). Security must be the
primary design consideration from a mission-critical or safety-related product’s conception,
through design and development, production, deployment, and the end of its lifecycle.
Embedded systems that find themselves installed in devices that are an integral part of the
manufacturing, health, transportation, and finance sectors, as well as the military, without having
near-flawless strong cryptographic security built into them would be vulnerable to would-be
9. Cryptography and Network Security 9
hackers, organized crime, terrorists, or enemy governments (Webb, 2006; S., E, 2007). The
concept of data hiding technologies whose aim is to solve modern network security, quality of
services control, and secure communications, has been seen as a cost-effective alternative to
other means of data security, which does not require protocol modifications, and is compatible
with existing standards of multimedia compression and communications (Lovoshynovskiy,
Deguillaume, Koval, & Pun, 2005). Security is an important aspect of any network, but in
particular to wireless ad-hoc networks where mobile applications are deployed to perform
specific tasks. Since these networks are wireless, the potential for hacking into them using
mobile devices is greater as there is no clear line of defense for protecting them. The
development of the Mobile Application Security System (MASS) utilizing a layered security
approach and strong cryptographic techniques is seen as a viable low-cost solution to protecting
these application-based wireless networks (Floyd, 2006). And, finally, a new concept in
cryptographic security known as Quantum Encryption, which uses quantum fluctuations of laser
light at the physical layer introduced into existing network transmission lines is seen as a means
of enabling ultra-secure communications and near perfect security (Hughes, 2007).
It is the intent of this review of the literature to look at what has been published regarding
cryptography in recent years from the standpoint of network and data security and privacy, and
to specifically address the role that cryptography plays in enabling this security.
10. Cryptography and Network Security 10
Scholarly Literature
There is much skepticism surrounding cryptography. Fagin et al. (2008) indicates that
there is progress being made in this area to remove the skepticism. The National Institute of
Standards and Technology (NIST) has joined forces with the National Security Agency (NSA) to
form the “Common Criteria” process known as the Common Criteria for Information
Technology Security Evaluation 2005 whose aim it is to increase the confidence in
cryptographic and information-related security products. Additionally, the Department of
Defense (DoD) has enacted policy directives requiring Information Assurance (IA) professionals
to receive information security training in addition to basic IA training for all of its DoD
employees (Fagin et al.). Fagin et al. further notes that security today requires some level of
skepticism and critical thinking.
Bhargav-Spantzel et al. (2007) contends that there is a recent paradigm in identify
management called user-centricity identity management. The study conducted by Bhargav-
Spantzel et al. differentiated between two predominant notions: relationship-focused and
credential-focused identity management. In the former approach, a user only maintains
relationships with identity providers (IDPs) and thus every transaction providing identity
information is conveyed to the appropriate IDP. In the latter approach, the user must obtain
long-term credentials and store them in a local provider database.
Bhargav-Spantzel et al. indicates that the most predominant identity management model
on the Internet today is the silo model where users handle their own data and provide it to
organizations separately. One solution to this dilemma offered by Bhargav-Spantzel et al. is the
centralized federation model, such as Microsoft’s Passport, which removes the inconsistencies
and redundancies of the silo model and provides the Web users a seamless experience. Bhargav-
11. Cryptography and Network Security 11
Spantzel et al. offers a taxonomy for unifying the relationship-focused and credential-focused
identity management, and investigated the idea of a universal user-centric system, which
incorporates the current approaches. The open research question offered by Bhargav-Spantzel et
al. in their study is the search for a credential-based user-centric system that crosses the
boundaries of user-centricity. The study also supports their approach in unifying the notions in
user-centricity that could be useful in the field of user-centric federated identity management
systems (FIMS).
The study conducted by Bohli et al. (2007) examined popular proof models for group key
establishment and the tools offered for analyzing group key establishment protocols in the
presence of malicious participants. The framework introduced by Bohli et al. indicates that a
protocol proposed by Katz & Yung (2003) offer guarantees of security against a single malicious
participant, whereas a proposal offered by Kim, Lee & Lee (2004) fails to do so. Furthermore,
Bohli et al. showed that established group key establishment schemes from CRYPTO 2003 and
ASIACRYPT 2004 do not fully meet these requirements and proved a variant of the
ASIACRYPT2004 group key establishment scheme based on the Computational Diffie-Hellman
(CDH) assumption and the Random Oracle Model is secure in the strictest sense.
In the area of wireless security, Tafaroji, & Falahati (2007) proposed a means of
improving security of the code division multiple access (CDMA)—one of the most widely used
wireless air link interfaces in 3G wireless communication—by applying an encryption algorithm
over the spreading codes. In the Tafaroji et al. study the cross-correlation between outputs of
encryption algorithm causing multi-user interference was studied thoroughly, since multi-user
detection is the inherent characteristic of CDMA. A combination of encrypted and unencrypted
M-sequence is used as the spreading code to mitigate system performance. Thus Tafaroji et al.
12. Cryptography and Network Security 12
proposed a new method named “hidden direct sequence” to enhance the security of CDMA
systems through the application of the cryptographic algorithm in the channelization code. This
secure spectrum-spreading method prevents eavesdroppers from hearing an intercepted message,
and further prevents them from attempting to decipher the communication using the most
powerful means.
In a study conducted by Pistoia, Chandra, Fink, & Yahav (2007), three areas of security
vulnerability in software systems were analyzed. These were: access-control, information flow,
and application-programming interface conformance. Static analysis techniques were used to
analyze two major areas of access-control: stack-based and role-based access control. Static
analysis techniques were also used to address integrity violations and confidentiality violations,
which comprise information flow. The study also discussed how static analysis could be used to
verify the correct usage of security libraries and interfaces for component-based systems.
In the area of chosen ciphertext attacks (CCA), Boneh, Canetti, Halevi, & Katz (2006)
proposed a CCA-secure public-key encryption scheme based on identity-based encryption (IBE).
These schemes provide for a new paradigm for achieving CCA-security, which avoids “proofs of
well-formedness” that was the basis for previous constructions. Furthermore, by instantiating
their constructions using known IBE constructions, Boneh et al. was able to obtain CCA-secure
public-key encryption schemes whose performance was competitive with other CCA-secure
schemes already in existence.
Research conducted by Callas (2007) covered such topics as the social expectations of
cryptography, the myth of non-repudiation, the paradox of stronger keys, cryptography and
reliability, rights management, privacy enhancing technologies, new cryptographic ciphers, and
legal changes regarding cryptography. The future of cryptography is dependent on the way that
13. Cryptography and Network Security 13
society uses it. This relies on current laws, customs, regulations, and what we as a society expect
cryptography to do. Callas indicates that there are gaps in the research that are left to future
researchers to address. Callas points out that the concept that digital signatures, used for signing
documents and email, offer the property of non-repudiation—that the signer can’t say they didn’t
sign the document—is a myth and they present examples to further explain it. The research
goes on to explain that stronger cryptographic keys does not necessarily make the system more
secure since stronger cryptography in a chaotic system might actually promote the chaotic state;
thus the paradox of stronger keys. Callas differentiates between secure cryptography and
reliability in safety systems by noting that security systems protect against intelligent attackers
while reliability systems protect against unintelligent attackers. Ensuring the wrong people don’t
have the cryptographic keys will ensure a secure cryptographic system while making certain the
right people have the keys will ensure a reliable cryptographic system. Callas points out that the
future of cryptography is dependent upon a strong key management system that will ensure the
right people have the keys and the wrong people don’t gain access to the keys. Furthermore,
Callas shows that there is another myth that there needs to be tradeoffs between security and
privacy in the use of cryptography. They demonstrate that a cryptosystem can be private while
being secure. New ciphers such as elliptic curve, bi-linear, and quantum cryptography are
introduced in the study. And, finally, Callas points out that the way people think about data and
communications privacy and security is a reflection of changes in the law that have come about
by events like the terrorist attacks of September, 2001, and ubiquitous cryptography has played a
major role in that shift. As a result, cryptography will play a critical role in protecting
information now and in the future.
14. Cryptography and Network Security 14
Walters (2007) proposes a draft IS security curriculum that should be incorporated into
the core body of knowledge of the business curriculum, and proposes that additional practical
guidance to Accounting Information Security (AIS) educators who would like to incorporate IS
security into their existing curriculum needs to be undertaken.
Zanin, Di Pietro, & Mancini (2007) in their study present a new distributed signature
protocol based on the RSA cryptographic algorithm, which is suitable for large-scale ad-hoc
networks. This signature protocol is shown to be distributed, adaptive, and robust while
remaining subject to tight security and architectural constraints. The study reveals that the
robustness of this protocol scheme can be enhanced by involving only a fraction of the nodes on
the network. Zanin et al. demonstrated that their protocol scheme is correct, because it allows a
chosen number of nodes to produce a valid cryptographic signature; it is secure, because an
attacker who compromises fewer than the given number of nodes is unable to disrupt the service
or produce a bogus signature; and it is efficient, because of the low overhead in comparison to
the number of features provided.
Not only is security important in wired networks, but it is an important factor in any
network, including wireless networks. Floyd (2006) devised a cryptographic solution to securing
mobile ad-hoc networks that are especially vulnerable to malicious attacks since they possess no
clear line of defense. This cryptographic system was dubbed, the Mobile Application Security
System (MASS). This system was shown to prevent unauthorized modifications of mobile
applications by other running applications and other hosts on the wireless network, by ensuring
the mobile code was both authentic and authorized.
Employing encryption based on cryptographic algorithms to secure consumer data is of
paramount importance today, especially in the area of ecommerce on the Internet. Toubba
15. Cryptography and Network Security 15
(2006) stresses the importance of strong encryption key management and granular access control
to Web-based applications. Toubba shows that corporations that store, transmit, and use
consumer data must take steps to choose strong cryptographic solutions to protect this data, and
to employ complementary network security procedures to maximize the overall effectiveness of
the encryption product. Strong key management and granular access control are viewed as the
complementary network security procedures. Furthermore, in another study conducted by
Kodaganallur (2006), it was shown that the use of public key cryptography based on asymmetric
key ciphers overcomes the shortcomings of using symmetric key ciphers in isolation by enabling
confidentiality, message integrity, and authentication. Klappenecker (2004) further demonstrate
the ability to break a cryptosystem and demonstrate that the authentication problem of their
protocol that allowed them to break this seemingly “unbreakable data encryption” is fixable.
Limitations in computer platform security in the use of cryptography are demonstrated in
the study conducted by (Young, 2004). This study showed the experimental results of launching
a crypto-viral payload on the Microsoft Windows platform, specifically on the Microsoft
Cryptographic API. The study revealed that using eight types of API calls and 72 lines of C
code, the payload was able to hybrid encrypt sensitive data and hold it hostage. The researchers
in this study were able to develop a countermeasure to the crypto-viral attack, which forces the
API caller to show that an authorized party can successfully recover the asymmetrically
encrypted data.
The importance of the use of strong cryptography in voice communication can’t be
overstated. In a study conducted by Li., C, Li., S., Zhang, & Chen (2006), a new Voice-Over-
Internet Protocol (VOIP) technique with a new hierarchical data security protection (HDSP)
scheme was developed using a secret chaotic bit sequence. However, there are limitations in this
16. Cryptography and Network Security 16
scheme involving known chosen/plaintext attacks in which only one known chosen/plaintext
attack was sufficient to break the secret key. Additionally, brute force attacks against HDSP
indicate the security of HDSP to be weak in this regard. The researchers offer suggestions to
strengthen HDSP, but cautioned against the use of HDSP in security-sensitive applications,
especially if the secret key will be reused to encrypt more than one plaintext.
One means of strengthening data encryption and authentication in cryptosystems on
corporate networks is discussed in a study by Hogue et al. in which the feasibility of generating
biometric key encryption is presented. Experimental analysis of this study revealed encouraging
prospects for its use in modern cryptosystems.
Recent developments have shown that network security, Quality of Service (QoS) and
secure data communications over public networks (and the Internet) can benefit from theoretical
data-hiding technologies. In their study, Lovoshynovskiy et al. demonstrated that cryptographic
techniques for hiding data on heterogeneous public networks was a very cost-effective
alternative to other network security measures, which do not require significant upfront
investment, protocol modifications, and are totally compatible with existing multimedia
compression and communication standards. These data hiding techniques include state-of-the-
art watermarking, watermark-assisted multimedia processing, tamper proofing, and secure
communications.
Finally, in a study conducted by Schneier (2004), the researchers concluded that the
argument that secrecy is good for security is a myth and worthy of rebuttal. They further
demonstrated that secrecy is especially not good for security with respect for vulnerability and
reliability information. They also show that security that relies totally on secrecy is extremely
fragile, and once it is lost, there is no way to regain it. Schneier goes on to make a case that
17. Cryptography and Network Security 17
cryptography—since it is based on secret keys that are short, easy to transfer, and easy to
change—must rely on one of its basic principles that the cryptographic algorithm be made public
if it is to remain strong and offer good security. Using the public key system avoids the fallacy
in the argument that secrecy works. Those who oppose secrecy ignore the security value of
openness. The only reliable means to improve security is to embrace public scrutiny.
Now that we have analyzed some of the research that has been conducted and reported in
scholarly literature, let’s switch our focus and review some of the non-scholarly literature that
has been published on this topic as well.
18. Cryptography and Network Security 18
Non-Scholarly Literature
As pointed out in Companies Integrate (2008) many corporations are beginning to realize
that using cryptography to encrypt the PC or perimeter device is not an all-inclusive, effective
means of protecting their essential data. Taking measures to prevent data loss is also needed.
Additionally with the myriad ways of sharing data on corporate networks and the Internet that
exist today, it is time to employ strong cryptography as a means of securing the data and to
protect individuals’ privacy (Harris, 2007).
Embedded systems that are designed today depend entirely on the same technologies that
corporate IT depends upon. These technologies involve Ethernet, TCP/IP, and operating
systems. This fact suggests that embedded systems, such as mobile phones, refrigerators, smart
light switches, automobiles to military weapons are now as vulnerable to the same security
threats that have plagued corporate IT systems for many years (Robinson). The reliance on
strong cryptography is necessary to protect these embedded systems from viral and other
malicious attacks. Especially vulnerable are embedded systems that rely on wireless technology,
such as Bluetooth, Blackberry, RFID, and the like. Robinson first develops the fundamental
concepts surrounding cryptography, such as public key/private key encryption, Diffie-Hellman
Key Exchange, block ciphers, Hash algorithms, DES, AES, the implications of IP Security
(IPSEC) and Internet Key Exchange (IKE), elliptic curve cryptography, SSL/TLS used heavily
in Web-based applications, Wi-Fi, and other embedded security concerns. Next, Robinson
makes a case that developing strong encryption protocols in software for small devices may be
too cost prohibitive, and these designers should consider including cryptographic hardware in the
embedded designs.
19. Cryptography and Network Security 19
One of the biggest issues facing privacy and data security in the health industry today, as
pointed out by Protect Those Portable (2008), is that while the Health Insurance Portability and
Accountability Act (HIPAA) requires all medical providers in the U.S. to protect paper health
records, Federal law does not require the same protection when these records are digitally
exported to non-healthcare providers. This issue surfaces with recent partnerships such as the
AT&T/Tennessee Plan, Microsoft’s Health Vault Plan, and a recent Google partnership with a
Cleveland, OH health clinic that permit individuals to view their health record information
online. A USA Today article cited in Protect Those Portable (2008) reports that both Microsoft
and Google have assured individuals using their plans that strong cryptographic measures on the
Web will ensure their data will remain secure and private.
To echo recent studies conducted involving quantum cryptography, Hughes (2007);
Baker (2005) report recent developments in a new cryptographic protocol called Keyed
Communication in Quantum Noise (KCQ). Because KCQ uses encryption involving quantum
noise of light at the physical layer of network transmission, many scientists theorize that this new
protocol will offer greater security than heretofore secure communication systems that rely only
on cryptographic encryption technology involving mathematical cryptography complexity.
The instantiation of KCQ into existing communications at the physical layer is called the
AlphEta protocol in the United States. The AlphaEta protocol injects thousands of photons for
each logical data bit transmitted on existing networks at the physical layer. These radiation
states of multiple photons emitted by lasers are the means of information transport in the
network. These states of light—from a quantum physics standpoint—are fuzzy waves of light in
that their amplitude, phases, and polarization states do not exist in clearly quantifiable packets.
Rather, these observable characteristics are random variables, which possess means and
20. Cryptography and Network Security 20
variances about those means. This quantum random noise is irreducible and cannot be filtered
away. This is based on a fundamental property of quantum mechanics. This fact makes the use
of the AlphaEta protocol especially promising for securing data due to the quantum uncertainty
principle in measuring fluctuations in quantum noise polarization and phase states. Coupling the
use of the AlphaEta protocol with other stringent mathematically-complex cryptographic
algorithms forms a near perfect security cryptosystem.
Many IT professionals and information security professionals are beginning to realize the
importance of remaining current in the area of network security through the development of
information technology safeguards and corporate policies that keep companies’ information
assets secure. Since there is a greater reliance on cryptography as the means of securing those
assets more effectively, many of these professionals are turning to the non-profit organization
known as the International Information Systems Security (ISC) Certification Consortium, which
has certified more than 42,000 information security professionals in 110 countries (Pratt 2006).
Many of these IS security professionals must now manage complex applications that involve
advanced cryptosystems that help corporations comply with a growing list of federally- and
state-mandated regulations that commission strict data security and privacy.
Perspectives for (2006) reports that cryptography serves as the foundation of many IT
security systems. One of the main challenges of computer science research is maintaining
security on an ever-increasingly vulnerable IT network infrastructure, which includes
communications, commerce, public administration, medical care, politics, and education that
depend heavily on IT technology. The long-term security of these systems will also depend
extensively on cryptography.
21. Cryptography and Network Security 21
And, finally, Webb reports the necessity of “hack-proof” design in embedded systems.
These devices provide unattended operation for thousands of safety-related and mission-critical
systems in the medical, manufacturing, health care, transportation, finance, and military sectors.
Any one of these systems could be a potential target for hackers, organized crime, adversarial
governments, and terrorists throughout the world. It is imperative that the designers of these
embedded devices not only seek to protect the data that passes through them, but the intellectual
property itself. The use of cryptography on either a software or hardware level, or both, is seen
as the means of providing this protection.
22. Cryptography and Network Security 22
Conclusions
A review of the scholarly and non-scholarly literature over the past decade would suggest
that although cryptography has had its limitations on desktop PC platforms, it has played a key
role in providing strong, reliable, and robust network data security. Furthermore, network
security principles and practice depend on cryptography to function properly and reliably, and it
appears that cryptography will continue to figure prominently into the strategic IT and business
plans for the foreseeable future with regard to protecting critical financial, personal, medical,
transportation, and ecommerce data via corporate networks and click-and-mortar Internet
businesses on the World Wide Web while providing a respectable level of privacy.
Scholarly research also indicates that there are gaps in the research, especially in the area
involving credential-based user-centric identity systems that crosses the boundaries of user-
centricity, and in another area involving the way that society uses cryptography due to the
reliance on current laws, customs, regulations, and, in general, what we as a society expect
cryptography to do.
From its inception in the latter 1970s, modern-day cryptography has evolved from the
basic Data Encryption Standard that was used to secure early digital data on desktop PCs and
later networks and communications devices to the incorporation of a much stronger cryptography
involving RSA encryption and IKE, which has been used extensively in the development of
SSL/TLS and IPSec to provide a cost effective means to secure Web ecommerce applications,
mobile devices, and provide security for worldwide global communications with both
commercial and military application.
The prevailing myth that secrecy is good for security has been proved wrong with the
association that cryptosystems provide extremely strong security when these systems utilize an
23. Cryptography and Network Security 23
asymmetric key management system process where the public key is known to everyone and the
secret key is known only to the one who possesses it; that is to say, security is achieved when
cryptography relies on one of its most basic principles that the algorithms remain public.
Modern-day applications such as Pretty Good Privacy (PGP) attest to the power cryptography
that uses this asymmetric key system to encrypt and decipher data and electronic mail provides.
Even though cryptography is based on mathematical complexity that is not fully understood by
everyone and especially by its typical users, cryptosystems such as PGP provide an application
software interface that allows for a very user-friendly experience, which removes the complexity
while still affording the user the strong security that is required and that they demand.
Although cryptography is of paramount importance in providing crucial data security
through the use of digital signatures, state-of-the-art watermarking, data hiding, SSL/TLS, IPSec,
etc., IT network administrators and corporate CEOs should not forget that other network security
principles that don’t involve cryptography shouldn’t be pushed aside. Good network security
principles and practice should, instead, be used in conjunction with cryptography to form a more
secure complementary network security system.
And, finally, since cryptography is here to stay, many IT and IT security professionals are
becoming aware of the importance of keeping current through the development of information
technology safeguards and corporate policies that keep companies’ information assets secure.
As a result, they are turning to third-party non-profit organizations to assist in this regard.
24. Cryptography and Network Security 24
References
Baker, M. (2005, January). Keeping a Secret. Technology Review, 108(1), 82-83. Retrieved
August 2, 2008, from Academic Search Premier database.
Bhargav-Spantzel, A., Camenisch, J., Gross, T., & Sommer, D. (2007, October). User centricity:
A taxonomy and open issues. Journal of Computer Security, 15(5), 493-527. Retrieved
August 2, 2008, from Academic Search Premier database.
Bohli, J., González Vasco, M., & Steinwandt, R. (2007, July). Secure group key establishment
revisited. International Journal of Information Security, 6(4), 243-254. Retrieved August
2, 2008, doi:10.1007/s10207-007-0018-x
Boneh, D., Canetti, R., Halevi, S., & Katz, J. (2006, December). CHOSEN-CIPHERTEXT
SECURITY FROM IDENTITY-BASED ENCRYPTION. SIAM Journal on Computing,
36(5), 1301-1328. Retrieved August 2, 2008, doi:10.1137/S009753970544713X
Callas, J. (2007, January). The Future of Cryptography. Information Systems Security, 16(1), 15-
22. Retrieved August 2, 2008, doi:10.1080/10658980601051284
COMPANIES INTEGRATE ENCRYPTION/DATA LOSS PREVENTION. (2008, July).
Computer Security Update, Retrieved August 2, 2008, from Academic Search Premier
database.
Fagin, B., Baird, L., Humphries, J., & Schweitzer, D. (2008, January). Skepticism and
Cryptography. Knowledge, Technology & Policy, 20(4), 231-242. Retrieved August 2,
2008, doi:10.1007/s12130-007-9030-8
Floyd, D. (2006, Fall2006). Mobile application security system (MASS). Bell Labs Technical
Journal, 11(3), 191-198. Retrieved August 2, 2008, doi:10.1002/bltj.20188
25. Cryptography and Network Security 25
Harris, D. (2007, April 27). Has Anyone Seen My Data?. Electronic Design, 55(9), 41-46.
Retrieved August 2, 2008, from Academic Search Premier database.
Hoque, S., Fairhurst, M., Howells, G., & Deravi, F. (2005, March 17). Feasibility of generating
biometric encryption keys. Electronics Letters, 41(6), 1-2. Retrieved August 2, 2008,
doi:10.1049/el:20057524
Hughes, D. (2007, May). Cyberspace Security via Quantum Encryption. Military Technology,
31(5), 84-87. Retrieved August 2, 2008, from Academic Search Premier database.
Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.)
Advances in Cryptology—CRYPTO’03, Lecture Notes in Computer Science, vol. 2729,
pp. 110–125. Springer, Berlin (2003)
Kim, H.J., Lee, S.M., Lee, D.H.: Constant-round authenticated group key exchange for dynamic
groups. In: Lee, P.J. (ed.) Advances in Cryptology—ASIACRYPT’04, Lecture
Notes in Computer Science, vol. 3329, pp. 245–259. Springer, Berlin (2004)
Klappenecker, A. (2004, December). REMARK ON A NON-BREAKABLE DATA
ENCRYPTION SCHEME BY KISH AND SETHURAMAN. Fluctuation & Noise
Letters, 4(4), C25-C26. Retrieved August 2, 2008, from Academic Search Premier
database.
Kodaganallur, V. (2006, January). Secure E-Commerce: Understanding the Public Key
Cryptography Jigsaw Puzzle. Information Systems Security, 14(6), 44-52. Retrieved
August 2, 2008, from Academic Search Premier database.
Levy, S. (2001). Crypto: How the code rebels beat the Government - Saving privacy in the
digital age. New York: Viking Penguin Publishing.
26. Cryptography and Network Security 26
Li, C., Li, S., Zhang, D., & Chen, G. (2006, February). Cryptanalysis of a data security
protection scheme for VoIP. IEE Proceedings -- Vision, Image & Signal Processing,
153(1), 1-10. Retrieved August 2, 2008, doi:10.1049/ip-vis:20045234
Lovoshynovskiy, S., Deguillaume, F., Koval, O., & Pun, T. (2005, January). INFORMATION-
THEORETIC DATA-HIDING:: RECENT ACHIEVEMENTS AND OPEN
PROBLEMS. International Journal of Image & Graphics, 5(1), 5-35. Retrieved August 2,
2008, from Academic Search Premier database.
PERSPECTIVES FOR CRYPTOGRAPHIC LONG-TERM SECURITY. (2006, September).
Communications of the ACM, Retrieved August 2, 2008, from Academic Search Premier
database.
Pistoia, M., Chandra, S., Fink, S., & Yahav, E. (2007, April). A survey of static analysis methods
for identifying security vulnerabilities in software systems. IBM Systems Journal, 46(2),
265-288. Retrieved August 2, 2008, from Academic Search Premier database.
Pratt, M. (2006, December 4). Moving Target. Computerworld, 40(49), 39-40. Retrieved August
2, 2008, from Academic Search Premier database.
Prince, B. (2008, June 2). Playing the waiting game. eWeek, 25(17), 20-20. Retrieved August 2,
2008, from Academic Search Premier database.
Protect Those Portable Devices. (2008, May). Information Management Journal, Retrieved
August 2, 2008, from Academic Search Premier database.
Robinson, S. (2008, June). Safe and secure: data encryption for embedded systems. (Cover
story). EDN Europe, 53(6), 24-33. Retrieved August 2, 2008, from Academic Search
Premier database.
27. Cryptography and Network Security 27
S., E. (2007, February). HACK-PROOF INTERNET. Popular Science, 270(2), 48-49. Retrieved
August 2, 2008, from Academic Search Premier database.
Schneier, B. (2004, October). The Nonsecurity of Secrecy. Communications of the ACM,
47(10), 120-120. Retrieved August 2, 2008, from Academic Search Premier database.
Tafaroji, M., & Falahati, A. (2007, June). Improving code division multiple access security by
applying encryption methods over the spreading codes. IET Communications, 1(3), 398-
404. Retrieved August 2, 2008, doi:10.1049/iet-com:20060295
Toubba, K. (2006, July). Employing Encryption to Secure Consumer Data. Information Systems
Security, 15(3), 46-54. Retrieved August 2, 2008, from Academic Search Premier
database.
Walters, L. (2007, Spring2007). A Draft of an Information Systems Security and Control Course.
Journal of Information Systems, 21(1), 123-148. Retrieved August 2, 2008, from
Academic Search Premier database.
Webb, W. (2006, July 20). HACK-PROOF DESIGN. (Cover story). EDN, 51(15), 46-54.
Retrieved August 2, 2008, from Academic Search Premier database.
Young, A. (2006, March). Cryptoviral extortion using Microsoft's Crypto API. International
Journal of Information Security, 5(2), 67-76. Retrieved August 2, 2008,
doi:10.1007/s10207-006-0082-7
Zanin, G., Di Pietro, R., & Mancini, L. (2007, February). Robust RSA distributed signatures for
large-scale long-lived ad hoc networks. Journal of Computer Security, 15(1), 171-196.
Retrieved August 2, 2008, from Academic Search Premier database.