
Software Engineering 4C03: Web Encryption Software and Its Purpose

Gordon Burtch

0147045

Apr. 04, 2005

Dr. Kartik Krishman


Introduction

This report details the methods and purposes of encryption software currently employed on the World Wide Web as well as current research in the field. The purpose of this document is to inform the reader of hazards which arise with communication via the internet. This is especially relevant to transmission of sensitive data. Following an explanation of the topic, a case study is provided which serves to convey the importance of web security.

Background

Encryption may be defined as follows: the encoding of information in such a manner that only a person with the proper knowledge may decode it. This knowledge is analogous to a key for a lock. There are multiple methods of performing the encryption, all relying on the science of cryptography. Modern cryptography relies on computers to do the work: a cipher that a person can apply by hand is far too weak, because a computer can try every possible key in seconds, so modern ciphers are designed so that even a computer cannot recover the key by searching for it. There are two main groups of encryption methods in use today: Symmetric Key Encryption and Public Key Encryption.

Symmetric Key encryption occurs when each computer has the same secret key, which it uses to encrypt a piece of information before it is sent over the network to another system. This requires that you know in advance which computers will be talking to each other, so that the key can be placed on each one. It is essentially the same as a secret code that each of the two computers must know in order to decode the information. A simple illustration, often used, is to replace every character of a message with its ASCII value: the transmitted data then looks like a list of numbers, and the receiver recovers the text by converting the values back into characters. Note, however, that this is only an encoding, not encryption: there is no secret key, and anyone who knows the (publicly documented) scheme can reverse it. In a real symmetric cipher the algorithm is public and the only secret is the key. To decrypt, the inverse function is applied to the encrypted data together with the same key; without the key, the inverse cannot be computed.

Public Key encryption uses a pair of keys: a private key and a public key. The private key is known only to your computer, while the public key is advertised to the rest of the world. Any computer wishing to send data to yours encrypts it using your public key, and only the holder of the matching private key can decrypt it. Large scale Public Key encryption requires an additional factor to be feasible: digital certificates. A digital certificate is a signed statement, issued by a third party called a "certificate authority", that binds a public key to the identity of its owner, for example a Web server's domain name. The certificate authority acts as a middleman that both computers trust: it confirms the identity of the key's owner before issuing the certificate, and a browser that trusts the authority can then check the certificate's signature and be confident that the public key it received really belongs to the server, rather than to an impostor who has inserted himself into the connection.

Standard secure transactions via web browser now typically implement a combination of Public Key and Symmetric Key encryption. A fresh symmetric session key is transmitted via Public Key encryption; following this, all communication is performed via Symmetric Key encryption, which is far faster for large amounts of data.
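To make the symmetric and public key mechanisms above concrete, the following is an added example written for this page; it is not code from the report or from any product it describes. It uses only Go's standard library and runs one exchange as just described: the client draws a random symmetric session key, wraps it with the server's RSA public key (RSA-OAEP is an assumed choice), and encrypts the message with that session key using AES-GCM (also an assumed choice); the server unwraps the key with its private key and decrypts. The function names, the 2048-bit key size and the sample order text are all invented for the illustration. The certificate step that proves the public key belongs to the server is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newServerKey makes the server's long-term RSA key pair (assumed size: 2048 bits).
func newServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newSessionKey draws a fresh random 256-bit AES key for one connection.
func newSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// symmetricSeal encrypts and authenticates plaintext with AES-GCM: the algorithm is
// public, only the key is secret. Output is nonce||ciphertext||tag, fresh nonce per call.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen reverses symmetricSeal. With the wrong key, or if any byte was altered
// in transit, the tag check fails and an error comes back instead of garbage plaintext.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// wrapSessionKey is the public-key half: the client encrypts the session key to the
// server's public key with RSA-OAEP, so only the matching private key (unwrapSessionKey)
// can recover it.
func wrapSessionKey(serverPub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil)
}

func unwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, nil)
}

// hybridExchange runs one client-to-server exchange as the report describes: the session
// key travels under public-key encryption, the data under symmetric encryption.
func hybridExchange(serverPriv *rsa.PrivateKey, message []byte) ([]byte, error) {
	// Client side: only the server's public key is needed here.
	sessionKey, err := newSessionKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapSessionKey(&serverPriv.PublicKey, sessionKey)
	if err != nil {
		return nil, err
	}
	sealed, err := symmetricSeal(sessionKey, message)
	if err != nil {
		return nil, err
	}
	// Server side: recover the key with the private key, then decrypt the data.
	recoveredKey, err := unwrapSessionKey(serverPriv, wrapped)
	if err != nil {
		return nil, err
	}
	return symmetricOpen(recoveredKey, sealed)
}

func main() {
	serverPriv, _ := newServerKey()
	out, err := hybridExchange(serverPriv, []byte("BUY 100 NYSE:XYZ")) // constructed sample order
	fmt.Println(string(out), err)
}
```

Two details matter in practice and are deliberately visible here: the symmetric cipher is an authenticated one, so a wrong key or a single altered byte is reported as an error rather than silently producing wrong plaintext, and each call to symmetricSeal uses a new random nonce, so the same order sent twice does not produce the same bytes on the wire.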

Indications of 128-bit or 512-bit encryption refer to the length of the key, not to a hash value. The number of bits sets the size of the key space: a 128-bit symmetric key has 2^128 possible values, far too many for an attacker to try one by one. The figures are not comparable across methods, since public key algorithms need much longer keys for the same strength; 128 bits is a strong symmetric key, whereas 512-bit RSA keys have been factored in practice since 1999. A hash value is a separate concept, most easily described as a fixed-length summary, or fingerprint, of an input of any length, calculated via a hash algorithm. A hash algorithm is not a 1-to-1 relation but a many-to-1 relation, and a cryptographic hash is designed to be one-way: given only the hash value, there is no practical way to recover the input or to find a second input with the same value. Hashes are used alongside encryption, for example to detect tampering with transmitted data, but a hash is not itself encryption, since there is no key and nothing to decrypt.
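The following added example (not from the report) illustrates the hash properties just described with SHA-256 from Go's standard library; the function names and the sample inputs are constructed for the illustration. It shows that the digest is 256 bits regardless of the input's length, that a one-character change in the input flips roughly half of the output bits, and, as a caveat the one-way property does not cover, that an input drawn from a small set such as a four-digit PIN can still be recovered by hashing every candidate and comparing.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// digestHex returns the SHA-256 hash of s as hex. Whatever the length of s,
// the result is 256 bits (64 hex characters): the "summary" is fixed-size.
func digestHex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// differingBits counts how many of the 256 output bits differ between the
// hashes of a and b. For a cryptographic hash a tiny change in the input flips
// about half of them, so the output reveals nothing about the input.
func differingBits(a, b string) int {
	ha, hb := sha256.Sum256([]byte(a)), sha256.Sum256([]byte(b))
	n := 0
	for i := range ha {
		n += bits.OnesCount8(ha[i] ^ hb[i])
	}
	return n
}

// findPreimage shows the caveat: the hash cannot be inverted, but when the
// input comes from a small set (here, any four-digit PIN, a constructed
// example) an attacker simply hashes every candidate and compares.
// Returns the matching input, or "" if no candidate matches.
func findPreimage(targetHex string) string {
	for pin := 0; pin < 10000; pin++ {
		candidate := fmt.Sprintf("%04d", pin)
		if digestHex(candidate) == targetHex {
			return candidate
		}
	}
	return ""
}

func main() {
	fmt.Println(len(digestHex("a")), len(digestHex("a much longer message than one letter")))
	fmt.Println(differingBits("transfer 100", "transfer 101"))
	fmt.Println(findPreimage(digestHex("7351"))) // constructed sample PIN
}
```

The last function is why a bare hash of a password or PIN is not a safe way to store it: the one-way property protects a high-entropy input, but the 10,000-entry search above finishes instantly. In practice a salted, deliberately slow password hash is used for that purpose.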

Case Studies

E-Brokerage, a European based online brokerage, offers World Wide Web based securities trading for corporations and individuals on every major American and European stock exchange. A large proportion of the company's customer information is exchanged electronically via e-mail with third party companies. The broker needed to secure these data transfers for multiple reasons:

1. In order to comply with regulations governing the secure exchange of electronic information.

2. To secure confidential customer information, in keeping with customer privacy rights.

3. To protect against malicious activity founded on potentially stolen data.

E-Brokerage provides trades on Euronext, the Swedish and Luxembourg stock exchanges, the New York Stock Exchange (NYSE) and the NASDAQ. Any company within the European Union exchanging information electronically is legally required to comply with the EU privacy directive, as well as multiple country specific regulations on the same subject. This particular company exchanges thousands of e-mails a day with third parties, many of them containing confidential data. It becomes obvious, quite quickly, that encryption of that e-mail is necessary for the business to function internally, as well as in communication with its client base.

Zurich Capital Markets (ZCM) is a leading asset management firm, providing financial services worldwide to a vast number of clients from offices all over the world. The company has made use of various pieces of web restriction software for several years, understanding the importance of managed Internet use when it comes to its internal network. This understanding was based on the fact that malicious mobile code has been propagating across the internet quite rapidly and is now found on many websites.

According to the industry data cited in the case study, nearly half of all malicious mobile code is found on websites that most companies would not think to take a second look at, such as travel sites and search engines. Once the malicious code enters the network, a portion of it was found to spread worms by reading from or writing to the registry and similar activities; the larger remainder was found to be adding bookmarks, changing search pages or adding shortcuts to the desktop. ZCM employs internet monitoring software to block employee access to high risk sites in order to minimize the risk of malicious mobile code (MMC) attacks, such as web-borne viruses, Trojan horses, worms and script attacks. The software operates by identifying malicious code and entering the sites hosting it into a database on a daily basis; this database is then automatically downloaded to employee systems each day. The database adds an additional layer of security to the network by preventing employees from unknowingly accessing sites that are infected with malicious code or that distribute spyware. Such a blocklist is only as current as its last update, so it complements, rather than replaces, patching and protection on the workstations themselves.

E-Brokerage and ZCM are both examples of high risk situations relating to data transfer and corporate network security. The cases become even more extreme when it comes to matters of national security: the networks of governments and government-contracted corporations, and their weaknesses. As computing power grows, attacks that were once infeasible become practical, and it becomes increasingly difficult to maintain the level of security one would like. In keeping with this, cryptography is an area of constant, continuing research.

Future Developments

Current research into computer cryptography ranges from the highly theoretical down to the practical. Quantum cryptography, for example, is a branch of computer security which relies on the laws of quantum physics rather than on computational difficulty: in quantum key distribution, a key is sent as individual photons, and any eavesdropper who measures them disturbs their state and is detected. It does not require a quantum computer; a quantum computer is instead the threat that motivates research into new public key algorithms, since one large enough could break RSA. It does, however, require dedicated optical links. While quantum cryptography protocols have been developed and tested over relatively short distances (kilometers), they are by no means a practical method of encryption over the much larger distances required when communicating intercontinentally.

Active networking is a fairly recent development in the world of computers. Its potential for greater functionality means it will likely enter into very high usage in the near future. In an active network, packets are not simply forwarded by a router: a router on an active network has the capability of processing the data contained in a packet in an application-specific way. Active networks will allow service providers, or even users, to mold the functionality of a network to their needs by placing function-specific code into the network. Active networking is a technology that can be used to implement programmable networks, that is, networks providing a basic hardware and software infrastructure which can be dynamically adapted to the needs of the service provider or the user. They will allow dynamic service creation and deployment, i.e. a "just in time" approach to providing services in a future Internet. The concept of active networks presents a whole new facet in the study of security and cryptography, since code supplied by outside parties now executes inside the network's routers and must be authenticated and confined, and as such many corporations and a large portion of academia are researching this subject as well.


References

1. Alden W. Jackson and James P.G. Sterbenz. Active Networks: Introduction to a novel approach in computer networking. Dec. 4th, 2002. Retrieved Apr. 1st, 2005. http://www.tik.ee.ethz.ch/~iwan2002/IWAN_2002_Tutorial_on_Active_Networking.html

2. Tyson, Jeff. How Encryption Works. Retrieved March 28th, 2005. http://computer.howstuffworks.com/encryption.htm

3. PGP Corporate Publication. PGP Universal Case Study. 2004. Retrieved March 28th, 2005. http://download.pgp.com/pdfs/casestudies/PGP-UN_case_study_E-Brokerage_040510_FL.pdf

4. CSO Online Custom Publication Vol. 1 No. 1. Case Study: Zurich Capital Markets. Oct. 15th, 2003. Retrieved March 29th, 2005.
