This report will be used in preparation for phase 2 of this project the practical implementation of a
crytopgraphic method to secure information.
Contents
Introduction ............................................................................................................................................ 3
Define the principles of information security and state measures to secure information by
demonstrating an understanding of cryptographic methods. ............................................................... 3
What is information security?............................................................................................................. 3
Cryptography and information security.............................................................................................. 3
Information security principles, aims and main components in relation to cryptography. ............... 3
Measures to secure information: ....................................................................................................... 4
Data at Rest .................................................................................................................................... 4
Data-in-Motion: .............................................................................................................................. 4
Cryptographic methods: ..................................................................................................................... 4
Hashing Encryption......................................................................................................................... 4
Symmetric Methods ....................................................................................................................... 5
Asymmetric Forms.......................................................................................................................... 6
Identify and describe security implications for modern networks. ........................................................ 6
Issues surrounding a company ........................................................................................................... 6
Passive Attacks .................................................................................................................................... 6
Eavesdropping ................................................................................................................................ 7
Man-in-the-Middle Attack ............................................................................................................. 7
Sniffer Attack .................................................................................................................................. 7
Active Attack ....................................................................................................................................... 7
Identity Spoofing (IP Address Spoofing) ........................................................................................ 8
Denial-of-Service Attack................................................................................................................. 8
Issues surrounding Bahrain mini-mail it self ....................................................................................... 8
Methodologies to secure company’s information.............................................................................. 9
Conclusion and Recommendations ...................................................................................................... 10
References ............................................................................................................................................ 11
Introduction
The aim of this report is to discuss and define information security and to find measure to secure
information in relation to cryptographic methods. Moreover, to identify risks that Bahrain Mini-
mail might have in its modern network, provide some solutions and policies implementing
cryptography. Finally to provide some recommendations for the company to have more
secure network.
The concern about securing the proper information and the personal data is increasing day
by day and the reason behind that is the increase of threats to information security from
hackers and pirates. Many organisation are having these worries about protecting their
important and sensitive data. Information security is the set of policies, standards,
technologies and management practices that are applied to secure the information. (The
Open University, 2016)
Cryptography is one of the approaches that is taken to secure the data from piracy and
make it unreadable for them. In order to secure the stored or transmitted data, it have to be
changed or hidden in a way that the unauthorised individual do not have the ability to know
its true meaning. To accomplish this, specific mathematical equations are applied, which are
difficult to solve unless some standards are met. These equations are creating the basis of
cryptography. (Rouse, 2005)
The information security principles and aims is represented by the CIA trial, which stands for
“Integrity”,” Confidentiality” and “Authentication”. This CIA is a model to show the main
purposes and goals of the Information security. The modern cryptography concerns itself
with these aims and principles. Firstly, to satisfy the confidentiality, when the encryption is
applied the information cannot be understood by anyone and just readable by the ones who
intended to have the data. Secondly, to meet the integrity, the cryptography restricts the
ability to alter or transit the data in storage without being detected. Thirdly, Authentication
is fulfilled when the encryption make the sender and receiver confirm each other’s identity
and the destination of information. Moreover, Non-repudiation is a concern also. It means
that by encrypting data, the creator and sender cannot deny that they create or transmit
the information. (Rouse, 2014)
To know how to secure information, we have to know the states that the information takes.
Data at rest, Data in use and Data in motion are states that the data take in any organization
system.
Data at Rest
When data at rest it means that the data are in a secure way stored on a hard drive.
Protecting these data by conventional perimeter-based such as anti-virus and firewalls.
However, these defenses are not enough. Additional layers of defense are needed for
protecting sensitive data in case the network is compromised. Encrypting hard drives is one
of the best ways to have more security on these data. (Identity finder, n.d.)
Data-in-Motion:
In this state, the data are at its most vulnerable. The reason is that the data is transmitting
across a network. Example of that is when sending an email. It takes long journey through
the electronic infrastructure at government facilities, universities and other network
locations. A hacker with the right tools can take the data from the email while it moves.
Transmitting data through an encryption platform is a way to have the data more secure.
(Identity finder, n.d.)
Cryptographic methods:
Hashing Encryption
By using an algorithm or hash function, the hashes are created. It is an encryption method
where hashing create a unique, fixed-length signature for a message or data set. Hashing
commonly used to compare sets of data. Any minor changes occur to a message, it causes a
huge different hash because the hash is unique to specific message. Because of that alerting
the user is very important. (Linn, 2016)
In hashing, once the data is encrypted, the process cannot be reversed or decrypted and this
is the main difference between hashing, Symmetric cryptography and Asymmetric
cryptography. This means that even if a hacker or attacker could obtain a hash, the attacker
will not have the ability to decrypt the message or know the content of it by using any
decryption method. Examples of hashing algorithms are Secure Hashing Algorithm (SHA)
and Message Digest 5 (MD5). (Linn, 2016)
MD5: it is an extension of MD4 and it is slower because it have 4 rounds unlike the MD4
which have 3. It provide security features with one way hash function. Because of
downloading files from peer to peer (P2P) servers/network, a same name files are
downloaded which make it difficult to know the original one, so having message digits is
very important to know the message authentication and as a result to prove the source
verification. (Gupta & Kumar, 2014)
SHA: It is a hash function cryptography that is used in digital certificate as well as in data
integrity. It is developed by N.I.S.T. as a U.S. Federal Information Processing Standard (FIPS).
SHA is a fingerprint that particulars the data is projected for use with digital signature
applications. Secure Hash algorithms works with messages less than 264 bits. (Gupta &
Kumar, 2014)
Symmetric Methods
Symmetric cryptography or the private-key cryptography, is one of the most secure
encryption methods and one of the oldest. It is called the private-key cryptography because
the key must be private and secured. The reason is that this key is used to encrypt and
decrypt the message, so anyone with this key could see the content of the message. The
process of the encryption is that the sender encodes a message into cipher text using a key,
and the receiver or anyone who have the key could decode it by using the same key. (Linn,
2016)
Stream cipher and block cipher are two different methods that can be used to encrypt a
message when using symmetric cryptography. The stream cipher encryption is encrypting
one character at a time as it is sent or received. On the other hand, the block cipher
encrypts fixed amount of data. Using one method over the other method depends on the
amount of data being encrypted. Examples of symmetric encryption algorithms are
Advanced Encryption Standard (AES) and Data Encryption Standard (DES). (Linn, 2016)
Data Encryption Standard (DES): DES is a block cipher, with a 56bit key and a 64-bit block
size .it contain 16-round series of substitution and permutation. Each round, the data and
key bits are shifted, XORed, permutated, and sent through, 8 s-boxes which is a set of
lookup tables that are important to the DES algorithm. In the reverse way, decryption is
done. (Soni, Agrawal & Sharma, 2012)
Advanced Encryption Standard (AES): 10, 12, or 14 rounds are used by the AES. The key
size can reach 128,192 or 256 bits depends on the number of rounds. Several stages are
made inside each round of several rounds in the AES. AES uses transformations to provide
security. Each round of AES has Substitution permutation, mixing and key adding except the
last round uses the four transformations. (Soni, Agrawal & Sharma, 2012)
Asymmetric Forms
Asymmetric or public key cryptography is encryption methods which is more secure than
the symmetric methods. The reason behind that is that Asymmetric cryptography uses two
keys, a private key and public key to achieve encryption and decryption. Major weakness in
symmetric key cryptography are avoided when using the two keys in Asymmetric key, since
it is difficult to securely manage one key among multiple users. (Linn, 2016)
The public key in Asymmetric cryptography, is available to everyone and used to encrypt
messages before sending. However, to decrypt the messages, just the one who have the
private key could decipher them. Algorithms examples that uses public key encryption is
RSA and Diffie-Hellman. (Linn, 2016)
RSA: this algorithm is based on producing large numbers that have 2 factors which are
prime numbers. It provide public and private key. The public key is available for everyone to
encrypt, but to decrypt just the one who have the private key could do that. It is possible to
generate the private key out of the public key but it is extremely difficult which make the
RSA a good choice to encrypt data. (“RSA Algorithm”, n.d.)
First of all, it is very important to understand the attacks and threats that is surrounding any
company or organization and it is the first step to stop these kinds of dangers. Some of the
attacks is going to be demonstrated and discussed which will lead to find some
methodologies to protect the company and its information.
Passive Attacks
Firstly, passive attack is kind of attacks where the hacker is listening and recording
telecommunication exchanges. A way to do that, by using a protocol analyser or other
packet capturing software, the attacker could sniff network traffic. By plugin into the
network the attacker begins capturing traffic for later analysis. Other way to do that is key
loggers, which are software to record keystrokes such as user password and ID. The aim of
this attack, regardless of the method, is to record and listen to the data passing through.
This attack could be harmful since the data that was gathered by the user is not encrypted.
(Hughes, n.d.). Some types of passive attacks will be discussed:
Eavesdropping
Most of the network communications are unsecure or “cleartext” format, which mean that
the attacker who gained access to your network have the ability to listen or read the traffic
in the data path. It is a major security issue that the administrators face. Without having
good encryption services that is built on strong cryptography, the data is readable by the
attacker while it is traveling in the network. (Microsoft, n.d.)
Man-in-the-Middle Attack
A man in the middle attack happen when there is someone between you and the person
whom you are communicating is capturing, monitoring and controlling your communication
transparently. The attacker could re-route the data exchange because communications at
low levels of network layer might do not give the computers the ability to determine with
whom it is exchanging data.
The attacker act like he is you by assuming your identity in order to read the messages. The
person on the other side might believe that it is you because the attacker is acting in a
professional way that he is you to keep the exchange of data going and getting more
information. (Microsoft, n.d.)
Sniffer Attack
Sniffer attacker is done by a device or an application which can monitor, read, and capture
data exchanges and read network packets. Encrypting data will secure your data from being
seen by the attacker unless he have the key to decrypt it. However if the data are not
encrypted, the attacker will have full view if your important and sensitive packets and data.
Using a sniffer will give the attacker many advantages, for example:
Gain your information and analyze your network which will lead to crashing or to
currupt your network.
Read the communications that you have. (Microsoft, n.d.)
Active Attack
Secondly, active attack is established either with the information gathered during passive
attack, such as passwords, or a direct attack by using technological blunt instruments.
Examples of these instruments are email phishing attacks, denial-of services attack,
password cracker, worms and many other malware attacks. The attacker aims in an active
attack is to bring a website down, destroy computing equipment or to steal information.
Even though, if the network administrator use defences against the existing attack tools, the
attacker will develop more powerful tools. (Hughes, n.d.). Some types of active attacks will
be discussed:
A valid entity can be identified by networks and operating systems by using the IP address of
a computer. It is possible that the attacker guess or assume the IP address-identity spoofing.
It is also possible that the attacker use special programs to build IP packets that appear to
originate from valid address inside the company intranet. By using the valid IP address, the
attacker can gain access to the network and modify, reroute, or delete the data. Other
attack also can be conducted. (Microsoft, n.d.)
Denial-of-Service Attack
The main purpose of the denial-of-service attack is to prevent the valid users to use the
computer or network in normal way. After getting access to the network, the attacker can
do several things from the following:
Make the internal Information Systems staff attention dispersed so that they do not
see the intrusion immediately, which gives the attacker more opportunities to make
new attacks.
Causing abnormal termination or behavior of the applications or services by Sending
invalid data to them.
Torrent a computer or the entire network with traffic until shutting down because of
the overload.
Authorized user loss the access to network resources because of blocking traffic.
(Microsoft, n.d.)
1-While the company is sending data in and out of the company, it mean that it have data in
motion. As explained previously the data in this state is in its top vulnerability. Any hacker
could sniff or listen to this sensitive information while it is moving.
2- The company has many third party clients, which are not trusted to steal or to sniff the
important data while communicating with the company (man in the middle).
3-The Company is using variety of computers and operating systems to access network,
which means that it is difficult to use the same methodologies of cryptography and ways of
encryption.
4-The employees at the company are using a user name and passwords that have been
issued by the It department. If these passwords and user names are not encrypted while it is
in the data base it will cause damage for the company. This issue is less important because
the data is at rest.
5- Allowing the free exchange of information and all users have access to most data is
another issue that the company is facing. If the information that is most important is not
encrypted it would be a problem if an employee distributed it or capture it.
The most thorough procedure is full-disk encryption. Most of the files are
permanently encrypted, even the temporary files created by the system or
applications. Also encrypt swap or hibernation files. The encryption is done
immediately while the employees are accessing new data. Using full-disk encryption
is also useful when a laptop is stolen because the hardware could be removed and
attached to another computer and allow easy access to data. (Carey, 2015)
Using Strong passwords and changing it weekly is good method for authentication.
(PANDEY, 2011)
Using robust password when using a wireless connection. (PANDEY, 2011)
Robust data encryption is effective way to secure the data in motion. (PANDEY,
2011)
Using HTTP encrypts the connection between the system and the website visited.
The HTTPS is not a guarantee that the site is save, but it can prevent the hackers
from accessing to the system through the network. (Mediati, 2011)
File encryption is another way to protect the data at rest and data in motion.
Because the file existing in an encrypted form, even if the network is not encrypted,
the file is encrypted which protect its content.
Conclusion and Recommendations
In the conclusion, a security assessment summarization will be provided. The main issues
that the company is having is the data that is moving in and out of the company, and
allowing the free exchange of the data with allowing access to most data because the
information is on motion and it will be easily captured or sniffed by the competitors. The
second less danger problems are having variety of computers and operating systems, not
updating and encrypting passwords and usernames of the employees. This data should be
secured by anti-virus and firewalls and also encrypting them because the data are at rest.
It is recommended that the company encrypt its data by using full-disk encryption, file
encryption, connected encryption and robust data encryption which will lead to have more
save data at rest and data in motion. While the company is depending on sending emails
and moving data through the network Strong encryption methods as mention is essential.
Gupta, P. & Kumar, S. (2014). A Comparative Analysis of SHA and MD5 Algorithm. Retrieved 4
January 2017, from http://ijcsit.com/docs/Volume%205/vol5issue03/ijcsit20140503398.pdf
Hughes, A. (n.d.). The Difference between Passive & Active Attacks on a Computer. Retrieved 5
January 2017, from https://www.techwalla.com/articles/the-difference-between-passive-
active-attacks-on-a-computer
Identity finder. (n.d.).Data Loss Prevention: Data-at-Rest vs. Data-in-Motion. Retrieved 5 January
2017, from
http://www.pronovus.nl/documenten/identyfinder/whitepaper_identityfinder_dlp.pdf
Linn, M. (2016). What are the Different Types of Encryption Methods? Retrieved 5 January 2017,
from http://www.wisegeek.org/what-are-the-different-types-of-encryption-methods.htm
Mediati, N. (2011). How to Use an HTTPS-Encrypted Connection When Browsing. Retrieved 5 January
2017, from
http://www.pcworld.com/article/226791/use_an_https_encrypted_connection_when_bro
wsing.html
PANDEY, S. (2011). MODERN NETWORK SECURITY: ISSUES AND CHALLENGES. Retrieved 4 January
2017, from http://www.ijest.info/docs/IJEST11-03-05-208.pdf
Soni, S., Agrawal, H., & Sharma, M. (2012). Analysis and Comparison between AES and DES
Cryptographic Algorithm. Retrieved 5 January 2017, from
http://www.ijeit.com/vol%202/Issue%206/IJEIT1412201212_64.pdf
The Open University. (2016). An introduction to information security. Retrieved 6 January 2017, from
http://www.open.edu/openlearn/science-maths-technology/computing-and-
ict/introduction-information-security/content-section-1