You are on page 1of 27

Cryptography and Network Security 1

Running head: LITERATURE REVIEW OF CRYPTOGRAPHY & NETWORK SECURITY

Literature Review of Cryptography and its Role in Network Security Principles and Practice

Daniel Lloyd Calloway

Capella University, OM8302, § 4

8 September 2008

Dr. Hannon, Instructor


Cryptography and Network Security 2

Abstract

This literature review looks at the research that has been published in the area of

cryptography as it relates to network data and global communications security. It compares and

contrasts the research pointing out overall trends in what has already been published on this

subject. It analyzes the role that cryptography has played and will play in the future relative to

security. This review addresses cryptography around the central theme of the security that it

provides or should provide individuals, corporations, and others in the modern age of computing

technology, networking, and Web-based ecommerce. By reviewing both scholarly and non-

scholarly works, it is our objective to make a case that continuing research into the use of

cryptography is paramount in preserving the future of electronic data security and privacy as well

as the continuing development of Web-based applications that will permit the growth of

ecommerce business worldwide to be conducted over the Internet.


Cryptography and Network Security 3

CONTENTS

Abstract ............................................................................................................................................2

Introduction - Early vs. Modern Cryptography .............................................................................4

Introduction - Overall Trends in the Research...............................................................................7

Scholarly Literature .......................................................................................................................10

Non-Scholarly Literature ...............................................................................................................18

Conclusions....................................................................................................................................22

References......................................................................................................................................24
Cryptography and Network Security 4

Introduction -

Early vs. Modern Cryptography

Today’s cryptography is vastly more complex than its predecessor. Unlike the original

use of cryptography in its classical roots where it was implemented to conceal both diplomatic

and military secrets from the enemy, the cryptography of today, even though it still has far-

reaching military implications, has expanded its domain, and has been designed to provide a

cost-effective means of securing and thus protecting large amounts of electronic data that is

stored and communicated across corporate networks worldwide. Cryptography offers the means

for protecting this data all the while preserving the privacy of critical personal financial, medical,

and ecommerce data that might end up in the hands of those who shouldn’t have access to it.

There have been many advances in the area of modern cryptography that have emerged

beginning in the 1970s as the development of strong encryption-based protocols and newly

developed cryptographic applications began to appear on the scene. On January, 1977, the

National Bureau of Standards (NBS) adopted a data encryption standard called the Data

Encryption Standard (DES), which was a milestone in launching cryptography research and

development into the modern age of computing technology. Moreover, cryptography found its

way into the commercial arena when, on December, 1980, the same algorithm, DES, was

adopted by the American National Standards Institute (ANSI). Following this milestone was yet

another when a new concept was proposed to develop Public Key Cryptography (PKC), which is

still undergoing research development today (Levy, 2001).

When we speak of modern cryptography, we are generally referring to cryptosystems

because the cryptography of today involves the study and practice of hiding information through
Cryptography and Network Security 5

the use of keys, which are associated with Web-based applications, ATMs, Ecommerce,

computer passwords, and the like.

Cryptography is considered not only a part of the branch of mathematics, but also a

branch of computer science. There are two forms of cryptosystems: symmetric and asymmetric.

Symmetric cryptosystems involve the use of a single key known as the secret key to encrypt and

decrypt data or messages. Asymmetric cryptosystems, on the other hand, use one key (the public

key) to encrypt messages or data, and a second key (the secret key) to decipher or decrypt those

messages or data. For this reason, asymmetric cryptosystems are also known as public key

cryptosystems. The problem that symmetric cryptosystems have always faced is the lack of a

secure means for the sharing of the secret key by the individuals who wish to secure their data or

communications. Public key cryptosystems solve this problem through the use of cryptographic

algorithms used to create the public key and the secret key, such as DES, which has already been

mentioned, and a much stronger algorithm, RSA. The RSA algorithm is the most popular form

of public key cryptosystem, which was developed by Ron Rivest, Adi Shamir, and Leonard

Adleman at the Massachusetts Institute of Technology in 1977 (Robinson, 2008). The RSA

algorithm involves the process of generating the public key by multiplying two very large (100

digits or more) randomly chosen prime numbers, and then, by randomly choosing another very

large number, called the encryption key. The public key would then consist of both the

encryption key and the product of those two primes. Ron Rivest then developed a simple

formula by which someone who wanted to scramble a message could use that public key to do

so. The plaintext would then be converted to ciphertext, which was transformed by an equation

that included that large product. Lastly, using an algorithm developed through the work of the

great mathematician, Euclid, Ron Rivest provided for a decryption key—one that could only be
Cryptography and Network Security 6

calculated by the use of the original two prime numbers. Using this encryption key would

unravel the ciphertext and transform it back into its original plaintext. What makes the RSA

algorithm strong is the mathematics that is involved. Ascertaining the original randomly chosen

prime numbers and the large randomly chosen number (encryption key) that was used to form

the product that encrypted the data in the first place is nearly impossible (Levy, 2001).

A very popular public key cryptosystem is known as Pretty Good Privacy (PGP),

developed by Phil Zimmerman beginning in early 1991 (Levy, 2001). The strength of the keys

that are created to encrypt and decrypt data or communications is a function of the length of

those keys. Typically the longer the key, the stronger that key is. For example, a 56-bit key

(consisting of 56 bits of data) would not be as strong as a 128-bit key. And, consequently, a 128-

bit key would not be as strong as a 256- or 1024-bit key.

Next, let’s address the overall trends identified in the research that has been conducted in

the field of cryptography and network security.


Cryptography and Network Security 7

Introduction -

Overall Trends in the Research

In reviewing the research that has already been published with regard to cryptography

and network security since the 1970s, some noteworthy trends have emerged.

There is a prevailing myth that secrecy is good for security, and since cryptography is

based on secrets, it may not be good for security in a practical sense (Schneier, 2004; Baker,

2005). The mathematics involved in good cryptography is very complex and often difficult to

understand, but many software applications tend to hide the details from the user thus making

cryptography a useful tool in providing network and data security (Robinson, 2008). Many

companies are incorporating data encryption and data loss prevention plans, based on strong

cryptographic techniques, into their network security strategic planning programs (Companies

Integrate, 2006). Cryptographic long-term security is needed but is often difficult to achieve.

Cryptography serves as the foundation for most IT security solutions, which include: (1) Digital

signatures that are used to verify the authenticity of updates for computer operating systems,

such as Windows XP; (2) Personal banking, ecommerce, and other Web-based applications that

rely heavily on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for

authentication and data security; and (3) The introduction of health cards that allow access to

medical history, prescription history, and medical records in countries such as Germany, which

contain the electronic health information of its citizens and which depend on digital signature

and other encryption schemes for security and privacy of critical data (Perspectives for, 2006).

There are product design criteria that designers can meet for implementing strong encryption

protocols into software applications; however, strong public-key cryptography may prove too

computationally expensive for small devices, and the alternative may be to incorporate
Cryptography and Network Security 8

cryptographic hardware into embedded designs (Robinson, 2008). Although cryptography and

information security are multi-billion dollar industries, the economy of the world and the defense

of almost every nation worldwide depend upon it and could not be carried out without it (Fagin,

Baird, Humphries, & Schweitzer, 2008). An individual’s identity in the digital world could be

controlled by what is termed the federated identity management system consisting of software

components and protocols that manage the identify of individuals throughout their identity

lifecycle (Bhargav-Spantzel, Camenisch, Gross, & Sommer, 2007). With the rise in threats to

sensitive data from outsiders, encryption is seen as a necessary tool in ensuring corporate

networks and individuals’ information is as secure as possible (Toubba, 2006). The ubiquity of

the Internet makes it extremely difficult to trace and identify intruders of corporate networks and

Internet-based businesses involved in ecommerce with the public domain. Primary security

concerns are confidentiality, data integrity, data origin authenticity, agent authenticity, non-

repudiation, and so on. Current cryptographic techniques, such as smart cards, PINs, password

authentication, etc., have performed well in keeping data secure. However, the overall security

of an encryption system depends upon its ability to keep cipher keys secret, while the typical

human behavior is to write down passwords so they aren’t forgotten, which often makes security

very vulnerable to compromise. The concept of biometric-based keys appears to be one possible

solution to this dilemma (Hogue, Fairhurst, Howells, & Deravi, 2005). Security must be the

primary design consideration from a mission-critical or safety-related product’s conception,

through design and development, production, deployment, and the end of its lifecycle.

Embedded systems that find themselves installed in devices that are an integral part of the

manufacturing, health, transportation, and finance sectors, as well as the military, without having

near-flawless strong cryptographic security built into them would be vulnerable to would-be
Cryptography and Network Security 9

hackers, organized crime, terrorists, or enemy governments (Webb, 2006; S., E, 2007). The

concept of data hiding technologies whose aim is to solve modern network security, quality of

services control, and secure communications, has been seen as a cost-effective alternative to

other means of data security, which does not require protocol modifications, and is compatible

with existing standards of multimedia compression and communications (Lovoshynovskiy,

Deguillaume, Koval, & Pun, 2005). Security is an important aspect of any network, but in

particular to wireless ad-hoc networks where mobile applications are deployed to perform

specific tasks. Since these networks are wireless, the potential for hacking into them using

mobile devices is greater as there is no clear line of defense for protecting them. The

development of the Mobile Application Security System (MASS) utilizing a layered security

approach and strong cryptographic techniques is seen as a viable low-cost solution to protecting

these application-based wireless networks (Floyd, 2006). And, finally, a new concept in

cryptographic security known as Quantum Encryption, which uses quantum fluctuations of laser

light at the physical layer introduced into existing network transmission lines is seen as a means

of enabling ultra-secure communications and near perfect security (Hughes, 2007).

It is the intent of this review of the literature to look at what has been published regarding

cryptography in recent years from the standpoint of network and data security and privacy, and

to specifically address the role that cryptography plays in enabling this security.
Cryptography and Network Security 10

Scholarly Literature

There is much skepticism surrounding cryptography. Fagin et al. (2008) indicates that

there is progress being made in this area to remove the skepticism. The National Institute of

Standards and Technology (NIST) has joined forces with the National Security Agency (NSA) to

form the “Common Criteria” process known as the Common Criteria for Information

Technology Security Evaluation 2005 whose aim it is to increase the confidence in

cryptographic and information-related security products. Additionally, the Department of

Defense (DoD) has enacted policy directives requiring Information Assurance (IA) professionals

to receive information security training in addition to basic IA training for all of its DoD

employees (Fagin et al.). Fagin et al. further notes that security today requires some level of

skepticism and critical thinking.

Bhargav-Spantzel et al. (2007) contends that there is a recent paradigm in identify

management called user-centricity identity management. The study conducted by Bhargav-

Spantzel et al. differentiated between two predominant notions: relationship-focused and

credential-focused identity management. In the former approach, a user only maintains

relationships with identity providers (IDPs) and thus every transaction providing identity

information is conveyed to the appropriate IDP. In the latter approach, the user must obtain

long-term credentials and store them in a local provider database.

Bhargav-Spantzel et al. indicates that the most predominant identity management model

on the Internet today is the silo model where users handle their own data and provide it to

organizations separately. One solution to this dilemma offered by Bhargav-Spantzel et al. is the

centralized federation model, such as Microsoft’s Passport, which removes the inconsistencies

and redundancies of the silo model and provides the Web users a seamless experience. Bhargav-
Cryptography and Network Security 11

Spantzel et al. offers a taxonomy for unifying the relationship-focused and credential-focused

identity management, and investigated the idea of a universal user-centric system, which

incorporates the current approaches. The open research question offered by Bhargav-Spantzel et

al. in their study is the search for a credential-based user-centric system that crosses the

boundaries of user-centricity. The study also supports their approach in unifying the notions in

user-centricity that could be useful in the field of user-centric federated identity management

systems (FIMS).

The study conducted by Bohli et al. (2007) examined popular proof models for group key

establishment and the tools offered for analyzing group key establishment protocols in the

presence of malicious participants. The framework introduced by Bohli et al. indicates that a

protocol proposed by Katz & Yung (2003) offer guarantees of security against a single malicious

participant, whereas a proposal offered by Kim, Lee & Lee (2004) fails to do so. Furthermore,

Bohli et al. showed that established group key establishment schemes from CRYPTO 2003 and

ASIACRYPT 2004 do not fully meet these requirements and proved a variant of the

ASIACRYPT2004 group key establishment scheme based on the Computational Diffie-Hellman

(CDH) assumption and the Random Oracle Model is secure in the strictest sense.

In the area of wireless security, Tafaroji, & Falahati (2007) proposed a means of

improving security of the code division multiple access (CDMA)—one of the most widely used

wireless air link interfaces in 3G wireless communication—by applying an encryption algorithm

over the spreading codes. In the Tafaroji et al. study the cross-correlation between outputs of

encryption algorithm causing multi-user interference was studied thoroughly, since multi-user

detection is the inherent characteristic of CDMA. A combination of encrypted and unencrypted

M-sequence is used as the spreading code to mitigate system performance. Thus Tafaroji et al.
Cryptography and Network Security 12

proposed a new method named “hidden direct sequence” to enhance the security of CDMA

systems through the application of the cryptographic algorithm in the channelization code. This

secure spectrum-spreading method prevents eavesdroppers from hearing an intercepted message,

and further prevents them from attempting to decipher the communication using the most

powerful means.

In a study conducted by Pistoia, Chandra, Fink, & Yahav (2007), three areas of security

vulnerability in software systems were analyzed. These were: access-control, information flow,

and application-programming interface conformance. Static analysis techniques were used to

analyze two major areas of access-control: stack-based and role-based access control. Static

analysis techniques were also used to address integrity violations and confidentiality violations,

which comprise information flow. The study also discussed how static analysis could be used to

verify the correct usage of security libraries and interfaces for component-based systems.

In the area of chosen ciphertext attacks (CCA), Boneh, Canetti, Halevi, & Katz (2006)

proposed a CCA-secure public-key encryption scheme based on identity-based encryption (IBE).

These schemes provide for a new paradigm for achieving CCA-security, which avoids “proofs of

well-formedness” that was the basis for previous constructions. Furthermore, by instantiating

their constructions using known IBE constructions, Boneh et al. was able to obtain CCA-secure

public-key encryption schemes whose performance was competitive with other CCA-secure

schemes already in existence.

Research conducted by Callas (2007) covered such topics as the social expectations of

cryptography, the myth of non-repudiation, the paradox of stronger keys, cryptography and

reliability, rights management, privacy enhancing technologies, new cryptographic ciphers, and

legal changes regarding cryptography. The future of cryptography is dependent on the way that
Cryptography and Network Security 13

society uses it. This relies on current laws, customs, regulations, and what we as a society expect

cryptography to do. Callas indicates that there are gaps in the research that are left to future

researchers to address. Callas points out that the concept that digital signatures, used for signing

documents and email, offer the property of non-repudiation—that the signer can’t say they didn’t

sign the document—is a myth and they present examples to further explain it. The research

goes on to explain that stronger cryptographic keys does not necessarily make the system more

secure since stronger cryptography in a chaotic system might actually promote the chaotic state;

thus the paradox of stronger keys. Callas differentiates between secure cryptography and

reliability in safety systems by noting that security systems protect against intelligent attackers

while reliability systems protect against unintelligent attackers. Ensuring the wrong people don’t

have the cryptographic keys will ensure a secure cryptographic system while making certain the

right people have the keys will ensure a reliable cryptographic system. Callas points out that the

future of cryptography is dependent upon a strong key management system that will ensure the

right people have the keys and the wrong people don’t gain access to the keys. Furthermore,

Callas shows that there is another myth that there needs to be tradeoffs between security and

privacy in the use of cryptography. They demonstrate that a cryptosystem can be private while

being secure. New ciphers such as elliptic curve, bi-linear, and quantum cryptography are

introduced in the study. And, finally, Callas points out that the way people think about data and

communications privacy and security is a reflection of changes in the law that have come about

by events like the terrorist attacks of September, 2001, and ubiquitous cryptography has played a

major role in that shift. As a result, cryptography will play a critical role in protecting

information now and in the future.


Cryptography and Network Security 14

Walters (2007) proposes a draft IS security curriculum that should be incorporated into

the core body of knowledge of the business curriculum, and proposes that additional practical

guidance to Accounting Information Security (AIS) educators who would like to incorporate IS

security into their existing curriculum needs to be undertaken.

Zanin, Di Pietro, & Mancini (2007) in their study present a new distributed signature

protocol based on the RSA cryptographic algorithm, which is suitable for large-scale ad-hoc

networks. This signature protocol is shown to be distributed, adaptive, and robust while

remaining subject to tight security and architectural constraints. The study reveals that the

robustness of this protocol scheme can be enhanced by involving only a fraction of the nodes on

the network. Zanin et al. demonstrated that their protocol scheme is correct, because it allows a

chosen number of nodes to produce a valid cryptographic signature; it is secure, because an

attacker who compromises fewer than the given number of nodes is unable to disrupt the service

or produce a bogus signature; and it is efficient, because of the low overhead in comparison to

the number of features provided.

Not only is security important in wired networks, but it is an important factor in any

network, including wireless networks. Floyd (2006) devised a cryptographic solution to securing

mobile ad-hoc networks that are especially vulnerable to malicious attacks since they possess no

clear line of defense. This cryptographic system was dubbed, the Mobile Application Security

System (MASS). This system was shown to prevent unauthorized modifications of mobile

applications by other running applications and other hosts on the wireless network, by ensuring

the mobile code was both authentic and authorized.

Employing encryption based on cryptographic algorithms to secure consumer data is of

paramount importance today, especially in the area of ecommerce on the Internet. Toubba
Cryptography and Network Security 15

(2006) stresses the importance of strong encryption key management and granular access control

to Web-based applications. Toubba shows that corporations that store, transmit, and use

consumer data must take steps to choose strong cryptographic solutions to protect this data, and

to employ complementary network security procedures to maximize the overall effectiveness of

the encryption product. Strong key management and granular access control are viewed as the

complementary network security procedures. Furthermore, in another study conducted by

Kodaganallur (2006), it was shown that the use of public key cryptography based on asymmetric

key ciphers overcomes the shortcomings of using symmetric key ciphers in isolation by enabling

confidentiality, message integrity, and authentication. Klappenecker (2004) further demonstrate

the ability to break a cryptosystem and demonstrate that the authentication problem of their

protocol that allowed them to break this seemingly “unbreakable data encryption” is fixable.

Limitations in computer platform security in the use of cryptography are demonstrated in

the study conducted by (Young, 2004). This study showed the experimental results of launching

a crypto-viral payload on the Microsoft Windows platform, specifically on the Microsoft

Cryptographic API. The study revealed that using eight types of API calls and 72 lines of C

code, the payload was able to hybrid encrypt sensitive data and hold it hostage. The researchers

in this study were able to develop a countermeasure to the crypto-viral attack, which forces the

API caller to show that an authorized party can successfully recover the asymmetrically

encrypted data.

The importance of the use of strong cryptography in voice communication can’t be

overstated. In a study conducted by Li., C, Li., S., Zhang, & Chen (2006), a new Voice-Over-

Internet Protocol (VOIP) technique with a new hierarchical data security protection (HDSP)

scheme was developed using a secret chaotic bit sequence. However, there are limitations in this
Cryptography and Network Security 16

scheme involving known chosen/plaintext attacks in which only one known chosen/plaintext

attack was sufficient to break the secret key. Additionally, brute force attacks against HDSP

indicate the security of HDSP to be weak in this regard. The researchers offer suggestions to

strengthen HDSP, but cautioned against the use of HDSP in security-sensitive applications,

especially if the secret key will be reused to encrypt more than one plaintext.

One means of strengthening data encryption and authentication in cryptosystems on

corporate networks is discussed in a study by Hogue et al. in which the feasibility of generating

biometric key encryption is presented. Experimental analysis of this study revealed encouraging

prospects for its use in modern cryptosystems.

Recent developments have shown that network security, Quality of Service (QoS) and

secure data communications over public networks (and the Internet) can benefit from theoretical

data-hiding technologies. In their study, Lovoshynovskiy et al. demonstrated that cryptographic

techniques for hiding data on heterogeneous public networks was a very cost-effective

alternative to other network security measures, which do not require significant upfront

investment, protocol modifications, and are totally compatible with existing multimedia

compression and communication standards. These data hiding techniques include state-of-the-

art watermarking, watermark-assisted multimedia processing, tamper proofing, and secure

communications.

Finally, in a study conducted by Schneier (2004), the researchers concluded that the

argument that secrecy is good for security is a myth and worthy of rebuttal. They further

demonstrated that secrecy is especially not good for security with respect for vulnerability and

reliability information. They also show that security that relies totally on secrecy is extremely

fragile, and once it is lost, there is no way to regain it. Schneier goes on to make a case that
Cryptography and Network Security 17

cryptography—since it is based on secret keys that are short, easy to transfer, and easy to

change—must rely on one of its basic principles that the cryptographic algorithm be made public

if it is to remain strong and offer good security. Using the public key system avoids the fallacy

in the argument that secrecy works. Those who oppose secrecy ignore the security value of

openness. The only reliable means to improve security is to embrace public scrutiny.

Now that we have analyzed some of the research that has been conducted and reported in

scholarly literature, let’s switch our focus and review some of the non-scholarly literature that

has been published on this topic as well.


Cryptography and Network Security 18

Non-Scholarly Literature

As pointed out in Companies Integrate (2008) many corporations are beginning to realize

that using cryptography to encrypt the PC or perimeter device is not an all-inclusive, effective

means of protecting their essential data. Taking measures to prevent data loss is also needed.

Additionally with the myriad ways of sharing data on corporate networks and the Internet that

exist today, it is time to employ strong cryptography as a means of securing the data and to

protect individuals’ privacy (Harris, 2007).

Embedded systems that are designed today depend entirely on the same technologies that

corporate IT depends upon. These technologies involve Ethernet, TCP/IP, and operating

systems. This fact suggests that embedded systems, such as mobile phones, refrigerators, smart

light switches, automobiles to military weapons are now as vulnerable to the same security

threats that have plagued corporate IT systems for many years (Robinson). The reliance on

strong cryptography is necessary to protect these embedded systems from viral and other

malicious attacks. Especially vulnerable are embedded systems that rely on wireless technology,

such as Bluetooth, Blackberry, RFID, and the like. Robinson first develops the fundamental

concepts surrounding cryptography, such as public key/private key encryption, Diffie-Hellman

Key Exchange, block ciphers, Hash algorithms, DES, AES, the implications of IP Security

(IPSEC) and Internet Key Exchange (IKE), elliptic curve cryptography, SSL/TLS used heavily

in Web-based applications, Wi-Fi, and other embedded security concerns. Next, Robinson

makes a case that developing strong encryption protocols in software for small devices may be

too cost prohibitive, and these designers should consider including cryptographic hardware in the

embedded designs.
Cryptography and Network Security 19

One of the biggest issues facing privacy and data security in the health industry today, as

pointed out by Protect Those Portable (2008), is that while the Health Insurance Portability and

Accountability Act (HIPAA) requires all medical providers in the U.S. to protect paper health

records, Federal law does not require the same protection when these records are digitally

exported to non-healthcare providers. This issue surfaces with recent partnerships such as the

AT&T/Tennessee Plan, Microsoft’s Health Vault Plan, and a recent Google partnership with a

Cleveland, OH health clinic that permit individuals to view their health record information

online. A USA Today article cited in Protect Those Portable (2008) reports that both Microsoft

and Google have assured individuals using their plans that strong cryptographic measures on the

Web will ensure their data will remain secure and private.

To echo recent studies conducted involving quantum cryptography, Hughes (2007);

Baker (2005) report recent developments in a new cryptographic protocol called Keyed

Communication in Quantum Noise (KCQ). Because KCQ uses encryption involving quantum

noise of light at the physical layer of network transmission, many scientists theorize that this new

protocol will offer greater security than heretofore secure communication systems that rely only

on cryptographic encryption technology involving mathematical cryptography complexity.

The instantiation of KCQ into existing communications at the physical layer is called the

AlphEta protocol in the United States. The AlphaEta protocol injects thousands of photons for

each logical data bit transmitted on existing networks at the physical layer. These radiation

states of multiple photons emitted by lasers are the means of information transport in the

network. These states of light—from a quantum physics standpoint—are fuzzy waves of light in

that their amplitude, phases, and polarization states do not exist in clearly quantifiable packets.

Rather, these observable characteristics are random variables, which possess means and
Cryptography and Network Security 20

variances about those means. This quantum random noise is irreducible and cannot be filtered

away. This is based on a fundamental property of quantum mechanics. This fact makes the use

of the AlphaEta protocol especially promising for securing data due to the quantum uncertainty

principle in measuring fluctuations in quantum noise polarization and phase states. Coupling the

use of the AlphaEta protocol with other stringent mathematically-complex cryptographic

algorithms forms a near perfect security cryptosystem.

Many IT professionals and information security professionals are beginning to realize the

importance of remaining current in the area of network security through the development of

information technology safeguards and corporate policies that keep companies’ information

assets secure. Since there is a greater reliance on cryptography as the means of securing those

assets more effectively, many of these professionals are turning to the non-profit organization

known as the International Information Systems Security (ISC) Certification Consortium, which

has certified more than 42,000 information security professionals in 110 countries (Pratt 2006).

Many of these IS security professionals must now manage complex applications that involve

advanced cryptosystems that help corporations comply with a growing list of federally- and

state-mandated regulations that commission strict data security and privacy.

Perspectives for (2006) reports that cryptography serves as the foundation of many IT

security systems. One of the main challenges of computer science research is maintaining

security on an ever-increasingly vulnerable IT network infrastructure, which includes

communications, commerce, public administration, medical care, politics, and education that

depend heavily on IT technology. The long-term security of these systems will also depend

extensively on cryptography.
Cryptography and Network Security 21

And, finally, Webb reports the necessity of “hack-proof” design in embedded systems.

These devices provide unattended operation for thousands of safety-related and mission-critical

systems in the medical, manufacturing, health care, transportation, finance, and military sectors.

Any one of these systems could be a potential target for hackers, organized crime, adversarial

governments, and terrorists throughout the world. It is imperative that the designers of these

embedded devices not only seek to protect the data that passes through them, but the intellectual

property itself. The use of cryptography on either a software or hardware level, or both, is seen

as the means of providing this protection.


Cryptography and Network Security 22

Conclusions

A review of the scholarly and non-scholarly literature over the past decade would suggest

that although cryptography has had its limitations on desktop PC platforms, it has played a key

role in providing strong, reliable, and robust network data security. Furthermore, network

security principles and practice depend on cryptography to function properly and reliably, and it

appears that cryptography will continue to figure prominently into the strategic IT and business

plans for the foreseeable future with regard to protecting critical financial, personal, medical,

transportation, and ecommerce data via corporate networks and click-and-mortar Internet

businesses on the World Wide Web while providing a respectable level of privacy.

Scholarly research also indicates that there are gaps in the research, especially in the area

involving credential-based user-centric identity systems that crosses the boundaries of user-

centricity, and in another area involving the way that society uses cryptography due to the

reliance on current laws, customs, regulations, and, in general, what we as a society expect

cryptography to do.

From its inception in the latter 1970s, modern-day cryptography has evolved from the

basic Data Encryption Standard that was used to secure early digital data on desktop PCs and

later networks and communications devices to the incorporation of a much stronger cryptography

involving RSA encryption and IKE, which has been used extensively in the development of

SSL/TLS and IPSec to provide a cost effective means to secure Web ecommerce applications,

mobile devices, and provide security for worldwide global communications with both

commercial and military application.

The prevailing myth that secrecy is good for security has been proved wrong with the

association that cryptosystems provide extremely strong security when these systems utilize an
Cryptography and Network Security 23

asymmetric key management system process where the public key is known to everyone and the

secret key is known only to the one who possesses it; that is to say, security is achieved when

cryptography relies on one of its most basic principles that the algorithms remain public.

Modern-day applications such as Pretty Good Privacy (PGP) attest to the power cryptography

that uses this asymmetric key system to encrypt and decipher data and electronic mail provides.

Even though cryptography is based on mathematical complexity that is not fully understood by

everyone and especially by its typical users, cryptosystems such as PGP provide an application

software interface that allows for a very user-friendly experience, which removes the complexity

while still affording the user the strong security that is required and that they demand.

Although cryptography is of paramount importance in providing crucial data security

through the use of digital signatures, state-of-the-art watermarking, data hiding, SSL/TLS, IPSec,

etc., IT network administrators and corporate CEOs should not forget that other network security

principles that don’t involve cryptography shouldn’t be pushed aside. Good network security

principles and practice should, instead, be used in conjunction with cryptography to form a more

secure complementary network security system.

And, finally, since cryptography is here to stay, many IT and IT security professionals are

becoming aware of the importance of keeping current through the development of information

technology safeguards and corporate policies that keep companies’ information assets secure.

As a result, they are turning to third-party non-profit organizations to assist in this regard.
Cryptography and Network Security 24

References

Baker, M. (2005, January). Keeping a Secret. Technology Review, 108(1), 82-83. Retrieved

August 2, 2008, from Academic Search Premier database.

Bhargav-Spantzel, A., Camenisch, J., Gross, T., & Sommer, D. (2007, October). User centricity:

A taxonomy and open issues. Journal of Computer Security, 15(5), 493-527. Retrieved

August 2, 2008, from Academic Search Premier database.

Bohli, J., González Vasco, M., & Steinwandt, R. (2007, July). Secure group key establishment

revisited. International Journal of Information Security, 6(4), 243-254. Retrieved August

2, 2008, doi:10.1007/s10207-007-0018-x

Boneh, D., Canetti, R., Halevi, S., & Katz, J. (2006, December). CHOSEN-CIPHERTEXT

SECURITY FROM IDENTITY-BASED ENCRYPTION. SIAM Journal on Computing,

36(5), 1301-1328. Retrieved August 2, 2008, doi:10.1137/S009753970544713X

Callas, J. (2007, January). The Future of Cryptography. Information Systems Security, 16(1), 15-

22. Retrieved August 2, 2008, doi:10.1080/10658980601051284

COMPANIES INTEGRATE ENCRYPTION/DATA LOSS PREVENTION. (2008, July).

Computer Security Update, Retrieved August 2, 2008, from Academic Search Premier

database.

Fagin, B., Baird, L., Humphries, J., & Schweitzer, D. (2008, January). Skepticism and

Cryptography. Knowledge, Technology & Policy, 20(4), 231-242. Retrieved August 2,

2008, doi:10.1007/s12130-007-9030-8

Floyd, D. (2006, Fall2006). Mobile application security system (MASS). Bell Labs Technical

Journal, 11(3), 191-198. Retrieved August 2, 2008, doi:10.1002/bltj.20188


Cryptography and Network Security 25

Harris, D. (2007, April 27). Has Anyone Seen My Data?. Electronic Design, 55(9), 41-46.

Retrieved August 2, 2008, from Academic Search Premier database.

Hoque, S., Fairhurst, M., Howells, G., & Deravi, F. (2005, March 17). Feasibility of generating

biometric encryption keys. Electronics Letters, 41(6), 1-2. Retrieved August 2, 2008,

doi:10.1049/el:20057524

Hughes, D. (2007, May). Cyberspace Security via Quantum Encryption. Military Technology,

31(5), 84-87. Retrieved August 2, 2008, from Academic Search Premier database.

Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.)

Advances in Cryptology—CRYPTO’03, Lecture Notes in Computer Science, vol. 2729,

pp. 110–125. Springer, Berlin (2003)

Kim, H.J., Lee, S.M., Lee, D.H.: Constant-round authenticated group key exchange for dynamic

groups. In: Lee, P.J. (ed.) Advances in Cryptology—ASIACRYPT’04, Lecture

Notes in Computer Science, vol. 3329, pp. 245–259. Springer, Berlin (2004)

Klappenecker, A. (2004, December). REMARK ON A NON-BREAKABLE DATA

ENCRYPTION SCHEME BY KISH AND SETHURAMAN. Fluctuation & Noise

Letters, 4(4), C25-C26. Retrieved August 2, 2008, from Academic Search Premier

database.

Kodaganallur, V. (2006, January). Secure E-Commerce: Understanding the Public Key

Cryptography Jigsaw Puzzle. Information Systems Security, 14(6), 44-52. Retrieved

August 2, 2008, from Academic Search Premier database.

Levy, S. (2001). Crypto: How the code rebels beat the Government - Saving privacy in the

digital age. New York: Viking Penguin Publishing.


Cryptography and Network Security 26

Li, C., Li, S., Zhang, D., & Chen, G. (2006, February). Cryptanalysis of a data security

protection scheme for VoIP. IEE Proceedings -- Vision, Image & Signal Processing,

153(1), 1-10. Retrieved August 2, 2008, doi:10.1049/ip-vis:20045234

Lovoshynovskiy, S., Deguillaume, F., Koval, O., & Pun, T. (2005, January). INFORMATION-

THEORETIC DATA-HIDING:: RECENT ACHIEVEMENTS AND OPEN

PROBLEMS. International Journal of Image & Graphics, 5(1), 5-35. Retrieved August 2,

2008, from Academic Search Premier database.

PERSPECTIVES FOR CRYPTOGRAPHIC LONG-TERM SECURITY. (2006, September).

Communications of the ACM, Retrieved August 2, 2008, from Academic Search Premier

database.

Pistoia, M., Chandra, S., Fink, S., & Yahav, E. (2007, April). A survey of static analysis methods

for identifying security vulnerabilities in software systems. IBM Systems Journal, 46(2),

265-288. Retrieved August 2, 2008, from Academic Search Premier database.

Pratt, M. (2006, December 4). Moving Target. Computerworld, 40(49), 39-40. Retrieved August

2, 2008, from Academic Search Premier database.

Prince, B. (2008, June 2). Playing the waiting game. eWeek, 25(17), 20-20. Retrieved August 2,

2008, from Academic Search Premier database.

Protect Those Portable Devices. (2008, May). Information Management Journal, Retrieved

August 2, 2008, from Academic Search Premier database.

Robinson, S. (2008, June). Safe and secure: data encryption for embedded systems. (Cover

story). EDN Europe, 53(6), 24-33. Retrieved August 2, 2008, from Academic Search

Premier database.
Cryptography and Network Security 27

S., E. (2007, February). HACK-PROOF INTERNET. Popular Science, 270(2), 48-49. Retrieved

August 2, 2008, from Academic Search Premier database.

Schneier, B. (2004, October). The Nonsecurity of Secrecy. Communications of the ACM,

47(10), 120-120. Retrieved August 2, 2008, from Academic Search Premier database.

Tafaroji, M., & Falahati, A. (2007, June). Improving code division multiple access security by

applying encryption methods over the spreading codes. IET Communications, 1(3), 398-

404. Retrieved August 2, 2008, doi:10.1049/iet-com:20060295

Toubba, K. (2006, July). Employing Encryption to Secure Consumer Data. Information Systems

Security, 15(3), 46-54. Retrieved August 2, 2008, from Academic Search Premier

database.

Walters, L. (2007, Spring2007). A Draft of an Information Systems Security and Control Course.

Journal of Information Systems, 21(1), 123-148. Retrieved August 2, 2008, from

Academic Search Premier database.

Webb, W. (2006, July 20). HACK-PROOF DESIGN. (Cover story). EDN, 51(15), 46-54.

Retrieved August 2, 2008, from Academic Search Premier database.

Young, A. (2006, March). Cryptoviral extortion using Microsoft's Crypto API. International

Journal of Information Security, 5(2), 67-76. Retrieved August 2, 2008,

doi:10.1007/s10207-006-0082-7

Zanin, G., Di Pietro, R., & Mancini, L. (2007, February). Robust RSA distributed signatures for

large-scale long-lived ad hoc networks. Journal of Computer Security, 15(1), 171-196.

Retrieved August 2, 2008, from Academic Search Premier database.

You might also like