Submit Chapter 2 Draft here for review. By this time, your complete chapter 2 should be between 50 to 55 pages and at least 45 to 55 scholarly references.

RunningHead: CRYPTOGRAPHY 1

CRYPTOGRAPHY 9

Cryptography

Manikanta Rayankula

University of the Cumberlands

Cryptography

Introduction

Cyber security is now a very important issue with regard to information systems and data exchange. Today, there is a widespread reliance on the internet for both commercial and social uses. The rise in internet dependence further increases the interest of malicious persons in the data exchange process. In response to cyber security threats that now present in multiple forms, there have been proposed solutions that have been tried for the last 80 years. Of them all, cryptography has proved to be one of the most effective solutions that organizations and businesses should strive to adopt. However, the reliability of cryptography as a cyber-security tool has been criticized recently following the large data volumes being transmitted and the need for fast transmission of data. Further, availability of quantum computing causes cryptography to lose its use in the IT. There have been proposals for improving cryptography by various scholars and researchers.

The need for improved cryptography is so vivid. The value of information in 21st century continues to increase by day. At the same time, the rise in concerns about the existing assurance of security in terms of availability, integrity, confidentiality, authenticity and privacy of information and information technology systems is clear (Saeed, 2015). Therefore, while there is an increase in demand for IT applications and infrastructure, there is also a need for legally binding digital signatures that will ensure data protection at affordable prices. This will increase users’ assurance of security as they use the technology devices, systems and as they carry out serious personal communications and transactions.

What is cryptography?

Encryption is a technique known to safeguard information from third parties. This is a technique that requires individuals to encrypt data and information with some kind of algorithm that is only known by the parties involved. The individuals who are party to the information being shared are the only ones who can decrypt the information and use it. While encryption has been in use for long now, it has proved relatively ineffective in ensuring maximum protection to the information being shared. In response, strong security measures have been proposed, more powerful technique that ensures that information contained cannot be deciphered.

On a more positive notion, cryptography is very important in protecting information but from a government’s perspective, cryptography is not good because it keeps all private conversations and transaction secure and private even when criminals are involved (Claret, 2011). For law enforcement officers, criminal investigations involving crimes conducted via the internet are strongly hindered by cryptography. The varying perception of cryptography by the policy makers and the public raises question on whether cryptography should be regulated to aid in legal investigations.

Cryptography is the conversion of data from readable and understandable into unreadable and a form that cannot be understood for security purposes (Claret, 2011). Cryptography is simply the process of concealing content of messages. Cryptography is derived from Kryptos, a greek word that means hidden and graphikos which means writing (Claret, 2011). In cryptography, plaintext which is in the form of characters, numbers, pictures, words etc. is the one that is encrypted. The receiver decrypts it after receiving it. When transformed into a form that cannot be read and understood, the data is called cipher text (Kumari, 2017). It is simply meaningless and useless. Cipher text is transmitted via the network and various procedures are involved to transform plaintext into a cipher text. The process involved to convert plaintext to cipher text is called cipheris and the method is called encryption (Kumari, 2017). Encryption is therefore the mechanism through which cryptography is achieved. In order to encrypt, a key is needed. The key is basically the encryption algorithm that has to be independent of the plain text. Different keys results into different cipher texts. The receiver uses the inverse of the key used to cipher so as to decipher. Cryptography is meant to ensure data security from hackers, theft, corruption and loss.

As seen, encryption is a process involving keys and algorithms. Cryptologists continue to create stronger cryptography techniques that are hard to break. The existing cryptography techniques are nearly unbreakable. The current cryptographic methods make use of complex computations and sophisticated languages that cannot be broken even by other cryptologists (Burman, 2008).

Symmetric vs. asymmetric cryptography

In symmetric key cryptography, a secret key is used to send secret messages between two parties. In this case, both the sender and the receiver have a copy of the secret key (Kumari, 2017). In asymmetric key cryptography, both the sender and receiver of the message have two different keys (Kumari, 2017). The sender has an encryption key for encrypting the message and the receiver has a private secret key for decrypting the message.

US Department of Defense (DOD) Defense Travel System (DTS)

IN 2018, the DTS of DOD was reported to send out unencrypted email that had an attachment. The email was sent to the wrong distribution list. The organization is known for its motto which states “always faithful” (Raywood, 2018). In this context, the motto was ironical given that the breach that followed could have been prevented by a simple measure of cryptography. According to the marine forces reserve, the email exposed more than 21,000 personal information of marines, sailors, and civilians (Raywood, 2018). The data was compromised and it included social security numbers, bank details and routing numbers as well as names, addresses, names and contact details. Personal identifiable information is highly treasured by hackers.

The email that was sent out of the defense travel system. The system contains sensitive details of travels by Marine Corps as well as travel expense reimbursements (Raywood, 2018). For a defense department, location details is very crucial as it could lead to attacks. The act of sending emails to the wrong contact is similar to human error in business organizations involving the employees. This shows that while breaches are common, employees have a role to play in facilitating them and preventing them from occurring.

The breach revealed some truths about cyber security. First, there is technological, managerial and administrative limitations to secure information. In this case, the sender was performing a legitimate task but the email was sent to a legitimate email but not the intended recipient. Controls are imperative but they cannot prevent sending emails to the wrong contact. The only solution to this problem was making sure that the recipient is counterchecked. From a technological perspective, cryptography was the ultimate solution to this problem. Had the attachment been encrypted, the receiver would not have opened it without the secret decrypting key. Had cryptography been done, the breach would not have taken place.

This and other organization need to make use of proper encryption. Failure to encrypt messages gives cyber criminals an opportunity to intercept a message and read it. This is similar to sending sensitive information through unencrypted channel which attract cyber criminals. When the Marine Corps learnt about the breach, they recalled the email and reduced the number of legitimate email accounts that should receive emails from the department (Raywood, 2018). Additional security measures were also adopted.

Importance of cryptography

Cryptography puts off cyber criminals and other intruders. Cryptography works and when properly implemented, strong crypto systems are highly reliable (Domb, 2019). Cryptography, may also be referred to as end to end encryption, maximizes data security when data is in public or private cloud, in a device or being transmitted. According to a security company by the name Gemaltos Breach Level Index, about a thousand data breaches that led to compromise of 3.3 billion data occurred in 2018 (Raywood, 2018). This was more than 70 percent increase from the 2017 records. This means that more 18 million records are exposed every day that contain sensitive personally identifiable data. Surprisingly, of the data breaches, only 2 percent involved encrypted data (Raywood, 2018). This points toward the value of encryption in data security.

Organizations are called upon to leverage of cryptography so that they can protect their data. Encryption is a form of authentication which should be secretive as possible. In the event that the secret key and certificates are made accessible to all people within the organization gives them an elevated privilege of accessing messages (Burman, 2008). Organizations should not provide the access key to all employees since some could be untrustworthy. Access controls works handy with cryptography.

The fact that organizations now have volumes of data being transmitted between employees and with other organizations, it is crucial that the organization chooses what to encrypt. This is in the aim of making cryptography cost effective for the organizations. Organizations need to conduct an enterprise risk management and data governance process in order to determine what to encrypt (Domb, 2019). Ideally, not every data needs to be encrypted but this is determined by the content held with the data. Similarly, not all data sets require encryption. There is no a specific approach of determining which data to encrypt but organizations should encrypt data based on the sensitivity of details and level of risk of attack of the entire organization’s systems.

All organizations have three basic types of data: data in motion, data at rest and data in use (Jody Hair, 2018). Data in motion is data being transmitted over an organization’s network. Data at rest is data contained in data sets in the computers, storage devices, and computers. Tablets etc. data in use is the data that is presently being generated, updated, viewed etc. Each of this data category require to be protected using various forms of security methods. For instance, data at rest can be encrypted either as a file system, database, file, folder, full disk etc. data in motion including emails can be encrypted using a virtual private network, Wi-Fi protected access, secured socket layer for web browsers that are used for communication and secure shell for remotely administered systems (Jody Hair, 2018). In most cases, data in motion is encrypted using SSL and VPN since it prevent the man-in-the-middle attacks and packet sniffers.

Data in use is hard to encrypt. It requires protection from third parties especially now that cloud computing services are offered by third parties. Data in use is the hardest to protect since it has to be decrypted to be used. Servers become open to attacks such as RAM scraping (Jody Hair, 2018). RAM scraping is a technique that investigates the memory of the running web server and mines data as it gets processed in the unencrypted state.

Encryption makes data unavailable to attackers. Email encryption is probably the most popular form of encryption. Asymmetric key encryption also known as public key infrastructure is the most common form of email encryption. PKI serves to distribute and validate key. It is made up of a certificate authority that offers ad verifies digital certificates. In this case certificates are an electronic document that shows ownership rights to a public key. PKI also provides a registration authority which serves to verify the certificate of authority before an individual is issued with the digital certificate. PKI also comprises of a directory which stores public keys and lastly, it has a certificate management system (Jody Hair, 2018).

Effective cryptography

It is important to note that data security through cryptography is a process. It involves selection of an encryption methods, selection of data to encrypt among other factors. In order to effectively perform cryptography, there are seven essential elements that must be considered when building an end to end encryption process.

Collaboration is the first element to consider. An effective cryptography is an initiative of the management, IT and operations staff (Jody Hair, 2018). These are the key data stakeholders who must be involved in the program to identify the regulations, laws, guidelines and bring together resources needed. The second element is data classification. Data classification helps distinguish the data that needs to be encrypted and that which does not require. Data need to be classified on basis of their risks, security controls needed to secure them etc.

The third element is key management. As mentioned earlier, cryptography involve secret keys that should be secured. There should be a management system which shows what each key should be used for and where it should be stored as well as who should access it. The key management system should provide details of encryption key lifecycle and access management. The forth element is identification of the right encryption solution for the organization. The encryption technique selected should be tried before it is purchased from the vendor.

Access control is the fifth element to take into account. It is crucial that data is accessed by the authorized persons only by use of passwords, file permissions, and two factor authentication among others (Jody Hair, 2018). The sixth element that has to be considered is the consequence of failure to adhere to the encryption rules. Ideally, businesses must ensure that employees are informed and trained about encryption. Business partners and third parties also need to be informed about the need for compliance so that consequences of non-compliance are made clear. Lastly, SSL decryption is a very important element (Jody Hair, 2018). Organizations should strive to implement SSL encryption and decryption to ensure that malicious codes do not get into the way of their network traffic.

Conclusion

There is no ultimate security to information system and encryption does not offer a hundred percent guarantee. Attackers still try to breach networks and data even on the most secure and isolated computer systems. However, encrypting data adds on to an organization’s security measures and is just a part of the comprehensive information technology security. With adequate planning of cryptography, organizations can select from the variety of encryption choices available and utilize one that will keep it ahead of threats. Cryptography also reduces chances of non-compliance costs.

References

Alkandari, S. B. (2017). Cryptography and randomization to dispose of data and boost system security. Journal of Cogent Engineering. https://www.tandfonline.com/doi/full/10.1080/23311916.2017.1300049

Domb, M. (2019). Modern Cryptography: Current Challenges and Solutions. IntechOpen. https://www.intechopen.com/books/modern-cryptography-current-challenges-and-solutions

Faiqa Maqsood, M. A. (2017). Cryptography: A Comparative Analysis forModern Techniques. (IJACSA) International Journal of Advanced Computer Science and Applications, https://www.researchgate.net/profile/Munam_Shah/publication/318200344_Cryptography_A_Comparative_Analysis_for_Modern_Techniques/links/59a423ad0f7e9b4f7df35b74/Cryptography-A-Comparative-Analysis-for-Modern-Techniques

Jody Hair, D. O. (2018, November 6). 7 Key Elements of a Successful Encryption Strategy. Sirius Edge: IT FOCUS: https://edge.siriuscom.com/security/7-key-elements-of-a-successful-encryption-strategy

José Bacelar Almeida, M. B. (2017). Jasmin: High-Assurance and High-Speed Cryptography. CCS ’17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, (pp. 1807-23). https://dl.acm.org/doi/abs/10.1145/3133956.3134078

Kumari, S. (2017). A research Paper on Cryptography Encryption and Compression Techniques. nternational Journal Of Engineering And Computer Science ISSN:2319-7242, 6(4), 20915-919. http://www.ijecs.in/index.php/ijecs/article/view/3630/3378

Praveen Kumar, P. K. (2018). Attribute based encryption in cloud computing: A survey, gap analysis, and future directions. Journal of Network and Computer Applications, 108, 37-52.https://www.sciencedirect.com/science/article/abs/pii/S1084804518300547

Raywood, D. (2018, March 1). US Marines Confirm 21,000 Details Exposed in Data Breach. Info Security Magazine: https://www.infosecurity-magazine.com/news/marines-21000-breach/

William J. Buchanan, S. L. (2018). Lightweight cryptography methods. Journal of Cyber Security Technology, 187-201 https://www.tandfonline.com/doi/full/10.1080/23742917.2017.1384917