5 Essential Basic Security Concepts in Cyber Security


This article will describe the basic concepts in any given security architecture. There are multitudes of security concepts available, however this article will provide only some general concepts that are used extensively by all security models.

Cryptography

Cryptography is the science of encryption and decryption of data. Usually data is in its raw form, which can be easily read by any person. Such data is not secure because hackers can break in and read it. If you can disguise the data in a format that does not make sense, you have successfully encrypted it. The following figure illustrates the encryption process.

[Figure: cryptography encryption process]

Encrypting clear text data results in encrypted text, also called cipher text. Generally, the idea behind encryption is to hide the data from everybody except those people who should read it. People for whom the data is intended should be aware of the process to convert the encrypted text back to its original format, also called decryption. The following figure illustrates this process.

[Figure: cryptography decryption process]

Cryptography actually uses mathematics to encrypt and decrypt data. You can send such encrypted data across the Internet without worrying about the packets being sniffed because even if hackers can sniff the data, they won’t know the correct mechanism to decrypt it.

To better understand the process of cryptography, you need to understand how a cryptographic algorithm, also called a cipher, works. A cipher is a mathematical algorithm that encrypts and decrypts the data. A cipher requires a key, which can be either a number or a string. The cipher uses the key to encrypt the clear text.

Conventional cryptography uses the concept of symmetric key encryption, in which a single key is used for both encrypting clear text and decrypting cipher text.

[Figure: symmetric key encryption]

One example of conventional cryptography is Caesar’s cipher, which uses the concept of “shift by three” encryption. Using Caesar’s cipher, each letter in the English alphabet is replaced by the third letter down to the right of it. In other words, if you encrypt the word password, you get sdvvzrug, which is cipher text. To decrypt this, you have to use the same “shift by three” key in reverse. In other words, you shift three letters up to the left. This is a very simple example of symmetric key encryption. There are other encryption standards, such as DES (Data Encryption Standard), that use a much more complex encryption mechanism.
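The “shift by three” cipher described above, written out as an added example (not code from the original article). It generalizes to any shift key, and the function names are assumptions made for this illustration.

```python
def shift_cipher(text: str, key: int) -> str:
    """Shift each ASCII letter by `key` places, wrapping around the alphabet.

    Case is preserved; digits, spaces and punctuation pass through unchanged.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            # Python's % always returns a non-negative result, so a negative
            # key (used for decryption) wraps correctly as well.
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(clear_text: str, key: int = 3) -> str:
    """Caesar's cipher is the special case key=3."""
    return shift_cipher(clear_text, key)


def decrypt(cipher_text: str, key: int = 3) -> str:
    """Symmetric: the same key is applied in the opposite direction."""
    return shift_cipher(cipher_text, -key)


if __name__ == "__main__":
    cipher_text = encrypt("password")
    print(cipher_text)                  # sdvvzrug
    print(decrypt(cipher_text))         # password
    # A recipient holding a different key does not recover the clear text.
    print(decrypt(cipher_text, key=4))  # ozrrvnqc
```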

If you use symmetric encryption standards, you must share a key with the recipient. As long as the key is kept secret between the two parties, the communication between them is relatively secure. However, there is an inherent problem with this mechanism. If a hacker sniffs out the key value while you are sharing it with the recipient, the security of the cipher text is compromised.

Public key cryptography, also known as asymmetric cryptography, uses a pair of keys to encrypt clear text. A public key and a private key comprise the pair. The public key is normally used to encrypt the data, while the private key is used to decrypt the data. The concept behind asymmetric encryption is that once you generate a pair of keys, you share your public key with the rest of the world and keep your private key a secret.

Public key cryptography eliminates the need to secretly share a single key between two parties (as in the case of symmetric encryption) because the public key can be freely distributed. It also eliminates another inherent problem of symmetric encryption—maintaining multiple keys for different people.

Authentication 

Authentication is a process that uses an account name and a password to identify a user. There are different types of authentication, which range from a simple mechanism, such as an account name and a password, to complex authentication, such as biometrics.

Authorization 

Authorization is a security measure that is employed by a security model after it authenticates a user’s identity. This measure is also called access control in some security implementations. The goal of authorization is to provide limited or predefined access to a user. Predefined access is based on an access control list, which maps the user’s identity to a list of resources that the user can access.

Audits

The goal of auditing within a security model is to set up an account quota for every user to limit the consumption of a resource. Auditing also ensures that most of the actions the user performs within the security model are logged so that they are traceable.

Public Key Infrastructure

PKI (Public Key Infrastructure) is a set of technologies and tools that provide secured communication for the system. It is responsible for verifying the confidentiality and authenticity of data between two communication end points. PKI uses the following three technologies based on cryptography to generate a security component.

  • Symmetric key ciphers
  • Asymmetric key ciphers
  • One-way hash functions

Symmetric and asymmetric key ciphers were explained earlier, in the “Cryptography” section. One-way hash functions use a cryptographic algorithm, which encrypts clear text to cipher text; there is no decryption process. In other words, once the clear text is encrypted, it is relatively impossible to decrypt the cipher text. Such one-way hash functions can be used to store account passwords in a database so that even if there is a security breach of the passwords, it is impossible to decrypt them.

The PKI infrastructure uses one-way hash functions for authentication purposes. The first time an account is created within a system, a one-way hash function encrypts the password for the account and stores it within a system database. The next time the user tries to access the system, the PKI model asks him or her to enter the account name and password. 

Once the user does this, the password is encrypted using a one-way hash function, and the resulting cipher text is compared with the cipher text stored in the system database. If the cipher text matches, the user is permitted to access the system. One-way hash functions always generate the same cipher text for the given clear text, and the cipher text for two different pieces of clear text data is never equal. PKI uses these cryptographic technologies to ensure the privacy of data on a communication channel and security within the network.
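The store-then-compare login flow described above, as an added example that is not part of the original article. The per-account random salt, the PBKDF2 work factor and the constant-time comparison are additions beyond what the text describes; the function names and the in-memory dictionary standing in for the system database are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor assumed for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: the same password and salt always give the same digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(db: dict, name: str, password: str) -> None:
    """First use: store only the salt and the digest, never the password."""
    if name in db:
        raise ValueError("account already exists")
    salt = os.urandom(16)  # random per account, so equal passwords differ on disk
    db[name] = (salt, hash_password(password, salt))


def login(db: dict, name: str, password: str) -> bool:
    """Later use: hash the submitted password again and compare digests."""
    record = db.get(name)
    if record is None:
        # Do the same amount of work for unknown accounts so that response
        # time does not reveal which account names exist.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored_digest = record
    candidate = hash_password(password, salt)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(stored_digest, candidate)


if __name__ == "__main__":
    database = {}
    create_account(database, "alice", "correct horse battery staple")
    print(login(database, "alice", "correct horse battery staple"))  # True
    print(login(database, "alice", "wrong guess"))                   # False
```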

Digital Certificates 

The “Cryptography” section already explained the concept of public key ciphers. You’ll recall that a public key cipher is an asymmetric encryption algorithm consisting of a pair of keys to secure data—a public key and a private key. As the holder of the private key, you are the only person who can decrypt data. There is an inherent problem with this mechanism. How can the sender of the data know that the public key really belongs to you? In reality, there is no way by which the sender can confirm this. The sender trusts that the key belongs to you and performs the relevant task. If a public key that is created by a hacker replaces your public key, the information sent will be compromised.

  • The concept of digital certificates was introduced to solve this problem. Digital certificates are based on the concept of a digital signature, which is a unique electronic fingerprint that can be assigned to a particular user. You can identify the authenticity of the user by verifying his or her digital signature.
  • A certifying authority that vouches for the authenticity of the key can obtain these digital signatures. Usually, a certifying authority requires your public key and other relevant data such as your name, social security number, or any other unique identity that establishes your presence. 
  • Once you submit your public key and the relevant data, the certifying authority creates a digital certificate that contains your public key, a digital signature, an expiration date for the certificate, and the detailed information about the holder of the public key. 
  • This certificate can then be used as a verification tool to ensure that the public key really belongs to the person it represents. A hacker cannot tamper with such digital certificates. Verisign is one such third-party certifying authority that issues certificates conforming to International Telecommunications Union (ITU) Telecommunication Standardization (ITU-T) X.509 version 3.
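The issue-and-verify flow from the list above, as an added example that is not part of the original article and not how any real certifying authority is implemented. It uses unpadded textbook RSA with two small, publicly known primes purely so it runs with the standard library; the field names, the “Example Toy CA” issuer and the placeholder key strings are constructed for illustration.

```python
import hashlib
import json
from datetime import date

# Toy CA key pair (constructed): two known Mersenne primes, far too small
# for real use. Real CAs use vetted libraries, padding and large keys.
P, Q = 2**127 - 1, 2**89 - 1
CA_N, CA_E = P * Q, 65537                 # CA public key, known to everyone
CA_D = pow(CA_E, -1, (P - 1) * (Q - 1))   # CA private key, kept secret


def _digest(fields: dict) -> int:
    """Hash the certificate fields in a canonical order, reduced mod CA_N."""
    body = json.dumps(fields, sort_keys=True).encode("utf-8")
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % CA_N


def issue_certificate(holder: str, holder_public_key: str, not_after: str) -> dict:
    """CA side: bind the holder's identity and public key with a signature."""
    fields = {
        "holder": holder,
        "public_key": holder_public_key,
        "not_after": not_after,           # expiration date, ISO format
        "issuer": "Example Toy CA",
    }
    return {"fields": fields, "signature": pow(_digest(fields), CA_D, CA_N)}


def verify_certificate(cert: dict, today: str) -> str:
    """Sender side: needs only the CA's public key (CA_N, CA_E)."""
    fields = cert["fields"]
    if pow(cert["signature"], CA_E, CA_N) != _digest(fields):
        return "bad signature"            # some field was changed after issuance
    if date.fromisoformat(today) > date.fromisoformat(fields["not_after"]):
        return "expired"
    return "valid"


if __name__ == "__main__":
    cert = issue_certificate("alice", "ALICE-PUBLIC-KEY-PLACEHOLDER", "2030-01-01")
    print(verify_certificate(cert, "2025-06-01"))      # valid
    # Swapping in a different public key invalidates the CA's signature.
    swapped = {"fields": dict(cert["fields"], public_key="OTHER-KEY-PLACEHOLDER"),
               "signature": cert["signature"]}
    print(verify_certificate(swapped, "2025-06-01"))   # bad signature
    print(verify_certificate(cert, "2031-01-01"))      # expired
```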