5 Essential Basic Security Concepts
This article will describe the basic concepts in any given security architecture. There are multitudes of security concepts available, however this article will provide only some general concepts that are used extensively by all security models.
Cryptography
Cryptography is the science of encryption and decryption of data. Usually data is in its raw form, which can be easily read by any person. Such data is not secure because hackers can break in and read it. If you can disguise the data in a format that does not make sense, you have successfully encrypted it. Figure illustrates the encryption process.
Encrypting clear text data results in encrypted text,also called cipher text. Generally, the idea behind encryption is to hide the data from everybody except those people who should read it. People for whom the data is intended should be aware of the process to convert the encrypted text back to its original format, also called decryption. Figure illustrates this process.
Cryptography actually uses mathematics to encrypt and decrypt data. You can send such encrypted data across the Internet without worrying about the packets being sniffed because even if hackers can sniff the data, they won’t know the correct mechanism to decrypt it.
Conventional cryptography uses the concept of symmetric key encryption, in which a single key is used for both encrypting clear text and decrypting cipher text.
One example of conventional cryptography is Caesar’s cipher, which uses the concept of “shift by three” encryption. Using Caesar’s cipher, the letters in the English alphabet are replaced by the third letter down to the right of the letter. In other words, if you encrypt the word password, you get sdvvzrug, which is cipher text. To decrypt this, you have to use the same “shift by three” key in reverse. In other words, you shift three letters up to the left. This is a very simple example of symmetric key encryption. There are other encryp-tion standards, such as DES (Data Encryption Standard), that use a much more complex encryption mechanism.
If you use symmetric encryption standards, you must share a key with the recipient. As long as the key is kept secret between the two parties, the communication between them is relatively secure. However, there is an inherent problem with this mechanism. If a hacker sniffs out the key value while you are sharing it with the recipient, the security of the cipher text is compromised.
In public key cryptography also known as asymmetric cryptography, Public key cryptography uses a pair of keys to encrypt clear text. A public key and a private key comprise the pair. The public key is normally used to encrypt the data, while the private key is used to decrypt the data. The concept behind asymmetric encryption is that once you generate a pair of keys, you share your public key with the rest of the world and keep your private key a secret.
Public key cryptography eliminates the need to secretly share a single key between two parties (as in the case of symmetric encryption) because the public key can be freely distributed. It also eliminates another inherent problem of symmetric encryption—maintaining multiple keys for different people.
Authentication
Authentication is a process that uses an account name and a password to identify a user. There are different types of authentication, which range from a simple mechanism, such as an account name and a password, to complex authentication, such as biometrics.
Authorization
Authorization is a security measure that is employed by a security model after it authenti- cates a user’s identity. This measure is also called access control in some security implemen- tations. The goal of authorization is to provide limited or predefined access to a user. Predefined access is based on an access control list, which maps the user’s identity to a list of resources that the user can access.
Audits
The goal of auditing within a security model is to set up an account quota for every user to limit the consumption of a resource. Auditing also ensures that most of the actions the user performs within the security model are logged so that they are traceable.
Public Key Infrastructure
PKI (Public Key Infrastructure) is a set of technologies and tools that provide secured communication for the system. It is responsible for verifying the confidentiality and authenticity of data between two communication end points. PKI uses the following three technologies based on cryptography to generate a security component.
- Symmetric key ciphers
- Asymmetric key ciphers
- One-way hash functions
The PKI infrastructure uses one-way hash functions for authentication purposes. The first time an account is created within a system, a one-way hash function encrypts the password for the account and stores it within a system database. The next time the user tries to access the system, the PKI model asks him or her to enter the account name and password.
Digital Certificates
- The concept of digital certificates was introduced to solve this problem. Digital certificates are based on the concept of a digital signature, which is a unique electronic fingerprint that can be assigned to a particular user. You can identify the authenticity of the user by verifying his or her digital signature.
- A certifying authority that vouches for the authenticity of the key can obtain these digital signatures. Usually, a certifying authority requires your public key and other relevant data such as your name, social security number, or any other unique identity that establishes your presence.
- Once you submit your public key and the relevant data, the certifying authority creates a digital certificate that contains your public key, a digital signature, an expiration date for the certificate, and the detailed information about the holder of the public key.
- This certificate can then be used as a verification tool to ensure that the public key really belongs to the person it represents. A hacker cannot tamper with such digital certificates. Verisign is one such third-party certifying authority that issues certificates conforming to International Telecommunications Union (ITU) Telecommunication Standardization (ITU-T) X.509 version 3.