Chapter 10 Boundary Controls
Dec 21, 2015
Cryptographic Controls
• Cryptology is the science of secret codes
• Cryptography deals with systems for transforming data into codes
Transposition Ciphers
• A simple transposition rule is to swap the positions of characters in consecutive pairs.
For example:
Peace is our objective
is coded as
Epca Esio Ruo Jbceitev
Substitution Ciphers
• Simple rule: hide identity of characters by replacing them with another character according to some rule
For example:
Letters: ABCDEFGHIJKLMNOP
Code: IDEOGRAPHYBCFJKL
GOOD DOG will be AKKO OKA
Product Cipher
• Product Cipher: combination of substitution and transposition
• Better than both and resistant to cryptanalysis
• The remaining discussion assumes a product cipher
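Added example (not part of the original slides): the pair-swap transposition and the substitution table above, composed into a toy product cipher with its decryption. It goes beyond the slides by extending the 16-letter table to A-Z, on the assumption that the Code row is the start of a keyword alphabet built from IDEOGRAPHY; all function names are illustrative.

```python
import string

PLAIN = string.ascii_uppercase

def keyword_alphabet(keyword):
    """Keyword letters first (repeats dropped), then the unused letters A-Z in order."""
    if not (keyword.isascii() and keyword.isalpha()):
        raise ValueError("keyword must contain ASCII letters only")
    return "".join(dict.fromkeys(keyword.upper() + PLAIN))

# Assumption: the slide's Code row is the first 16 letters of this alphabet.
CODE = keyword_alphabet("IDEOGRAPHY")

def substitute(text, src=PLAIN, dst=CODE):
    """Monoalphabetic substitution; characters outside src (spaces) pass through."""
    return text.upper().translate(str.maketrans(src, dst))

def transpose(text):
    """Swap consecutive pairs, spaces included; an odd final character stays put."""
    chars = list(text)
    for i in range(0, len(chars) - 1, 2):
        chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)

def encrypt(cleartext):
    """Product cipher: substitution stage, then transposition stage."""
    return transpose(substitute(cleartext))

def decrypt(ciphertext):
    """Undo the stages in reverse order; the pair swap is its own inverse."""
    return substitute(transpose(ciphertext), src=CODE, dst=PLAIN)

if __name__ == "__main__":
    print(CODE[:16])                            # compare with the slide's Code row
    print(transpose("PEACE IS OUR OBJECTIVE"))  # slide's transposition example
    print(substitute("GOOD DOG"))               # slide's substitution example
    msg = "PEACE IS OUR OBJECTIVE"
    ct = encrypt(msg)
    print(ct, "->", decrypt(ct))
    # Transposition alone keeps every letter count; substitution alone keeps
    # repeated-letter patterns (the OO in GOOD is still a doubled letter in AKKO).
    print(sorted(transpose(msg)) == sorted(msg))
```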
Choosing a Cipher System
• A cipher system has two components:
– (1) an encipherment method or algorithm that constitutes the basic cryptographic technique
– (2) a cryptographic key upon which the algorithm operates in conjunction with cleartext to produce ciphertext
5 Desirable Properties of a Cipher System
(1) High work factor (difficult to break)
(2) Small key (can be changed frequently)
(3) Simplicity (too complex = too costly)
(4) Low error propagation (if chained encryption is used)
(5) Little expansion of message size (avoid stats pkg to identify patterns of letters)
Private Key vs. Public Key
• Parties should share the same key at both ends. This makes it difficult for business applications, though it might be good for military purposes. Private key is slow.
• So, we need Public Key Cryptosystems
– Different keys to encrypt and decrypt
Key Generation
• 3 questions when performing the key-generation function:
– (1) What keys must be generated? (key for PIN is different from key for other part of transaction)
– (2) How should these keys be generated? (a complete random process)
– (3) How long must the keys be? (trade-off between risk and overhead; 90-bit key is good)
Key Distribution
• Different place than where the key was generated
• Physically carry the key or part of it
Key Installation
• Setting switches
• Turning dials
• Keypad to a temp storage
• Use of special command to link all and make it a workable key
• No wire tap between keypad and cryptographic facility
Access Controls
• Restrict use of computer system resources to authorized users
• Limit actions authorized users can take with these resources
• Ensure the users obtain only authentic computer system resources
• Are part of the operating system or special software
Identification & Authentication
• Users can provide 3 classes of authentication information:
– Remembered information (name, account)
– Possessed objects (Badge, card)
– Personal characteristics (fingerprint)
Object Resources
• Resources users seek to employ in a computer-based information system can be classified into 4 types:
– Hardware
– Software
– Commodities
– Data
Access Control Policies
Two Types:
(1) Discretionary - users can choose to share files with other users if they wish
(2) Mandatory - both users and resources are assigned fixed security attributes
Implementing Access Control Mechanism
• Open vs. Closed Environment
– OPEN: users have all access unless authorization data specifies otherwise
– CLOSED: users cannot access resources unless they have been assigned the necessary action privileges
Approaches to Authorization
Two alternatives:
(1) a “ticket-oriented” approach
(2) a “list-oriented” approach
PIN Generation & Advantages
• Derived PIN
– PIN need not be stored
• Random PIN
– PIN not tied to an account number
• Customer-selected PIN
– PIN is easy to remember
PIN Issuance & Delivery
• Mail Solicitation
• Telephone Solicitation
• PIN entry via a secure terminal
• PIN entry at the issuer’s facility
PIN Validation
• Local PIN Validation
– online or offline modes
• Interchange PIN Validation
– transmission
– processing
– storage
– change
Plastic Cards
• Application for the Card
• Preparation of the Card
– embossing name, account number, exp date
• Issue of the Card
– ensure card arrives safely to user
• Use of the Card
– controls seek to ensure that users safeguard their cards