Chapter 10 Boundary Controls. Cryptographic Controls Cryptology is the science of secret codes Cryptography deals with systems for transforming data into.

Chapter 10

Boundary Controls

Cryptographic Controls

• Cryptology is the science of secret codes

• Cryptography deals with systems for transforming data into codes

Transposition Ciphers

• Simple transposition rule is to swap the position of characters in consecutive pairs.

For example:

Peace is our objective

is coded as

Epca Esio Ruo Jbceitev

Substitution Ciphers

• Simple rule: hide identity of characters by replacing them with another character according to some rule

For example:

Letters: ABCDEFGHIJKLMNOP

Code: IDEOGRAPHYBCFJKL

GOOD DOG will be AKKO OKA

Product Cipher

• Product Cipher:Combination of substitution and transposition

Better than both and resistant to cryptanalysis

The remaining discussion assumes product cipher

Choosing a Cipher System

• Cipher System has two components– (1) an encipherment method or algorithm that

constitutes the basic cryptographic technique

– (2) a cryptographic key upon which the algorithm operates in conjunction with cleartext to produce ciphertext

5 Desirable Properties of a Cipher System

(1) High work factor (difficult to break)

(2) Small key (can be changed frequently)

(3) Simplicity (too complex = too costly)

(4) Low error propagation (if chained encryption is used)

(5) Little expansion of message size (avoid stats pkg to identify patterns of letters)

Private Key vs. Public Key

• Parties should share the same key at both ends. This make it difficult for business applications, thought it might be good for military purposes. Private key is slow

• So, we need Public Key Cryptosystems– Different keys to encrypt and decrypt

Key Management

• Key generation

• Key distribution

• Key installation

Key Generation

• 3 Questions when performing the key-generation function:– (1) What keys must be generated? (key for PIN is

different from key for other part of transaction)– (2) How should these keys be generated? (a

complete random process)

– (3) How long must the keys be? (trade off between risk and overhead , 90-bit key is good)

Key Distribution

• Different place than where was generated

• Physically carry the key or part of it

Key Installation

• Setting switches

• Turning dials

• Keypad to a temp storage

• Use of special command to link all and make it a workable key

• No wire tap between keypad and cryptographic facility

Access Controls

• Restrict use of computer system resources to authorized users

• Limit actions authorized users can take with these resources

• Ensure the users obtain only authentic computer system resources

• Are part of Op Sys or special software

Identification & Authentication

• Users can provide 3 classes of authentication information:

– Remembered information (name, account)– Possessed objects (Badge, card)– Personal characteristics (finger print)

Object Resources

• Resources users seek to employ in a computer-based information system can be classified into 4 types:– Hardware– Software– Commodities – Data

What is a good password?

Make one now

See page 381

Action Privilages

• Read– Direct read– Statistical read

• Add– Insert– Append

• Modify

Access Control Policies

Two Types:

(1) Discretionary -users can choose to share files with other users if they wish

(2) Mandatory -both users and resources are assigned fixed security attributes

Implementing Access Control Mechanism

• Open vs. Closed Environment– OPEN: users have all access unless

authorization data specifies otherwise

– CLOSED: users cannot access resources unless they have been assigned the necessary action privileges

Approaches to Authorization

Two alternatives:

(1) a “ticket-oriented” approach

(2) a “list-oriented” approach

PIN Generation & Advantages

• Derived PIN– PIN need not be stored

• Random PIN– PIN not tied to an account number

• Customer-selected PIN– PIN is easy to remember

PIN Issuance & Delivery

• Mail Solicitation

• Telephone Solicitation

• PIN entry via a secure terminal

• PIN entry at the issuer’s facility

PIN Validation

• Local PIN Validation– online or offline modes

• Interchange PIN Validation– transmission– processing– storage– change

Plastic Cards

• Application for the Card

• Preparation of the Card– embossing name, account number, exp date

• Issue of the Card– ensure cards arrives safely to user

• Use of the Card– controls seek to ensure that users safeguard

their cards