SECURITY:
Identification:
Various identification methods are used in
pervasive devices. One is user have to type the one which is stored in the
device otherwise the user can be identified using certificates.
Authentication:
The most common way of authenticating peers is by
using user name and password. For a client server connection authentication is
ensured by establishing secure socket layer. WTLS is used in WAP phones.
Wireless Authentication Module (WIM) is for smart cards. SIMs will be
authenticating the mobile terminal in GSM network.
When smart card at the client and authentication
software is installed in the server then the server will produce a challenge to
the client and in return the client gives the signature and the certificate
which will be checked by the server.
Authorization:
Authorization is based on from which device the
user is accessing. In a banking transaction, If the user access from PC using
user identification and password and this will be the same for user from WAP
phone, PDAs but when user is from normal telephone then there is no entry for
user identification and password.
Transaction Authorization:
The applications such as home-banking, placing
orders, brokerage should authorize every individual transaction.
Digital Signature Endorsed by a
Password:
Digital
signature ensures that the particular request or message comes from the
authorized user since the user will be having the unique key from which a token
will be generated and the token generates the required signature which will be
passed to the server for verifying the transaction.
Transaction Authorization Number:
TAN (in blocks) is a secret number generated for
legitimate users in an organization. The users have to acknowledge immediately
after receiving the TAN and the user should ensure that it will be kept secret.
Whenever the user contacts the server, TAN should be entered which will be
compared with the stored one.
Non-Repudiation:
User A denying user B and user B denying user A is
called non-repudiation. This can be avoided by using efficient digital
signature.
2. Device Security
Trojan Horses
A Trojan
horse, or Trojan, is a
non-self-replicating type of malware which gains privileged access to the
operating system while appearing to perform a desirable function but instead
drops a malicious payload, often including a backdoor allowing unauthorized
access to the target's computer. These backdoors tend to be invisible to
average users, but may cause the computer to run slow. Trojans do not attempt
to inject themselves into other files like a computer virus. Trojan horses may
steal information, or harm their host computer systems. Trojans may use
drive-by downloads or install via online games or internet-driven applications
in order to reach target computers.
Security in WAP phones
WTLS is the layer that provides most of the
security functionalities for WAP applications. These functionalities include
client-server mutual authentication, privacy, data integrity, and non-repudiation.
WTLS and TLS: The
design of WTLS is based upon TLS (Transport Layer Security) that is in turn built upon SSL (Secure Socket Layer). TLS has
become de facto security protocol for ensuring end-to-end security for Internet
communications. Similar to TLS, WTLS requires the client and the server
negotiate and agree on a set of security parameters during the handshake before
the communicate channel can be established. Once handshake succeeds, the client
and the server can exchange information using the secrets known to both ends of
the channel. Since WTLS resembles TLS so much, one could consider that the WTLS
provides the same level of security as TLS does. However, due to the
limitations of wireless communications and the modifications WTLS made to
accommodate to these limitations, it has been shown that WTLS is vulnerable to
a variety of known attacks such as plaintext recovery attacks and datagram
truncation attacks.
Security in PDAs
Downloading
and installing arbitrary software makes prone Trojan horse attacks.
3. Server Side Security
4. Cryptographic Algorithms:
A
cryptographic algorithm, or cipher, is a mathematical function used in the
encryption and decryption process. A cryptographic algorithm works in combination
with a key—a word, number, or phrase—to encrypt the plaintext. The same
plaintext encrypts to different ciphertext with different keys. The security of
encrypted data is entirely dependent on two things: the strength of the
cryptographic algorithm and the secrecy of the key. A cryptographic algorithm,
plus all possible keys and all the protocols that make it work comprise a
cryptosystem
Symmetric cryptographic algorithm:
In secret
key cryptography, a single key is used for both encryption and decryption. The
sender uses the key (or some set of rules) to encrypt the plaintext and sends
the cipher text to the receiver. The receiver applies the same key to decrypt
the message and recover the plaintext. Because a single key is used for both
functions, secret key cryptography is also called symmetric encryption. With
this form of cryptography, it is obvious that the key must be known to both the
sender and the receiver; that, in fact, is the secret. The biggest difficulty
with this approach, of course, is the distribution of the key.
Asymmetric cryptographic algorithm:
Public or
asymmetric key cryptography involves the use of key pairs: one private key and
one public key. Both are required to encrypt and decrypt a message or
transmission. The private key, not to be confused with the key utilized in
private key cryptography, is just that, private. It is not to be shared with
anyone. The owner of the key is responsible for securing it in such a manner
that it will not be lost or compromised. On the other hand, the public key is
just that, public. Public key cryptography intends for public keys to be
accessible to all users. In fact, this is what makes the system strong. If a
person can access anyone public key easily, usually via some form of directory
service, then the two parties can communicate securely and with little effort,
i.e. without a prior key distribution arrangement.
Data Encryption Standard (DES):
DES is
the archetypal block cipher — an algorithm that takes a fixed-length string of
plaintext bits and transforms it through a series of complicated operations
into another cipher text bit string of the same length. In the case of DES, the
block size is 64 bits. DES also uses a key to customize the transformation, so
that decryption can supposedly only be performed by those who know the
particular key used to encrypt. The key ostensibly consists of 64 bits;
however, only 56 of these are actually used by the algorithm. Eight bits are
used solely for checking parity, and are thereafter discarded. Hence the
effective key length is 56 bits
Triple Data Encryption Standard (Triple DES):
AES:
AES is
based on a design principle known as a substitution-permutation network, and is
fast in both software and hardware. Unlike its predecessor DES, AES does not
use a Feistel network. AES is a variant of Rijndael which has a fixed block
size of 128 bits, and a key size of 128, 192, or 256 bits.
RSA:
Digital Signature:
Elliptic Curve Cryptography:
Public-key
cryptography is based on the intractability of certain mathematical problems.
Early public-key systems are secure assuming that it is difficult to factor a
large integer composed of two or more large prime factors. For
elliptic-curve-based protocols, it is assumed that finding the discrete
logarithm of a random elliptic curve element with respect to a publicly known
base point is infeasible. The size of the elliptic curve determines the
difficulty of the problem. The primary benefit promised by ECC is a smaller key
size, reducing storage and transmission requirements—i.e., that an elliptic
curve group could provide the same level of security afforded by an RSA-based
system with a large modulus and correspondingly larger key—e.g., a 256-bit ECC
public key should provide comparable security to a 3072-bit RSA public key.
For current cryptographic purposes, an
elliptic curve is a
plane curve which consists of the
points satisfying the equation
along
with a distinguished point at infinity, denoted ∞. (The coordinates here are to
be chosen from a fixed finite field of characteristic not equal to 2 or 3, or
the curve equation will be somewhat more complicated.)
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.