Introduction
For the purpose of the presentation, the company that will be the focus of this project is Amazon.com. Its central offering is online shopping where consumers are able to search for the items they’d like to purchase online. They are also able to pay for their purchases online and have the items delivered to their home. In this e-business, the categories of information that may need applications of cryptography are the users’ or consumers’ passwords and their credit card or checking account numbers.
Feasible Attacks
Some of the methods that hackers can use to attack e-commerce websites such as Amazon.com include the following: Tricking the shopper; Spying on the shopper’s computer; Monitoring the network; Guessing passwords; Using denial of service attacks; Using known server bugs; and Using server root exploits (IBM, n.d.).
Social engineering techniques are used to trick the shopper. With these techniques, information about a shopper’s behavior is gathered. For example, the shopper may be tricked into going to a phishing site where the shopper’s information is gathered. The consumer may also receive a call or email from someone posing as a customer representative of a legitimate company who then obtains the consumer’s information.
Hackers can also spy on shopper’s computers especially if the users have turned off the security features that come with their computer hardware and software. In particular, hackers gain entry into the shopper’s system by using tools such as SATAN, which detects possible entry points into the system. After finding an open port and entering the system, hackers are able to scan the shopper’s file system and obtain personal information and passwords (IBM, n.d.)
Similarly, a hacker can obtain the shopper’s personal and credit card information by monitoring the data being transmitted between the server and the shopper’s computer. The hacker would most likely perform the attack near the shopper’s computer as the wireless hub that the shopper uses would most likely have its security features disabled.
The guessing of passwords is another common attack, which is done either through a manual or an automated process. Manually guessing a password is possible if the hacker knows something about the shopper; otherwise, tools can be used to come up with numerous combinations of user IDs and passwords.
On the other hand, denial of service attacks occur when hackers make the server perform a vast number of small tasks, which eventually exceeds the server’s capacity, making it unable to cope with other tasks. In the same regard, a hacker can exploit the server by determining what software was used in the site and which patches were not applied. The hacker can then exploit the server’s weaknesses through the vulnerabilities exposed by the missing patch. These are usually known server bugs. As well, the hacker can exploit the server root, which enables them to gain an almost limitless access to the server. This enables them to control all of the shoppers’ and merchants’ information on the site.
Protection through Cryptography
Cryptography is the science that deals with the various methods used “for taking legible, readable data, and transforming it into unreadable data for the purpose of secure transmission, and then using a key to transform it back into readable data when it reaches its destination” (“What is Cryptography,” 2012). It is used for messaging and email security such as S/MIME; for online orders and payments; for ensuring non-repudiation through the use of digital certificates; for securing sensitive or confidential information; for performing a certificate-based authentication process; and for ensuring the security of remote access through VPN or IPSec (OWASP, 2012).
The Applications of Keys
A good encryption scheme is one that is capable of specifying a key and altering itself so that each key creates a different encrypted data, which requires a unique key for decryption (“Basic Concepts in Data Encryption,” 1999).
Encryption keys can either be symmetrical or asymmetrical. A symmetrical key is when the same key is used for encryption and decryption whereas asymmetrical keys mean that the keys for encryption and decryption are different.
Attacks on Encrypted Data and Keys
Cryptographic attacks intend to undermine “the security of cryptographic algorithms” (Conrad, n.d., p. 2) and are used for attempting to decrypt data without the use of a key. These are parts of Cryptanalysis, “which is the art of deciphering data” (Conrad, n.d., p. 2).
Cryptographic attacks have two main classifications, namely plaintext-based attacks and ciphertext-based attacks (Conrad, n.d.). In turn, Plaintext-based attacks include known plaintext, chosen plaintext, and adaptive chosen plaintext attacks whereas Ciphertext-based attacks include ciphertext only, chosen ciphertext, and adaptive chosen ciphertext attacks. These methods serve as the foundation of cryptographic attacks.
In a known plain text attack, the cryptanalyst has access to both the plaintext and its corresponding ciphertext and tries to determine how they are correlated. In a ciphertext-only attack, the cryptanalyst does not have access to the plaintext but has access to its corresponding ciphertext. In the case of simple ciphers, frequency analysis can be used for breaking the cipher.
On the other hand, a chosen plaintext attack is used against asymmetric cryptography. In this case, the cryptanalyst has access to a public key and encrypts a plaintext of their own so that they can analyze the resulting ciphertext. In a chosen ciphertext attack, the cryptanalyst selects a ciphertext and searches for a plaintext that matches it. For this, the cryptanalyst can use a decryption oracle or a machine that is used for decrypting without needing to expose the key. This method is usually used in attacks against public key encryption.
Finally, both adaptive chosen plaintext and adaptive chosen ciphertext attacks involve the cryptanalyst choosing further plaintexts or ciphertexts based on earlier results.
Still, other types of attacks include the side channel attack, which makes use of the physical implementation of the data encryption and decryption process; the brute force attack, which is a systematic attempt at every possible key; the meet-in-the middle attack, which is used against cryptographic algorithms where multiple keys are used for encryption; and the birthday attack, which is used for discovering “collisions in hashing algorithms” (Conrad, n.d., p. 6).
Digital Encryption Standards
The Data Encryption Standard (DES) is a data encryption method that uses a private key, which the U.S. government determines to be very difficult to break and as such, is restricted from being exported to other countries (“Data Encryption Standard,” 2012). With this method, there are 72 quadrillion possible keys that can be used where the key for each message is randomly chosen. It also requires the sender and the receiver to know and use the same private key. In addition, some companies use the Triple DES, which involves the application of 3 keys in succession.
Another standard is the Advanced Encryption Standard (AES), which is expected to eventually replace DES. It is an encryption algorithm that the U.S. government agencies use to secure sensitive but unclassified data (“Advanced Encryption Standard,” 2012). This method uses a symmetric algorithm, which in turn uses block encryption that is “128 bits in size” (“Advanced Encryption Standard,” 2012) and supports “128, 192 and 256 bits, as a minimum” (“Advanced Encryption Standard,” 2012). It is available for use worldwide and is free of royalty charges. It offers sufficient security that provides data protection for the next twenty to thirty years. Moreover, it can easily be implemented in software, hardware, and even in restricted environments.
Password-based Encryption
Password-based encryption is implemented to enable users to encrypt and decrypt their files with a key or password that they can easily remember and that would ensure the security of those files (Atreya, 2003). With the password based encryption method, the algorithm creates a secret key based on a password that the user provides. For this, the PKCS #5 and #12 standards are used for defining how a symmetric key can be created with the use of a password. In addition, a good algorithm for encrypting passwords is one that generates the key through the combination of the password with a random number referred to as the salt. Without a salt, a brute force attack can be used to search for the key-space.
Systems such as local file encryption tools use the password-based encryption method for ensuring the confidentiality of data and for protecting the user’s private key store. It should also be noted that user prompted passwords are usually a subset of UTF-8 or ASCII, which enables inter-operability (Atreya, 2003).
Good Passwords
A good password must consist of at least six to eight characters and should be a combination of numbers, lowercase letters, and at least two uppercase letters (“What Makes a Good Password Good,” 2012). It should not be obvious and instead, should consist of random characters. In particular, a good password should not be the name of a pet or a child. Rather, it would be best if the password were not a real thing, place, person, or word.
Based on Microsoft’s rules for creating passwords (“What Makes a Good Password Good,” 2012), a password should have at least six characters, should not contain the or any part of the user’s full name, and should contain at least 3 of the 4 class characteristics, which are the following: Non-alphanumeric characters or symbols and punctuation marks; numerals; English lowercase; and English uppercase.
Crypto Accelerators
With encryption routines being the most costly operations that a Web server performs, the implementation of cryptographic accelerators can help reduce the load that a secure web server has to process. This is accomplished through the implementation of hardware that is specifically intended to handle CPU-intensive operations (MacVittie, 1999). With the use of cryptographic accelerators, server response times are improved and the number of connections that the Web server can handle at the same time is increased.
References
Advanced encryption standard (AES). (2012). Retrieved from
http://searchsecurity.techtarget.com/definition/Advanced-Encryption-Standard
Atreya, M. (2003, January). Introduction to password based encryption. Retrieved from
http://www.eetimes.com/electrical-engineers/education-training/tech-
papers/4134121/Introduction-to-Password-Based-Encryption
Basic concepts in data encryption: Key-based encryption. (1999). Retrieved from
http://library.thinkquest.org/27158/concept2_1.html
Conrad, E. (n.d.). Types of cryptographic attacks. Retrieved from http://www.giac.org/cissp-
papers/57.pdf
Data encryption standard (DES). (2012). Retrieved from
http://searchsecurity.techtarget.com/definition/Data-Encryption-Standard
IBM. (n.d.). E-commerce security: Attacks and preventive strategies. Retrieved from
http://www.ibm.com/developerworks/library/co-0504_mckegney/index.html
MacVittie, L. (1999, April 19). Cryptographic accelerators provide quick encryption. Retrieved
OWASP. (2012, February 26). Guide to cryptography. Retrieved from
https://www.owasp.org/index.php/Guide_to_Cryptography
What is cryptography? (2012). Retrieved from http://www.wisegeek.org/what-is-
cryptography.htm
What makes a good password good. (2012). Retrieved from
http://www.practicallynetworked.com/sharing/good_passwords.htm
