Our last few articles have dealt with the science and technology of Biometrics. To review, it is merely the Verification and/or Identification of an individual based on their unique physiological traits or even behavioral mannerisms.
This is probably one of the best forms of Security technology to use because it is probably the only mechanism available which provides irrefutable proof into the identification an individual.
However, just like anything else, it too has its flaws. As it was stated throughout, Biometrics should never be relied upon as the sole mean of defense. Rather, it should only be relied upon as a providing another extra layer of Security in addition to what is already available at the business or corporation. In this regard, Biometrics becomes what is known as a “Multimodal Security Solution.”
The primary advantage of this is that if one layer of defense is penetrated, then the Biometrics layer will come to help prevent the Cyber attacker from breaking into the lines of defenses.
In this fashion, there are many Biometric modalities which can be used, which fall into the general categories of Physical Biometrics and Behavioral based Biometrics. As it was also reviewed, the most widely used modalities are that of Fingerprint Recognition, Iris Recognition, Vein Pattern Recognition (which is a non-contactless technology -in other words, there is no direct contact from the end user to the Biometric Sensor), and to a lesser extent, Facial Recognition (which in of itself is a very controversial type of modality).
A Biometrics procurement and deployment project can be extremely complex, and also quite expensive if it is not planned out properly in detail. This is where the role of the Biometrics Project Management plan comes into play.
It is a very exhaustive and proven methodology which allows for the C-Level Executive to properly plan out how Biometrics will meet the new Security requirements of their business or corporation.
However, keep in mind also, there is also the social impact of Biometrics. Unlike other Security technologies which are available in the marketplace today, Biometrics has a very strong impact (and most of the time a negative one) upon the end user.
The primary reason for this is that it is a piece of our physiological or behavioral selves which is being captured by the device and we have no control over that.
Apart from the hardware aspect of a Biometrics procurement and deployment project is the software side as well. This aspect includes any associated applications (such as the Graphical User Interface) and the database. The latter is probably the most important, as it houses both the Enrollment and Verification Templates, and also from where these transactions occur to confirm the identity of the individual in question.
Included in this is the networking side of Biometrics as well. As it was also reviewed, a Biometric System can either be linked together via a Peer to Peer Network or even in a Client-Server fashion.
When the Biometric Templates are traversed across the network medium, they are stored and contained in the Data Packet. In this regard, it is the Data Packet which also needs further protection, which is where the role of Cryptography comes into play.
This is the topic and focal for the next series of articles, and this one will specifically address the following items:
An Introduction to Cryptography Message Scrambling and Descrambling Encryption and Decryption Ciphertexts Symmetric and Asymmetric Key SystemsFor a quick primer into Cryptography, click here:
http://resources.infosecinstitute.com/cryptography-fundamentals-part-1/#gref
An Introduction to CryptographyCryptography is the science that dates all the way back to the times of Julius Caesar. In its simplest form, the science Cryptography is merely the scrambling and the descrambling of a text or written message between two individual parties.
These individual parties can also be referred to the sender and the receiver. It is the former which creates the text or the written message that needs to be sent, and in turn, it is the latter that receives the text or the written message, and then reads it and appropriately responds.
In normal, everyday communications, we always trust that the individual party who is receiving the text or the written message will receive it accordingly, without any type or kind of problem. Although this mostly happens in our daily lives, given especially the high-tech world in which we live in, this sometimes does not occur.
When this actually occurs, we always assume that that the worst has always occurred. However, what is the worst that could happen? The text or the written message could be intercepted by a third party, and maliciously used.
Again, in normal everyday conversations, while we would normally trust the other end (the receiving party) from keeping the details of the conversation privileged, there is always that chance that a third party could also be covertly listening in and use that very privileged information for the purposes of personal gain or exploitation, such as that of Identity Theft.
We can also extend this example to that of electronic communications of all types. For example, when hit the “send” button, what assurances do we have that the receiving party will get our message or that it will not be intercepted by a third party? Obviously, we cannot really ensure any kind of safety, especially when it comes to electronic communications, such as that of E-Mail.
However, the only thing that can be guaranteed is that if any type of message were to be captured by a third party, it would be rendered to be useless. How is this accomplished? It is done by the scrambling and the descrambling of the text or the written message, while it is still in transit.
Message Scrambling and DescramblingAt this point, the text or the written message must be unscrambled for it to make comprehensible sense for the receiving party. For example, a very simple example of this is the message “I Love You.” The sending party would scramble this message by rearranging the letters to read “UYO I VEOL.” This message would then stay in the scrambled format while it is in transit until it is received by the receiving party.
They would then descramble it so that it would read again “I Love You.” Thus, if this message were to have been captured by a third party, the content would be rendered useless and totally undecipherable to the third party.
This in very simple terms is the science of Cryptography. It is basically the art of scrambling and in turn, the descrambling of the text or the written message into a readable and comprehensible format again.
Specifically, Cryptography can be defined as the “practice and study of techniques for secure communication in the presence of third parties (called adversaries). More generally, it is about constructing and analyzing that overcome the influence of adversaries and which are related to the various aspects of data confidentiality, data integrity, authentication, and repudiation”. (SOURCE: 1).
Encryption and DecryptionRegarding Cryptography, the terms of scrambling and descrambling have much more specific terms associated with them. Respectively, scrambling and descrambling are also known as “Encryption” and “Decryption.”
Thus, for instance, the written message of “I Love You” when scrambled by the sending party becomes what is known as the “Encrypted Message”. This means that this written message has been disguised in such a manner that it would be totally meaningless, or in terms of Cryptography, it would be rendered as “undecipherable.”
Also, encryption can be further defined as a “conversion of information from a readable state to apparent nonsense.” (SOURCE: 2). Now, when the receiving party receives this encrypted message, it must be descrambled into an understandable and comprehensible state of context. This is a process of descrambling is known specifically as “Decryption.”
So, rather than saying that Cryptography is the science of scrambling and descrambling, it can now be referred to as the science of encryption and decryption. There are also specific terms which are used for the encrypted message as well the decrypted message.
For example, the decrypted message, when returned to its original or plain state of context, is also known as the “Ciphertext” or the “Plaintext.”
CiphertextsEthical Hacking Training Resources (InfoSec)
When the decrypted message is again encrypted into a state of context which is totally incomprehensible and indecipherable, this is known as the “Ciphertext.” Thus, to illustrate this with the previous example, when the sending party creates the written message of “I Love You,” this is the Plaintext or the Cleartext.
Once this message is encrypted into the format of UYO I VEOL, and while it is in transit, it becomes known as the Ciphertext. Then, once the receiving party gets this Ciphertext and then decrypts into a comprehensible and understandable form of “I Love You,” this message then becomes the Plaintext, or the Cleartext once again.
At this point, the question that often gets asked is, how does the sending party actually encrypt the text or the written message, and how does the receiving party then actually decrypt the Ciphertext?
Well, in its simplest form, the text or the written message is encrypted via a special mathematical formula. This formula is specifically known as the “Encryption Algorithm.” Because the Ciphertext is now encrypted by this special mathematical algorithm, it would be rendered useless to a third party with a malicious intent because of its totally garbled nature.
As the receiving party gets the Ciphertext, it remains in its garbled format, until it is descrambled. To do this, a key is used, which is only known by the sending party and the receiving party. Regarding Cryptography, this key is also known as the “Cipher,” and it is usually a short string of characters that is needed to break the Ciphertext.
As it will be examined later, interestingly enough, the Encryption Algorithm is actually publicly known and is available for everyone to use. Therefore, the key or the Ciphertext must remain a secret between both the sending party and the receiving party.
To send the Ciphertext between, the sending party and the receiving party and to share the keys that are needed to encrypt and decrypt the Ciphertext, specific Cryptographic systems are needed. Today, there are two such types of Cryptographic systems which are in existence. They are specifically known as the following:
Symmetric Key Systems; Asymmetric Key Systems. Symmetric and Asymmetric Key SystemsThe primary difference between these two types of Cryptographic systems is that the former (Symmetric) uses only one key for encryption and decryption, which is also known as the “Private Key” of the Ciphertext. With the latter, two types of keys are utilized for both the encryption and decryption of the Ciphertext, and these are known as the “Public Key” and the “Private Key.”
We will now take a look in further detail at both of these Cryptographic Systems, first starting with Symmetric Key Systems. One of the simplest methodologies with this is that of the Caesar Cipher, which is very often attributed to Julius Caesar (thus its name); and will be detailed in the next article.
ConclusionsAs the world moves towards a realm where all forms of communications and commerce transactions are achieved from a technological standpoint (such as using a Smartphone), the need to protect these lines of communications becomes even more critical. For example, given the extremely advanced Cyber-attacks of today, anything can be intercepted and hijacked very covertly, and there may even be a huge time lag from when the business/corporation or even an individual will even realize that they have become a victim.
In this regard, the advanced uses of Cryptography become absolutely critical. As it has been reviewed in this article, in its simplest form, it is the process of scrambling a line of communications so that it is rendered in a garbled and useless state until it reaches the hands of the receiver. From here, it is then descrambled and assembled into a decipherable format.
However, the world of Cryptography is a complex one, and there are many principles of it which can be applied in varying levels and formats. We will continue with this topic into the next article, with a review of the Caesar Methodology, the types of Cryptographic Attacks, Polyalphabetic Encryption, Block Ciphers, Initialization Vectors, etc.
Sources Computer Networking: A Top Down Approach , Kurose, J.F., and Ross, K.W., Pearson Education, 2008. Computer Networking: A Top Down Approach , Kurose, J.F., and Ross, K.W., Pearson Education, 2008. https://www.cl.cam.ac.uk/~rja14/Papers/SE-05.pdf http://citeseer.ist.psu.edu/viewdoc/download?doi=10.1.1.99.2838&rep=rep1&type=pdf ftp://ftp.pgpi.org/pub/pgp/6.5/docs/english/IntroToCrypto.pdf https://www.entrust.com/wp-content/uploads/2013/05/cryptointro.pdf https://www.nhk.or.jp/strl/publica/bt/bt12/pdf/le0012.pdf https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf https://www.usenix.org/legacy/event/sec11/tech/full_papers/Green.pdf https://www.cs.umd.edu/~jkatz/papers/id-cca.pdf http://crypto.stanford.edu/~dabo/papers/ccaibejour.pdf http://www.engr.uconn.edu/~zshi/course/cse5302/ref/CSurveys_SymmAsymEncrypt-simmons.pdf https://www.cs.utexas.edu/users/byoung/cs361/lecture44.pdf https://pdfs.semanticscholar.org/d139/89613117ab2cfcf25bb0bfbb94dc71360bad.pdf