CCS362_SPC_Notes_Unit_1.pdf

Cloud security involves measures and technologies to protect online resources from threats like data leakage and theft, utilizing tools such as firewalls, access control, and data protection methods like encryption and VPNs. It also addresses risks from malware and ransomware, emphasizing the importance of disaster recovery and DDoS protection. Effective security practices include multi-layered defenses, strict access controls, and compliance with standards such as NIST, ensuring confidentiality, integrity, and non-repudiation in data exchanges.

Uploaded by thumilvannan

Security & Privacy in Cloud

Unit 1 - Fundamentals of Cloud Security Concepts

What is cloud security?


Cloud security is the set of control-based security measures and technology protections designed to protect resources stored online from leakage, theft, and data loss. Protection covers data, cloud infrastructure, and applications against threats. Security applications are delivered as software in the same way as the SaaS (Software as a Service) model.

How to manage security in the cloud?


Cloud service providers have many methods to protect the data.

The firewall is the central part of cloud architecture. The firewall protects the network and the perimeter of end-users. It also protects traffic between various apps stored in the cloud.

Access control protects data by allowing us to set access lists for various assets. For example, you can allow an application for specific employees while restricting others. The rule is that employees can access only the equipment they require. Maintaining strict access control keeps essential documents from being stolen by malicious insiders or hackers.

Data protection methods include Virtual Private Networks (VPN), encryption, and masking. A VPN allows remote employees to connect to the network, and it accommodates tablets and smartphones for remote access. Data masking maintains the data's integrity by keeping identifiable information private. A medical company can share data with data masking without violating the HIPAA laws.

For example, intelligence information is ranked in order of its importance to security, which helps to protect mission-critical assets from threats. Disaster recovery is vital for security because it helps to recover lost or stolen data.

Benefits of Cloud Security System

Understanding how cloud computing security operates helps find ways to benefit your business.

Cloud-based security systems benefit the business by:

○ Protecting the business from dangers
○ Protecting against internal threats
○ Preventing data loss

Top threats to the system include malware and ransomware.

Malware and Ransomware attacks

Malware poses a severe threat to businesses.

More than 90% of malware comes via email. It is worryingly common for employees to download malware without analysing it. Once downloaded, the malicious software installs itself on the network to steal files or damage content.

Ransomware is malware that hijacks a system's data and asks for a financial ransom. Companies are reluctant to pay a ransom, yet they want their data back.

Data redundancy gives you an alternative to paying a ransom for your data: you can recover what was stolen with minimal service interruption.

Many cloud data protection solutions identify malware and ransomware. Firewalls keep malicious email out of the inbox.

DDoS Security

In a Distributed Denial of Service (DDoS) attack, a website is flooded with requests. The website slows down until it crashes because it cannot handle the number of requests.

DDoS attacks come with many serious side effects. Most of the companies suffering from DDoS attacks lose $10,000 to $100,000. Many businesses suffer reputation damage when customers lose confidence in the brand. If confidential customer data is lost through a DDoS attack, the company may face further challenges.

Because of the severity of these side effects, some companies shut down after DDoS attacks. It is to be noted that the last DDoS attack lasted for 12 days.

A cloud security service monitors the cloud to identify and prevent attacks. The cloud service providers protect the cloud service users in real time.

Threat detection

Cloud computing detects advanced threats by using endpoint scanning for threats at the device level.

B2B Advanced Communications provides a multi-layer approach to securing messages and other data with identification, authentication, authorization, confidentiality, data integrity, and non-repudiation.

The security management functions include these commonly accepted aspects of security:

Identification and authentication

Identification is the ability to uniquely identify a user of a system or an application that is running in the system. Authentication is the ability to prove that a user or application is genuinely who that person or what that application claims to be.

Authorization

Authorization protects critical resources in a system by limiting access only to authorized users and their applications. It prevents the unauthorized use of a resource or the use of a resource in an unauthorized manner.

Confidentiality

The confidentiality mechanisms protect sensitive information from unauthorized disclosure.

Data integrity and nonrepudiation

The data integrity and nonrepudiation mechanisms detect whether unauthorized modification of data occurred.

Security mechanisms are standards that are used to ensure secure operations and communications. A mechanism might operate by itself, or with others, to provide a particular service. Some of the security mechanisms that are used by B2B Advanced Communications to keep your data secure are:

○ Authenticating all users and organizations through credentials, such as user name and password pairs.
○ Enforcing session timeout limits after which a user is automatically logged out of B2B Advanced Communications.
○ Ensuring that data is validated each time a trust boundary is crossed. Messages (including payloads) are validated at both entry to and exit from B2B Advanced Communications.
○ Providing access control and authorization for resources and operations by running processes that use accounts with minimal privileges and access rights. Additionally, access to administrative functions is restricted to users with Master Account Administrator and System Administrator privileges. Access control also enforces data confidentiality.
○ Predefining access privileges by adding each user to a group for which permissions are assigned by user role.
○ Protecting data at rest by enabling encryption by default and setting properties to provide the necessary default certificates.
○ Using Secure Sockets Layer (SSL) to exchange messages securely over the transport protocol.
○ Setting a connection timeout after which the connection attempt is abandoned if the connection is not established.
○ Providing secure mechanisms to audit, log, and monitor security-related events. Effective auditing and logging is the key to nonrepudiation. Nonrepudiation ensures that a partner cannot deny sending or receiving a message.
○ AS4 security logging is done by publishing visibility events of the audit event type. These events are published after AS4 security processing and contain the X.509 certificate that was used for the digital signature, the digest algorithm, the message digest, the user subject, and the source IP.
○ Establishing trust boundaries to indicate where trust levels change from the perspective of confidentiality and integrity. For example, a change in access control levels in your application, where a specific role or privilege level is required to access a resource or operation, is a change in trust level. Another example is an entry point in your system where you might not fully trust the data that is passed to the entry point.
○ Identifying trust boundaries from a data flow perspective. For each component, the system considers whether the upstream data flow or user input is trusted, and if it is not, the data flow and input can be authenticated and authorized.
○ Storing user passwords in encrypted form in the database.

B2B Advanced Communications also provides these methods that you can use to secure
your data:

○ Ensure message confidentiality by converting the contents to ciphertext with XML encryption. This encryption ensures that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers.
○ Ensure message integrity and authentication by signing a message with a digital signature. This signature confirms the source of the message and detects whether the contents were altered in transit.
○ Identify and reject messages that are resubmitted (duplicate messages) to defend against message replay attacks.
○ Use the secure HTTPS protocol to transmit messages when they are transmitted to and from your partners. HTTPS, a combination of Hypertext Transfer Protocol (HTTP) and Secure Sockets Layer (SSL), is the industry standard for securing information that is transmitted between partners.
○ Use the SFTP protocol to transfer files between you and your partners. SFTP is a full file system protocol that is secured with Secure Shell (SSH).
○ Set the maximum size of a message request. This message validation measures the message size against the criteria you specify, and any request that is larger than the specified size limit is rejected.
○ Set the maximum size of message payloads to prevent denial of service caused by a large payload exhausting system resources.
○ Allow user authentication checking through the system or a user exit, with either an X.509 certificate or a user name token, or both.
○ Allow user credential SSH authentication for SFTP with either a password or a public key, or both.
○ Allow the signing of outbound exchanges with an X.509 certificate to ensure message integrity and prevent data modification in transit.
○ Specify that inbound messages must be signed, and specify the signature hash to be used. For NIST compliance, you must specify a higher key strength algorithm (for example, SHA256) in the conformance policy.
○ Ensure high availability of the system for legitimate users. The goal for many attackers in denial of service attacks is to disable an application or overwhelm it so that other users cannot access it.
○ Use digital certificates for identity authentication, and select the certificate based on alias name and function usage (such as sign, verify, encrypt, decrypt, SSL client).
○ Allow authentication by using the certificate issuer and serial number to return the unique subject.
○ Allow authentication by using a user name and password token to return the unique subject.
○ Allow authentication by using an X.509 certificate to return the unique subject.
○ Allow authentication by using a certificate subject key identifier or thumbprint to return the unique subject.
○ Allow SSH authentication with an SSH public key.
○ Trust received public certificates by using the configured CA store and Certificate Revocation Lists (CRLs).
○ Create security policies (for AS2) or conformance policies (for AS4) that specify security aspects and settings to secure communication with your partners. Security policies can include whether:
  ■ HTTP or HTTPS basic authentication is required
  ■ Signed messages are required
  ■ Signed Message Disposition Notifications (MDNs) are required
  ■ Messages are required to be encrypted
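As an added example (not the product's own code), a small Python gate that applies the message-size limits, the policy's signature and encryption requirements, and duplicate-message rejection described in the list above; the policy fields, message fields and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple


@dataclass
class SecurityPolicy:
    """Constructed stand-in for an AS2 security / AS4 conformance policy."""
    max_request_bytes: int = 2_000_000
    max_payload_bytes: int = 1_000_000
    require_signature: bool = True
    require_encryption: bool = True


@dataclass
class InboundMessage:
    """What the gate knows about a received exchange after transport processing."""
    message_id: str
    request_bytes: int        # size of the whole request as received
    payload_bytes: int        # size of the business payload inside it
    signature_valid: bool     # True only if a signature was present and verified
    encrypted: bool


@dataclass
class MessageGate:
    policy: SecurityPolicy
    seen_ids: Set[str] = field(default_factory=set)

    def validate(self, msg: InboundMessage) -> Tuple[bool, str]:
        """Return (accepted, reason). Checks run cheapest-first so an oversized
        request is dropped before any cryptographic work is spent on it."""
        if msg.request_bytes > self.policy.max_request_bytes:
            return False, "request exceeds maximum size"
        if msg.payload_bytes > self.policy.max_payload_bytes:
            return False, "payload exceeds maximum size"
        if self.policy.require_signature and not msg.signature_valid:
            return False, "valid signature required by policy"
        if self.policy.require_encryption and not msg.encrypted:
            return False, "encryption required by policy"
        # The replay check runs only after the signature check, so an unsigned
        # forgery cannot poison the seen-id set and block a partner's real message.
        if msg.message_id in self.seen_ids:
            return False, "duplicate message id (possible replay)"
        self.seen_ids.add(msg.message_id)
        return True, "accepted"


def demo() -> list:
    """Constructed sample exchange: a good message, the same id re-sent,
    an unsigned message, and an oversized request."""
    gate = MessageGate(SecurityPolicy())
    msgs = [
        InboundMessage("msg-001", 120_000, 100_000, True, True),
        InboundMessage("msg-001", 120_000, 100_000, True, True),      # replay
        InboundMessage("msg-002", 120_000, 100_000, False, True),     # unsigned
        InboundMessage("msg-003", 5_000_000, 4_900_000, True, True),  # too big
    ]
    return [gate.validate(m) for m in msgs]
```

In a real deployment the seen-id set must be persisted and bounded (for example by a time window), or a restart would re-open the replay window.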

These are some effective security methods in B2B Advanced Communications:

○ Use multiple layers of security to circumvent unauthorized interception of data if one layer is bypassed or compromised. For example, use digital signatures to sign your message and also encrypt the message.
○ Give each user the least amount of access necessary.
○ Use Public Key Infrastructure (PKI) keys and certificates at two levels: the transport level (HTTP transport with SSL or SFTP transport with SSH), and the message level (by using XML signature and XML encryption elements or SSH authentication).
○ Set user account policies that define a secure password for your systems. Some things to consider when you create a password policy are:
  ■ Enforcing password history to establish how frequently old passwords can be reused.
  ■ Setting a minimum password age to determine how long users must keep a password before they can change it. This minimum age prevents users from bypassing the password policy.
  ■ Setting a maximum password age to determine how long users can keep a password before they must change it.
  ■ Setting password length and complexity requirements, such as requiring at least 6 characters.
  ■ Ensuring your policy is updated and distributed to all users.
  ■ Establishing regular policy review milestones.
  ■ Tracking user compliance to the policy and managing policy violations.
○ Associate a user credential with an SSH public key for SSH authentication.
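As an added example (not from the page or the product), the password-policy rules listed above (history, minimum age, maximum age, length) enforced in Python; the history depth, the age limits and the letters-and-digits complexity rule are assumptions, and the fixed-label SHA-256 stands in for a proper password hash.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 6       # the page's example: at least 6 characters
    history_size: int = 5     # current + 4 previous passwords may not be reused (assumed)
    min_age_days: int = 1     # must keep a password this long before changing it (assumed)
    max_age_days: int = 90    # must change it after this many days (assumed)


@dataclass
class UserRecord:
    current_hash: str
    history: List[str]        # hashes of earlier passwords, newest first
    last_changed: date


def pw_hash(password: str) -> str:
    """Constructed stand-in so the history never stores plaintext. A real system
    uses a per-user salt and a slow password hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(b"demo-label:" + password.encode()).hexdigest()


def check_complexity(password: str, policy: PasswordPolicy) -> Tuple[bool, str]:
    """Length rule from the page plus an assumed letters-and-digits rule."""
    if len(password) < policy.min_length:
        return False, f"shorter than {policy.min_length} characters"
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return False, "must contain both letters and digits"
    return True, "ok"


def is_expired(user: UserRecord, today: date, policy: PasswordPolicy) -> bool:
    """Maximum age: the user must change the password once it is this old."""
    return (today - user.last_changed).days > policy.max_age_days


def evaluate_change(user: UserRecord, new_password: str, today: date,
                    policy: PasswordPolicy) -> Tuple[bool, str]:
    """Decide whether a requested password change satisfies the policy."""
    ok, reason = check_complexity(new_password, policy)
    if not ok:
        return False, reason
    # Minimum age stops a user cycling through passwords to get back to an old one.
    if (today - user.last_changed).days < policy.min_age_days:
        return False, "minimum password age not reached"
    recent = [user.current_hash] + user.history[: policy.history_size - 1]
    if pw_hash(new_password) in recent:
        return False, "password was used recently"
    return True, "accepted"


def apply_change(user: UserRecord, new_password: str, today: date,
                 policy: PasswordPolicy) -> UserRecord:
    """Return the updated record, pushing the old hash onto the bounded history."""
    ok, reason = evaluate_change(user, new_password, today, policy)
    if not ok:
        raise ValueError(reason)
    history = ([user.current_hash] + user.history)[: policy.history_size - 1]
    return UserRecord(pw_hash(new_password), history, today)


def demo() -> dict:
    """Constructed scenario: current password 'old1pass', previously 'older2pw'."""
    policy = PasswordPolicy()
    user = UserRecord(pw_hash("old1pass"), [pw_hash("older2pw")], date(2024, 1, 1))
    feb1 = date(2024, 2, 1)
    results = {
        "reuse_current": evaluate_change(user, "old1pass", feb1, policy),
        "reuse_previous": evaluate_change(user, "older2pw", feb1, policy),
        "too_short": evaluate_change(user, "ab1", feb1, policy),
        "no_digit": evaluate_change(user, "abcdef", feb1, policy),
        "too_soon": evaluate_change(user, "fresh9pw", date(2024, 1, 1), policy),
        "accepted": evaluate_change(user, "fresh9pw", feb1, policy),
        "expired_apr15": is_expired(user, date(2024, 4, 15), policy),
        "expired_mar1": is_expired(user, date(2024, 3, 1), policy),
    }
    updated = apply_change(user, "fresh9pw", feb1, policy)
    results["old_blocked_after_change"] = evaluate_change(
        updated, "old1pass", date(2024, 3, 1), policy)
    return results
```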
Securing AS2 security policies

Security policies establish guidelines to govern and ensure secure partner communications via AS2. You can create, update, and remove AS2 security policies.

Authentication overview

B2B Advanced Communications provides several mechanisms to secure messages, including authentication.

Securing system settings

Canonicalization is a process for converting data that has more than one physical representation into a standard format that is known as Canonical XML.

Securing digital certificates

A digital certificate is a set of electronic data that uniquely identifies an organization. The certificate contains a public key for the organization, and is digitally signed by a trusted party to bind the public key to the organization.

Securing certificate revocation lists

The certificate authority (CA) that issues a digital certificate can revoke the certificate any time the certificate's validity ends before its actual expiration date. For example, a certificate is revoked if the integrity of the certificate is compromised. The CA publishes a Certificate Revocation List (CRL) that contains a list of revoked certificates. CRLs are made publicly available so that anyone can verify whether a certificate that was used to sign a message is valid. The CRL ensures the integrity of the signatures, which are based on the expected level of trust that is associated with the type of certificate. In B2B Advanced Communications, you can also add and remove lists of revoked certificates that you and your partners use to authenticate certificates.
Digital signature overview

A digital signature is an electronic, encrypted stamp of authentication on digital information such as messages. The digital signature confirms the integrity of the message.

XML digital signature security overview

An XML digital signature (XML DSIG) is an electronic, encrypted stamp of authentication on digital information such as messages. The digital signature confirms that the information originated from the signer and was not altered in transmission. Additionally, with digital signatures that use public key cryptography, the origin of the signed message can be traced to the identity of the sender to satisfy nonrepudiation requirements. Using XML digital signatures (either separately from XML encryption or in conjunction) has potential security implications. However, in general, there are fewer potential security issues with XML encryption than with XML digital signatures.

Public key cryptography

Public key cryptography uses a set of cryptographic keys to encrypt and decrypt information across a transfer or connection. In B2B Advanced Communications, private and public key pairs are used to secure message exchanges, file transfers, and connections between nodes in a clustered installation.

Message security overview

Message-level security (securing web services at the message level) addresses security requirements including identity, authentication, authorization, integrity, confidentiality, nonrepudiation, and basic message exchange. The message-level security process uses many of the same mechanisms to provide security as transport-level web security does, including digital certificates, encryption, and digital signatures.

Message security process

Message-level security (securing web services at the message level) addresses security requirements including identity, authentication, authorization, integrity, confidentiality, nonrepudiation, and basic message exchange. The B2B Advanced Communications message-level security process includes digital certificates, encryption, and digital signatures.
XML encryption overview

XML encryption is a security mechanism that assures the data confidentiality of transmitted messages. You can encrypt an entire message or choose to encrypt only certain elements of the message. When a SOAP message is encrypted, only a service that knows the appropriate key can decrypt and read the message.

XML encryption security overview

XML encryption can be used to assure data confidentiality of transmitted messages. You can encrypt an entire message or choose to encrypt only certain elements of the message. However, using XML encryption (either separately from XML digital signatures or in conjunction) can have potential security implications.

Securing Java Cryptography Encryption

During the B2B Advanced Communications installation, you select a compressed file that contains a Java™ Cryptography Extension (JCE) policy file to strengthen cryptographic operations.

X.509 binary security token overview

At the message layer of B2B Advanced Communications, you can use X.509 certificates as binary security tokens to digitally sign and encrypt messages. These certificates also provide data confidentiality and data origin authentication. X.509 tokens are validated by using a certificate path.

User name token overview

User name tokens allow you to secure data with the WS-Security UsernameToken element. A user name token transfers user credentials as part of exchanges that are sent to and received from a trading partner. Those user credentials are then used to authenticate the sender or receiver of an exchange.

National Institute of Standards and Technology (NIST) overview

B2B Advanced Communications provides functionality to enable you to conform to the security requirements of the National Institute of Standards and Technology (NIST) standards.

Nonrepudiation overview

Nonrepudiation is a security mechanism that is used in business-to-business transactions to establish the sender, the receiver, and the contents of the file that is transmitted.

Anonymous partner overview

B2B Advanced Communications supports using an anonymous partner for authentication and authorization with AS4 message exchanges, instead of configuring a partner organization in the system. The anonymous partner allows you to represent more than one partner through a single mechanism. This mechanism supports many trading partners (or individual users) without needing to configure an organization (identity representation in the system), specific certificates, and exchange details for each one.

Planning for storage security

Before you implement B2B Advanced Communications, determine the best security methods to manage your data. To configure storage security settings, you must create a new bucket variant (and then retire and eventually delete the old variant).

System passphrase overview

During the installation of B2B Advanced Communications, you must create a system passphrase that is required to start the system and to access protected system information.

eXtreme Scale credentials overview

To support high availability, performance, and system security, B2B Advanced Communications supports changing the credentials for your eXtreme Scale system through the command line interface (CLI). Through the CLI, you can add a user with a passphrase, remove a user, and retrieve the distinguished name for a user.

What Is Cloud Cryptography

Introduction

Cloud computing allows an organization to use IT services delivered via the internet instead of maintaining its own physical servers. However, cloud operators are expected to handle client data without being fully trusted, so cloud computing has unique security challenges. Cloud technology has impacted our lives more than we realize, from remote data access to digitalizing the education system. Cloud computing now powers practically every program we use. However, you will need to ensure the best data security protocols.

Cyber-attacks and data breaches affect cloud computing services in the same way they affect traditional IT assets. Spear-phishing is an example of a cloud security breach, in which a cybercriminal uses an email phishing scam to target a specific individual. Cloud cryptography is one technique to improve cybersecurity for your cloud services. In this article, we will learn about Cloud Cryptography, how it works, and the benefits it provides.

Cloud cryptography uses encryption techniques to protect data utilized or stored in the cloud. It enables users to securely access shared cloud services, as all data hosted by cloud providers is encrypted. Cloud cryptography safeguards sensitive data without slowing down information sharing. Cryptography in the cloud makes it possible to protect sensitive data outside your company’s IT infrastructure, where it is no longer under your control.


Cloud Cryptography and Security

Every day, more businesses and organizations realize the advantages of cloud computing. Clients can store data and run applications on a virtual computing infrastructure provided by cloud computing. However, because cloud operators store and handle client data outside of the reach of clients’ existing security controls, cloud computing has presented security issues. Several firms are developing cryptographic algorithms customized to cloud computing to balance security and performance properly.

Most cloud computing infrastructures lack security against untrustworthy cloud operators, posing a problem for businesses that need to store sensitive, secret data like medical, financial, or high-impact corporate data. As cloud computing becomes more mainstream, many cloud computing service providers and researchers are developing cloud cryptography initiatives to answer the commercial demands and issues connected to cloud security and data protection.

Extending cryptography to cloud data can be done in several ways. Many businesses want to encrypt data before uploading it to the cloud. Data is encrypted before leaving the company’s environment, and only authorized parties with access to the correct decryption keys can decode it. Other cloud providers can encrypt data upon receipt, guaranteeing that all data they store or transport is encrypted by default. While certain cloud services may lack encryption features, encrypted connections such as HTTPS or SSL should be used to assure data security while in transit.

To guard against sophisticated attacks in the complex and dynamic environments of virtualization, cloud services, and mobility, businesses and organizations must take a data-centric strategy to protect sensitive data. Companies should deploy data security solutions that enable consistent protection of sensitive data, such as encryption and cryptographic key management for cloud data. A complete cloud security and encryption platform should also offer robust access controls and key management tools that allow businesses to use encryption to practically, cost-effectively, and comprehensively satisfy security goals.

How Cloud Cryptography Works

The two types of cloud cryptography that your firm should include in its cybersecurity rules are data-in-transit and data-at-rest.
Data-in-transit

The term “data-in-transit” refers to data that is in the process of being transferred between two or more endpoints. The HTTPS and HTTP protocols that safeguard the information channel you use when accessing different online sites are a typical form of data-in-transit cloud encryption that you can observe when using an internet browser.

When data is exchanged between your endpoint and the endpoint for the website you’re viewing, the SSL layer within HTTPS encrypts both your data and the website’s, ensuring that if your channel is compromised, the cybercriminal will only access encrypted data.

Data-at-rest

Sensitive data stored in company IT architecture such as servers, discs, or cloud storage services is known as data-at-rest. By encrypting data while it is being stored, you can impose access control by issuing decryption credentials only to authorized staff. Anyone attempting to access your data at rest will be presented with encrypted data rather than plaintext.

Cryptography is based on three types of algorithm:

1. Symmetric-key
2. Asymmetric-key
3. Hashing

Symmetric Algorithm

Authorized users can access data at rest and in transit using this encryption algorithm, eliminating manual encryption and decryption. Once login credentials are provided, the method automatically encrypts essential information.

Although symmetric cryptographic algorithms are frequently automated, key management is still required. Depending on the cloud service provider you select, your company may use several cryptographic key types or different encryption keys. Your key management system should assist you in keeping track of all of your encryption keys if you deal with many cloud service providers or operate in various cloud environments.

Asymmetric Algorithm

For encryption and decryption, asymmetric algorithms employ distinct keys. Each recipient will need a decryption key in this case. This key is called the recipient’s private key, and the encryption key is usually associated with a single person or institution. This technique is the safest because it requires both keys to access a specific piece of data.

Hashing

One of the most crucial aspects of blockchain security is hashing. Information is kept in blocks on the blockchain and linked together using cryptographic principles like a string or chain, and a unique code or hash is assigned to each data block when it is added to the chain. Hashing is mainly used in databases to index and retrieve objects, and it also encrypts and decrypts messages using two distinct keys. It also allows for quicker data retrieval.

Benefits of Cloud Cryptography

Companies’ information is becoming digital as the globe moves towards a technological age. Cloud cryptography is being used to add a strong protection layer to data to prevent it from being hacked, breached, or infected by malware. Following are the benefits of cloud cryptography:

Privacy

The information is sensitive, so the data is kept private for clients, decreasing the risk of fraud by unauthorized users.

Enhanced Data Security

Data is at risk when it is sent from one system to another; cloud cryptography secures the information in transit.

Users

Cloud cryptography employs stringent security procedures; firms are promptly notified if an unauthorized user attempts to make modifications. Only those with cryptographic keys have access.

Conclusion

In this complex and developing environment of virtualization, cloud services, and mobility, businesses and enterprises must take a data-centric approach to secure critical information from advanced attacks.

Companies must establish security solutions that provide consistent protection for sensitive data, including encryption and cryptographic key management for cloud information. A comprehensive cloud security and encryption platform should have robust access controls and key management capabilities, allowing businesses to use encryption extensively to achieve their security goals.

Cryptography - Hash Functions & Digital Signatures


In this article we discuss hash functions in depth and how they can be combined with public-key
encryption to create a digital signature.

Hash Functions - Definition

Hash functions take a potentially long message as the input and generate a unique output value
from the content. The output of a hash function is commonly referred to as the message digest.

Hashing is a one-way function and with a properly designed algorithm, there is no way to
reverse the hashing process to reveal the original input.
Compare this to encryption (two-way function) which allows encryption and decryption with the
correct key or key pair.

Another specific use case of hash functions is in data structures like hash tables or bloom
filters. The goal here is not security but rapid data lookup.

Hash functions in the context of digital signatures are supposed to produce the same output for the same input (deterministic). This enables the recipient of a message to recompute the message digest with the same hash function and compare it to the transmitted digest to verify that the message wasn’t modified in transit.

If the message has even a minor difference in spacing, punctuation, or content, the message
digest will be completely different.

It is not possible to derive the degree of difference between two messages by comparing the digests. The slightest difference in the input will produce a drastically different digest value.

There are five requirements for a cryptographic hash function:

■ The input can be of any length.
■ The output has a fixed length.
■ The hash function is relatively easy to compute for any input.
■ The hash function is one-way (this means it is extremely hard if not impossible to determine the input from the output).
■ The hash function is collision-free (there can’t be two different messages producing the same hash value).
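As an added example (not part of the original notes), a Python demonstration of the properties listed above using the standard library: determinism, fixed output length, the drastic digest change caused by a tiny input change, and the recipient-side recompute-and-compare integrity check; the sample messages are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample messages: the second differs from the first by one digit.
MESSAGE = b"Transfer 100 EUR to account 12345"
TAMPERED = b"Transfer 900 EUR to account 12345"


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Message digest of data as a hex string (fixed length, whatever the input size)."""
    return hashlib.new(algorithm, data).hexdigest()


def is_deterministic(data: bytes, algorithm: str = "sha256") -> bool:
    """Same input, same digest: the property a recipient relies on to recompute it."""
    return digest_hex(data, algorithm) == digest_hex(data, algorithm)


def output_length_fixed(algorithm: str = "sha256") -> bool:
    """Inputs from 0 bytes to 100 kB all give a digest of the same length."""
    lengths = {len(hashlib.new(algorithm, b"x" * n).digest())
               for n in (0, 1, 1000, 100_000)}
    return len(lengths) == 1


def digest_bit_difference(a: bytes, b: bytes, algorithm: str = "sha256") -> int:
    """Hamming distance between two digests: how many output bits differ.
    For unrelated inputs this is about half the digest length, and it says
    nothing about how similar the inputs were."""
    da = int.from_bytes(hashlib.new(algorithm, a).digest(), "big")
    db = int.from_bytes(hashlib.new(algorithm, b).digest(), "big")
    return bin(da ^ db).count("1")


def verify_integrity(received: bytes, transmitted_digest: str,
                     algorithm: str = "sha256") -> bool:
    """Recipient-side check: recompute the digest of what arrived and compare it
    (in constant time) with the digest transmitted alongside the message."""
    return hmac.compare_digest(digest_hex(received, algorithm), transmitted_digest)
```

Note that the digest has no key and cannot be reversed, so this check detects accidental or in-transit modification only; an attacker who can rewrite the message can recompute its digest too, which is why the notes pair the hash with a digital signature.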

SHA - Secure Hash Algorithm

The secure hash algorithm SHA and its successors, SHA-1, SHA-2, SHA-3, are government
standard hash functions promoted by the National Institute of Standards and Technology
(NIST).

SHA-1 takes an input of virtually any length and produces a 160-bit message. It
processes a message in 512-bit blocks. If a message length isn’t a multiple of 512-bit, the SHA
algorithm pads the message with data until the length reaches the next highest multiple of 512-
bit.

SHA-1 is no longer considered secure against well-funded adversaries. All major web browser
manufacturers stopped accepting SHA-1 SSL certificates in 2017. Google even demonstrated a
collision in SHA-1.

SHA-2 was published in 2001 as a reaction to the weaknesses in SHA-1. It includes significant
changes from its predecessor and has four major variants:
■ SHA-256 produces a 256-bit message digest using a 512-bit block size.
■ SHA-224 uses a truncated version of the SHA-256 hash and produces a
224-bit digest using a 512-bit block size.
■ SHA-512 produces a 512-bit message digest using a 1,024-bit block size.
■ SHA-384 uses a truncated version of the SHA-512 hash and produces a
384-bit digest using a 1,024-bit block size.

The cryptographic community generally considers the SHA-2 algorithms secure, but because
they share the same internal structure as SHA-1 they theoretically suffer from the same weakness.

SHA-3 was published in 2015. While it is part of the same series of standards, SHA-3 is internally
different from the MD5-like structure of SHA-1 and SHA-2. SHA-3 is a subset of the broader
cryptographic primitive family Keccak. It was developed as a drop-in replacement for
SHA-2, offering the same variants (SHA3-224/SHA3-256/SHA3-384/SHA3-512) and hash
lengths but using a more secure algorithm.

MD2 - Message Digest

The MD2 Message-Digest Algorithm was developed by Ronald Rivest (yes, the one from
Rivest, Shamir, and Adleman aka RSA Security) in 1989 to provide a secure hash function for
8-bit processors.

MD2 pads the message to a length that is a multiple of 16 bits and computes a 16-byte(!) checksum,
which is appended to the end of the input message. A 128-bit message digest is then generated
from the original message together with the appended checksum.

Cryptanalytic attacks against the MD2 algorithm exist and it was even proven that MD2 is not a
one-way function. Therefore, it should no longer be used.

MD4, an enhancement of MD2, was released in 1990 and supports 32-bit processors. It
raises the security level with an enhanced algorithm.

MD4 pads the message to a length that is 64 bits short of a multiple of 512 bits. The MD4
algorithm then processes the 512-bit blocks of the message in three rounds of computation to
produce a 128-bit message digest.

An 8-bit message would be padded with 440 additional bits of data to make it 448 bits, which
is 64 bits short of a 512-bit block.

Several flaws have been found in the MD4 algorithm and therefore it is no longer considered
secure. Its use should be avoided if possible.

MD5 was released in 1991 as the next version of the message-digest algorithm. It also
processes 512-bit blocks of the message but uses four rounds of computation to produce
the same 128-bit message-digest length as MD2 and MD4.

MD5 has the same padding requirement as MD4: the message length must be 64 bits less than a
multiple of 512 bits. MD5 introduced additional security features that reduced the speed of
message-digest production.
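The padding rule described above for SHA-1, MD4 and MD5 (pad to 64 bits short of a multiple of 512 bits, then append the 64-bit message length) as an added Python example that is not code from the notes; it reproduces the 8-bit-message arithmetic and also shows the case where the padding spills into a second block. SHA-1 writes the length field big-endian and MD4/MD5 little-endian, which the flag selects.

```python
def md_pad(message: bytes, big_endian_length: bool) -> bytes:
    """Merkle-Damgard style padding: append 0x80, then zero bytes until the length is
    64 bits short of a multiple of 512 bits, then the 64-bit bit-length of the original
    message (big-endian for SHA-1/SHA-2, little-endian for MD4/MD5)."""
    bit_length = len(message) * 8
    padded = message + b"\x80"             # mandatory '1' bit followed by seven '0' bits
    while len(padded) % 64 != 56:          # 56 bytes == 448 bits == 512 - 64
        padded += b"\x00"
    return padded + bit_length.to_bytes(8, "big" if big_endian_length else "little")


def padding_breakdown(message: bytes, big_endian_length: bool = True) -> dict:
    """Report how many bits the message, the padding and the length field occupy."""
    total_bits = len(md_pad(message, big_endian_length)) * 8
    message_bits = len(message) * 8
    return {
        "message_bits": message_bits,
        "padding_bits": total_bits - message_bits - 64,
        "length_field_bits": 64,
        "total_bits": total_bits,
        "blocks": total_bits // 512,
    }


if __name__ == "__main__":
    # 8-bit message: 440 padding bits bring it to 448, the length field to 512 (one block).
    print(padding_breakdown(b"A"))
    # 448-bit message: there is no room for the length field, so a second block is needed.
    print(padding_breakdown(b"B" * 56))
```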

Recent cryptanalytic attacks demonstrated that MD5 is subject to collisions. In 2005 it was
demonstrated that two digital certificates with different public keys can have the same MD5 hash.

All algorithms in the MD family are no longer accepted as suitable hashing functions. However,
they may still be found in use today.

Digital Signatures

With secure hash functions, we can implement a digital signature system. A digital signature
infrastructure has two goals:

■ Digitally signed messages assure the recipient that the message came from the
claimed sender. This provides nonrepudiation.
■ Digitally signed messages provide the recipient with the assurance that the
message was not altered while in transit. This protects against malicious
(man-in-the-middle) or unintentional (communication interference) modification.

Digital signatures rely on the combination of two concepts: public-key cryptography and
hash functions.

Alice is sending a digitally signed but not encrypted message to Bob:

1: Alice generates a message digest of the original plaintext message using a secure hash
function like SHA3-512.

2: Alice then encrypts the message digest using her private key. The output is the digital
signature.

3: Alice appends the digital signature to the plaintext message.

4: Alice then sends the appended message to Bob.

5: Bob removes the digital signature from the appended message and decrypts it with the public
key of Alice.

6: Bob calculates the hash of the plaintext message with SHA3-512.

7: Bob then compares the decrypted message digest he received from Alice with the message
digest he computed himself. If the two digests match, he can be assured that the message he
received was sent by Alice.

The digital signature process does not provide any privacy by itself. It only ensures that the
cryptographic goals of authentication, integrity, and nonrepudiation are met. If Alice wants to
ensure the privacy of her message to Bob, she could encrypt the appended message generated
in step 3 with the public key of Bob. Bob would then need to first decrypt the encrypted
message with his private key before continuing with step 5.

Digital signatures are used not only for messages: software vendors often use digital
signature technology to authenticate code distributed over insecure networks like the internet.
Checksums, by contrast, do not require any key; they are simple digests or fingerprints that
represent some kind of data.

HMAC - Hashed Message Authentication

The hashed message authentication code (HMAC) algorithm implements a partial digital
signature and guarantees the integrity of a message but it does not provide nonrepudiation.

HMAC relies on the combination of two concepts: secret-key (symmetric) cryptography and hash
functions.

HMAC can be combined with any secure hash function such as SHA3. The resulting message
authentication code (MAC) is called HMAC-SHA3. HMAC combines a secret key with a hash
function and represents a halfway point between the unencrypted use of a message-digest
algorithm and computationally expensive digital signature algorithms based on public-key
cryptography.

HMAC does not encrypt the message. Instead, the message (encrypted or not) must be sent
alongside the HMAC value. Parties holding the secret key hash the message again themselves,
and the received and computed values will match if the message is authentic.
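The HMAC exchange described above as an added Python example (not from the notes) using the standard library's hmac module with SHA3-256; the shared key and message are constructed sample values. It shows that a modified message or a wrong key fails verification, and that anyone holding the shared key can produce the same tag, which is why HMAC gives integrity but no nonrepudiation.

```python
import hashlib
import hmac


def compute_hmac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA3-256 tag over the message; the secret key is mixed into the hash."""
    return hmac.new(key, message, hashlib.sha3_256).digest()


def verify_hmac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag with the shared key. The constant-time
    comparison avoids leaking how many leading bytes of the tag matched."""
    return hmac.compare_digest(compute_hmac(key, message), tag)


# Constructed sample: a shared secret and a message sent alongside its HMAC.
SHARED_KEY = b"example-shared-secret-do-not-reuse"
MESSAGE = b"amount=100&to=account-42"

if __name__ == "__main__":
    tag = compute_hmac(SHARED_KEY, MESSAGE)                            # sender
    print(verify_hmac(SHARED_KEY, MESSAGE, tag))                       # True: authentic
    print(verify_hmac(SHARED_KEY, b"amount=900&to=account-42", tag))   # False: modified
    print(verify_hmac(b"wrong-key", MESSAGE, tag))                     # False: wrong key
    # No nonrepudiation: the receiver, holding the same key, can forge an identical tag.
    print(compute_hmac(SHARED_KEY, MESSAGE) == tag)                    # True
```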

DSS - Digital Signature Standard

This standard specifies that all federally approved digital signature algorithms must use the
SHA-3 hashing function. DSS also specifies the encryption algorithms that can be used to
support a digital signature infrastructure. Currently approved in version 186-4 are:

■ DSA - Digital Signature Algorithm
■ RSA - Rivest-Shamir-Adleman Algorithm
■ ECDSA - Elliptic Curve DSA

Key Confusion

Public-key cryptography and digital signatures can be confusing: encryption, decryption,
digital signing and signature verification all use the same algorithms with different key
inputs. Here are a few simple rules:

■ You encrypt a message with the recipient’s public key.
■ You decrypt a message with your own private key.
■ You digitally sign a message with your own private key.
■ You verify the signature of a message with the sender’s public key.
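The seven-step exchange between Alice and Bob and the four key rules above, as an added Python example that is not part of the original notes. It uses textbook RSA with a toy modulus built from two hard-coded small primes (constructed values, far too small for real use) so that it runs with only the standard library; the SHA3-512 digest is reduced modulo the modulus so it fits, which a real signature scheme would not do.

```python
import hashlib

# Toy RSA key pair from two small hard-coded primes (constructed for illustration only;
# the modulus is about 40 bits, real keys use 2048 bits or more).
P, Q = 1000003, 999983
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
ALICE_PUBLIC, ALICE_PRIVATE = (N, E), (N, D)


def digest_int(message: bytes, n: int) -> int:
    """Steps 1 and 6: SHA3-512 digest of the message as an integer, reduced mod n so the
    toy modulus can hold it (a real scheme pads the digest instead of reducing it)."""
    return int.from_bytes(hashlib.sha3_512(message).digest(), "big") % n


def sign(message: bytes, private_key: tuple) -> int:
    """Steps 1-2: hash, then 'encrypt' the digest with the signer's OWN private key."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def send_signed(message: bytes, private_key: tuple) -> tuple:
    """Steps 3-4: the appended message (plaintext, signature) that Alice sends to Bob."""
    return message, sign(message, private_key)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Steps 5-7: 'decrypt' the signature with the SENDER's public key, recompute the
    digest of the received plaintext and compare the two."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


if __name__ == "__main__":
    plaintext, sig = send_signed(b"Meet at noon", ALICE_PRIVATE)   # Alice
    print(verify(plaintext, sig, ALICE_PUBLIC))                     # Bob: True
    print(verify(b"Meet at one", sig, ALICE_PUBLIC))                # tampered text: False
```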

Conventional encryption is a cryptographic system in which the same key is used
by the sender to encrypt the message and by the receiver to decrypt the
message. It was the only type of encryption in use prior to the development of
public-key encryption.

It is still the preferred of the two types of encryption systems due to its
simplicity. It is a relatively fast process since it uses a single key for
both encryption and decryption. In this encryption model, the sender
encrypts plaintext using the shared secret key, which is later used by
the receiver to decrypt the ciphertext. Below is a figure that illustrates this
concept.

Suppose A wants to send a message to B; that message is called plaintext.
To prevent attackers from reading the plaintext, it is encrypted using an
algorithm and a secret key (at 1). This encrypted plaintext is called ciphertext.
Using the same secret key and the encryption algorithm run in reverse (at 2), B can
recover A’s plaintext, and thus the message is read while security is maintained.

The idea used in this technique is very old, which is why this model is
called conventional encryption.

Conventional encryption has five main ingredients:

1. Plaintext – the original data that is given to the algorithm as input.

2. Encryption algorithm – performs various transformations on the plaintext
to convert it into ciphertext.

3. Secret key – also an input to the algorithm. The encryption algorithm
produces different outputs depending on the key in use.

4. Ciphertext – the output of the algorithm. It is a transformed form of the
original plaintext that is unreadable by a human or computer without the
proper cipher to decrypt it.

5. Decryption algorithm – runs the encryption algorithm in reverse. The
ciphertext and the secret key are its inputs and it produces the plaintext as output.


Requirements for secure use of conventional encryption:

1. We need a strong encryption algorithm.

2. The sender and receiver must have obtained copies of the secret key
in a secure fashion and must keep the key secure.

Advantages of Conventional Encryption:

1. Simple – this type of encryption is easy to carry out.

2. Uses fewer computer resources – conventional encryption does not require
a lot of computer resources when compared to public-key encryption.

3. Fast – conventional encryption is much faster than asymmetric-key
encryption.

Disadvantages of the Conventional Encryption Model:

1. The origin and authenticity of the message cannot be guaranteed: since
both sender and receiver use the same key, messages cannot be
verified to have come from a particular user.

2. It is considered less secure than public-key encryption.

3. If the receiver loses the key, he/she can’t decrypt the message, which
makes the whole process useless.

4. This scheme does not scale well to a large number of users because
both the sender and the receiver have to agree on a secret key before
transmission.
