Cryptography concepts and applications

Cryptography

Information Systems technology has become an essential aspect of business and industry in recent years. As such organizations and individuals alike have formulated ways to keep information secure and private. Cryptography is vital to the development of the always growing information technology world. The purpose of this discussion is to focus on the role of cryptography in wireless networks, smart cards, content delivery services, e-commerce and health care. The discussion to follow will solidify the fact that cryptography is an enabling technology that is vital for the development of the information society including applications such as smart cards (for identification and financial transactions) content delivery services (pay-per-view audio/video) and wireless networks.

Cryptography

Cryptography is defined as "the science of designing of cipher systems, whereas cryptanalysis is the name given to the process of deducing information about plaintext from the ciphertext without being given the appropriate key. Cryptology is the collective term for both cryptography and cryptanalysis (Murphy & Piper, 2002)."

Murphy (2002) also explains that the purpose of a cipher system is to hide private or confidential information in a manner that makes it impossible to understand. There are two primary uses for a cipher system: to securely store data and to broadcast data over an insecure channel. Cipher systems do not prevent people from having access to data but it does guarantee that the individual will not have the ability to decipher the data (Murphy & Piper, 2002).

The author also posits that the concealed information is referred to as the plaintext and the process of disguising the information is referred to as encryption. Additionally, the plaintext that is encrypted is known as ciphertext or cryptogram while the guidelines used to encrypt information plaintext is the encryption algorithm (Murphy & Piper, 2002). In most cases the ability of the algorithm to function is dependent upon the encryption key. The encryption key is input to the algorithm alongside the message. A decryption algorithm must be present to allow the recipient to obtain the message from the cryptogram. When the decryption algorithm is used with the proper decryption key, the plaintext from the ciphertext is duplicated. In most cases the guidelines that constitute one of these cryptographic algorithms is likely to be very complicated and they need careful design (Murphy & Piper, 2002).

In addition an individual who intercepts the message is referred to an interceptor. These individuals can also be referred to as the enemy, eavesdropper, or adversary (Murphy & Piper, 2002). Nevertheless, the proper name for such an individual is interceptor. It is also important to note that an interceptor could be a good guy. In addition, even if an interceptor understands the decryption algorithm, they usually don't know the decryption key. As such it is difficult for an interceptor to understand the plaintext (Murphy & Piper, 2002).

Now that we have gained a greater understanding of what cryptography is, let us discuss the manner in which it is utilized in applications such as wireless networks, smart cards (for identification and financial transactions) and content delivery services (pay-per-view audio/video). We will also focus on the role of cryptography in ecommerce and healthcare.

Wireless Networks

In recent years wireless networks have become a vital source of communication for businesses and home users. Wireless networks are popular because they provide individuals with greater mobility and access to information. Wireless networks are present in airports, coffee shops and many other places. Although wireless networks are extremely popular, they can also be difficult to secure. In fact, several studies have shown that wireless networks leave users open to many vulnerabilities. Cryptography has long been used to address this issue. Initially cryptography technology known as Wired Equivalent Privacy WEP was utilized. WEP offered little protection to wireless networks and there users. According to Piazza (2003)

Academicians and security experts began exposing the gaping holes in WEP not long after the standard was released in late 1999 by the Institute of Electrical and Electronics Engineers (IEEE). Ken Evans, vice president of marketing and product management at Fortress Technologies, which makes wireless security products, says that WEP's biggest flaw was what he calls a bad implementation of good cryptography "Think of a keychain with only four keys," he says, referring to WEP's rotation of only four encryption keys. "It's pretty easy for someone, once they find the right key, to open all the doors (Piazza 2003)."

Indeed, once the key is found and an individual has the time and the proper processing power, he will have access to the transmission of the data and will have the capacity to decipher information concerning the wireless network and the user including the internet protocol address (Piazza 2003). Once the internet protocol address is known the network becomes extremely vulnerable.

To combat the problems associated with WEP, Wi-Fi Protected Access (WPA) was developed and served as a temporary solution to be utilized until a better designed protocol could be developed and implemented (Piazza 2003). WPA provided a solution to the aforementioned security issues by presenting a larger number of keys in a more frequent pattern, thus ensuring that it would be more difficult for an individual to gain access to and decipher the encryption during transmission (Piazza 2003). WPA is also designed to provide tough user authentication; this authentication begins prior to encryption.

In addition WPA was a popular choice because it could be upgraded and as such users would not have to purchase new hardware to receive more advanced security options (Piazza 2003).

The author further explains that the design of the WPS was taken from the IEEE protocol known as 802.111. This protocol was essential at the time because it provided a more intense level of encryption known as that Advanced Encryption Standard (AES) (Piazza 2003). The authors explained that AES provided slightly better security but WPA actually solved the problem associated with the vulnerability of wireless networks (Piazza 2003).

As you can see, cryptography plays an important role in the securing of wireless networks. Wireless networks are a vital communications tool within the paradigm of our increasingly global world. Without the presence of cryptography information could easily end up in the hands of individuals that would do harm to businesses and individuals alike. Businesses use wireless networks to share information over significant distances. For instance, a business might use a wireless network to email sensitive information or to purchase products. If the network is not secured with the appropriate cryptography, competitors may have the ability to obtain information about the business and the competitive advantage may be lost.

The use of cryptography for wireless networks is also important as it relates to individual users. Now more than ever people are using the internet to access bank accounts, pay bills and purchase products. This means that banking information and credit card information is constantly transmitted via the internet. Cryptography is used to secure this information to ensure that it is not stolen and used by unauthorized persons. Indeed, as it relates to wireless networks, cryptography plays a vital role and acts as a necessary agent for this form of information systems technology. Although wireless networks are an extremely popular form of technology, they are not the only popular technology. The following paragraphs will discuss the role that cryptography plays as it relates to smart cards.

Smart Cards

In addition to wireless networks, smartcards have also become vitally important information systems technology. Smart cards were first developed in the mid-1970's and they are cards that contain a computer chip (Misra et al., 2004). Smart Cards are comparable to a debit or credit card however they differ in that they permit the user to store, secure, and update information at some point in a transaction. In addition, smart cards are able to store greater amount of information than a credit card and smart cards are also able to make basic decisions during a transaction (Misra et al., 2004).

There are two primary types of Smart cards memory cards and microprocessor cards, however there are also other types of smart cards. Memory cards are designed to store data, and are comparable to a small floppy disk. Microprocessor cards are composed of a central processing unit (CPU) that allow it to process data, conduct interim calculations, provide security, and store data (Misra et al., 2004). The author asserts that the information stored in a smart card is secured through well-designed encryption. Additionally a number of microprocessor cards can also perform various functions on a single card, thus improving flexibility and appeal to a user. Additionally a card reader must be present to read a smart card (Misra et al., 2004).

There are also various types of smart cards that can be utilized. One such type is the Electronic Purse. The Electronic Purse is a smart card containing an electronic counterpart to cash and is regarded as a replacement for a traditional purse (Misra et al., 2004).

Electronic purses are usually come in the form of debit cards that contain a preloaded sum of money that can be used to purchase goods and services. In addition electronic purses can be reloaded using ATM machines or traditional tellers (if the card is connected to a banking account).

Additionally, electronic purses are usually based on smart card technology and necessitate a card reader to fulfill a transaction. Equipment including point of sale (POS) terminals, ATMs, and smart card kiosks can be outfitted with card readers (Misra et al., 2004). Every time the user utilizes the card reader to complete a transaction; the card reader will debit or credit the transaction value from or to the card.

The author further asserts that Smart cards can be utilized for various purposes.

In most cases they are used as stored value cards (Misra et al., 2004). Stored value cards can be utilized at the time of purchase and are preloaded with a certain amount of money. These cards can be discarded after they have been used; however, most stored value cards can be reloaded and used repeatedly (Misra et al., 2004). Stored value cards are popular gifts at Christmas time and are usually referred to as gift cards.

The author further explains that Smart cards, because of their nature, may be considered as electronic cash. Smart cards that do not need a physical contact with a reader (contactless cards), can be used for applications such as highway tolls where a motorist does not have to stop to pay for the toll. Since smart cards can be used to hold any kind of information, we can expect to see applications of this medium grow in the future (Misra et al., 2004 page15)"

The original purpose of smartcards was to reduce reliance upon paper forms of money such as cash and checks.

Although smart cards have not yet replace cash and checks the prevalence of these instruments has grown substantially. The orders for smart cards increased form 1.79 billion in 2000 to 2,55 billion in 2002 (Misra et al., 2004). Also, the number of cards distributed internationally increased from 900 million in 1997 to 6.31 billion in 2003 (Misra et al., 2004). In addition smart cards are utilized by several different industries including transportation, healthcare and banking (Misra et al., 2004).

As a result of the increased use of Smart cards (in all their various forms), there has been a concerted effort to formulate encryption systems that lessen the likelihood of fraud. To this end, cryptography is often used to secure the information on the card or to ensure that the card can not be used by an unauthorized person. There are many ways this can be accomplished through cryptography.

Smart Cards for Identification

In addition to using smart cards for purchases, they can also be used for identification purposes. The use of smart cards for identification purposes can often be seen in places of business and in government. This type of smart card contains a chip that identifies the person with the card and may grant access to various parts of an office or even to the office computer system. In some cases these cards are also used by employees to clock in and out of work. The primary purpose of using smart cards for identification is office and organizational security. This is particularly true at government facilities, where security issues have taken center stage as a result increased threats of terrorism.

According to Piazza (2005) the smart cards used for identification purposes are among the most technologically advanced devices available. In some cases, they even contain biometric information to ensure that the individual can have access to a building or classified information. Biometrics is inclusive of such things as iris scans, fingerprinting and face recognition (Piazza, 2005). In addition newer biometrics technologies include systems that can analyze vein structure, odor and gait (Piazza, 2005).

Because smart cards can hold extremely sensitive information encryption is essential. As with the other technologies that have been discussed, cryptography provides the security needed to prevent others from deciphering this sensitive information. There are several different cryptography systems that can be used to secure smart cards. One such system is the elliptic curve cryptography. According to Al-Kayali (2004) elliptic curve cryptosystems have grown tremendously in popularity as it relates to the securing of smart cards. Elliptic curve cryptography is a rather complex concept to explain but it is actually a type of "public-key cryptography based on the algebraic structure of elliptic curves over finite fields (ECC)." The elliptic curve is used primarily in the field of mathematics but its use as a form of cryptography to secure smart cards has been developed in recent years. Many experts believe that the use of this type of cryptography is so difficult to manipulate that it provides very good security for smart card systems.

It is evident that smart cards are increasing in popularity both in the sphere of electronic cash and identification. In the years to come there will most likely be an increased emphasis placed of the securing of this type of technology. It is also apparent that different forms of cryptography will be used to ensure that private information contained on smart cards remains private.

Content Delivery Services

Another growing aspect of information technology is content delivery services. Content delivery services are designed to allow users to access content over cable television, pay per view and the internet. An example of such technologies can be seen with Apple's iTunes platform that allows for the downloading of music and videos. This can also be seen with the Netflix platform which allows for the download of movie selections. There are also many other companies that utilize content delivery services.

According to Mitrou (2004) content delivery services are part of an industry that will continue to row in the years to come. Users enjoy content delivery services because they provide instant access to music, videos and music; people are no longer required to go to the store to get these products. Although content delivery is convenient it also poses certain security concerns. This is particular true of music and media that is contains copyrighted material. For this reason, businesses that provide content delivery services must do all they can to protect this material and prevent from being copied or shared.

In recent years this has proven to be quite a challenge. Both music and movies are readily available on the internet through sites that allow users to share movies and music. Although such file sharing is illegal it is very difficult to control because various methods used to encrypt music and movies have failed. As a result, programs such as iTunes use more advance technologies to deliver music and videos in a manner that is more secure. These companies use cryptography to prevent customers from downloading music without paying. The encryption program also makes it difficult to transfer music to other programs that might allow the user to share the music with other users.

The primary cryptography system that is utilized for content delivery services is content access. According to Frauenfelder (2005) the iTunes music store uses conditional access to secure or restrict the availability of files and resources. The content access system is combined with a Digital Rights Management System. These systems are utilized simultaneously to ensure that users do not have access to a download until Apple has received payment for the download (Frauenfelder 2005).

In addition to protecting the content that is delivered, cryptography is also used to ensure that credit card information is not stolen. This aspect of security is extremely important because iTunes users and users of other content delivery services are asked to save their credit card information so that it will not have to be taken every time the user wants to purchase a product for download. As such iTunes is responsible for the private information of many users and must take special care to ensure that this information is secure.

Cryptography in Ecommerce and Healthcare

Any industry or organization that utilizes computers has a need for cryptography. Within the context of Ecommerce and Healthcare cryptography is important because of the type of sensitive information that is at stake. In the case of Ecommerce, customer information including phone numbers, addresses and credit card information are transmitted on a daily basis. As it pertains to healthcare this same type of information is transmitted in addition to private medical information.

Cryptography solutions for ecommerce are often inclusive of such things as certificates and certificate authorities. According to a book entitled "Control and Security of Ecommerce" Certificate authorities are designed to issue digital certificates that allow ecommerce partners to be positively identified when engaged in electronic transactions (Smith, 2004). Although most ecommerce businesses have password protections, the author points out passwords can easily be cracked or compromised. In fact the author points out the existence of password cracking software that can be downloaded off of the internet (Smith, 2004). Needless to say, the presence of this type of software makes stronger authentication mechanisms necessary. Digital certificates provide this increased authentication. As it relates to certificates and certificate authorities, the author explains

The certificate authority is the entity that issues certificates to an organization or a person. The parties to a transaction need assurance that the digital certificates of all other parties to the transaction are valid and current. They rely on the certificate authority's digital signature to prove that the certificate is real and has not expired or been revoked. Several algorithms can be used to compute the digital signature...Digital certificates have both a start date and an end date (Smith, 2004 page58)."

It is evident that ecommerce transactions depend heavily upon the use of encryption programs to guarantee smooth and safe transactions. It is also apparent that certificate authentication is the key component used to address the security issues that exist in the realm of ecommerce. Ecommerce is a growing industry that generates billions of dollars per year. With so much at stake and so many stakeholders ecommerce businesses, the banking industry (including credit card companies) and customers rely upon cryptography to keep information safe and to generate a profit.

In addition to ecommerce, the healthcare industry is also dependent upon methods of cryptography to secure information. One of the most utilized forms of cryptography within the healthcare industry is public key encryption (PKE). According to the HIPPA signature rule "the signature should "[ensure] the integrity of the signed document to enable transportability of data, interoperability, independent verifiability, and continuity of signature capability (Talukdar, 2003, pg. 95)."