Network VPN and Web Security Cryptography Essay

Securing Internet commercial transactions and sensitive banking data is increasingly becoming critical as threats to computer networks continue to cause significant financial losses resulting from data damage, loss or corruption by spy ware, viruses and other data corrupting hostile codes (Mogollon, 2007). The consequences of having weak security system administration become enormous and companies should step up their security measures to protect sensitive data by cryptographic methods. In online transactions, the secure Web server communicates with the client’s computer by authenticating each other. They do this by enciphering the data which is transmitted by means specific protocols such as transport layer security (TLS), Internet protocol security (IPsec) and secure socket layer (SSL). All Web browsers such as Internet Explorer and Netscape have in-built TLS and SSL protocols. To make internet transactions safe, the problems associated with end-user certificate distribution have to be solved and this was the challenge that led to the fall of secure electronic transaction (SET) technology after its introduction in 1990s (Mogollon, 2007). This paper will discuss important technologies behind VPN SSL and website encryption paying critical attention to algorithms which make encryption in financial systems such as the Internet commercial transactions possible and secure. In particular, the paper addresses advanced and critical issues in online transactions as one of the areas applying cryptography and network security. The Need for Network Security in Financial Systems The modern online commerce and financial systems are rapidly growing partly because several protocols for Web encryption are often implemented hence ensuring secure transactions. In a practical scenario, online clients buying commodities enter the credit card number online and then hit the â€Å"Submit† button. While this information is provided online and can be deciphered by hackers, the Web browser commits to secure this online transaction by enciphering the transmitted data (Mogollon, 2007). Secure communication between the client and the server requires client-server authentication which is a cryptographic key exchange involving an agreement of both parties. The client and the server will agree on a common pre-master secret code or key. Data is then enciphered using the keys which are generated from the agreed pre-master key. This communication agreement between the client and server also involves the decisions on which versions and protocols to use such as SSL2, SSL3, TLS1. 0, and TLS 1. 1 (Mogollon, 2007). They will also agree on which cryptographic algorithm to use and whether to authenticate to each other or not. The use of certain techniques of public-key encryption which generate the pre-master secret key will also be agreed on. Both have to make an agreement that session keys are to be created to help in the enciphering of the messages. Virtual Private Network (VPN) A virtual private network (VPN) serves as an extension of a private network which encompasses links across public or shared networks such as the Internet (Mogollon, 2007). VPN enables users to send data between two interconnected computers across a public or shared network in a way that it emulates point-to-point private link properties. Virtual private networking is the technique of creating and configuring VPN and it emulates point-to-point links (Mogollon, 2007). There should be data encapsulation or wrapping with headers to provide routing information thus allowing it to traverse the public or shared transit internetwork and attain its endpoint. At the same time, to emulate private links, the sent data must be encrypted for security and confidentiality (Microsoft Corporation, 2003). The packets intercepted on public or shared networks cannot be deciphered without the use of encryption keys. Private data is encapsulated in a connection portion known as the tunnel and it is encrypted in a connection portion known as the VPN connection (Microsoft Corporation, 2003). Fig 1. 1 Figure 1. 1: Virtual private network connection (Microsoft Corporation, 2003) The VPN connection provide the capabilities for remote users while at homes, branch offices or even while traveling to securely connect to remote organizations’ servers by the use of routing infrastructure which is provided by a shares or public network like the Internet(Microsoft Corporation, 2003). Since the creation of VPN connection is facilitated by the Internet from anywhere, these networks require strong security mechanisms to avoid any unwelcome private network access and to protect private data while traversing the public network (Microsoft Corporation, 2003). These security mechanisms include data encryption and authentication as well as other advanced VPN security measures such as certificate-based authentication. Virtual private network security (VPNs) is provided by the Internet Protocol security (IPsec), TLS and SSL (Mogollon, 2007). IPsecVPN are commonly used in several enterprises but they are not as easy to use as SSLVPN. Another difference between IPsec VPN and SSL VPN is that IPsec VPN works at Layer 3 and creates a tunnel into networks. This way, IPsec allows for devices to log on as if they have physical connections to the local area network (LAN) (Mogollon, 2007). On the other hand, the SSL VPN work at the application Layer 4 and users can have access to individual applications through the Web browser. In SSLVPN, the administrators can dictate the access by applications instead of providing entire network access. VPN emulates the facility of private wide area network (WAN) by the use of private Internet Protocol (IP) and public internet backbones (Mogollon, 2007). Secure Socket Layer Virtual Private Network (SSLVPN) Security networks particularly those used in online transactions demand increasingly complex cryptographic systems and algorithms (Lian, 2009). Therefore, there is need for individuals concerned with the implementation of security policies in companies to use technical knowledge and skill in information technology in order to implement critical security mechanisms. Unlike the traditional IPsec VPN which requires the use of special client software on computers of end users, the SSL VPN such as Web SSL VPN requires no installation of such software (Lian, 2009). SSLVPN is mainly designed to provide remote users access to various client-server applications, Web application as well as internal network connections. SSL VPN authenticates and encrypts client-server communication (Lian, 2009). Two types of SSL VPNs are recognized: the SSL Portal VPN and SSL Tunnel VPN (Lian, 2009). The SSL Portal VPN usually allows a single SSL to connect to the website while allowing secure access to a number of network services by end users. This common website is known as the portal because it serves as a single door leading to a number of resources. The site is usually a single page having links to other pages. The second example of SSLVPN is the SSL Tunnel VPN which allows Web browsers, and thus users to safely access a number of multiple network services as well as protocols and applications which are not Web-based (Lian, 2009). Access is mainly provided via a tunnel which runs under SSL. The SSL Tunnel VPN requires all browsers to have the capacity to support active content that makes them to have more functionality not possible with SSL Portal VPN. The active content supported by SSL Tunnel VPN includes Active X, Java, JavaScript and plug-ins or Flash applications (Lian, 2009). Secure Socket Layer (SSL) provides a standardized communication encryption deployed for the purpose of protecting a number of protocols (Lian, 2009). For instance, most online transacting sites such as PayPal, AlertPay and MoneyBookers have their Universal Resource Locator (URL) address beginning with â€Å"https://† instead of â€Å"http://. † This means that the Hypertext Transfer Protocol (Http) is wrapped inside the SSL (Lian, 2009). Cryptography and Encryption Cryptography is concerned with the development of algorithms where data is written secretly thus the names, crypto-meaning secret and –graphy, meaning writing (Li, n. d). Cryptography basically provides a number of ways to confirm data security during VPN communication. These various means or algorithms include hash, cipher, digital signature, authentication and key generation (Lian, 2009). Cryptography endeavors to conceal the actual context of data from everyone except the recipient and the sender hence maintaining secrecy or privacy. Cryptography also verifies or authenticates the correctness or validity of data to recipients in virtual private network. As a result of this, cryptography has been the basis of a number of technological solutions to problems such as communication and network security in share networks such as that in VPN. In general, cryptography can be defined as the technique exploiting the methods and principles of converting intelligible data into unintelligible one and then changing it back to the original form (Li, n. d). SSL VPN encryption involves the adoption of traditions and novel algorithms of encryption in the protection of sensitive data such as the one exchanged during online transactions. The original data is transformed into secure data with specific algorithm of encryption by the use of the encryption key. At the same time, the encrypted data can be decrypted back into its original state with the help of algorithms of decryption. Sometimes, attacks to data are common in networked systems where hackers break into systems to obtain the original data which has not been encrypted. The present research focuses on the efficient algorithms of encryption and decryption which are secure against these attacks (Lian, 2009). Typical VPN Encryption Algorithms VPN encryption utilizes a number of encryption algorithms to secure flowing traffic across a shared or public network (Malik, 2003). The encryption of VPN connections is done so as to allow VPN and Web traffic to traverse share or public network like the Internet. Example of encrypted VPN is the SSL VPN and IPsec which uses encryption algorithms to safely allow traffic across shared or public network such as the Internet (Malik, 2003). Apart from classifying VPN in terms of encryption, classification of VPN can also be based on the model of OSI layer which they are constructed in. this is an important classification as the encrypted VPN only allows specific amount of traffic which gets encrypted and the degree of transparency to VPN clients (Malik, 2003). Classification of VPN based on the OSI model layers recognizes three types of VPNs: data link layer, network layer and application layer VPNs (Malik, 2003). Algorithms used for encryption can be classified into partial encryption, direct encryption and compression-combined encryption (Lian, 2009). According to the number of keys used, algorithms can also be classified into asymmetrical and symmetrical algorithms. In general, different encryption algorithms encrypt data volumes hence acquiring different efficiency and security. It therefore remains a decision of system security administrators to select which algorithm to use which will provide the best VPN security (Microsoft Corporation, 2005). There is no single encryption algorithm which is efficient to address all situations (Microsoft Corporation, 2005). However, there are basic factors to consider when selecting the type of algorithm to use in VPN security. Strong encryption algorithms always consume more resources in computer systems compared to weaker encryption algorithms. Long encryption keys are considered to offer stronger securities than the shorter keys. Therefore, Chief Security Officer (CSOs) should decide on longer keys to enhance system securities (Microsoft Corporation, 2005). Asymmetric algorithms are also considered stronger than the symmetric ones since they use different keys (Microsoft Corporation, 2005). However, asymmetric algorithms of encryption are slower compared to symmetric ones. Experts also prefer block ciphers as they use loner keys hence offer stronger security compared to stream ciphers. Passwords that are long and complex seem to offer better security than shorter and simpler passwords which can be broken easily by hackers. It should be factor to consider the amount of data which is being encrypted. If large amounts of data are to be encrypted, then symmetric keys are to be used to encrypt the data and asymmetric keys should be used to encrypt the symmetric keys. It is also critical to compress data before encrypting because it is not easy to compress data once it has been encrypted (Microsoft Corporation, 2005). Direct encryption involves the encryption of data content with either traditional or novel cipher directly. Partial encryption involves the encryption of only significant portions of data and other parts are left unencrypted (Microsoft Corporation, 2003). Compression-combined encryption involves the combinations of encryption operation with compression operation which are simultaneously implemented. Comparably, direct encryption offers the highest data security as it encrypts largest volumes of data. However, this method has the lowest efficiency as it takes much time encrypting all data volumes. The reduction of data volumes in partial and compression-combined encryptions result to lower security but with highest efficiency (Lian, 2009). There are specific examples of ciphering algorithms used by most online companies to protect sensitive and private data such as business data, personal messages or passwords for online banking. The commonly used ciphering algorithms include the DES/3 DES, RC4, SEAL and Blowfish (MyCrypto. net, n. d). Data encryption in VPN client-server communications is critical for data confidentiality. This is because data is passed between VPN clients and VPN servers over a public or shared network which often poses risks of illegal data interception by the hackers. However, VPN servers can be configured to force communication encryption. The encryption will force VPN clients connecting to VPN servers to encrypt their data or else be denied connections. Microsoft Windows Server 2003 employs two different types of encryptions: the Internet Protocol security (IPSec) encryption that uses the Layer Two Tunneling Protocol (L2TP) and Microsoft Point-to-Point Encryption (MPPE) which used Point –to –Point Tunneling Protocol (Microsoft Corporation, 2005). In telephone communication or dial-up clients, data encryption is not necessary between the clients and their Internet Service Providers (ISP) since the encryption is always carried out with VPN client-VPN server connections. This implies that mobile users using dial-up connections to dial local ISPs need not to encrypt anything since once the Internet connection has been established, the users can create VPN connection with corporate VPN servers. In case VPN connections are encrypted, there is no need for encryption between users and ISPs in dial-up connections (Microsoft Corporation, 2005). VPN encryption generally allows for the attainment of the highest possible security standards made possible by key generation in a certified centre using the RSA, 1024 bit (MyCrypto. net, n. d). Smart card technology especially the TCOS-2. 0 Net Key SmartCard OS (operating system) grant a safe mode for key storage which complies with the evaluation criteria of information security systems (Li, n. d). Different types of encryption algorithms employ proprietary specific methods to generate the secret keys and thus the encryption algorithms become useful in different types of applications (MyCrypto. net, n. d). The length of keys generated by these algorithms determines the strength of encryption. The most common algorithms, DES/3DES, BLOWFISH, IDEA, SEAL, RC4 and RSA have different qualities and capabilities which network security administrators may choose to use in providing VPN security (MyCrypto. net, n. d). The RSA algorithm, developed in 1979 was named after its developers Ron Rivest, Shamir and Adleman hence the name RSA (Riikonen, 2002). RSA supports digital signatures and encryption and it is therefore the most widely used type of public key algorithm. RSA takes advantage of the problem of integer factorization to enhance security and it utilizes both private and public keys. It is one of the algorithms which is easy to understand and it has been patent-free since the year 2000 (Riikonen, 2002). RSA is commonly used for securing IP data, transport (SSL/TSL) data, emails, terminal connections and conferencing services. Its security entirely depends on the randomness of the numbers generated by the Pseudo Random Number Generator (PRNG). Data Encryption Standard/ Triple Data Encryption Standard (DES/3DES) has widely been used as a standard in banking institutions in Automatic Teller Machines (ATMs) as well as in UNIX OS password encryption (MyCrypto. net, n. d). DES/3DES allows the authentication of Personal Identification Number (PIN) to be made possible. While DES is basically a 64-bit block cipher, it uses 56-bit keys in encryption and most users don’t regard it as advances in computer technology continue to transform the banking and online industry (MyCrypto. net, n. d). DES has been found to be vulnerable to some cyberattacks and experts have now recommended 3DES as the stronger option. 3DES has the ability to encrypt data 3 times hence the name 3DES. It uses different keys for all the three passes and this gives it a total cumulative of 112-168 bit key size (MyCrypto. net, n. d). IDEA (International Data Encryption Algorithm) is another type of algorithm first developed by Prof. Massey and Dr. Lai in the wake of 1990s in Switzerland (MyCrypto. net, n. d) . It was meant to replace DES algorithm but one of the weaknesses of DES is that it uses a common key for both encryption and decryption and it only operates on 8 bytes at every incident. The success of IDEA in enhancing security lies on the length of its 128-bit key which makes hackers difficult to break especially those who try out every key. To present, there are no known means of breaking the IDEA 128-bit key other than trying each key at a time which is also difficult (MyCrypto. net, n. d). This then makes the algorithm better for security. Since it is a fast algorithm, IDEA has been implemented in most hardware chipsets to male them run faster (MyCrypto. net, n. d). Just like IDEA and DES, Blowfish represent another type of a symmetric block cipher which tales a varying key length ranging from 32 to 448 bits (MyCrypto. net, n. d). This makes it ideal for both exportable and domestic use. Developed in 1993 by Bruce Schneier, Blowfish became not only a fast alternative but also a free option to the other existing algorithms of encryption. Blowfish is now becoming more accepted by many experts because of its strong encryption properties (MyCrypto. net, n. d). Software-optimized Encryption Algorithm (SEAL), developed by Coppersmith and Rogaway is an example of a stream cipher where data is encrypted continuously (MyCrypto. net, n. d). Stream ciphers represent a group of algorithms which are faster compared to block ciphers such as IDEA, Blowfish and DES. However, stream ciphers have an extended initialization phase whereby a secure harsh algorithm is used to complete the set of tables (MyCrypto. net, n. d). It is considered a very fast algorithm as it uses 160 bit key for the purpose of encryption. In addition, SEAL is considered one of the safest algorithms used to protect data from hackers and thus, it can be used in managing passwords in financial systems (MyCrypto. net, n. d). Ciphers and Encryption Ciphers transform plaintext into secured ciphertext and then recover it back from ciphertext with the help of keys (Li, n. d). This way, data is kept private during client-server communication this providing maximum VPN and Web security. The transformation into plaintext and the recovery from ciphertext is commonly known as encryption and decryption respectively. During the decryption process, a key is required and without the key, correct plaintext recovery is not possible. There are several types of ciphers widely known and have been classified according to their properties. Ciphers can be classified as to either symmetric or asymmetric ciphers (Li, n. d). In symmetric ciphers, the decryption key used in cryptography is the same as that used in encryption. The operation for decrypting is often symmetric to the encrypting operation in symmetric ciphers (Li, n. d). In asymmetric ciphers, the decryption operations are never symmetric to encryption operations hence the keys used might differ (Lian, 2009). A simple model for showing asymmetric and symmetric ciphers is as shown below in Fig 2. 1 (a) and (b). Fig 2. 1(a) and (b) (a) Symmetric cipher (b) Asymmetric cipher Fig 2. 1 (a) and (b): Symmetric and asymmetric ciphers (Lian, 2009) In the models shown above, symmetric cipher use same key (K0) in encryption and decryption while asymmetric cipher use different keys (K1) and (K1) for encryption and decryption respectively (Lian, 2009). Since in asymmetric cipher the key is similar in both encryption and decryption operations, the key is known both to the sender and the receiver but not to the third party and it should always be kept private. Otherwise, the third party can decrypt the ciphertext and expose the ciphertext as plaintext. This is why the asymmetric cipher is also known as the private cipher. However, symmetric ciphers such as Advanced Encryption Standard (AES), Data Encryption Standard (DES) and International Data Encryption Algorithm (IDEA) have widely been used despite some vulnerabilities of ciphertext decryption by third parties (Lian, 2009). Asymmetric ciphers offer advanced security as the encryption key (K1) can securely be made public but the decryption key (K2) is safely kept private only made known to the receiver. This means that if the sender and the third party only knows one key (the encryption key), he is not able to decrypt the ciphertext hence maintaining maximum network security. The asymmetric cipher is therefore known as the public cipher and the symmetric cipher, private cipher. Asymmetric cipher or public ciphers are regarded more suitable particularly for key exchanges in online communications and internet commercial transactions. The reasons which make public ciphers suitable for VPN securities are for instance the difficulties in large number factorization in RSA cipher. The problem of the discrete logarithm is the concept behind the suitability of Elliptic Curve Cryptography (ECC). The ElGamal encryption is also regarded to offer suitable securities because of the problem with complex computing of discrete logarithms as the encryption is always defines over a wide range of cyclic groups. Cryptanalysis and Security Attacks Cryptanalysis techniques allow hackers to break easily into cipher systems in VPN. According to Kerckhoffs principle, the hacker clearly knows the cipher per se and the security of the cipher is largely depended on the private key (Lian, 2009). Cryptanalysis techniques employed by attackers aim to get access to the cipher’s private key with the aim of knowing the information as plaintext, ciphertext or even encryption algorithm. Cryptanalysis methods can be grouped into four categories according to the information best known to the attackers (Lian, 2009). The attack based on only ciphertext means that the attack only progresses after the attacker has known ciphertext collection. This method is known as ciphertext-only attack (Lian, 2009). Known-plaintext attack is another cryptanalysis method which means that the attack method will only be successful when the hacker has obtained pairs of plain-text-ciphertext sets. Another attack method is the chosen-plaintext attack which progresses only when the hacker has ciphertexts which correspond to arbitrary plaintexts sets. The last possible method of attack is the related-key attack which works after the attacker has obtained ciphertext which are encrypted using two dissimilar keys (Lian, 2009). Encryption algorithms security is determined by the resistance to cryptanalysis techniques including attacks like differential analysis, statistical attack and relate-key attacks. Ciphers used for network VPN and Web security should be analyzed thoroughly before they can be used, otherwise, attackers will break into systems when ciphers don’t provide the required maximum network security. Simple metrics can be employed in measuring resistance to cryptographic analysis and common attacks of ciphers. These metrics include plaintext sensitivity, key sensitivity and ciphertext randomness (Lian, 2009). It can therefore be said that the cryptographic algorithm is of high security only when the encryption algorithm is heavily secured against cryptographic analysis and attacks. In case the algorithm doe not provide this essential requirement, the encryption algorithm is then considered to be of low security. Key sensitivity refers to changes in ciphertext as a result of changes in keys. Good ciphers will recognize the slightest difference in keys and cause significant changes in ciphertext. Plain text sensitivity is almost similar to plaintext sensitivity and is defines as the alteration in ciphertext as a result of plaintext changes. Good ciphers should also be able to recognize any slight difference in plaintext changes and therefore cause significant ciphertext changes. Ciphertext randomness basically differs from the plaintext. In good ciphers, the ciphertext always has good randomness which makes it hard for attackers to establish holes in statistical properties of ciphertexts (Lian, 2009). Ciphers transform original intelligible data into a form which is unintelligible by the help of keys. This method is used to secure data confidentiality. Hash always uses the original data to generate short strings used to protect data integrity. Digital signatures employ the key-based hash in the generation of hash values for the data which is to be protected. Digital signatures are often used in the detection whether operations are done by the authenticated owner or not. This is critical in online transactions such as those involving online payment methods such as AlertPay, PayPal and MoneyBookers. Key generation and authentication provide critical methods which help in the generation and distribution of multiple keys during communication. Hackers use cryptoanalytical methods to analyze and break into networked systems through cryptographic means. Cryptoanalysis provides some special or common means to analyze hash, cipher, digital signatures or key generation and authentication algorithms securities. The best cryptographic methods in VPN and Web security should be immune to cryptoanalytical methods before they can be applied in system network security. Conclusion Encryption algorithms offer secure communication against cryptanalysis used by attackers such as known-plaintext attack, ciphertext-only attack and select-plaintext attacks. Complete encryption offers security to traditional and novel ciphers against cryptanalysis by hackers. Partial encryption allows some parameters to be encrypted using ciphers which are immune to cryptographic attacks. Compression-combined encryption involves the combination of encryption and comprension operations which make it secure from the perspective of cryptanalysis. VPN encryption utilizes basic encryption mechanisms which secure the traffic flowing across shared or public network. The encryption is critical in allowing VPN traffic to traverse public or shared network like the Internet. Banking systems have always employed complex security measures such as SSL VPN and IPsec VPN to encrypt traffics by the use of encryption algorithm in shared VPN connections. References: Malik, S (2003). Network security principles and practices. Indianapolis, IN: Cisco Press. Mogollon, M (2007). Cryptography and security services: mechanisms and applications. Hershey, New York: Cybertech Publishing. Lian, S (2009). Multimedia content encryption: Techniques and applications. New York: Taylor & Francis Group. Li, X (n. d). Cryptography and network security. Retrieved July 31, 2010 from, http://www. cs. iit. edu/~cs549/lectures/CNS-1. pdf. Microsoft Corporation (2005). Data encryption between VPN server and client. Retrieved August 4, 2010 from, http://technet. microsoft. com/en- us/library/cc778013%28WS. 10%29. aspx Microsoft Corporation (2003). Virtual private networking with Windows Server 2003: Overview. Retrieved August 1, 2010 from, http://www. microsoft. com/windowsserver2003 MyCrypto. net (n. d). Encryption algorithm. Retrieved August 4, 2010 from, http://www. mycrypto. net/encryption/crypto_algorithms. html Riikonen, K (2002). RSA algorithm. Retrieved August 4, 2010 from, http://www. cs. uku. fi/kurssit/ads/rsa. pdf