Encryption in Access Control
In the process of sending information from sender to receiver, an unauthorized user may work in an active way (modify it) or a passive way (read it or delay its delivery). There must be techniques that assure the receiver that whatever information is received comes from an authorized user and is the same as what the sender sent, and that the receiver is never subjected to a denial of service. Nowadays sharing of information or resources is very common, from a single user to the network to the cloud. When information is moving from one node to another, security is a big challenge. When information is stored on the user's computer, it is under control, but when it is in movement the user loses control over it. In the world of security, encryption is used to convert information from one form to another so that only an authorized party will be able to read it. Encryption is an essential technique for any security-conscious organization.
Access control is one of the techniques for providing integrity and confidentiality. Its main task is to regulate the sharing of resources or information. Access control determines whether a particular user has the right to perform a particular operation on particular data. Access control policies define users' permissions in order to provide security. These policies are defined according to an access control model. Access control prevents unauthorised sharing of resources or information. It also secures data against internal attacks and against disclosure or leakage of information to cyberterrorists.
As an RFID access card gets close to its reader, it begins to wirelessly transmit its binary code. If 125 kHz proximity is used, then the wireless protocol is typically Wiegand, an older technology that can no longer provide the security needed today. In a worst-case scenario, hackers could simply lift that fixed Wiegand clear text, retransmit it to the card reader and, from there, physically enter the facility and thereby the network, allowing these characters free rein to target the IT system. Data encryption is part of good practice and is, indeed, an opportunity for the security industry.
Mostly, access control means identifying a user for a specific job, authenticating them, and then granting that person the right to access data. This is just like granting an individual permission to log in to a network using a name and password, allowing them to use resources after confirming that they have permission to do a particular job. So, how do we give a particular user permission to perform their task? This is where access control is used.
There are three major elements to access control system encryption:
Authentication: Determining whether someone is, in fact, who they say they are. Credentials are compared to those on file in a database. If the credentials match, the process is completed and the user is granted access. Privileges and preferences granted to the authorized account depend on the user's permissions, which are stored either locally or on the authentication server. The settings are defined by an administrator. For example, multifactor authentication, using a card plus a keypad, has become commonplace for system logins and transactions within higher-security environments.
Integrity: This ensures that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. To maintain integrity, data must not be changed in transit; therefore, steps must be taken to ensure that data cannot be altered by an unauthorized person or program. Should data become corrupted, backups or redundancies must be available to restore the affected data to its correct state. Measures must also be taken to control the physical environment of networked terminals and servers, because data consistency, accuracy and trustworthiness can also be threatened by environmental hazards such as heat, dust or electrical problems. Transmission media (such as cables and connectors) should also be protected to ensure that they cannot be tapped, and hardware and storage media must be protected from power surges, electrostatic discharges and magnetism.
Non-repudiation: This declares that a user cannot deny the authenticity of their signature on a document or the sending of a message that they originated. A digital signature – a mathematical technique used to validate the authenticity and integrity of a message, software or digital document – is used not only to ensure that a message or document has been electronically signed by the person, but also to ensure that a person cannot later deny that they furnished it, since a digital signature can only be created by one person.
Encryption Algorithms
1. AES
The Advanced Encryption Standard (AES) is the algorithm trusted as the standard by the U.S. Government and numerous organizations.
Although it is extremely efficient in 128-bit form, AES also uses keys of 192 and 256 bits for heavy-duty encryption purposes.
AES is largely considered impervious to all attacks, with the exception of brute force, which attempts to decipher messages by trying all possible keys of the 128-, 192- or 256-bit cipher. Still, security experts believe that AES will eventually be hailed as the de facto standard for encrypting data in the private sector. The AES-128, AES-192 and AES-256 module is FIPS 140-2 certified. “FIPS mode” doesn't make Windows more secure; it just blocks access to newer cryptography schemes that haven't been FIPS-validated.
2. Twofish
Computer security expert Bruce Schneier is the mastermind behind Blowfish and its successor TrueCrypt. Keys used in this algorithm may be up to 256 bits in length, and as a symmetric technique, only one key is needed.
Twofish is regarded as one of the fastest of its kind, and ideal for use in both hardware and software environments. Like Blowfish, Twofish is freely available to anyone who wants to use it. As a result, you’ll find it bundled in encryption programs such as PhotoEncrypt, GPG, and the popular open source software TrueCrypt.
3. Triple DES
Triple DES was designed to replace the original Data Encryption Standard (DES) algorithm, which hackers eventually learned to defeat with relative ease. At one time, Triple DES was the recommended standard and the most widely used symmetric algorithm in the industry.
Triple DES uses three individual keys with 56 bits each. The total key length adds up to 168 bits, but experts would argue that 112 bits of key strength is more like it.
Despite slowly being phased out, Triple DES still manages to make a dependable hardware encryption solution for financial services and other industries.
How Encryption Works
Encryption consists of both an algorithm and a key. Once data is encrypted, the system needs the key to decrypt the resulting ciphertext back into its original form. There are two varieties of algorithms: private-key (symmetric) and public-key (asymmetric).
Private-key encryption uses the same key for both encryption and decryption. Be aware: if the key is lost or intercepted, messages may be compromised. Public key infrastructure (PKI) uses two different but mathematically linked keys. One key is private and the other is public.
With PKI, either key can be used for encryption or decryption. When one key is used to encrypt, the other is used to decrypt. The public key is easily obtained by all users. However, only the receiving party has access to the decryption key that allows messages to be read. Systems may use private-key encryption to encrypt data transmissions but use public-key encryption to encrypt and exchange the secret key.
Using one or both of these algorithms, access credential communications may be encrypted. Many modern cards support cryptography. Look for terms such as 3DES, AES (which the government uses to protect classified information), TEA and RSA.
Adding Encryption to an Access Control System
Integrators should consider 13.56 MHz smart cards to increase security over 125 kHz proximity cards. One of the first terms you will discover in learning about smart cards is “Mifare,” a technology from NXP Semiconductors.
The newest of the Mifare standards, DESFire EV1, includes a cryptographic module on the card itself to add an additional layer of encryption to the card/reader transaction. This is amongst the highest standards of card security currently available. DESFire EV1 protection is therefore ideal for sales to customers wanting to use secure multi-application smart cards in access management, public transportation schemes or closed-loop e-payment applications.
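To make concrete why the fixed Wiegand clear text described earlier can be replayed while an encrypted card/reader transaction cannot, here is a simplified one-way challenge-response in Go. It is an added illustration, not code from the article or from NXP's DESFire (which uses a mutual, multi-pass protocol): the reader sends a fresh random block, the card returns it AES-encrypted under a key that never leaves the card, and the reader verifies. The Card and Reader names and the single shared (non-diversified) key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// encryptBlock is the shared primitive: one AES block encryption of in under key.
func encryptBlock(key, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) != block.BlockSize() {
		return nil, errors.New("input must be exactly one AES block")
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, in)
	return out, nil
}

// Card holds its own AES key, which never leaves the card (unlike a fixed clear-text code).
type Card struct{ key []byte }

// Respond proves key possession by encrypting the reader's random challenge.
func (c *Card) Respond(challenge []byte) ([]byte, error) {
	return encryptBlock(c.key, challenge)
}

// Reader holds the same key (assumed here; real systems diversify it per card).
type Reader struct{ key []byte }

// Challenge draws a fresh 16-byte random nonce for every presentation, so a
// response captured earlier does not verify against a later challenge.
func (r *Reader) Challenge() ([]byte, error) {
	c := make([]byte, aes.BlockSize)
	_, err := rand.Read(c)
	return c, err
}

// Verify recomputes the expected response and compares it in constant time.
func (r *Reader) Verify(challenge, response []byte) bool {
	expected, err := encryptBlock(r.key, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}
```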
Valid ID is a relatively new anti-tamper feature available with contactless smartcard readers, cards and tags. Embedded, it adds yet another layer of authentication assurance to traditional Mifare smartcards. Valid ID enables a smartcard reader to help verify that the sensitive access control data programmed to a card or tag is indeed genuine and not counterfeit.
Encrypted Cards and Readers Inhibit Hackers
Whether you need to guard against state-sponsored terrorists or the neighborhood teen hacking the electronic access control systems that you implement, security today starts with encryption. But that’s just a beginning. To take steps that will further hinder hackers, ask for your manufacturer’s Cybersecurity Vulnerability Checklist.
While many believe that opening their network to cloud services might welcome greater risks, these studies and common mishaps suggest otherwise. Lack of employee education or defined cyber security policies, gaps in physical security and insufficient system maintenance contribute to the greatest number of threats.
How Connected Applications are Shaping Up to Be More Secure
Cloud is not all or nothing. Cloud services can be added to complement an on-premises system and its infrastructure. This can include using cloud applications to store long-term evidence, instead of on local servers or on external storage devices which can end up in the wrong hands. Cloud services can also play a critical role in disaster recovery.
In case servers are damaged by a fire or natural disaster, a full system back-up can be restored using cloud services so operations can continue without delay. Organizations can connect on-premises systems to cloud services to strengthen security and minimize internal and external threats. Here is how.
Automating Updates to Avoid Known Vulnerabilities
Many vulnerabilities that hackers prey on are quickly identified and fixed by vendors in software version updates. Even when an IT team sets scheduled updates in a closed environment, it might not happen fast enough to prevent a breach. The perk of deploying cloud services is that system updates are facilitated by the vendor. As soon as the latest versions and fixes are available, the client will have access to them. This helps to ensure that their systems are always protected against known vulnerabilities.
Considering Security in the Selection of Your Cloud Service Provider
All cloud solutions are not created equally. To identify the most secure cloud services, it’s important for organizations to take a closer look at the vendor’s security policies and built-in security mechanisms. This should include encrypted communications, data protection capabilities, and strong user authentication and password protection.
These mechanisms help protect organizations against hackers and other internet-based attacks. From an internal standpoint, they also ensure only those with defined privileges will be able to access or use resources, data and applications.
Organizations should also look at the back-end cloud platform on which the services are built. Tier-one cloud providers such as Microsoft have a global incident response team that works around the clock to mitigate attacks. The company also builds security into its cloud platform from the ground up, embedding mandatory security requirements into every phase of the development process. Top cloud providers also go out of their way to comply with international and industry-specific compliance standards, and participate in rigorous third-party audits which test and verify security controls.
NFC to Be More Secure
Nowadays a set of short-range wireless technologies called NFC (Near Field Communication) is used for public transport, opening a door or entering a parking lot. These chips are most compatible with devices because they are formatted in NFC Data Exchange Format (NDEF) and implement standards published by the NFC Forum. Their content can be encrypted; some examples are NTAG212, NTAG213, NTAG215 and NTAG216. MIFARE is an NXP Semiconductors-owned trademark covering proprietary technologies based upon various levels of ISO/IEC 14443, incorporating some encryption standards (AES and DES/Triple-DES) and also an older proprietary encryption algorithm.
Access control is the primary thing for security and is used to protect private and confidential data from attack. A basic understanding of access control helps us to manage information security. Four basic models are discussed here. Apart from these four, several models have been developed to increase authenticity, integrity and confidentiality. Another way to provide security is encryption, which uses a mathematical algorithm with a proper key to perform its operation. Both encryption and access control are used for privacy and to prevent unauthorized users from accessing some object. That data will be in motion, so copying or deletion will be possible. With an ACL, you can only allow or reject access at the software level, not on the physical storage. Encryption is used to provide confidentiality of data, but the data may still be accessed by an untrusted entity. Access control is used to provide limited access to a particular entity for a particular user, as defined by the owner.
Note: FIPS (Federal Information Processing Standard) 140-2 is the benchmark for validating the effectiveness of cryptographic hardware. If a product has a FIPS 140-2 certificate you know that it has been tested and formally validated by the U.S. and Canadian Governments.
What is the difference between FIPS 140-2 and FIPS 197 certification? FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. FIPS 140-2 is the next, more advanced level of certification. FIPS 140-2 includes a rigorous analysis of the product's physical properties.
FIPS 140-2 requires that any hardware or software cryptographic module implements algorithms from an approved list. The FIPS-validated algorithms cover symmetric and asymmetric encryption techniques as well as the use of hash standards and message authentication.