1923708 - SECURITY ASSESSMENT & RISK ANALYSIS

UNIT–V: OPERATIONS SECURITY

OPSEC surveys/OPSEC planning INFOSEC: computer security – audit, cryptography–encryption (e.g.,
point–to–point, network, link), cryptography–key management (to include electronic key),
Cryptography–strength (e.g., complexity, secrecy, characteristics of the key). Case study of threat and
vulnerability assessment.

5.1 OPSEC surveys/OPSEC planning

Operational security (OPSEC) is a security and risk management process that prevents sensitive
information from getting into the wrong hands.

Another OPSEC meaning is a process that identifies seemingly innocuous actions that could
inadvertently reveal critical or sensitive data to a cyber criminal. OPSEC is both a process and a
strategy, and it encourages IT and security managers to view their operations and systems from
the perspective of a potential attacker. It includes analytical activities and processes like
behavior monitoring, social media monitoring, and security best practice.

A crucial piece of what is OPSEC is the use of risk management to discover potential threats and
vulnerabilities in organizations’ processes, the way they operate, and the software and hardware
their employees use. Looking at systems and operations from a third party’s point of view
enables OPSEC teams to discover issues they may have overlooked and can be crucial to
implementing the appropriate countermeasures that will keep their most sensitive data secure.

OPSEC IMPORTANTANCE

OPSEC is important because it encourages organizations to closely assess the security risks they
face and spot potential vulnerabilities that a typical data security approach may not. OPSEC
security enables IT and security teams to fine-tune their technical and non-technical processes
while reducing their cyber risk and safeguarding them against malware-based attacks.

An effective OPSEC program is important to prevent the inadvertent or unintended exposure of

classified or sensitive data. It enables organizations to prevent the details of their future
activities, capabilities, and intentions from being made public. However, the key to achieving this
is understanding what this information is about, where it is located, what level of protection is
applied to it, what the impact would be if it is compromised, and how the organization would
respond.

If such information is leaked, attackers may be able to cause major damage. For example, they
may be able to build wider cyberattacks and commit identity fraud or theft if employees reuse
their login credentials across multiple online services.

THE 5 STEPS OF OPERATIONAL SECURITY

There are five steps to OPSEC that allow organizations to secure their data processes.

1|Page
Identify Sensitive Data

Understanding what data organizations have and the sensitive data they store on their
systems is a crucial first step to OPSEC security. This includes identifying information
such as customer details, credit card data, employee details, financial statements,
intellectual property, and product research. It is vital for organizations to focus their
resources on protecting this critical data.
Identify Possible Threats

With sensitive information identified, organizations then need to determine the potential
threats presented to this data. This includes third parties that may want to steal the data,
competitors that could gain an advantage by stealing information, and insider threats or
malicious insiders like disgruntled workers or negligent employees
Analyze the Vulnerabilities

Organizations then need to analyze the potential vulnerabilities in their security defenses
that could provide an opportunity for the threats to materialize. This involves assessing
the processes and technology solutions that safeguard their data and identifying
loopholes or weaknesses that attackers could potentially exploit.

Identify the Threat Level

Each identified vulnerability then has to have a level of threat attributed to it. The
vulnerabilities should be ranked based on the likelihood of attackers targeting them, the
level of damage caused if they are exploited, and the amount of time and work required to
mitigate and repair the damage. The more damage that could be inflicted and the higher
the chances of an attack occurring, the more resources and priority that organizations
should place in mitigating the risk.
Devise a Plan To Mitigate the Threats

This information provides organizations with everything they need to devise a plan to
mitigate the threats identified. The final step in OPSEC is putting countermeasures in
place to eliminate threats and mitigate cyber risks. These typically include updating
hardware, creating policies around safeguarding sensitive data, and providing employee
training on security best practice and corporate data policies.

An OPSEC process plan must be simple to understand, straightforward to implement and

follow, and be updated as the security threat landscape evolves.

2|Page
PROCEDURES FOR OPSEC SURVEYS

1. General

a. The purpose of an OPSEC survey is to thoroughly examine an operation or activity

to determine if adequate protection from adversary intelligence exploitation
exists.
b. Ideally, the operation or activity being surveyed will be using OPSEC measures to
protect its critical information. The OPSEC survey is used as a check on how
effective the measures are. The survey will determine if the critical information
identified during the OPSEC planning process is being protected.
c. A survey cannot be conducted until after an operation or activity has at least
identified its critical information. Without a basis of identified critical information,
there can be no specific determination that actual OPSEC vulnerabilities exist.

2. Uniqueness

a. Each OPSEC survey is unique. Surveys differ in the nature of the information
requiring protection, the adversary collection capability, and the environment of
the activity to be surveyed.
b. In combat, a survey's emphasis must be on identifying operational indicators that
signal friendly intentions, capabilities, and/or limitations and that will permit the
adversary to counter friendly operations or reduce their effectiveness.
c. In peacetime, surveys generally seek to correct weaknesses that disclose
information useful to potential adversaries in the event of future conflict. Many
activities, such as operational unit tests, practice alerts, and major exercises, are of
great interest to a potential adversary because they provide insight into friendly
readiness, plans, crisis procedures, and C2 capabilities that enhance that
adversary's long-range planning.

3. OPSEC Surveys versus Security Inspections

a. OPSEC surveys are different from security evaluations or inspections. A survey

attempts to produce an adversary's view of the operation or activity being
surveyed. A security inspection seeks to determine if an organization is in
compliance with the appropriate security directives and regulations.
b. Surveys are always planned and conducted by the organization responsible for the
operation or activity that is to be surveyed. Inspections may be conducted without
warning by outside organizations.
c. OPSEC surveys are not a check on the effectiveness of an organization's security
programs or its adherence to security directives. In fact, survey teams will be
seeking to determine if any security measures are creating OPSEC indicators.
d. Surveys are not punitive inspections, and no grades or evaluations are awarded as
a result of them. Surveys are not designed to inspect individuals but are employed
to evaluate operations and systems used to accomplish missions.

3|Page
 e. To obtain accurate information, a survey team must depend on positive
cooperation and assistance from the organizations participating in the operation
or activity being surveyed. If team members must question individuals, observe
activities, and otherwise gather data during the course of the survey, they will
inevitably appear as inspectors, unless this nonpunitive objective is made clear.
f. Although reports are not provided to the surveyed unit's higher headquarters,
OPSEC survey teams may forward to senior officials the lessons learned on a
nonattribution basis. The senior officials responsible for the operation or activity
then decide to further disseminate the survey's lessons learned.

4. Types of Surveys. There are two basic kinds of OPSEC surveys: command and formal.

a. A command survey is performed using only command personnel and concentrates

on events within the particular command.
b. A formal survey requires a survey team composed of members from inside and
outside the command and will normally cross command lines (after prior
coordination) to survey supporting and related operations and activities. Formal
surveys are initiated by a letter or message stating the subject of the survey,
naming the team leader and members, and indicating when the survey will be
conducted. Commands, activities, and locations to be visited may also be listed,
with the notation that the team may visit additional locations if required during
the field portion of the survey.
c. Both types of surveys follow the same basic sequence and procedures that are
established in the annexes to this appendix.

5. Survey Execution

a. Careful prior planning, thorough data collection, and thoughtful analysis of the
results are the key phases of an effective OPSEC survey.
b. The following annexes describe the three phases of an OPSEC survey.

BASIC OPERATIONS SECURITY (OPSEC) PLAN

1. PURPOSE: The BASIC OPSEC Program will provide the structure needed to offer OPSEC
guidance and support to BASIC operations worldwide, conduct and/or support OPSEC
assessments,
and recommend improvements. The program will also:
Provide an analytic process to identify critical information.
Assist in identifying cost-effective countermeasures that will close vulnerability gaps and
lower risk to operations and activities worldwide.
Ensure that the number one vulnerability – lack of awareness – is countered through effective,
regular and mandatory OPSEC Awareness training.

4|Page
2. ORGANIZATION: This OPSEC Program and its requirements apply to all BASIC personnel who
will participate in the OPSEC program under the following management structure (see Figure 1):

3. Roles and Responsibilities.

3.1 OPSEC Program Manager. The BASIC OPSEC Program Manager is responsible for
developing
the OPSEC Plan and monitoring its implementation and operation to ensure compliance. He
serves as the principal advisor to the Chief of the Organization and/or Chief of Security on all
OPSEC matters
and will:
1) Coordinate all OPSEC policy responsibilities and procedures within the program.
2) Revise the OPSEC Plan as necessary, including the critical information lists, threat
assessment, vulnerabilities, risk, and countermeasures.
3) Accumulate and disseminate updated threat information and awareness materials to program
personnel.
5) Assist in the review of contract requirements for OPSEC considerations.
6) Ensure that the OPSEC Coordinators and selected POCs will complete OPSEC training to
develop skills, which may include the following:
Threat assessment;
Identification of unclassified critical information;
Identification of OPSEC indicators;
Analysis of OPSEC vulnerabilities;
Assessment of risk;
Countermeasures development and implementation;

5|Page
 Contingency and emergency planning; and,
Awareness training development and presentation.
Training may be computer-based (CBT) or delivered via instructor-led briefings.
7) The BASIC PMO OPSEC Program manager will provide to the OPSEC Coordinators: the
BASIC OPSEC Plan with generally written annexes and updates (unclassified critical
information list, threat information, vulnerabilities, and the OPSEC SOP (countermeasures)),
awareness training software, and/or other awareness materials, as appropriate. Critical
Information Lists, threat, vulnerability and countermeasures should be coordinated with
personnel from the lowest possible tier to ensure effectiveness.

3.2. OPSEC Coordinators. The OPSEC Coordinators will successful

complete OPSEC training.The role of the OPSEC coordinator is to provide OPSEC oversight for
the lower tier levels and to interface with the OPSEC Program Manager to elevate issues that
affect BASIC at large.
OPSEC Coordinators will be responsible for awareness training, identification of critical
information lists and countermeasures, other OPSEC issues and vulnerabilities, and
implementation of OPSEC policies and procedures, and will work through OPSEC Points of
Contact (POCs) who are identified in lower tiers of the company. The OPSEC Coordinators will
maintain employee training records which must be made available if they are requested from
the BASIC OPSEC Program Manager. They will ensure that any OPSEC issues that are identified
by OPSEC POCs or personnel are provided to the BASIC

OPSEC Program Manager. These may include the identification of potential unclassified critical
information items, vulnerabilities, and/or countermeasures that may need to be addressed.

3.3. OPSEC Working Group. The role of the OPSEC working group is to ensure the BASIC
OPSEC Program implementation is consistent across the organization, and is integrated at the
working
level. The working group will also assist the OPSEC Program Manager to develop general
countermeasures and solutions. The working group will provide coordination of all
recommendations
being forwarded to senior leadership, and will assist with development of briefings and reports.
4. POLICY: All mandated areas in the company will participate in the OPSEC program.
4.1. All personnel will receive OPSEC orientation training within [30/60/90] days of
assignment. OPSEC coordinators will conduct initial orientation training using materials
provided by
the OPSEC program manager.
4.2. All personnel will participate in [annual/biannual/quarterly/monthly] OPSEC awareness
training. Coordinators will ensure that attendance for all personnel in their department is
documented,
and will provide a memo to that effect to the OPSEC Program Manager within [10/30] days of
the
training.
4.3. The OPSEC Program Manager will participate as an emergency actions team member,
and will provide appropriate OPSEC analysis support and countermeasures recommendations.
4.4. The OPSEC Program Manager will brief the Chief of the Organization on OPSEC issues

6|Page
and changes to the intelligence threat [periodically/weekly/monthly/quarterly].
4.5. Each company department will provide a senior representative to the OPSEC working
group. Managers will ensure the working group representative is replaced should the assigned
person
be unable to participate due to extended illness, extended travel requirements, or reassignment.
Working group members will attend training as determined by the OPSEC program manager.

4.6. Each [division/branch/functional area] will provide one or more OPSEC coordinators
depending on size and responsibilities of each element. The OPSEC Program Manager will
ensure that the OPSEC coordinator is replaced should the assigned person be unable to
participate due to extended illness, extended travel requirements, or reassignment. OPSEC
coordinators will attend training as
determined by the OPSEC program manager. OPSEC coordinators will provide reports, assist
with orientation and awareness training, and perform other OPSEC functions as determined by
the OPSEC program manager.
4.7. All personnel will be familiar with the critical information list for their department or
program, and will be prepared to describe appropriate OPSEC countermeasures they can apply
to protecting that information in accordance with their awareness training

5.2 INFORMATION SECURITY (INFOSEC)

Information security, often referred to as InfoSec, refers to the processes and tools designed and
deployed to protect sensitive business information from modification, disruption, destruction,
and inspection.

TYPES OF INFORMATION SECURITY (INFOSEC)

APPLICATION SECURITY
Application security is a broad topic that covers software vulnerabilities in web and mobile
applications and application programming interfaces (APIs). These vulnerabilities may be found
in authentication or authorization of users, integrity of code and configurations, and mature
policies and procedures. Application vulnerabilities can create entry points for significant
InfoSec breaches. Application security is an important part of perimeter defense for InfoSec

CLOUD SECURITY
Cloud security focuses on building and hosting secure applications in cloud environments and
securely consuming third-party cloud applications. “Cloud” simply means that the application is
running in a shared environment. Businesses must make sure that there is adequate isolation
between different processes in shared environments

CRYPTOGRAPHY

Encrypting data in transit and data at rest helps ensure data confidentiality and integrity. Digital
signatures are commonly used in cryptography to validate the authenticity of data.
Cryptography and encryption has become increasingly important. A good example of

7|Page
cryptography use is the Advanced Encryption Standard (AES). The AES is a symmetric key
algorithm used to protect classified government information.

INFRASTRUCTURE SECURITY

Infrastructure security deals with the protection of internal and extranet networks, labs, data
centers, servers, desktops, and mobile devices.

5.3 COMPUTER SECURITY

Computer security refers to measures and controls that ensure the confidentiality, integrity and
availability of the information processed and stored by a computer. This includes everything
from protecting physical information assets, to data security and computer safety practices.

Generally, basic computer security focuses on protecting computer systems from unauthorized
access and use. For your own personal computer security, this can include steps like installing
antivirus software, using a password generator and protecting the data you share online.

Computer security experts work to instantiate computer security (i.e., cybersecurity) best
practices within organizations. This involves managing computer and network security and
creating a security-focused culture within their organization. At its core, computer security
functions as well as an organization’s people follow security protocols — many cases of
unauthorized access and security breaches happen due to an employee clicking on a phishing
email or disregarding security policies.

Computer security experts must also establish computer ethics best practices within their
organization. Specifically, computer ethics refers to the ethical implementation and use of
computing resources, according to Technopedia. This includes avoiding infringement of
copyrights and trademarks, unauthorized distribution of digital content and the behavior and
approach of a human operator, workplace ethics and compliance with the ethical standards that
surround computer use.

TYPES OF COMPUTER SECURITY

There are several different types of computer security that impact various elements of an
organization’s physical and digital infrastructure. As a result, there are many different types of
security that professionals must focus on, including

Application security

Application security is the process of adding specific features to software that prevents a variety
of cyber threats. Examples include two-step authentication, high-level encryption, logging,
firewalls, intrusion prevention systems (IPS) and more.

8|Page
Information security

Information security revolves around protecting company data assets from unauthorized use.
Typically, information security involves the CIA triad model, which focuses on protecting data
confidentiality, integrity and availability without impacting an organization’s productivity.

Network security

This type of computer security focuses on procedures network administrators implement to

avoid unauthorized access, modification, exploitation or denial of the networks and their
resources. Conducted effectively, these procedures block the majority of viruses, malware and
other cyber threats from accessing or altering secure information.

Endpoint security

Endpoint security is the practice of safeguarding individual network endpoints — individual

devices that connect to an organization’s network. This practice has become more important in
recent years as many people use personal computers, phones and other devices to access
company information and networks while working from home. Ensuring that these devices can
access needed information without compromising an organization’s security posture is a major
concern in modern computer security.

3.3 CYBERSECURITY AUDIT

A cybersecurity audit involves a comprehensive analysis and review of your IT infrastructure. It

detects vulnerabilities and threats, displaying weak links and high-risk practices.

Significant benefits of IT security audits are:

 Risk assessment and vulnerability identification

 Strengthened security measures
 Compliance with regulations and standards
 Incident response preparedness
 Safeguarding sensitive data and customer trust
 Proactive threat detection and prevention

The Scope of a Cybersecurity Audit

Cybersecurity audits ensure a 360-degree in-depth audit of your organization’s security

posture. They aim to identify vulnerabilities, risks, and threats that may affect the
organization. These audits cover various areas, including:

9|Page
  Data Security – involves reviewing network access control, encryption use, data
security at rest, and transmissions.
 Operational Security – involves a review of security policies, procedures, and
controls.
 Network Security – a review of network & security controls, anti-virus
configurations, security monitoring capabilities, etc.
 System Security – This review covers hardening processes, patching processes,
privileged account management, role-based access, etc.
 Physical Security – a review that covers disk encryption, role-based access
controls, biometric data, multifactor authentication, etc.

Internal vs. External Cybersecurity Audit

Cybersecurity audits can be conducted by either external cybersecurity services

companies or internal teams.
External cybersecurity audits are performed by experienced professionals from
specialized companies. These professionals possess in-depth knowledge of security
protocols and utilize advanced software and tools to conduct a comprehensive audit.
Their expertise allows them to identify vulnerabilities and flaws in an organization’s
cybersecurity risk management effectively.
On the other hand, internal security audits are conducted by an organization’s in-house
team. These audits can be performed more frequently and provide the advantage of
having direct access to internal systems and processes. Internal auditors are familiar
with the organization’s specific security requirements and can tailor the audit to address
its unique challenges.
Both external and internal security audits offer distinct advantages and serve different
purposes. Key points to consider include:

External Security Audit:

 Independence: External auditors offer an unbiased assessment as they are not

directly involved in the company’s day-to-day operations.
 Expertise and Experience: External auditors often have specialized knowledge
and experience in conducting security audits across various industries.
 Compliance and Regulations: External audits help ensure compliance with
industry regulations, standards, and legal requirements.
 Objectivity: External auditors objectively evaluate the company’s security
controls without any internal bias or conflicts of interest.

10 | P a g e
To get better value from the external security audit, you must find the right and
affordable auditing company, set expectations for auditors, submit relevant and accurate
information, and implement suggested changes.
Despite the benefits of external audits, many organizations opt for internal cybersecurity
audits due to their cost, efficiency, speed, and consistency.
Internal Security Audit:

 In-depth Knowledge: Internal auditors have a better understanding of the

company’s internal systems, processes, and culture, which allows for a more
comprehensive assessment.
 Cost-effectiveness: Conducting internal audits can be more cost-effective since
there is no need to engage external resources.
 Continuous Monitoring: Internal audits can be performed regularly, providing
ongoing monitoring and evaluation of the organization’s security measures.
 Company-specific Focus: Internal audits can specifically address the company’s
unique security challenges and requirements

3.SECURITY AUDIT

A security audit is a systematic evaluation of the security of a company's information

system by measuring how well it conforms to an established set of criteria. A
thorough audit typically assesses the security of the system's physical configuration
and environment, software, information handling processes and user practices.

SECURITY AUDITS IMPORTANT

There are several reasons to do a security audit. They include these six goals:

1. Identify security problems and gaps, as well as system weaknesses.

2. Establish a security baseline that future audits can be compared with.

3. Comply with internal organization security policies.

4. Comply with external regulatory requirements.

5. Determine if security training is adequate.

6. Identify unnecessary resources.

11 | P a g e
SECURITY AUDIT NEEDED

How often an organization does its security audits depends on the industry it is in, the
demands of its business and corporate structure, and the number of systems and
applications that must be audited. Organizations that handle a lot of sensitive data -- such
as financial services and heathcare providers -- are likely to do audits more frequently.
Ones that use only one or two applications will find it easier to conduct security audits
and may do them more frequently. External factors, such as regulatory requirements,
affect audit frequency, as well.

Types of security audits

Security audits come in two forms, internal and external audits, that involve the following
procedures:

 Internal audits. In these audits, a business uses its own resources and internal audit
department. Internal audits are used when an organization wants to validate business
systems for policy and procedure compliance.

 External audits. With these audits, an outside organization is brought in to conduct

an audit. External audits are also conducted when an organization needs to confirm it
is conforming to industry standards or government regulations.
Steps involved in a security audit

These five steps are generally part of a security audit:

1. Agree on goals. Include all stakeholders in discussions of what should be achieved

with the audit.

2. Define the scope of the audit. List all assets to be audited, including computer
equipment, internal documentation and processed data.

3. Conduct the audit and identify threats. List potential threats related to each
Threats can include the loss of data, equipment or records through natural disasters,
malware or unauthorized users.

12 | P a g e
 4. Evaluate security and risks. Assess the risk of each of the identified threats
happening, and how well the organization can defend against them.

5. Determine the needed controls. Identify what security measures must be

implemented or improved to minimize risks.

5.4 CRYPTOGRAPHY

Cryptography is the process of hiding or coding information so that only the person a
message was intended for can read it. The art of cryptography has been used to code
messages for thousands of years and continues to be used in bank cards, computer
passwords, and ecommerce.

Modern cryptography techniques include algorithms and ciphers that enable the
encryption and decryption of information, such as 128-bit and 256-bit encryption keys.
Modern ciphers, such as the Advanced Encryption Standard (AES), are considered
virtually unbreakable.

The Importance of Cryptography

Cryptography remains important to protecting data and users, ensuring confidentiality,

and preventing cyber criminals from intercepting sensitive corporate information. Common uses
and examples of cryptography include the following:

Privacy and Confidentiality

Individuals and organizations use cryptography on a daily basis to protect their privacy
and keep their conversations and data confidential. Cryptography ensures confidentiality
by encrypting sent messages using an algorithm with a key only known to the sender and
recipient. A common example of this is the messaging tool WhatsApp, which encrypts
conversations between people to ensure they cannot be hacked or intercepted.

Cryptography also secures browsing, such as with virtual private networks (VPNs), which
use encrypted tunnels, asymmetric encryption, and public and private shared keys.

13 | P a g e
Authentication

Integrity

Similar to how cryptography can confirm the authenticity of a message, it can also prove
the integrity of the information being sent and received. Cryptography ensures
information is not altered while in storage or during transit between the sender and the
intended recipient. For example, digital signatures can detect forgery or tampering in
software distribution and financial transactions.
Non repudiation
Cryptography confirms accountability and responsibility from the sender of a message,
which means they cannot later deny their intentions when they created or transmitted
information. Digital signatures are a good example of this, as they ensure a sender cannot
claim a message, contract, or document they created to be fraudulent. Furthermore, in
email nonrepudiation, email tracking makes sure the sender cannot deny sending a
message and a recipient cannot deny receiving it.

Key Exchange
Key exchange is the method used to share cryptographic keys between a sender and their
recipient.

5.5 TYPES OF CRYPTOGRAPHIC ALGORITHMS

There are many types of cryptographic algorithms available. They vary in complexity and
security, depending on the type of communication and the sensitivity of the information
being shared.

Secret Key Cryptography

Secret key cryptography, also known as symmetric encryption, uses a single key to
encrypt and decrypt a message. The sender encrypts the plaintext message using the key
and sends it to the recipient who then uses the same key to decrypt it and unlock the
original plaintext message.

Stream Ciphers
Stream ciphers work on a single bit or byte at any time and constantly change the key
using feedback mechanisms. A self-synchronizing stream cipher ensures the decryption
process stays in sync with the encryption process by recognizing where it sits in the bit
keystream. A synchronous stream cipher generates the keystream independently of the

14 | P a g e
message stream and generates the same keystream function at both the sender and the
receiver.

Block Ciphers
Block ciphers encrypt one block of fixed-size data at a time. It will always encrypt a
plaintext data block to the same ciphertext when the same key is used. A good example of
this is the Feistel cipher, which uses elements of key expansion, permutation, and
substitution to create vast confusion and diffusion in the cipher.

The stages of encryption and decryption are similar if not identical, which means
reversing the key reduces the code size and circuitry required for implementing the
cipher in a piece of software or hardware.

Public Key Cryptography

Public key cryptography (PKC), or asymmetric cryptography, uses mathematical

functions to create codes that are exceptionally difficult to crack. It enables people to
communicate securely over a nonsecure communications channel without the need for a
secret key. For example, proxy reencryption enables a proxy entity to reencrypt data
from one public key to another without requiring access to the plaintext or private keys.

A common PKC type is multiplication vs. factorization, which takes two large prime
numbers and multiplies them to create a huge resulting number that makes deciphering
difficult. Another form of PKC is exponentiation vs. logarithms such as 256-bit encryption,
which increases protection to the point that even a computer capable of searching
trillions of combinations per second cannot crack it.

Generic forms of PKC use two keys that are related mathematically but do not enable
either to be determined. Put simply, a sender can encrypt their plaintext message using
their private key, then the recipient decrypts the ciphertext using the sender’s public key.

Common PKC algorithms used for digital signatures and key exchanges include:

RSA
RSA was the first and remains the most common PKC implementation. The algorithm is
named after its MIT mathematician developers, Ronald Rivest, Adi Shamir, and Leonard
Adleman, and is used in data encryption, digital signatures, and key exchanges. It uses a
large number that is the result of factoring two selected prime numbers. It is impossible
for an attacker to work out the prime factors, which makes RSA especially secure.

15 | P a g e
Elliptic Curve Cryptography (ECC)
ECC is a PKC algorithm based on the use of elliptic curves in cryptography. It is designed
for devices with limited computing power or memory to encrypt internet traffic. A
common use of ECC is in embedded computers, smartphones, and cryptocurrency
networks like bitcoin, which consumes around 10% of the storage space and bandwidth
that RSA requires.

Digital Signature Algorithm (DSA)

DSA is a standard that enables digital signatures to be used in message authentication. It
was introduced by the National Institute of Standards and Technology (NIST) in 1991 to
ensure a better method for creating digital signatures.

Identity-based Encryption (IBE)

IBE is a PKC system that enables the public key to be calculated from unique information
based on the user’s identity, such as their email address. A trusted third party or private
key generator then uses a cryptographic algorithm to calculate a corresponding private
key. This enables users to create their own private keys without worrying about
distributing public keys.

5.6 ENCRYPTION

Encryption is a way of scrambling data so that only authorized parties can understand the
information. In technical terms, it is the process of converting human-readable plaintext
to incomprehensible text, also known as ciphertext. In simpler terms, encryption takes
readable data and alters it so that it appears random. Encryption requires the use of
a cryptographic key: a set of mathematical values that both the sender and the recipient
of an encrypted message agree on.

How does encryption work?

Encryption is a mathematical process that alters data using an encryption algorithm and
a key. Imagine if Alice sends the message "Hello" to Bob, but she replaces each letter in
her message with the letter that comes two places later in the alphabet. Instead of "Hello,"
her message now reads "Jgnnq." Fortunately, Bob knows that the key is "2" and can
decrypt her message back to "Hello."

Alice used an extremely simple encryption algorithm to encode her message to Bob. More
complicated encryption algorithms can further scramble the message:

16 | P a g e
What is a key in cryptography?

A cryptographic key is a string of characters used within an encryption algorithm for

altering data so that it appears random. Like a physical key, it locks (encrypts) data so
that only someone with the right key can unlock (decrypt) it.

What are the different types of encryption?

The two main kinds of encryption are symmetric encryption and asymmetric encryption.
Asymmetric encryption is also known as public key encryption.

In symmetric encryption, there is only one key, and all communicating parties use the
same (secret) key for both encryption and decryption. In asymmetric, or public key,
encryption, there are two keys: one key is used for encryption, and a different key is used
for decryption. The decryption key is kept private (hence the "private key" name), while
the encryption key is shared publicly, for anyone to use (hence the "public key" name).
Asymmetric encryption is a foundational technology for TLS (often called SSL).

Why is encryption important?

Privacy: Encryption ensures that no one can read communications or data at rest except
the intended recipient or the rightful data owner. This prevents attackers, ad networks,
Internet service providers, and in some cases governments from intercepting and reading
sensitive data, protecting user privacy.

Security: Encryption helps prevent data breaches, whether the data is in transit or at
rest. If a corporate device is lost or stolen and its hard drive is properly encrypted, the
data on that device will still be secure. Similarly, encrypted communications enable the
communicating parties to exchange sensitive data without leaking the data.

Data integrity: Encryption also helps prevent malicious behavior such as on-path
attacks. When data is transmitted across the Internet, encryption ensures that what the
recipient receives has not been viewed or tampered with on the way.

17 | P a g e
Regulations: For all these reasons, many industry and government regulations require
companies that handle user data to keep that data encrypted. Examples of regulatory and
compliance standards that require encryption include HIPAA, PCI-DSS, and the GDPR.

What is an encryption algorithm?

An encryption algorithm is the method used to transform data into ciphertext. An

algorithm will use the encryption key in order to alter the data in a predictable way, so
that even though the encrypted data will appear random, it can be turned back into
plaintext by using the decryption key.

What are some common encryption algorithms?

Commonly used symmetric encryption algorithms include:

 AES

 3-DES

 SNOW

Commonly used asymmetric encryption algorithms include:

 RSA

 Elliptic curve cryptography

What is a brute force attack in encryption?

A brute force attack is when an attacker who does not know the decryption key attempts
to determine the key by making millions or billions of guesses. Brute force attacks are
much faster with modern computers, which is why encryption has to be extremely strong
and complex. Most modern encryption methods, coupled with high-quality passwords,
are resistant to brute force attacks, although they may become vulnerable to such attacks
in the future as computers become more and more powerful. Weak passwords are still
susceptible to brute force attacks.

18 | P a g e
How is encryption used to keep Internet browsing secure?

Encryption is foundational for a variety of technologies, but it is especially important for

keeping HTTP requests and responses secure. The protocol responsible for this is
called HTTPS (Hypertext Transfer Protocol Secure). A website served over HTTPS instead
of HTTP will have a URL that begins with https:// instead of http://, usually represented
by a secured lock in the address bar.

HTTPS uses the encryption protocol called Transport Layer Security (TLS). In the past, an
earlier encryption protocol called Secure Sockets Layer (SSL) was the standard, but TLS
has replaced SSL. A website that implements HTTPS will have a TLS certificate installed
on its origin server. Learn more about TLS and HTTPS.

To help keep the Internet more secure, Cloudflare offers free TLS/SSL encryption for any
websites using Cloudflare services. Learn more about Universal SSL from Cloudflare.

5.7 KEY MANAGEMENT IN CRYPTOGRAPHY

In cryptography, it is a very tedious task to distribute the public and private keys between
sender and receiver. If the key is known to the third party (forger/eavesdropper) then the
whole security mechanism becomes worthless. So, there comes the need to secure the
exchange of keys.
There are two aspects for Key Management:
1. Distribution of public keys.
2. Use of public-key encryption to distribute secrets.

Distribution of Public Key:

The public key can be distributed in four ways:
1. Public announcement
2. Publicly available directory
3. Public-key authority
4. Public-key certificates.
These are explained as following below:
1. Public Announcement: Here the public key is broadcasted to everyone. The major
weakness of this method is a forgery. Anyone can create a key claiming to be someone else
and broadcast it. Until forgery is discovered can masquerade as claimed user.

19 | P a g e
2. Publicly Available Directory: In this type, the public key is stored in a public directory.
Directories are trusted here, with properties like Participant Registration, access and allow
to modify values at any time, contains entries like {name, public-key}. Directories can be
accessed electronically still vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but, improves security by tightening
control over the distribution of keys from the directory. It requires users to know the public
key for the directory. Whenever the keys are needed, real-time access to the directory is
made by the user to obtain any desired public key securely.
4. Public Certification: This time authority provides a certificate (which binds an identity
to the public key) to allow key exchange without real-time access to the public authority
each time. The certificate is accompanied by some other info such as period of validity,
rights of use, etc. All of this content is signed by the private key of the certificate authority
and it can be verified by anyone possessing the authority’s public key.
First sender and receiver both request CA for a certificate which contains a public key and
other information and then they can exchange these certificates and can start
communication.

20 | P a g e