Date: 10/12/2024 to 17/12/2024 Total Marks = 5

Department
Computer Science Section BSCS3B

Information Security: BSCS3B

Assignment-2
Fall, 2024

(Information Security (3)

Students Name: Malik Muhammad Umer

Student ID: CSC-23F-078

Expected Outcome:
Clo-2: Understand the fundamental principles and theories underlying cryptographic
Algorithms, including the mathematical foundations of cryptography.

Total (5 marks)

Q1
A. Web security and protocols for secure electronic commerce (IPsec, SSL, TLS, SET)?
B. Discusses the cryptography and identify the challenges in cryptography ?

Note: Your assignment must have contained 300 words

Referencing: Follow the IEEE referencing model
Introduction

Web security is an integral part of safe electronic commerce, which makes it possible to conduct secure
transactions and communication over the internet. Secure protocols such as IPsec, SSL, TLS, and SET play
very important roles in ensuring confidentiality, integrity, authentication, and non-repudiation of online
transactions.

• IPsec (Internet Protocol Security)

Overview:

IPsec is a family of protocols which are meant for ensuring secure communications through the internet
protocol by authenticating as well as encrypting every internet protocol packet in any given session of
communication. This, at the same time, runs through the network layer in the IEEE reference model.

Characteristics:

1. Authentication: Guarantees the authenticity of sources with AH.

2. Encryption: Confidentiality of data can be ensured with ESP.
3. Key Management: Utilization of internet key exchange is a protocol used to do it securely.
4. Integrity: This method detects packet alteration while in transit.

How it Works:

IPsec operates in two modes:

1. Transport Mode:
Encrypts the payload of the IP packet only.
2. Tunnel Mode:
The entire IP packet is encrypted including the header.

Applications for E-commerce:

Protects the communication of clients and server at the IP layer. Protection for VPNs, where this kind of
network connection is quite popular in e-commerce settings.

IEEE Reference Model Mapping:

IPsec is aligned to the Network Layer (Layer 3) in the IEEE model because it protects IP communications.
 • SSL (Secure Sockets Layer) and TLS (Transport Layer Security)

Overview:

SSL and TLS are cryptographic protocols aimed at providing secure communication over the internet. TLS is
the successor of SSL and is more secure and efficient.

Characteristics:

1. Encryption: Data exchanged between the client and server is unreadable to eavesdroppers.
2. Authentication: Uses digital certificates to verify servers and optionally client identities.
3. Integrity: Prevents data from being changed during transmission.

How it Works:

1. Handshake Protocol:

• Negotiates encryption algorithms and cryptographic keys.

• Exchanges certificates for authentication.

2. Record Protocol:

• Encrypt application data using symmetric encryption.

• Ensures data integrity using Message Authentication Codes (MACs).

Applications in E-commerce:

• Supports HTTPS, the secure variant of HTTP.

• It protects credit card information, personal data, and login credentials.

IEEE Reference Model Mapping:

SSL and TLS run on the Transport Layer (Layer 4). It protects application-layer protocols such as HTTP.

• SET (Secure Electronic Transaction)

Overview:

SET is a protocol developed by Visa and MasterCard to ensure electronic credit card transactions. It ensures
the protection of payment data in online transactions.
Characteristics:

1. Confidentiality: Encrypts the payment information.

2. Authentication: Utilizes digital certificates to authenticate all parties involved: the customer,
merchant, and payment gateway.
3. Integrity: Guarantees that the transaction data is not altered.

How it Works:

1. Customer Initialization:
The customer's digital certificate is issued by a trusted Certificate Authority (CA).
2. Merchant Authentication:
The merchant's identity is authenticated using their digital certificate.
3. Payment Processing:
The credit card details of the customer are encrypted and sent to the payment gateway.

Applications in E-commerce:

1. For protecting credit card transactions.

2. Offers end-to-end encryption of payment information.

IEEE Reference Model Mapping:

Protocol Layer (IEEE Model) Main Functions Applications

IPsec Network Layer It uses encryption to VPNs, safe
secure the IP packets communications among
the networks
SSL/TLS Transport Layer Secures data at the HTTPS, secure client-
transport level server communication
SET Application Layer Secures electronic E-commerce credit card
transactions transactions

Conclusion:

The combination of these protocols covers various layers of security in e-commerce, offering robust
defense against cyber threats. While IPsec protects data at the network layer, SSL/TLS protects transport
layer communications, and SET provides protection at the application layer for financial transactions.

The implementation of these protocols together allows end-to-end security, thus ensuring safe and
trustworthy e-commerce experiences.
Introduction
Cryptography is the science domain related to securing information by using mathematical algorithms and
techniques. It can provide assurance in aspects of confidentiality, integrity, authentication, and non-
repudiation in different fields such as secured communications, financial operations, and data protection.
However, cryptography also faces a variety of technological progress and computational restrictions along
with novel threats.

1. Types of Cryptography

There are mainly two types of cryptography:

• Symmetric-Key Cryptography

➢ Key type:
It is the same key for encryption and decryption.
➢ Algorithms:
AES (Advanced Encryption Standard), DES (Data Encryption Standard), and RC4.
➢ Applications:
Safe file storage, VPN, fast encryption of large amounts of data.

• Asymmetric-Key Cryptography:

➢ Description:
Uses different keys for encryption (public key) and decryption (private key).
➢ Algorithms:
RSA, ECC or Elliptic Curve Cryptography, and Diffie-Hellman.
➢ Applications:
Secure email, digital signatures, SSL/TLS protocols.

• Hashing:

➢ Description:
Data is converted into a fixed-size hash value to ensure data integrity.
➢ Algorithms:
SHA (Secure Hash Algorithm), MD5 (Message Digest 5).
➢ Applications:
Include password storage, integrity verification, and blockchain systems.

• Post-Quantum Cryptography:

➢ Definition:
Cryptographic techniques that are resistant to attack by quantum computers.
➢ Algorithms:
Lattice-based cryptography, Code-based cryptography.
 ➢ Applications:
Long-term data security, future-proof systems.

2. Comparing Cryptography with the IEEE Reference Model:

The IEEE reference model categorizes cryptographic implementations into different layers:

Layer Role in Cryptography Examples

Physical Layer Protects the data being Frequency hopping, Spread
transmitted from the physical spectrum
attacks of interception
Data Link Layer Protect frames over local MACSec, frame-by-frame
networks encryption
Network Layer Supports end-to-end packet IPsec
encryption
Transport Layer Ensures data transfer between SSL/TLS, DTLS
systems
Application Layer Provide application layer security PGP, HTTPS, SET
to users

3. Difficulties in Cryptography:
Despite being efficient, cryptography still meets significant challenges:

• Computational Burden

➢ Description:
Cryptographic algorithms are highly computationally intensive, creating performance bottlenecks in
resource-constrained environments like IoT and mobile devices.
➢ Impact:
It causes higher latency in secured communications.

• Key Management

➢ Description:
Generating, distributing, storing, and revocation of cryptography keys should be done appropriately.
➢ Impact:
Weak key management weakens the entire security system.

• Quantum Computing Threats

➢ Description:
Quantum computers can crack the conventional public-key algorithms such as RSA and ECC using a
quantum algorithm called Shor's algorithm.
 ➢ Impact:
It undermines the base of existing encryption systems.

• Side-Channel Attacks

➢ Description:
Take advantage of physical weaknesses through variability in time, radio emission, or power consumption.
➢ Impact:
Compromises the security of cryptographic implementations without directly attacking the algorithm.

• Exploits and poor Implementations

➢ Description:
Weak or poor designs of cryptographic systems, malicious backdoors, or poor-quality random number
generators compromise security.
➢ Impact:
It produces weaknesses that can be exploited.

• Scalability

➢ Description:
It is quite challenging to describe cryptography-based system scalability over such giant-scale systems.
➢ Impact:
Effects on cloud security, blockchain, and distributed systems.

• Usability and Security

➢ Description:
Even understanding such advanced cryptographical schemes, particularly their implementation, may be
tricky for users, resulting in misconfigurations.
➢ Impact:
It creates vulnerabilities because of user errors.

• Rapid Technological Advancement

➢ Description:
Computational power and attack techniques are advancing much faster than the development of secure
cryptographic algorithms.
➢ Impact:
It's always under update and change.
 4. Addressing Cryptographic Challenges

• Enhancing Computational Efficiency:

➢ Implement lightweight cryptography algorithms such as ChaCha20 in resource constrained

environments.
➢ Use hardware acceleration, such as AES-NI, to accelerate encryption.

• Resilient Management of Keys:

➢ Implement automated management of key lifecycles through Public Key Infrastructure (PKI).
➢ Implement protocols such as Hardware Security Module (HSM) for secure storage of keys.

• Post-Quantum Cryptography:

➢ Transition to quantum-safe algorithms such as lattice-based cryptography.

➢ Standards, such as those of NIST's Post-Quantum Cryptography Project.

• Mitigation Side-Channel Attacks:

➢ Use hardware and software countermeasures that involve masking and adding noise.
➢ Regular audit of cryptographic implementations.

• Guaranteeing Appropriate Execution:

➢ Follow industry standards, such as IEEE 1363 for cryptographic techniques.

➢ All should be fuzzed rigorously and undergo formal verification.

• Friendlier to Users:

➢ It should be well-documented and user-friendly.

➢ Educate users and developers on how to use cryptography best.

Conclusion:

Cryptography is one of the basic pillars in modern information security, providing a security layer based on
layers of the IEEE reference model. However, this can be effective only if problems such as computational
overhead, key management, quantum computing threats, and side-channel attack vulnerabilities can be
addressed. Innovative approaches, such as post-quantum cryptography and following international
standards, will allow organizations to overcome these hurdles and to maintain robust security despite a
constantly evolving threat environment.
References:

1. Menezes, A. J., van Oorschot, P. C., & Vanstone, S. A. (1996). *Handbook of Applied Cryptography*.
CRC Press.
2. Stallings, W. (2020). *Cryptography and Network Security: Principles and Practice*. Pearson.
3. IEEE Standards Association. (2024). *IEEE 1363: Standard Specifications for Public Key Cryptography*.
IEEE.
4. National Institute of Standards and Technology (NIST). (2022). *Post-Quantum Cryptography
Standardization Project*.
5. IEEE Standards Association. (2024). *IEEE Standards for Cryptographic Protocols*. IEEE.
6. Dierks, T., & Rescorla, E. (2008). *The Transport Layer Security (TLS) Protocol Version 1.2*. RFC 5246.