Ways Of Securing Communications In Cyber Security
Organizations must provide support to secure the data as it travels across links. This may include internal traffic, but it is even more important to protect the data that travels outside of the organization to branch sites, telecommuter sites, and partner sites. In this article, I want to take about means of securing communications in cyber security. Follow me as we look at that in this article.
These are the four elements of secure communications:
- Data Integrity – Guarantees that the message was not altered. Any changes to data in transit will be detected. Integrity is ensured by implementing either of the Secure Hash Algorithms (SHA-2 or SHA-3). The MD5 message-digest algorithm is still widely in use, however, it is inherently insecure and creates vulnerabilities in a network. The use of MD5 should be avoided.
- Origin Authentication – Guarantees that the message is not a forgery and does actually come from whom it states. Many modern networks ensure authentication with algorithms such as hash-based message authentication code (HMAC).
- Data Confidentiality – Guarantees that only authorized users can read the message. If the message is intercepted, it cannot be deciphered within a reasonable amount of time. Data confidentiality is implemented using symmetric and asymmetric encryption algorithms.
- Data Non-Repudiation – Guarantees that the sender cannot repudiate, or refute, the validity of a message sent. Nonrepudiation relies on the fact that only the sender has the unique characteristics or signature for how that message is treated.
Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.
Cryptographic Hash Functions
Hashes are used to verify and ensure data integrity. Hashing is based on a one-way mathematical function that is relatively easy to compute, but significantly harder to reverse. Grinding coffee is a good analogy of a one-way function. It is easy to grind coffee beans, but it is almost impossible to put all of the tiny pieces back together to rebuild the original beans. The cryptographic hashing function can also be used to verify authentication.
The figure shows a printed piece of paper with words to the side: plaintext message (data of arbitrary length). An arrow goes from the paper into a funnel that has the words hash function beside it. An arrow goes out of the funnel into a text box: e883aacb24c09f and the words fixed-length hash value.
A hash function takes a variable block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash. The resulting hash is also sometimes called the message digest, digest, or digital fingerprint.
With hash functions, it is computationally infeasible for two different sets of data to come up with the same hash output. Every time the data is changed or altered, the hash value also changes. Because of this, cryptographic hash values are often called digital fingerprints. They can be used to detect duplicate data files, file version changes, and similar applications. These values are used to guard against an accidental or intentional change to the data, or accidental data corruption.
The cryptographic hash function is applied in many different situations for entity authentication, data integrity, and data authenticity purposes.
Cryptographic Hash Operation
Mathematically, the equation h= H(x) is used to explain how a hash algorithm operates. As shown in the figure, a hash function H takes an input x and returns a fixed-size string hash value h.
The figure shows a circle with H(x) inside the circle. At the top is a textbox that says arbitrary length text and an arrow going into the circle pointing to the x. To the right of the textbox is x and an icon for a plaintext message. In the centre is a textbox with the words hash function and an arrow pointing to the h inside the circle. There is an H to the right of the textbox, a funnel icon, and the hash of the word function. At the bottom is a textbox that leads from the circle and has the words hash value, the letter h beside the textbox, and a rectangle that has e883aa0b24c09f in it.
The example in the figure summarizes the mathematical process. A cryptographic hash function should have the following properties:
- The input can be any length.
- The output has a fixed length.
- H(x) is relatively easy to compute for any given x.
- H(x) is one way and not reversible.
- H(x) is collision-free, meaning that two different input values will result in different hash values.
If a hash function is hard to invert, it is considered a one-way hash. Hard to invert means that given a hash value of h, it is computationally infeasible to find an input for x such that h=H(x).
MD5 and SHA
Hash functions are used to ensure the integrity of a message. They ensure data has not changed accidentally or intentionally. In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to ensure that the message is not accidentally altered on its way to the receiver. Deliberate changes that are made by a threat actor are still possible.
The figure shows hash computations of a message in which the starting hash and the ending hash are different. The message sent says, Pay to Alex $100.00. The message received says, Pay to Jeremy $1000.00. The starting hash is 4ehlDx67NMop9 and the ending hash is 12ehqPx67NMoX.
There are four well-known hash functions:
- MD5 with 128-bit digest – Developed by Ron Rivest and used in a variety of internet applications, MD5 is a one-way function that produces a 128-bit hashed message. MD5 is considered to be a legacy algorithm and should be avoided and used only when no better alternatives are available. It is recommended that SHA-2 or SHA-3 be used instead.
- SHA-1 – Developed by the U.S. National Security Agency (NSA) in 1995. It is very similar to the MD5 hash functions. Several versions exist. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5. SHA-1 has known flaws and is a legacy algorithm.
- SHA-2 – Developed by the NSA. It includes SHA-224 (224 bit), SHA-256 (256 bit), SHA-384 (384 bit), and SHA-512 (512 bit). If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used whenever possible.
- SHA-3 – SHA-3 is the newest hashing algorithm and was introduced by NIST as an alternative and eventual replacement for the SHA-2 family of hashing algorithms. SHA-3 includes SHA3-224 (224 bit), SHA3-256 (256 bit), SHA3-384 (384 bit), and SHA3-512 (512 bit). The SHA-3 family are next-generation algorithms and should be used whenever possible.
While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes that are made by a threat actor. There is no unique identifying information from the sender in the hashing procedure. This means that anyone can compute a hash for any data, as long as they have the correct hash function.
For example, when the message traverses the network, a potential attacker could intercept the message, change it, recalculate the hash, and append it to the message. The receiving device will only validate against whatever hash is appended.
Therefore, hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data. To provide integrity and origin authentication, something more is required.
Note: Hashing algorithms only protect against accidental changes and does not protect the data from changes deliberately made by a threat actor.
To add origin authentication and integrity assurance, use a keyed-hash message authentication code (HMAC). HMAC uses an additional secret key as input to the hash function.
Note: Other Message Authentication Code (MAC) methods are also used. However, HMAC is used in many systems including SSL, IPsec, and SSH.
As shown in the figure, an HMAC is calculated using any cryptographic algorithm that combines a cryptographic hash function with a secret key. Hash functions are the basis of the protection mechanism of HMACs.
Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key. Only parties who have access to that secret key can compute the digest of an HMAC function. This defeats man-in-the-middle attacks and provides authentication of the data origin.
If two parties share a secret key and use HMAC functions for authentication, a properly constructed HMAC digest of a message that a party has received indicates that the other party was the originator of the message. This is because the other party possesses the secret key.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
Download Our App.
Follow Us On Telegram
CEHNigeria On Google Playstore
GET SEOPOZ . OUTSMART YOUR BLOG COMPETITORS
Joint Our Whatsapp Group
Follow Us On Twitter and I will Follow Back
Follow Us On Twitter
Kindly follow me on Twitter and I promise I will follow back. Aside you will get updated when we post new articles.