The Art and Science of Encryption Technology

Cryptography rests on four fundamental pillars:

  • Authentication
  • Confidentiality
  • Integrity
  • Non-repudiation

Authentication: A major part of cryptography, whose main purpose is to verify the user. It provides assurance as to the identity of a user. Authentication can be built on either symmetric or asymmetric systems and can be done by any number of mechanisms, from passwords, smart cards and biometrics to location tracking.

Single-Factor Authentication is the simplest form of authentication. It requires only one method for access, such as a password, security PIN or PIV card. This method is typically associated with poor security and can be defeated by any number of methods, from guessing and credentials stolen in data breaches to phishing and keyloggers.

Two-Factor Authentication: This method requires a second factor to verify a user. One common way to strengthen a single-factor process is to require you to log in and then e-mail or text you a one-time code or PIN that you must enter to gain access. 2FA is far more secure than single-factor authentication and would have stopped many past data breaches; it has been reported that it can stop up to 80% of current credential-based attacks. Note that codes delivered by e-mail or SMS are the weakest second factor, since they can be phished or intercepted; an authenticator app or a hardware security key is stronger.

Multi-Factor Authentication: is a more sophisticated method that requires two or more independent factors before granting a user access:

  1. Something you know – a password or PIN
  2. Something you have – a mobile phone or a security token/smart card
  3. Something you are – biometrics such as a fingerprint, Face ID or an iris scan
  4. Something you do – typing rhythm, or the location you normally log in from

Authentication Protocols: Authentication methods like usernames and passwords, or even a multi-factor scenario, can provide a more secure environment, but only if you are not routing your access through some 3rd-party app on your phone or laptop that stores your information insecurely and leaves you open to attack. Android in particular has been hit by a number of malicious apps that target banking information: the program waits for you to access your bank account, captures everything from your keystrokes to your passwords, and sends it off to another IP address. Apps of this kind keep popping up in online stores from Apple to Google, so if you have any of these on your phone right now, delete them!

  • BrowserTurbo
  • OpenGL
  • AdsSkiper
  • PrayerBook
  • Beer Address
  • BiFin Ball
  • BrowserCleaner
  • FFont

This is by far not a complete list, because new ones appear every day. To be safe, don't share credentials with 3rd-party apps. You can also limit your exposure by using delegated-authentication standards such as OAuth, OpenID Connect, SAML and FIDO, so the app never sees your password, but there are others you should also look into to protect yourself.

API Authentication: APIs handle large amounts of data and need their own authentication layer; the common schemes are outlined below.

HTTP Basic Auth is the simplest. The client proves who it is by sending the username and password, base64-encoded, in the Authorization header of every request. Base64 is an encoding, not encryption, so anyone who can read the traffic or the server logs recovers the password; without TLS the method is trivially spoofed and used to capture the user's credentials, and even over TLS the same credential is replayed on every request.
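To make the point concrete, here is an added example (not code from the original page) that shows both sides of HTTP Basic Auth in Python: what the client puts in the header, how trivially it decodes, and how a server should verify it against a salted PBKDF2 password store with a constant-time comparison. The header format and the "Aladdin" credential follow RFC 7617; the user names and passwords are constructed samples, and the function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import os


def make_basic_header(user: str, password: str) -> str:
    """What the client sends on every request: 'Basic ' + base64(user:password)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: str):
    """Recover (username, password) from an Authorization header, or None if malformed.

    Base64 is an encoding, not encryption: this function is exactly what an attacker
    runs on a captured header or a leaked access log to get the password back.
    """
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None                      # RFC 7617 requires user-id ':' password
    return user, password


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Server stores only (salt, PBKDF2-HMAC-SHA256 hash), never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_basic(header: str, users: dict):
    """Return the authenticated username or None. `users` maps name -> (salt, hash)."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    if user not in users:
        hash_password(password, b"\x00" * 16)   # burn the same time so timing does not reveal valid names
        return None
    salt, stored = users[user]
    _, candidate = hash_password(password, salt)
    return user if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse")}       # constructed sample account
    header = make_basic_header("alice", "correct horse")
    print(header)                                           # the "secret" as it crosses the wire
    print(parse_basic_auth(header))                         # ... and decoded in one call
    print(verify_basic(header, users))
```

Even with a hashed store and constant-time compare, Basic Auth still puts the password on the wire with every request: use it only over TLS, and prefer a token scheme such as the OAuth bearer tokens described next for anything beyond a quick internal tool.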

OAuth is a widely used method of API authorization. OAuth does not share your password; instead it issues tokens that let one application act on your behalf with another service, after you approve the request at the authorization server, so the application never sees your credentials. Strictly, OAuth 2.0 is an authorization framework; OpenID Connect layers an authentication protocol on top of it so that a client can also learn who the user is.
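The exchange behind "tokens instead of passwords" is easiest to see with both sides in one place. Below is an added example, not code from the page, that simulates the OAuth 2.0 authorization-code flow with PKCE (RFC 7636) in Python: the client sends a hashed secret (the code challenge) when it asks for an authorization code, the authorization server binds that challenge to the code, and the code can only be redeemed for a token by presenting the matching code verifier. The `AuthorizationServer` class, `run_flow` helper, client id and redirect URI are constructed stand-ins for the real HTTP endpoints; the code challenge test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """PKCE S256: challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in for the authorization server: issues codes and trades them for tokens."""

    def __init__(self, clients: dict, code_ttl: int = 60):
        self.clients = clients       # client_id -> registered redirect_uri
        self.codes = {}              # code -> (client_id, redirect_uri, challenge, expiry)
        self.code_ttl = code_ttl

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, now: int) -> str:
        # The user logs in and consents *here*; the client application never sees the password.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, code_challenge, now + self.code_ttl)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str, now: int):
        entry = self.codes.pop(code, None)       # single use: a replayed code always fails
        if entry is None:
            return None
        cid, uri, challenge, expiry = entry
        if cid != client_id or uri != redirect_uri or now > expiry:
            return None
        if make_code_challenge(code_verifier) != challenge:
            return None                          # stolen code, but the thief lacks the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: AuthorizationServer, client_id: str, redirect_uri: str, now: int,
             attacker_steals_code: bool = False):
    """Client side of the exchange; returns the token response or None."""
    verifier = b64url(secrets.token_bytes(32))   # 43 chars, kept in the client's memory only
    challenge = make_code_challenge(verifier)
    code = server.authorize(client_id, redirect_uri, challenge, now)
    if attacker_steals_code:
        # Attacker intercepted the redirect carrying the code but never saw the verifier
        return server.token(client_id, redirect_uri, code, "not-the-real-verifier", now)
    return server.token(client_id, redirect_uri, code, verifier, now)


if __name__ == "__main__":
    srv = AuthorizationServer({"photo-app": "https://photo.example/callback"})
    print(run_flow(srv, "photo-app", "https://photo.example/callback", now=1_000))
    print(run_flow(srv, "photo-app", "https://photo.example/callback", now=1_000, attacker_steals_code=True))
```

The three checks in `token` are the ones that matter in a real deployment: the code is single use, it expires quickly, and it is bound to the client, the redirect URI and the PKCE verifier, so leaking the code through a browser history or a malicious app on the device is not enough to obtain the token.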

SAML (Security Assertion Markup Language) lets an identity provider pass signed authentication assertions to service providers. SAML enables Single Sign-On (SSO), meaning users log in once at the identity provider and that session is reused to log in to other service providers. Because the service provider trusts whatever the assertion says, it must validate the XML signature on the exact assertion element it consumes, not merely check that a valid signature exists somewhere in the document.

Biometrics: Biometrics is changing the way a lot of people access systems. Face and iris scanning, Touch ID and voice recognition are being built into many devices, from laptops to cell phones. Some of the most secure systems combine facial and voice recognition with fingerprint scanning. Hacking biometrics is more challenging but not impossible: 3-D face models have been used to defeat some face-recognition systems, and replay attacks against iris scanners are possible though far more difficult. The easiest target is the fingerprint reader, because making an impression from a fingerprint photographed off a glass, or a mold from anything from plastic to candle wax, is not that hard. Remember too that a biometric cannot be changed once it leaks, so the stored template must be protected at least as carefully as a password hash.

Confidentiality: Ensures secrecy and prevents unauthorized disclosure of data, whether at rest on disk or in transit over a network. Confidentiality is achieved by encrypting stored or transmitted data and is supported by logical or physical access controls, transmission protocols, database views and controlled traffic flow. In short, confidentiality is the assurance that information is not disclosed to unauthorized people, processes or applications. Protecting the data from unauthorized modification or deletion is a separate property, integrity, covered next; encryption alone does not provide it, since many ciphers let an attacker alter ciphertext without being able to read it.

Integrity: Trust but verify that your data has not been altered or changed in any way except by authorized personnel. Message integrity is enforced by means of a message digest that you compute over the message and protect with a key, either under a secret-key cryptosystem (a MAC such as HMAC) or a public-key cryptosystem (a digital signature). Remember the term message digest, since we will look into this more; it goes by many names: hash, hash value, checksum and digital fingerprint. A CRC or plain checksum only catches accidental corruption and is not a cryptographic digest. Most message digests are 128 bits or larger, and the longer the digest, the better the security against collisions. I will cover hash functions later, but the ones to use today are the SHA-2 and SHA-3 families; MD2, MD4, MD5 and SHA-1 are broken and should not be relied on for security, and HMAC is not a hash itself but a keyed construction built on top of one.

Now there are many forms of encryption, but the main thing to remember is that it is done either by symmetric or by asymmetric methods. Moreover, when data is in transit you want to ensure it has not been altered in any way. One of the main methods of verifying the authenticity of a message is to attach a message digest, guaranteeing that the message received is the same as the one sent. An unkeyed hash alone is not enough, since an attacker who changes the message can simply recompute it; the digest must be keyed (a MAC) or signed. Confidentiality cannot exist without integrity.
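The difference between a bare hash and a keyed digest, which the Integrity section above and the paragraph on verifying messages in transit both turn on, is worth seeing run. The following added example (not code from the original page) uses Python's standard library to protect a constructed transfer order first with plain SHA-256 and then with HMAC-SHA256, and shows that a man-in-the-middle who rewrites the order defeats the first but not the second. The known-answer values in the test are the SHA-256 of "abc" and the HMAC-SHA256 test case from RFC 4231; the message, key and function names are my own.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_unkeyed(message: bytes, received_digest: str) -> bool:
    """What a receiver can do with a bare hash: recompute and compare."""
    return hmac.compare_digest(digest(message), received_digest)


def receiver_accepts_keyed(key: bytes, message: bytes, received_tag: str) -> bool:
    # compare_digest is constant-time, so timing does not reveal how many bytes matched
    return hmac.compare_digest(mac(key, message), received_tag)


def tamper_scenario(key: bytes) -> dict:
    """A man-in-the-middle rewrites the destination account; which protection catches it?"""
    original = b"transfer 100 to account 1234"    # constructed sample message
    forged = b"transfer 100 to account 6666"

    # 1. Sender attaches a bare hash. The attacker swaps the message and simply
    #    recomputes the hash over the forgery, so the receiver's check passes.
    unkeyed_accepted = receiver_accepts_unkeyed(forged, digest(forged))

    # 2. Sender attaches an HMAC under a key the attacker does not have. The attacker
    #    can only forward the original tag (or guess), which fails for the forgery.
    original_tag = mac(key, original)
    keyed_accepted = receiver_accepts_keyed(key, forged, original_tag)

    # 3. The untampered message still verifies under the same tag.
    honest_accepted = receiver_accepts_keyed(key, original, original_tag)

    return {"unkeyed_forgery_accepted": unkeyed_accepted,
            "keyed_forgery_accepted": keyed_accepted,
            "honest_message_accepted": honest_accepted}


if __name__ == "__main__":
    for outcome, result in tamper_scenario(b"shared-secret-key").items():
        print(f"{outcome}: {result}")
```

A keyed digest protects integrity between two parties who share the key; it says nothing about which of them produced the tag, which is why the Non-Repudiation section below needs an asymmetric signature instead.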

Non-Repudiation: Ensures that a sender cannot later deny having sent a message. The technique is the digital signature, supported by encryption, trusted timestamping and notarization. A MAC cannot provide non-repudiation, because the receiver holds the same key and could have produced the tag himself; only an asymmetric signature, where the signing key is held by the sender alone and anyone can verify with the public key, does.

Lance West
DigiBrains@msn.com
© DigiBrains LLC