Unit 30 Applied Cryptography in The Cloud
Unit 30 Applied Cryptography in The Cloud
Assessor Internal
Verifier
Unit 30: Applied Cryptography in the Cloud
Unit(s)
Assignment title
Student’s name
List which assessment criteria Pass Merit Distinction
the Assessor has awarded.
Unit Title
Assignment Number 1 Assessor
12/01/2025 Date Received
Submission Date 1st submission
Date Received 2nd
Re-submission Date submission
Assessor Feedback:
LO1 Analyse encryption ciphers and algorithms as methods to secure data in a cloud
environment
Pass, Merit & Distinction P1 P2 M1 D1
Descripts
LO2 Discuss security risks and issues related to public key encryption in practice
Pass, Merit & Distinction P3 M2 D2
Descripts
LO3 Demonstrate the use of cryptographic and cryptoanalysis tools for improving
security in a virtual private network
Pass, Merit & Distinction P4 P5 M3 M4 D3
Descripts
LO4 Evaluate advanced encryption protocols and their application for an organisation
considering a move to the cloud
Pass, Merit & Distinction P6 P7 M5 D4
Descripts
Resubmission Feedback:
* Please note that grade decisions are provisional. They are only confirmed once internal and external moderation has taken place
and grades decisions have been agreed at the assessment board.
Assignment Feedback
Formative Feedback: Assessor to Student
Action Plan
Summative feedback
Assessor Date
signature
Student Date
signature
Pearson Higher Nationals in
Computing
Unit 30: Applied Cryptography in the Cloud
Assignment 01
General Guidelines
1. A Cover page or title page – You should always attach a title page to your assignment. Use
previous page as your cover sheet and make sure all the details are accurately filled.
2. Attach this brief as the first section of your assignment.
3. All the assignments should be prepared using a word processing software.
4. All the assignments should be printed on A4 sized papers. Use single side printing.
5. Allow 1” for top, bottom , right margins and 1.25” for the left margin of each page.
1. The font size should be 12 point, and should be in the style of Time New Roman.
2. Use 1.5 line spacing. Left justify all paragraphs.
3. Ensure that all the headings are consistent in terms of the font size and font style.
4. Use footer function in the word processor to insert Your Name, Subject, Assignment No, and
Page Number on each page. This is useful if individual sheets become detached for any reason.
5. Use word processing application spell check and grammar check function to help editing your
assignment.
Important Points:
1. It is strictly prohibited to use textboxes to add texts in the assignments, except for the compulsory
information. eg: Figures, tables of comparison etc. Adding text boxes in the body except for the
before mentioned compulsory information will result in rejection of your work.
2. Avoid using page borders in your assignment body.
3. Carefully check the hand in date and the instructions given in the assignment. Late submissions
will not be accepted.
4. Ensure that you give yourself enough time to complete the assignment by the due date.
5. Excuses of any nature will not be accepted for failure to hand in the work on time.
6. You must take responsibility for managing your own time effectively.
7. If you are unable to hand in your assignment on time and have valid reasons such as illness, you
may apply (in writing) for an extension.
8. Failure to achieve at least PASS criteria will result in a REFERRAL grade .
9. Non-submission of work without valid reasons will lead to an automatic RE FERRAL. You will
then be asked to complete an alternative assignment.
10. If you use other people’s work or ideas in your assignment, reference them properly using
HARVARD referencing system to avoid plagiarism. You have to provide both in-text citation and
a reference list.
11. If you are proven to be guilty of plagiarism or any academic misconduct, your grade could be
reduced to A REFERRAL or at worst you could be expelled from the course
Student Declaration
I hereby, declare that I know what plagiarism entails, namely to use another’s work and to
present it as my own without attributing the sources in the correct form. I further understand
what it means to copy another’s work.
Unit Number and Title Unit 30: Applied Cryptography in the Cloud
Unit Tutor
Assignment Title LAN Design & Implementation for Enclave Films Company
Submission format
The submission is in the form of an individual technical report. This should be written in a
concise, formal business style using single spacing and font size 12. You are required to
make use of headings, paragraphs and subsections as appropriate, and all work must be
supported with research and referenced using the Harvard referencing system. Please also
provide an end list of references using the Harvard referencing system.
The recommended word count is 3,000–3,500 words for the report excluding
annexures, although you will not be penalised for exceeding the total word limit.
Unit Learning Outcomes:
LO1 Analyse encryption ciphers and algorithms as methods to secure data in a cloud
environment.
LO2 Discuss security risks and issues related to public key encryption in practice
LO3 Demonstrate the use of cryptographic and cryptoanalysis tools for improving
security in a virtual private network.
LO4 Evaluate advanced encryption protocols and their application for an organisation
considering a move to the cloud.
Activity
Write a technical report on the use of cryptography for the security on the
cloud as follows.
Task 1
Compare and critically analyse the fundamental differences, advantages and
drawbacks between stream cipher and block cipher. Simple examples can be
used in explanations. Discuss the improvements that can be introduced to
ShipCargo cloud by stream cipher. Justify your answer.
Ciphers like DES and AES use bitwise XOR operations in their algorithm.
Implement an algorithm to show how a 4-bit input can be encrypted with a 4-
bit key using XOR function. Provide screenshots of the code.
Task 2
Discus how public key algorithms can be used to provide authentication and
confidentiality to ShipCargo and discuss the security vulnerabilities of
encrypting with a single key. Analyse the benefits and importance of using
encryption techniques (Eg: KEMs, DEMs, PKEs) to secure a public key system
and provide justified recommendations suitable for securing public key
algorithms.
Task 3
Illustrate with diagrams, the encryption and decryption process in PKI
environment for the cloud solution proposed for ShipCargo. Identify and assess
the security risks and challenges likely to occur when using a cloud- hosted
PKI in the company’s private network.
Design a security case for an identified threat for ShipCargo and implement the
designed case using suitable cryptography and cryptoanalysis tools. Provide a
critical review of the implemented system and how it meets the intended
security objectives of the company with any suggestions for further
improvements.
Task 4
P1
Analyse the functions of stream cipher and block cipher, using a range of
appropriate examples in practice.
P2
Produce code that implements mathematical ciphers and algorithms to
encrypt and decrypt data.
M1
Critically analyse the operational differences between stream cipher and
block cipher, using a range of appropriate examples in practice.
D1
Justify improvements introduced by stream ciphers compared to block
ciphers for public and private key encryption.
LO2 : Discuss security risks and issues related to public key encr
P3
Discuss risks and issues in security of public key encryption schemes,
using a range of appropriate examples in practice.
M2
Analyse key benefits of encryption techniques including KEMs, DEMs
and PKEs and the importance of securing public key systems
D2
Provide justified recommendations, synthesising different definitions of
provable security, suitable for securing public key systems.
LO3 : Demonstrate the use of cryptographic and cryptoanalysis tools for improving
P4
Illustrate, using a diagram, encryption and decryption process functions
in a PKI environment for a business scenario.
P5
Design a security case, representative of a business scenario, to solve a
security threat.
M3
Assess security risks and challenges of using cloud-hosted PKI in a
private network.
M4
Implement the system designed, in response to a security case, using
cryptographic and cryptanalysis methods or tools.
D3
Provide a critical review of the implemented system in terms of how it
meets defined security objectives and make suggestions for
improvement.
LO4 : Evaluate advanced encryption protocols and their application for an organis
P6
Evaluate the key benefits of using a range of cryptography and hybrid
cryptosystems to improve cloud security.
P7
Assess common factors influencing an organisations choice of cloud
solution(s) to improve security.
M5
Critically analyse the use of selected cryptography and hybrid
cryptosystems in protecting data within an organisation.
D4
Justify the use of different cryptographic applications, for an
organisation, that will inform their move to the cloud.
Grading Rubric
Acknowledgement
Figure Tables
Figure 1 Encryption............................................................................................................20
Figure 2 Caesar Cipher Code.............................................................................................29
Figure 3 Response for Caesar Cipher Code.......................................................................30
Figure 4 Vigenère Cipher Code 01.....................................................................................31
Figure 5 Vigenère Cipher Code 02.....................................................................................32
Figure 6 Vigenère Cipher Response...................................................................................32
Figure 7 Python how encrypt a 4-bit input with a 4-bit key...............................................33
Figure 8 Response for 4-Bit input with 4-bit key using.....................................................33
Figure 9 Public key infrastructure......................................................................................89
Figure 10 Encryption..........................................................................................................98
Figure 11 Asymmetric Encryption...................................................................................100
Figure 12 Decryption Process..........................................................................................100
Figure 13 Encrypt and Decrypt........................................................................................101
Figure 14 Cloud Hosting..................................................................................................105
Task 01
1.1 analyse the function of stream ciphers and block ciphers using a variety of
relevant example from practice.
Encryption
Encryption can mess up information in such a way that it is only understandable by
those with proper authority. Technically, it's the process of changing human-readable
plaintext into a completely unreadable text called ciphertext. In simple terms, encryption
transforms readable data into a format that it no longer makes any sense, looking like
randomness. Encryption makes use of something called a cryptographic key-several
mathematical values agreed upon both by the sender and recipient of an encrypted
message. (cloudflare, n.d.)
Figure 1 Encryption
There are two types of encryption algorithms: stream ciphers and block ciphers. Each
has distinct characteristics, benefits, and drawbacks.
Stream cipher
Stream ciphers are symmetric keystreams that generate ciphertext bit by bit for a
plaintext communication of any length. The operation of a stream cipher performs
encryption on continuous strings of binary integers, changing the plain text data by
time-varying. Keystreams are generated from the cipher that is a pseudorandom integer
XORed with the plaintext to produce the ciphertext, using a combination of a key
(128/256 bits) and a digit nonce (64-128 bits). Although the key and the nonce can be
reused, in every round of encryption, a different keystream must be used for security.
Feedback shift registers are used in stream encryption ciphers to generate the unique
nonce number used once needed for keystream generation. The stream cipher is a kind
of encryption based on a sequence of pseudorandom cipher digits and plain text
integers. This stream of pseudorandom encryption digits is supplied one bit at a time to
each binary digit. For any given key, this encryption technique uses an infinite number
of pseudorandom cipher digits. (geeksforgeeks, 2024)
Advantages
Speed and Efficiency: Stream ciphers are normally faster as compared to block
ciphers because they encrypt or decrypt one bit or byte at a time. Because of
their speed, they turn out to be very useful in real-time communications and
applications requiring low latency.
Key Stream Reusability: In many cases, the same key stream can be used
multiple times for different portions of the plaintext without compromising
security. This could simplify key management under certain conditions.
Disadvantages
Key Management: A typical stream cipher would generate a key stream, which is
always very difficult to set and maintain properly. Since the key must be
genuinely random and unpredictable, generation of such a stream is required.
However, following the key management procedures correctly in practice—that
is, proper key distribution, storage, and rotation—could be either very difficult or
very error-prone.
Vulnerability to Key Reuse: The reuse of a single key stream with multiple
messages can make stream ciphers prone to cryptographic attacks. Since the key
stream is reused, there is a tendency that the encryption mechanism is
compromised, and in the process, an adversary can retrieve plaintext data or
initiate further cryptanalytic attacks. This shows that stream cipher security
depends on proper key management and prevention of key reuse.
Examples
1. RC4 is a popular stream cipher that is not recommended for use in secure
communications owing to vulnerabilities.
2. Salsa20 is a cutting-edge, highly effective stream cipher that stresses both speed
and security.
3. A5/1: Used for GSM mobile phone encryption; however, security issues have
been identified.
4. One sort of stream encryption is the simple XOR cipher. The ciphertext for
encrypting the plaintext "110011" with a key stream (101010) is "011001"
(110011 XOR 101010).
Block Cipher
Encrypt a given fixed-size-data block by using a shared key and a symmetric
cryptographic technique called a block cipher. For the encryption process, we use
plaintext, and this encrypted output is what we call ciphertext. The same key is used to
encrypt the plaintext along with the ciphertext. (geeksforgeeks, 2024)
An example of such a processing is a block cipher, in which a given block size of data is
fed into the software. Blocks are smaller than the whole message. So a long message
will be fragmented in various successive blocks of messages on which the cipher
executes block function by block. (geeksforgeeks, 2024)
It uses a symmetric secret key shared with everyone who uses the block cipher. Each
block of input data will be fetched, and the entire operation will be performed using the
shared secret key as input and output. Because the size of the block is always known,
padding is not required. It is a symmetrical algorithm. The shared key will transform the
text into in-cypher text. It will retrieve the in-cypher text as plain text back into original
from decryption using the same key that was used. Input: output matches both
lengthwise. (geeksforgeeks, 2024)
Advantages
Security Strength of Block Ciphers: Block ciphers are secured by repeatedly
encrypting the data.
Error Propagation: The error tolerance is increased; these guarantee that a fault
in one block does not affect the decryption of subsequent blocks.
Availability: Block ciphers are adaptable and hence can fulfil various security
and application demands. Some of the most common modes are Galois/counter
mode (GCM), cipher block chaining (CBC), and electronic codebook (ECB).
Key Administration: This means that block ciphers usually have well-defined
forms for key management, since block ciphers usually have only one key
associated with each block. Thus, a well-defined structure concerning key
distribution, rotation, and updates can be used.
Disadvantages
Now block size is quite fixed. For instance, the well-established Advanced
Encryption Standard (AES) allows block sizes that are fixed: 128 bits; hence, if
the input data's length is not a multiple of the block size, padding must be done,
and this adds to the inefficiency.
Processing Fees for Brief Communications: Block ciphers may not always be
optimal in terms of encrypting short messages. One of the constraints that inhibit
encoding a tiny chunk of message is the overhead related to processing the entire
block.
Regardless of these pitfalls, it still stands that block ciphers are, and will remain, one of
the most crucial elements of modern encryption systems. Understanding weaknesses
permits the choice put into motion of the most-fitting block cipher for the specific needs
and characteristics of the intended application. (geeksforgeeks, 2024)
Examples
1. The older block cipher known as DES (Data Encryption Standard) is now
considered insecure because of its small key size.
2. The Advanced Encryption Standard, or AES, is a widely accepted standard that is
trusted and found in many different applications.
3. The Advanced Encryption Standard (AES) is one well-liked block cipher. If we
have a 128-bit key and a block of plaintext, AES will encrypt the block into
ciphertext over the course of several rounds.
4. Two fish: This symmetric key block cipher, which is well-known for its versatility
and security, was a finalist in the AES competition.
1.2 write code that encrypts and decrypts data using mathematical cipher and
algorithms.
Caesar Cipher
Named after Julius Caesar, it is one of the simplest and oldest known encryption
techniques. According to reports, Caesar used it to communicate in secrecy. To perform
the cipher, a given number is added to or subtracted from the alphabet position of a letter
in the plaintext. An example would be changing the letter A into D, B into E, and so on,
with a shift of three. Because of this looping, Z would move to C. The message recipient,
knowing the shifting value, can decode the cipher by shifting the ciphered letters back the
same number of letters. (geeksforgeeks, 2024)
While strikingly simple to implement, the Caesar Cipher is one of the worst choices for
security. For the field of modern cryptography though, with 26-1=25 possible keys
(assuming the standard English alphabet), the difficulty here lies in performing a blind
brute-force attack whereby the various shift candidates could be put to test to find the one
that retrieves readable text. Moreover, frequency analysis exploits the knowledge that
different letters appear at different frequencies in natural language texts to break this
cipher even in the lack of the key. As simple as it gets with no protection, the Caesar
Cipher provides ground concepts in cryptography and is commonly used to introduce
basic concepts of encryption. (geeksforgeeks, 2024)
Code
Figure 2 Caesar Cipher Code
Response
The polysyllabic substitution Vigenère Cipher, invented in the 16th century by French
cryptographer Blaise de Vigenère, is a notable improvement over the good old Caesar
Cipher. And whereas Julius Caesar's cipher practically had a unifying shift applied to
every letter, Vigenère's cipher employs a keyword or passphrase for determining the
shifting of the letters in the plaintext. Each letter in the plaintext is shifted in accordance
with its corresponding letter in the key; the key is cycled through as many times as
necessary until the entire plaintext has been provided a corresponding key letter. For
instance, if "KEY" is used as the keyword, then "K" would shift "H", "E" would shift "E",
"L" would shift "Y" and so on in reference to the word "HELLO". (geeksforgeeks, 2024)
Being a polyalphabetic substitution cipher, Vigenère provides much more security over
the simple Caesar Cipher because the shifts vary throughout the communication, making
frequency analysis even more challenging. Still, however, they are vulnerable to
cryptanalysis, especially if the plaintext reveals patterns or the key is not so long. Such
repetitive patterns in the ciphertext may be a Kasiski examination, which may lead to
determining the length and nature of the word used. (geeksforgeeks, 2024)
The Vigenère Cipher was withstood much use over the centuries until its vulnerabilities
to certain attacks ultimately stymied its survivability. Even with almost regular algorithms
for breaking it, before the introduction of the microcomputer with its ability to engage
more straightforward statistical analyses like frequency analysis of letter combinations,
weakness in[sic] the Vigenère Cipher had remained little known. Yet even as it came to
be recognized as a truly important historical landmark in cryptography, it still stands as a
testament to early encryption techniques, which are being studied even today.
(geeksforgeeks, 2024)
Code
Figure 4 Vigenère Cipher Code 01
Response
These pieces of code encrypt and decrypt data using the Vigenère and Caesar ciphers,
respectively. Remember, these are classic ciphers and are not meant for use in security-
critical environments! Modern cryptographic libraries and algorithms (such as AES,
RSA, etc.) should be applied in practice for secure data encryption and decryption.
An Example in Python Showing how to encrypt a 4-bit input with a 4-bit key using
the XOR Function.
The xor_encrypt function iterates through each byte of the input and key.
Each bit is transformed into an integer, the outcome is added to the encrypted string, and
the bits are then subjected to the same location's XOR operation.
1.3Analyze the operational distinction between block and stream cipher critically,
drawing on a variety of relevant real-world examples.
Distinctions in operations
Stream Cipher
The encryption process on any stream cipher works bit-by-bit or byte-wise where each
bit or byte of the plaintext is combined with the pseudo randomly generated keystream.
Ultimately, the main purpose of keystream generation is to yield a stream of bits that
would appear surprising and random to an opponent. Then, using bitwise logical
operations of exclusive or, the plaintext is combined with this pseudo-random stream to
form the ciphertext.
Principal elements:
Key: Stream ciphers utilize a secret key to generate the keystream. Due to their
unpredictability and confidentiality, stream ciphers' algorithms are important for
enhancing their security.
Initialization: The PRNG uses the encryption key for initialization. This
procedure blesses every encryption session with a distinct keystream.
Stream Refreshment some stream cipher designs, the PRNG may be periodically
refreshed or reseeded, thus enhancing security and countering cryptanalysis.
Examples
Keystream creation is demonstrated using the RC4 algorithm, one of the simplest
stream ciphers.
2. RC4 generates the keystream by pseudo-randomly shuffling the state array over
and over. A stream of pseudo-random bytes is produced as a result.
3. The plaintext and keystream are bitwise XORed to form the ciphertext.
Advantages
Adaptability: Integrating with stream ciphers, users get to choose freely the
PRNG algorithms of their choice. Adding this flexibility to the security selected
satisfies various security needs.
Disadvantages
Risks to Security: Properly constructing the keys will be made into challenging
threats like predictable keystreams or possible key recovery attacks.
The keystream generation forms a crucial component of stream ciphers, ensuring the
required randomness for security during encryption. Great attention is required to the
preservation of key secrecy and the efficiency of the PRNG algorithm to mitigate security
loopholes.
The simplest and most common applied cryptographic operation is bitwise XOR,
particularly in processes of encryption and decryption. For certain types of encryption
schemes, like stream ciphers and block ciphers, a bitwise XOR operation can be done
between the plaintext and key or keystream to arrive at the ciphertext. Thus, this ensures
an easy and unproblematic yet, at the same time, invertible masking of the plaintext in
order not to be read unauthorized. (geeksforgeeks, 2024)
Principal elements:
Plain text: The original communication that need to be encrypted
Key: The secret value, sometimes referred to as keystream, that is combined with
plaintext
Ciphertext: The encrypted plain text after the XOR technique is applied.
Binary Representation: The system turns the plaintext, key, and keystream into
binary code. It converts each character in the plaintext to its ASCII or Unicode
value before changing it to binary.
Bitwise XOR: The process combines each bit of the plaintext with the matching
bit of the key or keystream using XOR. When one bit is 0 and the other is 1, it
results in 1. When both bits match, it gives 0.
This method creates an encrypted version called ciphertext. It uses a combining function
named XOR to apply bits to the plaintext.
Examples
Plaintext:”101010”
Keystream:”110011”
Processor with bitwise XOR:
I. Simple text: 101010
II. 110011 is the key
III. Outcomes: 011001
Therefore, the ciphertext that would emerge would be “011001”
Advantages
Low complexity of the Implementation: The XOR operation can be easily
realized both in hardware and in software.
Reversibility: In this process, XORing the ciphertext again with the key or
keystream, which was applied to encrypt the information, reverses this process.
Disadvantages:
Determinism: Given several encryptions using the same key or keystream, equal
parts of plaintext will result in the same sections of ciphertext. This may be
exploited by adversaries.
Key management: Since the key could be used to decrypt the ciphertext, secure
key management will be necessary to prevent unauthorized access to the key or
keystream.
In a nutshell, encryption through the bitwise XOR operation is a simple cryptographic
technique that merges the plaintext with a key or keystream to form the ciphertext. Its
reversibility and simplicity make it very useful in securing data transfer and storage.
However, proper key management must be employed to ensure security regarding the
encrypted data.
Example of Stream Cipher: RC4(used in WEP and WPA for WI-FI encryption).
Block Cipher
encrypts fixed-size blocks of plaintext (64 or 128 bits in length) under a key and then
transforms the block into the corresponding ciphertext.
Block Dimensions
One of the most integral elements of block cipher methods involves block size.
Block size refers to the regulation of block length for plaintext and ciphertext
through the encryption process.
The block size denotes the block cipher's input amount it can process in a single
operation. It provides a guideline on how the blocks of plaintext are divided into
discrete pieces that can be independently encrypted and decrypted.
Principal Elements
Blocks of Plaintext: The original message is first split into blocks of the same
size; each being defined by the block size.
Blocks of Ciphertext: In the entire process of encryption, each block of plaintext
is transformed into a block of ciphertext of equal size.
Padding: In cases where the block size does not go in multiple, plaintext might be
padded to complete each block.
Advantages
Flexibility in Security: It provides the capability to adjust the block size to suit an
application's needed security level with respect to the encryption algorithm.
Standardization: Standard block sizes in cryptographic algorithms make
interoperability easier to achieve because, among other advantages, they have a
simpler way of incorporation into different systems and protocols.
Disadvantages:
Performance Impact: This is because a larger block size will affect the
effectiveness and speed in which encryption and decryption processes may occur
since it uses more computational powers.
Padding Overhead: More padding may be required for small block sizes,
increasing the ciphertext size. As such, this brings inefficiency to storage and
transmission.
Conclusion: The block size will seriously affect interoperability, security, and the
efficiency of a block cipher algorithm. The choice of block size therefore requires
considering operational constraints together with specific security requirements imposed
on the operation of the cryptographic system.
Important extension
Key expansion in block cipher techniques involves the process of expanding a very small
cryptographic key into a larger set of round keys used in several encryption rounds.
Key expansion aims at generating from the initial cryptographic key a set of round keys.
Round keys improve security over time through increasing the complexity and dispersion
of the encryption and decryption process.
Principal elements
Cryptographic Key: Larger than the original key that the user provided.
Key Schedule: It is the algorithm that is used to transform the original key into a
round key.
Round Key Generation: From the key-scheduling technique, several round keys
are produced, each for use in a different encryption or decryption round.
Round Key Size: The size of each round key is determined by the block cipher
method and its implementation specifications.
Repercussion of key extension
Improved Security: Key expansion enhances security by increasing the
complexity and unpredictability of the encryption process.
Key Sensitivity: The security of the encryption system is highly dependent upon
the secrecy and unpredictable nature of the original cryptographic key.
For instance:
The Advanced Encryption Standard (AES) has been designed to expand the
original key into a set of round keys for every encryption round by using the
Rijndael key scheduling algorithm.
DES, or Data Encryption Standard, on the other hand, generates round keys by
using a fixed key scheduling approach for each of the 16 rounds.
Blowfish: It uses a key expansion technique that re-hashes the original key into
round keys in a recursive manner.
Advantages
Improved Security: The process of encryption becomes more difficult and
unpredictable for the round keys due to key expansion.
Disadvantages
Key expansion, in general, enables block cipher schemes to be far more secure, creating a
set of round keys from the original cryptographic key. Key expansion techniques ensure
that encrypted data integrity and confidentiality are preserved by preventing
cryptographic attacks.
Round function
The round function is the heart of block cipher algorithms, which, utilizing some
cryptographic techniques, transforms the input plaintext block into ciphertext during
encryption and vice versa during decryption. The round function performs several
cryptographic operations on each block of plaintext or ciphertext during encryption or
decryption. Its main purpose is to enhance the cryptographic strength and security of the
algorithm by introducing confusion and then diffusing it.
Principal Elements:
The plaintext/ciphertext block: The name of the data input block that the round
function processes.
Round Key: A subkey that adds variation and unpredictability to the
plaintext/ciphertext block, derived from the principal cryptographic key.
Where applicable, this last block of ciphertext or decrypted plaintext-should the operation
just have exited its final cryptographic operation-or its equivalent in an iterated round
output serves as an input in another round in general.
Example
The rounds that are used by the Advanced Encryption Standard, or AES, are
mixing (AddRoundKey), substitution (SubBytes), permutation (ShiftRows), and
mixing (MixColumns).
Blowfish: This algorithm makes use of a Feistel network structure with numerous
rounds. Each round consists of complex S-box substitution operations along with
permutations that depend on the key.
Benefits
Drawbacks:
Performance Overhead: Complex round functions come at some computational
overhead regarding the efficiency of performing encryption and decryption
operations.
Risk for Cryptanalysis: In the case of defects or weaknesses in the round
function, cryptanalysis attacks may compromise the security of the algorithm.
In a nutshell, the round function plays a major role in block cipher algorithms, as it
implements cryptographic operations, which transform the plaintext into ciphertext and
vice-versa. The design of the encryption algorithm, therefore, has a bearing on the
efficiency and robustness of the encryption. Care and research are needed while
developing and implementing secure round functions.
Useful illustrations
RC4 is one example of a stream cipher that was once used to encrypt WiFi,
namely WEP, WPA.
I. Advantages: Suitable for streaming data applications like real time
communications.
II. Drawbacks: It is susceptible to attacks because of the improper IV handling and
key-scheduling.
I. It offers better security robustness and flexibility for various types of encryption
needs.
II. Its need for appropriate key management and likely cost increase to obtain the
speed of communications are its drawbacks.
Some practical differences, advantages, and disadvantages are the basis for choosing
between block ciphers and stream ciphers. It is decided based on the type of data, security
requirements of the application, and performance requirements.
1.4 Justify the enhancements in public and private key encryption that stream
cipher bring over block ciphers.
Real-time encryption is when the data, at the same instance it is being transported or used,
is immediately encrypted and decrypted without noticeable delay or buffering. This is
very critical in applications where integrity and secrecy of data are essential, such as
secure channels of communication, real-time data transmission, and video streaming.
Key Management Complexity: Besides the security aspect, this calls for added
key management complexity in real-time encryption deployments, especially over
distributed or decentralized systems.
Decisions
It is important to select an appropriate encryption technique or modes that give the
best possible speed in real time. Employ lightweight stream ciphers for
applications that require low latency, while AES-GCM for authenticated
encryption.
Hardware Acceleration: Employ hardware cryptographic accelerators such as
dedicated encryption/decryption hardware or GPU acceleration to offload the
cryptography load and thereby increase the speed.
Distribute the load of encryption and decryption across multiple CPU cores or
processing units, thus reducing the overall latency of processes. Increasing the
speed by up to tenfold, while a linear increase in performance will result from
parallelism.
Data Compression: Compress data first before encrypting and reduce the size of
the stream to decrease the processing overhead and maximize throughput in
conditions with low bandwidth.
Useful illustrations
Secure Communication Protocols: TLS/SSL protocols allow for real-time
encryption of online email, web browsing, and other services, ensuring data
integrity and confidentiality.
VoIP: These applications encrypt voice calls in real time to prevent any
unauthorized party from listening in or tampering with the audio data being
transmitted.
Minimal overhead
By the term "low overhead" encryption here means all additional processing time and
computer resources involved for doing encryption and decryption operations, keeping in
mind the requirement that-actually-for being excellent encryption techniques require
overhead to be extremely low, really when a good throughput is available or, normally,
when resources are scare.
Important elements
Encryption: Choosing a lightweight encryption scheme that is reliable, such as an
authenticated encryption scheme, for example, AES-GCM, a block cipher with
lightweight properties, for example, AES-128, or a stream cipher, for example,
ChaCha20.
Key Size: Whenever possible, shorter keys should be used without sacrificing
security. Smaller keys reduce both the memory and computational overhead of an
application while still providing a respectable level of security.
Challenges:
Security vs. Performance-Trade-off: In general, this means striking a balance
between the need for strong cryptographic security and the need for low overhead.
Several of the lightweight encryption techniques have relaxed security for the sake
of speed; hence, trade-offs need to be carefully considered.
Decisions:
At the selection of encryption itself, consider the selection of low-overhead, light
solutions that balance security with good performance-such as lightweight block
ciphers or stream ciphers.
Hardware Acceleration: Consider hardware cryptographic accelerators in the
system. Examples are GPU acceleration or special processor-level
encryption/decryption technologies that cut the time and improve productivity.
Algorithmic Optimizations: Apply efficiency improvements and algorithmic
optimizations whenever they are relevant for the specific demands of the program.
Examples are data movement minimization, reduction in memory footprint, and
optimization of route operations whenever necessary.
Simplify Key Management: Use automatic key rotation, safe key storage
approaches, or centralized services for key management to simplify all related
activities and reduce the associated overhead of managing keys.
Useful illustrations:
Embedded Systems: Internet of Things devices and most embedded systems use
lightweight encryption algorithms such as AES-CCM or ChaCha20/Poly1305,
since they require very low computational overhead and give efficient resource
utilization.
Network Communication: The high-performance network encryption techniques
like IPsec or Wire Guard have a strong concentration on low overhead and
efficient packet processing to allow low latency and high throughput for secure
communication.
Cloud Storage: The cloud storage providers encrypt the data while in transit or at
rest using encryption methods adjusted for minimum overhead without
appreciably reducing storage and retrieval speed.
In other words, lightweight encryption can be done with low overhead by the choice of
proper algorithms for lightweight encryption, optimizing key management processes, and
using hardware acceleration, together with algorithmic optimizations, which shall be
tuned to the requirements of an application and an underlying hardware platform. Strong
cryptographic security can be preserved while yielding significant reductions in
processing time and computer resources using effective optimization techniques.
Key secrecy: No information about the key used for such encryption should be
revealed through any known plaintext attack. If an attacker had recovered the
encryption key, and protection against such types of attacks did not exist, that may
jeopardize the security of the whole encryption system.
Importance in utilization
Secure Communication: Since an attacker can interrupt encrypted data thus
gaining access to plaintext-ciphertext combinations, it becomes important to
protect communication channels like email, encrypted messaging apps, and VPN
tunnels from known-plaintext attacks.
Data Confidentiality: The encryption techniques need to achieve secrecy to protect
sensitive information stored on servers, databases, and cloud storage solutions
against attacks that provide plaintext-ciphertext pairs.
Thus, to protect encryption keys and ensure data confidentiality, encryption algorithms
must be resistant to known-plaintext attacks. To accomplish this, they are built through a
combination of some mathematical properties, cryptographic techniques, and algorithmic
complexity to make it almost impossible for attackers to deduce encryption keys or
decipher plaintexts from known sets of plaintexts and ciphertexts.
Online banking:
Digital signature-the process of ensuring the authenticity of transactions-would rely on
block ciphers such as RSA or ECC, while the stream ciphers, RC4 or Salsa20, may find
their application in securing real-time communication channels in such online banking
applications where efficiency is coupled with security.
Encryption: The sender encrypts the communication with the help of a secret
key; it goes from plaintext to ciphertext.
Decryption: The recipient decrypts the ciphertext with the same secret key used
for encryption and retrieves the actual plaintext communication.
Advantages of private key encryption
Efficiency: The private key techniques of encryption are usually faster and more
efficient compared to methods of public key encryption.
Secure Communication: Only the intended recipient with the proper secret key
can decrypt and access the data encrypted with private key encryption.
Key management includes updating and the safekeeping of the secrecy of the
secret key, which is critical in preventing unauthorized access to encrypted data.
Scalability: Private key encryption does not scale well when there are numerous
communicating parties. This is because, for every pair of communicators, there
must be a different secret key.
Block Cipher
Block ciphers operate on fixed-size blocks of plaintext-one block at a time-with private
keys, which are inappropriate for large volumes of data or streaming applications.
Example: Private key encryption normally makes use of the block cipher known as AES,
for Advanced Encryption Standard; however, padding methods may be needed to
efficiently handle plaintexts of varying lengths.
Stream cipher
Because stream ciphers allow random access and parallelization, to decrypt a portion of
the encrypted stream, previous blocks do not have to be decrypted. Stream ciphers are
hence suitable for scenarios requiring random access to encrypted data.
Example: Stream ciphers can decrypt each packet independently, with no need for packet
synchronization; hence, they are sometimes used in telecommunications to encrypt audio
or video chats.
Block Cipher
Block ciphers operate on fixed-size blocks of plaintext, which can limit parallelization
and random access. This is a problem, for instance, with private key encryption of large
datasets or streaming applications.
As an example, full-disk encryption systems encrypt the data on disk as blocks using
ciphers like AES, but random access to individual sectors might require the decryption of
whole blocks, at some performance penalty.
Stream Cipher
Stream ciphers, when used effectively, are usually more resistant to certain kinds of
attacks such as ciphertext-only attack and certain types of cryptanalyses. They are
suitable for situations that call for protection against attacks and security.
Example: One-Time Pad (OTP) A theoretically unbreakable stream cipher inputting a key
stream of the same length as the plaintext and using it once. In real life, OTPs are never or
hardly applied due to the key management problem.
Block Cipher
Depending on the block cipher and mode of operation being used, block ciphers may be
vulnerable to such attacks as differential cryptanalysis and chosen-plaintext attacks.
Security issues could arise in scenarios where the encryption's strength is crucial.
Example: The Data Encryption Standard (DES) was found to be broken due to
differential cryptanalysis, which led to the adoption of the more secure AES technique in
its stead.
Stream Encryptor
Stream ciphers may require less key management than block ciphers when it comes to
private key encryption, especially for devices with highly constrained resources or for
connections that are long term and encrypted.
Example: Because they are easy to implement and efficient on low-resource devices,
stream ciphers like the E0 algorithm are used in wireless communication protocols such
as Bluetooth. Block Cypher
Block Cipher
In most of the cases, block ciphers require more difficult key management, especially
with operating modes such as CBC that require IVs and padding schemes. Due to such
complexity, there can be additional security flaws.
For example, regarding key management and initialization vectors for block ciphers
operating in CBC mode, it is the very created complexity that could expose disk
encryption systems to potential security vulnerabilities.
Finally, stream ciphers are preferable for private key encryption compared to block
ciphers due to the efficiency, parallelization immunity against specific attack, and ease of
key management. In any case, since each of these cipher types has its merits and demerits,
the choice of one over the other depends on the requirements and constraints of the
application in which encryption is being used.
1.6 Justify the benefits of stream cipher over block cipher for possible use in ship
cargo regarding public and private key encryption.
The two major cryptography techniques for encryption are stream ciphers and block
ciphers; each has its certain advantages and disadvantages. Since public and private key
encryption have different natures, let's look at some advantages of stream ciphers over
block ciphers and how Ship Cargo’s cloud environment can make use of them:
Stream ciphers can also be used in public key encryption to establish secure channels
between entities. The addition of stream ciphers provides another layer of protection
against confidentiality and integrity violation in the data being exchanged via a
communication channel; this could be related to public key encryption methods. Most
applications involving public key encryption techniques involve key exchange and
asymmetric session key encryption. For instance, when using public key encryption, an
organization can use stream ciphers to authenticate and encrypt the streams of data moved
between clients and servers. It is a hybrid solution that combines the best of public key
encryption and stream ciphers to provide confidentiality, integrity, and legality of
communication in a public key environment.
It is also highly applicable to real-time applications and cases requiring very minimal
latency. While block ciphers operate on fixed-size blocks of data, stream ciphers encrypt
streams one bit or byte at a time. It is, therefore, possible to encrypt and decrypt data in an
efficient and timely manner. Since low latency is crucial for a seamless user experience,
stream ciphers naturally fit into applications such as VoIP services and secure messaging.
Companies can use stream ciphers to provide public key encryption for certain real-time
communication scenarios, allowing the business to have necessary security without
compromising responsiveness or efficiency. (Muhammad Rana, 2022)
While stream ciphers are helpful in certain scenarios, it is also worth noting that stream
ciphers do have their own disadvantages and flaws in security that should be considered.
Stream ciphers may, for instance, be vulnerable to the known-plaintext attack or key
stream reuse if used appropriately. What's more, stream ciphers require strict key
management to ensure the security of encrypted data streams. It is thus very important for
companies to follow the best protocols in key production, distribution, and storage to
reduce the possibility of cryptographic weaknesses or key compromise. Finally, while
stream ciphers sometimes offer increased security compared to public key encryption
systems, businesses should carefully investigate their suitability in each environment and
implement necessary security measures to mitigate possible risks. (Muhammad Rana,
2022)
Moreover, symmetric key systems can be further secured using stream ciphers. The cloud
environment data for Ship Cargo, which includes sensitive data, databases, or backups,
can be encrypted using stream ciphers to protect against unauthorized access or data
breaches. Once data is at rest, encryption and the use of appropriate decryption
Key, Ship Cargo ensures that, even in the event of an attacker gaining access to the
storage infrastructure, the data will still be unreadable. This adds an extra layer of security
to ensure that the occurrence of data loss or disclosure during a security breach or
unauthorized access is minimal.
This can be done to ensure that sensitive information is well protected with stream ciphers
not only for the secure storage and transmission of data but also in IoT and mobile
environments. Ship Cargo can track shipments, check inventories, and collect
environmental data using sensors via IoT devices or mobile applications. Ship Cargo can
ensure that data integrity and confidentiality are preserved, both sent from and to the
cloud platform, because the information streams emanating from those devices can be
encrypted with stream ciphers and private key encryption. It will ensure the
confidentiality and reliability of operations through the protection of sensitive data from
tampering or unauthorized access.
However, while making use of private key encryption, several disadvantages and
weaknesses that come along with stream ciphers should be considered. If used in an
inappropriate way, stream ciphers are vulnerable to known-plaintext attacks and other
cryptographic weaknesses, such as key stream reuse. Besides, appropriate key
management Protocols would be required to be implemented to securely keep the data
encrypted and not compromise a key. To minimize the risks of unauthorized access or
cryptographic failure, Ship Cargo should generate, store, and protect the keys correctly.
Given these limitations, stream ciphers can enable companies like Ship Cargo to enhance
the security of their cloud storage, transfer, and communication channels by providing
useful features for encrypting private keys.
Task 02
2. Examine the dangers and problems associated with public key encryption
methods, using several relevant real-world situations.
Key Generation: Keys shall be generated by using secure RNGs and generated in
a manner such that they are unpredictable and random. Suitable key length and
robust keys could be generated using good cryptographic key generation
procedures. The creation of the key must be made in a secure environment to
avoid any manipulation or compromise.
Key Storage: Keys must not fall into unauthorized hands, nor be disclosed.
Therefore, keys shall be stored in a secure way using either Hardware Security
Modules-HSMs or secure key vaults, providing protection against both physical
and logical attacks. Access controls and encryption shall be implemented to
ensure key access, based on the least privilege principle.
Distribution of Keys: Only authorized individuals should receive keys via secure
means. Using key agreement procedures or key exchange protocols, like the
Diffie-Hellman key exchange, cryptographic keys can be securely established
between communication participants. Public key infrastructure (PKI) is a means
of validating and distributing public keys in asymmetric encryption systems.
Key Rotation: The key updating should be very frequent to minimize the chances
of any cryptographic attack or key compromise. Frequent key rotation will help to
ensure long-term security of encrypted data by minimizing breaches. Key rotation
policies must be cautiously thought out to avoid violations and to protect sensitive
information.
Key destruction: A key is destroyed beyond recognition when its useful life has
expired, or it is no longer needed. Keys shall not be recoverable, including by
using methods such as cryptographic erasure or physical destruction of storage
media in a secure manner. It requires proper documentation and auditing to track
major destructive activities.
Key escrow and recovery: Key escrow protocols allow copies of encryption keys
to be deposited securely with trusted third parties. To permit encrypted data to be
recovered in case of system failure or loss of keys, key recovery procedures need
to be implemented. Associated security and privacy issues with key escrow and
recovery systems must be carefully investigated.
Danger
Public key encryption techniques rely on the proper handling of public and private keys
for their security. With a lost or misused private key, encrypted data might fall into the
wrong hands.
For instance:
In 2015, a breach at the U.S. Office of Personnel Management gave hackers access to the
personal data of federal employees. Poor key management practices have been identified
as one of the contributing factors in the incident.
6. Padding Oracle Attacks: Padding oracle attacks are a class of attacks through
which weaknesses in the cryptographic implementation may leak some
information about the padding included in encrypted communications.
For instance:
The “POODLE” attack Padding Oracle on Downgraded Legacy Encryption-in
turn allowed attackers to decrypt encrypted data by using padding oracle
vulnerabilities in the SSL 3.0 protocol.
8. Risk
Using vulnerabilities in cryptography techniques of public key Encryption,
attackers can successfully decrypt ciphertext.
For instance:
The attackers had the "Heartbleed" bug in the year 2014 in SSL/TLS protocol and
this bug had been exploited, it would allow them to get access to the OpenSSL
library as well as to the private keys of SSL/TLS encryption.
How the Attack Works: To achieve the level of intercepting and sometimes altering the
data moving between two parties, the attacker needs to somehow thwart their means of
communication. The offender will pose as either one or both victims to give the illusion
that they are speaking directly to each other. Attacks can, in some instances, enable the
attacker to gain access to sensitive information like private messages passing between
victims, login passwords, and financial transactions. (Kinza Yasar, 2022)
Danger
Attackers can steal with sensitive information or perform crimes, when they
listen to conversations among participants and adopt the identity of one or both
sides.
For instance:
Digi Notar, the Dutch certificate Authority got hacked in 2011 meaning attackers
could get fake SSL certificates. After that, the certificates were exploited in
MitM attacks to decrypt messages.
Cryptographic systems with weak key exchange protocol are some of non-secure
implementations that an intruder can exploit to tap on encrypted communications privacy
or integrity. This exposed them to exploit the encryption keys, where result- attackers
decoding of slave messages and other such illicit actions. (docs.oracle, n.d.)
Vulnerability: The RSA key exchange is a potential target for attackers if weak
or malformed keys are used. Additionally, poorly implemented in the RSA key
exchange can be leveraged as source of security through wrong implementation
into SSL/TLS protocol.
E.g.: The 2017 discovery of a vulnerability called RoCA impacted Infineon's RSA
key generation software. Through this flaw, attackers could break RSA numbers
and maybe decrypt stuff.
Mitigation: There needs to be a practise within the organization to use strong,
properly generated RSA keys of an appropriate length to mitigate RSA key
exchange issues. Not forgetting to also patch regular upgrades and enhancements
for your SSL/TLS implementations to fix holes.
The Key Encapsulation Mechanisms (KEMs) are the most suitable cryptographic
techniques to be applied for the secure exchange of keying material in the asymmetric
encryption systems. They address the problem of transferring symmetric keys over
insecure links securely through the process of putting the symmetric key into a cipher that
has been encrypted using the recipient’s public key. Lastly, it means that keys may be
exchanged without previously shared secret keys at all. (geeksforgeeks, 2024)
Important generating:
The very first thing that you need to do is generate a session key; this is a random
symmetric key you will use to encrypt the data.
Summarization:
The encapsulated key where different types of data and configurations needed for
decryption are stored also holds the encrypted symmetric key. The encapsulated
key may also contain information on the encryption algorithm used apart from the
encrypted symmetric key.
Transfer:
The encapsulated key is then transferred to the insecure channel of
communication to the receiver. The encapsulated key is then encrypted by the
sender’s public key with the recipient’s public key to prevent anyone from
intercepting or overhearing the transmission.
Deciphering:
Upon getting the wrapped key, the receiver then uses their own private key to
decrypt the received ciphertext to give the symmetric key. The regained
symmetric key can be later used to encrypt/decrypt the actual data that was
conveyed/shipped between a sender and a recipient.
Safe communication:
It is after KEM has been used to securely transport the symmetric key that the
sender and the recipient are able to talk securely about plaintexts. The Final
Concept The principal concept of symmetric keys is that of data encryption and
decryption whereas that of asymmetric keys is safe keying over an insecure
channel
Benefits of KEM
Security: Because a level of security is needed for exchange keys, KEMs employ
asymmetric encryption. It is encrypted with the help of the recipient’s public key
so that the intended recipient having the corresponding private key for decryption
can only retrieve the symmetric key.
Forward Confidentiality: Another feature which most KEMs provide is forward
security, which is referred to as perfect forward security (PFS). In forward
secrecy, a new symmetric key is created for any encryption process that is
employed. It as well means that every communication session has a private key
and therefore, held or next conversation sessions cannot be distorted even if one or
perhaps two symmetric keys are breached.
Efficiency: KEMs are efficient compared with other key exchange techniques.
Instead of exchanging the large symmetric keys directly, KEMs only encrypt such
a symmetric key within an asymmetric ciphertext. Consequently, there is
decreased data traffic and short and secure key exchange on the network.
Adaptability: KEMs offer a great deal of freedom on how keys are distributed
and managed. As we know, a symmetric key is always encrypted and thus can be
transmitted in a clear text over such insecure lines without the probability of
someone intercepting or eavesdropping on the communication. This makes it
possible to have secure interaction between the communicating parties without
necessarily sharing prior agreed secret keys.
Compatibility: KEMs are compatible with all existing schemes of cryptographic
protocols and algorithms. They can be included in currently in use cryptographic
systems and protocols like IPSec, SSL/TLS, and secure messaging protocols for
secure interchange of key in various applications.
Two Fish: Two fish is an alternative developed by Bruce Schneier and associates
of Blowfish as the symmetric encryption technique. Data is processed in 128-bit
blocks and keys can be 128, 192 or 256 bits in length. Two fish is a competitor
that provides powerful secure and efficient AES for AES marketplace.
(geeksforgeeks, 2024)
There exists information that person named Daniel J. Bernstein is the author of the
ChaCha20 symmetric encryption algorithm. It has an opportunity to work with
input data of any length and supports two key sizes – 128 and 256 bits. ChaCha20
comes with architecture that is both safe and fast and can therefore be used in any
protocol where performance is important this includes, encrypted messaging and
VPNs. (tutorialspoint, n.d.)
DEM Benefits
Efficiency: Maximum plaintext space and minimum computation and
communications requirements are usually higher in DEMs than in asymmetric
encryption techniques. Because symmetric encryption employs lesser
computational assets, it forms a perfect technique of encrypting and decrypting
huge numbers of-byte data rapidly.
Speed: As for the organic symmetric encryption techniques, for example the
Advanced Encryption Standard (AES), are meant to provide fast processes of
encryption as well as decryption. Low latency and high frequency throughputs
require DEMs; systems that include data storage and secure networking protocols
benefit from DEMs.
Scalability: As DEMs have shown to be easily scalable for any given situation, it
can be used for the defence of overall databases and network traffics, or for
protection of specific files and communications. Due to the symmetric encryption,
the encryption system may be easily designed to accommodate large amounts of
data, where the numbers of users are also high.
DEM Drawbacks
Key Distribution and Management: In case of DEMs symmetric key distribution
and management should be done in a secure manner. Relating to the secure
handling of keys, it can be difficult to define and uphold secure ways of
identifying and distributing key players when operating remotely or with a large
team.
Overhead for Key Exchange: If there is use of secure channels or semi secure
channels for transfer of symmetric keys than there may be added overhead about
transfer of keys securely between two parties. Quite understandably, this overhead
can make things slightly more complicated and impact how well things operate.
Restricted Transparency: Forward secrecy is, by and large, not given by DEMs,
contrary to asymmetric encryption schemes, which do in many cases. If the
symmetric key was discovered, then all further and further communications which
were previously encrypted with this key might be deciphered.
One Point of Failure: All the symmetric keys which a system possesses could be
vulnerable to attack in case of breach of the central key repository as seen in
centralized KM systems like KDCs. What this does is it eliminates one level of
protection and introduces great risk to exposure at the worst possible moment.
Significant Storage Weaknesses: Due to the nature of symmetric keys, they need
to be protected, and this makes their storage a complicated affair. However, key
storage is not entirely easy, especially in the case of software systems that
incorporate the use of the symmetric key. Any break in security that affects crucial
storage methods, or illegal access to stores containing keys, could pose a threat to
the privacy of encrypted information.
Rotating Keys Is Difficult: The use of a symmetric key presents a challenge since
keys need to be changed periodically to ensure high security minimizes the risks
arising from loss of keys. Sometimes it is not easy to implement a key rotation
process due to continuous connections or data encryption when the workstation is
idle. It may be cumbersome to communicate or require conducting of stopping
maintenance with main keys turned over.
Limited Use Cases: The most suitable use cases for DEMs are data encryption in
transit and data warehousing in a secure environment. As a result, CAFs may not
be effective in cases where dictionary permission is not usable such as in secure
multi-tenancy or many party data sharing.
DEM instances
Standard for Advanced Encryption (AES)
The Data Encryption Standard
Standard for Triple Data Encryption
Blowfish
Two-Fish
RC4
A cryptographic technique that protects data generated and passed between parties within
communication channel and interface using different encryption methodologies. Every
member of the PKE has two keys, one private and one public. The former is freely
distributable and used in encrypting a text, while the latter is to be kept secret, and is used
in decrypting the same text.
Key Generation: The main idea is that each participant creates two large
numbers: The Public Key and the Private Key. While these keys are logically
connected, in the implementation process, one of them cannot be derived from the
other.
Public Key Distribution: The public keys when required for further
communication can be exchanged between participants over the key server or held
in digital certificates, which can be made available to public. It means that only
the receiver can decipher messages through the help of their public key while
anyone can make messages encrypted for the receiver.
Encryption: When encrypt a communication, what the sender does is to have the
recipient’s public key. The message thereby sent cannot be read by anyone but the
recipient who uses his or her own private key to decode it.
Decryption: The means that the recipient uses their private key in order to
decipher the encrypted message that has been sent by the sender. The receiver
only, and only he who has the matching to the public key that was used for the
encryption of the communication, is the only person who can decipher the
communication.
Authenticity and Confidentiality: The public key encryption maintains
confidentiality by making sure that the message encrypted might only be
understood by the intended user. It also offers means of authentication because a
corresponding private key can be utilized for decryption of the message as well as
the validation of the fact it was encrypted by the owner of a concurrent public key.
Electronic Signatures: Our public key cryptography can also be applied in both
generation and verification of the digital signatures. Message integrity and non –
repudiation is done by creating a digital signature on a message digest that is
encrypted by the sender’s private key. To use this digital signature, any person
who can access the series of bytes that contains the sender’s public key can be
used to verify it.
Safe Key Exchange: Public key encryption can also be used for safe key
exchange in hybrid encryption techniques. A symmetric encryption key, for
example, can be safely shared via public key encryption, and all subsequent
communications can be effectively encrypted using the key.
Authentication: Public key encryption lets users check who's talking to them.
Anyone with the sender's public key can confirm digital signatures made with the
sender's private key. This means people can be sure messages are real and haven't
been changed while being sent.
Response to Key Exchange Risks: Public key encryption has no effect on key
exchange risks such as man-in-the-middle attacks. Since each party's public key is
publicly available and verified by all, enemies are unable to eavesdrop and change
conversations without being discovered.
Help: Public key encryption algorithms and standards are widely used and
interoperable with a wide range of devices, operating systems, and applications.
This ensures compatibility with existing communication protocols and systems as
well as a seamless transition. (Dougherty, 2023)
Distribution and Administration Are Crucial: Two keys – one private and
another open – are used in public key encryption, and thus, its safety highly
depends on the proper key distribution and management. The problem of verifying
the authenticity and genuineness of public key and its scalability for managing
dynamic membership and key revocation in large scale distributed systems.
Impact of Performance on Large Data: When it comes to the encryption of files
and records, then it is observed that the symmetric key encryption, performs better
than the public key encryption since records can, in most cases, be large. One of
the problems of public key cryptography in encrypting and decoding large data
collections is that it causes great overheads and longer time for processing than
that of the symmetric encryptions.
Difficulties with Private Key Security: Symmetric encryption’s weakness is also
a need for public key encryption to work, and that’s the protection of the private
keys. Anyone who has or gets or breaching a private key can decode encrypted
data, spoof digital signatures and the attacker can impersonate the owner of the
key too. Safeguarding private keys from unauthorized access and misuse is pivotal
for maintaining security of the public key encryption.
Complexity of Key Management: It emerge that while making use of public key
encryption; the management of keys is more complex as compared to the
symmetric encryption. The strong control of the key materially to support and
address key revocation and expiration, to store and protect public and private keys
as well as to verify the genuineness and soundness of keys.
Based on the public key systems, digital transactions and secured communications are
made possible. In such a case of compromised private keys, unauthorized decryption of
encrypted information and impersonation of good organizations might take place.
Authenticate private information and communication channels and maintain integrity and
confidentiality, and that would also apply to public key systems, freight forwarding firms,
Ship Cargo in this instance. Provable security offers a very accurate basis for assessing
the security guarantees given by a cryptographic system.
This step is very necessary for the freight forwarding organizations such as Ship Cargo: it
entails standardization of cryptographic algorithms as one of the main ensuring
components for the security and integrity of public key systems.
6. Key storage
Ship Cargo must keep private keys under a secure, impenetrable manner to avoid
unauthorized access or exposure. The following are two secure methods of storing
private keys: hardware security modules (HSMs) and secure key vaults, which
prevent unauthorized access, theft, or tampering.
All-long-lived keys that might be used for digital signatures and encryption cryptographic
function should undergo periodic updating and replacement by a Ship Cargo key rotation
process. This reduces the probability of key compromise as years pass, hence fortifying
the security against cryptographic systems. (Shiftan, 2023)
Besides conducting security audits Ship Cargo should carry out penetration testing on its
public key systems-it somehow evaluates the systems for resilience to real attacks.
Penetration testing works by simulating attack scenarios to discover possible breaches
and validate the security measures put in place.
Ship cargo software developers need to practice safe coding techniques incorporating
cryptography library integration in their applications and systems. Such safe codes protect
sensitive elements, validate input parameters, manage cryptographic keys and secrets
well, and avoid typical cryptographic security issues such padding oracle timing attacks
and side-channel attacks. (Ghalleb, 2024)
Task 03
During the encryption process, unencrypted plaintext data is converted into encrypted
ciphertext data using an encryption algorithm and cryptographic key.
Data Entry
The encryption process begins with the data to be encrypted, commonly known as
plaintext. Text, files, multimedia, and other digital data that need to be protected from
unauthorized access or interception may all be categorized as plaintext.
Symmetric Key Encryption: In this technique, the same key is used for both encryption
and decryption. The sender and the receiver must share this secret key in a secure manner.
Two examples of symmetric encryption techniques are AES and DES.
Asymmetric Key Encryption: This technique uses a pair of keys: a public key and a
private key. The public key is used for encryption,
where the private key must be used to decrypt it. The public key is publicly distributed,
while the private key is retained in secret by the owner. Two of the well-known
asymmetric encryption algorithms are RSA and Elliptic Curve Cryptography (ECC).
Not by Encryption plain text makes it e.g. text-an octogenarian ciphertext-begin or end
for valuable process from unauthorized personalizing rights, as coverts it. It is an
algorithm and uses an encryption key for securing data.
The initial stage consists of the initial plain text entered an encryption algorithm. The key
to the algorithm, a unique string of characters, is then needed to transform text into
ciphertext. The strength of the encryption mostly relies on the length of the key and the
complexity of the algorithm. Classical encryption is symmetric encryption (the same key
used for encryption and decryption) or asymmetric encryption (different keys for the two
processes).
Encryption serves confidentiality, integrity, and security. Thus, with this, it does not limit
modern cyber-security practices. (cloud, n.d.)
As only legitimate users possessing the requisite decryption keys can decipher plaintext,
therefore, ciphertext is protected as it can be exchanged over unsecured channels like the
internet or kept in untrusted locations.
Figure 10 Encryption
Synopsis
The data that must be sent in plain text will now be encrypted by the encryption
engine.
Now it will encrypt the data with the recipient's public key that has been acquired
from PKI.
For secure cloud communication, the encrypted data is constructed and ready in
ciphertext form.
1. Receiving Ciphertext: The intended recipient gets the encrypted message. It will
remain in such a format that is unreadable by anyone but him to maintain security
during the communications.
2. Choosing a Decryption Algorithm: The recipient uses the same algorithm that
was used for encryption. Suppose AES encryption; in that case, AES decryption is
applied.
5. Integrity Check: After decryption, the plaintext is checked for integrity to ensure
that data integrity is intact, and no pieces of information were lost during
transmission.
Decryption Method
Decryption of ciphertext is the recovery to plaintext through an algorithm with a certain
key. In this way, it enables secure communication by allowing the authorized user to
access the encrypted data. Decryption schemes can either be symmetric or asymmetric.
In symmetric decryption, the same key is used as was used for encryption. Some common
symmetric algorithms include DES, AES, Triple DES. Symmetric decryption is relatively
fast and has better data handling but requires key management.
Asymmetric involves the use of a public key encryption and private key decryption. Some
of the algorithms using asymmetric decryption are RSA and ECC. Asymmetric
decryption is much more secure for sharing information among groups but is slower to
execute.
In decryption, a specific algorithm is supposed to receive the ciphertext and the key for
turning the round towards an earlier stage. This ensures that only the authorized parties
using a certain information for decoding will de-manifest any information, keeping the
confidentiality and integrity of the data intact. (ibm, 2024)
Synopsis
Encrypted data downloaded from the cloud is then decrypted via the decryption
engine.
The decryption engine uses the recipient's private key, which is an integral part of
the PKI-based infrastructure, for decoding the data.
Using Ship Cargo technology, the plaintext encrypted data is extracted and made
available for further processing.
Commercial Situation
Since quality and preservation of confidential/bulk cargo data while being sent through an
online medium is at stake with Ship Cargo, a freight forwarding company, it follows a
policy of using a PKI environment for data encryption and decryption to maintain the
integrity and confidentiality of the data being sent.
Synopsis
At the outset of the conceding process, Ship Cargo’s sensitive shipment specifics
(in plaintext) must be conveyed to safety.
The encryption engine at Ship Cargo uses the public key of the intended
recipient (kindly acquired through the partner firm's PKI) to encrypt sensitive
cargo information.
The encrypted data has been transformed into ciphertext, before being readied
for internet transmission.
The encrypted data is securely sent over the internet to the partner company.
Upon receipt of the encrypted data, the decryption engine of the partner
company will decrypt it with the help of its own private key—part of its PKI.
The partner company now receives the decrypted sensitive shipping data in
plaintext form, for whatever further processing or utilization that may ensue.
3.3 Security Regulator and Mitigation Strategies
Encrypt Personal Data: It will encrypt critical information first before putting it
to the shipping database, again, to prevent unauthorized access to data. Guarantee
the confidentiality and integrity of the data in encrypting techniques.
Conduct security audits on a regular basis: Conduct regular security audits and
vulnerability assessments of the shipping database to identify and address security
vulnerabilities or configuration problems.
Unauthorized access to Ship Cargo’s cargo database presents risks, including financial
loss, loss of reputation, and legal consequences. To counter this risk: Ship Cargo should
implement access controls, encrypt sensitive data, monitor database access, perform
regular security audits, arrange education and training for its staff, and develop an
incident response plan. Through the implementation of a focused security controls and
countermeasures, Ship Cargo could improve its defence against unauthorized access and
safeguard the confidentiality, availability, and integrity of critical cargo data.
3.5 Examine the Difficulties and Security danger associated with using Cloud-
Hosted PKI in a Private network
Cloud-Based Software
Cloud computing has opened the door to all sorts of services and applications for users,
thereby eliminating the need for equipment on premises. Cloud computing is a paradigm
for the allocation and utilization of computer resources over the internet. With cloud
computing, resources such as servers, storage, databases, networking, software, and
analytics are provided as services to users who can dynamically scale their IT
infrastructures in response to demand. (smartb, n.d.)
Important Features
On-demand Self-service: This enables users to access server instances and storage
on demand without service provider intervention.
Broad Network Access: Cloud services, accessible over the internet from a range
of platforms and devices, allow users to access applications and data anywhere an
internet connection is available.
Resource Pooling: Cloud providers pool and share instances of computing
resources to offer efficient resource consumption and achieve cost optimization
amongst various clients and end-users.
Rapid elasticity: Well, very adaptable. The resources can be resized readily, if the
need arose, so ease does not suffer.
Data Protection and Compliance: Complying with guidelines related to strict legal
standards for data privacy might seem inconsistent within the realm of what cloud
computing permits. Organizations face undue problems from many quarters, such
as data residency, jurisdiction (i.e., which country's laws will govern what
happens?), and industry legislation, such as compliance with GDPR, HIPAA, or
PCI-DASS. This ensures that data sovereignty and compliance with local
regulation laws are put as a priority while handling and storing sensitive data on
the cloud.
Reliance on Service Providers: As organizations put out more and more cloud-
computing services, they become dependent on those companies as a one-stop
centre for their every infrastructure, software, and platform need. Any disruption,
outage, or change in service levels made by the cloud services provider could
affect the cloud services' reliability, efficiency, and availability. Besides that, the
inability to maintain service levels or come up with any changes, and vendor lock-
in, create significant pressures for organizations.
Network Connectivity and Latency: Cloud computing requires that the process be
done over the Internet, but unfortunately, this is a poor transmission medium
riddled with capacity constraints, latency issues, and several points of failure. Poor
connectivity or consumed latency resources may have a profound influence on the
responsiveness and performance of cloud-based applications and services,
especially for workloads that require immediacy, responsibility, or reasonable
latency. (cloud.google, n.d.)
A cloud host is an organization that provides computing resources and services over the
internet. This is also known as a cloud service provider or cloud hosting company. These
resources, usually virtual servers, storage, networking, and some other infrastructure
components are rented by paying for their usage via a data centre which boosts customer
confidence that they are not procuring a lot of things every month. (amazon, n.d.)
Using a Public Key Infrastructure (PKI) hosted in the cloud within a private network has
advantages and disadvantages.
Benefits
Scalability: Cloud-hosted public key infrastructure (PKI) systems can easily scale
to handle the increasing demand for certificate administration and issuance. This
scalability is beneficial for companies with fluctuating demand or rapid growth.
Cost-Effectiveness: Cloud-based PKI minimizes personnel, software, and
hardware initiation and recurring costs by removing the requirement for on-
premises infrastructure and maintenance.
Availability and Reliability: Cloud providers typically provide very high levels of
availability and redundancy with guaranteed availability of PKI services. As a
result of its reliability, there is less likelihood of downtime, and certificates are
constantly available to users and applications.
Global Accessibility: Cloud-hosted public-key infrastructure (PKI) solutions can
be easily accessed from any internet-accessible location, providing seamless
certificate management and issuing across the geographically distributed systems.
Disadvantages
There are a host of security and compliance-related issues born of keeping crucial
cryptographic keys and certificates on the cloud involving data secrecy, integrity,
and regulatory compliance. Organizations must ascertain that cloud providers
enforce stringent security measures and adherence to industry-centric compliance
regulations.
Data Privacy and Sovereignty: Cloud-based PKI solutions may raise data privacy
and jurisdictional concerns usually involved where residency and jurisdictional
issues arise. Organizations must consider legal and regulatory ramifications of
housing PKI data in the cloud, particularly in places where data protection laws
are very strict.
Depending on the Cloud Provider: Organizations using cloud-based PKIs must
generally fall upon the policies, infrastructure, and service standards of the cloud
provider. Any delays in the services or outages in the cloud facility will impact the
availability and performance of PKI services, causing business interruption.
Network Latency and Connectivity: Organizations must ensure stable network
connectivity for users to access cloud-hosted PKI services. Network problems,
latency, or network bandwidth limitations may hinder PKI applications
performance, especially during real-time certificate validation and issuance.
The challenges and security risks of using PKI hosted in the cloud on a private
network
Data privacy and confidentiality: As much as these measures protect against
information leakage, storing credential information, and cryptographic keys, in the
cloud may leave a soft spot against data privacy and confidentiality. Enterprises
will have to sift above other protocols for the protection of privileged PKI
information: encryption, access control, and encryption key management.
Cloud Provider Security: The security of the hosted Public Key Infrastructure
(PKI) will depend on that of the systems, infrastructure, and services provided by
the cloud hosting company. Businesses will need to conduct rigorous security
evaluation of the cloud provider's security rules, certifications, and compliance
requirements to evaluate whether the measures put in place are adequate against
insider attacks, cyber threats, or breaches.
Utilizing cryptanalysis and cryptography techniques and tools, put into practice the
system that was created in response to a security case.
AES stands for Advanced Encryption Standard, widely considered one of the best.
Application: A method that uses symmetric key for the confidentiality of data.
AES is an important symmetric-key encryption design put forth to replace the
aged DES. It is believed safe against known threats if it is used well enough. AES
can use key size length of 128, 192, or 256 bits. (Srėbaliūtė, 2024)
RSA
Application: It employs asymmetric key encryption; it uses digital signatures and
key exchange. The RSA algorithm is a commonly used asymmetric-key technique
for encryption and digital signatures. Furthermore, the challenge of secure
communication and authentication relies mainly on factoring of large prime
numbers, which is a taxing computation. (securew2, 2024)
To select the appropriate cryptographic algorithms for a given use case, it is essential to
carefully consider the specific security requirements, performance constraints, and
compatibility difficulties while implementing the system developed in response to a
security scenario. It is also essential to follow best practices for key management,
algorithm parameter selection, and cryptographic protocol design to preserve the overall
security and integrity of the system.
3.7 Using the following steps to implement the encryption and decryption
techniques in the security case
John the Ripper: John the Ripper is a notorious open-source password cracker used for
auditing and cryptanalysis. It can work against several password hashing algorithms and
makes use of a broad variety of attack strategies, including hybrid or dictionary or brute-
force attacks. John the Ripper is a tool widely used by penetration testers and security
researchers to test the strength of password hashes and the effectiveness of password
restrictions.
Hashcat: Fast password recovery tool tooled for cracks using GPU acceleration—can
perform timed cracks of SHA-256, MD5, SHA-1, and bcrypt password hashes. An
arsenal of optimizations and attack methods is offered by Hashcat commonly used to
audit passwords from hashed data. (Tiwari, 2018)
Brute-force attack tools are essential for assessing the security of passwords, encryption
keys, and other security measures in the field of cybersecurity. They work by carefully
trying every possible combination until the one that works.
John the Ripper: John the Ripper is a very widely used and popular open-source
password cracker. It supports several attacks: hybrid, brute-force, and dictionary
attacks. It can decrypt password hashes generated by such cryptographic hash
techniques as SHA-256, MD5, SHA-1, and bcrypt. In addition, John the Ripper is
very flexible and can be parallelized for maximum efficiency in password
cracking.
TShark: This is a command-line tool for network traffic analysis and capture like
Wireshark. It has the same features for packet capture and display filters that
Wireshark has, and it also allows you to export the captured packets as pcap,
JSON, or CSV files. It is very useful for scripting and automating network
analysis tasks as well as cooperating with other tools and systems.
3.9 Give a Critical assessment of the system implementation of how well it satisfies
the established security goals and offer recommendations for development.
Least Privileges: As per the principle of least privilege, the minimum required
access should be allocated to the user to perform his job. User permissions must
be reviewed and altered on a regular basis to ensure that activation capabilities
remain in sync with the current job position and duty.
User management: The policies set in place for user management should include
versatile mention of account audits, account deletion, and prompt access negation
for those contractors or officials quit. Also, stern policies for password: complex
passwords and periodic password renewal.
Network Segmentation: Isolate the shipping database within yet another part of a
network to enable unimpeded access to only approved individuals or devices.
Firewalls, VLANs, and other network security solutions can be used to apply
access policy and prevent the database from being accessed by unwanted traffic.
(Novikava, 2024)
Digital Signatures: Digital signatures are used to authenticate the data and check
its integrity. Important data entries or digital transactions can be signed using
asymmetric cryptography techniques such as RSA and ECDSA. Verify digital
signatures when data is retrieved so that the data can be confirmed unchanged
since signing. (docusign, n.d.)
Load balancing: Use load balancing techniques for a more even distribution of
incoming traffic over multiple database servers or resources. Load balancers
perform health and performance checks of servers and automatically reroute
traffic to servers that are functioning well, to optimize resource usage and prevent
overloads that could result in downtime.
Monitoring and Alert: Use reliable monitoring and alerting systems for
anticipation of performance problems or potentials. Key performance indicators
that should be monitored include RAM, CPU, disk input/output, and network
traffic. Alerts should notify administrators anytime something seems peculiar.
(fiixsoftware, n.d.)
Task 04
4.1 Examine the Main advantages of enhancing cloud security with a variety of
cryptography and hybrid cryptosystems.
Security and Efficiency
Hybrid encryption establishes secure communication channels by exchanging keys
asymmetrically, rather than transmitting vital symmetric keys
over unsecured networks. That is, asymmetric encryption provides the secure
way of transferring keys, while symmetric encryption allows for efficient and fast data
encryption.
Combination encryption
Hybrid encryption embodies the strengths of symmetric and asymmetric encryption to
prevent some of the weaknesses in either method. Under this, in hybrid encryption,
symmetric encryption of the data is done with a jointly agreed secret key; delivering the
secret key is done securely using asymmetric encryption. (A. Kousalya a, 2023)
2. Asymmetric Encryption
In an asymmetric encryption, the private key decrypts the encrypted text, and the
public key encrypts it. This was initially proposed to solve the key-sharing
problem in symmetric encryption. However, in the real world, it is usually more
inefficient and sluggish while encrypting large volumes of data.
3. Key-Exchange
A hybrid cryptosystem normally makes use of asymmetric encryption for the
purpose of key exchange. The sender will encrypt the symmetric key using the
public key of the recipient together with the encrypted message. The recipient
then decrypts the communication and makes use of his private key to decode the
symmetric key. (Kime, 2023)
Flexibility: In hybrid cryptosystems, the choice of the key exchange and the
mechanism for data encryption could be freely chosen. One may use a common
asymmetric encryption technique like RSA or ECC to exchange keys, while data
can then be encrypted with much stronger symmetric algorithms like AES.
A hash function provides a potential for data integrity check and identification of
unauthorized alterations by producing fixed-length hash values from variable-
length data inputs. Ship Cargo can make checksums using hash functions for
governing cloud-stored files, facilitating periodic checks to ascertain the integrity
of data and make sure that it is not tempered with. Ship Cargo checks for
discrepancies that can indicate data modification by comparing hash values before
and after transit or storage.
1. Data Confidentiality
For example, Ship Cargo can efficiently encrypt large volumes of data using
symmetric encryption schemes like AES (Advanced Encryption Standard). This
will ensure that highly sensitive information stored on cloud storage remains
confidential and cannot be accessed directly by any third party. Asymmetric
enciphering methods such as RSA could also provide key exchange and
transmission protection for symmetric encryption keys.
2. Data Correctness
For example, Ship Cargo may employ cryptographic hash functions such as SHA-
256 to create checksums for cloud-stored data. This enables Ship Cargo to
periodically check the current checksum against the stored checksum for
correctness and detection of unauthorized modifications or attempts to manipulate
the data. Digital signatures can be used to attest to data integrity through
asymmetric cryptography by providing a means of verification of an origin and
authenticity of said data.
1. Regulatory Compliance
Organizations must ensure compliance of the cloud solution with regulatory
requirements specific to the industry. A good example is METROPOLIS
CAPITAL Bank, where the institution must comply with Central Bank
regulations, as well as ISO standards. Non-compliance can lead to legal penalties
and damage to an institution's reputation; thus, cloud solutions must provide
appropriate features such as data encryption, secure access controls, and auditing
capabilities.
2. Data Sensitivity
The sensitivity of the organization's data is a critical consideration. Financial
institutions handle highly sensitive customer information, requiring robust data
protection mechanisms such as encryption at rest and in transit, secure key
management, and advanced threat detection. A cloud solution should guarantee
these capabilities to maintain confidentiality and integrity.
3. Scalability and Flexibility
Cloud solutions provide scalability and flexibility, enabling organizations to adapt
to changing needs. For instance, expanding operations or transitioning to work-
from-home models requires scalable security measures. A cloud solution should
accommodate these demands without compromising security, ensuring seamless
integration with existing systems.
4. Cost Implication
Budget constraints often play a significant role. Cloud solutions can reduce
upfront costs associated with on-premises hardware and software while offering
predictable, subscription-based pricing. However, organizations must balance cost
savings with the need for comprehensive security features to avoid vulnerabilities
that could result in higher expenses later. (aimconsulting, n.d.)
4.5 Ship Cargo claims that cloud system will improve security
4.6 Examine critically how specific cryptography and hybrid cryptosystem are
used in an organization to protect data
The process begins by feeding the plaintext into a complex mathematical formula—the
encryption algorithm. This formula, guided by the secret key, shuffles and changes the
data, creating the ciphertext. This ciphertext looks like random gibberish, completely
hiding the original message's meaning. It can then travel safely across any communication
path, from email to a secure network.
The recipient, possessing the correct key, uses the same algorithm, but in reverse
(decryption). This reverses the scrambling, revealing the original message. The security
relies on the key's secrecy and the algorithm's strength—its resistance to unauthorized
decryption attempts.
There are different types of codes. Some use the same key for both scrambling and
unscrambling, requiring careful key sharing. Others use a pair of keys: a public key,
freely shared for scrambling, and a private key, kept secret for unscrambling. This clever
system avoids the need for risky key exchanges.
One-way functions, like hashing, also play a role. These create a unique fingerprint of
data, used to verify its authenticity and detect any changes made during transmission or
storage. These methods, combined with careful key management, form the backbone of
modern cryptography, protecting our digital world. (Ghimiray, 2023)
Advantages
Confidentiality of Information: Encryption ensures that only an authorized
individual has access to sensitive data under protection from being disclosed and
breached. This is particularly important in the health, finance, and government
industries, where breaches can result in severe consequence.
Integrity of Information: Cryptographic techniques from hashing to digital
signatures enable data to remain unchanged during transmission or storage. This
serves to protect data from being tampered with and to ensure its authenticity.
Authentication and Non-Repudiation: Cryptography makes possible secure
authentication, allowing identification of users while making sure
communications originate from perpetrating sources. Non-repudiation is made
possible with digital signatures, thereby preventing parties from denying their
actions or involvement in transactions.
Able to Meet Regulatory Requirements: Industries require data protection
compliance regulations including HIPAA, PCI DSS, and GDPR. Use of
cryptography aids enterprises in complying with applicable statutes and
parameters, therefore reducing legal and financial risk in the confines of data
breaches.
Disadvantages
Inside an organization, data security takes precedence over others, with the usage of
various cryptographic techniques to safeguard sensitive information. A hybrid
cryptosystem combines the powers of symmetric and asymmetric encryption. Here, the
data are encrypted using symmetrical methods, with speed and efficiency enjoyed when
large amounts of data are involved. However, the symmetric key is securely exchanged
by using asymmetric encryption, allowing only authorized individuals holding the private
key associated with the symmetric key to decrypt it for accessing the data. In the end, this
coupling is a strong alternative for data protection, which has a balance between security
and performance. Other organizations may resort to specific cryptographic algorithms
like AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman) for their
purposes. AES in coding might serve the encryption of data at rest while RSA could
accomplish the digital signature purpose to verify the underlying authenticity of
documents. The use of cryptography and hybrid cryptosystems should be proportionate to
the required security standards, data sensitivity issues, and organization resources.
Data protection in ship cargo operations is vital for protecting sensitive information,
controlling security compliance, and guarding against cyber threats. As the maritime
industry increasingly integrates digital systems, making sure that adequate data security is
fairly in place is imperative. Some of the considerations include:
2. Encryption
Both sent and stored data should be encrypted so that the sender or recipient cannot
intercept them or access them unsolicitedly. Such secure means of communication can
include the likes of HTTPS, Transport Layer Security (TLS), or Virtual Private Networks
(VPNs) in transmitting data in between ship and shore-based systems.
3. Cybersecurity Measures
Protecting the cargo management system from cyber threats will be paramount. Security
measures will involve:
Firewalls and Intrusion Detection Systems (IDS): suckless to kill malicious
activities.
Endpoint protection: securing devices like on-board terminals and handheld
scanners.
Regular patching and updates: guaranteeing that all systems are fixed and
regularly updated not to suffer from vulnerabilities. (nibusinessinfo, n.d.)
To achieve better security for ship cargo data, the selected cryptosystem and
cryptographic techniques should be effective. The choice depends on the sensitivity of
data, operational requirements, and the threat landscape in the maritime operating
environment. Following are the recommended cryptosystem and cryptographic
techniques for ship cargo data protection:
1. Data Encryption
The fundamental layer of security for cargo-sensitive information is encrypting data at
rest and in transit. This involves the use of AES-256 encryption for data in the cloud and
TLS 1.3 for secure communication in data transmission. These encryption standards will
assure that any unauthorized users cannot access or intercept the data.
4.9.2 Suggestion to the ship cargo company Regarding the Cloud platform
AWS would be an apt cloud solutions provider for Ship Cargo due to its ability to store
sensitive data securely, facilitate communication, and guarantee scalability. AWS also
offers a rich catalog of services designed for scalable infrastructure, secure
communication, and various data encryption options that are suitable for Ship Cargo.
Some of the AWS services that Ship Cargo can utilize include Amazon S3 for secure
storage of customer and shipping records, Amazon RDS for managed databases for
holding transactional information, and AWS Key Management Service (KMS) for
dependable encryption key management. Most importantly, AWS provides secure
communication routes through services like AWS Direct Connect and Amazon Virtual
Private Cloud (VPC), ensuring confidentiality and integrity of data carried over the
network.
It is so easy to scale any of Ship Cargo's business with AWS's extensive offering of
compute resources, including virtual servers (Amazon EC2), containers (Amazon
ECS/EKS), and serverless computing (AWS Lambda). With its global data center
network, compliance certifications, and state-of-the-art security features, AWS guarantees
that you are always in compliance while allowing you to build resilient and uptime
solutions.
References
A. Kousalya a, N.-k. B. b., 2023. sciencedirect. [Online]
Available at: https://www.sciencedirect.com/science/article/pii/S2666603023000040
[Accessed 19 12 2024].
aimconsulting, n.d. aimconsulting. [Online]
Available at: https://aimconsulting.com/insights/evaluate-cloud-service-provider-
security-benefits-criteria/?utm_source=chatgpt.com
[Accessed 20 12 2024].
amazon, n.d. aws.amazon. [Online]
Available at: https://aws.amazon.com/what-is/cloud-hosting/
[Accessed 17 12 2024].
cloud.google, n.d. cloud.google. [Online]
Available at: https://cloud.google.com/learn/advantages-of-cloud-computing?hl=en
[Accessed 17 12 2024].
cloudflare, n.d. cloudflare. [Online]
Available at: https://www.cloudflare.com/learning/ssl/what-is-encryption/
[Accessed 10 12 2024].
cloud, n.d. cloud.google. [Online]
Available at: https://cloud.google.com/learn/what-is-encryption?hl=en
[Accessed 17 12 2024].
darktrace, n.d. darktrace. [Online]
Available at: https://darktrace.com/cyber-ai-glossary/data-encryption-explained?
utm_source=chatgpt.com
[Accessed 15 12 2024].
docs.oracle, n.d. docs.oracle. [Online]
Available at:
https://docs.oracle.com/cd/E95618_01/html/sbc_scz810_acliconfiguration/GUID-
63700646-0BDD-4F38-AAF7-EFD49ABCD13E.htm
[Accessed 15 12 2024].
docusign, n.d. docusign. [Online]
Available at: https://www.docusign.com/how-it-works/electronic-signature/digital-
signature/digital-signature-faq
[Accessed 19 12 2024].
Dougherty, R., 2023. kiteworks. [Online]
Available at: https://www.kiteworks.com/secure-file-sharing/public-vs-private-key-
encryption/
[Accessed 13 12 2024].
Dougherty, R., 2023. kiteworks. [Online]
Available at: https://www.kiteworks.com/secure-file-sharing/public-vs-private-key-
encryption/#:~:text=Secure%20Communication%3A%20Public%20key
%20encryption,recipient%20can%20read%20the%20message.
[Accessed 16 12 2024].
Elaine Barker, S. C. B. ,. S., 2013. A Framework for Designing, s.l.: NIST.
Fernigrini, L., 2022. vertabelo. [Online]
Available at: https://vertabelo.com/blog/database-constraints-types/
[Accessed 19 12 2024].
fiixsoftware, n.d. fiixsoftware. [Online]
Available at: https://fiixsoftware.com/glossary/system-availability/
[Accessed 19 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/difference-between-block-cipher-and-
stream-cipher/
[Accessed 10 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/caesar-cipher-in-cryptography/
[Accessed 11 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/vigenere-cipher/
[Accessed 11 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/bitwise-xor-operator-in-programming/
[Accessed 12 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/easy-key-management-in-cryptography/
[Accessed 14 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/introduction-to-key-encapsulation-
mechanism-api-in-java/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/blowfish-algorithm-with-examples/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/twofish-encryption-algorithm/
[Accessed 15 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/digital-signature-algorithm-dsa/
[Accessed 17 12 2024].
geeksforgeeks, 2024. geeksforgeeks. [Online]
Available at: https://www.geeksforgeeks.org/hash-functions-and-list-types-of-hash-
functions/
[Accessed 19 12 2024].
Ghalleb, Z., 2024. wiz. [Online]
Available at: https://www.wiz.io/academy/secure-coding-best-practices
[Accessed 16 12 2024].
Ghimiray, D., 2023. avast. [Online]
Available at: https://www.avast.com/c-cryptography#:~:text=Cryptography%20works
%20by%20taking%20plaintext,all%20except%20the%20intended%20recipient.
[Accessed 21 12 2024].
ibm, 2024. ibm. [Online]
Available at: https://www.ibm.com/docs/en/was/8.5.5?topic=apis-decryption-methods
[Accessed 17 12 2024].
ibm, n.d. ibm. [Online]
Available at: https://www.ibm.com/docs/en/wca/3.0.0?topic=security-authentication-
versus-access-control
[Accessed 21 12 2024].
imperva, n.d. imperva. [Online]
Available at: https://www.imperva.com/learn/application-security/brute-force-attack/
[Accessed 19 12 2024].
Karen Scarfone, 2022. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/tip/The-benefits-and-
challenges-of-managed-PKIs
[Accessed 17 12 2024].
Kime, C., 2023. esecurityplanet. [Online]
Available at: https://www.esecurityplanet.com/trends/types-of-encryption/
[Accessed 20 12 2024].
Kinza Yasar, M. C., 2022. techtarget. [Online]
Available at: https://www.techtarget.com/iotagenda/definition/man-in-the-middle-
attack-MitM#:~:text=(MitM)%20attack%3F-,A%20man%2Din%2Dthe%2Dmiddle
%20(MitM)%20attack,communicating%20directly%20with%20each%20other.
[Accessed 14 12 2024].
Meghanathan, D. N., n.d. Key Distribution and, s.l.: jsums.
Muhammad Rana, .. R. I. i., 2022. sciencedirect. [Online]
Available at: https://www.sciencedirect.com/topics/computer-science/stream-cipher
[Accessed 14 12 2024].
nibusinessinfo, n.d. nibusinessinfo. [Online]
Available at: https://www.nibusinessinfo.co.uk/content/common-cyber-security-
measures
[Accessed 21 12 2024].
Novikava, A., 2024. nordlayer. [Online]
Available at: https://nordlayer.com/blog/how-to-prevent-unauthorized-access/
[Accessed 19 12 2024].
okta, 2024. okta. [Online]
Available at:
https://www.okta.com/identity-101/rc4-stream-cipher/#:~:text=RC4%20(also
%20known%20as%20Rivest,very%20large%20pieces%20of%20data.
[Accessed 15 12 2024].
Peter Loshin, F. S. T., 2021. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/key
[Accessed 16 12 2024].
Rahul Awati, C. B. C., 2024. techtarget. [Online]
Available at: https://www.techtarget.com/searchsecurity/definition/Advanced-
Encryption-Standard
[Accessed 15 12 2024].
securew2, 2024. securew2. [Online]
Available at: https://www.securew2.com/blog/what-is-rsa-asymmetric-encryption
[Accessed 18 12 2024].
sematext, n.d. sematext. [Online]
Available at: https://sematext.com/glossary/ssl-tls-handshake/
[Accessed 15 12 2024].
shardsecure, 2023. shardsecure. [Online]
Available at: https://shardsecure.com/blog/advantages-data-encryption
[Accessed 20 12 2024].
Shiftan, A., 2023. piiano. [Online]
Available at: https://www.piiano.com/blog/key-rotation?utm_source=chatgpt.com
[Accessed 16 12 2024].
smartb, n.d. smartb. [Online]
Available at: https://www.smartb.co/what-is-cloud-based-software/
[Accessed 17 12 2024].
Srėbaliūtė, A., 2024. nordlayer. [Online]
Available at: https://nordlayer.com/blog/aes-encryption/
[Accessed 17 12 2024].
stackexchange, n.d. rypto.stackexchange. [Online]
Available at: https://crypto.stackexchange.com/questions/111557/the-advantages-of-
using-kem-compared-to-applying-traditional-pke-approach
[Accessed 16 12 2024].
Thakor, V. A. & Razzaque, M. A., 2021. ieeexplore. [Online]
Available at: https://ieeexplore.ieee.org/abstract/document/9328432
[Accessed 16 12 2024].
Tiwari, Y., 2018. infosecinstitute. [Online]
Available at: https://www.infosecinstitute.com/resources/cryptography/cryptanalysis-
tools/
[Accessed 19 12 2024].
tutorialspoint, n.d. tutorialspoint. [Online]
Available at:
https://www.tutorialspoint.com/cryptography/cryptography_chacha20_encryption_algor
ithm.htm
[Accessed 15 12 2024].