Security-related Technologies Version 2.0
Authentication Technologies
Authentication is the process of determining whether
someone or something is, in fact, who or what it
is declared to be. In private and public computer
networks (including the Internet), authentication
is commonly done through the use of logon passwords. Knowledge
of the password is assumed to guarantee that the
user is authentic. Each user registers initially
(or is registered by someone else), using an assigned
or self-declared password. On each subsequent
use, the user must know and use the previously declared
password. The weakness in this system for transactions
that are significant (such as the exchange of money)
is that passwords can often be stolen, accidentally
revealed, or forgotten.
Biometric Devices
A biometric is a measurement of a unique characteristic which is digitized and recorded, for example on a smart card. Biometrics is the authentication of a person's identity by verifying his unique physiological or behavioral characteristics. Instead of relying on keys, cards or passwords, it makes use of a unique feature of the user's body to establish the user's identity. http://www.sjug.org/jcsig/others/biometrics.htm
-
BioLink mouse (brand name)
A built-in thumbprint sensor for network or Internet identity verification. It also includes a small window on the side where your thumb would normally rest. Software can verify a user's identity once or at many different stages of program operation automatically without the operator even needing to let go of the mouse. "Security becomes hands-on with biometrics," John McCormick, Dec 7, 1999, Tech Republic
-
BioMouse (brand name)
A mouse-shaped fingerprint scanner with a red-eyed window you press any finger against. "Security becomes hands-on with biometrics," John McCormick, Dec 7, 1999, Tech Republic
Electronic Authentication Devices
Any device which attempts to bind a particular piece
of information in an electronic environment (such
as someone's name and address) to another piece of
information which is more susceptible to electronic
verification (such as a password, a cryptographic key
or a piece of biometric information), such that the
verification of the latter will confirm the validity
of the former.
-
Digital Certificate
A digital certificate is an electronic "credit card" that establishes
your credentials when doing business or other transactions on the
Web. It is issued by a certification authority (CA). It
contains your name, a serial number, expiration dates, a copy of
the certificate holder's public key (used for encrypting and decrypting
messages and digital signatures), and the digital signature of the
certificate-issuing authority so that a recipient can verify that
the certificate is real. Digital certificates can be kept in registries
so that authenticated users can look up other users' public keys.
-
iKey
A USB-based token identification device that operates like a Smart
Card. It uses a 128-bit encrypted key combined with a personal
identification number for each authorized user. "Security
becomes hands-on with biometrics," John McCormick, December 7,
1999, Tech Republic.
-
Public Key Infrastructure (PKI)
A PKI (public key infrastructure) enables users of a basically insecure
public network such as the Internet to securely and privately exchange
data and money through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted authority. The
public key infrastructure provides for digital certificates that
can identify individuals or organizations and directory services
that can store and, when necessary, revoke them.
-
Cards
Smart Card
Security features are an important aspect of smart cards, preventing unauthorized users from gaining access to information contained on the card. The advantage smart cards have over magnetic stripe cards is that the smart card contains a computer chip which stores the password or PIN. Therefore, the password is not sent for verification over a communication line to a computer system, where it could easily be tapped. http://www.sjug.org/jcsig/others/biometrics.htm
A smart card is a card that is embedded with
either a microprocessor and a memory chip or
only a memory chip with non-programmable logic.
The microprocessor card can add, delete, and
otherwise manipulate information on the card,
while a memory-chip card (for example, pre-paid
phone cards) can only undertake a pre-defined
operation. http://java.sun.com/products/javacard/smartcards.html
Swipe Card
Swipe cards hold data in the form of magnetic encoding or in the
form of a barcode. The card is swiped through a reader, which
decodes the information and responds appropriately based on the
card information. Proximity cards fall within this classification
and are used to limit access to defined areas.
Tokens
Tokens are physical cards similar to credit cards that work in conjunction
with a user-ID to identify a user to the system. They combine
something a person knows, such as a password or PIN, with something
they possess, a token card. Token cards commonly generate
either dynamic passwords or a response in a challenge-response
communication between the user and the system. Tokens are
commonly used for secure remote access where high levels of security
are required. It is likely that tokens will become obsolete
and will be replaced by PKI as PKI matures. "An Information
Technology Security Architecture for Ohio", Ohio Dept. of Administrative
Services, Nov. 16, 1999

Cryptography Technologies
Encryption is the conversion of data into
a form, called a cipher, that cannot be
easily understood by unauthorized people. Decryption is
the process of converting encrypted data back into
its original form, so it can be understood.
The use of encryption/decryption is as old as the
art of communication. In wartime, a cipher,
often incorrectly called a "code," can be employed
to keep the enemy from obtaining the contents of
transmissions. (Technically, a code is
a means of representing a signal without the intent
of keeping it secret; examples are Morse code and
ASCII.) Simple ciphers include the substitution of
letters for numbers, the rotation of letters in the
alphabet, and the "scrambling" of voice signals by
inverting the sideband frequencies. More complex
ciphers work according to sophisticated computer
algorithms that rearrange the data bits in digital
signals.
-
PGP (Pretty Good Privacy)
PGP (Pretty Good Privacy) is a popular program used to encrypt and
decrypt e-mail over the Internet. It can also be used to send an
encrypted digital signature that lets the receiver verify the sender's
identity and know that the message was not changed en route. Available
both as freeware and in a low-cost commercial version, PGP is the
most widely used privacy-ensuring program by individuals and is
also used by many corporations. Developed by Philip R. Zimmermann
in 1991, PGP has become a de facto standard for e-mail security.
PGP can also be used to encrypt files being stored so that they
are unreadable by other users or intruders.
Access Control Technologies
Technology concerned with the distribution and allocation of system resources to satisfy or deny user requests based upon user-specific access privileges.
-
Firewall
A firewall is a set of related programs, located at a network gateway
server, that protects the resources of a private network from users
from other networks. (The term also implies the security
policy that is used with the programs.) An enterprise with
an intranet that allows its workers access to the wider Internet
installs a firewall to prevent outsiders from accessing its own
private data resources and to control what outside resources its own users have access to.
Basically, a firewall, working closely with a
router program, filters all network packets to
determine whether to forward them toward their
destination. A firewall also includes or works
with a proxy server that makes network requests
on behalf of workstation users. A firewall is often
installed in a specially designated computer separate
from the rest of the network so that no incoming
request can get directly at private network resources.
There are a number of firewall screening methods. A
simple one is to screen requests to make sure they
come from acceptable (previously identified) domain
names and IP addresses. For mobile users, firewalls
allow remote access into the private network by
the use of secure logon procedures and authentication
certificates.
A number of companies make firewall products. Features
include logging and reporting, automatic alarms
at given thresholds of attack, and a graphical
user interface for controlling the firewall. http://www.whatis.com/firewall.htm
-
Virtual Private Network (VPN)
A way of using a public network (typically the Internet) to link
two sites of an organization. A VPN is typically set up by protecting
the privacy and integrity of the communication line using a secret
session key. The secret session key is usually negotiated using
the public keys of the two principals. Relative to the Internet,
tunneling is using the Internet as part of a private secure network. The "tunnel" is
the particular path that a given company message or file might
travel through the Internet.
Electronic Intrusion Technologies
-
Intrusion Detection
Intrusion Detection System (IDS) technology is an important component
of a comprehensive enterprise security strategy. IDS products help
security administrators by alerting them to suspicious activity
that may be occurring on their systems and networks in real time.
IDS has long been a subject of theoretical research, but is now gaining mainstream popularity.
-
Internet Protocol Security (IPSec)
A whole new industry is emerging to satisfy the growing need for
secure electronic communications over the Internet. One of the
most visible elements of the new industry is focused on providing
security for the Internet Protocol (IP) environment. The IP is
the foundation protocol for the Internet. IP is part of Transmission
Control Protocol/Internet Protocol (TCP/IP), a network-layer standard
developed by the U.S. Department of Defense to manage the routing
and relaying of data between network nodes or components. IP Security
or IPSec is short for the IP Security Architecture, a developing
architecture that has the goal of providing interoperable, cryptographically based
security services for IP layer environments. The principal security
services provided by IPSec are authentication, data integrity and
confidentiality.
-
Monitoring
Packet Sniffing
A program and/or device that monitors data traveling over a network. Sniffers
can be used both for legitimate network management functions and
for stealing information off a network. Unauthorized sniffers
can be extremely dangerous to a network's security because they are
virtually impossible to detect and can be inserted almost anywhere. This
makes them a favorite weapon in the hacker's arsenal. On TCP/IP
networks, where they sniff packets, they're often called packet sniffers.
A packet sniffer is a program that can record all network packets
that travel past a given network interface, on a given computer,
on a network. It can be used to troubleshoot network problems,
as well as to extract sensitive information such as credentials from
unencrypted login sessions.
Firewall Logs
Records of activities pertinent to firewall operations, usually associated
with transfer of packets or the operation of the firewall software
and the system on which it runs. Firewall logs are critical to preventing and recovering from failures, and can be very useful in determining how and when intrusions are occurring, for the purpose of improving the firewall.