mod 3
1
Asymmetric Ciphers
Randall Harrell
Rasmussen University
CIS4028C Cryptography and Traffic Analysis
Joel Christensen
January 24, 2021
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
2
Asymmetric Ciphers
Medical Wise has decided to implement a text message system to read and download
their medical records to serve their customers better. However, this will necessitate the customers
to provide the organization with private and personally identifiable information to track their
requests. Medical Wise's CEO has requested a risk assessment to determine what encryption
level can be used to protect this information. First, one must be allowed to identify what would
be regarded as personally identifiable information, referred to as PII. PII is any piece of data that
can potentially identify an individual and distinguish one from another. This material can be
sensitive or non-sensitive. Non-sensitive information doesn't need to be encrypted as it may not
cause any harm the person if it becomes compromised, as it is usually available in public records.
Sensitive information can cause damage if compromised, such as health information, financials,
and unique identifiers such as a social security number or biometrics. (Rouse, "What is
personally identifiable information (PII)?"
Description of PKI
To understand what type of information must be protected, one can review the available
types of encryption. This writer intends to discuss asymmetric ciphers, also known as PKI
(Public Key Infrastructure). Asymmetric Cryptography is another term used to describe the use
of a PKI. Asymmetric cryptography uses a public and a private key to encrypt and decrypt data.
One key, also known as the public key, can be shared with anyone. The private key is kept secret.
Both keys can encrypt a message, but the opposing key is what will be used to decrypt the
message. (Rouse, Rosencrance, & Cobb, "What is Asymmetric Cryptography? - Definition from
WhatIs.com") By definition, a PKI provides the necessary support to distribute, verify, and, if
necessary, revoke keys or digital certificates used in encryption and decryption. (Rouse, Loshin,
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
3
& Cobb, "What is PKI (public key infrastructure)?" It also allows public keys to be linked with
an identity. Without a PKI, we would be unable to exchange information over the Internet in a
secure manner.
Necessary requirements for a public key
Dam and Lin include an exhaustive list of what the National Institute of Standards and
Technology (NIST) requires of federal public-key infrastructure. Some of these requirements
include ease of use, user authentication, security and legal efficacy, and finally, certificate
revocation lists. (Dam & Lin, Cryptography's role in securing the information society, 1996, pp.
450-452) The requirements mentioned above are not all of the requirements but some that are
important for this scenario. Since Medical Wise is attempting to build a text message system, the
authentication process must be easy for the average user to navigate, secure enough to hold PII,
and give Medical Wise and the user the ability to revoke access at any time.
Description of the practical aspects of PKI
Asymmetric cryptography has several features that provide a higher security level, such
as access control, mutual authentication, and secure updates. With PKI, one can determine what
level of access a user has to a device or asset based on the unique and verifiable identities.
Additionally, one can also deny access to anyone who does not have the appropriate certificates,
and if necessary, revoke access privileges if a certificate becomes compromised. With digital
certificates, mutual authentication is now a possibility. Rather than using a username and
password on a website to verify that the servers are not compromised, PKI makes it possible for
the servers to confirm the device's identity attempting to gain access.
In contrast, the device verifies the identity of the servers. Finally, updates will no longer
be a guessing game. Many IT professionals are aware that many device updates can cause issues
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
4
because they are not legitimate or have not been thoroughly tested. With PKI's secure over-the-
air (OTA) update feature, devices will only accept verified updates and come from a trusted
server. (Ih, "3 Benefits of a Public Key Infrastructure", 2017)
The reasoning for why or why not
While there are many positive aspects of deploying a PKI, there are some downsides as
well. The primary downside is that the processing necessary to perform PKI operations can be
very intensive. In an organization with a large amount of data to protect and distribute, this could
become very taxing on the equipment. It can also make wait times on said information grow
exponentially. (Wood, "PKI, The What, The Why, and The How," 2002) Another significant risk
that often gets overlooked by how useful it is is the private key. Since asymmetric cryptography
depends on this key being kept a secret, one must be sure who can access it.
In conclusion, as referred to previously, the many features of asymmetric cryptography
make it the more appealing choice for Medical Wise and their text message system. With features
such as access control, mutual authentication, and the ability to revoke certificates, the text
message system can securely maintain the PII that it needs to function. Simultaneously, it still
provides a simple interface for users to plan their visits and special events.
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
5
References
Cooper, M. (2018, May 14). PKI EXPLAINED: WHY IT IS NECESSARY AND RELEVANT NOW
MORE THAN EVER. Retrieved October 18, 2019, from https://cybersecurity.isaca.org/articles-
details?articleId=pki-explained-why-it-is-necessary-and-relevant-now-more-than-ever.
Cooper, M. (2019, February 8). The Benefits of Correctly Deploying a PKI Solution. Retrieved October
18, 2019, from https://www.infosecurity-magazine.com/opinions/benefits-deploying-pki/.
Dam, K. W., & Lin, H. S. (1996). Cryptography's role in securing the information society: Kenneth W.
Dam and Herbert S. Lin, editors. Retrieved from https://www.nap.edu/read/5131/chapter/22
Ellison, C., & Schneier, B. (2000). Risks of PKI: Secure Email. Communications of the ACM, 43(1).
DOI: 10.1145/323830.323850
Ih, R. (2017, October 3). 3 Benefits of a Public Key Infrastructure (PKI). Retrieved October 18, 2019,
from https://www.kyrio.com/blog/3-benefits-public-key-infrastructure-pki.
Khan, S., Zhang, Z., Zhu, L., Li, M., Khan Safi, Q. G., & Chen, X. (2018). Accountable and Transparent
TLS Certificate Management: An Alternate Public-Key Infrastructure with Verifiable Trusted
Parties. Security & Communication Networks, 1–16. https://doi.org/10.1155/2018/8527010
PKI authentication explained: The basics for IT administrators. Retrieved October 15, 2019, from
https://searchitoperations.techtarget.com/tip/PKI-authentication-explained-The-basics-for-IT-
administrators.
Rouse, M., Loshin, P., & Cobb, M. (n.d.). What is PKI (public key infrastructure)? Retrieved October
15, 2019, from https://searchsecurity.techtarget.com/definition/PKI.
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
6
Rouse, M. (n.d.). What is personally identifiable information (PII)? Retrieved October 13, 2019, from
https://searchfinancialsecurity.techtarget.com/definition/personally-identifiable-information.
That Certificate You Bought Could Get You Hacked. (2016). IEEE Security & Privacy, Security &
Privacy, IEEE, IEEE Secure. Privacy, (5), 93. https://doi.org/10.1109/MSP.2016.106
Wood, D. (2002, March 26). SANS.org. Retrieved October 18, 2019, from https://www.sans.org/reading-
room/whitepapers/vpns/pki-what-why-764.
This study source was downloaded by 100000762646252 from CourseHero.com on 10-25-2021 20:39:15 GMT -05:00
https://www.coursehero.com/file/80061769/CIS4028C-Mod-3-Assignmentdocx/
Th is
stu dy
re so
ur ce
w as
sh ar
ed v
ia C
ou rs
eH er
o. co
m
Powered by TCPDF (www.tcpdf.org)