Thursday, October 29, 2009

Lecture 7 Security in Applications

In this lecture we were taught about application security, starting with email security. The security services normally expected of a secure email system are as follows:
• Confidentiality
• Data origin authentication
• Message integrity
• Non-repudiation of messages
• Key management
Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of e-mail to support:
• Text in character sets other than ASCII
• Non-text attachments
• Message bodies with multiple parts
• Header information in non-ASCII character sets

Threats enabled by email are as follows:
• Disclosure of sensitive information
• Exposure of systems to malicious code
• Exposure of systems to denial of service attack
• Spamming
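The MIME features listed above and the "exposure to malicious code" threat are easier to see on a concrete message. The following is an added example (not from the lecture): it builds a multipart message with non-ASCII headers and body plus two attachments, parses it back with Python's standard email package, and flags attachments against an assumed, illustrative list of risky content types and extensions. The message contents are constructed, not a real email.

```python
"""Build a multipart MIME message, parse it back, and flag risky attachments.
Added example; uses only the Python standard library."""
from email.message import EmailMessage
from email import policy
from email.parser import BytesParser

# Assumed, illustrative lists of what a mail gateway might treat as risky.
RISKY_TYPES = {"application/x-msdownload", "application/x-sh", "application/octet-stream"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".sh"}


def build_message() -> bytes:
    """Construct a sample message (constructed data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "Jürgen Müller <juergen@example.org>"   # non-ASCII header
    msg["To"] = "ops@example.net"
    msg["Subject"] = "Rechnung für Oktober"                # non-ASCII subject
    # Non-ASCII body; the policy picks charset and transfer encoding.
    msg.set_content("Hallo,\nanbei die Rechnung für Oktober.\nViele Grüße\n")
    # Two attachments turn the message into multipart/mixed.
    msg.add_attachment(b"%PDF-1.4 fake invoice", maintype="application",
                       subtype="pdf", filename="rechnung.pdf")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def inspect(raw: bytes) -> dict:
    """Parse raw message bytes and report structure plus risky attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = []
    risky = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        fname = part.get_filename()  # decoded, even if RFC 2047/2231 encoded
        parts.append((ctype, fname))
        ext = ("." + fname.rsplit(".", 1)[-1].lower()) if fname and "." in fname else ""
        if fname and (ctype in RISKY_TYPES or ext in RISKY_EXTENSIONS):
            risky.append(fname)
    return {
        "subject": str(msg["Subject"]),   # decoded from its encoded-word form
        "from": str(msg["From"]),
        "multipart": msg.is_multipart(),
        "parts": parts,
        "risky_attachments": risky,
    }


if __name__ == "__main__":
    print(inspect(build_message()))
```

Decoding the headers and filenames before matching matters: the extension check runs on the decoded name, so an encoded filename cannot hide `.exe` from the filter.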
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption).
Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications.
Web security includes:
• Security of server
• Security of client
• Network security between a browser and server.
SSL/TLS is used by web browsers and servers to support 'secure e-commerce' over HTTP (HTTPS). The SSL architecture has two layers: the SSL Record Protocol, which fragments, optionally compresses, MACs and encrypts the data it carries, and an upper layer carrying the Handshake, Change Cipher Spec and Alert protocols together with application data such as HTTP.
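The two-layer structure is visible in the bytes on the wire. The following added example (not from the lecture) parses the TLS record layer, which every record starts with, and then the handshake layer that a handshake record carries; the byte string is a constructed minimal ClientHello record followed by an alert record, not a real capture.

```python
"""Parse the TLS record layer and the handshake layer it carries.
Added example; the sample bytes are constructed, not captured."""
import struct

# Record-layer content types (RFC 5246 section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Handshake message types (RFC 5246 section 7.4), a subset.
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}


def parse_records(data: bytes) -> list:
    """Split a byte stream into records: 1-byte type, 2-byte version, 2-byte length."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated record body")
        records.append({"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                        "version": (major, minor), "fragment": frag})
        pos += 5 + length
    return records


def parse_handshake(fragment: bytes) -> list:
    """Parse handshake messages (1-byte type, 3-byte length) inside a handshake record."""
    msgs = []
    pos = 0
    while pos < len(fragment):
        if len(fragment) - pos < 4:
            raise ValueError("truncated handshake header")
        htype = fragment[pos]
        hlen = int.from_bytes(fragment[pos + 1:pos + 4], "big")
        body = fragment[pos + 4:pos + 4 + hlen]
        if len(body) != hlen:
            raise ValueError("truncated handshake body")
        msgs.append({"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"),
                     "length": hlen, "body": body})
        pos += 4 + hlen
    return msgs


def build_sample() -> bytes:
    """Constructed stream: one handshake record with a minimal ClientHello
    (version TLS 1.2, 32 zero bytes of random, empty session id, one cipher
    suite, null compression), then a fatal handshake_failure alert record."""
    hello_body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(hello_body).to_bytes(3, "big") + hello_body
    rec1 = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    alert = b"\x02\x28"  # level fatal (2), description handshake_failure (40)
    rec2 = b"\x15\x03\x03" + struct.pack("!H", len(alert)) + alert
    return rec1 + rec2


def summarize(data: bytes) -> list:
    """Return (record type, inner description) pairs for a record stream."""
    out = []
    for rec in parse_records(data):
        if rec["type"] == "handshake":
            for hs in parse_handshake(rec["fragment"]):
                out.append(("handshake", hs["type"]))
        elif rec["type"] == "alert":
            level, desc = rec["fragment"][0], rec["fragment"][1]
            out.append(("alert", f"level={level} description={desc}"))
        else:
            out.append((rec["type"], f"{len(rec['fragment'])} bytes"))
    return out


def is_truncated(data: bytes) -> bool:
    """True if the stream cannot be split into whole records."""
    try:
        parse_records(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(summarize(build_sample()))
```

Only the handshake, change cipher spec and alert protocols are parsed in the clear here; once the handshake has completed, application data records carry an encrypted fragment and the parser can report nothing beyond its length.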
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel between two networked devices. SSH provides security at the application layer, running over TCP as a replacement for insecure remote-login tools such as telnet and rlogin.
SSH applications include:
• WRQ SSH supports SSH protocol 2 and sftp file transfers.
• SecureCRT from Van Dyke Technologies, Inc. supports the sftp protocol via its vcp command.
• SSH Communications Security offers a free client for non-commercial use.
SET (Secure Electronic Transaction) is an open encryption and security specification designed to protect credit card transactions on the Internet.
Drawbacks of SET are:
• Two pairs of public keys per entity (one for signing, one for key exchange)
• Assumes a full PKI is available
• The merchant does not see the payment instrument used (only the payment gateway does)
As we all know how the Internet works, I will not explain that. What we should be concerned about is how to secure the web. The web can be secured with these methods:
• Authentication
• Access control by (IP) address
• Multilayer security
What most interests me about application security is biometrics. Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.
Verification is a one-to-one comparison which confirms a claimed identity while identification is a one-to-many comparison which establishes the identity of a subject from a set of enrolled persons.
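The difference between verification and identification is clearest in code. The following added example (not from the lecture) uses a toy keystroke-dynamics biometric, one of the dynamic methods listed below: each user is enrolled with a template of mean key-to-key timings for a fixed passphrase, a probe is compared with one template for verification (1:1) and with all templates for identification (1:N). The enrolment data and the acceptance threshold are constructed, assumed values.

```python
"""Verification (1:1) versus identification (1:N) on a toy keystroke biometric.
Added example; enrolment timings and threshold are constructed values."""
import math

# Constructed enrolment data: per user, mean flight time in milliseconds for
# five consecutive key pairs (digraphs) of a fixed passphrase.
ENROLLED = {
    "alice": [120.0, 95.0, 140.0, 110.0, 80.0],
    "bob":   [200.0, 180.0, 210.0, 190.0, 170.0],
    "carol": [90.0, 85.0, 100.0, 95.0, 88.0],
}
# Assumed acceptance distance: lower is stricter (fewer false accepts,
# more false rejects); a real system tunes this from measured error rates.
THRESHOLD = 30.0


def distance(sample, template) -> float:
    """Euclidean distance between a probe and a template of equal length."""
    if len(sample) != len(template):
        raise ValueError("probe and template differ in length")
    return math.sqrt(sum((s - t) ** 2 for s, t in zip(sample, template)))


def verify(claimed_user: str, sample, threshold: float = THRESHOLD) -> bool:
    """1:1 match: compare the probe only against the claimed identity's template."""
    template = ENROLLED.get(claimed_user)
    if template is None:
        return False  # an unknown claim is rejected, never matched against everyone
    return distance(sample, template) <= threshold


def identify(sample, threshold: float = THRESHOLD):
    """1:N match: the closest enrolled user, or None if nobody is close enough."""
    best_user, best_dist = None, math.inf
    for user, template in ENROLLED.items():
        d = distance(sample, template)
        if d < best_dist:
            best_user, best_dist = user, d
    return best_user if best_dist <= threshold else None


if __name__ == "__main__":
    probe = [125.0, 90.0, 145.0, 108.0, 85.0]  # constructed probe resembling alice
    print("verify as alice:", verify("alice", probe))
    print("verify as bob:  ", verify("bob", probe))
    print("identify:       ", identify(probe))
```

Identification is the more expensive and more error-prone mode: every extra enrolled user adds one more template that a stranger's probe might fall within the threshold of, which is why a system should not fall back from a failed 1:1 verification to a 1:N search.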
Biometric characteristics can be divided into two main classes:
• Physiological characteristics are related to the shape of the body. Examples include, but are not limited to, fingerprint, face recognition, DNA, hand and palm geometry, iris recognition (which has largely replaced retina scanning) and odor/scent.
• Behavioral characteristics are related to the behavior of a person. Examples include, but are not limited to, typing rhythm, gait and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

Static biometric methods:
• Fingerprint recognition
• Retinal scan
• Iris scan
• Hand geometry
Dynamic biometric methods:
• Signature recognition
• Speaker recognition
• Keystroke dynamics
