Delivery in day(s): 3
CSC8421 Network Security Project Report
The user saves their confidential data on web application on the basis of secure server. The server plays the trust maker in the case of web application. The unauthorised access to the website can misplace the trust of user. By which means data can be leaked from the server and actually there are lots of techniques in which theft can be performed on user data. As the with the technology the related issues are also increased. The server software can be exploiting by vulnerability. The database administrator manages the data in their best way. There has one question is arrived that if there are so much risk then how website prototype application and client-server architect is secure? So the answer is there is risk but that can be resolvable by implement some technology and proper awareness. The first step towards the data security is to store data only encryption whether it is related to user or other entity of the web application. It is promissory approach in securing user data and it ensures nobody can read or see user sensitive information from the server even after the server is hacked by the intruders or attackers. Because decryption key couldn’t be hacked by intruders if it accessing the server. In the current scenario, most of the web applications use the encryption of user data. Our application is privacy conscious. Any web application in client-server architecture generally faces issues one is functionality, efficiency and security. Security elapsed if there is compromised server which can affect indirectly client side code. The server needs to be not to interfere too much with the application. If the website provides data sharing between users than it must be develop with more security and awareness about the feature. It is crucial function, because sharing is complex issue in the implementation of security. This issue can be resolved using encryption of shared documents and document must be share via server.
There are many techniques and functions that can be implemented to protect data confidentiality. Now we will discuss about approached used for developing web applications, securing websites with untrusted servers and working on data that is saved in encrypted form.
Security of web application
Case study to understand encryption- decryption in web application
Let us consider example of Dropbox. It is tool for storing files, media on the cloud and can be accessible from anywhere. The data encryption end to end and local decryption has been done in most application similar it. When a user connect once with the Dropbox, it synchronise the all data and transfer it over in the encrypted connection. The encrypted connection requires so, user data will not be interfered by intruders. Dropbox stores all the information in the encrypted form.
The encrypted data is secured and locked to provide the security. This data is visible for the user, because use has the key to that virtual lock. Dropbox also keeps the key to manage user files on their server. They manage user data in encrypted form. Dropbox keeps the key for any surveillance or other law related issue, but technically it has private key to access the encrypted information. When the user wants to download or view the file, Dropbox uses the private key of user to decrypt the data for user system. This methodology is local encryption and decryption. It is also known as end to end decryption. In this methodology data is decrypted at the end user screen. Take the same example for the email scenario in which the email is sent in encrypted from the source and decrypted at the user system. The email service provider and the transmission cannot decrypted or view this message.
This case study helps in the development of the secure system in which user data is saved in database in encrypt form and when user access that data, it is visible to it in decrypted format. (Howtogeek.com, 2015)
What is encryption?
Encryption is done with the various mathematical operations on the data. It results the alternative form of data. The sequence in which operations applied on the data is called algorithm. The general form of data is known as plain text and the operated form of data is called cipher text. Encryption ensures the security of information. Even the intruder’s hack the information cannot able to get its right mean. The vice versa process on cipher text is known as the data decryption.
There are two types of encryption algorithms on the basis of key. One is public key and second is symmetric key algorithm. Public key algorithm is also known as asymmetric key algorithm.
Algorithm design principles- The idea is block encryption algorithm that capable of works on plain text of 64-bit with the length of 128 bit. The concept is mixing operations from different algebraic groups.
Symmetric encryption- In this encryption methodology, single key is used for the encryption and decryption. In other words, encryption key is analysed from the decryption key. Generally the both keys are identical for many cases. Symmetric key algorithm works in two ways. First is known as stream algorithm which works on single bit at a time. The other is block algorithm which works on group of bits. Identical key has one drawback that if the hackers get the key in transmission then it can decrypt and modify the key
Asymmetric encryption- In this methodology, two keys is used. Public key used for encrypt the data that’s why it is known as public key encryption and private key used for the decrypt the data. It is more secure compare to symmetric key. In the web application the user data has been encrypted using public key and when user request for data, private key is sent to decrypt the data at user end.
Transparent Data encryption – For the encryption of database of web application, transparent data encryption is used. For further security, log files of database are also encrypted. It is methodology not technology. In this data encryption key (DEK) is used. DEK stored in the master database of the web application. It helps in the data recovery. Transparent data encryption is a perfect way of securing application database. In this methodology data is encrypt before it save in disk and decrypt on the user end. The encryption and decryption process has performed at the SQL layer of database. The SQL layer makes the database transparent for the application and database.
This type of encrypted is performed for the user privacy. It ensures that the data which is stored will be saving in secure form thus no other can able to see the user credentials. This encryption is the part of the database design. In the database level encryption, encryption can be implemented to the selective fields only like particular table or particular row or column in database. Encryption of database may process some changes in the application development. It depends on the approach applied for the Database and encryption integration. It is always better to use full encryption rather than selective encryption for this purpose. Selective encryption doesn’t impact at the table level but may impact at the row and column approach.
Basically the security of encrypted data relies on three things which are applied encryption algorithm, encryption key size and its protection level.
The AES advance encryption standard is termed as strong algorithm of encryption. It can be decrypted if the protection level chosen is inappropriate. For the database encryption, protection level plays important role because there is repetitive pattern i.e. common attributes value and identity. For the database context, database algorithm must be adequate. It matters because volume of data, updates and mutual attributes are part of database.
The term key management is way through which generated cryptographic keys are managed. The key based cryptography protects the data as per the keys. The access restrictions and locations of keys also matters. In the case of database the key management is easy because the keys can be managed in restricted database table. The concept of master key lies here. All the cryptography keys will be managed by a single master key. Key management allows administrators to access the encrypt database. With this privileged accessibility, it can decrypt any user’ data. Thus to manage user privacy and resolve this problem, hardware security module is used. Hardware security module is cryptographic chipsets which are resist tamper. HSM stored encryption keys. Practically the encryption keys are stored by master key and the master key stored in the HSM. When local encryption or decryption performed, the keys are transformed by HSM dynamically. After the transformation, HSM cleans the server memory. The database management system also kept security module, by which user authentication and privilege for encrypt and decryption has been performed. Suppose a case where database is accessed by two authorities respectively DBA (Database administrator) and SA (system administrator). If there is conspiracy between them, the HSM will not disclose the encrypted keys to anybody. The database server memory is hardly exploited by the intruders.
Most common encryption algorithm and technique
TSFS algorithm provides high security to the database. TSFS acronyms of for Transposition-Substitution-Folding-Shifting encryption algorithm. These four are the techniques which are used to implement this algorithm. It limits the time for encryption and decryption and also works only on the sensitive data. It is type of symmetric encryption algorithm. In this, each transformation have invert operation. The pseudo code form of this algorithm makes this easy to understand.
(kaur and Kumari, 2015)
With a great security, it has limitation that it not supports the symbols. It supports alphabetical characters (capital and small) and numbers. But data can be of various types.
Transposition – As the name suggests, it changes the position of elements. It implements the changes by the transformation. The changed elements are relocated with diagonal transposition. So it reads the data matrix in zig zag way. Transposition of data starts from the upper left corner.
Substitution – The second type of TSFS algorithm is substitution transformation. This algorithm substitutes the elements of data matrix with the distinct function. This algorithm works for all that is alphabets, numbers and symbols. It substitutes the same elements on the place changed element. In other words, it replaces alphabet with alphabet, number with number and symbol with other symbol
Folding – The third algorithm under the TSFS is folding algorithm. It encrypts the data of given text, from the given text. In simple words, it just shuffles the elements of data matrix. In this algorithm, folding of data can be performed in diagonal, vertical and horizontal form. The vertical folding is done from shuffling the element of first column and last column. The horizontal folding is done from shuffling elements of first row and last row. The diagonal approach is different, data elements are shuffled with inner cell elements to outer cell elements.
Shifting – The fourth algorithm is under this TSFS algorithm, is shifting algorithm. It provides the easy way to encrypt the data. It uses single array which can be incremented. The dynamic size of array is USP of this algorithm. It supports all type of characters.
PGP (pretty good privacy) Technique
Pretty good privacy technique uses hybrid cryptosystem. It is combination of the public key and conventional cryptography. In PGP technique, the plain text has been compressed first, it enhances the modem transmission and also increases the security. The data compression also helps in reducing the risk factor of cryptanalysis. In cryptanalysis, to get the key patterns, cipher text were escapade by intruders.
With the compression of data, PGP also generates one-time secret key that called session key. The session key is generated randomly on the basis of keystroke and mouse movements. The session key works well with the encryption algorithm. This session key is encrypted with the user’s public key. This cipher text with session key is send to the user.
The PGP technique applied in four phases to provide data security in the web application.
- Preliminary investigation
- Analysis and design
- Preliminary investigation
To implement it in the web application, the investigation is necessary. Many organisations and the individual persons are not so much concern and aware about the security of their data from the server. No users wish to know how an organisation or web portal manages data of many users in secure way. With the changing environment of computer TCP/IP networking, the data insecurity is increase. Thus websites required, a simple and unique application to make user data more secure. The concept of PGP is selected for the development of application. It ensures the increase security level for the database. The intruder will not break the level of data security easily. To develop the secure web application preliminary investigation is gained from the course books, journal and websites.
Analysis and Design: - In this phase of PGP, the security flow sequence is will be designed. The development of this web application has been carried out by PGP. The user data will be save in database encrypted format, further if, it will request the data will be decrypt at server end, and viewed in the plain text format to user. This application will use the same key for encryption and decryption, this phenomenon is known as conventional PGP method. To carried out the secure data on the network, this application will use Transmission control protocol. At this stage the client- server methodology has been followed for deliver the data in plain text at user end. TCP /IP has important role in it. In client server environment, the client and server match their port number for security purpose.
Implementation: - The implementation of PGP required a program for secret key for the system and within a system. One module is dedicated to compression and encryption process. To implement this language PHP is selected as the core language for the development of this application. PHP is secure language with greater interface. The main advantage of PHP is to it comes with the integrated My SQL database. Thus to database cannot be solely hacked. This web application has been done in two main modules. First is key generation module and second is for encryption and decryption module.
- Implementation of encryption in a web application has done in three ways.
- Data to encrypt
- Defined method by which encryption is performed
- Conjunction of encryption keys with the database.
The modern programming language comes with wide library of cryptographic algorithm such as AES (advance encryption standard). The algorithm plays important part in the implementation as it will responsible for the evaluation, security, performance of the web application. In the implementation of algorithm it is necessary to protect keys from offenders. Because if it happens, it can be a critical issue due to unauthorised access. The security of keys is maintained by key management infrastructure. It consists two components one is storage layer and second is management layer. The storage layer secures the plain text and management layer limits the key usage. In KMI, hardware security module is used. It is dedicated storage and data processing device. The HSM accomplishes the cryptographic operations using device keys. The administration of HSM, controlled by the software based authorization layer. It also defines the use of keys for the particular user or part of the applications.
Testing: - For the testing purpose, we just need to see user details in the database. The thing to be tested is to the user details how shown in database. If it shown in encrypted way then this methodology is successfully implemented.
Implemented Web Application
This web application is named to cryption technique. This application has functionality to encrypt user defined data. With this application, user can save their contact and other data in encrypted form. These are front end operation. For this purpose, user has to register into the web application. The user details also saved in encrypt form in the database. Generally most of the applications use this encryption as it is matter of user privacy and service provider’s trust ability.
- Information Technology used
- Front end- PHP
- Back end- MySQL
- Functionality of the website
- The website will provide the facility of data encryption in two ways.
- Contact encryption
- Data encryption
- Flow diagram of the website
The application is developed after a deep study on the data encryption and decryption. With the development of this application and the course, it gives us help to understand the value of encryption and decryption in the technical elements. Actually it gives learning to, how web application uses encryption and their need to implement it. I study the case study of Dropbox web application to understand the real-time encryption and decryption. It gives the idea to make something only for encryption. Thus this web application is developed. The developed web application uses the encryption and decryption facility at both front end and back end.
Anwar, D. and Riyazuddin, D. (2011). Transparent Data Encryption- Solution for Security of Database Contents. International Journal of Advanced Computer Science and Applications, 2(3).
Awad Al-Hazaimeh, O. (2013). A New Approach for Complex Encrypting and Decrypting Data.IJCNC, 5(2), pp.95-103.
Beer, K. and Holland, R. (2013). Securing Data at Rest with Encryption. [online] Amazon web services. Available at: https://d0.awsstatic.com/whitepapers/aws-securing-data-at-rest-with-encryption.pdf [Accessed 18 Sep. 2015].
Howtogeek.com, (2015). Why Most Web Services Don’t Use End-to-End Encryption. [online] Available at: http://www.howtogeek.com/166507/why-most-web-services-dont-use-end-to-end-encryption/ [Accessed 18 Sep. 2015].
Kamarudin, S. and Mohammad, M. (2011). File Security based on Pretty Good Privacy (PGP) Concept.CIS, 4(4).
kaur, A. and Kumari, S. (2015). Secure Database Encryption in Web Applications. International Journal of Advanced Research in Computer and Communication Engineering, [online] 3(7). Available at: http://www.ijarcce.com/upload/2014/july/IJARCCE5A%20a%20aman%20Secure%20Database%20Encryption%20in%20Web%20Applications.pdf [Accessed 16 Sep. 2015].
Shokeen, V. and Yadav, N. (2011). Encryption and Decryption Technique for Message Communication. IJECT,
Bouganim, L. and GUO, Y. (2015). Database Encryption. [online] Available at: http://www-smis.inria.fr/~bouganim/Publis/BOUGA_B6_ENC_CRYPT_2009.pdf [Accessed 18 Sep. 2015].
Khatkar, K. (2015). A Review: Data Security and Privacy Advancement Approach on Webos with Desktop - As - A - Service. International Journal of Advanced Business Research in Computer and Communication Engineering, [online] 4(3). Available at: http://www.ijarcce.com/upload/2015/march-15/IJARCCE%20124.pdf [Accessed 18 Sep. 2015].