Security and cryptography
A free email alerter of the latest news items and associated URLs.
Adverts from Google
Security is probably one of the most active areas in Interactive Electronic Publishing. This reflects the important part security systems will play in the protection of IPR and the use of electronic commerce in the Information Society.
This section concentrates on the security required within an electronic commerce environment whilst the associated areas of:
are covered on separate topic pages.
Verity have coined the phrase "digital shrinkwrapping" in a free "Guide to Internet Security for Software Developers" which is available for download from their site. Aimed at developers, who are interested in delivering software over the Internet - the guide provides information on code-signing technology - for either Microsoft Authenticode or Netscape Object signing.
Verisign has developed software for digitally "signing" code - ensuring that software delivered via the Internet has not been altered or corrupted during transmission.
As more and more companies use XML to transmit structured data across the web, the security of documents becomes increasingly important. This article presents some basics of web security, describes the components of the IBM XML Security Suite, and gives examples that illustrate how the technologies in the XML Security Suite increase the security of web commerce.
In order to service the evergrowing millions of dial-up Internet users without compromising security the IETF is generating protocols to handle the identification of users, giving them access to the resources they should have and tracking their consumption of those resources.
These protocols are at present largely proprietary to organisations like CISCO and associated with the network access servers that we dial into. More info at the IETF.
The ITU Recommendation X.509 provides the "definitive reference for designing applications related to Public Key Infrastructures (PKI). The elements defined within X.509 are widely utilized, from securing the connection between a browser and a server on the Web to providing digital signatures that enable electronic transactions to be conducted with the same confidence as in a traditional paper-based system".
Recommendation X.509, in specifying public-key and attribute certificate frameworks, is also one of the premier elements of the X.500-series of Directory recommendations.
SecurityFocus.com is designed to facilitate discussion on security related topics, create security awareness, and to provide the Internet's largest and most comprehensive database of security knowledge and resources to the public. SecurityFocus.com is a single place, or community, on the Internet where people and corporations can go to find security information and have security questions answered by leading authorities in the industry.
This site provides access to security links and resources including news, books, mailing lists, tools and products, and security services. In addition to this knowledge, SecurityFocus.com features one of the strongest collection of security advisories, vulnerabilities and solutions available on the Internet. Each of these resources may be customised for your needs via the "personalise" option on the home page.
There are a number of sites that have links to the majority of security resources world wide. A good starting point for security on the web is the World Wide Web Consortium's (W3C) Security page.
One of the sites that is linked from the W3C site, that has links to sites throughout the world, covering all aspects of security is the COAST page, which has links to university, government and commercial sites.
An excellent list of links to recent literature and upcoming conferences is provided by the Cipher site, maintained by the IEEE Computer Society Technical Committee on Security and Privacy.
A comprehensive set of pointers to other security and cryptography pages, including: bibliographies; organisations including government, research and commercial; news groups; news sites and software.
A key technology in introducing e-commerce and other Internet transaction systems, is that of authenticating users. Security has in the past largely been based on passwords, PINs, ID cards, etc. Biometric technology is developing recognition / authentication systems that recognise us by our biological or behavioural characteristics. Current systems include fingerprint scans, voice authentication and eye scans.
The Biometric Consortium, is a US government focal point for R&D, and application information on Biometrics. The Association for Biometrics (AfB) is a UK organisation promoting awareness of Biometric technology, BioAPI consortium is a group of software vendors (IBM, Microsoft, Novell) developing a standard API that is OS and biometric method independent, BIOTEST is an ESPRIT project working on standard metrics for comparing biometric devices. The "Biometric Digest" is an online biometric journal, which offers a weekly email news service (sign-up at the site below). The International Biometric Industry Consortium provides information from biometrics manufacturers and users, whilst "Fight the Fingerprint" argues against the use of biometrics due to the potential for infringing human rights.
URL: Biometric Consortium http://www.biometrics.org/
URL: AfB http://www.afb.org.uk/
URL: BioAPI http://www.bioapi.org/
URL: BIOTEST http://www.npl.co.uk/npl/sections/this/biotest/
URL: "Biometric Digest" http://webusers.anet-stl.com/~wrogers/biometrics/
URL: International Biometric Industry Consortium http://www.ibia.org
URL: Fight the Fingerprint http://www.networkusa.org/fingerprint.shtml
The BioAPI Consortium have publish the BioAPI specification which is available for download from the BioAPI web site.
The BioSEC Alliance, a group of security vendors, run a web site to act as a portal for companies looking for security solutions, especially those based on biometric authentication. Initiated by BNX Systems, the alliance is open to any vendor whose products are compliant with the "BioSEC framework of biometric and non-biometric authentication options".
URL: BioSEC http://www.BioSEC.com/
URL: BNX Systems http://www.bnx.com
IriScan is a developer of iris recognition technology, a branch of biometrics, that identifies people by the patterns in the iris of the eye. According to the developers iris recognition, rivals DNA in reliability, yet identifies an individual in seconds using a video-based imaging process. The applications for iris recognition technology include virtually anywhere positive identification is required to minimise or eliminate fraud, deception, theft, error, unauthorised disclosure, or violation of privacy. The company have a PC-based iris imaging product, which is intended for computer and network security, log-on control, data and records protection, and a number of other applications.
IriScan holds the exclusive worldwide patents on iris recognition, including the initial concept originated by Drs. Leonard Flom and Aran Safir, and the software and process technology invented by Dr. John Daugman, Cambridge University, UK.
Bank United, America's first bank to pilot iris recognition ATMs with its customers published the results of a consumer survey into their use. The iris recognition ATMs, were provided by Diebold and use iris recognition products supplied by Sensar.
Sensar's iris recognition products used standard video cameras and real-time image processing to acquire a picture of a person's iris, digitally encode it, and compare it with one on file, all in "less than a few seconds".
Some of the most notable findings from the customer survey include:
- 98% of the users described their first experiences with the ATM positively;
- users overwhelmingly agreed that they believed these ATMs were more secure, more convenient, easier, quicker, and more reliable than regular ATMs;
- the most-liked feature was that customers did not to use an ATM card.
URL: Bank United http://www.bankunited.com/
URL: Sensar http://www.sensar.com/
URL: Diebold http://www.diebold.com/
A company called Malin provides packaged ActiveX/COM objects for use in layered biometric face verification and recognition applications. The company web site provides documentation, along with on-line and on-site support.
PrintScan International have developed WinFing fingerprint verification software which includes an ActiveX control, making it possible to more easily integrate fingerprint verification technology into applications. A demo version of the of the software can be downloaded free of charge from the PrintScan web site.
The BioNetrix Authentication Management Infrastructure (AMI) aims to provide organisations with an infrastructure for managing disparate authentication technologies such as password tokens and biometrics. The company claim that AMI solves the "interoperability and integration issues that previously hindered a company's ability to enhance existing security environments with additional authentication technologies, including biometrics".
A web site on biometrics is available in French. The Security and cryptography topic page includes resources and links concerned with the subject of biometrics.
URL: El.pub security and cryptography topic page top009.htm
VeriSign, a provider of Internet trust services for authentication, validation and payment, offers a digital certificate service for Wireless Application Protocol (WAP) servers and gateways. The service issues digital certificates for wireless servers by Motorola, Nokia, and Phone.com. Digital certificates are "electronic credentials used to authenticate parties and enable encrypted communications and transactions over the Internet". VeriSign is offering developers and service providers free trial WAP server certificates, in the hope of accelerating the development and deployment of WAP server-based applications. These digital certificates enable Wireless Transport Layer Security (WTLS), the security layer in the WAP architecture.
URL: VeriSign http://www.verisign.com/
RSA Security and Ericsson plan to work together on the development of security for smartphones. Behind the move, is the belief by both companies that mobile phones will be "used broadly to access the Internet, to function as a trusted form of authentication and provide a secure platform for digitally signing e-commerce transactions". The first results of this collaboration is expected to be in the Ericsson smartphone R380 which will feature authentication for secure corporate access.
URL: RSA Security http://www.rsasecurity.com/
URL: Ericsson http://www.ericsson.se/
Ensure Technologies has a US patent for its wireless security technology used in its XyLoc wireless PC security system. Differentiating features covered by the patent include:
- Proximity-Based Authentication: using radio frequency (RF) or infrared transceivers to automatically detect the presence or absence of authorized users to grant or deny access to computer systems;
- and Full-Time Access Control: using RF or infrared transceivers to constantly monitor for the continued presence of authorized users.
URL: Ensure Technologies http://www.ensuretech.com/
"Web Security A Matter of Trust" is the title of the Summer 1997 issue of the W3C's, World Wide Web Journal. This issue aimed to refocus the debate over securing electronic commerce, going beyond cryptography by discussing "trust management", an approach to protecting open, decentralized systems like the web. Trust management demands more than technological solutions, requiring:
- careful administration,
- the deployment of new cryptographic protocols,
- an infrastructure for public key distribution
International Commerce eXchange (ICX) wishes to act as a single focal point encompassing all aspects of creating trust in the global information infrastructure. ICX plans to address this issue by bringing together large, medium and small business users, suppliers and governments and through them:
- identifying the legal and regulatory requirements;
- developing and disseminating business best practices and procedures;
- pinpointing and promoting appropriate technical standards and controls.
There is a special interest group called TRUSTe who concentrate on issues relating to privacy on the Internet, both from the Web publisher's point of view and from the Web user's perspective.
A report on research which considered "what constitutes trust" online, attempts to quantify many of the abstract concepts which contribute to establishing "trusted relationships".
As the value of information rises rapidly, its security and protection become ever more critical. The Journal of Infrastructural Warfare takes a look at information warfare and provides a forum for the discussion of threat analysis.
An article that explores security and the role of user names, passwords and digital certificates. Includes links to a number of useful additional resources.
Cryptography scrambles a message so it cannot be understood. Steganography (watermarking), a technology that is often related to cryptography hides the message so it cannot be seen. is Watermarking is covered in greater detail on the Intellectual property rights and their protection topic page of this site.
The Tao Group collaborates with NTRU Cryptosystems to develop C and Java versions of NTRU's encryption and authentication technology, which will then be licensed to developers and integrators. The aim of the collaborations is to produce new versions of NTRU which will make it easier to embed fast, powerful, low memory encryption capabilities into a variety of emerging Internet services and applications. A major goal being to enable digital media companies to copyright-protect multimedia content.
URL: NTRU http://www.ntru.com
URL: Tao http://www.tao.co.uk
Information on cryptography in Europe can be found on the "Cryptography in Europe" and the "Crypto Law Survey" web sites. Both sites contain a selection of information about individual countries and Europe in general.
URL: Cryptography in Europe http://www.modeemi.cs.tut.fi/~avs/eu-crypto.html
URL: Crypto Law Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
Other security regulatory sites include:
The links to vendor pages listed in the product information section provides good links to further information on e-commerce, networked payment mechanisms, cyber-banking and digital cash with a more commercial bias.
The Electronic Privacy Information Center (EPIC) newsletter of October 12, 2000 has a report on the National Institute of Standards and Technology (NIST) selecting a new algorithm to be used as the US government's official encryption standard for the 21st century. Rijndael, named after its Belgian creators Joan Daemen and Vincent Rijmen, will replace the Data Encryption Standard (DES), adopted by the federal government as the Federal Information Processing Standard (FIPS) since 1977.
URL: AES on NIST http://www.nist.gov/aes/
URL: EPIC Alert http://www.epic.org/alert/EPIC_Alert_7.18.html
With the growth of 'always on' connections, from ADSL and cable modems, the SOHO or home PC can become much less secure. The solution for large companies is installing a firewall, but this can be beyond the capabilities of most users. Personal firewalls are becoming available that are designed for the non-expert. A review of some of the available packages has been published by ezine Security Portal. Other privacy tools are listed in the EPIC Online Guide to Practical Privacy Tools.
File Downloads - Please note
|File downloads from the El.pub site are currently suspended - the links however have not been updated to reflect this. If you would like access to a particular download file - please email firstname.lastname@example.org with a suitable request confirming a description of the file you wish to download.|
El.pub - Interactive
Electronic Publishing R & D News and Resources
We welcome feedback and contributions to the information service, and proposals for subjects for the news service (mail to: email@example.com)
Edited by: Logical Events Limited - electronic marketing, search engine marketing, pay per click advertising, search engine optimisation, website optimisation consultants in London, UK. Visit our website at: www.logicalevents.co.uk
Last up-dated: 10 July 2017
© 2017 Copyright and disclaimer El.pub and www.elpub.org are brand names owned by Logical Events Limited - no unauthorised use of them or the contents of this website is permitted without prior permission.