Running Head: Cryptography Best Practices and Resource Portfolio

Cryptography Best Practices and Resource Portfolio

SEC577 Cryptography and Security Mechanisms

 Cryptography Best Practices and Resource Portfolio

Table of Contents

Company Background .................................................................................................................... 3

Problem Statement .......................................................................................................................... 3
Purpose Statement ........................................................................................................................... 3
Alibaba Service and Product Category ........................................................................................... 4
Categories of Information and Services Requiring Cryptography Application.............................. 5
Feasible Attacks .............................................................................................................................. 5
Digital Encryption Standards .......................................................................................................... 6
Password-Based Encryption ........................................................................................................... 6
Good Passwords .............................................................................................................................. 7
The Application of Keys ................................................................................................................. 7
How Public Key Cryptography Works ........................................................................................... 8
Crypto Accelerator .......................................................................................................................... 8
Public Key Infrastructures .............................................................................................................. 9
Secure Socket Layer (SSL) ........................................................................................................... 10
Non- Repudiation .......................................................................................................................... 10
Dealing with Legal Environment .................................................................................................. 11
Internet Protocol Security and Architecture ................................................................................. 11
Smart Cards................................................................................................................................... 12
Biometrics ..................................................................................................................................... 12
Learning Lessons from Break-Ins ................................................................................................. 13
Solutions ....................................................................................................................................... 13
Online Wire Transfers/Customer financial transactions ......................................................................... 13
Alibaba Cloud ......................................................................................................................................... 14
AliExpress ............................................................................................................................................... 14
The Corporate network and Intellectual Properties ................................................................................ 15
Conclusion .................................................................................................................................... 16
References ..................................................................................................................................... 17

2|Page
 Cryptography Best Practices and Resource Portfolio

Company Background
Founded in 1999, Alibaba has grown to become one of the top e-commerce company with

several affiliate companies with a global overreach. Alibaba Provides a platform where

businesses, manufacturers, suppliers, and clients can interact while conducting business.

Moreover, theirs is a platform where business, merchants, and brands can leverage the power of

new technology to operate efficiently. According to Jack Ma, one of the founders, the company

was founded on the belief that the internet would provide a level ground for businesses to adopt

technology and enhance their competitiveness (Alibaba, 2018).

Problem Statement
For an e-commerce company such as Alibaba, securing the constant data flow within their

networks remains to be a challenge. Such like their platform is a field prone to attacks from

hackers. As such, Data (both stored and in transit) requires adequate protection in order to

maintain its integrity. While technological advancements have made hacking easier, it has also

provided ways in which data protection can be achieved — one such method through which data

protection is through the use of Cryptography.

Purpose Statement
Whereas cryptography purposes to ensure that the integrity of the company remains intact by

ensuring the data flow and storage is protected, it is also paramount to consider factors related to

its implementation. It is, therefore, essential to consider the internal and external factors that

affect the security of information in regard to cryptography. Most importantly, like in our case,

Alibaba should consider measures put in place/ associated with the implementation of this

technology (cryptography). Such, this brief seeks to discuss some of the aspects that relate to the

3|Page
 Cryptography Best Practices and Resource Portfolio

implementation of the technology. Some of these factors include the Public Key Infrastructure,

legal environment, and Non-repudiation among others.

Alibaba Service and Product Category

Alibaba provides a platform where small and large enterprises can make purchases and sell their

products, their list of retail products is extensive. Alibaba product line includes a catalog of

consumer products such as electrical equipment and components, electronics, bags, health and

beauty products, gift and sports equipment, machinery and industrial parts, office materials, auto

parts, and toys among many others. All these products can be purchased through their affiliate e-

commerce websites such as AliExpress, Taobao, TMALL, and Aliyun among others. These

avenues are prone to attacks, and as such, they may require a combination of cryptography

techniques to beef up their security and their related systems. An assessment conducted revealed

a need to enhance the security of the above products and their associated systems. Services

requiring crypto techniques and information to be protected include;

 Alibaba Cloud

 AliExpress

 Online Wire transfers/customer financial transactions

 Intellectual properties and, the corporate network

4|Page
 Cryptography Best Practices and Resource Portfolio

Categories of Information and Services Requiring Cryptography

Application
Cryptography is the technique of converting ordinary plain text or data into unintelligible text for

storage or transmission (Mao, 2003). The process ensures that the information is accessible and

understandable to parties to which it is intended. This technique not only protects data from

alteration and theft but can also be adopted for user authentication. This method of encrypting

has been adopted to provide and maintain confidential information in government agencies, the

corporate world, and financial institutions. In such an environment like ALIBABA, cryptography

technique comes in handy in securing transactions information, intellectual properties, digital

cash, and digital right management systems among others. Most importantly, the protection of

customer financial transactions is paramount to ensure the integrity of the firm.

While the process of making an order involves various steps and exchange of a wide variety of

information, cryptography technique can be adopted in several areas of the process. It is possible

to adopt it in authentication, the electronic transaction itself, and in the network through which

the transaction takes place or better yet, in the entire network system.

Feasible Attacks
Hackers targeting the infrastructures mentioned above, services, data centers, and network are

likely to employ different tactics. Such may include;

 Passive attacks- By adopting this method, an attacker monitors unencrypted traffic by

investigation traffic, and supervising unprotected communications for clear-text

passwords. They may also decrypt poorly encrypted passwords.

5|Page
 Cryptography Best Practices and Resource Portfolio

 Native attacks- In this method, the attacker endeavors to bypass protected systems using

worms, Trojans and even viruses. Such an attack may lead to data theft, data

modification, and Denial of Service.

 Phishing attack- This type intends to steal real data (username and password) by creating

a forged site that looks like an original. If a client uses this site, the hacker collects the

information and uses it to access the real website.

 Password Attack- Here, the attacker attempts to crack passwords retained in a mesh

account database. This type of attack may come in three forms (brute force attack, hybrid

attack or a dictionary attack.)

Digital Encryption Standards

The data encryption standards are a block cipher. Therefore, a cryptographic key is used on a

block of data simultaneously. Data to be encrypted is grouped in 64-bits blocks and enciphered

independently (Kumar, 2015). The only possible way of decrypting such a message is by brutal

force. However, the length of the encryption key is such that it would take too long to decipher.

Taking into consideration the transactions occurring per minute in the ALIBABA network,

adopting such a system is preferable as data transmission is such that it would not allow enough

time for hackers to crack. The 56-bit encryption key cannot be cracked easily and hence provide

security for an organization such as ALIBABA.

Password-Based Encryption
The password-based encryption system is among the most popular method of encryption used

mainly on the consumer end. A customer password is used to generate a secret key used in

deciphering the information. The generation of the secret key is random such that it cannot be

6|Page
 Cryptography Best Practices and Resource Portfolio

derived from the users’ password. PBE algorithms adopt additional parameters to ensure the

secret key is as unique as possible (Saraireh, 2013). The additional parameter used include a salt

and iteration count. Salt is a random number used to prevent attackers from creating keys from

random phrases used as passwords. The iteration count makes the key generation process more

complex thus time-consuming, which is a benefit to the client as brute force attacks suffer

increasingly from processes taking too much time. In the case of ALIBABA, clients with

accounts in the company’s system or making purchases are/should be prompted to use PBE to

encrypt their data and avoid any possible hack. The PBEs also aids in the generation of secret

keys used for password recovery.

Good Passwords
Most often than not, passwords are the most crucial aspect of protection on the consumer end.

Therefore, it paramount that the password used by a client/consumer is unique and robust enough

to prevent a dictionary attack. In such an instance as the ALIBABA platform, passwords should

be made to have different characters and a number larger than four. Adoption of such a password

enhances security. On the other hand, password recovery measures can be created to include

questions with answers only known to the user. The process, further, aids to avoid easy password

regeneration by attackers.

The Application of Keys

Keys are defined as strings of bits used to encrypt or transform plain text into encrypted text and

vice versa. There are two types of encryption keys categorized as symmetrical and asymmetrical

(public) keys (Staff, 2005).

7|Page
 Cryptography Best Practices and Resource Portfolio

The symmetrical system adopts one key to encrypt and decrypt data. AES is a standard

symmetric key algorithm used today. The asymmetrical key cryptography uses a pair of related

keys. Each of the keys can be used for either decrypting or encrypting a message. However, a

key can only decrypt data encrypted with a related key.

The adoption of such a system in ALIBABA would come in handy when exchanging emails and

confidential information among producers, consumers, and retailers. It can also be useful when

exchanging information among the management teams and administrators.

How Public Key Cryptography Works

Public key cryptography is designed to protect data transmitted through/across open networks.

The system adopts the use of two different set of keys. Each client is issued with a private and

public key. The personal key is known only by the user while the public key is made available

over the network (Saraireh, 2013). Therefore, data transmission is encrypted using the receivers

public key and can only be decrypted using his/her private key. Consequently, transmission of

encrypted information is achieved across an open network.

Such a system can be adopted in an organizational communication network. In the case of

ALIBABA, where the management and other employees are interconnected in the same open

office network, such a system can be used to ensure information is sent to the intended

client/user without the possibility of decryption by another user.

Crypto Accelerator
Cryptography comes with a requirement for high computing power. A personal computer has the

capacity to provide strong encryption for one user. However, on a commercial scale such as that

of ALIBABA, we need machines or specialized systems that can provide enough computing

8|Page
 Cryptography Best Practices and Resource Portfolio

power for all the encryption taking place per second. Such massive computation arises due to the

large data sizes being exchanged by consumers/clients and the system (Mao, 2003).

On the other hand, there are thousands of transactions taking place every second in the

ALIBABA network. Adding crypto accelerators to the servers (ALIBABA) increases the

computation power and consequently, increases the number of transactions per second. The

result is that cost is cut down per transaction compared to increasing the power/speed of the

server per transaction.

Public Key Infrastructures

With the structure adopted by Alibaba in its product and service delivery, it is evident that the

company relies mostly on transactions done online. As such, it is right to conclude that for a

single process/transaction to be completed successfully, there is an interaction between different

networks. For instance, when a customer is making a purchase, there are at least three networks

involved; the clients’ network, the payments’ network provider and the merchants’ network and

most importantly the Alibaba network. During information exchange through these networks,

data becomes vulnerable (Batten, 2013). It is at this point that the Public Key Infrastructure

(PKI) comes in. PKI/cryptography, in this case, is used to tie service providers and individuals to

provide public keys. Such an association is achieved by assigning certificates to the parties

involved. The certificates are further strengthened with registration. The certificate authority

(CA) issues certificates such that they can either reject or accept the details during the

verification process (ORACLE, 2015). During the registration process, the Registration

Authority (RA) is responsible for correct data registration. It also accepts and authenticates the

entity or individuals making requests.

9|Page
 Cryptography Best Practices and Resource Portfolio

Secure Socket Layer (SSL)

Clients/customers utilize internet browsers from their PCs while purchasing or making a

transaction for products and services offered on all Alibaba and affiliated e-commerce websites.

During these processes, there is a possibility of third parties gaining access to that information

without the client knowledge. There lies a window of opportunity for attackers in between the

browser and servers. As such, SSL comes in to secure the exchange of information at this stage.

SSL secures the information coming from the server to the browser by ensuring it remains

private (Elizabeth, 1982). An SSL certificate classifies parts of the website private while

keeping others public by using different keys. The dynamics adopted while integrating an SSL

certificate are, however, hidden from the user to enhance web usage and make the site user-

friendly.

Non- Repudiation
Non-Repudiation acts as a reinforcement to the security of the customer and the company as a

whole. If a user/client becomes compromised due to irregular sharing of his/her details, Non-

repudiation takes effect. There are instances where a claim is launched by a customer citing

nonparticipation in activities undertaken by their account. While this information may have been

secured through cryptography, the irregular dissemination of personal information by the client

may lead to attacks or irregular activities. As such, Alibaba and other institutions of its caliber

should make it public that clients should not disclose their personal information such as

passwords and PINs. Such public announcements ensure that customers do not repudiate

activities occasioned by the institution. Usually, this method reinforces security by ensuring that

users remain extra vigilant and when handling sensitive data that if disseminated randomly may

lead to unauthorized activities.

10 | P a g e
 Cryptography Best Practices and Resource Portfolio

Dealing with Legal Environment

The legal environment is a factor that goes into consideration before the implementation of any

technology. It is influenced partly by the political environment of a country and has three

attributes to it.

 The local laws (home country)

 Foreign laws of the target markets and

 The general international Law (Elizabeth, 1982)

Cryptography is no exception when seeking to implement it. It is, therefore, paramount for

Alibaba and its affiliate e-commerce companies to consider the policies of their international

markets to encrypted data and how it would affect its implementation or applicability.

Most importantly, they need to understand the process of dealing with criminal cases as a result

of encrypted data or lack of it. How then can encrypted information be used as evidence in a

court? It appears, therefore, that Alibaba should modify its cryptography applications such that

data in question can be used to aid security agencies and the company to navigate quickly

through the legal hurdles. It should be such that it aids in retaining the company’s integrity and

security.

Internet Protocol Security and Architecture

IPsec is an integral part of providing cryptographic protection to networks. It is effective while

protecting IP datagrams utilizing IPv4and IPv6 network packets (ORACLE, 2015). IPsec was

designed such that it provides users’ data confidentiality. Additionally, it ensures that data

integrity is preserved. The protection offered by IPsec can also include partial sequence integrity

and data authentication. When adopted in the right manner, it is an effective tool for securing

11 | P a g e
 Cryptography Best Practices and Resource Portfolio

network traffic. As such it becomes a necessary tool in protecting customers’ information in

Alibaba and such e-commerce websites.

Smart Cards
The use of smart cards (plastic cards with embedded microchips) is perhaps the most commonly

used and effective mode of payment. It is, therefore, one of the highest manifestations of the use

of cryptography in securing data involved in transactions. By the use of cryptography, data

stored in smartcards can also be used for personal identification and authentication (Raihi, 1996).

In matters Alibaba and affiliate companies, smart cards can offer a haven for account numbers

and passwords. As such, they cannot fall into the hand of hackers easily. This technology

requires authentication via PIN or biometrics which also adds an extra layer of protection.

Biometrics

Biometrics is generally affiliated with physiological traits for identification. Therefore, by

adopting biometrics, we utilize physical attributes to identify and authenticate thus allow or

deny. As such, combining (the eye, hand, prints, face, etc.) with cryptography, we can effectively

achieve a higher level of security (Elizabeth, 1982). These two technologies are viewed from a

complementary perspective when it comes to data protection.

Additionally, biometrics can be used to resolve the issue of repudiation. For instance, where

biometrics are used as a form of authentication, it becomes difficult for a user to deny claims of

accessing the account. The goal is not only to eliminate the aspect of repudiation but to reinforce

security. Alibaba can use the Biometrics mode of authentication especially in areas of sensitive

data storage. As such, only the people with verified biometrics can access such stations.

12 | P a g e
 Cryptography Best Practices and Resource Portfolio

Learning Lessons from Break-Ins

Advancements in security technology or better yet in cryptography has been as a result of

identified vulnerabilities in previous cryptographic functions and applications. Consequently,

learning from attempts made in Alibaba systems become instrumental in determining the best

cryptographic measures to adopt. For instance, the breaking of DES resulted in the development

of AES that is much secure. Today, systems adopting AES are used as an integral part of a more

extensive protection system in Alibaba networks.

Solutions
Online Wire Transfers/Customer financial transactions

Most of the transactions taking place in the Alibaba network involve the use of credit cards, debit

cards or direct bank to bank transfer (Ajeet Singh, 2012). When a customer identifies a product,

he/she wishes to purchase, they initiate a funds transfer. The system for these transfers should

provide for authentication, secrecy, data integrity and non-repudiation. Achieving the mentioned

factors is attained by adopting the SSL protocol. The protocol provides confidentiality by

encrypting data moving across the parties, providing authentication for the session by using the

RSA algorithm. However, advanced financial data protection can be achieved by moving to the

Secure Electronic Transaction (SET) protocol (Ajeet Singh, 2012). This system allows for

confidentiality for payment information, order information, ensures data integrity merchant

authentication, generates a protocol independent of transport security mechanism and facilitates

software interoperability among network providers (Ajeet Singh, 2012).

13 | P a g e
 Cryptography Best Practices and Resource Portfolio

Alibaba Cloud

Alibaba is a top provider of Infrastructure as a Service (IaaS). Since founded in 2009, it has

continued to provide secure data storage for several institutions including Panasonic and Team

Viewer. Considering that cloud computing is an open environment, it follows that any weakness

will cause information security risks. As a result, security begins at the infrastructure, service,

and application software level (Eng. Hashem H. Ramadan, 2017). ALIBABA have continued to

enhance the cloud security by adopting the application of keys. Adopting the latest modes of the

asymmetric offline key mechanism (Quantum Direct Key) comes in handy when encrypting data

stored in the cloud. By adopting QDK, all entities will get/gets a public and private key

according to their identification (Akansha Deshmukh, 2015). As such, each user receives a

private key and any public key generator. As such, data transmission remains secure and only

accessible through the utilization of a related private key.

AliExpress

AliExpress is one of ALIBABA’s platform where customers get to purchase a variety of

products. It is, therefore, evident that a lot of processes prone to attacks occur here. Such include

the exchange of personal information including login data, financial transaction data and order

data. As such, security at this platform is paramount. Data leaks in this section can be prevented

by first, adopting good passwords and adopting digital encryption standards. The company

should develop a password policy that improves how clients/customers create their passwords.

The password should be such that it only accepts an input of;

 At least eight alphanumeric

 Contains upper- and lower-case characters,

 Has at least one symbol (@ $ % # etc.)

14 | P a g e
 Cryptography Best Practices and Resource Portfolio

 Does not have any relation to the customers’ legal identification names (Staff, 2005).

This data collected at this level are stored on servers or in the cloud. Both these platforms

require encryption to prevent data loss. The software adapted for encrypting during transmission

and storage should be that it allows for 128 and 256-bit AES encryption. AES is the standard

mode of encryption that guarantees data security (Mao, 2003).

However, encryption and decryption of data consume/requires high processing power. As such,

due to the number of clients accessing the system and making transactions per second, and

consequently, the rate of encryption and decryptions per second, the server’s resources are under

constant heavy use. At this point, they become slow. Crypto accelerators overcome a

performance issue by providing more computing power and consequently, increases the number

of transactions per second. The result is that cost is cut down per transaction compared to

increasing the power/speed of the server per transaction.

The Corporate network and Intellectual Properties

ALIBABA network is expansive and allows for remote access. Remote access comes with its

benefits and its fair share of challenges. Accessing organizational resources including its

intellectual properties from a remote location also means attackers can also gain access to the

network remotely with ease. Where a VPN is used, RSA ACE servers can be adapted to manage

access entry. This system requires the user to have an RSA token after inputting their username.

Finally, a static pin is needed to complete authentication. Users allowed to the data centers

containing the Intellectual properties data and another form of critical data should be

authenticated by the use of Biometrics (Colin Soutar, 2017). By using the patterns obtained from

the eye, face, hand, fingerprint or even the voice, only individuals with such patterns stored in

the database can access such information.

15 | P a g e
 Cryptography Best Practices and Resource Portfolio

Additionally, keys can be secured using biometrics. By adopting Biometric Encryption™, an

innovative technique developed by Mytec Technologies, a key linked to biometrics can be used

to provide additional security on data. The combination of the biometrics and the key produces a

set of data called Bioscrypt™ (Colin Soutar, 2017). The Bioscrypt™ acts as a secure key

management system. Adopting such a method for ALIBABA would add a line of protection to

their data.

Conclusion
It is evident that cryptography can provide adequate protection to networks and systems.

However, for maximum protection, it should be complemented with other protection systems to

ensure the systems are protected from even the most of brutal attacks. On the other hand, Alibaba

should look at the legal environment broadly to understand the measures to undertake in the

event a user engages in illegal activities using their accounts.

16 | P a g e
 Cryptography Best Practices and Resource Portfolio

References
Ajeet Singh, K. S. (2012). A Review: Secure Payment System for Electronic Transaction. International

Journal of Advanced Research in Computer Science and Software Engineering, 1-8.

Akansha Deshmukh, H. K. (2015). Security on Cloud Using Cryptography. International Journal of

Advanced Research in Computer Science and Software Engineering, 1-4.

Can, Y. (2016, October 13th). Most Admired Companies. Retrieved from Fortune Magazine:

http://en.people.cn/n3/2016/1013/c90000-9126591.html

Colin Soutar, D. R. (2017, May 5th). Biometrics Encryption. Retrieved from Bioscrypt Inc:

http://www.cse.lehigh.edu/prr/Biometrics/Archive/Papers/BiometricEncryption.pdf

Eng. Hashem H. Ramadan, M. A. (2017). Using Cryptography Algorithms to Secure Cloud Computing.

American Journal of Engineering Research (AJER), 1-4.

Kumar, S. N. (2015). Review on Network Security and Cryptography. Science and Education Publishing

(International Transaction of Electrical and Computer Engineers System), 11. Retrieved from

http://pubs.sciepub.com/iteces/3/1/1/#

Mao, W. (2003). Modern Cryptography: Theory and Practice. Prentice Hall Professional Technical

Reference.

Saraireh, S. (2013). A Secure Data Communication System Using Cryptography and Steganography.

International Journey of Computer Networks & Communication, 13.

Staff, C. M. (2005, June 16). Cryptography Techniques for Secure Communications. Retrieved from

Certification Magazine: http://certmag.com/cryptography-techniques-for-secure-communications/

Ajeet Singh, K. S. (2012). A Review: Secure Payment System for Electronic Transaction. International

Journal of Advanced Research in Computer Science and Software Engineering, 1-8.

17 | P a g e
 Cryptography Best Practices and Resource Portfolio

Akansha Deshmukh, H. K. (2015). Security on Cloud Using Cryptography. International Journal of

Advanced Research in Computer Science and Software Engineering, 1-4.

Alibaba. (2018). About us. Retrieved December 3rd, 2018, from

https://www.alibabagroup.com/en/about/leadership

Batten, L. M. (2013). Public Key Cryptography. New York: on Wiley & Sons Inc.

Colin Soutar, D. R. (2017, may 5th). Biometrics Encryption. Retrieved from Bioscrypt Inc:

http://www.cse.lehigh.edu/prr/Biometrics/Archive/Papers/BiometricEncryption.pdf

Elizabeth, D. (1982). Cryptography and Data Security. Addison-Wesley Publishing Company.

Eng. Hashem H. Ramadan, M. A. (2017). Using Cryptography Algorithms to Secure Cloud Computing.

American Journal of Engineering Research (AJER), 1-4.

Mao, W. (2003). Modern Cryptography: Theory and Practice. Prentice Hall Professional Technical

Reference.

ORACLE. (2015). IPsec and IKE Administration Guide. Retrieved December Monday, 2018, from

https://docs.oracle.com/cd/E19683-01/817-2694/ipsec-ov-1/index.html

Raihi, D. M. (1996). Semantic Scholar/ cryptographic smart cards. Retrieved December 7th, 2018, from

https://www.semanticscholar.org/paper/Cryptographic-smart-cards-Naccache-

M'Ra%C3%AFhi/1818e54eed48983ff58c365e47b3aec5826ff0a1

Staff, C. M. (2005, June 16). Cryptography Techniques for Secure Communications. Retrieved from

Certification Magazine: http://certmag.com/cryptography-techniques-for-secure-communications/

Can, Y. (2016, October 13th ). Most Admired Companies. Retrieved from Fortune Magazine:

http://en.people.cn/n3/2016/1013/c90000-9126591.html

18 | P a g e