2|Page
Cryptography Best Practices and Resource Portfolio
Company Background
Founded in 1999, Alibaba has grown to become one of the top e-commerce companies, with
several affiliate companies and a global reach. Alibaba provides a platform where
businesses, manufacturers, suppliers, and clients can interact while conducting business.
Moreover, it is a platform where businesses, merchants, and brands can leverage the power of
new technology to operate efficiently. According to Jack Ma, one of the founders, the company
was founded on the belief that the internet would provide a level ground for businesses to adopt
Problem Statement
For an e-commerce company such as Alibaba, securing the constant data flow within its
networks remains a challenge, since a platform of this kind is a prime target for attacks by
hackers. As such, data (both stored and in transit) requires adequate protection in order to
maintain its integrity. While technological advancements have made hacking easier, they have also
provided ways in which data protection can be achieved; one such method through which data
Purpose Statement
Whereas cryptography aims to keep the integrity of the company intact by ensuring that data
flow and storage are protected, it is also paramount to consider factors related to its
implementation. It is, therefore, essential to consider the internal and external factors that
affect the security of information in regard to cryptography. Most importantly, as in our case,
Alibaba should consider the measures put in place for, or associated with, the implementation of
this technology (cryptography). This brief therefore seeks to discuss some of the aspects that
relate to the implementation of the technology. Some of these factors include the Public Key
Infrastructure,
products; their list of retail products is extensive. Alibaba's product line includes a catalog of
consumer products such as electrical equipment and components, electronics, bags, health and
beauty products, gifts and sports equipment, machinery and industrial parts, office materials, auto
parts, and toys, among many others. All these products can be purchased through their affiliate
e-commerce websites such as AliExpress, Taobao, TMALL, and Aliyun, among others. These
avenues are prone to attacks, and as such, they may require a combination of cryptographic
techniques to strengthen their security and that of their related systems. An assessment conducted
revealed a need to enhance the security of the above products and their associated systems.
Services
Alibaba Cloud
AliExpress
storage or transmission (Mao, 2003). The process ensures that the information is accessible and
understandable only to the parties for which it is intended. This technique not only protects data
from alteration and theft but can also be adopted for user authentication. This method of
encryption has been adopted to provide and maintain confidential information in government
agencies, the corporate world, and financial institutions. In an environment like ALIBABA, cryptography
cash, and digital rights management systems, among others. Most importantly, the protection of
While the process of making an order involves various steps and the exchange of a wide variety of
information, cryptographic techniques can be adopted in several areas of the process. It is possible
to adopt them in authentication, in the electronic transaction itself, and in the network through which
the transaction takes place, or better yet, in the entire network system.
Feasible Attacks
Hackers targeting the infrastructures mentioned above, services, data centers, and network are
Native attacks - In this method, the attacker endeavors to bypass protected systems using
worms, Trojans and even viruses. Such an attack may lead to data theft, data
Phishing attack - This type intends to steal real data (username and password) by creating
a forged site that looks like the original. If a client uses this site, the hacker collects the
Password attack - Here, the attacker attempts to crack passwords retained in a mesh
account database. This type of attack may come in three forms (brute force attack, hybrid
block of data simultaneously. Data to be encrypted is grouped into 64-bit blocks and enciphered
independently (Kumar, 2015). The only possible way of decrypting such a message is by brute
force. However, the length of the encryption key is such that it would take too long to decipher.
Taking into consideration the transactions occurring per minute in the ALIBABA network,
adopting such a system is preferable, as data transmission is such that it would not allow enough
time for hackers to crack it. The 56-bit encryption key cannot be cracked easily and hence provides
Password-Based Encryption
The password-based encryption system is among the most popular methods of encryption used
mainly on the consumer end. A customer's password is used to generate a secret key used in
deciphering the information. The generation of the secret key is randomized such that the key cannot be
derived from the user's password. PBE algorithms adopt additional parameters to ensure the
secret key is as unique as possible (Saraireh, 2013). The additional parameters used include a salt
and an iteration count. The salt is a random number used to prevent attackers from precomputing keys
from random phrases used as passwords. The iteration count makes the key generation process more
complex and thus time-consuming, which benefits the client, as brute force attacks suffer
increasingly from processes that take too much time. In the case of ALIBABA, clients with
accounts in the company's system or making purchases are/should be prompted to use PBE to
encrypt their data and avoid any possible hack. PBE also aids in the generation of secret
Good Passwords
More often than not, passwords are the most crucial aspect of protection on the consumer end.
Therefore, it is paramount that the password used by a client/consumer is unique and robust enough
to prevent a dictionary attack. In an instance such as the ALIBABA platform, passwords should
be made to have different characters and a number larger than four. Adoption of such a password
enhances security. On the other hand, password recovery measures can be created to include
questions with answers known only to the user. This further helps prevent easy password
regeneration by attackers.
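As an added example that is not part of the report, the Python below shows the two PBE parameters described above, a random salt and an iteration count, used with PBKDF2-HMAC-SHA256 to derive a per-user secret key, together with a policy check in the spirit of the Good Passwords section. The minimum length, the number of character classes, the iteration count, the salt size and the common-password list are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

# All parameters below are assumptions chosen for this example, not values
# taken from the report; a real deployment would tune them.
MIN_LENGTH = 12            # minimum password length accepted by the policy
MIN_CLASSES = 3            # of: lowercase, uppercase, digit, symbol
ITERATIONS = 200_000       # PBKDF2 iteration count (the "iteration count" parameter)
SALT_BYTES = 16            # random salt length in bytes (the "salt" parameter)
# Constructed list standing in for a real breached-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "alibaba", "letmein"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password_policy(password: str) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list (dictionary attack risk)")
    return problems


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBE key derivation: PBKDF2-HMAC-SHA256 over password, salt and iteration count.

    The salt makes the key unique per user even for identical passwords, so a
    precomputed table of keys is useless; the iteration count makes every guess
    cost the attacker the same work the server spends once per login.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str) -> str:
    """Enforce the policy, then store salt, iteration count and derived key as a verifier."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(SALT_BYTES)
    key = derive_key(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Re-derive the key from the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    record = make_record("Correct-Horse-Battery-9")
    print(record)
    print(verify_password(record, "Correct-Horse-Battery-9"))   # True
    print(verify_password(record, "Correct-Horse-Battery-8"))   # False
```

Because the salt is drawn fresh for every record, two users with the same password still get different stored keys, which is the property the salt parameter exists for.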
vice versa. There are two types of encryption keys, categorized as symmetrical and asymmetrical.
The symmetrical system adopts one key to both encrypt and decrypt data. AES is the standard
symmetric key algorithm used today. Asymmetrical key cryptography uses a pair of related
keys. Each of the keys can be used for either decrypting or encrypting a message. However, a
The adoption of such a system in ALIBABA would come in handy when exchanging emails and
confidential information among producers, consumers, and retailers. It can also be useful when
The system adopts the use of two different sets of keys. Each client is issued a private and a
public key. The private key is known only to the user, while the public key is made available
over the network (Saraireh, 2013). Therefore, transmitted data is encrypted using the receiver's
public key and can only be decrypted using his/her private key. Consequently, transmission of
ALIBABA, where the management and other employees are interconnected in the same open
office network, such a system can be used to ensure information is sent to the intended
Crypto Accelerator
Cryptography comes with a requirement for high computing power. A personal computer has the
capacity to provide strong encryption for one user. However, on a commercial scale such as that
of ALIBABA, we need machines or specialized systems that can provide enough computing
power for all the encryption taking place per second. Such massive computation arises due to the
large data sizes being exchanged between consumers/clients and the system (Mao, 2003).
On the other hand, there are thousands of transactions taking place every second in the
ALIBABA network. Adding crypto accelerators to the (ALIBABA) servers increases the
computation power and consequently increases the number of transactions per second. The
result is that the cost per transaction is cut down compared to increasing the power/speed of the
company relies mostly on transactions done online. As such, it is right to conclude that for a
networks. For instance, when a customer is making a purchase, there are at least three networks
involved: the client's network, the payment network provider and the merchant's network, and
most importantly the Alibaba network. During information exchange through these networks,
data becomes vulnerable (Batten, 2013). It is at this point that the Public Key Infrastructure
(PKI) comes in. PKI/cryptography, in this case, is used to bind service providers and individuals to
their public keys. Such an association is achieved by assigning certificates to the parties
involved. The certificates are further strengthened with registration. The certificate authority
(CA) issues certificates such that it can either reject or accept the details during the
verification process (ORACLE, 2015). During the registration process, the Registration
Authority (RA) is responsible for correct data registration. It also accepts and authenticates the
transactions for products and services offered on all Alibaba and affiliated e-commerce websites.
During these processes, there is a possibility of third parties gaining access to that information
without the client's knowledge. There lies a window of opportunity for attackers between the
browser and the servers. As such, SSL comes in to secure the exchange of information at this stage.
SSL secures the information flowing between the server and the browser by ensuring it remains
private (Elizabeth, 1982). An SSL certificate classifies parts of the website as private while
keeping others public by using different keys. The mechanics involved in integrating an SSL
certificate are, however, hidden from the user to enhance web usage and make the site
user-friendly.
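As an added example that is not part of the report, the Python below builds the client-side TLS context that actually closes the browser-to-server window described above (CA verification of the server certificate, hostname check, TLS 1.2 as the floor) beside the weak configuration that disables verification, with a check a reviewer can run over either. The function names and the TLS version floor are this example's own choices; the settings are standard options of Python's ssl module.

```python
import ssl

# Assumption for this example: anything older than TLS 1.2 is refused.
TLS_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context in which the server's certificate must chain to a trusted CA
    and must name the host being contacted; this is what makes SSL/TLS bind the
    session to the intended server rather than to whoever answers the connection."""
    ctx = ssl.create_default_context()   # system CA store, CERT_REQUIRED, hostname check on
    ctx.minimum_version = TLS_FLOOR      # refuse protocol versions with known weaknesses
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The shortcut often found in application code: traffic is encrypted, but the
    certificate is never checked, so an interposed attacker is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # certificate name is never compared to the server name
    ctx.verify_mode = ssl.CERT_NONE      # certificate chain is never checked against a CA
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report the three settings a reviewer should check on any TLS client context."""
    return {
        "ca_verification": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_check": bool(ctx.check_hostname),
        "modern_protocol": ctx.minimum_version >= TLS_FLOOR,
    }


def is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only when every audited setting passes."""
    return all(audit_context(ctx).values())


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```

The same three checks apply to any HTTP client library built on this module, since they all wrap an SSLContext.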
Non-Repudiation
Non-repudiation acts as a reinforcement of the security of the customer and the company as a
whole. If a user/client becomes compromised due to irregular sharing of his/her details,
non-repudiation takes effect. There are instances where a claim is launched by a customer citing
nonparticipation in activities undertaken by their account. While this information may have been
secured through cryptography, the irregular dissemination of personal information by the client
may lead to attacks or irregular activities. As such, Alibaba and other institutions of its caliber
should make it public that clients should not disclose personal information such as
passwords and PINs. Such public announcements ensure that customers do not repudiate
activities occasioned by the institution. Usually, this method reinforces security by ensuring that
users remain extra vigilant when handling sensitive data that, if disseminated randomly, may
technology. It is influenced partly by the political environment of a country and has three
attributes to it.
Cryptography is no exception when one seeks to implement it. It is, therefore, paramount for
Alibaba and its affiliate e-commerce companies to consider the policies of their international
markets on encrypted data and how they would affect its implementation or applicability.
Most importantly, they need to understand the process of dealing with criminal cases arising
from encrypted data or the lack of it. How, then, can encrypted information be used as evidence in a
court? It appears, therefore, that Alibaba should modify its cryptography applications such that
the data in question can be used to aid security agencies and the company in navigating quickly
through the legal hurdles. It should be such that it aids in retaining the company's integrity and
security.
protecting IP datagrams, covering both IPv4 and IPv6 network packets (ORACLE, 2015). IPsec was
designed to provide confidentiality for users' data. Additionally, it ensures that data
integrity is preserved. The protection offered by IPsec can also include partial sequence integrity
and data authentication. When adopted in the right manner, it is an effective tool for securing
Smart Cards
The use of smart cards (plastic cards with embedded microchips) is perhaps the most commonly
used and effective mode of payment. It is, therefore, one of the highest manifestations of the use
stored in smart cards can also be used for personal identification and authentication (Raihi, 1996).
In matters concerning Alibaba and affiliate companies, smart cards can offer a haven for account
numbers and passwords. As such, they cannot fall into the hands of hackers easily. This technology
requires authentication via PIN or biometrics, which also adds an extra layer of protection.
Biometrics
adopting biometrics, we utilize physical attributes to identify and authenticate, and thus allow or
deny access. As such, by combining biometric traits (the eye, hand, fingerprints, face, etc.) with
cryptography, we can effectively achieve a higher level of security (Elizabeth, 1982). These two
technologies are viewed from a
Additionally, biometrics can be used to resolve the issue of repudiation. For instance, where
biometrics are used as a form of authentication, it becomes difficult for a user to deny claims of
having accessed the account. The goal is not only to eliminate the aspect of repudiation but also to
reinforce security. Alibaba can use the biometric mode of authentication especially in areas of
sensitive data storage. As such, only people with verified biometrics can access such stations.
learning from attempts made on Alibaba systems becomes instrumental in determining the best
cryptographic measures to adopt. For instance, the breaking of DES resulted in the development
of AES, which is much more secure. Today, systems adopting AES are used as an integral part of a more
Solutions
Online Wire Transfers/Customer financial transactions
Most of the transactions taking place in the Alibaba network involve the use of credit cards, debit
cards or direct bank-to-bank transfers (Ajeet Singh, 2012). When a customer identifies a product
he/she wishes to purchase, they initiate a funds transfer. The system for these transfers should
provide authentication, secrecy, data integrity and non-repudiation. These factors are attained by
adopting the SSL protocol. The protocol provides confidentiality by encrypting data moving
between the parties, and provides authentication for the session by using the RSA algorithm.
However, more advanced financial data protection can be achieved by moving to the
Secure Electronic Transaction (SET) protocol (Ajeet Singh, 2012). This system allows for
confidentiality of payment information and order information, and ensures data integrity; merchant
Alibaba Cloud
Alibaba is a top provider of Infrastructure as a Service (IaaS). Since it was founded in 2009, it has
continued to provide secure data storage for several institutions, including Panasonic and
TeamViewer. Considering that cloud computing is an open environment, it follows that any weakness
will cause information security risks. As a result, security begins at the infrastructure, service,
and application software level (Eng. Hashem H. Ramadan, 2017). ALIBABA has continued to
enhance cloud security by adopting the application of keys. Adopting the latest modes of the
asymmetric offline key mechanism (Quantum Direct Key) comes in handy when encrypting data
stored in the cloud. By adopting QDK, all entities get a public and private key
according to their identification (Akansha Deshmukh, 2015). As such, each user receives a
private key and any public key generator. As such, data transmission remains secure and only
AliExpress
products. It is, therefore, evident that many processes prone to attack occur here. These include
the exchange of personal information, including login data, financial transaction data and order
data. As such, security on this platform is paramount. Data leaks in this section can be prevented
by, first, adopting good passwords and adopting digital encryption standards. The company
should develop a password policy that improves how clients/customers create their passwords.
Does not have any relation to the customers’ legal identification names (Staff, 2005).
The data collected at this level is stored on servers or in the cloud. Both of these platforms
require encryption to prevent data loss. The software adopted for encrypting during transmission
and storage should allow for 128- and 256-bit AES encryption. AES is the standard
However, encryption and decryption of data consume/require high processing power. As such,
due to the number of clients accessing the system and making transactions per second, and
consequently the rate of encryptions and decryptions per second, the server's resources are under
constant heavy use. At this point, they become slow. Crypto accelerators overcome this
performance issue by providing more computing power and consequently increase the number
of transactions per second. The result is that the cost per transaction is cut down compared to
The ALIBABA network is expansive and allows for remote access. Remote access comes with its
benefits and its fair share of challenges. Accessing organizational resources, including its
intellectual property, from a remote location also means attackers can gain access to the
network remotely with ease. Where a VPN is used, RSA ACE servers can be adopted to manage
access entry. This system requires the user to have an RSA token after inputting their username.
Finally, a static PIN is needed to complete authentication. Users allowed into the data centers
containing the intellectual property data and other forms of critical data should be
authenticated by the use of biometrics (Colin Soutar, 2017). By using the patterns obtained from
the eye, face, hand, fingerprint or even the voice, only individuals with such patterns stored in
innovative technique developed by Mytec Technologies, a key linked to biometrics can be used
to provide additional security for data. The combination of the biometrics and the key produces a
set of data called Bioscrypt™ (Colin Soutar, 2017). The Bioscrypt™ acts as a secure key
management system. Adopting such a method at ALIBABA would add a line of protection to
their data.
Conclusion
It is evident that cryptography can provide adequate protection to networks and systems.
However, for maximum protection, it should be complemented with other protection systems to
ensure the systems are protected from even the most brutal attacks. On the other hand, Alibaba
should look at the legal environment broadly to understand the measures to undertake in the
References
Ajeet Singh, K. S. (2012). A Review: Secure Payment System for Electronic Transaction. International
https://www.alibabagroup.com/en/about/leadership
Batten, L. M. (2013). Public Key Cryptography. New York: John Wiley & Sons, Inc.
Can, Y. (2016, October 13). Most Admired Companies. Retrieved from Fortune Magazine:
http://en.people.cn/n3/2016/1013/c90000-9126591.html
Colin Soutar, D. R. (2017, May 5). Biometrics Encryption. Retrieved from Bioscrypt Inc:
http://www.cse.lehigh.edu/prr/Biometrics/Archive/Papers/BiometricEncryption.pdf
Eng. Hashem H. Ramadan, M. A. (2017). Using Cryptography Algorithms to Secure Cloud Computing.
Kumar, S. N. (2015). Review on Network Security and Cryptography. Science and Education Publishing
(International Transaction of Electrical and Computer Engineers System), 11. Retrieved from
http://pubs.sciepub.com/iteces/3/1/1/#
Mao, W. (2003). Modern Cryptography: Theory and Practice. Prentice Hall Professional Technical
Reference.
ORACLE. (2015). IPsec and IKE Administration Guide. Retrieved December 2018, from
https://docs.oracle.com/cd/E19683-01/817-2694/ipsec-ov-1/index.html
Raihi, D. M. (1996). Cryptographic smart cards. Semantic Scholar. Retrieved December 7, 2018, from
https://www.semanticscholar.org/paper/Cryptographic-smart-cards-Naccache-M'Ra%C3%AFhi/1818e54eed48983ff58c365e47b3aec5826ff0a1
Saraireh, S. (2013). A Secure Data Communication System Using Cryptography and Steganography.
Staff, C. M. (2005, June 16). Cryptography Techniques for Secure Communications. Retrieved from