In the SET protocol, two different encryption algorithms are used – DES and RSA. The DES algorithm has been used since the 1970s (Schneier, 1996), and that they were responsible for reducing its key size from the original 128 bits to 56.
RSA 128-bit encryption is a form of asymmetric system. According to the explanation in Wikipedia, with a key of length bits, there are 2^128 possible keys. The large number of operations (2^128) required to try all possible 128-bit keys is considered extremely hard to achieve with the digital computing power of today. Some cryptography specialists have claimed that they have broken a higher number of keys (TheRegister.co.uk, 2008).
2. An intrusion detection system is commonly known as an IDS. Internet Security Systems (2009) explained that when an IDS looks for these patterns in network traffic, it's network-based. When an IDS looks for attack signatures in log files, it's host-based. In either case, IDSs of both types look for attack signatures: specific patterns that usually indicate malicious or suspicious intent.

The typical NIDS scenario is one where an attempt has been made to funnel the traffic through the NIDS device on the network. It does not take a genius to see that if a single machine is isolated and taken away from the network, as many business people do when in transit, the NIDS is very flawed. The Red device represents where the NIDS has been installed.

Host-based IDSs are a more comprehensive solution and display great strengths in all network environments. It does not matter where the machines are; even if they are away from the network, they will be protected at all times. The Orange machines represent where the HIDS is installed.
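
The visibility difference described above, as an added example that is not part of the original post: the same signatures are checked by a network sensor, which sees only traffic that passes through it, and by a host agent, which reads each machine's own log. Host names, events and signatures are constructed for the illustration.

```python
import re

# Constructed signatures for this example (not taken from a real IDS rule set).
SIGNATURES = {
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
    "script-tag": re.compile(r"<script", re.IGNORECASE),
}

# Constructed events: what crossed the wire and what the host itself logged.
# "behind_sensor" is False for a machine taken away from the monitored network.
EVENTS = [
    {"host": "desktop-1", "behind_sensor": True,
     "packet": "GET /../../etc/passwd HTTP/1.1",
     "log": 'httpd: "GET /../../etc/passwd HTTP/1.1" 404'},
    {"host": "laptop-7", "behind_sensor": False,
     "packet": "GET /search?q=<script>x</script> HTTP/1.1",
     "log": 'httpd: "GET /search?q=<script>x</script> HTTP/1.1" 200'},
    {"host": "desktop-2", "behind_sensor": True,
     "packet": "GET /index.html HTTP/1.1",
     "log": 'httpd: "GET /index.html HTTP/1.1" 200'},
]

def match(text):
    """Names of all signatures found in one packet or log line."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def nids_alerts(events):
    """Network-based: inspects a packet only if it passes through the sensor."""
    return [(e["host"], sig) for e in events if e["behind_sensor"]
            for sig in match(e["packet"])]

def hids_alerts(events):
    """Host-based: the agent reads the host's own log wherever the host is."""
    return [(e["host"], sig) for e in events for sig in match(e["log"])]

def missed_by_nids(events):
    """Detections the host agents raise that the network sensor never sees."""
    return sorted(set(hids_alerts(events)) - set(nids_alerts(events)))

if __name__ == "__main__":
    print("NIDS:", nids_alerts(EVENTS))
    print("HIDS:", hids_alerts(EVENTS))
    print("Missed by NIDS:", missed_by_nids(EVENTS))
```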

3. "Phishing" is the term used to describe the illegal sending of an email to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has. The Web site, however, is bogus and set up only to steal the user's information.
TD Canada Trust, a bank from Canada, had a few sagas of its customers randomly receiving "phishing" emails over the years and had issued clear statements and instructions on its website to educate customers on how to detect emails that could be phishing emails (TD Canada Trust Website, 2009).

References
1. Clark, T. (1999) Visa, Mastercard try to revive SET. CNET news online.
Retrieved on May 10, 2009 at http://news.cnet.com/2100-1017-225723.html
2. Schneier, B. (1996) Applied Cryptography, John Wiley & Sons, Canada.
3. The Register.co.uk (2008) RSA is dead. Discussion thread.
Retrieved on May 9, 2009 at http://www.theregister.co.uk/2007/05/22/unreadable_writing_is_on_the_wall/comments/
4. TD Canada Trust Web site (2009) Email Safety.
Retrieved on May 10, 2009 at http://www.td.com/security/email.jsp