9.15.1.2 Cryptographic Services and Mechanisms: A Brief Example
Assume the business at hand is an Internet-based E-commerce site that provides consumer product ordering. The front office interface device is the consumer's PC. The type of PC is unpredictable; however, the consumer's Web browser is an industry standard. Further, communication between the consumer PC and the E-commerce site is nonpermanent, meaning the consumer will likely log on, perform whatever transaction is desired, and log off; this is contrary to establishing a permanent link into the E-commerce site, which may be of more interest to a business partner than a consumer.
Further, assume the cryptographic service of choice is session encryption, which narrows to two types:

• Symmetric: DES, IDEA, AES
• Asymmetric: RSA, Diffie-Hellman
Cryptographic mechanics supporting session encryption include Secure Sockets Layer (SSL) and IPSec. In this example, SSL is selected based on the benefits and drawbacks of the two alternatives. Note the clear mapping between the business requirement of secure E-commerce and the IA mechanism of IPSec supporting that requirement.
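An SSL/TLS session combines both types listed above: an asymmetric key exchange (RSA or Diffie-Hellman) sets up the session, and a symmetric cipher (AES, or legacy DES) protects the traffic. The following is an added example, not from the book, that reviews cipher suites in the shape Python's ssl.SSLContext.get_ciphers() returns; the SAMPLE_CIPHERS list is constructed for illustration, and the acceptance rules (AES or ChaCha20 bulk cipher, ephemeral key exchange) are this example's assumptions about what a session-encryption review would require.

```python
import ssl

# Constructed sample of the dicts that ssl.SSLContext.get_ciphers() returns,
# trimmed to the keys used here. The first two mirror modern suites; the third
# is a legacy suite with a DES bulk cipher and static RSA key transport.
SAMPLE_CIPHERS = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
     "kea": "kx-any", "auth": "auth-any", "symmetric": "aes-256-gcm"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "symmetric": "aes-128-gcm"},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "kea": "kx-rsa", "auth": "auth-rsa", "symmetric": "des-ede3-cbc"},
]

# Review policy assumed for this example (not taken from the book).
ACCEPTED_SYMMETRIC = ("aes-", "chacha20")
EPHEMERAL_KEA = ("kx-ecdhe", "kx-dhe", "kx-any")  # kx-any: TLS 1.3, always (EC)DHE


def classify(cipher):
    """Split one suite into the asymmetric and symmetric parts and flag weak choices."""
    sym = cipher["symmetric"]
    findings = []
    if not sym.startswith(ACCEPTED_SYMMETRIC):
        findings.append(f"symmetric cipher {sym} is legacy")
    if cipher["kea"] not in EPHEMERAL_KEA:
        findings.append(f"key exchange {cipher['kea']} gives no forward secrecy")
    return {"name": cipher["name"],
            "asymmetric": (cipher["kea"], cipher["auth"]),
            "symmetric": sym,
            "findings": findings}


def audit(ciphers):
    """Return only the suites that would fail the session-encryption review."""
    return [c for c in map(classify, ciphers) if c["findings"]]


def audit_live_context():
    """Apply the same review to this interpreter's default client context."""
    ctx = ssl.create_default_context()
    return audit(ctx.get_ciphers())


if __name__ == "__main__":
    for weak in audit(SAMPLE_CIPHERS):
        print(weak["name"], "->", "; ".join(weak["findings"]))
    print("weak suites in default context:", len(audit_live_context()))
```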
9.15.1.3 Cryptographic Influence on the IA2F
Customer interface subsystems in this example include the E-commerce Web site, retail assistant, cashier, and the call center agent. Consider an abstract transaction. Customers will encounter an interface subsystem either to request assistance or to make a purchase. This subsystem collects customer data, which is processed locally, within the subsystem, or sent to a regional or central location for processing. If all goes well, the customers exit the subsystem with their expectations satisfied.
IA concerns in the scenario above include security and privacy in subsystem data collection, transmission, back office processing, transmission of results, data storage, data sharing, and later data analysis outside of the literal transaction context. Overall, this is quite an IA task that includes technology infrastructure, policies, business process, and people. There is need for identity management, privilege management, and nonrepudiation.
The complexities of cryptography clearly exemplify the need for a logical mapping of business requirements to the choice of cryptographic services, mechanics, and the application of cryptography in the business flow. Abstracting from the particulars of cryptographic influence, the IA2F must map business requirements to IA operations. This mapping is useful in both the appropriate application of