Cryptography Reference
In-Depth Information
AN OLD OFFICE
Imagine an office where there are no computers, no fax machines, no telephones
and no Internet. The business conducted in this office relies on information
coming fromboth external and internal sources. The employees in this office need
to be able to make decisions about the accuracy and authenticity of information.
In addition, they need mechanisms for controlling who has access to information.
So, what basic security mechanisms allow people working in such an office to
make decisions about the security of information that they receive and process?
We can fairly safely assume that most information dealt with in this office
is either spoken or written down. Some basic security mechanisms for spoken
information might be:
• facial or vocal recognition of people known to staff in the office;
• personal referrals or letters of introduction for people not known to staff in the
office;
• the ability to hold a private conversation in a quiet corner of the room.
Some basic security mechanisms for written information might be:
• recognition of handwriting of people known to staff in the office;
• handwritten signatures on documents;
• sealing documents in an envelope;
• locking a document in a filing cabinet;
• posting a letter in an official post box.
Note that these security mechanisms are not particularly strong. For example,
people who do not know each other well could misidentify a voice or face. An
envelope could be steamed open and the contents altered. Ahandwritten signature
could be forged. Nonetheless, these mechanisms tend to provide 'some' security,
which is often 'good enough' security for many applications.
A MODERN OFFICE
Now consider a modern office, full of computers that are networked to the outside
world via the Internet. Although some information will undoubtedly be processed
using some of the previous mechanisms, for reasons of convenience and efficiency
there will be a vast amount of information handled by electronic communication
and storage systems. Imagine that in this office nobody has considered the new
information security issues.
Here is a list of just some of the security issues that staff in this office should be
considering:
• How can we tell whether an email from a potential client is a genuine inquiry
from the person that it claims to have come from?
• How can we be sure that the contents of an electronic file have not been
altered?
