OPENSSL HEARTBLEED LOOPHOLE
i) Implementation process of OpenSSL communication tool
As the government data is sensitive, it is required to encrypted data through a secure encryption tool. In this situation Bob and Alice has decided to use OpenSSL tool for transferring data from one end to another (Fischer et al. 2015). OpenSSL is an open source tools that can be download through their website and after that data scientist of the organization needs to know about the version of the tool so that they can understand functionality of the tools.
Figure 1: Process for implementing OpenSSL system
In these tools, data scientists are needed to implement encryption before sending the data. In this data encryption process should be as follow. For example if the developers want to encrypt and text “Bob and Alice” following command should be used.
echo ” Bob and Alice ” > plain.txt
openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin
//enter aes-256-cbc encryption password: Alice and Bob
//Verifying – enter aes-256-cbc encryption password: Alice and Bob
After that encryption process it is needed to create private as well as public key so that user can decrypt and encrypt data (Haque, 2015).
openssl genrsa -out key.pem 1024 command is useful for creating RSA key and this process allows the tool to create public and private key with .pem file. Digital signature is also required to create for verification purpose. openssl dgst -<hash_algorithm> -out <digest> <input_file> command is used by the data scientist for creating signature (Laskar et al. 2017). Additional security is required in the database and for that purpose database developers must generate SSL certificates.
In OpenSSL security tool secure socket layer technology has been used and developers need to create link between client and server.
In symmetric encryption, pre shared key encryption process is followed by the developers. In this purpose Bob and Alice has used a single key for both encryption and decryption process (Malav, 2019). Sender encrypts as message with a key and the receiver for decrypting the message uses an identical key.
Figure 2: Symmetric encryption process and key exchange
(Source: Influenced by Malav, 2019)
In general data scientist of the concern government office has created the key with the size of 265 bits as the high key size can increase the security level of the database. Though the high number key has been used in this purpose, stronger encryption capabilities are required in the system (Pal & Chakraborty, 2017). Two types of algorithms can be used in symmetric encryption process including stream and block algorithms. In block algorithms block are used for encrypting bit length so that user can specify their key. System is programmed in a way that data in memory can be hold for future use. In stream algorithms, developers do not use memory; instead streams are used for data encryption purpose (Fischer et al. 2015).
Security key exchange
Figure 3: Security key exchange process in OpenSSL
(Source: Influenced by Pal & Chakraborty, 2017)
In a public network, key exchange operation can be performed. In this technique multiple user can access a single security key without understand the actual key. Both RSA and elliptic curve cryptography technique has been followed by the data scientists (Pal & Chakraborty, 2017). Multiple key can be produced in digital encryption process so that the users can access a specific power in the database.
Several types of issues can be there in key exchange process. As the ECC algorithm is depends on the finite fields and its algebraic structure, base point of the curve element can be impractical. In this situation, integer factorization in the key exchange process should be presumed and this can be responsible for large integer’s implementation in the server (Fischer et al. 2015). User of this system is allowed for creating product along with publishing it though large prime number implementation. One of the biggest challenges in this purpose is to keep the key private from other users in the same network.
All the issue that can be happen in key exchange process may be solved by implementing certificate authority. It is recommend that the data scientist of the organization do no need to distribute the validate fingerprint as well as public key. Even at the time of updating and creating key pairs these keys are not needed to be validated. This entire technique is responsible for solving key exchange process.
Gurjar, S., Baggili, I., Breitinger, F., & Fischer, A. (2015). an empirical comparison of widely adopted hash functions in digital forensics: does the programming language and operating system make a difference? Proceedings of the Conference on Digital Forensics, Security and Law, , 57-68. Retrieved from https://search.proquest.com/docview/1791621609?accountid=188056
Haque, M. S. (2016). Web server vulnerability analysis in the context of transport layer security (TLS). International Journal of Computer Science Issues (IJCSI), 13(5), 11-19. doi:http://dx.doi.org/10.20943/01201605.1119
Shaw, N., Dey, B., Mazumder, S., & Laskar, F. M. (2017). enhance the data security by changingthe encryption technique based on data pattern in block based private key data encryption. International Journal of Advanced Research in Computer Science, 8(7) Retrieved from https://search.proquest.com/docview/1931130680?accountid=188056
Malav, A. (2019). Security improvement for realistic data using international data encryption cryptographic algorithm. I-Manager’s Journal on Computer Science, 7(2), 19-25. doi:http://dx.doi.org/10.26634/jcom.7.2.15465
Pal, S. K., & Chakraborty, N. (2017). Application of cosmos’s law of merge and split for data encryption. International Journal of Computer Network and Information Security, 9(5), 11. doi:http://dx.doi.org/10.5815/ijcnis.2017.05.02
Khalaf, E. F., & Kadi, M. M. (2017). A survey of access control and data encryption for database security. Journal of King Abdulaziz University, 28(1), 19-30. doi:http://dx.doi.org/10.4197/Eng.28-1.2