物联网英文文献

CRVol.14,No1&2,2004ADISCUSSIONOFCURRENTANDPOTENTIALISSUESRELATINGINFORMATIONSECURITYFORINTERNETCOMMUNICATIONSbyJagannathanV.IyengarINTRODUCTIONInformationsecurityisaboutprotectingthreethings:theconfidentiality,theintegrity,andtheavailabilityofdata.SecuringInternetCommerceisprobablythebiggestchallengethatinformationprofessionalshaveyetfaced.Fiveyearsago,InternetCommercedidnotexist.Todayitisattractingenormousfinancialinterest.InvestorsareenthusiasticallybackingcompaniesthatpromisetodeliverthehardwareandsoftwarethatInternetCommercerequires.CompaniesareinvestinginpurchasesofhardwareandsoftwaretopermitthemtoengageinInternetCommerce.Formanycompanies,InternetCommercemeanstakingcreditcardordersfromcustomersshoppingelectroniccatalogsontheWorldWideWeb.Forothers,InternetCommercemeansdealingelectronicallywithclientsandsuppliersratherthandealingoverthetelephoneorfaxmachine.Anareaofincreasingimportance,whichoverlapsbothoftheothers,isdigitalauthenticationofanythingfromcontractsandinvoicestophotographsandsoundbites.TheissuesinvolvedinInternetCommerceaffectcompanieslargeandsmall.AsofJanuary1996,halfofallbusinesseswithmorethan1000employeeshadatleastonewebsite,accordingtoarecentsurvey.Thesamesurveyalsofoundthattwo-thirdsofallcompanieswithwebsiteshadlessthan100companies.TheInternetisattractivetosmallercompaniesbecauseitenablesthemtoreachawiderangeofmarkets,includingthemarketsthatmuchlargercompaniesenjoy.Atthesametimemostcorporationsseeenoughpotentialtoinvestsignificantdollars.INFORMATIONATTRIBUTESININTERNETThereisconsiderable,andjustifiable,fearthatconfidentialinformationsuchascreditcardandpersonaldetailscouldbeinterceptedduringtransmissionovertheInternetwhensubmittinganorderformontheweb.ThechallengeistotransmitandreceiveinformationovertheInternetwhileinsuringthat:(1)itisinaccessibletoanyonebutsenderandreceiver,(2)ithasnotbeenchangedduringtransmission,(3)thereceivercanbesureitcamefromthesender,(4)thesendercanbesurethereceiverisgenuine,and(5)thesendercannotdenyhe/shesentit.Withoutspecialsoftware,allInternettraffictravelsintheclearandsoanyonewhomonitorstrafficcanreadit.ThisformofattackisrelativelyeasytoaccomplishusingfreelyavailablepacketsniffingsoftwaresincetheInternethastraditionallybeenaveryopennetwork.IfyouweretotracetherouteofamessageacrosstheInternetyoucouldseehowmanysystemsthedatapassesthroughonthewayfromclienttoserver.Atthebeginningandattheendofthelistyouwillprobablyseelocalproviders.Mostoftheseareconsideredeasytargetsbyhackers,particularlyifthelocalproviderhasserversonacollegecampus.Inbetweenyouwouldprobablyseeseveralmachinesoperatedbymajorcommunicationsproviders,suchasSprintorMCI.Thesemaybemoresecure,butillegalpenetrationofeventhesesystemsposesnoproblemtosomehackers.ENCRYPTIONTypically,asniffingattackproceedsbycompromisingalocalprovideratoneendofthetransmission.Nospecialphysicalaccessisrequired.Passwordandcreditcardscanbedistinguishedfromtherestofthetrafficusingsimplepatternmatchingalgorithms.Thedefenseagainstthistypeofattackistoencryptthetraffic,oratleastthatportionwhichcontainsthesensitivedata.However,encryptionreducessystemperformanceandrequirescoordinationbetweenlegitimatepartiestothecommunication.Incommercialterms,suchcoordinationrequireswidespreadstandardsforsecuredtransactions,whichhavebeenslowtoemerge.Protectingtransactionsisonlyoneelementofthesecuretransactionproblem.Onceconfidentialinformationhasbeenreceivedfromaclientitmustbeprotectedontheserver.Currentlywebserversareamongthesoftesttargetsforhackers,largelyduetotheimmaturityofthetechnology.Thestandardsecurityadviceforwebserversistotreatthemachineasasacrificiallamb,i.e.,unconnectedtoanyin-housenetworksandregularlybackedupinordertorecoverfromtheinevitableattacks.However,manycurrentwebapplicationsrequirethatthewebserverinteractwithcompanydatabases,necessitatingalinktointernalnetworks.Thislinkthenbecomesapathwayintoyoursystemsfromyourwebsite.While90CRVol.14,No1&2,2004firewalltechnologycanhelptoblockthispath,itisseldominstalledormaintainedeffectivelyanddoesnotprotectmanywebservices.VirtualprivatenetworksareaspecializedformofencryptedInternettransactionallowingasecurechanneltobeestablishedbetweentwosystemsforthepurposesofelectronicdatainterchange.Thisdiffersfromcreditcardandconsumer-orderingtransactionsinthatthevolumeofdatabetweenthetwopartiesisgreaterandthetwopartiesarewellknowtoeachother.Thismeansthatcomplexandproprietaryencryptionandauthenticationtechniquescanbeusedsincethereisnopretensetoofferuniversalconnectivitythroughthischannel.Despitethepotentialforgreatersecuritythevirtualprivatenetworkisstillaworryingdevelopmentfromasecurityperspective.Forstarters,thereistheattentionthatthisincreasedsecuritywillattractfromhackersandcyberpunks,possiblyleadingtoembarrassingorevencostlycrackingofcodes.However,eveniftheencryptiontechniquesemployedbythedigitalchannelsystemscurrentlyonthemarketorunderdevelopmentprovetobeverypowerful,thusinsuringconfidentialityandavailabilityofdata,thisstillleavesthethirdaspectofsecurity,availability.Fortheforeseeablefuture,thereisahugepotenti