SECURING DATA COMMUNICATION FOR SMALL AND MEDIUM ENTERPRISE USING CRYPTOGRAPHY
ABSTRACT
Information protection is one of the most important issues in every domain, especially when we are talking about enterprises. Information safety can be translated into three key terms: integrity, availability and data protection. There is a great number of means used in order to achieve the three objectives simultaneously. The most popular is cryptography because it offers a lot of techniques which nowadays are impossible to fail. In this paper we want to prove their efficiency by comparing the different types of crypto algorithms and by presenting their weaknesses and strengths. In order to maximize the benefits of the crypto techniques, we propose a hybrid approach that combines three crypto algorithms.
INTRODUCTION
Cryptography is a technique to scramble confidential information to make it "unreadable." It is commonly used in Internet communications to transmit data in secure way. Some potential problems during data communication on networking like unauthorized access, disclosure, interruption, use, modification, inspection, recording or destruction. The main ideas that security system has to respect are: confidentiality, data integrity, availability and authentication. These concepts characterize the data security achievement and must be accomplished by every secure communication that aims to be functional. Most security systems use cryptography because it offers various algorithms and techniques practically impossible to break because of their complexity. Cryptography, not only secure data from unauthorized access or modification, but it can also be used for user authentication.
PROBLEM STATEMENT:
This paper presents an alternative inside-out design which takes general crypto/security architecture and then wraps a language-independent interface around it to make particular portions of the architecture available to the user. In this case it is important to distinguish between the architecture and the API used to interface to it -- with most approaches the API is the architecture, whereas the approach presented in this paper concentrates on the internal architecture only.

Motivation of study:
Cryptography provides a number of security goals to ensure the privacy of data, non alteration of data and so on. Due to the great security advantages of cryptography it is widely used today. Following are the various goals of cryptography. Confidentiality Information in computer is transmitted and has to be accessed only by the authorized person and not by anyone else. Integrity Only the authorized person is allowed to alter the transmitted information. No one in between the sender and receiver are allowed to alter the given message. Non Repudiation ensures that neither the sender, nor the receiver of message should be able to deny the transmission. Access Control Only the authorized person are able to access the given information.

Problem Statement
Information protection is one of the most important issues in every domain, especially when we are talking about enterprises. Information safety can be translated into three key terms: integrity, availability and data protection. There is a great number of means used in order to achieve the three objectives simultaneously. The most popular is cryptography because it offers a lot of techniques which nowadays are impossible to fail. In this paper we want to prove their efficiency by comparing the different types of crypto algorithms and by presenting their weaknesses and strengths. In order to maximize the benefits of the crypto techniques, we propose a hybrid approach that combines three crypto algorithms.

Research objectives:
The architecture presented here is built on the following design principles: * Independent objects. Each object is responsible for managing its own resource requirements such as memory allocation and use of other required objects, and the interface to other objects is handled in an object-independent manner. * Intelligent objects. The architecture should know what to do with data and control information passed to objects, including the ability to hand it off to other object where required. * Full isolation of architecture internals from external code. The architecture internals are fully decoupled from access by external code, so that the implementation may reside in its own address space (or even physically separate hardware) without the user being aware of this.

Research question
How can we secure data communication in small and medium enterprises using cryptography? This research seeks to address the design of the cryptography architecture.
Research motivation
To protect and ensure secure communication in small and medium enterprises using best cryptographic designs and architectures.
Research premises
Related work:
Object Internals
It is necessary to first explore the scope of the object internals so that the entire architecture can be analyzed in details. In creating or instantiating a new object involves obtaining a new handle, allocating and initializing an internal data structure which stores information on the object, setting ACL's, connecting the object to any underlying hardware or software if necessary (for example establishing a session with a smart card reader or database backend), and finally returning the object's handle to the user. Although the user sees a single object type which is consistent across all computer systems and implementations, the exact (internal) representation of the object can vary considerably. In the simplest case, an object consists of a thin mapping layer which translates calls from the architecture’s internal API to the API used by a hardware implementation. Since encryption contexts, which represent the lowest level in the architecture, have been designed to map directly onto the functionality provided by common hardware crypto accelerators, these can be used directly when appropriate hardware is present in the system.
If the encryption hardware consists of a crypto device with a higher level of functionality or even a general-purpose secure coprocessor rather than just a simple crypto accelerator, more of the functionality can be offloaded onto the device or secure coprocessor. For example while a straight crypto accelerator may support functionality equivalent to basic DES and RSA operations on data blocks, a crypto device such as a PKCS #11 token would provide extended functionality including the necessary data formatting and padding operations required to perform secure and portable key exchange and signature operations, and more sophisticated secure coprocessors which are effectively scaled-down PC's can take on board architecture functionality at an even higher level. Figure 9 shows the levels at which external hardware functionality can be integrated, with the lowest level corresponding to the functionality embodied in an encryption context, while the higher levels correspond to functionality in envelope and certificate objects. Proposed methodology
This proposal will present a methodology in object form for simplicity. The methodology also captures all physical scenarios of small and medium enterprise data communication.

The Object Model Architecture
The architecture implements two types of objects, container objects and action objects. A container object is an object which contains one or more items such as data, keys, certificates, security state information, and security attributes. The container types can be broken down roughly into three types, data containers (referred to as envelope or session objects), key and certificate containers (keyset objects), and security attribute containers (certificate objects). An action object is an object which is used to perform an action such as encrypting, hashing, or signing data (referred to as an encryption context). Action objects are fairly simple and encapsulate the functionality of a security algorithm such as DES or RSA, these functions mainly as building blocks used by the more complex object types. In addition to these standard object types, there is also a device object type which constitutes a meta-object used to work with external encryption devices such as smart cards or Fortezza cards which may require extra functions such as activation with a user PIN before they can be used. Once they’re initialised as required, they can be used like any of the other object types whose functionality they provide, for example an RSA action object could be created through the device object for a smart card with RSA capabilities, or a certificate object could be stored in a device object for a Fortezza card as if it were a keyset. The implementation of each object is completely hidden from the user, so that the only way they can access the object is by sending information to it across a carefully- controlled channel. Figure 1 illustrates how three low- level action objects (implementing DES, SHA-1, and RSA) would be handled. The object handles are small integer values, unrelated to the object itself, which are used to pass control information and data to and from the object.

Container objects generally contain other objects (as well as data and attributes) within them. For example each certificate object has an (internal) public or private key context attached to it as shown in Figure below.

This encryption context can't be directly accessed by the user, but can be used in the carefully controlled manner provided by the certificate object. For example if the certificate object contains an attribute specifying that the attached public-key context may only be used for digital signature (but not encryption) purposes then any attempt to use the object for encryption purposes would be flagged as an error.
Object Security and Access Control
The most important security feature of the architecture is that each object is contained entirely within its security perimeter, so that data and control information can only flow in and out in a very tightly-controlled manner, and that objects are isolated from each other within the perimeter by the security kernel. For example once keying information has been sent to an object, it can't be retrieved by the user except under tightly-controlled conditions (the only real case where this can occur is when an object's ACL permits a short-term session key to be exported in encrypted form, or a private key to be stored in encrypted form to a permanent storage medium such as a smart card or disk). In general keying information isn't even visible to the user, since it is generated inside the object itself and never leaves the security perimeter. This design is ideally matched to hardware implementations which perform strict red/black separation, since sensitive information can never leave the hardware.
Associated with each object is a mandatory access control list (ACL) which determines who can access a particular object and under which conditions the access is allowed. At a very coarse level, each object has a mandatory access control setting which determines whether it is externally visible or not (that is, whether it has a handle which is valid outside the security perimeter). Only externally visible objects can be (directly) manipulated by the user, with ACL enforcement being handled by the architectures security kernel.
Another ACL entry is used to determine which processes or threads can access an object. This entry is set by the object's owner either when it is created or at a later point when the security properties of the object are changed, and provides a much finer level of control than the internal/external access ACL. Since an object can be bound to a process or a thread within a process by an ACL, it may be invisible to other processes or threads, resulting in an access error if an attempt is made to access it from another process or thread.
A typical example of this ACL's use is shown in diagram below, which illustrates the case of an object created by a central server thread setting up a key in the object and then handing it off to a worker thread which uses it to encrypt or decrypt data. This model is typical of multithreaded server processes which use a core server thread to manage initial connections and then hand further communications functions off to a collection of active threads. Object Security Implementation
When an object is created, it is identified to the entity which requested its creation through an arbitrary handle, an integer value which has no connection to the objects data or associated code. The handle represents an entry in an internal object table which contains information such as a pointer to the objects data and ACL information for the object. Both the object table and the object data are protected through locking and ACL mechanisms. Creating a new object works as follows: caller requests object creation by kernel lock object table; create new object with requested type and attributes; if( object was created successfully ) add object to object table; set object state = under construction; unlock object table; caller completes object-specific initialisation caller sends initialisation complete message to kernel lock object table; set object state = normal; unlock object table;
This simply creates an object of the given type with the given attributes, adds an entry for it to the object table, marks it as under construction so it can't be accessed in the incomplete state, and returns a pointer to the object data to the caller (the caller being code within the architecture itself, the user never has access to this level of functionality). At this point the caller can complete any object-specific initialisation, after which it sends an "init complete" message to the kernel which sets the objects state to normal, unlocks the object and returns its handle to the user.
The object table is maintained by the security kernel. When a new object is created, it tries to allocate a handle into the object table, with the handles being allocated in a pseudorandom manner, not so much for security purposes but to avoid the problem of the user freeing a handle by destroying an object and then immediately having the handle reused for the next object allocated, leading to problems if some of the users code still expects to find the previous object accessible through the handle. If the object table is full, it is expanded to make room for more entries. When an object is created, the kernel sets an ACL entry which marks it as being visible only within the architecture, so that the calling routine has to explicitly make it accessible outside the architecture by changing the ACL (that is, it defaults to deny-all rather than permit-all). The object can also have a variety of attributes specified for its creation such as the type of memory used (some systems can allocate limited amounts of protected, nonpageable memory which is preferred for sensitive data such as encryption contexts).
When the user passes an objects handle to crypt-lib, it performs the following actions: lock object table; verify that the handle is valid; verify that the object allows this type of operation; verify that the ACL allows external access; verify that the ACL allows access by the calling thread; if( access allowed ) set object state = processing message; further messages will be enqueued for later processing unlock object table; forward message to object; lock object table; set object state = normal; unlock object table;
This performs the necessary ACL checking for the object in an object-independent manner. The link from external handles through the cryptlib-wide object table and ACL check to the object itself is shown in Figure below

Expected results
Schedule
Estimated budget
Conclusion
This paper has presented a flexible, platform-independent cryptographic security architecture which is suited to software, hardware, and hybrid implementations. By encapsulating the functionality inside independent intelligent objects protected by a central security kernel, portions of the architecture can be replaced or updated with a minimum of effort while guaranteeing a consistent interface and handling of the objects within the architecture. As implemented in crypt-lib, this design has been successfully deployed on systems ranging from 16-bit microcontrollers through to supercomputers, languages ranging from C/C++ through to Perl and Visual Basic, and interfaced to a wide variety of cryptographic hardware and other devices, providing a single consistent interface across all of these platforms and languages (write once, encrypt anywhere).

REFERENCES: * Masashi Une and Masayuki Kanda, "Year 2010 Issues on Cryptographic Algorithms", Discussion Paper No. 2006-E-8, IMES, C.P.O BOX 203 Tokyo, 100-8630 Japan * Ing. Cristian MARINESCU, prof.dr.ing. Nicolae PU; "An Overview of the Attack Methods Directed Against the RSA Algorithm" Revista Informatica Economica, nr. 2(30)/2004 * Information Technology and Organizations: "Trends, Issues, Challenges and Solutions", VOLUME 1, 2003 Information Resources Management Association, International Conference,Philadelphia, Pennsylvania, USA,May 18-21, 2003

--------------------------------------------
[ 2 ]. (A hybrid approach of system security for small and medium enterprises: Combining different cryptography techniques - ResearchGate. Available from: http://www.researchgate.net/publication/261161670_A_hybrid_approach_of_system_security_for_small_and_medium_enterprises_Combining_different_cryptography_techniques [accessed Jun 17, 2015].