1st Edition

Security without Obscurity A Guide to Confidentiality, Authentication, and Integrity

By J.J. Stapleton Copyright 2014
    355 Pages 78 B/W Illustrations
    by Auerbach Publications

    The traditional view of information security rests on three cornerstones: confidentiality, integrity, and availability; the author, however, asserts that authentication, rather than availability, is the third keystone. As the field continues to grow in complexity, novices and professionals alike need a reliable reference that clearly outlines the essentials. Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity fills this need.

    Rather than focusing on compliance or on policies and procedures, this book takes a top-down approach. It shares the author's knowledge, insights, and observations about information security, drawn from his experience developing dozens of ISO Technical Committee 68 (TC68) and ANSI-accredited X9 standards. Starting with the fundamentals, it shows how to approach information security from the bedrock principles of confidentiality, integrity, and authentication.

    The text goes beyond the usual abstract treatment of encryption and digital signatures as the fundamental security controls to explain how to implement them in applications, policies, and procedures that meet business and compliance requirements. Providing a foundation in cryptography, it keeps the treatment of symmetric versus asymmetric cryptography simple and refers to algorithms only in general terms, without going deeply into the underlying mathematics.

    Presenting comprehensive and in-depth coverage of confidentiality, integrity, authentication, non-repudiation, privacy, and key management, this book supplies authoritative insight into the commonalities and differences of various users, providers, and regulators in the U.S. and abroad.

    Introduction
    About This Book
         Audience for This Book 
         Guide to This Book
    Standards
         Standards Organizations 
         ISO TC68 Financial Services 
         ASC X9 Financial Services 
         Standards Depreciation 
    Risk Assessment 
         Threat Analysis 
         Vulnerability Analysis 
         Probability Analysis 
         Impact Analysis 
         Control Adjustments 
         Example Assessment

    Confidentiality 
    Data Classification 
         Data Groups 
         Data Tagging
    Data States 
         Data in Transit 
              Encryption Methods 
              Encryption Methods 2 
              Encryption Methods 3
         Data in Process 
         Data in Storage
    Data Encryption 
         Session Encryption 
         Field Encryption 
         Data Tokenization 
         Data Encryption Keys

    Authentication 
    Authentication Factors 
         Single-Factor Authentication 
         Multifactor Authentication 
         Multisite Authentication
    Knowledge Factors 
         Person Entity (PE) Authentication 
         Nonperson Entity (NPE) Authentication 
         Knowledge-Based Authentication (KBA) 
         Zero Knowledge (ZK) Authentication
    Possession Factors 
         Hardware Objects 
         Data Objects 
         Software Objects 
         One-Time Passwords (OTP)
    Biometric Factors 
         Biometric Technology 
         Biometric Enrollment 
         Biometric Verification 
         Biometric Identification
    Cryptography Factors 
         Symmetric Cryptography
         Asymmetric Cryptography 
         Cryptographic Authentication 
         Cryptographic Protocols
    Signature Synonyms 
         Handwritten Signatures 
         Dynamic Signatures 
         Digital Signatures 
         Electronic Signatures
    Provisioning

    Integrity
    Integrity Check Value (ICV) Description 
         ICV Composition 
         Integrity Check Points
    Data Integrity States
         Data in Transit 
         Data in Process 
         Data in Storage
    Integrity Check Methods
         Longitudinal Redundancy Check (LRC) 
         Cyclic Redundancy Check (CRC) 
         Hash and Message Digest 
         Message Authentication Code (MAC) 
         Hashed Message Authentication Code (HMAC) 
         Digital Signature 
         Time-Stamp Token (TST)
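    The distinction that runs through the Integrity Check Methods chapter is between an integrity check value (ICV) that only detects accidental corruption (LRC, CRC, a bare hash) and one that also resists deliberate tampering (MAC/HMAC, digital signature). The following Python example is added here as an illustration of that point and is not code from the book; the payment-style record, the MAC key, and the attacker's "wrong key" are all constructed for the demonstration. It computes each ICV over the same record, then shows that reordering bytes inside the amount field leaves the LRC unchanged, that a CRC or hash does detect the change but can simply be recomputed by whoever altered the record, and that only the keyed HMAC rejects the forgery.

```python
"""Unkeyed vs keyed integrity check values (LRC, CRC-32, SHA-256, HMAC-SHA256).

Added illustration for the book's Integrity Check Methods topics; not code
from the book. All sample data below is constructed.
"""
import binascii
import hashlib
import hmac

# Constructed sample record (the PAN is a well-known test number) and a
# constructed 16-byte MAC key shared by sender and receiver.
MESSAGE = b"PAN=4111111111111111;AMT=100.00;CUR=USD"
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of every byte, one byte of redundancy."""
    value = 0
    for b in data:
        value ^= b
    return value


def crc32(data: bytes) -> int:
    """CRC-32 (the ZIP/Ethernet polynomial) via the standard library."""
    return binascii.crc32(data) & 0xFFFFFFFF


def sha256_hex(data: bytes) -> str:
    """Plain message digest; unkeyed, so anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag; only holders of `key` can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_unkeyed(data: bytes, icv, icv_fn) -> bool:
    """Receiver-side check for an unkeyed ICV carried with the data."""
    return icv_fn(data) == icv


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


def reorder_amount(data: bytes) -> bytes:
    """Attacker move: permute bytes inside the AMT field (100.00 -> 010.00).

    The byte multiset is unchanged, so any order-insensitive check (LRC) is
    unchanged too, while the amount drops from 100.00 to 10.00.
    """
    return data.replace(b"AMT=100.00", b"AMT=010.00")


def demo() -> dict:
    """Run the forgery against each ICV and report which checks it fools."""
    forged = reorder_amount(MESSAGE)

    # 1. LRC: the permutation is invisible without recomputing anything.
    lrc_fooled = lrc(forged) == lrc(MESSAGE)

    # 2. CRC-32 and SHA-256 do notice the permutation (a 9-bit burst is well
    #    inside CRC-32's burst-detection guarantee) ...
    crc_detects = crc32(forged) != crc32(MESSAGE)
    hash_detects = sha256_hex(forged) != sha256_hex(MESSAGE)
    #    ... but whoever rewrote the record also rewrites the trailer, and the
    #    receiver has no way to tell a recomputed ICV from the original.
    crc_forged_accepted = verify_unkeyed(forged, crc32(forged), crc32)
    hash_forged_accepted = verify_unkeyed(forged, sha256_hex(forged), sha256_hex)

    # 3. HMAC: the receiver accepts the genuine tag and rejects a tag the
    #    attacker computed under a guessed key.
    genuine_tag = hmac_tag(KEY, MESSAGE)
    attacker_tag = hmac_tag(b"attacker-guess", forged)  # constructed wrong key
    hmac_accepts_original = verify_hmac(KEY, MESSAGE, genuine_tag)
    hmac_rejects_forgery = not verify_hmac(KEY, forged, attacker_tag)

    return {
        "lrc_fooled_by_reorder": lrc_fooled,
        "crc_detects_reorder": crc_detects,
        "hash_detects_reorder": hash_detects,
        "crc_forged_accepted": crc_forged_accepted,
        "hash_forged_accepted": hash_forged_accepted,
        "hmac_accepts_original": hmac_accepts_original,
        "hmac_rejects_forgery": hmac_rejects_forgery,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

    The receiver-side lesson is the one the chapter headings point at: a CRC or hash carried alongside the data protects against noise, not against an adversary who can write both the data and its ICV; the moment the ICV must survive an attacker, it needs a key (MAC/HMAC) or a signature, and in either case the key-management chapter becomes the real control.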

    Nonrepudiation
    Technical Considerations
    Cryptographic Considerations
    Operational Considerations
    Legal Considerations

    Privacy
    Technical Considerations 
         Privacy Data Elements 
         Cross-Border Jurisdictions
    Cryptographic Considerations
    Operational Considerations
         Roles and Responsibilities 
         Security Policy
    Legal Considerations 
         European Union (EU) Privacy Directive 
         Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) 
         United Kingdom Data Privacy Act (DPA) 
         United States Privacy Laws and Guidelines 
         Federal Trade Commission (FTC)—Privacy of Consumer Financial Information
         Health Insurance Portability and Accountability Act (HIPAA) 
         Fair Credit Reporting Act (FCRA) 
         Federal Privacy Act

    Key Management
    Cryptographic Algorithms 
         Encryption
         Message Authentication Code (MAC) 
         Hashed Message Authentication Code (HMAC) 
         Hash 
         Digital Signature 
         Key Transport 
         Key Agreement 
         Summary of Algorithms
    Cryptographic Modules 
         Common Criteria 
         NIST Cryptographic Modules 
         ANSI Tamper Resistant Security Modules
         ISO Secure Cryptographic Modules
    Key-Management Life Cycle 
         Cryptography Risks 
         Life-Cycle Phases 
         Life-Cycle Controls
    Cryptographic Architecture 
         Security Policies, Practices, and Procedures
         Key Inventory 
         Network, Data, and Key Diagrams
    Public Key Infrastructure 
         Certificate Authority 
         Registration Authority
         Subject 
         Relying Party

    Bibliography

    Index

    Biography

    Jeff J. Stapleton has over 30 years' experience developing and assessing payment systems and security techniques, including cryptography and biometrics. His career includes work with the major card brands (MasterCard, Visa, American Express, and Discover) on payment systems and security assessments; Big Four accounting firm experience performing security assessments of applications, systems, and products; engagements with large and medium-sized financial institutions providing risk assessments and security compliance audits; and developing policies, practices, and procedures for security systems.

    Jeff has participated in developing ISO and X9 security standards for over 25 years within the financial services industry. For the first five years, he participated on several X9 workgroups and has been an industry liaison and U.S. expert several times for various ISO workgroups. In addition, he has been chair of the X9F4 Cryptographic Protocols and Application Security Workgroup for 15 years. His experience includes participation on several X9 and ISO workgroups and development of over three dozen ISO and X9 standards. Some of the standards have multiple parts, which add to the overall count.

    Jeff has published articles in various information security journals, IEEE papers, PKI Forum notes, and is a contributing author to several books on biometrics and cryptography. He is also a patent holder for cryptographic solutions.

    Jeff has also authored various white papers for customers on debit card payments, key management, data loss prevention (DLP) solutions, and format-preserving encryption (FPE). He is a CISSP® and former Certified TG-3 Assessor (CTGA®) and PCI Qualified Security Assessor (QSA®). The CTGA and QSA are only viable for security consultants in active practice. He has also been a frequent public speaker at information security conferences, seminars, and webinars.

    Jeff's extensive practical experience in applying information security and his expertise in cryptographic standards make this book a must-read for the information security professional. Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity deserves a place in your reference library.
    —Ralph Spencer Poore, CFE, CISA, CISSP, CHS-III, PCIP, ISSA Distinguished Fellow, ISSA Honor Roll

    Having worked at the same consulting firm and also on a project with author J.J. Stapleton (full disclosure), I knew he was a really smart guy. In Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity, Stapleton shows the world how broad his security knowledge is. When it comes to the world of encryption and cryptography, Stapleton has had his hand in a lot of different cryptographic pies. He has been part of cryptographic accreditation committees for many different standards bodies across the globe. ... Those looking for a highly technical overview, interoperability guidance, and overall reference will find the book most rewarding. ... One of the ways Stapleton brings his broad experience to the book is in the many areas where he compares different types of cryptosystems, technologies, and algorithms. This enables the reader to understand which type of authentication is most beneficial for a specific requirement. ... For anyone looking for an authoritative text on how to fully implement cross-platform security and authentication across the enterprise, this is a valuable reference to get that job done.
    —Book review by Ben Rothke, writing on slashdot.org
    View the full review at: http://books.slashdot.org/story/14/06/16/1245237/book-review-security-without-obscurity


    … the author is well qualified to assay the vital information technology field of computer network security … The text is peppered with instructive figures and tables … very clearly written …
    —John Maxymuk for ARBAonline