
Halt who goes there

Chris Gledhill, Managing Director, PDMS

Aug 2001

Security: it's a big theme in the internet world and a huge source of confusion for anyone trying to work out how to deliver services online. Unfortunately it is also a classic example of how the IT industry is its own worst enemy. As with so many things in IT, the focus of the industry is on how to create intellectual property rights, or how to maintain the inflated share price of immature companies, rather than on the mundane business of applying appropriate and available technology to solving practical problems in a way we can all understand.

Although the technology may sound very complex, the practical issues of internet security are directly analogous to the mundane concerns of physical security we all deal with on a day-to-day basis. As with any specialist technology, we need to establish some practical analogies between what is going on in cyberspace and the real world. This makes it far easier to predict the consequences of decisions and keeps the decision-making process accessible to non-technical people.

The underlying elements of Internet security are actually quite simple to understand and can be divided into three main issues as follows.

Preventing break-ins

Businesses store data and have connections between their systems and the outside world. Protecting this data against theft is one of the practical issues in designing the underlying architecture of their computer networks and connections. Whilst this is a technical issue, it is directly analogous to designing a building to minimize the risk of physical attack. To pursue the analogy there is little difference between a hacker trying to break through a firewall and a ram raider crashing through a shop window. Both are real risks which can be minimized by design; thinking about it, both are probably carried out by disaffected teenage boys as well.

Confirming identity

In order to do business in anything but a face-to-face cash transaction we need to exchange information with confidence. Again, this is something we take completely for granted in the course of normal business when things are bought on account or someone checks a driving licence or passport.

Foiling spies

Very few people would send confidential business information to one another on postcards. This does not mean they don't trust the Post Office; it's just common sense. That's why we have envelopes and, where proof of delivery is important, registered post. Similarly, information transmitted over the internet may need to be protected from prying eyes and, as with the mail, the degree of protection depends on the sensitivity of the information and the consequences of it falling into the wrong hands.

Of these three main themes, the first is about the design of systems and should be invisible to the customer, whilst the other two are essential components of any online transaction. It is these two aspects, in the jargon 'authentication' and 'encryption', which I would like to examine in more detail here.

Authentication is what happens when I put my cash card into a cash point machine and enter a PIN. The combination of the card, which is something I have, and the PIN, which is something I know (on a good day), is sufficient to prove to the bank that it really is me that wants more cash; in other words, I have been recognized or 'authenticated'.

Actually, the process of authentication which led to the issue of cash from a hole in the wall has two parts. The first happens when I open the account. Providing personal details such as address and phone number, proof of identity, and specimen signatures is all part of the authentication process, but it only happens once. In effect, opening an account, which requires a fairly high level of scrutiny, creates a relationship. Then the bank can issue me with a unique key in the form of a cash card (something I have), and a PIN (something I know) to protect it in the event that it falls into the wrong hands. Once the account has been opened, the key and the PIN are quite enough to authenticate my subsequent cash withdrawals.

So the conclusion is that in order to take money from a bank account, which is probably as big a security issue as we are likely to encounter, we need to establish our identity by opening an account, and then we need a physical key and a password to confirm who is turning it. It's simple enough in the high street and no more complicated in cyberspace; the question is simply who opens the account and what kind of key they issue.

Encryption, or 'foiling spies', is the other main issue to consider. Information which passes through the Internet can theoretically be intercepted and abused. This applies to both e-mails and information entered directly onto forms within web sites. Encryption means sending these messages in code so that they cannot be read by anyone but the intended recipient.

One of the most famous examples of encryption is the Enigma machines used to encode and decode messages to German U-boats during the Second World War. As with the internet, the Germans could not prevent the interception of the radio signals, but the information in the transmissions was hidden from all but the intended recipient, who was in possession of the physical decoding machine.

Encryption in the internet world works in much the same way: information is encoded using a unique key. The message can then only be interpreted by a counterparty with the equivalent decoding key.

There are two main ways to transact business over the internet: either through an exchange of emails, or by direct access to business systems through forms on a web site. Of these, entering information directly into a form on a web site is a much simpler process to protect. For this type of communication the encryption capability is built into the web browser and can be activated automatically by the web site. Also, the risk is intrinsically lower because a web form provides a direct interface with the service provider's systems, whilst an email can still get 'lost in the post'.

Both encryption and authentication are important considerations when designing online services, but the main difference between taking money out of a cash machine and paying our taxes online is not the technical complexity; it's the novelty.

Copyright © 2001-2008 PDMS Ltd. All Rights Reserved.