I have read a lot of articles about data security. Most of them focus on attacks such as social engineering, sniffers, man-in-the-middle attacks, deciphering raw data and so on. Even a small mistake by the user can expose his personal data: monthly financial statements, credit reports, online shopping accounts and the like can be compromised easily. We also often read about fraud committed by company employees.
Laws can protect the data, but not completely. Most people still rely on others to protect their personal information. Can we remove this dependency on others with simple solutions? Is it really possible to protect our data ourselves? Wouldn’t it be great if the data stayed hidden even when our credentials are compromised?
One of the frustrating things about password protection is that a password needs to be easy to remember. This leads many users to incorporate personal information into their passwords, and most passwords are the same, or differ only slightly, across many accounts.
What if the individual uses an SSL key to encrypt the data before saving it to the server? Then even if the password is known to the intruder, he will not be able to view the data. Here “individual” means a single person, a group, a company etc. How is this possible? There are various ways to implement this solution.
Currently I can think of three possibilities for implementing the extra protection:
1. The application itself provides the security: the user creates an SSL key pair (public and private), stores it at some location and tells the application where it is.
Pros: the user doesn’t need to put in extra effort for protection.
Cons: applications may implement the security differently, and the user may need to manage multiple keys, which could be difficult to keep track of.
2. The most convenient way to view the data is through HTTP. What if we intercept the data at the network layer (on Windows, through NDIS), encrypt it with a key (say the private key) and send it to the server, and when receiving data from the server, decrypt the encrypted data with a key (say the public key)?
Cons: a. Difficult to provide support for other platforms.
b. Extracting the information from the application could be difficult.
3. What if HTTP added one tag to its parser, say an <encryption> </encryption> tag? Keys for the encryption would be stored in the browser with some identification for groups, logins etc., and whenever the user visits the site the browser would use the appropriate key to decrypt the encrypted data.
Solution 3 could also be implemented for other communication protocols. It may provide support on other platforms as well, and it is a very generic way for individuals to implement protected pages themselves.
Looking to the future:
With “self protection” individuals can share information by means of cloud computing, p2p and mail. Small companies can buy space from hosting sites and secure their data by “self protection”.
Obviously this is not the end of protecting the data. Individuals may eventually use “biometric” methods to protect their data, but until then a digital “self protection” might be a great thing to start with.
By Abhijeet Phatak