[Random Thought] My Kerckhoffs Program

Named after the Dutch cryptographer Auguste Kerckhoffs, my program, Information Security Technology - Kerckhoffs' program, studies the technology of securing information. It is a three-university program, which means that during my study I am registered as a student of, and also study at, three universities in The Netherlands: TU/Eindhoven (my base), Radboud University, and University of Twente.

Just FYI, Auguste Kerckhoffs is known for Kerckhoffs's principle: a cryptosystem should be secure even if everything about the system, except the key, is public knowledge [wiki].

I may say that the more I study security, the more I understand that security is more than just hacking and breaking stuff. Well, any attack possibility is "a must" to keep in mind, but there are other aspects of security that need to be considered.

There is security in networks (as we are working on the network almost all the time), security in software (bugs are always one of the attacker's most loved things), security in hardware (well, side-channel attacks have proved that hardware can reveal a lot of information regardless of how secure the program is), and security in mobile devices (as mobile devices such as smartphones or sensor devices have become part of our daily life nowadays).

Some introduction to practical hacking, such as active and passive attacks, is always part of most courses in this program. And I may say, a passive attack, such as eavesdropping, is the easiest way to attack, as long as you can enter the network. However, one of the challenges is to keep the attacker unlisted in the log file. And a relay is always one way to make the attacker *a bit* unreachable. An active attack, well, as soon as you can obtain the key by spoofing stuff, you can easily impersonate the user. Easy to say, a bit hard to do though. Everything is easy, with some terms and conditions applying. :p

At the center of security there is always cryptography, which enciphers our plaintext so that it can be sent pleasantly in public. Another important thing is the protocol, or the manner in which we send information between parties, since a loophole in a communication protocol might open a slot for the attacker to infiltrate.

We might have seen, in a bunch of movies, a con man deceiving people into divulging their secret password. This is what makes social engineering one of the interesting aspects of security. Similar to a side channel, this method may leak secret information regardless of how secure the security program is. However, instead of leaking information from the hardware processing, this social leakage is caused by the tendency of "trust" between people.

Then of course, we are facing the real world, where some of us might take a job in a company. That's where security in organizations comes in. Here we study security standards, lots of ISO stuff, which (based on my experience) is a really important matter in assuring the company's security level. Well, this is more of a bureaucratic matter though, but it is still good to know if we are handling the company's IT security division.

Another aspect of security that's more in fashion recently is privacy. In the world of social networks, where we publicly announce our daily life, there are some parts of ourselves that we want to keep to ourselves. This is where data protection comes in, to protect our individual data and prevent an impostor from disguising as us. And, of course, we are living in a lawful world that protects our rights against arbitrariness, so we also study law in cyberspace. Or, from another point of view, we need to understand the law so that we would not be obstructed by the law.
