Information Security Best Practices

  • Keith MayesEmail author
  • Konstantinos Markantonakis


We are increasingly reliant on the use of IT systems in our normal day- to-day business and personal activities. It is of paramount importance that these systems are sufficiently secure to protect sensitive, valuable and private data, and associated storage, communications and transactions. Therefore, the design and use of such systems should be in accordance with best practices for information security that have been developed by industry, government and the worldwide expert community. This chapter emphasises the need for system security and goes on to explain technical choices such as algorithms, key size and trust management, and concludes with a real-world case study.


Smart Card Block Cipher Advance Encryption Standard Certification Authority Near Field Communication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Hacking at Random, [Online Available]
  2. 2.
    Hack a Day site, [Online Available]
  3. 3.
    K. Mayes, K. Markantonakis, “Smart Cards, Tokens, Security and Applications”, Springer Verlag, 2007Google Scholar
  4. 4.
    Federal Information processing Standards, Data Encryption Standard (DES), FIPS publication 46–3 [Online Available]
  5. 5.
    Federal Information processing Standards, Advanced Encryption Standard (AES), FIPS publication 197. [Online Available]
  6. 6.
    Rivest, R.; A. Shamir; L. Adleman (1978). “Method for Obtaining Digital Signatures and Public-Key Cryptosystems”. Communications of the ACM 21 (2): 120–126.Google Scholar
  7. 7.
    Jan Petzl (2006), “Cryptanalysis with a low cost FPGA Cluster”, IPAM Workshop Special Purpose Hardware for Cryptography [Online Available]
  8. 8.
    SP 800-57 Recommendation for Key Management - Part 1: General, and Part 2: Best Practices for Key Management Organizations, NIST, March 2007Google Scholar
  9. 9.
    SP 800-131, Recommendations for the Transitioning of Cryptographic Algorithms and Key Lengths. NIST, drafted June 2010Google Scholar
  10. 10.
    ECRYPT II Yearly Report on Algorithms and key-sizes (2009–2010), Revision 1.0, ECRYPT II, 30th March 2010Google Scholar
  11. 11.
    Diffie, Whitfield; Hellman, Martin E. (June 1977). “Exhaustive Cryptanalysis of the NBS Data Encryption Standard”. Computer 10 (6): 74–84Google Scholar
  12. 12.
    Ralph Merkle, Martin Hellman: On the Security of Multiple Encryption (PDF), Communications of the ACM, Vol 24, No 7, pp 465–467, July 1981Google Scholar
  13. 13.
    Paul van Oorschot, Michael J. Wiener, A known-plaintext attack on two-key triple encryption (PDF), EUROCRYPT’90, LNCS 473, 1990, pp 318–325Google Scholar
  14. 14.
    Auguste Kerckhoffs, “La cryptographie militaire”, Journal des sciences militaires, vol. IX, pp. 5–83, Jan. 1883, pp. 161–191, Feb. 1883Google Scholar
  15. 15.
    P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis”, technical report, 1998; later published in Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes In Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999Google Scholar
  16. 16.
    Crypto++, Benchmarks, [Online Available], April 2011
  17. 17.
    M. Bellare, P. Rogaway. Optimal Asymmetric Encryption - How to encrypt with RSA. Extended abstract in Advances in Cryptology - Eurocrypt’94 Proceedings, Lecture Notes in Computer Science Vol. 950, A. De Santis ed, Springer-Verlag, 1995Google Scholar
  18. 18.
    Birthday attack, [Online Available]
  19. 19.
    FIPS 180–2: Secure Hash Standard (SHS) (PDF,) - Current version of the Secure Hash Standard (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512), 1 August 2002, amended 25 February 2004.Google Scholar
  20. 20.
    rfc2104, [Online Available]
  21. 21.
    NIST SP 800–90. Recommendation for Random Number Generation, March 2007.Google Scholar
  22. 22.
    EMV Books 1–4 Version 4.1 2004, [Online Available]
  23. 23.
    GlobalPlatform, [Online Available]
  24. 24.
  25. 25.
    Common Criteria Portal [Online Available]
  26. 26.
    Nohl K, Starbug, Plotz H. MIFARE, little security, despite obscurity. Presentation on the 24th Congress of the Chaos Computer Club (CCC); December 2007Google Scholar
  27. 27.
    Courtois NT, Nohl K, O’Neil S. Algebraic attacks on the crypto-1 stream cipher in MIFARE Classic and oyster cards, vol. 166. Cryptology ePrint Archive, [Online Available]; 2008. Report.
  28. 28.
    Gans GK, Hoepman JH, Garcia FD. A practical attack on the MIFARE Classic. Proceedings of the 8th Smart Card Research and Advanced Application Workshop (CARDIS 2008). LNCS 5189, pp. 267–282. Heidelberg: Springer; 2008.Google Scholar
  29. 29.
    Garcia FD, Gans GK, Muijrers R, Rossum P, Verdult R, Schreur RW, et al. Dismantling MIFARE Classic. Proceedings of ESORICS 2008, LNCS 5283. Springer; 2008. pp. 97–114.Google Scholar
  30. 30.
    OV-Chipkaart System, [Online Available]
  31. 31.
    Dutch News Public transport smart card fraud under investigation 6th July 2011 [Online Available]
  32. 32.
    M. Hilbert and P. Lopez, “The world’s technological capacity to store, communicate and compute information”, Science Express: Feb. 10, 2011. [Online Available]
  33. 33.

Copyright information

© Springer Science+Business Media New York 2014

Authors and Affiliations

  1. 1.Information Security Group, Smart Card CentreRoyal Holloway, University of LondonLondonUnited Kingdom

Personalised recommendations