System Security

You've been entrusted with personal, financial and valuable information about your card holders. With identity theft being the fastest growing crime in the United States, the security of your students' information is a pressing concern. What follows is a technical look at the IAS security system. You may wish to forward this information to your IT department for review.

IAS Security

All transactions within the IAS system are encrypted using the Advanced Encryption Standard (AES). The AES, which is actually the Rijndael (pronounced "Rain Doll") cipher, was developed by two Belgian cryptographers, Dr. Joan Daemen of Proton World International and Dr. Vincent Rijmen, a postdoctoral researcher in the Electrical Engineering Department (ESAT) of Katholieke Universiteit Leuven. On May 26th, 2002, the Secretary of Commerce approved the Rijndael cipher as the AES. It became the official U.S. Government standard.

The AES has been developed to replace DES, but NIST (National Institute of Standards and Technology) anticipates that Triple DES will remain an approved algorithm (for U.S. Government use) for the foreseeable future. Single DES is being phased out of use, and is currently permitted in legacy systems only.

In the late 1990s, specialized multi-processor "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message. Assuming that one could build a machine that could recover a DES key in a second (i.e., try 255^10 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old.

Unfortunately, encryption is not the total answer in securing your transactions from abuse. Encrypted packets are still vulnerable to attack. All a hacker has to do is capture one packet. Even if he has no knowledge as to what the packet contains, he can simply retransmit the packet, causing the same transaction to be executed over and over again. Bruce Schneier, author of Applied Cryptography, Secrets and Lies, Fast Software Encryption, and E-Mail Security, and the creator of the Twofish encryption algorithm, agrees. In the November 2003 issue of Dr. Dobb's Journal, Bruce states, "Encryption is important, but authentication is more important".

To implement authentication we use Packet-Lok, a token-passing scheme. Every response from a server contains a nearly unique encrypted token. The next transaction from the device must contain the token. If the token is different or the token has been used before, as in the previous paragraph, the packet is discarded. No attempt is made to acknowledge the bad packet. If your facility processes 10000 transactions each day, the nearly unique token will be reused every 1176 years.

IAS was designed and developed for secure, high-performance operation. Network security and performance were key design concerns. This commitment to research has resulted in the IAS being a high-performance, highly scalable, totally secure One Card system, and possibly the only secure system available to date.

IAS Mobile Wireless Security

Wireless network technology implements the 802.11 Wireless Encryption Protocol (WEP). According to scientists at Houston's Rice University, the WEP is "totally insecure". Using off-the-shelf hardware and software, the researchers were able to break WEP at its highest level of security. The attack was totally passive and undetectable. It took only a few hours to break.

The Gartner Group predicts that by the end of next year, 30% of enterprises will suffer a security breach through their wireless networks. Gartner's findings show that although wireless technology offers great flexibility and convenience, it also exposes the enterprise to an expanding set of access threats.

IAS Mobile implements Packet-Lok, our AES token passing system described above, making it the only totally secure product in this market using wireless technology.
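The token check described under IAS Security above, sketched as an added Python example; it is not IAS or Packet-Lok code. The class and method names, the enrollment step, the 128-bit random token and the per-device table are assumptions, and the AES layer that would carry the token is left out.

```python
import hmac
import secrets


class TokenGate:
    """Server-side state for a single-use token chain, one token per device."""

    def __init__(self):
        self._expected = {}  # device_id -> token the next transaction must carry

    def _issue(self, device_id):
        token = secrets.token_bytes(16)  # assumption: 128-bit random token
        self._expected[device_id] = token
        return token

    def enroll(self, device_id):
        """Hand a device its first token (hypothetical enrollment step)."""
        return self._issue(device_id)

    def handle(self, device_id, token, payload):
        """Return (result, next_token), or None to drop the packet silently."""
        expected = self._expected.get(device_id)
        # Constant-time comparison; an unknown device or a stale token fails.
        if expected is None or not hmac.compare_digest(expected, token):
            return None  # discarded, no acknowledgement sent
        result = "processed: " + payload
        # Issuing the next token overwrites the old one, so the packet that
        # was just accepted can never be accepted a second time.
        return result, self._issue(device_id)


def demo():
    gate = TokenGate()
    first_token = gate.enroll("reader-1")
    # Constructed sample packet, as an eavesdropper would record it.
    captured = ("reader-1", first_token, "debit 5.00")
    first = gate.handle(*captured)    # legitimate transaction
    replay = gate.handle(*captured)   # identical packet retransmitted
    follow_up = gate.handle("reader-1", first[1], "debit 1.25")
    return first, replay, follow_up


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check only holds if the token is cryptographically bound to the rest of the transaction, for example by authenticated encryption, which is assumed here. A lost response also leaves the device without a valid token, so a deployment needs a resynchronization step.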