22 April

Final Deliverables and Presentations

Privacy and Security


Final Deliverables: due at start of final


On your home page

In a single easily visible box, links/directions

Not in the box means not there

Documentation

Functional spec

Design document

User manuals

  • Project

    • Executable

    • Code

  • Presentation


Project Executable

  • Access

    • Desktop: instructions for download and install

      • These should be the instructions for any user, not just for me

    • Web-based: url and supported browsers

  • Log-ins

    • Login name and password if needed

    • If there is an administrator or super-user, I need an id with that privilege

  • Hardware needed to run

    • Give it to me after presentation or

    • Where in Sitterson I can get it


Project Code

  • Where I can find it

    • If I need to be given access to it, do it

      • [email protected] or [email protected]

  • How I can view it

    • Do I need to install any software?

    • Is there a preferred IDE or tool?

  • General description of who wrote which pieces


Documentation

  • List of user manuals

    • If they are part of your program (e.g., on-line help), explain how I find it

  • SINGLE web page or document that incorporates each of

    • Functional spec

    • Design document

    • Each user manual


Retrospective

  • Final essay

  • Team evaluation


Final Presentations: A Celebration of Your Achievement


The Plan

  • Final is 4-7 on Thursday, May 1

    • Pizza dinner to be provided at 7

    • Pot luck dessert

  • Each team has 20 minutes including set-up

  • Clients will be invited

    • Scheduling based on client availability and preference

  • Open to the public


Presentation Content

  • What the project is

  • Why it is important

  • How it was built

    • Platform

    • Architecture

    • (Interesting development aspects)

  • Process lessons: NOT personal

  • Most important piece: demo


Privacy


Aspects of Privacy

  • Freedom from surveillance

  • Control of our own information

  • Freedom from intrusion


Historical Basis of Privacy

  • Justice of Peace Act (England 1361)

    • Provides for arrest of Peeping Toms and eavesdroppers

  • Universal Declaration of Human Rights (1948)

    • No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.

  • European Convention on Human Rights (1970)

    • Everyone has the right to respect for his private and family life, his home and his correspondence.


Legal Realities of Privacy

  • Self-regulation approach in US, Japan

  • Comprehensive laws in Europe, Canada, Australia

  • European Union

    • Limits data collection

    • Requires comprehensive disclosures

    • Prohibits data export to unsafe countries

      • Or any country for some types of data


Implementing Privacy

  • Anonymity

  • Security

  • Transparency and Control: knowing what is being collected


Privacy and Trust

  • Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others

  • Includes

    • right to browse the Internet or use applications without being tracked unless permission is granted in advance

    • right to be left alone

  • True privacy implies invisibility

  • Without invisibility, we require trust


Technologies

  • privacy aware technologies (reactive)

    • non-privacy-related solutions that enable users to protect their privacy

    • Examples

      • password and file-access security programs

      • unsubscribe

      • encryption

      • access control

  • privacy enhancing technologies (proactive)

    • solutions that help consumers and companies protect their privacy, identity, data and actions

    • Examples

      • popup blockers

      • anonymizers

      • Internet history clearing tools

      • anti-spyware software


Impediments to Privacy

  • Data collection and sharing

  • Cookies

    • Web site last year was discovered capturing cookies that it retained for 5 years

  • Sniffing, Snarfing, Snorting

    • All are forms of capturing packets as they pass through the network

    • Differ by how much information is captured and what is done with it


P3P

  • Platform for Privacy Preference

    • World Wide Web Consortium (W3C) project

  • Voluntary standard published as a “note”

  • Web site

    • Policy machine readable, structured

  • Browsers

    • Understand policy

    • Behave according to user’s preferences


Privacy and Wireless

  • “Wardriver” program: scans for broadcast SSIDs

    • broadcasting improves network access, but at a cost

  • once the program finds the SSID

    • obtains the IP address

    • obtains the MAC address

  • Lowe’s was penetrated this way

    • Stole credit card numbers


Security


Network Security

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench”

– Gene Spafford (Purdue)


Attacks

  • Information Transmission

  • Information Systems


Information Transmission Attack

[Diagram: a Sender and a Receiver exchange a Message over an Information channel. A Security-related transformation, keyed with Secret Information held by each side, turns the Message into a Secure Message before it enters the channel and back again on arrival. A Trusted Third Party acts as arbiter and distributor of the secret information. An Opponent sits on the Information channel.]


Information Systems Attack

[Diagram: an Opponent (hackers, malicious software) reaches the system's Data and Software only through an Access Channel, which is guarded first by a Gatekeeper and then by Internal Security Control.]

Gatekeeper – firewall or equivalent, password-based login

Internal Security Control – Access control, logs, audits, virus scans etc.


Firewall Techniques

  • Filtering

    • Doesn’t allow unauthorized messages through

    • Can be used for both sending and receiving

    • Most common method

  • Proxy

    • The firewall actually sends and receives the information

    • Sets up separate sessions and controls what passes in the secure part of the network


DMZ: Demilitarized Zone

  • Arrangement of firewalls to form a buffer or transition environment between networks with different trust levels

[Diagram: Internet – Firewall – DMZ – Firewall – Internal resources]


Three Tier DMZ

[Diagram: Internet – Firewall – Web Server – Firewall – App Server – Firewall – Internal resources]
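The tiered arrangement can be checked as a policy rather than only drawn. The following is an added example, not code from the slides: a small Python model in which each firewall between two adjacent zones carries a default-deny allow-list of (source zone, destination zone, port) triples, and a flow is accepted only if every firewall on its path allows that exact triple. The zone names, firewall names and ports (443, 8443, 5432) are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int


# Zones in the order traffic must traverse them; firewall i sits between
# ZONES[i] and ZONES[i+1]. Names are assumptions made for this example.
ZONES = ("internet", "web_dmz", "app_dmz", "internal")
FIREWALLS = ("outer", "middle", "inner")

# Per-firewall allow-lists of (source zone, destination zone, destination port).
# Anything not listed is denied. Constructed sample policy for the three tiers.
FIREWALL_RULES = {
    "outer":  {("internet", "web_dmz", 443)},    # only HTTPS reaches the web tier
    "middle": {("web_dmz", "app_dmz", 8443)},    # only the web tier talks to the app tier
    "inner":  {("app_dmz", "internal", 5432)},   # only the app tier reaches the database
}


def firewalls_on_path(src_zone: str, dst_zone: str) -> list:
    """Every firewall between the two zones is crossed, in either direction."""
    lo, hi = sorted((ZONES.index(src_zone), ZONES.index(dst_zone)))
    return list(FIREWALLS[lo:hi])


def is_allowed(flow: Flow) -> bool:
    """A flow passes only if each firewall on its path explicitly allows the
    (source, destination, port) triple. Because each firewall only lists its
    own two neighbouring zones, a multi-hop flow (e.g. Internet straight to the
    app tier) never matches and is denied. Same-zone flows cross no firewall."""
    path = firewalls_on_path(flow.src_zone, flow.dst_zone)
    rule = (flow.src_zone, flow.dst_zone, flow.dst_port)
    return all(rule in FIREWALL_RULES[fw] for fw in path)


def reachable_from_internet() -> set:
    """Audit helper: which (zone, port) pairs can an outside host reach directly?"""
    ports = {port for rules in FIREWALL_RULES.values() for (_, _, port) in rules}
    return {(zone, port) for zone in ZONES[1:] for port in ports
            if is_allowed(Flow("internet", zone, port))}


if __name__ == "__main__":
    for f in (Flow("internet", "web_dmz", 443), Flow("internet", "app_dmz", 8443),
              Flow("web_dmz", "app_dmz", 8443), Flow("internet", "internal", 5432)):
        print(f, "allowed" if is_allowed(f) else "denied")
    print("directly reachable from the Internet:", reachable_from_internet())
```

The audit helper makes the point of the three tiers concrete: the only thing an outside host can reach is the web server on 443; a request must terminate there, and the web server opens its own connection to the app tier, which in turn is the only zone allowed to reach the internal database.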


Issues in Network Security

  • Physical and logical placement of security mechanisms

  • Effect of communication protocols

  • Encryption (cryptography) can provide several of the security services

    • Private key vs. public key

  • Distribution of secret information to enable secure exchange of information is important


Key Technologies

  • Encryption

  • Authentication


Encryption

  • All encryption algorithms from BC till 1976 were secret key algorithms

    • Also called private key algorithms or symmetric key algorithms

    • Julius Caesar used a substitution cipher

    • Widespread use in World War II (Enigma)

  • Public key algorithms were introduced in 1976 by Whitfield Diffie and Martin Hellman


Security Level of Encrypted Data

  • Unconditionally Secure

    • Unlimited resources + unlimited time

    • Still the plaintext CANNOT be recovered from the ciphertext

  • Computationally Secure

    • Cost of breaking a ciphertext exceeds the value of the hidden information

    • The time taken to break the ciphertext exceeds the useful lifetime of the information


Private Key


Caesar Cipher

  • Substitute the letter 3 ahead for each one

  • Example:

    • Et tu, Brute

    • Hw wx, Euxwh

  • Quite sufficient for its time

    • High illiteracy

    • New idea


Enigma Machine (Germany, World War II)

  • Simple Caesar cipher through each rotor

  • But rotors shifted at different rates

    • Roller 1 rotated one position after every encryption

    • Roller 2 rotated every 26 times…

http://www.trincoll.edu/depts/cpsc/cryptography/enigma.html


Types of Attacks

  • Ciphertext only

    • adversary has only ciphertext

    • goal is to find plaintext, possibly key

  • Known plaintext

    • adversary has plaintext and ciphertext

    • goal is to find key

  • Chosen plaintext

    • adversary can get a specific plaintext enciphered

    • goal is to find key


Attack Mechanisms

  • Brute force

  • Statistical analysis

    • Knowledge of natural language

    • Examples:

      • All English words have vowels

      • There are only two one-letter words in English

      • High probability that u follows q
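The Caesar cipher slide and the attack mechanisms above fit together in one worked example, added here and not part of the lecture's material: a Python Caesar cipher that reproduces the slide's "Et tu, Brute" / "Hw wx, Euxwh" pair, followed by a ciphertext-only attack that brute-forces all 26 keys, discards candidates with the slide's two language rules (every word has a vowel; the only one-letter words are "a" and "I"), and ranks the rest by English letter statistics. The frequency table is an approximate one constructed for this example.

```python
import re
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (percent) of each letter in English prose.
# Constructed from the commonly published tables; exact values matter little.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def caesar_shift(text: str, shift: int) -> str:
    """Shift each ASCII letter `shift` places along the alphabet, keeping case;
    spaces and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int = 3) -> str:
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int = 3) -> str:
    return caesar_shift(ciphertext, -key)


def looks_english(text: str) -> bool:
    """The slide's two plausibility rules: every word contains a vowel
    (y counted as a vowel) and the only one-letter words are 'a' and 'I'."""
    for word in re.findall(r"[A-Za-z]+", text):
        if not any(c in "AEIOUY" for c in word.upper()):
            return False
        if len(word) == 1 and word.upper() not in ("A", "I"):
            return False
    return True


def english_score(text: str) -> float:
    """Mean English frequency of the letters present: higher looks more like English."""
    letters = [c for c in text.upper() if c in ALPHABET]
    if not letters:
        return 0.0
    return sum(ENGLISH_FREQ[c] for c in letters) / len(letters)


def break_caesar(ciphertext: str) -> list:
    """Ciphertext-only attack: brute force all 26 keys, drop candidates that fail
    the language rules, rank the rest by letter statistics.
    Returns (score, key, plaintext) tuples, best candidate first."""
    candidates = []
    for key in range(26):
        guess = decrypt(ciphertext, key)
        if looks_english(guess):
            candidates.append((english_score(guess), key, guess))
    candidates.sort(reverse=True)
    return candidates


if __name__ == "__main__":
    c = encrypt("Et tu, Brute")
    print(c)                              # Hw wx, Euxwh
    score, key, plain = break_caesar(c)[0]
    print(key, plain)                     # 3 Et tu, Brute
```

With nine letters the statistics are thin, and the language rules do most of the work (a key of 0 yields "Hw", a word without a vowel, and is discarded); on a sentence of normal length the frequency ranking alone is decisive, which is why a 26-key cipher offers no protection against an adversary with a knowledge of the language.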


Private Key Cryptography

  • Sender, receiver share common key

    • Keys may be the same, or trivial to derive from one another

    • Sometimes called symmetric cryptography or classical cryptography

  • Two basic types

    • Transposition ciphers (rearrange bits)

    • Substitution ciphers

  • Product ciphers

    • Combinations of the two basic types


DES (Data Encryption Standard)

  • A block cipher:

    • encrypts blocks of 64 bits using a 64 bit key

    • outputs 64 bits of ciphertext

    • A product cipher

      • performs both transposition (permutation) and substitution on the bits

  • Considered weak

    • Susceptible to brute force attack

  • http://www.tropsoft.com/strongenc/des.htm


History of DES

  • IBM develops Lucifer for banking systems (1970s)

  • NIST and NSA evaluate and modify Lucifer (1974)

  • Modified Lucifer adopted as federal standard (1976)

    • Name changed to Data Encryption Standard (DES)

    • Defined in FIPS (46-3) and ANSI standard X9.32

  • NIST defines Triple DES (3DES) (1999)

    • Single DES use deprecated; only for legacy systems

  • NIST approves Advanced Encryption Std. (AES) (2001)

    • AES will replace DES and 3DES


Cracking DES

  • 1998: Electronic Frontier Foundation cracked DES in 56 hrs using a supercomputer

  • 1999: Distributed.net cracked DES in 22 hrs

  • For an investment of $1 million for specialized hardware, DES can be cracked in less than an hour.


Public Key


Public Key Cryptography

  • Two keys

    • Private key known only to individual

    • Public key available to anyone

      • Public key, private key inverses

  • Confidentiality

    • encipher using public key

    • decipher using private key

  • Integrity/authentication

    • encipher using private key

    • decipher using public one


Public Key Requirements

  • Computationally easy to encipher or decipher a message given the appropriate key

  • Computationally infeasible to derive the private key from the public key

  • Computationally infeasible to determine the private key using a chosen plaintext attack


RSA

  • Public key algorithm described in 1977 by Rivest, Shamir, and Adleman

  • Exponentiation cipher

  • Relies on the difficulty of factoring a large integer

  • RSA Labs FAQ document

    http://www.rsasecurity.com/rsalabs/node.asp?id=2152


Summary

  • Private key (classical) cryptosystems

    • encipher and decipher using the same key

  • Public key cryptosystems

    • encipher and decipher using different keys

    • computationally infeasible to derive one from the other


Authentication

  • Assurance of the identity of the party that you’re talking to

  • Primary technologies

    • Digital Signature

    • Kerberos


Digital Signature

  • Authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”)

  • Sender cannot deny having sent message (service is “nonrepudiation”)

    • Limited to technical proofs

      • Inability to deny one’s cryptographic key was used to sign

    • One could claim the cryptographic key was stolen or compromised

      • Legal proofs, etc., probably required

  • Protocols based on both public and private key technologies


RSA for Digital Signature

  • Private key to sign

  • Public key to validate
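The public key cryptography, RSA and digital signature slides above describe one mechanism used two ways, and a single worked example covers all of them. This is an added example, not code from the lecture: textbook RSA in Python, with the public exponent used to encipher and the private exponent to decipher (confidentiality), then the private exponent applied to a SHA-256 digest to sign and the public exponent to validate (integrity/authentication). The primes are toy sizes chosen for this example (the classic p=61, q=53 pair, and a slightly larger pair), and the final function shows the hardness assumption the slides state: with a small modulus, trial division factors n and hands over the private key.

```python
import hashlib
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Textbook RSA key generation from two primes. Returns (public, private),
    each as (n, exponent). No padding, no prime checks: illustration only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key: tuple, m: int) -> int:
    """Confidentiality: anyone can encipher with the public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key: tuple, c: int) -> int:
    """Only the holder of d can decipher."""
    n, d = private_key
    return pow(c, d, n)


def message_digest(message: bytes, n: int) -> int:
    """Sign a fixed-size digest of the message, reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """Integrity/authentication: encipher the digest with the private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Decipher the signature with the public key and compare with the digest."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def recover_private_key(public_key: tuple) -> tuple:
    """Why n must be large: for a toy modulus, trial division finds p and q,
    and from phi(n) the private exponent follows immediately."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    raise ValueError("no factor found")


if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)       # the classic textbook pair
    print(public, private)                            # (3233, 17) (3233, 2753)
    c = encrypt(public, 65)
    print(c, decrypt(private, c))                     # 2790 65
    public, private = make_keypair(104729, 104723)   # still tiny; constructed for the demo
    msg = b"transfer 100 to bob"
    s = sign(private, msg)
    print(verify(public, msg, s), verify(public, b"transfer 900 to bob", s))   # True False
    print(recover_private_key(public) == private)    # True: the modulus is far too small
```

The two uses share one primitive, which is why the slides list "private key to sign, public key to validate" as simply the mirror image of confidentiality; signing the digest rather than the message itself is what lets a fixed-size signature cover a message of any length. Real deployments add padding and use moduli of at least 2048 bits precisely so that the last function becomes infeasible.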


Kerberos

  • Authentication system

    • Central server plays role of trusted third party

  • Ticket (credential)

    • Issuer vouches for identity of requester of service

  • Authenticator

    • Identifies sender

  • User must

    • Authenticate to the system

    • Obtain ticket to use server S

  • Problems

    • Relies on synchronized clocks

    • Vulnerable to attack
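The ticket, authenticator and clock dependence on the Kerberos slide can be seen end to end in a short simulation. This is an added example, not code from the lecture or from any Kerberos implementation: the KDC (trusted third party) issues a ticket that only service S can open, the client proves it holds the session key with a timestamped authenticator, and S accepts only if the ticket is genuine and unexpired, the names match, the authenticator's timestamp is within the skew tolerance, and it has not been seen before. The principal names, long-term secrets and the 300-second tolerance are this example's assumptions, and the encryption is a toy encrypt-then-MAC built from hashlib and hmac standing in for the ciphers real Kerberos uses.

```python
import hashlib
import hmac
import json
import os

# Constructed long-term secrets each principal shares with the KDC (the trusted third party).
LONG_TERM_KEYS = {"alice": b"alice-long-term-secret", "S": b"service-S-long-term-secret"}
MAX_CLOCK_SKEW = 300          # seconds; Kerberos deployments commonly tolerate about five minutes
TICKET_LIFETIME = 8 * 3600    # seconds a ticket stays valid


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stand-in for a real block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a JSON object under `key` (toy construction, illustration only)."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def kdc_issue(client: str, service: str, now: float) -> dict:
    """KDC vouches for `client`: a ticket only `service` can open, carrying a fresh
    session key, wrapped together with a copy of that key only `client` can open."""
    session_key = os.urandom(16).hex()
    ticket = encrypt(LONG_TERM_KEYS[service],
                     {"client": client, "session_key": session_key, "expires": now + TICKET_LIFETIME})
    return encrypt(LONG_TERM_KEYS[client], {"session_key": session_key, "ticket": ticket})


def client_request(client: str, kdc_reply: dict, now: float) -> tuple:
    """Client recovers the session key and proves it holds it with a timestamped authenticator."""
    reply = decrypt(LONG_TERM_KEYS[client], kdc_reply)
    authenticator = encrypt(bytes.fromhex(reply["session_key"]), {"client": client, "timestamp": now})
    return reply["ticket"], authenticator


def service_verify(service: str, ticket: dict, authenticator: dict, now: float, replay_cache: set) -> str:
    """Service S: ticket genuine and unexpired, authenticator opens under the ticket's
    session key, names match, clock within tolerance, not seen before. Returns the client."""
    t = decrypt(LONG_TERM_KEYS[service], ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = decrypt(bytes.fromhex(t["session_key"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["timestamp"]) > MAX_CLOCK_SKEW:
        raise ValueError("clock skew too large: authenticator rejected")
    seen = (a["client"], a["timestamp"])
    if seen in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add(seen)
    return t["client"]


def _flip_first_byte(blob: dict) -> dict:
    ct = bytes.fromhex(blob["ct"])
    return {**blob, "ct": (bytes([ct[0] ^ 1]) + ct[1:]).hex()}


def run_scenarios(now: float = 1_700_000_000.0) -> dict:
    """Happy path, then: the same authenticator replayed, S's clock ten minutes off,
    a tampered ticket, and a ticket presented after its lifetime."""
    reply = kdc_issue("alice", "S", now)
    ticket, auth = client_request("alice", reply, now)
    cache = set()
    outcomes = {"fresh": service_verify("S", ticket, auth, now + 1, cache)}
    for name, tk, when, cch in [("replay", ticket, now + 2, cache),
                                 ("skew", ticket, now + 600, set()),
                                 ("tampered", _flip_first_byte(ticket), now + 1, set()),
                                 ("expired", ticket, now + TICKET_LIFETIME + 1, set())]:
        try:
            service_verify("S", tk, auth, when, cch)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} {outcome}")
```

The "skew" scenario is the slide's "relies on synchronized clocks" in action: a service whose clock drifts past the tolerance rejects every honest client, and a tolerance made generous enough to paper over drift widens the window in which a captured authenticator can be replayed, which is why the replay cache and the skew limit have to be considered together.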


The Bottom Line

  • Cyberspace will always have exposures

    • But so does our physical space

  • All decisions are based on risk-benefit analysis

    • System owners, developers, users
