1 / 29

Security & Privacy

Security & Privacy. DSC340 Mike Pangburn. Agenda. Security Encrypted networking Types of encryption Shared key Public key Information privacy. Networking security: where are the vulnerabilities?. Internet. ISP. ISP. 24.48.0.1. Recall our prior discussion… asusme

leroy
Download Presentation

Security & Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security & Privacy DSC340 Mike Pangburn

  2. Agenda • Security • Encrypted networking • Types of encryption • Shared key • Public key • Information privacy

  3. Networking security: where are the vulnerabilities? Internet ISP ISP 24.48.0.1 Recall our prior discussion… asusme you have a router and thus a private IP address. You Your BFF 192.168.0.1 12.6.1.3

  4. Network connections with encryption Internet ISP ISP Turn on router’s encryption featureto encrypt the wireless signal. 24.48.0.1 Eaves-dropping difficult on this wireless linkafter enabling encryption (e.g., WPA) You Your BFF 12.6.1.3 192.168.0.1

  5. Better: encryption now activated in your friend’s router Internet ISP ISP 12.6.1.3 24.48.0.1 Better to have wireless encryption at both ends, (but you may have no control over the receiving end). You Your BFF 192.168.0.1 192.168.0.1

  6. But, what about all the miles between the small small routers? V u l n e r a b l e ! Internet ISP ISP Even though both you and your BFF areusing encryption at your “ends,” this is not “end to end” encryption. End to end encryption refers to keeping the data encrypted while it travels over the internet.The standard Internet TCP/IP network protocols do not encrypt packet data. But, someapplications send data in encrypted form, and there are options (e.g., VPN) for creating end-to-end encryption. 24.48.0.1 12.6.1.3 Your BFF You 192.168.0.1 192.168.0.1

  7. “End-to-end Encryption” via VPN Internet ISP ISP The University of OregonVPN gateway. VPN encryptionends at VPN server 128.223.3.201 24.48.0.1 VPN benefit: your PC gets a second IP address, this one assigned by the VPN server; makes it appear to UofO servers that your PC is on the UofO network. VPN client software UofO servers 192.168.0.1

  8. What is “encryption”? • Simply put, encryption is a scheme for scrambling data to make it difficult to decipher • Two encryption approaches • The shared key approach • Already discussed, the most “obvious” case • Like having a shared key to a padlock • The public key approach • Not obvious! Give everyone the key to your lock? • We will see how this work in a few minutes.

  9. Shared Key example: the “Caesar” cipher TREATY IMPOSSIBLE Key value: 3 WUHDWB LPSRVVLEOH

  10. Prior scenario was “shared key” (password) ISP • Wireless hub encryption standards(such as WPA or WPA2) use the shared-key approach • You define a password (the key) within the wireless hub, • The same password (key) must be configured in your computer’s networking software 24.48.0.1 192.168.0.1

  11. Shared key encryption also use when communicating with web servers Plaintext Plaintext Jane Smith’s CCN is 4408 3380 7002 2652 Jane Smith’s CCN is 4408 3380 7002 2652 Encrypt Decrypt Cyphertext ud5nh!ntD4go’bQa%tq How is the shared key established?By your computer initially sending password information using the server’s “public key”

  12. Public/private key encryption Mathematically linked Private key Public key • Two mathematically-related, yet separate keys • The formulalinking public and private key #’s is sufficiently complicated that knowing one # doesn’t let you figure out the other • In other words, the formula connecting the two #’s is more complex than:public value + private value = 100 • The couple guys who came up with the formula have earned 100’s of million of $ using it to secure data for customers • They also published the formula for everyone to see • Your Private Key: you keep this # secret • Your Public Key: you publicly disclose this # • Information encrypted by public key can only be decrypted by its own private key, and vice versa.

  13. Public/private Key Encryption Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Security depends on the secrecy of the private key. Source: Wikipedia.org

  14. Using a private key as a “digital signature” Alice scrambles her message with her private key. If you can unscramble the message with Alice’s public key, then you know the message wasn’t tampered with since being scrambled by the holder of Alice’s public key. But, how do you know that person is really Alice? Digital sig. proves message has not been tampered with, but to deal with the impersonation issue industry created “Certificate Authorities” (next slide) Source: Wikipedia.org

  15. Obtaining a public/private key pair for your company? • You pay a “Certificate Authority” (CA) to generate and issue a key pair • Verisign (a big CA) or its competitors • Generally you enter into a 2 year service agreement • For the next 2 years, Verisign’sserver sends all your site visitors a “Verisign digital certificate” that provides your firm’s name and public key for encrypted dialog with your webserver • Browser (e.g., Firefox, IE) can show user that certificate information which show • User can feel safe to the extent they trust in Verisign and public/private key encryption

  16. Summary: 3 diff. security purposes Encryption Digital Signature Digital Certificate

  17. Agenda • Security • Encrypted networking • Types of encryption • Shared key • Public key • Information privacy discussion

  18. Some Modern Threats to Info. Privacy • Electronic Surveillance • Hacker attacks (later) • Phishing email • Look at these two sites: • http://www.mailfrontier.com/forms/msft_iq_test.html • http://www.sonicwall.com/furl/phishing/ • Viruses • SpyWare (“alien ware”) • e.g., keyloggers • Public records • Fundrace example

  19. Personal Information in Databases A Carnegie Mellon study showed that it doesn’t take much to find someone with a minimum of data. Simply by knowing gender, birth date, and postal zip code, 87 percent of people in the United States could be pinpointed by name.

  20. Personal Information in Databases • Companies have four standard approaches for tracking data about us: • Accepting what we knowingly provide • Logging our “clickstream” data • Using cookies to store our session data on their site • Site can thus “remembers us” when we return later (as per our online advertising discussion) • Buying data from data aggregators.

  21. Data Aggregators: big business • Acxiom, a $1.3 billion a year business • The firm holds data profiling some two hundred million Americans. • Combines public source data on real estate, criminal records, and census reports, with private information from credit card applications, warranty card surveys, and magazine subscriptions. • ChoicePoint • Accidentally in 2005 sold financial records on 145,000 people to a cybercrime identity theft ring. • Fined $15M ($0.015B) dollars from the Federal Trade Commission • In February, 2008, Reed Elsevier acquired ChoicePoint for $4.1 billion.

  22. Employee hiring survey

  23. Be careful about how your company handles privacy • For companies and government organizations, policies are evolving and becoming stricter • HIPAA (the U.S. Health Insurance Portability and Accountability Act) governs data use and privacy among healthcare providers, insurers, and employers. • The European Privacy Directive governs data use for firm’s operating in the EU

  24. Corporate “Code of Ethics” • Example: how your firm will treat customer information (“privacy code”) • Opt-out Model • Opt-in Model (friendlier) • Code of Ethics • Should be documented /enforced

  25. Security is a management issue • In a fairly recent Computer Crime and Security Survey… • 90% of large companies and government agencies reported computer security breach • 80% reported sizeable financial loss • Many companies, in addition to the Chief Information Officer (CIO), now have a Chief Information Security Officer (CISO).

  26. Conclusions • Networking and encryption technologies exist (e.g. encryption) to help protect you • Suspicion can protect youfrom many commonthreats • Both high tech (e.g., phishing)and low • Continue to learn about security threats over time

  27. Conclusions • Managers need to identify new business opportunities • Example: car insurance • SafeCo’s “teensurance” • Progressive’s Snap Shot • How far should businesses take these trends? • Pizza delivery scenario • “Picture mining”… Microsoft Sea Dragon

More Related