Security privacy
Download
1 / 29

Security & Privacy - PowerPoint PPT Presentation


  • 109 Views
  • Uploaded on

Security & Privacy. DSC340 Mike Pangburn. Agenda. Security Encrypted networking Types of encryption Shared key Public key Information privacy. Networking security: where are the vulnerabilities?. Internet. ISP. ISP. 24.48.0.1. Recall our prior discussion… asusme

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Security & Privacy' - leroy


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Security privacy

Security & Privacy

DSC340

Mike Pangburn


Agenda
Agenda

  • Security

    • Encrypted networking

    • Types of encryption

      • Shared key

      • Public key

  • Information privacy


Networking security where are the vulnerabilities
Networking security: where are the vulnerabilities?

Internet

ISP

ISP

24.48.0.1

Recall our prior discussion… asusme

you have a router and thus a private IP address.

You

Your BFF

192.168.0.1

12.6.1.3


Network connections with encryption
Network connections with encryption

Internet

ISP

ISP

Turn on router’s encryption featureto encrypt the wireless signal.

24.48.0.1

Eaves-dropping difficult on this wireless linkafter enabling encryption (e.g., WPA)

You

Your BFF

12.6.1.3

192.168.0.1


Better encryption now activated in your friend s router
Better: encryption now activated in your friend’s router

Internet

ISP

ISP

12.6.1.3

24.48.0.1

Better to have wireless encryption at both ends, (but you may have no control over the receiving end).

You

Your BFF

192.168.0.1

192.168.0.1


But what about all the miles between the small small routers
But, what about all the miles between the small small routers?

V u l n e r a b l e !

Internet

ISP

ISP

Even though both you and your BFF areusing encryption at your “ends,” this is not “end to end” encryption. End to end encryption refers to keeping the data encrypted while it travels over the internet.The standard Internet TCP/IP network protocols do not encrypt packet data. But, someapplications send data in encrypted form, and there are options (e.g., VPN) for creating end-to-end encryption.

24.48.0.1

12.6.1.3

Your BFF

You

192.168.0.1

192.168.0.1


End to end encryption via vpn
“End-to-end Encryption” via VPN

Internet

ISP

ISP

The University of OregonVPN gateway.

VPN encryptionends at VPN server

128.223.3.201

24.48.0.1

VPN benefit: your PC gets a second IP address, this one assigned by the VPN server; makes it appear to UofO servers that your PC is on the UofO network.

VPN client software

UofO servers

192.168.0.1


What is encryption
What is “encryption”?

  • Simply put, encryption is a scheme for scrambling data to make it difficult to decipher

  • Two encryption approaches

    • The shared key approach

      • Already discussed, the most “obvious” case

        • Like having a shared key to a padlock

    • The public key approach

      • Not obvious! Give everyone the key to your lock?

      • We will see how this work in a few minutes.


Shared key example the caesar cipher
Shared Key example: the “Caesar” cipher

TREATY IMPOSSIBLE

Key value: 3

WUHDWB LPSRVVLEOH


Prior scenario was shared key password
Prior scenario was “shared key” (password)

ISP

  • Wireless hub encryption standards(such as WPA or WPA2) use the shared-key approach

    • You define a password (the key) within the wireless hub,

    • The same password (key) must be configured in your computer’s networking software

24.48.0.1

192.168.0.1


Shared key encryption also use when communicating with web servers
Shared key encryption also use when communicating with web servers

Plaintext

Plaintext

Jane Smith’s CCN is 4408 3380 7002 2652

Jane Smith’s CCN is 4408 3380 7002 2652

Encrypt

Decrypt

Cyphertext

ud5nh!ntD4go’bQa%tq

How is the shared key established?By your computer initially sending password information using the server’s “public key”


Public private key encryption
Public/private key encryption servers

Mathematically linked

Private key

Public key

  • Two mathematically-related, yet separate keys

    • The formulalinking public and private key #’s is sufficiently complicated that knowing one # doesn’t let you figure out the other

      • In other words, the formula connecting the two #’s is more complex than:public value + private value = 100

      • The couple guys who came up with the formula have earned 100’s of million of $ using it to secure data for customers

        • They also published the formula for everyone to see

  • Your Private Key: you keep this # secret

  • Your Public Key: you publicly disclose this #

  • Information encrypted by public key can only be decrypted by its own private key, and vice versa.


Public private key encryption1
Public/private Key Encryption servers

Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Security depends on the secrecy of the private key.

Source: Wikipedia.org


Using a private key as a digital signature
Using a private key as a “digital signature” servers

Alice scrambles her message with her private key. If you can unscramble the message with Alice’s public key, then you know the message wasn’t tampered with since being scrambled by the holder of Alice’s public key.

But, how do you know that person is really Alice?

Digital sig. proves message has not been tampered with, but to deal with the impersonation issue industry created “Certificate Authorities” (next slide)

Source: Wikipedia.org


Obtaining a public private key pair for your company
Obtaining a public/private key pair for your company? servers

  • You pay a “Certificate Authority” (CA) to generate and issue a key pair

    • Verisign (a big CA) or its competitors

    • Generally you enter into a 2 year service agreement

  • For the next 2 years, Verisign’sserver sends all your site visitors a “Verisign digital certificate” that provides your firm’s name and public key for encrypted dialog with your webserver

    • Browser (e.g., Firefox, IE) can show user that certificate information which show

  • User can feel safe to the extent they trust in Verisign and public/private key encryption


  • Summary 3 diff security purposes
    Summary: 3 diff. security purposes servers

    Encryption

    Digital Signature

    Digital Certificate


    Agenda1
    Agenda servers

    • Security

      • Encrypted networking

      • Types of encryption

        • Shared key

        • Public key

    • Information privacy discussion


    Some modern threats to info privacy
    Some Modern Threats to Info. Privacy servers

    • Electronic Surveillance

    • Hacker attacks (later)

      • Phishing email

        • Look at these two sites:

          • http://www.mailfrontier.com/forms/msft_iq_test.html

          • http://www.sonicwall.com/furl/phishing/

      • Viruses

      • SpyWare (“alien ware”)

        • e.g., keyloggers

    • Public records

      • Fundrace example


    Personal information in databases
    Personal Information in Databases servers

    A Carnegie Mellon study showed that it doesn’t take much to find someone with a minimum of data. Simply by knowing gender, birth date, and postal zip code, 87 percent of people in the United States could be pinpointed by name.


    Personal information in databases1
    Personal Information in Databases servers

    • Companies have four standard approaches for tracking data about us:

      • Accepting what we knowingly provide

      • Logging our “clickstream” data

      • Using cookies to store our session data on their site

        • Site can thus “remembers us” when we return later (as per our online advertising discussion)

      • Buying data from data aggregators.


    Data aggregators big business
    Data Aggregators: big business servers

    • Acxiom, a $1.3 billion a year business

      • The firm holds data profiling some two hundred million Americans.

      • Combines public source data on real estate, criminal records, and census reports, with private information from credit card applications, warranty card surveys, and magazine subscriptions.

  • ChoicePoint

    • Accidentally in 2005 sold financial records on 145,000 people to a cybercrime identity theft ring.

      • Fined $15M ($0.015B) dollars from the Federal Trade Commission

    • In February, 2008, Reed Elsevier acquired ChoicePoint for $4.1 billion.



  • Be careful about how your company handles privacy
    Be careful about how your company handles privacy servers

    • For companies and government organizations, policies are evolving and becoming stricter

    • HIPAA (the U.S. Health Insurance Portability and Accountability Act) governs data use and privacy among healthcare providers, insurers, and employers.

    • The European Privacy Directive governs data use for firm’s operating in the EU


    Corporate code of ethics
    Corporate “Code of Ethics” servers

    • Example: how your firm will treat customer information (“privacy code”)

      • Opt-out Model

      • Opt-in Model (friendlier)

    • Code of Ethics

      • Should be documented /enforced


    Security is a management issue
    Security is a serversmanagement issue

    • In a fairly recent Computer Crime and Security Survey…

      • 90% of large companies and government agencies reported computer security breach

      • 80% reported sizeable financial loss

    • Many companies, in addition to the Chief Information Officer (CIO), now have a Chief Information Security Officer (CISO).


    Conclusions
    Conclusions servers

    • Networking and encryption technologies exist (e.g. encryption) to help protect you

    • Suspicion can protect youfrom many commonthreats

      • Both high tech (e.g., phishing)and low

    • Continue to learn about security threats over time


    Conclusions1
    Conclusions servers

    • Managers need to identify new business opportunities

    • Example: car insurance

      • SafeCo’s “teensurance”

      • Progressive’s Snap Shot

    • How far should businesses take these trends?

      • Pizza delivery scenario

      • “Picture mining”… Microsoft Sea Dragon


    ad