
Internet and Information Security


Presentation Transcript


1. Internet and Information Security
• The industry of computer and information security is thriving
(c) 2004 West Legal Studies in Business, A Division of Thomson Learning

2. Challenges of Internet and Information Security
• In 2000, 2 billion users and 200 million computers (U.S. Computer Emergency Response Team)
• Global interconnection of computers overwhelms any individual country's efforts to completely secure computers and networks
• Commerce is impeded by security concerns

3. People want privacy, but the Internet is one big "party line"

4. Goals of Security of Computers, Systems, and Information
• Confidentiality: keep certain information private; no unauthorized party gets in or lets information out
• Authenticity: make sure of who you are talking to
• Integrity: make sure unauthorized changes are not made to the information

5. Balance the Goals of Security Against Usability and Government Over-Control
• Security can't make a system so hard to use that people will not use the system or the data
• Some think security shouldn't make it impossible for the government to ensure that the Internet is not used for illegal purposes (for example, terrorism)

6. Top Security Products
• Firewalls
• Access controls
• Encryption
• Client/server security
• LAN/WAN security
• Web security
• Network/communications security
• Disaster recovery
• E-mail security
• Mainframe security

7. Firewalls
• "Moat" with gateways
• VPNs = private intranets and networks the public cannot get to; technically, an encrypted tunnel that extends a private network across the public Internet
• Offers protection from outside, but not from inside security breaches (an attacker already inside the perimeter, or a compromised insider, passes through unchallenged)
• Firewall may be defective = liability

8. Access Control
• Checkpoints
• Password protection / script-based Single Sign-On (SSO)
• Certificate Authorities and digital certificates
• Attribute certificates can be created to allow access to only certain parts of the data
• Biometrics
• Tokens

9. Checkpoints
• Checkpoints along the way while traveling into and out of the secure area
• Secure data and information as it is being transmitted

10. Password Protection / Script-based Single Sign-On (SSO)
• People forget the passwords
• SSO is usually not usable between external users such as clients and business partners

11. Certificate Authorities and Digital Certificates
• Certificate Authorities issue and manage digital IDs ("passports")
• Only those who can authenticate their identities and authority through the Certificate Authorities may access the secure data
• Attribute certificates can be created to allow access to only certain parts of the data

12. Biometrics
• Authenticates users by employing technologies that capture human characteristics for identification purposes: face, iris, voice, or signature; fingerprints or retinas; palm prints; hand or finger geometry; and DNA
• Caveat: unlike a password, a compromised biometric cannot be changed, so the stored template must be protected as carefully as a key

13. Other Security Measures
• Tokens = digipasses; hand-held password generators; some plug into the computer
• Smart cards = digital credentials, but can also store and retrieve data; contain an embedded processor and operating system; used in telephones
• Holography = holographic images embossed or incorporated into a photopolymer process, hidden or apparent (hot-stamped foil, rainbow-colored wrappers)
• Processor serial numbers = the serial number of that particular computer authenticates the information, and information can be traced back to that particular computer (caveat: a serial number is an identifier, not a secret, so software can read and spoof it; it proves little on its own)
• Time-stamped digital signatures
• Electronic signatures

14. Cryptography
• Private key (symmetric) encryption: a system of coding and then decoding the message
• Encrypt the plaintext by use of a mathematical algorithm and store it as ciphertext. Then transmit. Then decode (decrypt) it back into plaintext after transmission
• Need the same key to decode it, to reverse the algorithm and reassemble the message; the key, not the algorithm, is the secret

15. Cryptography: Originally Used to Transmit Classified Military Information
• It was originally classified as "munitions" under the State Department's Office of Defense Trade Controls
• Government totally controlled cryptography and possessed all of the keys to decode information
• Government used private key or symmetric encryption, in which the same key is used to code and decode

16. U.S. Govt. Adopted Data Encryption Standard (DES) in 1977
• Standard encryption algorithm for many official applications
• Replaced by the Advanced Encryption Standard (AES) in 2001
• Originally created by IBM; encrypts plaintext in blocks of 64 bits with 56-bit keys
• One supplier and many users = the government could dispense and keep track of the keys
• If the key gets out, there is no security
• Now in use are 512-bit and 1024-bit encryption programs (note: these lengths refer to public-key moduli, which are not comparable to symmetric key sizes; AES uses 128-, 192- or 256-bit keys, a 512-bit RSA modulus was factored in 1999, and 1024-bit RSA has since been retired in favor of 2048 bits or more)

17. Cryptography Began to be Used in Commercial Transactions
• President Clinton's Executive Order 13026, 61 Federal Register 58767 (1996), transferred jurisdiction over commercial cryptography to the Commerce Department

18. Public Key / Private Key Encryption
• 1976: cryptographers Diffie and Hellman invented public key / private key theory
• The theory that it is possible for someone to announce the precise method of coding a message while at the same time retaining a secret private key for decoding it
• Three mathematicians (Rivest, Shamir and Adleman) patented their RSA algorithm, the public asymmetric two-key encryption system in use today
• The sender and receiver do not share the same key
• The parties use their own keys that are mathematically related, but the private key cannot feasibly be derived from the public key
• Government does not have control
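The two mechanisms of slides 14 and 18, shared-key and public-key encryption, side by side as an added teaching example (not code from the slides or from the textbook). The symmetric cipher is a stream cipher whose keystream is HMAC-SHA256 run in counter mode, a stand-in for DES/AES chosen so the script needs only Python's standard library; the public-key half is textbook RSA on the toy primes 61 and 53. Neither is production-grade: there is no padding and no authentication tag, and a 12-bit modulus can be factored by hand. The sample message, key sizes and prime choices are constructed for illustration.

```python
"""Shared-key versus public-key encryption (added example, not from the slides)."""
import hashlib
import hmac
import secrets


# --- Symmetric (slide 14): one key, used both to encrypt and to decrypt ----

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudo-random bytes: HMAC-SHA256 in
    counter mode. Stand-in for a real block cipher such as AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream. Because XOR is its own inverse, the
    same call encrypts and decrypts, which is exactly the 'same key' property."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# --- Public key (slide 18): announce how to encrypt, keep how to decrypt ---

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes. Returns ((n, e) public, (n, d) private).
    d is the inverse of e modulo (p-1)(q-1); without p and q, recovering d
    from (n, e) means factoring n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public, m: int) -> int:
    """Anyone holding the published (n, e) can do this step."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    """Only the holder of the secret exponent d can do this step."""
    n, d = private
    return pow(c, d, n)


def demo():
    """Walk through both properties with constructed sample data."""
    msg = b"wire $5,000 to account 42"          # constructed sample message
    key = secrets.token_bytes(32)               # 256-bit shared secret
    nonce = secrets.token_bytes(16)
    ct = sym_crypt(key, nonce, msg)
    assert sym_crypt(key, nonce, ct) == msg                      # right key recovers it
    assert sym_crypt(secrets.token_bytes(32), nonce, ct) != msg  # wrong key does not

    public, private = rsa_keypair(61, 53)       # n = 3233, a toy modulus
    c = rsa_encrypt(public, 65)                 # encrypt with the public half
    assert rsa_decrypt(private, c) == 65        # decrypt with the private half
    return ct, c


if __name__ == "__main__":
    print(demo())
```

Running demo() exercises the slide 14 property (the same key, and only that key, recovers the plaintext) and the slide 18 property (anyone holding (n, e) can encrypt, but only the holder of d can decrypt, and d comes from p and q, which are never published). Real deployments use RSA-OAEP or a key exchange followed by an authenticated cipher such as AES-GCM, never raw RSA on tiny primes or an unauthenticated stream cipher.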

19. Encryption and Decryption
• Have become extremely strong, or secure, through complexity and thus key length, through the introduction of more bits
• Is behind the PKI technology and the Secure Electronic Transaction (SET) protocol used by business today
• Can post material on a public website so that it is only available to certain users

20. Constitutional Amendment Issues
• 1st Amendment: is cryptography "speech," and thus protected under the 1st Amendment?
• 4th Amendment: can law enforcement control access to recovery/decoding keys without a warrant?
• 5th Amendment: self-incrimination (can they make you reveal the key?) and substantive due process (is the law fair?)

21. 1st Amendment Rights
• If it is "speech," can the government control cryptography?
• What kind of speech is it?
• Commercial speech is less protected than personal speech
• Here the government only has to show a substantial government interest for the control, as opposed to non-commercial speech, where the government has to have a compelling reason for control
• The 1st Amendment favors subsequent punishment of speech rather than prior restraint on that speech
• Courts begin with the presumption that prior restraint is unconstitutional
• Only legal where the control is narrowly tailored to the speech involved and the government demonstrates a compelling interest in regulating this speech
• China (in contrast) controls all secrecy speech

22. Case
• Universal City Studios, Inc., Paramount Pictures, Metro-Goldwyn-Mayer, Tri-Star Pictures, Columbia Pictures, Time Warner Entertainment, Disney Enterprises, Twentieth Century Fox v. Corley (2d Cir. 2001), the DeCSS case: posting and linking to DVD-descrambling code enjoined under the DMCA anti-circumvention provisions

23. 1998 Regulation
• Regulation controlled the export of certain software: downloading, or causing the downloading of, controlled encryption source code and object code to locations outside the United States requires government approval
• Case law on cryptography is in flux

24. Junger v. Daley (N.D. Ohio 1998), rev'd, 209 F.3d 481 (6th Cir. 2000)
• Approval needed for exporting items on the Commerce Control List
• Junger's postings (course materials containing encryption source code) were subject to this regulation
• Junger filed suit: violation of 1st Amendment rights

25. Junger cont.
• 1st Amendment's purpose: to foster the spread of ideas and to assure unfettered interchange of ideas
• The district court held:
• Expressive software contains an exposition of ideas
• Functional software is designed to enable a computer to do a designated task. It does not explain a cryptographic theory or describe how the software functions; it merely carries out the function of encryption
• Used to perform functions, not to communicate ideas: it doesn't tell how to do it, but does it
• Not protected
• Not a prior restraint because not directed at expressive conduct
• On appeal the Sixth Circuit reversed (2000): because source code is an expressive means for exchanging information and ideas about computer programming, it is protected by the 1st Amendment; the case was remanded for review of the regulations under that standard

26. May 1999 Bernstein v. Department of Justice
• The Ninth Circuit said cryptographic source code was "speech" protected by the 1st Amendment; the court invalidated federal regulations that allowed the government to restrain speech indefinitely with no articulated criteria for review
• The Ninth Circuit will rehear this case en banc (the panel opinion was withdrawn)

27. Conflict: Government versus Business
• Businesses say this regulation is hindering U.S. businesses from competing with other makers of encryption software who face no export controls
• Law enforcement personnel say regulation is needed to break into communications involving drug trafficking and terrorism

28. 1999 Encryption Policy Changed
• Transcript of White House crypto briefing
• Revised U.S. encryption export control regulations, January 2000
• Submitted to Congress: Cyberspace Electronic Security Act of 1999 (CESA)

29. New Rules
• Balance four values: national security, public safety, privacy, and commerce
• Permit industry to export any 64-bit encryption product or software under a license exception for commercial, non-governmental use, except to Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria
• Retail products exceeding 64 bits may be exported under a license exception to all users, including governments, except to the seven states
• U.S. will support modernization of multilateral encryption export controls
• New category of retail encryption commodities and software
• Must still file "post-export" reports with the government for any products exceeding 64 bits

30. Still Problems: Can Export, But Still Have to Get Govt. Approval
• Is very costly
• Discourages academia and start-up companies
• The Electronic Privacy Information Center, Electronic Frontier Foundation, and American Civil Liberties Union concur that defects remain: one can freely send on paper what one cannot send electronically

31. Scheme Still Discretionary
• Can't post source code if you know it is going to be read by one of the seven states
• Can't provide information on how to create encryption technologies, but can provide information on other source code

32. Govt. Has Proposed a National Plan for Information Systems Protection
• Govt. would get a copy of the decoding key (key recovery) to protect against money laundering, tax fraud, bribery, racketeering, terrorism, corruption, espionage, and economic crimes

33. Bernstein v. U.S. Department of Commerce (N.D. Cal. 2002)
• New case to continue to challenge restrictions on export of encryption technology

34. Steganography
• Process of hiding messages within a text or graphic
• Not apparent that there is a message at all (unlike encryption, which hides the content but not the fact that something is hidden)
• Commercially: watermarks
• Reported use by terrorists to hide instructions
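Slide 34's claim that a hidden message need not be apparent can be made concrete with least-significant-bit (LSB) embedding, the simplest image steganography. This is an added example, not code from the slides: the "image" is a constructed list of 8-bit grayscale pixel values generated from a fixed seed, so the script runs offline with the standard library; each message bit replaces the lowest bit of one pixel, a change of at most one gray level, and a 32-bit length header tells the extractor where the message ends. The hidden text is made up.

```python
"""LSB steganography in a constructed 8-bit grayscale image (added example)."""
import random

HEADER_BITS = 32   # a 4-byte big-endian message length precedes the payload


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels: list, message: bytes) -> list:
    """Hide `message` in the LSBs of `pixels`; returns a new pixel list.
    Every pixel moves by at most 1 gray level, so the picture looks unchanged."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("message too long for this cover image")
    out = list(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit       # clear the LSB, then set it to `bit`
    return out


def extract(pixels: list) -> bytes:
    """Recover a message hidden by embed(); raises if the header is nonsense."""
    def read(start: int, nbits: int) -> int:
        value = 0
        for i in range(start, start + nbits):
            value = (value << 1) | (pixels[i] & 1)
        return value
    length = read(0, HEADER_BITS)
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("no valid hidden message")
    return bytes(read(HEADER_BITS + 8 * k, 8) for k in range(length))


def max_pixel_change(cover: list, stego: list) -> int:
    """Largest per-pixel difference between cover and stego image.
    For LSB embedding this is never more than 1, which is why it is invisible."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(width: int, height: int, seed: int = 1) -> list:
    """Constructed sample cover image: deterministic pseudo-random noise."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height)]


def demo():
    cover = make_cover(64, 64)               # 4096 pixels: room for 508 message bytes
    stego = embed(cover, b"meet at dawn")    # constructed hidden text
    return extract(stego), max_pixel_change(cover, stego)


if __name__ == "__main__":
    print(demo())
```

Because only the LSB plane is touched, the cover and stego images look identical, which is the point of slide 34, but the statistics of that plane change, and that is what steganalysis tools (chi-square and sample-pair tests) look for. Since this payload is not encrypted, anyone who suspects LSB embedding reads it directly; practical tools encrypt first and scatter the bits over pseudo-random pixel positions chosen by a key.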

35. Fourth Amendment
• Is govt. collection of recovery keys equal to a warrantless search and seizure?
• Katz v. United States: reasonable expectation of privacy in a public phone booth
• Is just collecting the keys and not using them a violation of the 4th Amendment?

36. Businesses Beware
• Businesses should know the encryption policies of governments around the world if they are going to do business using encryption in those countries

37. Kyllo v. United States (2001)
• Use of a thermal imager to detect heat inside a home, with technology not in general public use, is a search requiring a warrant

38. 9/11
• Department of Homeland Security
• Chief of Cybersecurity
• USA PATRIOT Act

39. USA PATRIOT Act (October 2001)
• Gives govt. greater authority to track and intercept communications without a warrant
• Intercept communications to and from a trespasser within a computer system (with the system owner's consent)
• Nationwide execution of court orders for access to stored communications
• Permits nationwide pen register and trap-and-trace orders for electronic communications like e-mail
• Now data mining is allowed as a basis for generating suspicion to start an investigation
• Creates new crimes and two types of forfeiture procedures; harder on aliens; requires disclosure of suspicious transactions by financial institutions; increases penalties for terrorism

40. Two Surveillance Technologies
• Carnivore / DCS-1000: installed at ISPs; reads and analyzes packets of data
• Key logger systems: Magic Lantern, keystroke-recording software
• United States v. Scarfo (a key logger installed on a suspect's computer to capture his PGP passphrase)

41. 5th Amendment: Protects Against Self-Incrimination
• Is compulsory registration and disclosure of algorithm keys violative of the right against being compelled to give self-incriminating information?
• Is an algorithm key testimony? Or is it just like a house key, the means to get to the testimony or information?

42. Fifth Amendment: Affords Due Process
• Substantive due process
• Is the law fair?
• Balance the right against the government's reason
• If not a fundamental right, the government does not need a compelling reason
• Procedural due process
• Is the process of the law fair?
• Should there be a hearing in encryption licensing for export challenges?
• Government can't just be capricious, arbitrary, and unreasonable in the hearing
• If for national security, this is probably not capricious, etc.

43. Karn v. Department of State (D.D.C. 1996)
• Submitted a commodity jurisdiction request to export the book Applied Cryptography by Bruce Schneier: granted
• Submitted a commodity jurisdiction request to export the disk containing the same source code from Applied Cryptography: denied
• Court found the government's decision rational: treating the machine-readable disk differently from the printed book was a rational distinction

44. Privacy, Security, and Crimes: the Evolving Legal Environment
• Patchwork of laws
• No boundaries
• Have to balance with usability
• Most systems out there are vulnerable

45. International Efforts to Set Out Policy
• Clinton's "A Framework for Global Electronic Commerce," to protect the Global Information Infrastructure
• June 2001: European Commission published "Network and Information Security: Proposal for a European Policy Approach"
• April 2002: European Commission proposed the "Council Framework Decision on Attacks Against Information Systems" (adopted in February 2005 as Framework Decision 2005/222/JHA)

46. Encryption and Cryptography Systems
• EU publication "Ensuring Security and Trust in Electronic Commerce" notes the importance of security and trust in open networks
• "Cryptography and Liberty" survey (EPIC): rates the nations of the world as to their restrictions on the use of cryptography

47. Organization for Economic Cooperation and Development (OECD) Guidelines 2002
• 30 nations; nine principles recommended:
• Awareness
• Responsibility
• Response
• Ethics
• Democracy
• Risk assessment
• Security design and implementation
• Security management
• Reassessment

48. Encryption is Still Considered Military Technology
• In treaties: the "Wassenaar Arrangement" reinforced this definition in the agreement among western and former Soviet nations to increase stability and security through export controls on conventional arms and dual-use goods and technologies
• Encryption (munitions) is still subject to government controls

49. Other Countries' Policies
• UK
• China
• Japan
