22 April - PowerPoint PPT Presentation

PowerPoint Slideshow about '22 April' - dane-porter

22 April

Final Deliverables and Presentations

Privacy and Security

Final Deliverables: due at start of final

On your home page

In a single easily visible box, links/directions

Not in the box means not there


  • Documentation

    • Functional spec

    • Design document

    • User manuals

  • Project

    • Executable

    • Code

  • Presentation

Project Executable

  • Access

    • Desktop: instructions for download and install

      • These should be the instructions for any user, not just for me

    • Web-based: url and supported browsers

  • Log-ins

    • Login name and password if needed

    • If there is an administrator or super-user, I need an id with that privilege

  • Hardware needed to run

    • Give it to me after presentation or

    • Where in Sitterson I can get it

Project code

  • Where I can find it

  • How I can view it

    • Do I need to install any software?

    • Is there a preferred IDE or tool?

  • General description of who wrote which pieces


  • List of user manuals

    • If they are part of your program (e.g., on-line help), explain how I find it

  • SINGLE web page or document that incorporates each of

    • Functional spec

    • Design document

    • Each user manual


  • Final essay

  • Team evaluation

Final Presentations: A Celebration of Your Achievement

The Plan

  • Final is 4-7 on Thursday, May 1

    • Pizza dinner to be provided at 7

    • Pot luck dessert

  • Each team has 20 minutes including set-up

  • Clients will be invited

    • Scheduling based on client availability and preference

  • Open to the public

Presentation Content

  • What the project is

  • Why it is important

  • How it was built

    • Platform

    • Architecture

    • (Interesting development aspects)

  • Process lessons: NOT personal

  • Most important piece: demo

Aspects of Privacy

  • Freedom from surveillance

  • Control of our own information

  • Freedom from intrusion

Historical Basis of Privacy

  • Justice of Peace Act (England 1361)

    • Provides for arrest of Peeping Toms and eavesdroppers

  • Universal Declaration of Human Rights (1948)

    • No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.

  • European Convention on Human Rights (1970)

    • Everyone has the right to respect for his private and family life, his home and his correspondence.

Legal Realities of Privacy

  • Self-regulation approach in US, Japan

  • Comprehensive laws in Europe, Canada, Australia

  • European Union

    • Limits data collection

    • Requires comprehensive disclosures

    • Prohibits data export to unsafe countries

      • Or any country for some types of data

Implementing Privacy

  • Anonymity

  • Security

  • Transparency and Control: knowing what is being collected

Privacy and Trust

  • Right of individuals to determine if, when, how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others

  • Includes

    • right to browse the Internet or use applications without being tracked unless permission is granted in advance

    • right to be left alone

  • True privacy implies invisibility

  • Without invisibility, we require trust


  • privacy aware technologies (reactive)

    • non-privacy-related solutions that enable users to protect their privacy

    • Examples

      • password and file-access security programs

      • unsubscribe

      • encryption

      • access control

  • privacy enhancing technologies (proactive)

    • solutions that help consumers and companies protect their privacy, identity, data and actions

    • Examples

      • popup blockers

      • anonymizers

      • Internet history clearing tools

      • anti-spyware software

Impediments to Privacy

  • Data collection and sharing

  • Cookies

    • A Web site was discovered last year capturing cookies that it retained for 5 years

  • Sniffing, Snarfing, Snorting

    • All are forms of capturing packets as they pass through the network

    • Differ by how much information is captured and what is done with it


  • Platform for Privacy Preference

    • World Wide Web Consortium (W3C) project

  • Voluntary standard published as a “note”

  • Web site

    • Policy machine readable, structured

  • Browsers

    • Understand policy

    • Behave according to user’s preferences

Privacy and Wireless

  • “Wardriver” program: scans for broadcast SSIDs

    • broadcasting improves network access, but at a cost

  • once the program finds the SSID

    • obtains the IP address

    • obtains the MAC address

  • Lowe’s was penetrated this way

    • Stole credit card numbers

Network Security

“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench”

– Gene Spafford (Purdue)


  • Information Transmission

  • Information Systems

Information Transmission Attack

[Diagram labels: Secure Message; Trusted Third Party (arbiter, distributor of secret information); Security related; Information channel]

Information Systems Attack

[Diagram labels: hackers, software; Access Channel; Security Control]

Gatekeeper – firewall or equivalent, password-based login

Internal Security Control – Access control, logs, audits, virus scans etc.

Firewall Techniques

  • Filtering

    • Doesn’t allow unauthorized messages through

    • Can be used for both sending and receiving

    • Most common method

  • Proxy

    • The firewall actually sends and receives the information

    • Sets up separate sessions and controls what passes in the secure part of the network

DMZ: Demilitarized Zone

  • Arrangement of firewalls to form a buffer or transition environment between networks with different trust levels

[Diagram labels: Internal resources]

Three Tier DMZ

[Diagram labels: Internal resources]
Issues in Network Security

  • Physical and logical placement of security mechanisms

  • Effect of communication protocols

  • Encryption (cryptography) can provide several of the security services

    • Private key vs. public key

  • Distribution of secret information to enable secure exchange of information is important

Key Technologies

  • Encryption

  • Authentication


  • All encryption algorithms from BC till 1976 were secret key algorithms

    • Also called private key algorithms or symmetric key algorithms

    • Julius Caesar used a substitution cipher

    • Widespread use in World War II (enigma)

  • Public key algorithms were introduced in 1976 by Whitfield Diffie and Martin Hellman

Security Level of Encrypted Data

  • Unconditionally Secure

    • Unlimited resources + unlimited time

    • Still the plaintext CANNOT be recovered from the ciphertext

  • Computationally Secure

    • Cost of breaking a ciphertext exceeds the value of the hidden information

    • The time taken to break the ciphertext exceeds the useful lifetime of the information

Caesar Cipher

  • Substitute the letter 3 ahead for each one

  • Example:

    • Et tu, Brute

    • Hw wx, Euxwh

  • Quite sufficient for its time

    • High illiteracy

    • New idea

Enigma Machine (Germany, World War II)

  • Simple Caesar cipher through each rotor

  • But rotors shifted at different rates

    • Roller 1 rotated one position after every encryption

    • Roller 2 rotated every 26 times…


Types of Attacks

  • Ciphertext only

    • adversary has only ciphertext

    • goal is to find plaintext, possibly key

  • Known plaintext

    • adversary has plaintext and ciphertext

    • goal is to find key

  • Chosen plaintext

    • adversary can get a specific plaintext enciphered

    • goal is to find key

Attack Mechanisms

  • Brute force

  • Statistical analysis

    • Knowledge of natural language

    • Examples:

      • All English words have vowels

      • There are only 2 1-letter words in English

      • High probability that u follows q

Private Key Cryptography

  • Sender, receiver share common key

    • Keys may be the same, or trivial to derive from one another

    • Sometimes called symmetric cryptography or classical cryptography

  • Two basic types

    • Transposition ciphers (rearrange bits)

    • Substitution ciphers

  • Product ciphers

    • Combinations of the two basic types

DES (Data Encryption Standard)

  • A block cipher:

    • encrypts blocks of 64 bits using a 64 bit key

    • outputs 64 bits of ciphertext

    • A product cipher

      • performs both transposition (permutation) and substitution on the bits

  • Considered weak

    • Susceptible to brute force attack

  • http://www.tropsoft.com/strongenc/des.htm

History of DES

  • IBM develops Lucifer for banking systems (1970’s )

  • NIST and NSA evaluate and modify Lucifer (1974)

  • Modified Lucifer adopted as federal standard (1976)

    • Name changed to Data Encryption Standard (DES)

    • Defined in FIPS (46-3) and ANSI standard X9.32

  • NIST defines Triple DES (3DES) (1999)

    • Single DES deprecated; use limited to legacy systems

  • NIST approves Advanced Encryption Std. (AES) (2001)

    • AES will replace DES and 3DES

Cracking DES

  • 1998: Electronic Frontier Foundation cracked DES in 56 hrs using a supercomputer

  • 1999: Distributed.net cracked DES in 22 hrs

  • For an investment of $1 million for specialized hardware, DES can be cracked in less than an hour.

Public Key Cryptography

  • Two keys

    • Private key known only to individual

    • Public key available to anyone

      • Public key, private key inverses

  • Confidentiality

    • encipher using public key

    • decipher using private key

  • Integrity/authentication

    • encipher using private key

    • decipher using public one

Public Key Requirements

  • Computationally easy to encipher or decipher a message given the appropriate key

  • Computationally infeasible to derive the private key from the public key

  • Computationally infeasible to determine the private key using a chosen plaintext attack


  • Public key algorithm described in 1977 by Rivest, Shamir, and Adleman

  • Exponentiation cipher

  • Relies on the difficulty of factoring a large integer

  • RSA Labs FAQ document



  • Private key (classical) cryptosystems

    • encipher and decipher using the same key

  • Public key cryptosystems

    • encipher and decipher using different keys

    • computationally infeasible to derive one from the other


  • Assurance of the identity of the party that you’re talking to

  • Primary technologies

    • Digital Signature

    • Kerberos

Digital Signature

  • Authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”)

  • Sender cannot deny having sent message (service is “nonrepudiation”)

    • Limited to technical proofs

      • Inability to deny one’s cryptographic key was used to sign

    • One could claim the cryptographic key was stolen or compromised

      • Legal proofs, etc., probably required

  • Protocols based on both public and private key technologies

RSA for Digital Signature

  • Private key to sign

  • Public key to validate
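Added example, not from the slides: textbook RSA in Python tying together the public-key slides above (the exponentiation cipher, public and private keys as inverses, confidentiality by enciphering with the public key, signing with the private key and validating with the public key, and why the scheme rests on the difficulty of factoring). The primes 61 and 53 and all function names are constructed for illustration; real deployments use large keys and a padding scheme, which this toy omits.

```python
import hashlib


def make_keypair(p, q, e=17):
    """Textbook RSA from two primes; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)        # (public key, private key)


def encipher(key, m):
    """Exponentiation cipher. Works with either key, because e and d are
    inverses mod phi: encipher with one, decipher with the other. 0 <= m < n."""
    exp, n = key
    return pow(m, exp, n)


def message_digest(message, n):
    """Hash the message and reduce it so it fits below the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Digital signature: encipher the digest with the private key."""
    return encipher(private, message_digest(message, private[1]))


def verify(public, message, signature):
    """Validation: decipher with the public key, compare to a fresh digest.
    A changed message or a forged signature fails this comparison."""
    return encipher(public, signature) == message_digest(message, public[1])


def recover_private_key(public):
    """Why RSA 'relies on the difficulty of factoring': on a toy modulus,
    trial division finds p and q and therefore d. For real key sizes this
    factoring step is the part that is computationally infeasible."""
    e, n = public
    p = next(x for x in range(2, int(n ** 0.5) + 1) if n % x == 0)
    q = n // p
    return (pow(e, -1, (p - 1) * (q - 1)), n)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)       # constructed toy primes, n = 3233
    c = encipher(public, 65)                     # anyone can encipher with the public key
    print("deciphered:", encipher(private, c))   # only the private key deciphers: 65
    sig = sign(private, b"Et tu, Brute")
    print("valid:", verify(public, b"Et tu, Brute", sig))
    print("tampered:", verify(public, b"Et tu, Brutus", sig))
    print("factored d:", recover_private_key(public) == private)
```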


  • Authentication system

    • Central server plays role of trusted third party

  • Ticket (credential)

    • Issuer vouches for identity of requester of service

  • Authenticator

    • Identifies sender

  • User must

    • Authenticate to the system

    • Obtain ticket to use server S

  • Problems

    • Relies on synchronized clocks

    • Vulnerable to attack

The Bottom Line

  • Cyberspace will always have exposures

    • But so does our physical space

  • All decisions are based on risk-benefit analysis

    • System owners, developers, users