1 / 45

Data Security and Cryptography

Data Security and Cryptography. Legal data protection Risk analysis and IT Baseline Protection Data security Cryptography Smart card. Data Security and Cryptography. Data protection, Privacy (legal) Protection of personal data

jolene
Download Presentation

Data Security and Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Data Security and Cryptography • Legal data protection • Risk analysis and IT Baseline Protection • Data security • Cryptography • Smart card

  2. Data Security and Cryptography Data protection, Privacy (legal) Protection of personal data Protection of persons against not authorized processing of data concerning that person Data Security (technical) Protection against Loss, dammage Not authorised reading, changing

  3. Data protection Legal data protection interdiction with conditionally allowance German Data Protection Act Federal State Data Protection Act special Data Protection Act : Gesundheitsstrukturgesetz (health structure act) Personalvertretungsgesetz (staff / workers council Data Protection Act )

  4. Privacy failure - an example The Hampshire hospital system provides a good example of the failure to fully address privacy issues raised by information technology in the National Health Service (NHS). Because the then health minister held the constituency of Winchester (in Hampshire), new information technology systems were implemented more quickly there than elsewhere. These new systems had the feature that all laboratory tests ordered by general practitioners were entered into a hospital information system, which made them available to all staff on the wards and to consultants in the outpatient department. The stated goal was to cut down on duplicate testing; but the effect was that even highly sensitive matters such as HIV and pregnancy test results were no longer restricted to a handful of people (the general practitioner, practice secretary, the pathologist and the lab technician), but were widely available. As with the London Ambulance Service, a timely warning of impending disaster was ignored, and the system duly went live on schedule. A nurse who had had a test done by her general practitioner complained to him after she found the result on the hospital system at Basingstoke where she worked; this caused outrage among local general practitioners and other medical staff, and may have contributed to the health minister's loss of his seat at the 1997 general election. The eventual outcome was that the relevant parts of the system were turned off at some hospitals.

  5. Data Security safety requirements Reproduction of destroyed data complete, fast, consistent Substitution of destroyed processes Backup of destroyed hardware Backup of programs Protection of the communication Not authorised reading, changing

  6. IT Baseline Protection Federal Office for Information Security http://www.bsi.de/ Consulting of Federal- State- and Local authorities http://www.bsi.de/english/index.htm http://www.bsi.de/english/gstool/index.htm

  7. Uninterruptable Power supply (UPS) • Which devices shall be supplied? • Server • Disks • Clients • Network • How long ? • Only for shutdown • Continue the appliations

  8. emergency power supply http://www.kabel-vereinigung.at/musterhaus/notstrom.htm Stationärer Stromerzeuger 800 kVAFür die Notstromversorgung eines Krankenhauses http://www.bas-aggregate.de/FrameProdukte.htm http://www.energiesparendes-krankenhaus.de/index.php?id=115 http://www.evk-mettmann.de/index.php?section=21

  9. Our UPS Server + Monitor 1kW Disks 3*1.5 kW USV ca. 7 kW for 15 Minutes At a power failure the UPS signals an interrupt to the CPU which shuts down UPS must support the operating system!

  10. Downtime 24 hours operation on 7 days means:

  11. Causes of failure

  12. attacks on the communication Man-in-the-middle the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. Spoofing-Attacke a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage Denial-of-Service make a computer resource unavailable to its intended users Replay data transmission is maliciously or fraudulently repeated or delayed Combination of attacks

  13. Protection against attacks Firewall Encryption Authentication non-repudiation Reception control

  14. Firewall Computer between the internet and the local network. It analyses the data stream and locks or opens the passage depending on the services, addressee and sender.

  15. Firewall Local network Internet e.g. department No access allowed e.g. library All access allowed firewall local Web Server e.g. department certain access allowed

  16. encryption Cryptology Science of coding messages Cryptography Mapping a message on an incomprehensibletext Cryptoanalysis Decryption of an incomprehensibletext Steganography Hiding a message in a harmless text

  17. Skytale D I N A N D S D E G E R O T H L S O D I E B C H E H L F I E N I D D N A E D S R E G H T O O S L E I D H C B L H E E I F

  18. Cäsar Chiffre DERSCHATZLIEGTINEINEMEISENKASTEN ABCDEFGHIJKLMNOPQRSTUVWXYZ ABCDEFGHIJKLMNOPQRSTUVWXYZ FGTUEJCVBNKGVKPGKGOGKUGPMCUVGP

  19. Cäsar Chiffre Decoding by counting the frequency of letters DERSCHATZLIEGTINEINEMEISENKASTEN FGTUEJCVBNKGVKPGKGOGKUGPMCUVGP

  20. Frequency of letters

  21. Cipheringsymmetric key Exchange of keys Key Key Decryption Encryption plain text Cipher text plain text

  22. Cipheringasymmetric key Certificate Authorities Public key Alice Bob Pub Bob Private key P Alice Private key P Bob Pub Alice Pub Pub Bob P Bob Pub Alice Decryption Encryption %&G(= Plain Text Cipher text Plain Text Plain Text

  23. RSA-CIPHERRivest Shamir Aldeman required: two prime numbers p,q => Public key (encrypt) n = p*q e relatively prime with (p-1)*(q-1) Private Key d with d*e = 1 mod(p-1)*(q-1) encrypt: c = me mod n decrypt: m = cd mod n

  24. RSA-Example p = 47; q = 59; p*q = n = 2773 (p-1) * (q-1) = 46*58 = 2668 e*d = 1 mod 2668 <=> (e*d) / 2668 Rest 1 n = 2773; e = 17; d = 157 HALLO ... => 080112121500... 080117 mod 2773 = 2480 121217 mod 2773 = 2345 2480157 mod 2773 = 801 2345157 mod 2773 = 1212

  25. RSA-CIPHER time to decipher The RSA Factoring Challenge

  26. Pretty Good Privacysending Public key of receiver Private key of sender Symmetric key Random number checksum message Encrypted Random number Digital Signatur Encrypted message

  27. Pretty Good Privacyreceiving Private key of receiver Public key of sender Encrypted Random number Digitale Signatur Symmetric key Random number Encrypted message checksum = ? message checksum

  28. Digital Signaturprocedure Document Storage Document Document Hashfunktion Hashfunktion Checksum Checksum ? = Checksum Signatur Public key Private key Signatur Signatur

  29. Roles of a Signature • Closing • Identity • Authenticity • Evidence • Inhibition threshold

  30. Regulation concerning Digital Signatur (Signaturverordnung - SigV) § 16 Anforderungen an die technischen Komponenten (1) Die zur Erzeugung von Signaturschlüsseln erforderlichen technischen Komponenten müssen so beschaffen sein, daß ein Schlüssel mit an Sicherheit grenzender Wahrscheinlichkeit nur einmal vorkommt und aus dem öffentlichen Schlüssel nicht der private Schlüssel errechnet werden kann. Die Geheimhaltung des privaten Schlüssels muß gewährleistet sein und er darf nicht dupliziert werden können. Sicherheitstechnische Veränderungen an den technischen Komponenten müssen für den Nutzer erkennbar werden.

  31. Regulation concerning Digital Signatur The technical components which are necessary for the production of signature keys must be in a condition that a key will appear only once and that a private key can not be calculated from the public key. The privacy of the private key must be ensured and it should be not possible to dublicate the key. Safety-relevant changes in the technical components must become recognizable for the user.

  32. Realisation of SigG, SigV und SigRL • Linking the public key to its owner • Safe storage of the private key • Building of the digital signature in a safe environment • uniqueness of the key http://www.bsi.bund.de/esig/index.htm

  33. Serial number Name of the owner Public key of the owner ... Signatur of CA certificate • A certificate links a public key to a specific person • A reliable third party (Certification Authority - CA) signs these data • The public key of the CA is known

  34. Certification Authority Die Erteilung von Genehmigungen und die Ausstellung von Zertifikaten, die zum Signieren von Zertifikaten eingesetzt werden, sowie die Überwachung der Einhaltung dieses Gesetzes und der Rechtsverordnung nach § 16 obliegen der Behörde nach § 66 des Telekommunikationsgesetzes Bundesnetzagentur http://www.nrca-ds.de/

  35. Kinds of digital signaturesSimple Signature • Sign under the document • scanned signature • elektronic business card Uncontrolled use, no authenticity

  36. Kinds of digital signatures advanced Signature • exclusively related to the key owner • Permits the identification of the key owner • Is generated under the exclusive control of the key owner • Is related to the signed data in that kind that subsequent change of the data can be detected • examples: PGP, Verisign, Sphinx • May be used inhouse

  37. Kinds of digital signatures Qualified Signaturewithout accreditation of provider • advanced Signature with: • A certificate which is valide at the time of signature • Created with a safe program to create signature keys • The provider registers at Bundesnetzagentur, but will not be reviewed periodically http://www.bundesnetzagentur.de/enid/2.html

  38. Kinds of digital signatures Qualified Signaturewithout accreditation of provider • Qualified Signature • The provider will be checked by Bundesnetzagentur • Longterm reliability is ensured • The signature is equivalent to a signature by hand and the opponent must prove that it is forged

  39. Smart card for the Digital Signatur • tamper-proof and confidential storage • security relevant operations are executed on the smart card • Simple transport and high availability • Highly accepted

  40. Smart card Mikrocontroller • CPU + Co-Prozessor (Crypto-Unit) • RAM (~2k), ROM (~32k) und EEPROM (~32k .. 64k) • I/O RAM Crypto Unit ROM CPU EEPROM I/O System

  41. Data Security and Cryptography • Legal data protection • IT Baseline Protection • attacks on the communication • Symmetric - asymmetric encryption • Digital signature • Smart cards

More Related