Chapter 11 Privacy and Secrets

Chapter Outline
- Privacy and Regulation
- What to do about passwords
- Random Number generation
- Cryptography
- Secrets in Memory



What is Privacy?

An expectation of non-dissemination of information without consent.

What about information?
- Confidential data about the program
- Data users think is private
- Data required by law to be kept as confidential
  - Social Security Numbers
  - Account numbers/credit card numbers, DL numbers
  - Security codes, access codes, PINs, passwords, etc.
  - Grades

Which laws?
- California's SB 1386: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_ /sb_1386_bill_ _chaptered.html
- Children's Online Protection Act (COPPA)
- Federal Information Security Management Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Data Security Standard
- Safe Harbor Privacy Framework
- Family Educational Rights and Privacy Act (FERPA):

Where does private data enter?
- Directly
- Persisting from a DB or other data store
- Indirectly

How to handle Private data
- Label it as such, don't hide it.
- Be aware at all times of which variables carry private data and which don't.
- "Privacy violations" stem, for the most part, from misplaced trust.
- Minimize exposure of private data.
- Private data should be kept out of logs.
- Be aware of threads and re-entrant code.

Outbound Passwords
- Keep passwords out of the source code.
  - They are easy to find, even without the source code.
- Don't store clear-text passwords.
  - Store them, encrypted, in a configuration file.
  - Store the encryption key in a different file.
  - This can be repeated a few times.

Random Numbers

Necessary for:
- Cryptography (key generation)
- Password generation
- Port randomization (for security)
- Unique session identifiers
- Etc.

Need good entropy generators.

Some notes
- If there are N possible choices, there are log2 N bits of entropy.
- Expect things to go wrong.
- Watch out for lack of independence.
- Be conservative.
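An added example (not from the original slides) of the notes above: a password generator that draws from the kernel CSPRNG, rejects bytes that would bias the choice, and reports len × log2 N bits of entropy. The names `gen_password`, `entropy_bits` and `log2_sq`, and reading `/dev/urandom` on a Unix-like host, are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* log2(x) for x >= 1 by repeated squaring (no libm needed). */
static double log2_sq(double x) {
    double r = 0.0, bit = 1.0;
    while (x >= 2.0) { x /= 2.0; r += 1.0; }
    for (int i = 0; i < 40; i++) {
        bit /= 2.0;
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
    }
    return r;
}

/* Entropy of len independent, uniform picks from n choices: len * log2(n). */
double entropy_bits(unsigned n, size_t len) {
    return n ? (double)len * log2_sq((double)n) : 0.0;
}

/* Fill out[0..len) with characters picked uniformly from alphabet (1..256
 * characters) and NUL-terminate; out needs len + 1 bytes.
 * Returns 0 on success, -1 on error. */
int gen_password(char *out, size_t len, const char *alphabet) {
    size_t n = strlen(alphabet);
    if (n == 0 || n > 256) return -1;
    FILE *f = fopen("/dev/urandom", "rb");  /* assumption: Unix-like host */
    if (!f) return -1;
    setvbuf(f, NULL, _IONBF, 0);  /* don't buffer unused random bytes */
    /* Bytes at or above the largest multiple of n are rejected; a plain
     * `byte % n` would make the low indices slightly more likely. */
    unsigned limit = 256 - (unsigned)(256 % n);
    size_t i = 0;
    while (i < len) {
        int c = fgetc(f);
        if (c == EOF) { fclose(f); return -1; }
        if ((unsigned)c < limit) out[i++] = alphabet[(unsigned)c % n];
    }
    out[len] = '\0';
    fclose(f);
    return 0;
}

int main(void) {
    const char *alpha =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    char pw[21];
    if (gen_password(pw, 20, alpha) != 0) return 1;
    printf("%s  (%.1f bits)\n", pw, entropy_bits(62, 20));
    return 0;
}
```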

Cryptography

Choose a good algorithm
- Watch what the standards organizations (ISO, NIST, etc.) say.
- Researchers may publish attacks on certain codes: that does not invalidate the code.
- At the present time, recommended are:
  - AES
  - RSA
  - SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512)

Cryptography

Don't roll your own

Don't:
- Invent your own algorithm
- Create your own implementation
- Concoct your own key exchange protocol.

Security through obscurity is a delusion.

Secrets in Memory

How do attackers get secrets from memory?
- Remote exploits such as buffer overflow or format string attacks.
- Physical attacks, such as stolen or discarded machines.
- Accidental leakage, as in core dumps or page files.

How to control Information in Memory
- Minimize the time the secret is held in memory
  - Lock the memory
- Share secrets sparingly
- Erase secrets securely
  - Easier said than done: beware of optimizing compilers!
- Prevent unnecessary duplication.
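An added example (not from the original slides) that puts the controls above into one lifecycle on a POSIX system: lock the buffer, load and use the secret once, wipe it in a way the optimizer keeps, and switch off core dumps. `load_key`, `sum_key`, `use_secret_once`, `secure_wipe` and `disable_core_dumps` are hypothetical names, and the constant key bytes are constructed sample data.

```c
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Zero a buffer through a volatile pointer. Compilers treat each such store
 * as an observable side effect; a plain memset() on a buffer that is never
 * read again is a dead store an optimizer is allowed to delete. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Keep secrets out of core dumps: set the core size limit to zero. */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Hypothetical key source; a real program would read a key store or prompt. */
static void load_key(unsigned char *dst, size_t n) { memset(dst, 0xA5, n); }

/* Hypothetical consumer of the key, standing in for a crypto call. */
static int sum_key(const unsigned char *k, size_t n) {
    int s = 0;
    while (n--) s += *k++;
    return s;
}

/* Hold the secret in caller-supplied storage only for the duration of one
 * use: lock, load, use, wipe, unlock. Returns use()'s result. */
int use_secret_once(unsigned char *buf, size_t n,
                    int (*use)(const unsigned char *, size_t)) {
    /* mlock keeps the pages out of swap; it can fail under RLIMIT_MEMLOCK,
     * in which case we carry on unlocked rather than abort. */
    int locked = (mlock(buf, n) == 0);
    load_key(buf, n);
    int rc = use(buf, n);
    secure_wipe(buf, n);
    if (locked) munlock(buf, n);
    return rc;
}

int main(void) {
    unsigned char key[32];
    disable_core_dumps();
    return use_secret_once(key, sizeof key, sum_key) == 32 * 0xA5 ? 0 : 1;
}
```

Where the platform provides `explicit_bzero` or C11 Annex K `memset_s`, either can replace `secure_wipe`.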