Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone."— Presentation transcript:

1 1 December Security and Privacy

2 Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone gets access to your system Information in transit over a network e-commerce transactions, online banking, confidential e-mails, file transfers,...

3 Basic Components of Security Confidentiality Keeping data and resources secret or hidden Integrity Ensuring authorized modifications Both data and origin Availability Ensuring authorized access to data and resources when desired Accountability Ensuring that an action is traceable uniquely to the actor

4 Assurance How much to trust a system Requires Protection against unintentional errors Resistance to intentional penetration or by- pass

5 Info Security 20 Years Ago Physical security Information was primarily on paper Lock and key Safe transmission Administrative security Control access to materials Personnel screening Auditing

6 Information security today Emergence of the Internet and distributed systems Increasing system complexity Digital information needs to be kept secure Competitive advantage Protection of assets Liability and responsibility Financial losses FBI estimates that an insider attack results in an average loss of $2.8 million Estimates of annual losses: $5 billion - $45 billion National defense Protection of critical infrastructures Power grid Air transportation Interlinked government agencies Severe concerns regarding security management and access control measures (GAO report 2003) Grade F for most of the agencies

7 Attack Vs Threat A threat is a “potential” violation of security Violation need not actually occur Fact that the violation might occur makes it a threat The actual violation of security is called an attack

8 Common security attacks Interruption, delay, denial of receipt, denial of service, distributed denial of service System assets or information become unavailable or are rendered unavailable Interception or snooping Unauthorized party gains access to information by browsing through files or reading communications Modification or alteration Unauthorized party changes information in transit or information stored for subsequent access Fabrication, masquerade, or spoofing Spurious information is inserted into the system or network by making it appear as if it is from a legitimate source

9 Goals of Security Prevention Prevent someone from violating a security policy Detection Detect activities in violation of a security policy Verify the efficacy of the prevention mechanism Recovery Stop attacks Assess and repair damage Ensure availability in presence of an ongoing attack Fix vulnerabilities in order to prevent future attacks Deal with the attacker

10 Should We Protect Something? Cost-Benefit Analysis Benefits vs. total cost Is it cheaper to prevent or recover? Risk Analysis How much should we protect this thing? Risk depends on environment and changes with time Laws and Customs Are desired security measures illegal? Will people do them? (DNA for identity) Affects availability and use of technology

11 Human Issues Outsiders and insiders Insiders account for 80-90% of all security problems Social engineering How much do you disclose about security?

12 Network Security

13 Information Systems Security “ Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench ” – Gene Spafford (Purdue)

14 Network Security Model Trusted Third Party arbiter, distributor of secret information Opponent Secure Message Message Information channel SenderReceiver Secret Information Security related transformation Secret Information Message

15 Network Access Model Gate Keeper Opponent - hackers - software Access Channel Data Software firewall or equivalent, password-based login

16 Firewall Techniques Filtering Doesn’t allow unauthorized messages through Can be used for both sending and receiving Most common method Proxy The firewall actually sends and receives the information Sets up separate sessions and controls what passes in the secure part of the network

17 Key Technologies Encryption Authentication

18 Encryption All encryption algorithms from BCE till 1976 were secret key algorithms Also called classical cryptography or symmetric key algorithms Julius Caesar used a substitution cipher Widespread use in World War II (enigma) Public key algorithms were introduced in 1976 by Whitfield Diffie and Martin Hellman

19 Caesar Cipher Substitute the letter 3 ahead for each one Example: Et tu, Brute Hw wx, Euxwh Quite sufficient for its time High illiteracy New idea

20 Enigma Machine Simple Caesar cipher through each rotor But rotors shifted at different rates Roller 1 rotated one position after every encryption Roller 2 rotated every 26 times… http://www.trincoll.edu/depts/cpsc/cryptography/enigma.html Used by Germany in WW II Allies broke the code Major benefit to the war effort

21 Terminology Plaintexts – unencrypted text Ciphertexts – encrypted text Keys – used to encrypt and decrypt Encryption functions – algorithm to change plaintext to ciphertext Decryption functions – algorithm to change ciphertext to plaintext

22 Security Level of Encrypted Data Unconditionally Secure Unlimited resources + unlimited time Still the plaintext CANNOT be recovered from the ciphertext Computationally Secure Cost of breaking a ciphertext exceeds the value of the hidden information The time taken to break the ciphertext exceeds the useful lifetime of the information

23 Types of Attacks Ciphertext only adversary has only ciphertext goal is to find plaintext, possibly key Known plaintext adversary has plaintext and ciphertext goal is to find key Chosen plaintext adversary can get a specific plaintext enciphered goal is to find key

24 Attack Mechanisms Brute force Statistical analysis Knowledge of natural language

25 Classical Cryptography Sender, receiver share common key Keys may be the same, or trivial to derive from one another Two basic types Transposition ciphers (rearrange bits) Substitution ciphers Product ciphers Combinations of the two basic types

26 Advanced Encryption Standard (AES) Government adopted in 2001 A block cipher: encrypts blocks of 128 bits using at least a 128 bit key outputs 64 bits of ciphertext A product cipher performs both substitution and transposition (permutation) on the bits Computationally secure: no known successful attacks

27 Public Key Cryptography Two keys Private key known only to individual Public key available to anyone Keys are inverses Used for Confidentiality encipher using public key decipher using private key Used for integrity and authentication encipher using private key decipher using public one

28 Private Key Requirements Computationally easy to encipher or decipher Computationally infeasible to derive the private key from the public key Computationally infeasible to determine the private key from a chosen plaintext attack

29 RSA Public key algorithm described in 1977 by Rivest, Shamir, and Adelman Exponentiation cipher Basics Public key: (e, n); private key: d e, d and n computed from two large prime numbers Encipher: c = m e mod n Decipher: m = c d mod n Computationally secure with 2048 bit key

30 Summary Two main types of cryptosystems: classical and public key Classical cryptosystems encipher and decipher using the same key Public key cryptosystems encipher and decipher using different keys

31 Authentication Assurance of the identity of the party that you’re talking to Methods Digital Signature Kerberos

32 Digital Signature Authenticates origin, contents of message in a manner provable to a disinterested third party (“judge”) Sender cannot deny having sent message (service is “nonrepudiation”) Limited to technical proofs Inability to deny one’s cryptographic key was used to sign One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required Protocols based on both public and private key technologies

33 Kerberos Authentication system Central server plays role of trusted third party Ticket (credential) Issuer vouches for identity of requester of service Authenticator Identifies sender User must Authenticate to the system Obtain ticket to use a specific server Problems Relies on synchronized clocks Vulnerable to attack

34 Privacy

35 What is privacy? The right to have information that you don’t expect to be available to others remain that way On many sites, you give up your right to privacy

36 Some Views on Privacy “All this secrecy is making life harder, more expensive, dangerous …” Peter Cochran, former head of BT (British Telecom) Research “You have zero privacy anyway.” Scott McNealy, CEO Sun Microsystems “By 2010, privacy will become a meaningless concept in western society” Gartner report, 2000

37 Historical Basis of Privacy Justice of Peace Act (England 1361) Provides for arrest of Peeping Toms and eavesdroppers Universal Declaration of Human Rights (1948) European Convention on Human Rights (1970)

38 Legal Realities of Privacy Self-regulation approach in US, Japan Comprehensive laws in Europe, Canada, Australia European Union Limits data collection Requires comprehensive disclosures Prohibits data export to unsafe countries Or any country for some types of data

39 Aspects of Privacy Anonymity Security Transparency and Control: knowing what is being collected

40 Impediments to Privacy Surveillance Data collection and sharing Cookies Web site last year was discovered capturing cookies that it retained for 5 years Sniffing, Snarfing, Snorting All are forms of capturing packets as they pass through the network Differ by how much information is captured and what is done with it

41 P3P Platform for Privacy Preference Voluntary standard still in draft form Structures a web sites policies in a machine readable format Allows browsers to understand the policy and behave according to a user’s defined preferences

Download ppt "1 December Security and Privacy. Information Systems Security Systems Operating system, files, databases, accounting information, logs,... Issue if someone."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
“zone of inaccessibility” Edmund Byrne, 1998 “The right to be alone” Warren and Brandeis, 1890 COMP 381.

“zone of inaccessibility” Edmund Byrne, 1998 “The right to be alone” Warren and Brandeis, 1890 COMP 381.
22 November 2010. Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.

22 November Security and Privacy  Security: the protection of data, networks and computing power  Privacy: complying with a person's desires when.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
6 December Privacy. Presentations News: Tega Scott Peterson trial: Stephen.

6 December Privacy. Presentations News: Tega Scott Peterson trial: Stephen.
Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.

Computer and Network Security. Introduction Internet security –Consumers entering highly confidential information –Number of security attacks increasing.
Cryptographic Technologies

Cryptographic Technologies
1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.

1 Digital Signatures CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 12, 2004.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Similar presentations

Ads by Google