Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption...
-
Upload
teresa-carroll -
Category
Documents
-
view
216 -
download
0
Transcript of Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption...
![Page 1: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/1.jpg)
Security & Privacy
DSC340
Mike Pangburn
![Page 2: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/2.jpg)
Agenda
Security Encrypted networking Types of encryption
Shared key Public key
Information privacy
![Page 3: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/3.jpg)
Networking security: where are the vulnerabilities?
ISP Internet
Recall our prior discussion… asusmeyou have a router and thus a private IP address.
ISP
24.48.0.1
192.168.0.1 12.6.1.3You Your BFF
![Page 4: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/4.jpg)
Network connections with encryption
ISP
192.168.0.1
Internet
12.6.1.3
YouYour BFF
Turn on router’s encryption feature to encrypt the wireless signal.
ISP
24.48.0.1
Eaves-dropping difficult on this wireless linkafter enabling encryption (e.g., WPA)
![Page 5: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/5.jpg)
Better: encryption now activated in your friend’s router
ISP Internet
Better to have wireless encryption at both ends, (but you may have no control over the receiving end).
ISP
24.48.0.1 12.6.1.3
192.168.0.1 192.168.0.1
You Your BFF
![Page 6: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/6.jpg)
But, what about all the miles between the small small routers?
ISP
192.168.0.1
Internet
You Your BFF
Even though both you and your BFF areusing encryption at your “ends,” this is not “end to end” encryption. End to end encryption refers to keeping the data encrypted while it travels over the internet.The standard Internet TCP/IP network protocols do not encrypt packet data. But, someapplications send data in encrypted form, and there are options (e.g., VPN) for creating end-to-end encryption.
ISP
24.48.0.1 12.6.1.3
192.168.0.1
V u l n e r a b l e !
![Page 7: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/7.jpg)
VPN client software
“End-to-end Encryption” via VPN
ISP
192.168.0.1
Internet ISP
24.48.0.1
The University of OregonVPN gateway.
UofO servers
VPN encryptionends at VPN server
128.223.3.201
VPN benefit: your PC gets a second IP address, this one assigned by the VPN server; makes it appear to UofO servers that your PC is on the UofO network.
![Page 8: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/8.jpg)
What is “encryption”?
Simply put, encryption is a scheme for scrambling data to make it difficult to decipher
Two encryption approaches The shared key approach
Already discussed, the most “obvious” case Like having a shared key to a padlock
The public key approach Not obvious! Give everyone the key to your lock? We will see how this work in a few minutes.
![Page 9: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/9.jpg)
Key value: 3
TREATY IMPOSSIBLE
WUHDWB LPSRVVLEOH
Shared Key example: the “Caesar” cipher
![Page 10: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/10.jpg)
Prior scenario was “shared key” (password)
Wireless hub encryption standards (such as WPA or WPA2) use the shared-key approach You define a password (the key)
within the wireless hub, The same password (key) must be
configured in your computer’s networking software
ISP
192.168.0.1
24.48.0.1
![Page 11: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/11.jpg)
Encrypt
ud5nh!ntD4go’bQa%tq
Decrypt
Jane Smith’s CCN is 4408 3380 7002 2652
Jane Smith’s CCN is 4408 3380 7002 2652
Plaintext
Plaintext
Cyphertext
How is the shared key established?By your computer initially sending
password information using the server’s “public key”
Shared key encryption also use when communicating with web servers
![Page 12: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/12.jpg)
Public/private key encryption
Two mathematically-related, yet separate keys The formula linking public and private key #’s is sufficiently complicated that
knowing one # doesn’t let you figure out the other In other words, the formula connecting the two #’s is more complex than:
public value + private value = 100 The couple guys who came up with the formula have earned 100’s of
million of $ using it to secure data for customers They also published the formula for everyone to see
Your Private Key: you keep this # secret
Your Public Key: you publicly disclose this #
Information encrypted by public key can only be decrypted by its own private key, and vice versa.
Private key
Public keyMathematically linked
![Page 13: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/13.jpg)
Public/private Key Encryption
Anyone can encrypt using the public key, but only the holder of the private key can decrypt. Security depends on the secrecy of the private key.
Source: Wikipedia.org
![Page 14: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/14.jpg)
Using a private key as a “digital signature”
Alice scrambles her message with her private key. If you can unscramble the message with Alice’s public key, then you know the message wasn’t tampered with since being scrambled by the holder of Alice’s public key.
But, how do you know that person is really Alice?Digital sig. proves message has not been tampered with, but to deal with the impersonation issue industry created “Certificate Authorities” (next slide)
Source: Wikipedia.org
![Page 15: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/15.jpg)
Obtaining a public/private key pair for your company?
You pay a “Certificate Authority” (CA) to generate and issue a key pair
Verisign (a big CA) or its competitors
Generally you enter into a 2 year service agreement
For the next 2 years, Verisign’s server sends all your site visitors a “Verisign digital certificate” that provides your firm’s name and public key for encrypted dialog with your webserver Browser (e.g., Firefox, IE) can show user that certificate
information which show
User can feel safe to the extent they trust in Verisign and public/private key encryption
![Page 16: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/16.jpg)
Summary: 3 diff. security purposes
Eavesdropping(Confidentiality)
Tampering(Integrity)
Impersonation(Authentication)
Encryption
Digital Signatur
e
Digital Certificate
![Page 17: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/17.jpg)
Agenda
Security Encrypted networking Types of encryption
Shared key Public key
Information privacy discussion
![Page 18: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/18.jpg)
Some Modern Threats to Info. Privacy
Electronic Surveillance
Hacker attacks (later) Phishing email
Look at these two sites: http://www.mailfrontier.com/forms/msft_iq_test.ht
ml http://www.sonicwall.com/furl/phishing/
Viruses SpyWare (“alien ware”)
e.g., keyloggers
Public records Fundrace example
![Page 19: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/19.jpg)
Personal Information in Databases
A Carnegie Mellon study showed that it doesn’t take much to find someone with a minimum of data. Simply by knowing gender, birth date, and postal zip code, 87 percent of people in the United States could be pinpointed by name.
![Page 20: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/20.jpg)
Personal Information in Databases
Companies have four standard approaches for tracking data about us:1. Accepting what we knowingly provide
2. Logging our “clickstream” data
3. Using cookies to store our session data on their site Site can thus “remembers us” when we return later (as per
our online advertising discussion)
4. Buying data from data aggregators.
![Page 21: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/21.jpg)
Data Aggregators: big business
Acxiom, a $1.3 billion a year business The firm holds data profiling some two hundred million
Americans. Combines public source data on real estate, criminal
records, and census reports, with private information from credit card applications, warranty card surveys, and magazine subscriptions.
ChoicePoint Accidentally in 2005 sold financial records on 145,000
people to a cybercrime identity theft ring. Fined $15M ($0.015B) dollars from the Federal Trade
Commission In February, 2008, Reed Elsevier acquired ChoicePoint for
$4.1 billion.
![Page 22: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/22.jpg)
Employee hiring survey
![Page 23: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/23.jpg)
![Page 24: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/24.jpg)
![Page 25: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/25.jpg)
Be careful about how your company handles privacy
For companies and government organizations, policies are evolving and becoming stricter
HIPAA (the U.S. Health Insurance Portability and Accountability Act) governs data use and privacy among healthcare providers, insurers, and employers.
The European Privacy Directive governs data use for firm’s operating in the EU
![Page 26: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/26.jpg)
Corporate “Code of Ethics”
Example: how your firm will treat customer information (“privacy code”) Opt-out Model Opt-in Model (friendlier)
Code of Ethics Should be documented /enforced
![Page 27: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/27.jpg)
Security is a management issue
In a fairly recent Computer Crime and Security Survey… 90% of large companies and government agencies
reported computer security breach 80% reported sizeable financial loss
Many companies, in addition to the Chief Information Officer (CIO), now have a Chief Information Security Officer (CISO).
![Page 28: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/28.jpg)
Conclusions
Networking and encryption technologies exist (e.g. encryption) to help protect you
Suspicion can protect youfrom many commonthreats Both high tech (e.g., phishing)
and low
Continue to learn about security threats over time
![Page 29: Security & Privacy DSC340 Mike Pangburn. Agenda Security Encrypted networking Types of encryption Shared key Public key Information privacy.](https://reader030.fdocuments.us/reader030/viewer/2022032801/56649ddb5503460f94ad2ccf/html5/thumbnails/29.jpg)
Conclusions
Managers need to identify new business opportunities
Example: car insurance SafeCo’s “teensurance” Progressive’s Snap Shot
How far should businesses take these trends? Pizza delivery scenario “Picture mining”… Microsoft Sea Dragon