1 / 10

Chapter 4 Security, Privacy, and Anonymity

Threats to Information (p.125) Disasters Employees and Consultants Business Partners Outsiders Virus. Chapter 4 Security, Privacy, and Anonymity. II. Security Controls 1. Confidentiality (against eavesdropping)

ova
Download Presentation

Chapter 4 Security, Privacy, and Anonymity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Threats to Information (p.125) • Disasters • Employees and Consultants • Business Partners • Outsiders • Virus Chapter 4 Security, Privacy, and Anonymity

  2. II. Security Controls • 1. Confidentiality (against eavesdropping) • Eavesdropping: packet sniffing on net, in which attackers read transmitted information, including logon information and database contents. • Brute Force attack (P.135) • 1975 US National Bureau of Standard (NBS): Data Encryption Standard (DES) – a 56-bit key is no longer considered to be very secure. • 2001 US National Bureau of Standard (NBS): Advanced Encryption Standard (AES) – a choice of key length of 128, 192, or 256 bits.

  3. Single-Key (conventional) and Dual-Key (public-key) Encryption Algorithms • Single-key encryption is faster but key-distribution is difficult. • Dual-key encryption is slower but key-distribution is easy. • One common solution is to use the dual-key encryption for key-distribution and authentication while the single-key encryption is used to encrypt message.

  4. 2. Access Control (p.133) (Password, read, write, execute, and delete) • How does an attacker learn your password? • Try default passwords • Exhaustively try all short passwords • Try words in system’s online dictionary or a list of likely passwords. • Collect information about user. • Try user’s phone number. • Try user’s license plate numbers. • Use a Trojan horse. • Tap the line between a remote user and the host system. • * W. Stallings, 2000, Network Security Essentials, NJ: Prentice Hall.

  5. 3. Integrity, Non-repudiation and Digital Signature • Integrity: prevent user’s data and message from being modified. • Non-repudiation: prevent either sender or receiver from denying a transmitted message. • How can dual-key encryption be used to authenticate a message? • Digital signature is based on public-key cryptographic algorithm. • A one-way hash function takes a message and returns a small fixed-length string (hash value). The hash value is encrypted with sender’s private key that can be verified by recipient using the sender’s public key. Therefore, the recipient is certain that the message is indeed from the sender. • The hash value is also used to verify that the message was not altered in transit.

  6. If you buy books from Amazon.com, we want to know whether the Web site you are dealing with is really Amazon. You want Amazon Web server to authenticate itself to you and Amazon may want you to authenticate yourself to Amazon. What is the secure socket layer (SSL) protocol? The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. An SSL-enabled Web server can be linked with a URL starting with https (port 443) instead of http (port 80). Netscape patented SSL in 1997. * http://home.netscape.com/security/techbriefs/ssl.html 4. Authentication (Identity and Certificate)

  7. How does an SSL-enabled browser authenticate the server? • An SSL-enabled Web server should be certified by a trusted third party - Certifying Authority (CA p.138). • An SSL-enabled browser maintains a list of trusted CAs along with the public keys of the CAs. • When a client browser wants to communicate with an SSL-enabled Web server, the browser obtains the server’s certificate. The certificate is issued by a CA and digitally signed with this CA’s private key. • If the CA is in the browser’s list, the signature can be verified with this CA’s public key. If not, client’s browser issues a security alert.

  8. What are principle differences between SET and SSL? • The secure electronic transaction (SET) is a protocol specifically designed to secure payment-card transactions over Internet. The principle differences are • The SET is designed to encrypt specific kinds of payment-related messages. It cannot be used to encrypt arbitrary data as can SSL. • The SET protocol involves all three players on Internet, namely, the customer, the merchant, and the merchant’s bank. All sensitive information sent between the three parties is encrypted. • The SET requires all three players to have certificates. The customer’s and merchant’s certificates must be issued by their bank, thereby assuring that these players are permitted to make and receive payment-card purchases.

  9. What are … ? • Carnivore (p. 139): special software installed at an ISP to capture all Internet traffic from a specified person. • Echelon (p.139): an international system that intercepts a variety of communications, including faxes, email messages, international phone calls, and cellular phones in several nations. • Escrow Keys (p.140): Every encryption device can be broken with two special numbers (keys) that are held in escrow by judicial or governmental agencies.

  10. What are … ? • Firewall (p.141): a router that examines each data packet passing through it and block certain types to limit the interaction of the company network with the Internet. • Cookie (p.144): a cookie is a small text file that the server asks the browser to store on the user’s computer. Whenever the browser requests another page from that server, it returns the cookie file.

More Related