copyright © center for systems security and information assurance lesson four data privacy and...
TRANSCRIPT
Copyright © Center for Systems Security and Information Assurance
Lesson Four
Data Privacy and Encryption
Copyright © Center for Systems Security and Information Assurance
Lesson Objectives
• Define the term cryptology and discuss the types and applications of cryptology.
• Identify the components of a cryptography systems.• Identify and discuss common approaches to
cryptography.• Compare and contrast symmetric and asymmetric
encryption.• Define the term digital signature and explain its function.• Define the term Public-Key Infrastructure and explains it
uses.• List the most common secure applications and explain
there function.
Copyright © Center for Systems Security and Information Assurance
Protecting Your Personal Information
• Every day you share personal information about yourself with others
• It is so routine that you may not even realize you are doing itwrite a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax returns, buy a gift online, call home on your cell phone, schedule a doctors appointment or apply for a credit card.
Copyright © Center for Systems Security and Information Assurance
Protecting Your Personal Information
Each transaction requires you to share personal information: your bank and credit card account numbersyour incomeyour Social Security number (SSN)or your nameaddress and phone numbers
Copyright © Center for Systems Security and Information Assurance
What happened with my personal information?
Its important to find out what happens to the personal information you and your children provide to companies, marketers and government agencies.
These organizations may use your information simply to process your order; to tell you about products, services, or promotions; or to share with others.
Copyright © Center for Systems Security and Information Assurance
Identity Theft – Fastest Growing Crime
Identity thieves, who want your information to commit fraud
Identity theft is the fastest-growing white-collar crime in America
Occurs when someone steals your personal identifying information to
open new charge accounts, order merchandise or borrow money
Consumers targeted by identity thieves usually don’t know they’ve been victimized.
Copyright © Center for Systems Security and Information Assurance
FTC Tips to Avoid Identity Theft
Before you reveal any personally identifying information, find out how it will be used and whether it will be shared with others
Read the privacy policy on any website directed to you or your children
Minimize the identification information and the number of cards you carry to what you’ll actually need
Copyright © Center for Systems Security and Information Assurance
FTC Tips to Avoid Identity Theft
Don’t put all your identifying information in one holder in your purse, briefcase, wallet or backpack
Keep items with personal information in a safe place
Protect yourself against dumpster diving
Use a secure browser when shopping online to guard
Employ encryption when transferring sensitive or confidential data
Copyright © Center for Systems Security and Information Assurance
Cryptography
• CryptographyThe art and science of keeping information secure from unintended audiences, of encrypting it
• Cryptanalysis The art and science of breaking encoded data
• CryptologyThe branch of mathematics encompassing both cryptography and cryptanalysis
• Cryptography Plays a crucial role in the transfer of confidential information across local networks and the Internet
Copyright © Center for Systems Security and Information Assurance
Cryptography Components• Encryption Algorithm
A set of mathematically expressed processes for encrypting information
• CiphertextEncrypted text
• Plaintext What you have before encryption, and ciphertext is the encrypted result
• Key Information used to change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals.
Copyright © Center for Systems Security and Information Assurance
Applying Cryptography
• Encrypts data residing on storage devices or traveling through communication channels to ensure that any illegal access is not successful
• Secures the process of authenticating different parties attempting any function on the system
• Presents a party wishing be granted certain functionality on the system a way to prove that they indeed who they say they are
• Ensures that credentials are only used by their rightful owner
Copyright © Center for Systems Security and Information Assurance
Principles of Modern Cryptography
• Emphasis that security should not depend on the secrecy of the encryption method (or algorithm), only the secrecy of the keys
• Revelation of the secret keys must not occur when plaintext and ciphertext are compared, and no person should have knowledge of the key
• Execution of today's algorithms are by computers or specialized hardware devices, and in most cases are implemented in computer software
Copyright © Center for Systems Security and Information Assurance
Symmetric Encryption
• The message can be encrypted and decrypted using the same key
• Symmetric encryption is faster compared to asymmetric encryption
• Both the sender and the recipient must have an access to (same) encryption key (a disadvantage)
• Secure distribution of the (encryption) key between the parties is required
• The most commonly used symmetric encryption method is Data Encryption Standard
Copyright © Center for Systems Security and Information Assurance
Asymmetric Encryption
• Based on the usage of key pairs• Exchangeable keys• The recipient's private key is only in the recipient's
possession, no third party is able to decrypt the message encrypted with the recipient's public key
• Management of keys is a big advantage• Time-consuming• Referred to as public key encryption.
Copyright © Center for Systems Security and Information Assurance
Digitals Signatures
Extra data is appended to a message which identifies and authenticates the sender and message data using public-key encryption
The sender uses a one-way hash function to generate a hash-code of about 32 bits from the message data
The sender then encrypts the hash-code with his private key
The receiver re-computes the hash-code from the data and decrypts the received hash with the sender's public key
If the two hash-codes are equal, the receiver can be sure that data has not been corrupted and that it came from the given sender
Copyright © Center for Systems Security and Information Assurance
RSA
• A public key cipher which can be used both for encrypting messages and making digital signatures
• The company RSA Data Security Inc. takes its name from this algorithm, and has acquired the rights to the patents which cover it
Copyright © Center for Systems Security and Information Assurance
Public-key Infrastructure (PKI)
• Combine software, encryption technologies, and services to enable enterprises to protect the security of their communications and business transactions on the Internet
• Integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture
Copyright © Center for Systems Security and Information Assurance
Virtual Private Network (VPNs)
• Connect a group of two or more computer systems to a private network with limited public-network access, that communicates securely over a public network, such as the internet
• Include encryption, authentication of remote users or hosts, and mechanisms for hiding or masking information about private network topology from potential attackers on the public network
Copyright © Center for Systems Security and Information Assurance
Secure Application Protocols
• Secure/MIME (S/MIME)
A version of the MIME protocol that supports encryption of messages. S/MIME is based on RSA's public-key encryption technology
• Secure Electronic Transaction (SET)
A standard that will enable secure credit card transactions on the Internet
• Secure Shell (SSH)
A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another
Copyright © Center for Systems Security and Information Assurance
Secure Application Protocols
• SHTTPAn extension to the HTTP protocol to support sending data securely over the World Wide Web
• IP Security (IPSec)A set of protocols developed by the IETF to support secure exchange of packets at the IP layer
Copyright © Center for Systems Security and Information Assurance
Exercise 4.2
Using Token Generator
Copyright © Center for Systems Security and Information Assurance
Exercise 4.5
Viewing a Digital Certificate