copyright © center for systems security and information assurance lesson four data privacy and...

Copyright © Center for Systems Security and Information Assurance

Lesson Four

Data Privacy and Encryption


Lesson Objectives

• Define the term cryptology and discuss the types and applications of cryptology.

• Identify the components of a cryptography systems.• Identify and discuss common approaches to

cryptography.• Compare and contrast symmetric and asymmetric

encryption.• Define the term digital signature and explain its function.• Define the term Public-Key Infrastructure and explains it

uses.• List the most common secure applications and explain

there function.


Protecting Your Personal Information

• Every day you share personal information about yourself with others

• It is so routine that you may not even realize you are doing itwrite a check at the grocery store, charge tickets to a ball game, rent a car, mail your tax returns, buy a gift online, call home on your cell phone, schedule a doctors appointment or apply for a credit card.


Protecting Your Personal Information

Each transaction requires you to share personal information: your bank and credit card account numbersyour incomeyour Social Security number (SSN)or your nameaddress and phone numbers


What happened with my personal information?

Its important to find out what happens to the personal information you and your children provide to companies, marketers and government agencies.

These organizations may use your information simply to process your order; to tell you about products, services, or promotions; or to share with others.


Identity Theft – Fastest Growing Crime

Identity thieves, who want your information to commit fraud

Identity theft is the fastest-growing white-collar crime in America

Occurs when someone steals your personal identifying information to

open new charge accounts, order merchandise or borrow money

Consumers targeted by identity thieves usually don’t know they’ve been victimized.


FTC Tips to Avoid Identity Theft

Before you reveal any personally identifying information, find out how it will be used and whether it will be shared with others

Read the privacy policy on any website directed to you or your children

Minimize the identification information and the number of cards you carry to what you’ll actually need


FTC Tips to Avoid Identity Theft

Don’t put all your identifying information in one holder in your purse, briefcase, wallet or backpack

Keep items with personal information in a safe place

Protect yourself against dumpster diving

Use a secure browser when shopping online to guard

Employ encryption when transferring sensitive or confidential data


Cryptography

• CryptographyThe art and science of keeping information secure from unintended audiences, of encrypting it

• Cryptanalysis The art and science of breaking encoded data

• CryptologyThe branch of mathematics encompassing both cryptography and cryptanalysis

• Cryptography Plays a crucial role in the transfer of confidential information across local networks and the Internet


Cryptography Components• Encryption Algorithm

A set of mathematically expressed processes for encrypting information

• CiphertextEncrypted text

• Plaintext What you have before encryption, and ciphertext is the encrypted result

• Key Information used to change the operations performed in crypto-equipment for the purpose of encrypting or decrypting electronic signals.


Cryptography


Applying Cryptography

• Encrypts data residing on storage devices or traveling through communication channels to ensure that any illegal access is not successful

• Secures the process of authenticating different parties attempting any function on the system

• Presents a party wishing be granted certain functionality on the system a way to prove that they indeed who they say they are

• Ensures that credentials are only used by their rightful owner


Principles of Modern Cryptography

• Emphasis that security should not depend on the secrecy of the encryption method (or algorithm), only the secrecy of the keys

• Revelation of the secret keys must not occur when plaintext and ciphertext are compared, and no person should have knowledge of the key

• Execution of today's algorithms are by computers or specialized hardware devices, and in most cases are implemented in computer software


Symmetric Encryption

• The message can be encrypted and decrypted using the same key

• Symmetric encryption is faster compared to asymmetric encryption

• Both the sender and the recipient must have an access to (same) encryption key (a disadvantage)

• Secure distribution of the (encryption) key between the parties is required

• The most commonly used symmetric encryption method is Data Encryption Standard


Symmetric Encryption


Asymmetric Encryption

• Based on the usage of key pairs• Exchangeable keys• The recipient's private key is only in the recipient's

possession, no third party is able to decrypt the message encrypted with the recipient's public key

• Management of keys is a big advantage• Time-consuming• Referred to as public key encryption.


Asymmetric Encryption


Digitals Signatures

Extra data is appended to a message which identifies and authenticates the sender and message data using public-key encryption

The sender uses a one-way hash function to generate a hash-code of about 32 bits from the message data

The sender then encrypts the hash-code with his private key

The receiver re-computes the hash-code from the data and decrypts the received hash with the sender's public key

If the two hash-codes are equal, the receiver can be sure that data has not been corrupted and that it came from the given sender


Digitals Signatures


RSA

• A public key cipher which can be used both for encrypting messages and making digital signatures

• The company RSA Data Security Inc. takes its name from this algorithm, and has acquired the rights to the patents which cover it


Public-key Infrastructure (PKI)

• Combine software, encryption technologies, and services to enable enterprises to protect the security of their communications and business transactions on the Internet

• Integrate digital certificates, public-key cryptography, and certificate authorities into a total, enterprise-wide network security architecture


Virtual Private Network (VPNs)

• Connect a group of two or more computer systems to a private network with limited public-network access, that communicates securely over a public network, such as the internet

• Include encryption, authentication of remote users or hosts, and mechanisms for hiding or masking information about private network topology from potential attackers on the public network


Secure Application Protocols

• Secure/MIME (S/MIME)

A version of the MIME protocol that supports encryption of messages. S/MIME is based on RSA's public-key encryption technology

• Secure Electronic Transaction (SET)

A standard that will enable secure credit card transactions on the Internet

• Secure Shell (SSH)

A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another


Secure Application Protocols

• SHTTPAn extension to the HTTP protocol to support sending data securely over the World Wide Web

• IP Security (IPSec)A set of protocols developed by the IETF to support secure exchange of packets at the IP layer


Exercise 4.1

Using PGP


Exercise 4.2

Using Token Generator


Exercise 4.3

VPN Demonstration


Exercise 4.4

Using SHTTP


Exercise 4.5

Viewing a Digital Certificate


Exercise 4.6

Protecting Word Documents

copyright © center for systems security and information assurance lesson four data privacy and...

Documents

personal information

identification information

systems security

information assurance

copyright center

cryptography systems

encryption slide

identity theft dont