NBA 600: Session 20 Privacy and Security 3 April 2003 Daniel Huttenlocher


Page 1: NBA 600: Session 20, Privacy and Security

3 April 2003

Daniel Huttenlocher

Page 2: Today's Class

Privacy and security in a networked world
– Terminology and definitions
– Importance for customers and for risk management

Some technology for information security
– Encryption, public key cryptosystems
– Digital signatures
– Digital certificates
– How e-commerce security works on the Web
• SSL

Page 3: Information Security

Widespread transmission and storage of information increases problems of
– Privacy
• Freedom from unwanted intrusion, observation or disclosure
– Confidentiality
• Discretion in keeping information private

Security: the means of protecting privacy and confidentiality
– Policies, set by management
– Procedures, to be followed by employees
– Safeguards, physical or electronic

Page 4: Privacy and Confidentiality

Rights and expectations
– Disclosure of certain information is protected by law or contract
• Personal: e.g., medical records, educational records
• Institutional: e.g., government secrets, corporate secrets
– People in many societies expect that information about them should
• not be collected or used without their knowledge or approval
• not be used to harm them or their reputation
• be accurate, verifiable and correctable

Page 5: How Concerned Are You?

Privacy and confidentiality of your
– Shopping transactions
• Behavior/likes
• Spending
• Credit/payment information
– Medical records
– Educational records
– Employment or military service records
– Asset and tax information

How publicly available?
– To someone you didn't authorize (who pays $300)
– On the Internet for all to see

Page 6: Impact on Behavior

Fear of stolen credit card information is still a major reason for not shopping online
– One of the most cited reasons in surveys of shoppers

Widespread suspicion of "cookies" in Web browsers
– Although often not understood

Europeans much more sensitive than Americans to privacy of transaction history
– E.g., shoppers' clubs, credit card profiling
– Their laws reflect this
• E.g., changes to Microsoft Passport

Page 7: Scope of Security Problems

Generally believed to be under-reported
– Breaches and financial impact both increasing

Highlights of the annual CSI/FBI 2002 survey
– Polled 503 US security experts/officers
– 90% detected breaches in the past 12 months
– 80% acknowledged financial loss as a result
– 44% were willing to quantify the loss
• Totaling $456 million
– 74% cited the Internet as a frequent point of attack (and 33% internal systems)
– 34% reported intrusions to law enforcement

Page 8: Information Security Terms

Availability
– What information is collected
– How long it is kept
• Note: in the usual confidentiality/integrity/availability triad, availability means authorized users can get at the information when they need it; the slide uses the term for the collection and retention side of the same question

Authentication
– Validation of who is accessing or creating information
• Verify, not identify (the easier problem: check a claimed identity rather than pick one out of a population)

Authorization
– Controlling access, creation or modification

Accountability
– Tracking access, creation or modification
• Non-deniability (non-repudiation)

Page 9: Information Security Controls

Management
– Information security risk assessment
• E.g., think of it in terms of insurance coverage
– Establishment of policies

Operational
– Adherence to policies by those with (potential) access to information

Technical
– Computer or physical security systems
• E.g., locks, passwords, encryption

Page 10: Kinds of Security Policies

– What information is gathered
– How long to store information
– Anonymity of stored information
– Who has access (authorization)
– How access is authenticated
– Where access is allowed from
– How or when information can be copied
– Integrity or validity of information
– Tracking creation, access and modification
– Training and awareness
– Choice of technologies

Page 11: Technical Controls

Authentication (none foolproof)
– Token based
• What you have; e.g., key, SecurID card
• Can be copied or stolen
– Knowledge based
• What you know; e.g., password
• Can be gleaned (guessed, shared, written down or phished)
– Identity based (biometric)
• Who you are; e.g., signature, fingerprint
• Can be wrong (matching is statistical, whether done by software or by experts, so there is always some rate of false accepts and false rejects)
– Multi-factor
• Combination of two or more types

Page 12: Technical Controls

Authorization
– Generally based on preventing access to the content without authentication and permission
– Protecting content usually involves encryption
• Convert content to a form that cannot easily be decoded without the key

Cryptography
– Techniques for encryption and decryption
– Traditionally used primarily by governments
• For communication over insecure channels
– Now a cornerstone of electronic commerce

Page 13: Corporate Network Security

Most companies rely primarily on "perimeter protection"
– Password authentication for internal security
– Firewalls to isolate the corporate network from the public Internet
– Stronger authentication such as SecurID (token based) for external access

Rapidly becoming more porous as access to networked resources becomes more central
– Employees need access from home or on the road
– VPN (virtual private network)
– Web-based access

Page 14: Electronic Commerce Security

Transaction security
– Ensuring the transaction cannot be monitored by a third party
– Knowing who you are transacting with
– Ensuring the transaction cannot be modified by a third party

Information security
– Protecting privacy of information during and after the transaction
• Credit card or payment data
• Purchase history
• Browsing history

Page 15: Transaction Security

Cryptography can be used to ensure that a transaction is
– Not monitored
– Not tampered with
– Conducted with those who claim to be involved

Not foolproof
– As with all security systems it can be broken, but make that difficult
• Should be at least as secure as a good offline transaction, which relies on physical rather than electronic security

Page 16: Traditional Cryptography

Cryptographic algorithm or cipher
– Mathematical function that converts plaintext to ciphertext and vice versa
• Ciphertext cannot be read by outside observers
– Encryption: key + plaintext -> ciphertext
– Decryption: key + ciphertext -> plaintext
– Sender encrypts, receiver decrypts
• Shared key(s) known to sender and receiver; sometimes called symmetric encryption

Used to protect information sent over untrusted channels
– E.g., Enigma, used by Germany in WWII

Page 17: Not Useful on Its Own for E-Commerce

In principle could be used to ensure security of data sent over the Internet
– Not monitored
– Not tampered with
– Sender and recipient authorized

However, it requires secret key(s) known to both parties
– Not practical to exchange keys safely with every customer
• Via physical mail, telephone?
• How installed on the computer?
• Using multiple or shared computers?

Page 18: Public Key Cryptography

Published by Diffie and Hellman in 1976
– Encryption key is public
• Known to anyone, but specific to the recipient
– Decryption key is private
• Known only to the recipient
– Encryption and decryption keys come in pairs
• Only the private key can decrypt messages that were encrypted with the corresponding public key
– Knowing the public key does not make it easy to determine the private key
• RSA, the most widely used scheme, depends on the difficulty of factoring large numbers

Page 19: Illustration of Public Key

An integer and its factors can be used as a pair of public and private keys (this is the idea behind RSA, where the public modulus is the product of two secret primes)

Say my public key is 224286607
– My private key is a factor of this: 11243 (224286607 = 11243 × 19949)
• Public key divided by private key is an integer
– Still hard to determine my private key as long as I keep it secret (for a key this small, though, trial division finds it instantly)
– This public key is actually small
• Only 28 bits (smaller than 2^28), 9 decimal digits
• Keys used in Web transactions: 128 bits, 39 decimal digits
• Caveat: "128-bit" refers to the symmetric session key; the RSA public keys used by Web servers are typically 1024 bits (about 309 decimal digits)
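The point of the slide in running code, as an added example that is not part of the original slides: treat 224286607 as an RSA modulus n = p × q, factor it by trial division (instant at 28 bits), and derive the RSA private exponent from the factors. The public exponent e = 65537, the sample message and the helper names are choices made for this example.

```python
# Added example (not from the slides): treat slide 19's public key 224286607 as an
# RSA modulus n = p*q, and show that a 28-bit n is factored by trial division at
# once, after which the "private key" (the RSA private exponent d) follows
# directly. The message value and e = 65537 are choices made for this example.
import math

SLIDE_PUBLIC_KEY = 224286607     # the 28-bit, 9-digit public key on slide 19
E = 65537                        # conventional RSA public exponent (assumption)


def smallest_prime_factor(n):
    """Trial division: the attack that 'keeping the private key secret' must resist."""
    if n % 2 == 0:
        return 2
    for p in range(3, math.isqrt(n) + 1, 2):
        if n % p == 0:
            return p
    return n                     # n itself is prime


def recover_private_key(n, e=E):
    """Factor n, then derive the RSA private exponent d = e^-1 mod (p-1)(q-1)."""
    p = smallest_prime_factor(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return p, q, d


def key_size(n):
    """Bits and decimal digits of a key, the two measures the slide uses."""
    return n.bit_length(), len(str(n))


def attack_demo(n=SLIDE_PUBLIC_KEY, message=123456):
    """Encrypt with the public key, then decrypt with the recovered private key."""
    p, q, d = recover_private_key(n)
    ciphertext = pow(message, E, n)          # anyone can do this with the public key
    recovered = pow(ciphertext, d, n)        # only possible with d, which we just derived
    return p, q, recovered == message


if __name__ == "__main__":
    print("factors and success:", attack_demo())
    print("slide key (bits, digits):", key_size(SLIDE_PUBLIC_KEY))
    print("128-bit key (bits, digits):", key_size(2**128 - 1))
    print("1024-bit RSA modulus (bits, digits):", key_size(2**1024 - 1))
```

Trial division costs about sqrt(n) steps, so it is hopeless at 1024 bits; the best known factoring algorithms are far better than that but still infeasible at that size, which is the entire basis for trusting the private key.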

Page 20: Public Key Encryption on the Web

Secure Web sites
– Data encrypted using SSL (Secure Sockets Layer)
• Same data transfer, but encrypted
– URLs start with https:// rather than http://
– Shows up with a "padlock" in the browser status bar

Hybrid scheme where public key encryption is used to exchange shared keys
– Traditional (symmetric) encryption is considerably faster than public key
– Use public key encryption as a way of safely sending keys for symmetric encryption

Page 21: Still a Problem Though

Using a public key means the recipient could be anyone: getting hold of a key does not tell you whose it is
– Unlike traditional cryptography, where the shared secret "identifies" the parties as trusted

Some public key schemes, such as RSA, can be used to solve this
– Generate what is called a digital signature
• These are beginning to be recognized in laws and contracts as binding
– Use a digital signature to create an authenticated certificate containing the recipient's public key
• Signed by a recognized certificate authority

Page 22: Digital Signatures

Sender uses their private key to "encrypt" the message
– Usually encrypt something short computed from the message, because it's cheaper
• Called a "hash"
– Sends it, with the message, to the recipient

Recipient uses the sender's public key to decrypt it in order to validate that it came from the sender
– Get this key from someplace trusted
– If they get the correct message or "hash", then it must have been produced with the sender's private key

Page 23: Digital Certificates

Set of trusted authorities
– Known to client software such as IE
• Stores the public key of each authority

An authority issues a certificate to the operator of a Web site
– Digitally signed (with the authority's private key)
– Contains the public key of the Web site operator
• Also names the site, which the browser compares with the address it connected to
– For a fee: e.g., currently VeriSign charges $900/yr for a 128-bit certificate

When a Web browser connects to a secure site it receives the certificate
– Uses the authority's public key to validate it

Page 24: SSL Encryption Setup

Source: CacheFlow (handshake diagram with steps numbered 1-7; not reproduced in the transcript)

Before the "padlock" appears in the browser:
– Client contacts server, gets the certificate, validates it (1-3)
– Client sends encrypted secret data, server decrypts, both create shared keys (4-6)
– Encrypted data transfer begins (7)

Generally takes under a second
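The mechanisms of slides 20 to 24 in one runnable piece, as an added example that is not from the slides or from CacheFlow: a digital signature over a hash (slide 22), a certificate the authority signs and the "browser" validates with the authority's public key (slide 23), and the hybrid setup of slides 20 and 24 where the client sends a secret under the site's public key and both sides derive the same symmetric key from it. The primes, the host name shop.example, the JSON certificate layout and the SHA-256 keystream cipher are all choices made for this example; it is textbook RSA with no padding and must not be reused as is.

```python
# Added example (not from the slides or from CacheFlow): toy RSA used three ways,
# matching slides 20-24 -- a digital signature over a hash, a CA-signed certificate
# that a "browser" validates with the CA's public key, and the hybrid SSL-style setup
# where the client sends a secret under the site's public key and both sides derive
# a symmetric key from it. Primes, host name, certificate layout and the keystream
# cipher are all choices made for this example; it is textbook RSA with no padding.
import hashlib
import json
import secrets

E = 65537


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data, n):
    """'Something short computed from the message': SHA-256, reduced mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)          # "encrypt" the hash with the private key


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == digest(data, n)   # "decrypt" with the public key and compare


# One trusted authority, standing in for the list built into the browser.
CA_PUB, CA_PRIV = make_keypair(15485863, 2147483647)   # the 1,000,000th prime and 2^31 - 1


def issue_certificate(subject, subject_pub):
    """The authority signs the site's name and public key with its own private key."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1]}
    return {"body": body, "sig": sign(CA_PRIV, json.dumps(body, sort_keys=True).encode())}


def validate_certificate(cert, ca_pub, expected_subject):
    """Browser side: right name, and a signature that checks under the CA's public key."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return cert["body"]["subject"] == expected_subject and verify(ca_pub, encoded, cert["sig"])


def keystream_xor(key, data):
    """Toy symmetric cipher (SHA-256 counter keystream); a stand-in for RC4/3DES, not secure."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[32 * i:32 * i + 32], block))
    return bytes(out)


def session_key(pre_master, n):
    """Both sides turn the exchanged secret into the symmetric key the same way."""
    return hashlib.sha256(pre_master.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


# The Web site operator: a keypair, and a certificate obtained from the authority.
SITE_PUB, SITE_PRIV = make_keypair(1299709, 104729)      # the 100,000th and 10,000th primes
SITE_CERT = issue_certificate("shop.example", SITE_PUB)


def ssl_setup(cert, ca_pub, host, request, site_priv):
    """Steps 1-7 from slide 24, both roles run in one process; returns what the server reads."""
    # 1-3: client fetches the certificate and validates it before trusting the key in it
    if not validate_certificate(cert, ca_pub, host):
        raise ValueError("certificate not issued by a trusted authority for this host")
    n, e = cert["body"]["n"], cert["body"]["e"]
    # 4-6: client picks a secret and sends it encrypted under the site's public key;
    #      the server recovers it with its private key; both derive the same session key
    pre_master = secrets.randbelow(n)
    on_the_wire = pow(pre_master, e, n)
    server_secret = pow(on_the_wire, site_priv[1], site_priv[0])
    client_key, server_key = session_key(pre_master, n), session_key(server_secret, n)
    # 7: encrypted data transfer; the server decrypts with the key it derived itself
    return keystream_xor(server_key, keystream_xor(client_key, request))


if __name__ == "__main__":
    print(ssl_setup(SITE_CERT, CA_PUB, "shop.example", b"POST /checkout card=4111...", SITE_PRIV))
```

Two things the toy makes visible that the slide's one-line steps hide: the browser trusts the site's key only because the signature on the certificate checks under a CA key it already had, so the certificate's name has to be compared with the host actually contacted, and the symmetric key that protects the data is never sent at all; both sides derive it from the secret that only the holder of the site's private key could recover.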

Page 25: Some Main Players in Security

VeriSign (VRSN)
– Digital trust services
– $1.2B/yr revenue, up 24% y-o-y (acquisition)
– $2.3B market cap

Check Point Software (CHKP)
– Firewalls
– $427M/yr revenue, down 19% y-o-y
– $3.9B market cap

RSA Security (RSAS)
– E-security solutions (e.g., SecurID)
– $230M/yr revenue, down 18% y-o-y
– $420M market cap