NBA 600: Session 20, Privacy and Security
3 April 2003
Daniel Huttenlocher
Slide 2: Today’s Class
 Privacy and security in a networked world
 Terminology and definitions
 Importance for customers and for risk management
 Some technology for information security
– Encryption, public key cryptosystems
– Digital signatures
– Digital certificates
– How e-commerce security works on the Web
• SSL
Slide 3: Information Security
 Widespread transmission and storage of information increases problems of
– Privacy
• Freedom from unwanted intrusion, observation or disclosure
– Confidentiality
• Discretion in keeping information private
 Security: means of protecting privacy and confidentiality
– Policies, set by management
– Procedures, to be followed by employees
– Safeguards, physical or electronic
Slide 4: Privacy and Confidentiality
 Rights and expectations
– Disclosure of certain information is protected by law or contract
• Personal: e.g., medical records, educational records
• Institutional: e.g., government secrets, corporate secrets
– People in many societies expect information about them should
• not be collected or used without their knowledge or approval
• not be used to harm them or their reputation
• be accurate, verifiable and correctable
Slide 5: How Concerned Are You?
 Privacy and confidentiality of your
– Shopping transactions
• Behavior/likes
• Spending
• Credit/payment information
– Medical records
– Educational records
– Employment or military service records
– Asset and tax information
 How publicly available
– Someone you didn’t authorize (who pays $300)
– On the Internet for all to see
Slide 6: Impact on Behavior
 Fear of stolen credit card information still a major reason for not shopping online
– One of the most cited in surveys of shoppers
 Widespread suspicion of “cookies” in Web browsers
– Although often not understood
 Europeans much more sensitive than Americans to privacy of transaction history
– E.g., shoppers clubs, credit card profiling
– Their laws reflect this
• E.g., changes to Microsoft Passport
Slide 7: Scope of Security Problems
 Generally believed to be under-reported
– Breaches and financial impact both increasing
 Highlights of annual CSI/FBI 2002 survey
– Polled 503 US security experts/officers
– 90% detected breaches in past 12 mos.
– 80% acknowledge financial loss as result
– 44% were willing to quantify loss
• Totaling $456 million
– 74% cited Internet as frequent point of attack (and 33% internal systems)
– 34% reported intrusions to law enforcement
Slide 8: Information Security Terms
 Availability
– What information is collected
– How long it is kept
 Authentication
– Validation of who is accessing or creating info
• Verify not identify (easier problem to solve)
 Authorization
– Controlling access, creation or modification
 Accountability
– Tracking access, creation or modification
• Non-deniability
Slide 9: Information Security Controls
 Management
– Information security risk assessment
• E.g., think of in terms of insurance coverage
– Establishment of policies
 Operational
– Adherence to policies by those with (potential) access to information
 Technical
– Computer or physical security systems
• E.g., locks, passwords, encryption
Slide 10: Kinds of Security Policies
 What information is gathered
 How long to store information
 Anonymity of stored information
 Who has access (authorization)
 How access is authenticated
 Where access can be from
 How or when information can be copied
 Integrity or validity of information
 Tracking creation, access and modification
 Training and awareness
 Choice of technologies
Slide 11: Technical Controls
 Authentication (none foolproof)
– Token based
• What you have; e.g., key, secureID card
• Can be copied or stolen
– Knowledge based
• What you know; e.g., password
• Can be gleaned
– Identity based
• Who you are; e.g., signature, fingerprint
• Can be wrong (statistical methods, experts)
– Multi-factor
• Combination of two or more types
Slide 12: Technical Controls
 Authorization
– Generally based on preventing access to the content without authentication and permission
– Protecting content usually involves encryption
• Convert content to a form where it cannot easily be decoded
 Cryptography
– Techniques for encryption and decryption
– Traditionally used primarily by governments
• For communication over insecure channels
– Now a cornerstone of electronic commerce
Slide 13: Corporate Network Security
 Most companies rely primarily on “perimeter protection”
– Password authentication for internal security
– Firewalls to isolate corporate network from public Internet
– Stronger authentication such as secureID for external access (token based)
 Rapidly becoming more porous as access to networked resources becomes more central
– Employees need access from home or road
– VPN (virtual private network)
– Web-based access
Slide 14: Electronic Commerce Security
 Transaction security
– Ensuring transaction cannot be monitored by third party
– Knowing who you are transacting with
– Ensuring transaction cannot be modified by third party
 Information security
– Protecting privacy of information during and after transaction
• Credit card or payment data
• Purchase history
• Browsing history
Slide 15: Transaction Security
 Cryptography can be used to ensure transaction
– Not monitored
– Not tampered with
– Involves those who claim to be involved
 Not foolproof
– As with all security systems can be broken, but make it difficult
• Should be at least as secure as good offline transaction
• Physical rather than electronic security
Slide 16: Traditional Cryptography
 Cryptographic algorithm or cipher
– Mathematical function that converts plaintext to ciphertext and vice versa
• Ciphertext cannot be read by outside observers
– Encryption: key + plaintext -> ciphertext
– Decryption: key + ciphertext -> plaintext
– Sender encrypts, receiver decrypts
• Shared key(s) known to sender and receiver
 Sometimes called symmetric encryption
 Used to protect information sent over un-trusted channels
– E.g., Enigma used by Germans in WWII
Slide 17: Not Useful for E-Commerce
 In principle could be used to ensure security of data sent over the Internet
– Not monitored
– Not tampered with
– Sender and recipient authorized
 However requires secret key(s) known to both parties
– Not practical to exchange keys safely
• Via physical mail, telephone?
• How installed on computer?
• Using multiple or shared computers?
Slide 18: Public Key Cryptography
 Invented by Diffie and Hellman, early ’70’s
– Encryption key is public
• Known to anyone, but specific to recipient
– Decryption key is private
• Known only to recipient
– Encryption and decryption keys come in pairs
• Only private key can decrypt messages that were encrypted with corresponding public key
– Knowing public key does not make it easy to determine private key
• RSA, the most widely used scheme, depends on difficulty of factoring large numbers
Slide 19: Illustration of Public Key
 An integer and its factor can be used as a pair of public and private keys
 Say my public key is 224286607
– My private key is a factor of this
• Public key divided by private key is an integer
– Still hard to determine my private key as long as I keep it secret
– This public key is actually small
• Only 28 bits (smaller than 2^28), 9 decimal digits
• Keys used in Web transactions are 128 bits, 39 decimal digits
 Private key (revealed on the slide): 11243
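Added example, not from the lecture slides: the integer-and-factor key pair of slides 18 and 19 in Python. It checks the slide's rule (public key divisible by private key), then recovers the private key from the public key alone by trial division, which is exactly the attack the slide's "hard to determine" claim is about; `trial_division_work` estimates how that cost grows with key size. Only the two numbers 224286607 and 11243 come from the slide; the function names and the work estimate are assumptions made here. One caveat the slide glosses over: the 128-bit figure it quotes is the size of the symmetric session key that SSL negotiates, while the RSA public keys that protect that exchange are much longer (1024 bits was typical at the time), so the last line of the demo output is the relevant comparison.

```python
"""Added example (not from the lecture): slide 19's 'integer and its factor'
key pair, checked and then recovered by brute force, to show why the slide
calls a 28-bit key small. 224286607 and 11243 are the slide's numbers;
everything else here is constructed for illustration.
"""
import math

PUBLIC_KEY = 224286607   # slide 19: 9 decimal digits, 28 bits
PRIVATE_KEY = 11243      # the factor revealed at the bottom of the slide


def is_valid_pair(public_key: int, private_key: int) -> bool:
    """Slide 19's rule: public key divided by private key is an integer."""
    return 1 < private_key < public_key and public_key % private_key == 0


def key_bits(public_key: int) -> int:
    """Bit length of the key (slide: 'only 28 bits, smaller than 2^28')."""
    return public_key.bit_length()


def recover_private_key(public_key: int) -> tuple:
    """What someone holding only the public key can do: trial division.

    Returns (smallest non-trivial factor, divisions performed). Testing 2 and
    then the odd numbers up to sqrt(public_key) is enough, because a composite
    number always has a factor no larger than its square root.
    """
    if public_key % 2 == 0:
        return 2, 1
    divisions = 1
    for candidate in range(3, math.isqrt(public_key) + 1, 2):
        divisions += 1
        if public_key % candidate == 0:
            return candidate, divisions
    return public_key, divisions   # prime: no private key exists for it


def trial_division_work(bits: int) -> int:
    """Worst-case divisions for a `bits`-bit product of two same-size primes:
    about sqrt(2**bits) / 2 odd candidates, i.e. roughly 2**(bits/2 - 1)."""
    return math.isqrt(2 ** bits) // 2


if __name__ == "__main__":
    factor, work = recover_private_key(PUBLIC_KEY)
    print(f"{PUBLIC_KEY} = {factor} x {PUBLIC_KEY // factor} after {work} divisions")
    for bits in (28, 128, 1024):
        print(f"{bits}-bit modulus: about {trial_division_work(bits):.3e} divisions")
```

Running it recovers 11243 (the slide's private key, with cofactor 19949) in a few thousand divisions, while the same naive method on a 128-bit modulus would need on the order of 2^63 divisions; the "secret" in the slide's toy scheme is therefore protected only by its size, which is the point slide 18 makes about factoring.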
Slide 20: Public Key Encryption on Web
 Secure Web sites
– Data encrypted using SSL (Secure Socket Layer)
• Same data transfer but encrypted
– URL’s start with https:// rather than http://
– Shows up with “padlock” in browser status bar
 Hybrid scheme where public key encryption used to exchange shared keys
– Traditional (symmetric) encryption considerably faster than public key
– Use public key as way of safely sending keys for symmetric encryption
Slide 21: Still a Problem Though
 Use of public key means recipient could be anyone; no way to validate, you just get a key
– Unlike traditional cryptography where shared secret “identifies” parties as trusted
 Some public key schemes, such as RSA, can be used to solve this
– Generate what is called a digital signature
• These are beginning to be recognized in laws and contracts as binding
– Use digital signature to create authenticated certificate with recipient’s public key
• Signed by a recognized certificate authority
Slide 22: Digital Signatures
 Sender uses their private key to encrypt the message
– Usually encrypt something short computed from the message because it’s cheaper
• Called a “hash”
– Sends to recipient
 Recipient uses sender’s public key to decrypt in order to validate it is from the sender
– Get this key from someplace trusted
– If they get the correct message or “hash” then it must have been sent with sender’s private key
Slide 23: Digital Certificates
 Set of trusted authorities
– Known to client software such as IE
• Stores public key of each authority
 An authority issues a certificate to the operator of a Web site
– Digitally signed (with authority’s private key)
– Contains public key of Web site operator
– For a fee: e.g., currently VeriSign charges $900/yr for 128-bit certificate
 When Web browser connects to a secure site it receives the certificate
– Uses authority’s public key to validate
Slide 24: SSL Encryption Setup
(Figure not reproduced; source: CacheFlow)
 Before “padlock” appears on browser:
– Client contacts server, gets certificate, validates it (1-3)
– Client sends encrypted secret data, server decrypts, both create shared keys (4-6)
– Encrypted data transfer begins (7)
 Generally takes under a second
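Added example, not from the lecture and not from any SSL implementation: slides 20, 22, 23 and 24 (the hybrid scheme, digital signatures, certificates and the seven setup steps) as one runnable Python script. Textbook RSA over two constructed ~30-bit primes stands in for the real algorithms; the certificate is a plain dictionary rather than an X.509 structure, the symmetric cipher is a SHA-256 keystream written here purely for illustration, and the hostname shop.example, the function names and the step numbers are labels taken from the slide's own description. Real SSL/TLS differs in every format detail, but the sequence of checks is the one slide 24 describes: validate the certificate against a trusted authority's public key (and check that the name in it matches the site being contacted), send a random secret under the site's public key, derive shared keys on both sides, then encrypt and integrity-protect the transfer.

```python
"""Added example (not from the lecture): slides 20 and 22-24 as running code.
Textbook RSA over constructed ~30-bit primes stands in for the real schemes;
the certificate layout, the keystream cipher, the hostname shop.example and
the step numbers 1-7 (from the figure on slide 24) are simplifications."""
import hashlib
import hmac
import secrets

E = 65537  # public exponent shared by all keys in this example

def make_keypair(p, q):
    """Slide 18: keys come in pairs. Returns ((n, e), (n, d)) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))  # d = inverse of e mod phi (Python 3.8+)

def digest_as_int(data, n):
    """Slide 22: sign a short 'hash' of the message rather than the message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest_as_int(data, n), d, n)  # 'encrypt' the hash with the private key

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(data, n)  # 'decrypt' with the public key

def cert_body(subject, public_key):
    """The bytes an authority actually signs: site name plus site public key."""
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(ca_private, subject, subject_public):
    """Slide 23: the authority signs the site's name together with its public key."""
    return {"subject": subject, "public_key": subject_public,
            "signature": sign(ca_private, cert_body(subject, subject_public))}

def validate_certificate(ca_public, cert, hostname):
    """Browser side: the signature checks out under the authority's public key
    and the name in the certificate is the site actually being contacted."""
    return cert["subject"] == hostname and verify(
        ca_public, cert_body(cert["subject"], cert["public_key"]), cert["signature"])

def derive_keys(secret):
    """Step 6: both sides turn the exchanged secret into encryption and MAC keys."""
    return (hashlib.sha256(b"enc" + secret).digest(),
            hashlib.sha256(b"mac" + secret).digest())

def keystream_xor(key, data):
    """Toy symmetric cipher for slide 20's fast 'traditional' half: XOR with a
    SHA-256 counter keystream. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def ssl_setup(ca_public, server_cert, server_private, hostname):
    """Slide 24, steps 1-7 before the padlock appears.
    Returns (client_keys, server_keys), or None if the certificate fails."""
    if not validate_certificate(ca_public, server_cert, hostname):  # steps 1-3
        return None
    n, e = server_cert["public_key"]
    pre_master = secrets.randbelow(n - 1) + 1          # step 4: client picks a secret
    encrypted = pow(pre_master, e, n)                  # ... sent under the site's public key
    server_n, d = server_private
    server_secret = pow(encrypted, d, server_n)        # step 5: only the site can decrypt it
    return (derive_keys(pre_master.to_bytes(8, "big")),     # step 6, client side
            derive_keys(server_secret.to_bytes(8, "big")))  # step 6, server side

def protect(keys, plaintext):
    """Step 7: encrypt, then append an HMAC so any modification is detectable."""
    enc_key, mac_key = keys
    ciphertext = keystream_xor(enc_key, plaintext)
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def unprotect(keys, record):
    """Returns the plaintext, or None if the record was altered in transit."""
    enc_key, mac_key = keys
    ciphertext, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return keystream_xor(enc_key, ciphertext) if hmac.compare_digest(tag, expected) else None

def demo():
    """Whole sequence with constructed primes; returns the checks for inspection."""
    ca_public, ca_private = make_keypair(1000000007, 1000000009)     # constructed CA key
    site_public, site_private = make_keypair(998244353, 1000000021)  # constructed site key
    cert = issue_certificate(ca_private, "shop.example", site_public)
    client_keys, server_keys = ssl_setup(ca_public, cert, site_private, "shop.example")
    record = protect(client_keys, b"order 42: 1 x widget")
    tampered = bytes([record[0] ^ 1]) + record[1:]
    return {"keys_match": client_keys == server_keys,
            "roundtrip": unprotect(server_keys, record),
            "tamper_detected": unprotect(server_keys, tampered) is None,
            "wrong_host_rejected": ssl_setup(ca_public, cert, site_private, "other.example") is None}

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the checks a defender cares about: both sides derive identical keys without the secret ever travelling in the clear, an altered record is rejected by the integrity check, and a certificate presented for a different hostname is refused before any secret is sent, which is the failure slide 21 warns about when a public key arrives with no way to validate whose it is.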
Slide 25: Some Main Players in Security
 VeriSign (VRSN)
– Digital trust services
– $1.2B/yr revenue, up 24% y-o-y (acquisition)
– $2.3B market cap
 CheckPoint Software (CHKP)
– Firewalls
– $427M/yr revenue, down 19% y-o-y
– $3.9B market cap
 RSA Security (RSAS)
– E-Security solutions (e.g., secureID)
– $230M/yr revenue, down 18% y-o-y
– $420M market cap