Chapter 4 Security, Privacy, and Anonymity

1

• Chapter 4 Security, Privacy, and Anonymity

• Threats to Information (p.125)
• Disasters
• Employees and Consultants
• Business Partners
• Outsiders
• Virus

2

• II. Security Controls
• 1. Confidentiality (against eavesdropping)
• Eavesdropping packet sniffing on net, in which
  attackers read transmitted information, including
  logon information and database contents.
• Brute Force attack (P.135)
• 1975 US National Bureau of Standard (NBS) Data
  Encryption Standard (DES) a 56-bit key is no
  longer considered to be very secure.
• 2001 US National Bureau of Standard (NBS)
  Advanced Encryption Standard (AES) a choice of
  key length of 128, 192, or 256 bits.

3

• Single-Key (conventional) and Dual-Key
  (public-key) Encryption Algorithms
• Single-key encryption is faster but
  key-distribution is difficult.
• Dual-key encryption is slower but
  key-distribution is easy.
• One common solution is to use the dual-key
  encryption for key-distribution and
  authentication while the single-key encryption
  is used to encrypt message.

4
2. Access Control (p.133) (Password, read,
write, execute, and delete)

• How does an attacker learn your password?
• Try default passwords
• Exhaustively try all short passwords
• Try words in systems online dictionary or a
  list of likely passwords.
• Collect information about user.
• Try users phone number.
• Try users license plate numbers.
• Use a Trojan horse.
• Tap the line between a remote user and the host
  system.
• W. Stallings, 2000, Network Security
  Essentials, NJ Prentice Hall.

5
3. Integrity, Non-repudiation and Digital
Signature

• Integrity prevent users data and message from
  being modified.
• Non-repudiation prevent either sender or
  receiver from denying a transmitted message.
• How can dual-key encryption be used to
  authenticate a message?
• Digital signature is based on public-key
  cryptographic algorithm.
• A one-way hash function takes a message and
  returns a small fixed-length string (hash
  value). The hash value is encrypted with
  senders private key that can be verified by
  recipient using the senders public key.
  Therefore, the recipient is certain that the
  message is indeed from the sender.
• The hash value is also used to verify that the
  message was not altered in transit.

6
4. Authentication (Identity and Certificate)
If you buy books from Amazon.com, we want to know
whether the Web site you are dealing with is
really Amazon. You want Amazon Web server to
authenticate itself to you and Amazon may want
you to authenticate yourself to Amazon. What is
the secure socket layer (SSL) protocol? The SSL
security protocol provides data encryption,
server authentication, message integrity, and
optional client authentication for a TCP/IP
connection. An SSL-enabled Web server can be
linked with a URL starting with https (port 443)
instead of http (port 80). Netscape patented SSL
in 1997. http//home.netscape.com/security/techb
riefs/ssl.html
7

• How does an SSL-enabled browser authenticate the
  server?
• An SSL-enabled Web server should be certified by
  a trusted third party - Certifying Authority (CA
  p.138).
• An SSL-enabled browser maintains a list of
  trusted CAs along with the public keys of the
  CAs.
• When a client browser wants to communicate with
  an SSL-enabled Web server, the browser obtains
  the servers certificate. The certificate is
  issued by a CA and digitally signed with this
  CAs private key.
• If the CA is in the browsers list, the
  signature can be verified with this CAs public
  key. If not, clients browser issues a security
  alert.

8

• What are principle differences between SET and
  SSL?
• The secure electronic transaction (SET) is a
  protocol specifically designed to secure
  payment-card transactions over Internet. The
  principle differences are
• The SET is designed to encrypt specific kinds of
  payment-related messages. It cannot be used to
  encrypt arbitrary data as can SSL.
• The SET protocol involves all three players on
  Internet, namely, the customer, the merchant,
  and the merchants bank. All sensitive
  information sent between the three parties is
  encrypted.
• The SET requires all three players to have
  certificates. The customers and merchants
  certificates must be issued by their bank,
  thereby assuring that these players are permitted
  to make and receive payment-card purchases.

9

• What are ?
• Carnivore (p. 139) special software installed at
  an ISP to capture all Internet traffic from a
  specified person.
• Echelon (p.139) an international system that
  intercepts a variety of communications, including
  faxes, email messages, international phone calls,
  and cellular phones in several nations.
• Escrow Keys (p.140) Every encryption device can
  be broken with two special numbers (keys) that
  are held in escrow by judicial or governmental
  agencies.

10

• What are ?
• Firewall (p.141) a router that examines each
  data packet passing through it and block certain
  types to limit the interaction of the company
  network with the Internet.
• Cookie (p.144) a cookie is a small text file
  that the server asks the browser to store on the
  users computer. Whenever the browser requests
  another page from that server, it returns the
  cookie file.