Information Systems Security: Enabling Future Internet Applications through Cryptography

Slides: 42
Provided by: nmsLc
Learn more at: http://nms.lcs.mit.edu
Transcript and Presenter's Notes

1
Information Systems Security: Enabling Future Internet Applications through Cryptography
STP-307 Business and the Internet
Mark Bayer - KSG
Jamil Ghani - FAS
Raghav Chandra - KSG
Nanthikesan - KSG
Jaime Chambron - FAS
Angelina Ornelas - KSG
Alex C. Snoeren - MIT
2
Components of Security
  • Physical Security
  • Are computers locked up at night?
  • Are the network cables exposed?
  • Digital Security
  • Is the electronic information protected?
  • Privacy Policies
  • What happens once the information is viewed?

3
A Definition of Digital Security
  • Confidentiality
  • Availability
  • Authenticity
  • Integrity
  • Certifiability

4
Why Should You Care?
  • Personal Privacy
  • Your information is out there
  • Credit and financial information
  • Educational records
  • Medical records
  • Law Enforcement is Handcuffed
  • Terrorists, drug traffickers, and pedophiles
  • This is a trade issue!

5
Cryptography's Role
  • Currently, an almost unique tool
  • Complicated Math Tricks
  • Encryption provides confidentiality
  • Signatures provide authenticity, integrity
  • Certificates provide certifiability
  • What about availability?

6
Measuring Security
  • Cryptographic Strength
  • Key lengths
  • Beyond Bits
  • Different algorithms
  • Provably secure crypto systems
  • Implementation issues

7
How Much Security is Enough?
  • Lack of incident information
  • Difficulty in predicting future technologies
  • Current levels seem unbreakable
  • Brute-force attacks may take forever
  • Consumers are uninformed about proper levels
  • Strength is irrelevant if used improperly

8
Why Governments Care: Legislative Landscape
  • Global scale: U.S. Congress, OECD, EU
  • Export controls
  • Key Management Infrastructure (KMI)
  • Key Recovery - Clipper Titanic of the 90s?

9
Current Regulations (U.S.)
  • Freedom to choose at home
  • Export Administration Regulations (EAR)

10
Pending Legislation (U.S.)
  • SAFE Act - 5 versions in the House
  • Secure Public Networks Act - in the Senate
  • The President's Plan

11
Presentation Road Map
  • Digital security in the public sector
  • Virtual university
  • Digital security in the private sector
  • Banks
  • eShop Plaza
  • Government's role
  • Recommendations

12
The Public Sector
13
Digital Security and Virtual Learning
  • Why virtual university?
  • Layout of approach
  • Analysis of the Universitat Oberta de Catalunya
  • Current and Potential digital security issues in
    general Virtual Learning
  • Next steps: issues and approaches

14
UOC ARCHITECTURE
Interactive Book
Conferences
Campus Agenda
Campus Worksheet
Bulletin Board
Interactive Spreadsheet
Library
Cafe
Discussion Group
16
Digital Security: UOC Applications and Issues
  • Administration
  • Synchronous Knowledge Delivery
  • Student Evaluation
  • Maintaining Secure Data Banks
  • Access to Resources
  • Visitor Access
  • Multiple-user Access
  • Library Access
  • Code of Ethics

17
Digital Security: Current and Potential Issues
  • Current Virtual Distance Learning Projects
  • Public Sector
  • Private Sector

18
Digital Security: Potential Issues
  • Disaggregation of University Functions
  • Universal Student ID

19
Digital Security: Potential Issues
  • Standards of DS
  • Strength of Encryption
  • Authenticity, Certification
  • Standards for Accreditation of DS International
    coordination Enforceability
  • Keys: Who owns them?
  • Government?
  • Universities?
  • Virtual Registrar?

20
Digital Security: Next Step - Approaches
  • LEGAL AGENDA
  • Legalization of Digital Signatures
  • Standardization of Certification
  • BUSINESS - GOVERNMENT PARTNERSHIP
  • Promotion of Research and Development
  • Encryption Regulations
  • Dynamic Legal Framework

21
The Private Sector
22
Growth of Electronic Commerce
  • 327 Billion by 2002, according to Forrester
    Research

23
Field of Dreams: Build It and They Will Come
  • 77 have not shopped on the Internet
  • 86 cite fear of credit card information stolen
    and misused as a result of Internet shopping
  • 56 want government to pass laws protecting
    personal information collected on the Internet

24
eShop Cybermall: A Unique Business Model
25
Big Brother Is Watching
  • A Study on Privacy over the Internet by The
    Federal Trade Commission Due June 1998

26
Taming the Wild Wild Web
Legal Issue Facing the Net
27
Big Business
  • Dell Computers sells 1M daily in Internet sales
  • GE, HP - Using Net for transactions - save 500M
    yearly
  • HP Versecure
  • Marketing, order, processing, fulfillment,
    payment, logistics performed on Internet
  • EDI

28
Internet Banking
  • Facilities offered
  • Several banks have launched Internet
    banking-operations, e.g. ICICI-Infinity
  • Advantages
  • Experimental/Limited in scope

29
Lacunae
  • Liability
  • Legal framework
  • Forgery/Impersonation
  • Taxability
  • Convenience
  • Pervasiveness
  • Confidentiality

30
Next Steps
  • Availability of effective, trustworthy
    cryptography
  • Flexible crypto architecture - keep pace with
    technology
  • Suitable domestic legislation, tax policy
    framework
  • Supportive technology institutions, legal
    framework
  • Educating the consumer
  • Encouraging banks

31
Government's Role
32
Government and Encryption
  • Government policy is the hardware upon which
    future Internet applications will run
  • Respond to market forces
  • Facilitate progress
  • Solve information asymmetries through consumer
    education
  • Negotiate international agreements
  • Encryption is currently an almost unique tool for
    digital security

33
Topics of Discussion
  • Need for domestic encryption policy
  • Potential models
  • Why dumbing down does not work
  • Why smartening up does work
  • Next steps

34
Need for Domestic Encryption Policy
  • Crime
  • Terrible Triumvirate - terrorists, drug
    traffickers, pedophiles
  • Realities of crime fighting
  • Seamless world
  • Work-arounds to the rules
  • Applications are waiting

35
Potential Models
  • Wild Wild Web - Safe Act
  • Dumbing Down - EAR
  • Technical Advisory Committee on Encryption
    Federal Information Processing Standard
    (TACEFIPS)
  • National Electronic Technologies (NET) Center -
    amendment to Safe Act

36
Why Dumbing Down Does Not Work
  • Key recovery
  • Limits on key length
  • Review committee

37
Why Smartening Up Works
  • Permits the realization of the full potential of
    Internet applications
  • Maintains the government's lead in encryption
  • Responds to fundamental market motivations

38
Next Steps
  • Adopt NET Center
  • Standardize usage through collaborative efforts
  • Baby steps

39
Recommendations
  • Smarten up, don't dumb down.
  • NET Center
  • Alert the players in advance
  • KMI exception
  • EU Privacy Directive
  • Keep talking (dialogue, not monologue)
  • FIPS
  • OECD

40
Recommendations (continued)
  • Consumer awareness
  • labeling
  • seatbelts and airbags
  • liability rules

41
Beyond Cryptography
  • Cryptography is merely today's technology
  • Detecting and legislating crypto is hard
  • Difficult to identify plain-text
  • Authentication Confidentiality?
  • Other technologies are currently available
  • Steganography can provide confidentiality
  • Biometrics can provide authentication