Networks & Telecommunications

Chapter 4 Security, Privacy, and Anonymity
I. Threats to Information (p.125)
• Disasters
• Employees and Consultants
• Business Partners
• Outsiders
• Virus
II. Security Controls
1. Confidentiality (against eavesdropping)
• Eavesdropping: packet sniffing on net, in which
attackers read transmitted information, including
logon information and database contents.
• Brute Force attack (P.135)
• 1975 US National Bureau of Standards (NBS): Data
Encryption Standard (DES) – a 56-bit key is no
longer considered to be very secure.
• 2001 US National Bureau of Standards (NBS):
Advanced Encryption Standard (AES) – a choice of
key length of 128, 192, or 256 bits.
• Single-Key (conventional) and Dual-Key (public-key)
Encryption Algorithms
– Single-key encryption is faster but key-distribution
is difficult.
– Dual-key encryption is slower but key-distribution
is easy.
– One common solution is to use dual-key
encryption for key-distribution and
authentication while single-key encryption is
used to encrypt the message.
2. Access Control (p.133)
(Password, read, write, execute, and delete)
How does an attacker learn your password?
• Try default passwords
• Exhaustively try all short passwords
• Try words in system’s online dictionary or a list of
likely passwords.
• Collect information about user.
• Try user’s phone number.
• Try user’s license plate numbers.
• Use a Trojan horse.
• Tap the line between a remote user and the host
system.
* W. Stallings, 2000, Network Security Essentials, NJ: Prentice Hall.
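The guessing strategies listed above can be turned into a screening check run when a user chooses a password. This is an added example, not part of the original slides; the word lists, the `MIN_LENGTH` value and the `weaknesses` function are constructed for illustration, and the Trojan horse and line-tapping items are outside what such a check can detect.

```python
import re

# Constructed sample lists; a real deployment would load far larger ones.
DEFAULTS = {"admin", "password", "changeme", "guest"}
DICTIONARY = {"dragon", "sunshine", "letmein", "welcome"}
MIN_LENGTH = 12  # assumed policy value, not taken from the slides

def weaknesses(password, user_facts):
    """Return which of the listed guessing strategies would find this password.

    user_facts maps a label ("phone number", "license plate") to the value
    an attacker could collect about the user.
    """
    found = []
    lowered = password.lower()
    if lowered in DEFAULTS:
        found.append("default password")
    if len(password) < MIN_LENGTH:
        found.append("short enough to try exhaustively")
    # Strip trailing digits and symbols so "Dragon123!" still matches "dragon".
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if stem in DICTIONARY or lowered in DICTIONARY:
        found.append("dictionary word")
    # Compare with separators removed so "555-0142" matches "(555) 0142".
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    for label, value in user_facts.items():
        fact = re.sub(r"[^a-z0-9]", "", value.lower())
        if fact and fact in squashed:
            found.append(f"contains user's {label}")
    return found

if __name__ == "__main__":
    facts = {"phone number": "(555) 0142", "license plate": "ABC 1234"}
    for candidate in ("admin", "Dragon123!", "555-0142",
                      "correct horse battery staple"):
        print(candidate, "->", weaknesses(candidate, facts) or "no finding")
```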
3. Integrity, Non-repudiation and Digital Signature
Integrity: prevent user’s data and message from being
modified.
Non-repudiation: prevent either sender or receiver from
denying a transmitted message.
How can dual-key encryption be used to authenticate a
message?
• A digital signature is based on a public-key cryptographic algorithm.
• A one-way hash function takes a message and returns a small
fixed-length string (hash value). The hash value is encrypted with the
sender’s private key, and the result can be verified by the recipient
using the sender’s public key. Therefore, the recipient is certain that
the message is indeed from the sender.
• The hash value is also used to verify that the message was not
altered in transit.
4. Authentication (Identity and Certificate)
If you buy books from Amazon.com, you want to know
whether the Web site you are dealing with is really
Amazon. You want the Amazon Web server to authenticate
itself to you and Amazon may want you to authenticate
yourself to Amazon.
What is the secure socket layer (SSL) protocol?
The SSL security protocol provides data encryption,
server authentication, message integrity, and optional
client authentication for a TCP/IP connection. An
SSL-enabled Web server can be linked with a URL starting
with https (port 443) instead of http (port 80). Netscape
patented SSL in 1997.
* http://home.netscape.com/security/techbriefs/ssl.html
How does an SSL-enabled browser authenticate
the server?
• An SSL-enabled Web server should be certified by a
trusted third party - Certifying Authority (CA p.138).
• An SSL-enabled browser maintains a list of trusted CAs
along with the public keys of the CAs.
• When a client browser wants to communicate with an
SSL-enabled Web server, the browser obtains the
server’s certificate. The certificate is issued by a CA
and digitally signed with this CA’s private key.
• If the CA is in the browser’s list, the signature can be
verified with this CA’s public key. If not, client’s
browser issues a security alert.
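The hash-then-sign step from the digital signature slide and the browser's CA check described above, worked through in one added example (not part of the original slides). It uses textbook RSA without padding and constructed toy keys built from publicly known Mersenne primes; the names `Example CA` and `shop.example` and all functions are hypothetical.

```python
import hashlib

# Constructed toy RSA keys from publicly known Mersenne primes, no padding:
# illustration only, never usable as real key material.
E = 65537

def make_key(p, q):
    """Return (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(message):
    """One-way hash: fixed-length value for any message size."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message, n, d):
    """Sender: transform the hash value with the private key."""
    return pow(digest(message), d, n)

def verify(message, signature, n):
    """Recipient: recover the hash with the public key and compare."""
    return pow(signature, E, n) == digest(message)

def issue_cert(subject, subject_n, issuer, issuer_n, issuer_d):
    """CA: sign the binding between a server name and its public key."""
    body = f"{subject}|{subject_n}|{issuer}".encode()
    return {"body": body, "issuer": issuer, "sig": sign(body, issuer_n, issuer_d)}

def browser_check(cert, trusted_cas):
    """Return 'ok' or the reason for a security alert."""
    ca_n = trusted_cas.get(cert["issuer"])
    if ca_n is None:
        return "alert: issuer not in trusted CA list"
    if not verify(cert["body"], cert["sig"], ca_n):
        return "alert: certificate signature invalid"
    return "ok"

# Hypothetical CA and server (names and keys are constructed).
CA_N, CA_D = make_key(2**127 - 1, 2**521 - 1)
SRV_N, SRV_D = make_key(2**607 - 1, 2**1279 - 1)
TRUSTED = {"Example CA": CA_N}
CERT = issue_cert("shop.example", SRV_N, "Example CA", CA_N, CA_D)

if __name__ == "__main__":
    print(browser_check(CERT, TRUSTED))
    forged = dict(CERT, body=CERT["body"].replace(b"shop", b"evil"))
    print(browser_check(forged, TRUSTED))
    print(browser_check(CERT, {}))
```

A real browser also checks the certificate's subject name against the URL and its validity period; only the signature step the slide describes is modelled here.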
What are the principal differences between SET and
SSL?
The secure electronic transaction (SET) is a protocol
specifically designed to secure payment-card transactions
over the Internet. The principal differences are
• The SET is designed to encrypt specific kinds of payment-related
messages. It cannot be used to encrypt arbitrary data as can SSL.
• The SET protocol involves all three players on the Internet, namely,
the customer, the merchant, and the merchant’s bank. All
sensitive information sent between the three parties is encrypted.
• The SET requires all three players to have certificates. The
customer’s and merchant’s certificates must be issued by their
bank, thereby assuring that these players are permitted to make
and receive payment-card purchases.
What are … ?
• Carnivore (p. 139): special software installed at an ISP
to capture all Internet traffic from a specified person.
• Echelon (p.139): an international system that
intercepts a variety of communications, including
faxes, email messages, international phone calls, and
cellular phones in several nations.
• Escrow Keys (p.140): Every encryption device can be
broken with two special numbers (keys) that are held
in escrow by judicial or governmental agencies.
What are … ?
• Firewall (p.141): a router that examines each data
packet passing through it and blocks certain types to
limit the interaction of the company network with
the Internet.
• Cookie (p.144): a cookie is a small text file that the
server asks the browser to store on the user’s
computer. Whenever the browser requests another
page from that server, it returns the cookie file.