NBA 600: Session 20 Privacy and Security 3 April 2003 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
NBA 600 Session 20: Privacy and Security, 3 April 2003
  • Daniel Huttenlocher

2
Today's Class
  • Privacy and security in a networked world
  • Terminology and definitions
  • Importance for customers and for risk management
  • Some technology for information security
  • Encryption, public key cryptosystems
  • Digital signatures
  • Digital certificates
  • How E-Commerce security works on the Web
  • SSL

3
Information Security
  • Widespread transmission and storage of
    information increases problems of
  • Privacy
  • Freedom from unwanted intrusion, observation or
    disclosure
  • Confidentiality
  • Discretion in keeping information private
  • Security: means of protecting privacy and
    confidentiality
  • Policies, set by management
  • Procedures, to be followed by employees
  • Safeguards, physical or electronic

4
Privacy and Confidentiality
  • Rights and expectations
  • Disclosure of certain information is protected by
    law or contract
  • Personal: e.g., medical records, educational
    records
  • Institutional: e.g., government secrets,
    corporate secrets
  • People in many societies expect information about
    them should
  • not be collected or used without their knowledge
    or approval
  • not be used to harm them or their reputation
  • be accurate, verifiable and correctable

5
How Concerned Are You?
  • Privacy and confidentiality of your
  • Shopping transactions
  • Behavior/likes
  • Spending
  • Credit/payment information
  • Medical records
  • Educational records
  • Employment or military service records
  • Asset and tax information
  • How publicly available
  • Someone you didn't authorize (who pays $300)
  • On the Internet for all to see

6
Impact on Behavior
  • Fear of stolen credit card information still a
    major reason for not shopping online
  • One of most cited in surveys of shoppers
  • Widespread suspicion of cookies in Web browsers
  • Although often not understood
  • Europeans much more sensitive than Americans to
    privacy of transaction history
  • E.g., shoppers clubs, credit card profiling
  • Their laws reflect this
  • E.g., changes to Microsoft Passport

7
Scope of Security Problems
  • Generally believed to be under-reported
  • Breaches and financial impact both increasing
  • Highlights of annual CSI/FBI 2002 survey
  • Polled 503 US security experts/officers
  • 90% detected breaches in past 12 mos.
  • 80% acknowledge financial loss as result
  • 44% were willing to quantify loss
  • Totaling $456 million
  • 74% cited Internet as frequent point of attack
    (and 33% internal systems)
  • 34% reported intrusions to law enforcement

8
Information Security Terms
  • Availability
  • What information is collected
  • How long it is kept
  • Authentication
  • Validation of who is accessing or creating info
  • Verify not identify (easier problem to solve)
  • Authorization
  • Controlling access, creation or modification
  • Accountability
  • Tracking access, creation or modification
  • Non-deniability

9
Information Security Controls
  • Management
  • Information security risk assessment
  • E.g., think of in terms of insurance coverage
  • Establishment of policies
  • Operational
  • Adherence to policies by those with (potential)
    access to information
  • Technical
  • Computer or physical security systems
  • E.g., locks, passwords, encryption

10
Kinds of Security Policies
  • What information is gathered
  • How long to store information
  • Anonymity of stored information
  • Who has access (authorization)
  • How access is authenticated
  • Where can access from
  • How or when information can be copied
  • Integrity or validity of information
  • Tracking creation, access and modification
  • Training and awareness
  • Choice of technologies

11
Technical Controls
  • Authentication (none foolproof)
  • Token based
  • What you have, e.g., key, SecurID card
  • Can be copied or stolen
  • Knowledge based
  • What you know, e.g., password
  • Can be gleaned
  • Identity based
  • Who you are, e.g., signature, fingerprint
  • Can be wrong (statistical methods, experts)
  • Multi-factor
  • Combination of two or more types

12
Technical Controls
  • Authorization
  • Generally based on preventing access to the
    content without authentication and permission
  • Protecting content usually involves encryption
  • Convert content to a form where it cannot easily
    be decoded
  • Cryptography
  • Techniques for encryption and decryption
  • Traditionally used primarily by governments
  • For communication over insecure channels
  • Now a cornerstone of electronic commerce

13
Corporate Network Security
  • Most companies rely primarily on perimeter
    protection
  • Password authentication for internal security
  • Firewalls to isolate corporate network from
    public Internet
  • Stronger authentication such as SecurID for
    external access (token based)
  • Rapidly becoming more porous as access to
    networked resources more central
  • Employees need access from home or road
  • VPN (virtual private network)
  • Web-based access

14
Electronic Commerce Security
  • Transaction security
  • Ensuring transaction cannot be monitored by third
    party
  • Knowing who you are transacting with
  • Ensuring transaction cannot be modified by third
    party
  • Information security
  • Protecting privacy of information during and
    after transaction
  • Credit card or payment data
  • Purchase history
  • Browsing history

15
Transaction Security
  • Cryptography can be used to ensure transaction
  • Not monitored
  • Not tampered with
  • Involves those who claim to be involved
  • Not foolproof
  • As with all security systems, can be broken, but
    make it difficult
  • Should be at least as secure as good offline
    transaction
  • Physical rather than electronic security

16
Traditional Cryptography
  • Cryptographic algorithm or cipher
  • Mathematical function that converts plaintext to
    ciphertext and vice versa
  • Ciphertext cannot be read by outside observers
  • Encryption: key + plaintext -> ciphertext
  • Decryption: key + ciphertext -> plaintext
  • Sender encrypts, receiver decrypts
  • Shared key(s) known to sender and receiver
  • Sometimes called symmetric encryption
  • Used to protect information sent over un-trusted
    channels
  • E.g., Enigma used by Germans in WWII

17
Not Useful for E-Commerce
  • In principle could be used to ensure security of
    data sent over the Internet
  • Not monitored
  • Not tampered with
  • Sender and recipient authorized
  • However requires secret key(s) known to both
    parties
  • Not practical to exchange keys safely
  • Via physical mail, telephone?
  • How installed on computer?
  • Using multiple or shared computers?

18
Public Key Cryptography
  • Invented by Diffie and Hellman, early 70s
  • Encryption key is public
  • Known to anyone, but specific to recipient
  • Decryption key is private
  • Known only to recipient
  • Encryption and decryption keys come in pairs
  • Only private key can decrypt messages that were
    encrypted with corresponding public key
  • Knowing public key does not make it easy to
    determine private key
  • RSA, the most widely used scheme, depends on
    difficulty of factoring large numbers

19
Illustration of Public Key
  • An integer and its factor can be used as pair of
    public and private keys
  • Say my public key is 224286607
  • My private key is a factor of this
  • Public key divided by private key is an integer
  • Still hard to determine my private key as long as
    I keep it secret
  • This public key is actually small
  • Only 28 bits (smaller than 2^28)
  • 9 decimal digits
  • Keys used in Web transactions are 128 bits
  • 39 decimal digits

11243
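A worked version of the illustration above, added here and not part of the original slides: trial division recovers the factor 11243 of the slide's public key 224286607 in a few thousand steps, which is why the slide calls this key small. The function names are this example's own.

```python
import math

PUBLIC_KEY = 224286607  # the public key quoted on the slide


def smallest_factor(n):
    """Trial division: return (smallest factor > 1, divisions tried)."""
    if n % 2 == 0:
        return 2, 1
    tried = 1  # the division by 2 above
    for d in range(3, math.isqrt(n) + 1, 2):
        tried += 1
        if n % d == 0:
            return d, tried
    return n, tried  # no divisor found: n is prime


def key_size(n):
    """Return (bits, decimal digits), the two size measures the slide uses."""
    return n.bit_length(), len(str(n))


def worst_case_divisions(bits):
    """Upper bound on odd trial divisors for a product of the given bit length.

    Trial division is the naive method; faster factoring algorithms exist,
    so this bounds the attacker's effort from above rather than estimating it.
    """
    return math.isqrt(2 ** bits) // 2


if __name__ == "__main__":
    factor, tried = smallest_factor(PUBLIC_KEY)
    print(f"{PUBLIC_KEY} = {factor} x {PUBLIC_KEY // factor} "
          f"after {tried} divisions")
    print("size (bits, digits):", key_size(PUBLIC_KEY))
    for bits in (28, 128):
        print(f"{bits}-bit worst case: {worst_case_divisions(bits):.2e} divisions")
```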
20
Public Key Encryption on Web
  • Secure Web sites
  • Data encrypted using SSL (Secure Socket Layer)
  • Same data transfer but encrypted
  • URLs start with https:// rather than http://
  • Shows up with padlock in browser status bar
  • Hybrid scheme where public key encryption used to
    exchange shared keys
  • Traditional (symmetric) encryption considerably
    faster than public key
  • Use public key as way of safely sending keys for
    symmetric encryption

21
Still a Problem Though
  • Use of public key means recipient could be anyone:
    no way to validate, just get key
  • Unlike traditional cryptography where shared
    secret identifies parties as trusted
  • Some public key schemes, such as RSA, can be used
    to solve this
  • Generate what is called a digital signature
  • These are beginning to be recognized in laws and
    contracts as binding
  • Use digital signature to create authenticated
    certificate with recipient's public key
  • Signed by a recognized certificate authority

22
Digital Signatures
  • Sender uses their private key to encrypt the
    message
  • Usually encrypt something short computed from the
    message because it's cheaper
  • Called a hash
  • Sends to recipient
  • Recipient uses sender's public key to decrypt in
    order to validate from sender
  • Get this key from someplace trusted
  • If they get the correct message or hash then
    must have been sent with sender's private key

23
Digital Certificates
  • Set of trusted authorities
  • Known to client software such as IE
  • Stores public key of each authority
  • An authority issues a certificate to the operator
    of a Web site
  • Digitally signed (with authority's private key)
  • Contains public key of Web site operator
  • For a fee, e.g., currently VeriSign charges
    $900/yr for 128-bit certificate
  • When Web browser connects to a secure site it
    receives the certificate
  • Uses authority's public key to validate
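The Digital Signatures and Digital Certificates slides as one runnable sketch, added here and not part of the original slides: a message hash is signed with a private key, and an authority's signature binds a site name to the site's public key so the browser can check it against its stored authority keys. It uses textbook RSA with toy key sizes; the CA name, site name and certificate layout are hypothetical.

```python
import hashlib

E = 65537  # widely used RSA public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # computing d requires the factors
    return (n, E), (n, d)

def digest(data, n):
    """The 'something short computed from the message', reduced below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)  # private-key operation on the hash

def verify(data, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(subject, public):
    return f"subject={subject};n={public[0]};e={public[1]}".encode()

def issue_cert(subject, public, issuer, ca_private):
    """The authority signs the binding of a site name to a public key."""
    return {"subject": subject, "public": public, "issuer": issuer,
            "signature": sign(cert_body(subject, public), ca_private)}

def validate_cert(cert, trust_store):
    """Browser side: accept only certificates signed by a known authority."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None:
        return False  # issuer is not in the browser's list
    body = cert_body(cert["subject"], cert["public"])
    return verify(body, cert["signature"], ca_public)

# Constructed sample keys and names (toy sizes, hypothetical CA and site).
CA_PUB, CA_PRIV = make_key(2**31 - 1, 2**61 - 1)
SITE_PUB, SITE_PRIV = make_key(11243, 19949)  # factors of 224286607
TRUST_STORE = {"Example CA": CA_PUB}
CERT = issue_cert("shop.example", SITE_PUB, "Example CA", CA_PRIV)
```

A certificate whose public key has been swapped, or whose issuer is not in `TRUST_STORE`, fails `validate_cert`, which is the check that closes the "recipient could be anyone" gap.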

24
SSL Encryption Setup
  • Before padlock appears on browser
  • Client contacts server, gets certificate,
    validates it (1-3)
  • Client sends encrypted secret data, server
    decrypts, both create shared keys (4-6)
  • Encrypted data transfer begins (7)
  • Generally takes under a second

Source: CacheFlow
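Steps 4-7 above, together with the hybrid scheme from the Public Key Encryption on Web slide, as a runnable sketch added here (not part of the original slides and not the SSL protocol itself): the public key protects only a short random secret, and a fast symmetric cipher protects the data. It assumes textbook RSA with a toy key and a SHA-256 keystream standing in for a real symmetric cipher; all names are this example's own.

```python
import hashlib
import secrets

E = 65537  # widely used RSA public exponent

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def wrap_secret(server_public):
    """Step 4: client picks a random secret and encrypts it to the server."""
    n, e = server_public
    secret = secrets.randbelow(n - 2) + 2
    return secret, pow(secret, e, n)

def unwrap_secret(wrapped, server_private):
    """Step 5: only the holder of the private key recovers the secret."""
    n, d = server_private
    return pow(wrapped, d, n)

def session_key(secret):
    """Step 6: both sides derive the same symmetric key from the secret."""
    return hashlib.sha256(b"session-key" + secret.to_bytes(16, "big")).digest()

def symmetric_xor(key, data):
    """Step 7 stand-in cipher: XOR with a SHA-256 counter keystream (toy)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)

def run_session(message, server_public, server_private):
    """Return what crosses the wire and what the server ends up reading."""
    secret, wrapped = wrap_secret(server_public)      # client side
    ciphertext = symmetric_xor(session_key(secret), message)
    server_key = session_key(unwrap_secret(wrapped, server_private))
    return {"wire": (wrapped, ciphertext),            # all an observer sees
            "received": symmetric_xor(server_key, ciphertext)}

# Constructed toy server key (real keys are far larger).
SERVER_PUB, SERVER_PRIV = make_key(2**31 - 1, 2**61 - 1)
```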
25
Some Main Players in Security
  • VeriSign (VRSN)
  • Digital trust services
  • $1.2B/yr revenue, up 24% y-o-y (acquisition)
  • $2.3B market cap
  • CheckPoint Software (CHKP)
  • Firewalls
  • $427M/yr revenue, down 19% y-o-y
  • $3.9B market cap
  • RSA Security (RSAS)
  • E-Security solutions (e.g., SecurID)
  • $230M/yr revenue, down 18% y-o-y
  • $420M market cap