Should The Cyberspace Electronic Security Act CESA Have Been Passed - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Should The Cyberspace Electronic Security Act CESA Have Been Passed

Description:

The Growth of the internet has excited both businesses and consumers with its ... Veiling- the use of veiling leads to transposition as veiled messages are ... – PowerPoint PPT presentation

Number of Views:53
Avg rating:3.0/5.0
Slides: 30
Provided by: jpiet
Category:

less

Transcript and Presenter's Notes

Title: Should The Cyberspace Electronic Security Act CESA Have Been Passed


1
Should The Cyberspace Electronic Security Act
(CESA) Have Been Passed?
  • By
  • John P. Pietrolaj

2
Before we talk about CESA, lets learn about
encryption.
3
What Is Encryption?
  • The Growth of the internet has excited both
    businesses and consumers with its promise of
    changing the way we live. A major concern has to
    be how secure is the internet? We send sensitive
    information through the web and to be honest
    there is a lot of information we do not want
    other people to see.
  • Such as
  • CREDIT CARD INFORMATION/ BANK ACCT INFO
  • SOCIAL SECURITY NUMBERS
  • PRIVATE CORRESPONDANCE
  • PERSONAL DETAILS
  • SENSITIVE COMPANY INFORMATION

4

The Definition of Encryption Encryption is the
conversion of data into a form, technically
called cipher text, that cannot be easily
understood by unauthorized people. Decryption is
the process of converting encrypted data back
into its original form so it can be easily
understood.
5
Classical Cryptographic Methods
  • Masking- the use of masking leads to
    substitution. Often the message is masked in such
    a way that the resulting message that goes out in
    an open communication channel seems harmless and
    inconspicuous
  • Veiling- the use of veiling leads to
    transposition as veiled messages are usually not
    masked at all but simply combined within other
    items regularly in such a way that the resulting
    message takes form of yet another message called
    acrostics

6
  • Translation table- each byte of data is used as
    an offset within a translation table and the
    resulting translated value from within the table
    is then written into the output stream. The
    encryption and decryption programs would each use
    a table that translates to and from the encrypted
    data.

7
Todays Encryption
  • Mathematical
  • Non-linear cryptosystems
  • Can take months or even years to break
  • Used by
  • Industry competitors
  • Groups and individuals
  • Internet shoppers
  • Terrorist groups
  • Criminals

8
Two Main Categories of Encryption
  • Symmetric-key encryption
  • Public key-encryption (asymmetrical key
    encryption)

9
Symmetric-Key Encryption
It is a traditional encryption technique that
relies on both the sender and the receiver of a
message knowing a particular secret key (or
code). Symmetric-Key Encryption requires that you
know which computers will be talking to each
other so the key can be installed on each one.
The sender encrypts the message with a particular
cryptosystem using the secret key and the
receiver decrypts the message with the same key.
It relies on no one else being able to find out
what the private key is.
10
Example
You create a coded message to send to a friend in
which each letter is substituted with the letter
that is two down from it in the alphabet. So A
becomes C and B becomes D. You have already
told a trusted friend that the code or key is
shift by two. Your friend gets the message and
decodes it. Anyone else who sees the message,
will only see nonsense.
11
  • This is fine if the other person is nearby. If
    not, then somehow the key must be sent. What are
    some ways you can send it?
  • Courier
  • Told over the phone
  • Send it separately from the actual message
  • All these methods involve trusting a third party
    not to divulge the secret key. Obviously, the
    receiver of the message has to be trusted because
    they could decrypt any message sent using the
    same key.
  • Lets try it!!!

12
The CODE is shift THREE UP QEFP FP QFJB
ZLKPRJFKD.
13
Answer is This is time consuming. It would be
time consuming unless you had a computer program
doing this for you.
14
Disadvantages
  • For use in anything other than private encryption
    of files, one cant determine the authenticity of
    the originator of the data. This lack of
    protection doesnt allow this method to verify
    electronic orders and financial transactions
  • The private key used now has to be transmitted in
    a very secure channel. Spontaneous transmission
    may not be feasible
  • When used across a network of users, there may
    have to be a large number of keys to facilitate
    one to one communication between each user

15
Think of it as a car key. The owner of a car has
the key. When the owner walks away from the car,
she locks it and keeps the key so it is securely
protected. No one can get into or use the car
without some sort of brute force. Responsibility
of protecting the key rests solely with the owner
of the car. If the owner puts the key in one of
those magnetized key holders underneath the car,
thats a very loose method of security. If the
owner always keeps the key around her neck,
thats a pretty good level of key security. Say
the owners friend needs to borrow the car. So
the owner, passes along an extra set of keys for
the friend to use. Both can now drive the car but
the security has been compromised because someone
else has a key. If the friend makes copies of the
key, (for others to use when the owner is out of
town for instance) the level of security becomes
even more diluted. Eventually, the original lock
key security will be lost entirely. In order to
recover it, the owner will have to have new locks
put on the car and have new keys made.
16

Keys used in encryption have the same problems as
conventional keys. They can be lost, stolen, or
even bought and sold. Some can even be discovered
by crackers through a method called social
engineering.
17
Public-key Encryption (Asymmetrical Encryption)
  • Invented in 1976
  • Public-key encryption uses a combination of a
    private key and a public key. The private key is
    known only to your computer. The owner of the
    private key should never share it with anyone.
    The public key is given by your computer to any
    computer that wants to communicate securely with
    it. To decode an encrypted message a computer
    must use the public key provided by the
    originating computer and its own private key.

18
  • The public and private keys of a particular user
    are related via complex mathematical structure in
    such a way that links one key with the other.
    This relationship is crucial to making
    public/private key based encryption work
  • The public key is used for encrypting the message
    while the private key is necessary for the
    recipient to decrypt the message. Even the person
    who did the encrypting cannot decrypt the message
    because he does not hold the private key

19
Here is an example http//computer.howstuffworks
.com/ encryption.htm/printable
20
  • In the study of cryptography, the length of keys
    are referred to by bits
  • The longer the key the more difficult it is to
    break the encrypted message
  • Most common method of breaking ciphers is by
    brute force attack
  • It is said that any university computer science
    major would have enough computer power available
    to be able to break most 56 bit key cryptosystems
    in less than one week

21
Guidelines for Choosing Appropriate Key Lengths

22
Why was CESA so controversial?
23
CESA Would Have
  • Ensured that law enforcement maintained its
    ability to access decryption information stored
    with third parties, while protecting such
    information from inappropriate release. Law
    enforcement would have been required to inform a
    person whose key was obtained using court
    process, and must destroy the keys after their
    use is complete and when Federal records laws
    permit. Law enforcement may only use decryption
    keys obtained from a key recovery agent for an
    explicitly authorized purpose. A key recovery
    agent may not disclose or use a decryption key,
    nor disclose the identity of a customer, except
    under explicit and limited circumstances.
    Individuals remain completely free to use or not
    to use the services of a recovery agent

24
  • Ensured that sensitive investigative techniques
    and industry trade secrets remained useful in
    current and future investigations by protecting
    them from unnecessary disclosure in litigation or
    criminal trials involving encryption. Orders
    protecting such techniques and trade secrets must
    be consistent with fully protecting defendants
    rights to a fair trial under the Constitutions
    Due Process clause and the Sixth Amendment. The
    protection of techniques requires a judicial
    finding in accordance with specified criteria.
    Firms competitive and liability positions would
    have been protected when lawfully assisting law
    enforcement through the sharing of trade secrets.

25
  • Authorized 80 million dollars over four years for
    the FBIs Technical Support Center, which would
    have served as a centralized technical resource
    for Federal, State, and local law enforcement in
    responding to the increasing use of encryption by
    criminals.
  • Established standards for courts to issue court
    orders for government access to escrowed keys or
    passwords.

26
Opposition Arguments to CESA
27
  • The standard proposed by the administration for
    government access to decryption keys falls far
    short of Fourth Amendment privacy protections.
  • A provision for foreign governments to access
    passwords and keys of US citizens or foreigners
    using US recovery agents raises multiple issues.
  • A provision allowing courts to cast a cloud of
    secrecy over government decryption methods and
    product vulnerabilities raises due process
    concerns, implicating the Sixth Amendment right
    of defendants to cross examine government
    witnesses.
  • By narrowly focusing only on access to keys and
    passwords, the legislation fails to address the
    much larger question of privacy for documents and
    information stored in the emerging networked
    environment.

28
  • That law enforcement officials could
    inadvertently modify or destroy a companys files
    as they recover encrypted information.
  • Innocent people could be punished mistakenly if
    they not able to comply with court orders for
    legitimate reasons such as they lost their key.
  • The emergency clause of the proposed bill leaves
    the door wide open to abuse by officials.

29
THE END
Write a Comment
User Comments (0)
About PowerShow.com