deliverables check list documentation: updated functional spec design doc user manuals test plan ...
TRANSCRIPT
![Page 1: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/1.jpg)
FINAL PRIVACY AND
SECURITY
![Page 2: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/2.jpg)
DeliverablesPresentations
![Page 3: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/3.jpg)
Deliverables check list Documentation: updated
Functional specDesign docUser manualsTest plan
CodeCommented source and how I get to itRunning code and instructions (where, what I need
installed, any ids needed) Contact information Team Evaluations – INC without
![Page 4: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/4.jpg)
Logistics
SN011 at 8 am Saturday, Dec 6 Will invite all clients (unlikely). Schedule will be posted and emailed to
clients and you. 13 minute presentations
1 minute warning, then cut Breakfast will be served Attendance is mandatory. Beyond 0 for
presentation, 1 full grade
![Page 5: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/5.jpg)
What is Expected
Overview of your projectReview what you did and whyBriefly explain how you did it
○ Architecture○ Technologies
Lessons learnedDevelopmentProcessTechnologies
Demo
![Page 6: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/6.jpg)
Presentation Basics
Speak loudly and clearly Speak, don’t read: you ARE the experts Look at the class, NOT the computer Everyone MUST speak
Approximately even
![Page 7: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/7.jpg)
Demo Basics
Set up and test demos on FridayLast minute “fixes” are often disasters
Script your demos And avoid a lot of typing
Will have document camera and Mac dongleIf you need more, send me an email
![Page 8: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/8.jpg)
Presentations Hints
Cover all topics, but they don’t need equal time!
Focus on what’s special and interesting about your project
Don’t try to cover too much Keep it light Give the audience something to look at
![Page 9: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/9.jpg)
Remember
You’re speaking for 13 minutes
Everyone is listening for 169 minutes
![Page 10: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/10.jpg)
PRIVACY AND SECURITY
![Page 11: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/11.jpg)
Security and Privacy
Security: the protection of data, networks and computing power
Privacy: complying with a person's desires when it comes to handling his or her personal information
![Page 12: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/12.jpg)
PRIVACY
When you walk into the store, the big-screen displays "Hello Tom," your shopping habits, and other information
from Minority Report
![Page 13: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/13.jpg)
Some Views on Privacy “All this secrecy is making life harder, more
expensive, dangerous …”Peter Cochran, former head of BT (British Telecom)
Research
“You have zero privacy anyway.”Scott McNealy, CEO Sun Microsystems
“By 2010, privacy will become a meaningless concept in western society”
Gartner report, 2000
![Page 14: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/14.jpg)
Legal Realities of Privacy Self-regulation approach in US, Japan Comprehensive laws in Europe,
Canada, Australia European Union
Limits data collectionRequires comprehensive disclosuresProhibits data export to unsafe countries
○ Or any country for some types of data
![Page 15: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/15.jpg)
Aspects of Privacy
Anonymity Security Transparency and Control: knowing
what is being collected
![Page 16: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/16.jpg)
Privacy and Trust Right of individuals to determine if, when,
how, and to what extent data about themselves will be collected, stored, transmitted, used, and shared with others
Includesright to browse the Internet or use applications
without being tracked unless permission is granted in advanced
right to be left alone True privacy implies invisibility Without invisibility, we require trust
![Page 17: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/17.jpg)
Technologies privacy aware technologies (reactive)
non-privacy-related solutions that enable users to protect their privacy
Examples○ password and file-access security programs○ unsubscribe○ encryption○ access control
privacy enhancing technologies (proactive) solutions that help consumers and companies protect
their privacy, identity, data and actions Examples
○ popup blockers○ anonymizers○ Internet history clearing tools○ anti-spyware software
![Page 18: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/18.jpg)
Impediments to Privacy Surveillance Data collection and sharing Cookies
Web site last year was discovered capturing cookies that it retained for 5 years
Sniffing, Snarfing, SnortingAll are forms of capturing packets as they pass
through the networkDiffer by how much information is captured and
what is done with it
![Page 19: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/19.jpg)
P3P (2002)
Platform for Privacy Preference (P3P)World Wide Web Consortium (W3C) project
Voluntary standard Structures a web site’s policies in a
machine readable formatAllows browsers to understand the policy
and behave according to a user’s defined preferences
![Page 20: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/20.jpg)
Do Not Track Opt out technology
HTTP header2012 pledge not honored
Mozilla issue
![Page 21: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/21.jpg)
Privacy and Wireless “Wardriver” program: scans for broadcast
SSIDsbroadcasting improves network access, but at a cost
once the program finds the SSIDobtains the IP addressobtains the MAC address…
Lowe’s was penetrated this wayStole credit card numbers
![Page 22: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/22.jpg)
Deep Web
Anything that can’t be indexed (estimate 97%!)
Accessible through secure browsers: TorAnonymityDifficulty in tracingOnion addresses
![Page 23: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/23.jpg)
Security
![Page 24: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/24.jpg)
Consider 1994: Vladimir Levin breaks into Citibank's
network and transfers $10 million dollars into his accounts
Mid 90’s: Phonemasters stole tens of thousands of phone card numbersfound private White House telephone lines
1996: Tim Lloyd, disgruntled employee inserts time bomb that destroys all copies of Omega Engineering machining code. Estimated lost: $10 million.
![Page 25: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/25.jpg)
Security “Gospel” The Morris Internet worm of 1988 cost $98
million to clean up The Melissa virus crashed email networks
at 300 of the Fortune 500 companies The Chernobyl virus destroyed up to a
million PCs throughout Asia The ExploreZip virus alone cost $7.6 billion
to clean up
![Page 26: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/26.jpg)
Security Reality The Morris Internet worm of 1988 cost $98
under $1 million to clean up The Melissa virus crashed scared executives
into disconnecting email networks at 300 of the Fortune 500 companies
The Chernobyl virus destroyed caused replacement of up to a million PCs throughout Asia
The ExploreZip virus alone could have cost $7.6 billion to clean up
![Page 27: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/27.jpg)
Information Systems Security Deals with
Security of (end) systems○ Operating system, files, databases,
accounting information, logs, ...Security of information in transit over
a network○ e-commerce transactions, online
banking, confidential e-mails, file transfers,...
![Page 28: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/28.jpg)
Basic Components of Security Confidentiality
Keeping data and resources secret or hidden Integrity
Ensuring authorized modifications Refers to both data and origin integrity
Availability Ensuring authorized access to data and resources when
desired Accountability
Ensuring that an entity’s action is traceable uniquely to that entity
Security assurance Assurance that all four objectives are met
![Page 29: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/29.jpg)
Info Security 20 Years Ago Physical security
Information was primarily on paperLock and keySafe transmission
Administrative securityControl access to materialsPersonnel screeningAuditing
![Page 30: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/30.jpg)
Information Security Today Increasing system complexity
Digital information security importance Competitive advantage Protection of assets Liability and responsibility
Financial losses FBI estimates that an insider attack results in an average loss of $2.8
million Estimates of annual losses: $5 billion - $45 billion (Why such a big
range?) Protection of critical infrastructures
Power grid Air transportation
Government agencies GAO report (03): “severe concerns” security mgmt & access control Grade F for most of the agencies Limkages accerbate
![Page 31: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/31.jpg)
Attack Vs Threat
A threat is a “potential” violation of securityViolation need not actually occurFact that the violation might occur makes it
a threat The actual violation (or attempted
violation) of security is called an attack
![Page 32: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/32.jpg)
Common security attacks Interruption, delay, denial of receipt or denial of service
System assets or information become unavailable or are rendered unavailable
Interception or snooping Unauthorized party gains access to information by browsing through
files or reading communications Modification or alteration
Unauthorized party changes information in transit or information stored for subsequent access
Fabrication, masquerade, or spoofing Spurious information is inserted into the system or network by making
it appear as if it is from a legitimate source Repudiation of origin
False denial that the source created something
![Page 33: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/33.jpg)
Denial of Service Attacks
explicit attempt to prevent legitimate users from using service
two types of attacks denial of service (DOS) distributed denial of service (DDOS)
asymmetric attack attacker with limited resource (old PC and slow
modem) may be able to disable much faster and more sophisticated machines or networks
methods Bots or Zombie machines Trojans or Smurf attack: distributed attack that sends
specified number of data packets to a victim
![Page 34: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/34.jpg)
Phishing (Spoofing)
use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal
financial data credit card numbersaccount usernames and passwordssocial security numbers
hijacking of trusted brands banksonline retailers credit card companies
able to convince up to 5% of recipients to respond http://www.antiphishing.org/
![Page 35: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/35.jpg)
Goals of Security Prevention
Prevent someone from violating a security policy Detection
Detect activities in violation of a security policyVerify the efficacy of the prevention mechanism
RecoveryStop attacksAssess and repair damageEnsure availability in presence of ongoing attackFix vulnerabilities to prevent future attacksDeal with the attacker
![Page 36: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/36.jpg)
Human Issues
Outsiders and insidersWhich is the real threat?
Social engineeringHow much should a company disclose
about security?Claim more or less security than exists
![Page 37: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/37.jpg)
Honeypots
Setting up a server to attract hackersUsed by corporations as early warning
systemUsed to attract spam to improve filtersUsed to attract viruses to improve
detection http://www.honeypots.net/
![Page 38: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/38.jpg)
ENCRYPTION
![Page 39: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/39.jpg)
Security Level of Encrypted Data
Unconditionally SecureUnlimited resources + unlimited timeStill the plaintext CANNOT be recovered
from the ciphertext Computationally Secure
Cost of breaking a ciphertext exceeds the value of the hidden information
The time taken to break the ciphertext exceeds the useful lifetime of the information
![Page 40: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/40.jpg)
Types of Attacks
Ciphertext only adversary has only ciphertext goal is to find plaintext, possibly key
Known plaintext adversary has plaintext and ciphertext goal is to find key
Chosen plaintext adversary can get a specific plaintext
enciphered goal is to find key
![Page 41: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/41.jpg)
Attack Mechanisms
Brute force Statistical analysis
Knowledge of natural languageExamples:
○ All English words have vowels○ There are only 2 1-letter words in English○ High probability that u follows q○ …
![Page 42: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/42.jpg)
PRIVATE KEY
![Page 43: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/43.jpg)
Caesar Cipher Substitute the letter 3 ahead for each
one Example:
Et tu, BruteHw wx, Euxwh
Quite sufficient for its timeHigh illiteracyNew idea
![Page 44: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/44.jpg)
Enigma Machine(Germany, World War II)
Simple Caesar cipher through each rotor
But rotors shifted at different ratesRoller 1 rotated one
position after every encryption
Roller 2 rotated every 26 times…
![Page 45: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/45.jpg)
Private Key Cryptography Sender, receiver share common key
Keys may be the same, or trivial to derive from one another
Sometimes called symmetric cryptography or classical cryptography
Two basic typesTransposition ciphers (rearrange bits)Substitution ciphers
Product ciphersCombinations of the two basic types
![Page 46: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/46.jpg)
DES (Data Encryption Standard) A block cipher:
encrypts blocks of 64 bits using a 64 bit keyoutputs 64 bits of ciphertextA product cipher
○ performs both transposition (permutation) and substitution on the bits
Considered weakSusceptible to brute force attack
![Page 47: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/47.jpg)
Cracking DES 1998: Electronic Frontier Foundation
cracked DES in 56 hrs using a supercomputer
1999: Distributed.net cracked DES in 22 hrs
With specialized hardware, DES can be cracked in less than an hour.
![Page 48: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/48.jpg)
History of DES IBM develops Lucifer for banking systems (1970’s )
NIST and NSA evaluate and modify Lucifer (1974) Modified Lucifer adopted as federal standard (1976)
Name changed to Data Encryption Standard (DES) Defined in FIPS (46-3) and ANSI standard X9.32
NIST defines Triple DES (3DES) (1999) Single DES use deprecated - only legacy systems.
NIST approves Advanced Encryption Std. (AES) (2001) AES (128-bit block) Attack published in 2009
Current state of the art is AES-256
![Page 49: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/49.jpg)
PUBLIC KEY
![Page 50: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/50.jpg)
Public Key Cryptography
Two keysPrivate key known only to individualPublic key available to anyone
○ Public key, private key inverses
Confidentialityencipher using public keydecipher using private key
Integrity/authenticationencipher using private key decipher using public one
![Page 51: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/51.jpg)
Public Key Requirements
1. Computationally easy to encipher or decipher a message given the appropriate key
2. Computationally infeasible to derive the private key from the public key
3. Computationally infeasible to determine the private key using a chosen plaintext attack
![Page 52: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/52.jpg)
RSA Public key algorithm described in 1977 by
Rivest, Shamir, and Adelman Exponentiation cipher Relies on the difficulty of factoring a large
integer RSA Labs now owned by EMC
![Page 53: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/53.jpg)
RSA Usage for Encryption Public key: (n,e); private key: (n,d)
Public key to encipherPrivate key to decipher
EncryptionEncipher: c = me mod nDecipher: m = cd mod n
![Page 54: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/54.jpg)
RSA Basics for choosing keys Choose two large primes p and q n = pq Choose e
Less than nRelatively prime to (p-1)(q-1)
Choose d(ed-1) divisible by (p-1)(q-1)
Public key: (n,e); private key: (n,d)
A Guide to RSA
![Page 55: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/55.jpg)
Summary Private key (classical) cryptosystems
encipher and decipher using the same key Public key cryptosystems
encipher and decipher using different keyscomputationally infeasible to derive one
from the other Both depend on keeping keys secret
Depend on computational difficultyAs computers get faster, …
![Page 56: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/56.jpg)
Photon Cryptography
Use photons for key distribution Prevents eavesdropping: reading a
photon changes its state
![Page 57: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/57.jpg)
AUTHENTICATION
![Page 58: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/58.jpg)
Authentication
Assurance of the identity of the party that you’re talking to
Primary technologiesDigital SignatureKerberos
![Page 59: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/59.jpg)
Digital Signature Authenticates origin, contents of message in a
manner provable to a disinterested third party (“judge”)
Sender cannot deny having sent message (service is “nonrepudiation”)Limited to technical proofs
○ Inability to deny one’s cryptographic key was used to sign
One could claim the cryptographic key was stolen or compromised○ Legal proofs, etc., probably required
Protocols based on both public and private key technologies
![Page 60: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/60.jpg)
RSA for Digital Signature
Public key: (n,e); private key: (n,d)Public key to signPrivate key to validate
Digital signatureSign: s = md mod n; send (s,m)Validate: m = se mod n
![Page 61: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/61.jpg)
Kerberos Authentication system
Central server plays role of trusted third party Ticket (credential)
Issuer vouches for identity of requester of service
Authenticator Identifies sender
User must1. Authenticate to the system2. Obtain ticket to use server S
Problems Relies on synchronized clocks Vulnerable to attack
![Page 62: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/62.jpg)
“Using encryption on the Internet is the equivalent of arranging
an armored car to deliver credit card information from someone
living in a cardboard box to someone living on a park bench”
– Gene Spafford (Purdue)
NETWORK SECURITY
![Page 63: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/63.jpg)
Firewall Techniques Filtering
Doesn’t allow unauthorized messages through Can be used for both sending and receivingMost common method
ProxyThe firewall actually sends and receives the
informationSets up separate sessions and controls what
passes in the secure part of the network
![Page 64: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/64.jpg)
DMZ: Demilitarized Zone
Arrangement of firewalls to form a buffer or transition environment between networks with different trust levels
Internet Firewall
Firewall
Internal resources
![Page 65: Deliverables check list Documentation: updated Functional spec Design doc User manuals Test plan Code Commented source and how I get to it Running](https://reader030.vdocuments.mx/reader030/viewer/2022032518/56649cc95503460f9499146c/html5/thumbnails/65.jpg)
Three Tier DMZ
Internet Firewall
Firewall
Firewall
Internal resources
WebServer
AppServer