csci-235 micro-computer in science privacy & security
TRANSCRIPT
CSCI-235
Micro-Computer in Science
Privacy & Security
© Prentice-Hall, Inc
Privacy in Cyberspace
  Privacy refers to an individual’s ability to restrict the collection, use, and sale of confidential personal information
  The Internet is eroding privacy through the selling of information collected through Web sites
  Few laws regulate selling personal information
Cookies
  Cookies are small files that are written to an individual’s hard drive whenever a Web site is visited
  Legitimate purposes of cookies include recording information for future use. Example: retail sites using “shopping carts”
  Questionable practices include banner ad companies tracking a user’s browsing actions and placing banner ads on Web sites based on those actions
Cookies
  A small text file stored on your hard drive
  File is sent back to the server each time you visit that site
  Stores preferences, allowing Web site to be customized
  Stores passwords, allowing you to visit multiple pages within the site without logging in to each one
  Tracks surfing habits, targeting you for specific types of advertisements
Example of Cookies
Security
  Hacker – someone who attempts to gain access to computer systems illegally
    Originally referred to as someone with a high degree of computer expertise
Definition of a Hacker
  Hacker, noun (see Raymond, 1991)
    A person who enjoys learning the details of computer systems and how to stretch their capabilities – as opposed to most users of computers, who prefer to learn only the minimum amount necessary
    One who programs enthusiastically or who enjoys programming rather than just theorizing about programming
Definition of a Hacker
  Person who
    is an expert or enthusiast of any kind
    enjoys the intellectual challenge of creatively overcoming or circumventing limitations
  Used as a compliment
First Network Hack (Telephone)
  John Draper (AKA Cap’n Crunch)
  1970’s:
    Free long distance calls using a whistle found in a cereal box
    Whistle emits the same frequency that AT&T long lines used to indicate a line was ready to route a new call (2600 Hz)
First Network Hack (Telephone)
  Flaw:
    AT&T took cost cutting measures
    The signaling and voice used the same circuit
    This flaw made the system vulnerable to anybody that can generate 2600 Hz
  Solution:
    Now signaling takes place on a separate path from the one you talk on
Computer Viruses
  Computer viruses are malicious programs that infect a computer system causing various problems with its use
  Viruses replicate and attach themselves to programs in the system
  There are more than 20,000 different computer viruses with the number growing daily
How Virus Infections Spread
  Virus infections spread by:
    Inserting a disk with an infected program and then starting the program
    Downloading an infected program from the Internet
    Being on a network with an infected computer
    Opening an infected e-mail attachment
Virus Myths
  You cannot get infected by simply being online
    If you download and execute an infected file, you can get infected
  Although most e-mail viruses (e.g., the Melissa virus) are in attachments that must be opened, it is possible to get infected by viewing an e-mail
Types of Viruses
  File Infectors
    Attach themselves to program files
    Spread to other programs on the hard drive
    Are the most common type of virus
  Boot Sector Viruses
    Attach themselves to the boot sector of a hard drive
    Execute each time the computer is started
    May lead to the destruction of all data
More Rogue Programs
  Time Bombs
    Also called logic bombs
    Harmless until a certain event or circumstance activates the program
  Worms
    Resemble a virus
    Spread from one computer to another
    Control infected computers
    Attack other networked computers
  Trojan Horses
    Disguise themselves as useful programs
    Contain hidden instructions
    May erase data or cause other damage
Identity Theft
  Identity theft is one of the fastest growing crimes in the United States and Canada
  Identity theft occurs when enough information about an individual is obtained to open a credit card account in their name and charge items to that account
  Examples of information needed are name, address, social security number, and other personal information
  Laws limit liability to $50 for each fraudulent charge
  An individual’s credit report is affected by identity theft
Using Firewalls
  Firewalls are programs that are designed to prohibit outside sources from accessing the computer system
  A personal firewall is designed to protect home computers from unauthorized access while being connected to the Internet
Using Antivirus Programs
  They use pattern-matching techniques to examine program files for patterns of virus code
  Two drawbacks:
    They cannot find viruses not in their database
    They cannot find new viruses that alter themselves to evade detection
  Use antivirus programs that offer frequent updates and monitor system functions
  Check disks that were used on another system for viruses
Backing Up Data
  Back up programs and data regularly
  Store backups away from the computer system
  Types of backups:
    Full backups – Back up everything stored on the computer once a month
    Incremental backups – Daily or weekly backup of only those files that have changed since the last backup
The Encryption Debate
  Encryption is the coding and scrambling process by which a message is made unreadable except by the intended recipient
  Encryption is needed for electronic commerce
Simplified Data Communications Model
Encryption Basics
  A readable message is called plaintext
  An encryption algorithm is a formula used to make plaintext unreadable
  The coded message is called ciphertext
    I LOVE YOU
    V YBIR LBH
Encryption Basics
  Symmetric key encryption refers to encryption techniques that use the same key to encrypt and decrypt a message
  Strong encryption refers to encryption methods that are used by banks and military agencies and are nearly impossible to break
Symmetric Encryption
  or conventional / private-key / single-key
  sender and recipient share a common key
  all classical encryption algorithms are private-key
  was only type prior to invention of public-key in 1970’s
Basic Terminology
  plaintext - the original message
  ciphertext - the coded message
  cipher - algorithm for transforming plaintext to ciphertext
  key - info used in cipher known only to sender/receiver
  encipher (encrypt) - converting plaintext to ciphertext
  decipher (decrypt) - recovering plaintext from ciphertext
  cryptography - study of encryption principles/methods
  cryptanalysis (codebreaking) - the study of principles/methods of deciphering ciphertext without knowing key
  cryptology - the field of both cryptography and cryptanalysis
Symmetric Cipher Model
Requirements
  two requirements for secure use of symmetric encryption:
    a strong encryption algorithm
    a secret key known only to sender / receiver
      Y = E_K(X)
      X = D_K(Y)
  assume encryption algorithm is known
  implies a secure channel to distribute key
Classical Substitution Ciphers
  where letters of plaintext are replaced by other letters or by numbers or symbols
Caesar Cipher
  earliest known substitution cipher
  by Julius Caesar
  first attested use in military affairs
  replaces each letter by k-th letter on
  Example (what is k?):
    meet me after the toga party
    PHHW PH DIWHU WKH WRJD SDUWB
Caesar Cipher
  can define transformation (with k = 3) as:
    a b c d e f g h i j k l m n o p q r s t u v w x y z
    D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
  mathematically give each letter a number
    a  b  c  d  e  f  g  h  i  j  k  l  m
    0  1  2  3  4  5  6  7  8  9  10 11 12
    n  o  p  q  r  s  t  u  v  w  x  y  z
    13 14 15 16 17 18 19 20 21 22 23 24 25
  then have Caesar cipher as:
    Y = E_K(X) = (X + k) mod 26
    X = D_K(Y) = (Y - k) mod 26
  EXAMPLE: Encrypt “howdy” using key k = 5
Cryptanalysis of Caesar Cipher
  only have 26 possible ciphers
    A maps to A,B,..Z
  could simply try each in turn
  a brute force search
  given ciphertext, just try all shifts of letters
Private-Key Cryptography
  traditional private/secret/single key cryptography uses one key
  shared by both sender and receiver
  if this key is disclosed communications are compromised
  also is symmetric, parties are equal
Public-Key Cryptography
  probably most significant advance in the 3000 year history of cryptography
  uses two keys – a public & a private key
  asymmetric since parties are not equal
  uses clever application of number theoretic concepts to function
  complements rather than replaces private key cryptography
Public-Key Cryptography
  public-key/two-key/asymmetric cryptography involves the use of two keys:
    a public-key, which may be known by anybody, and can be used to encrypt messages, and verify signatures
    a private-key, known only to the recipient, used to decrypt messages, and sign (create) signatures
  is asymmetric because
    those who encrypt messages or verify signatures cannot decrypt messages or create signatures
Public-Key Cryptography
Public-Key Characteristics
  Public-Key algorithms rely on two keys with the characteristics that it is:
    computationally infeasible to find decryption key knowing only algorithm & encryption key
    computationally easy to en/decrypt messages when the relevant (en/decrypt) key is known
Digital Signatures and Certificates
  Digital signatures are a technique used to guarantee that a message has not been tampered with
  Digital certificates are a technique used to validate one’s identity
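The public-key and digital-signature slides above, as an added Python example that is not part of the original deck. The slides name no algorithm; textbook RSA with constructed toy primes is assumed here to show that the public key encrypts and verifies, only the private key decrypts and signs, and a changed message or signature fails verification.

```python
import hashlib

# Constructed toy parameters: far too small to be secure, chosen so the
# arithmetic can be followed by hand.
P, Q = 61, 53
N = P * Q                      # public modulus, 3233
PHI = (P - 1) * (Q - 1)        # 3120
E = 17                         # public exponent, coprime to PHI
D = pow(E, -1, PHI)            # private exponent (Python 3.8+): 2753

PUBLIC_KEY = (E, N)            # may be known by anybody
PRIVATE_KEY = (D, N)           # known only to the key owner


def rsa_encrypt(m, public_key):
    """Anyone holding the public key can encrypt an integer 0 <= m < n."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(c, private_key):
    """Only the private-key holder can recover m from c."""
    d, n = private_key
    return pow(c, d, n)


def digest(message, n):
    """SHA-256 of the message, reduced mod n so it fits the toy modulus.
    With a real key size the hash is padded, not reduced."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """Create a signature: the message digest raised to the private exponent."""
    d, n = private_key
    return pow(digest(message, n), d, n)


def verify(message, signature, public_key):
    """Check a signature using only the public key."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)


if __name__ == "__main__":
    c = rsa_encrypt(65, PUBLIC_KEY)
    print("ciphertext:", c, "decrypted:", rsa_decrypt(c, PRIVATE_KEY))

    message = b"transfer 10 to alice"          # constructed sample message
    signature = sign(message, PRIVATE_KEY)
    print("genuine message verifies:", verify(message, signature, PUBLIC_KEY))
    print("altered message verifies:",
          verify(b"transfer 90 to alice", signature, PUBLIC_KEY))
```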