Information Systems Security: Enabling Future Internet Applications through Cryptography
STP-307: Business and the Internet
Mark Bayer - KSG
Jamil Ghani - FAS
Raghav Chandra - KSG
Nanthikesan - KSG
Jaime Chambron - FAS
Angelina Ornelas - KSG
Alex C. Snoeren - MIT
Components of Security
• Physical Security
– Are computers locked up at night?
– Are the network cables exposed?
• Digital Security
– Is the electronic information protected?
• Privacy Policies
– What happens once the information is viewed?
A Definition of Digital Security
• Confidentiality
• Availability
• Authenticity
• Integrity
• Certifiability
Why Should You Care?
• Personal Privacy
• Your information is out there
– Credit and financial information
– Educational records
– Medical records
• Law Enforcement is Handcuffed
– Terrorists, drug traffickers, and pedophiles
• “This is a trade issue!”
Cryptography’s Role
• Currently, an almost unique tool
• Complicated Math Tricks
– Encryption provides confidentiality
– Signatures provide authenticity, integrity
– Certificates provide certifiability
• What about availability?
Measuring Security
• Cryptographic Strength
– Key lengths
• Beyond Bits
– Different algorithms
– “Provably secure” crypto systems
– Implementation issues
How Much Security is Enough?
• Lack of incident information
• Difficulty in predicting future technologies
• Current levels seem “unbreakable”
– Brute-force attacks may take forever
– Consumers are uninformed about proper levels
• Strength is irrelevant if used improperly
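As an added example that is not part of the slides: the deck separates what encryption gives (confidentiality) from what signatures give (authenticity, integrity), and warns that strength is irrelevant if used improperly. The Python below (standard library only; the message and keys are constructed for the demo) shows a cipher with perfect confidentiality whose output can still be altered without the receiver noticing, and how a keyed integrity tag, the symmetric counterpart of a signature, closes that gap.

```python
from typing import Optional
import hashlib
import hmac
import secrets

# Constructed demo values; any 16-byte message and key pair behaves the same way.
MESSAGE = b"PAY 100 TO ALICE"

def otp_encrypt(key: bytes, data: bytes) -> bytes:
    """One-time pad: XOR with a key as long as the data. This gives
    confidentiality and nothing more; XOR is its own inverse, so the same
    function decrypts."""
    if len(key) != len(data):
        raise ValueError("one-time pad key must match data length")
    return bytes(k ^ d for k, d in zip(key, data))

def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an in-transit change to the ciphertext. XOR encryption is
    malleable: XORing (old ^ new) into the ciphertext turns the recovered
    plaintext bytes from `old` into `new` with no knowledge of the key.
    Confidentiality does not rule this out; only an integrity check does."""
    out = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        out[offset + i] ^= o ^ n
    return bytes(out)

def protect(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC-SHA256 tag over it.
    The tag supplies the authenticity and integrity the slides attribute
    to signatures, here in symmetric-key form."""
    ct = otp_encrypt(enc_key, data)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag (constant-time compare) before decrypting.
    Returns None when the ciphertext was altered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return otp_encrypt(enc_key, ct)

if __name__ == "__main__":
    enc_key = secrets.token_bytes(len(MESSAGE))
    mac_key = secrets.token_bytes(32)
    ct = otp_encrypt(enc_key, MESSAGE)
    # Encryption only: the altered ciphertext decrypts to a different, plausible message.
    print(otp_encrypt(enc_key, tamper(ct, 4, b"1", b"9")))  # b'PAY 900 TO ALICE'
    # Encrypt-then-MAC: the same alteration is detected and rejected.
    print(unprotect(enc_key, mac_key, tamper(protect(enc_key, mac_key, MESSAGE), 4, b"1", b"9")))  # None
```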
Why Governments Care: Legislative Landscape
• Global scale: U.S. Congress, OECD, EU
• Export controls
• Key Management Infrastructure (KMI)
• Key Recovery - Clipper Titanic of the 90s?
Pending Legislation (U.S.)
• SAFE Act - 5 versions in the House
• Secure Public Networks Act - in the Senate
• The President’s Plan
Presentation Road Map
• Digital security in the public sector
– Virtual university
• Digital security in the private sector
– Banks
– eShop Plaza
• Government’s role
• Recommendations
Digital Security and Virtual Learning
• Why virtual university?
• Layout of approach
– Analysis of the Universitat Oberta de Catalunya
– Current and potential digital security issues in general virtual learning
– Next steps: issues and approaches
UOC ARCHITECTURE (diagram; only the component labels survive)
Interactive Book, Campus Agenda, Cafe Discussion Group, Interactive Spreadsheet, Campus Worksheet, Library, Bulletin Board, Conferences
Digital Security: UOC Applications and Issues
• Administration
• Synchronous Knowledge Delivery
• Student Evaluation
• Maintaining Secure Data Banks
• Access to Resources
• Visitor Access
• Multiple-user Access
• Library Access
• Code of Ethics
Digital Security: Current and Potential Issues
Current Virtual Distance Learning Projects
• Public Sector
• Private Sector
Digital Security: Potential Issues
• Standards of DS:
• Strength of Encryption
• Authenticity, Certification
• Standards for Accreditation of DS: International coordination & Enforceability
• Keys: Who owns them?
• Government?
• Universities?
• Virtual Registrar?
Digital Security: Next Step - Approaches
LEGAL AGENDA
• Legalization of Digital Signatures
• Standardization of Certification
BUSINESS - GOVERNMENT PARTNERSHIP
• Promotion of Research & Development
• Encryption Regulations
• Dynamic Legal Framework
Field of Dreams: “Build It and They Will Come”
• 77% have not shopped on the Internet
• 86% cite fear of credit card information stolen and misused as a result of Internet shopping
• 56% want government to pass laws protecting personal information collected on the Internet
Big Brother Is Watching
A Study on Privacy over the Internet by The Federal Trade Commission
Due June 1998
Big Business
• Dell Computers sells $1M daily in Internet sales
• GE, HP - Using Net for transactions - save $500M yearly
• HP Versecure
• Marketing, order, processing, fulfillment, payment, logistics performed on Internet
• EDI
Internet Banking
• Facilities offered
• Several banks have launched Internet banking operations, e.g. ICICI-Infinity
• Advantages
• Experimental/Limited in scope
Lacunae
• Liability
• Legal framework
• Forgery/Impersonation
• Taxability
• Convenience
• Pervasiveness
• Confidentiality
Next Steps
• Availability of effective, trustworthy cryptography
• Flexible crypto architecture - keep pace with technology
• Suitable domestic legislation, tax policy framework
• Supportive technology institutions, legal framework
• Educating the consumer
• Encouraging banks
Government and Encryption
• Government policy is the hardware upon which future Internet applications will run
– Respond to market forces
– Facilitate progress
– Solve information asymmetries through consumer education
– Negotiate international agreements
• Encryption is currently an almost unique tool for digital security
Topics of Discussion
• Need for domestic encryption policy
• Potential models
• Why “dumbing down” does not work
• Why “smartening up” does work
• Next steps
Need for Domestic Encryption Policy
• Crime
– Terrible Triumvirate - terrorists, drug traffickers, pedophiles
– Realities of crime fighting
• Seamless world
– Work-arounds to the rules
• Applications are waiting
Potential Models
• “Wild Wild Web” - Safe Act
• “Dumbing Down” - EAR
• Technical Advisory Committee on Encryption Federal Information Processing Standard (TACEFIPS)
• National Electronic Technologies (NET) Center - amendment to Safe Act
Why “Smartening Up” Works
• Permits the realization of the full potential of Internet applications
• Maintains the government’s lead in encryption
• Responds to fundamental market motivations
Recommendations
• “Smarten up, don’t dumb down.”
– NET Center
• Alert the players in advance
– KMI exception
– EU Privacy Directive
• Keep talking (dialogue, not monologue)
– FIPS
– OECD
Recommendations (continued)
• Consumer awareness
– labeling
– “seatbelts and airbags”
– liability rules
Beyond Cryptography
• Cryptography is merely today’s technology
• Detecting and legislating crypto is hard
– Difficult to identify “plain-text”
– Authentication = Confidentiality?
• Other technologies are currently available
– Steganography can provide confidentiality
– Biometrics can provide authentication