
Privacy Management Mechanisms

Course: Security and Privacy on the Internet

Instructor: Dr. A.K. Aggarwal

Presented By:
Rachita Singh
Fadi Farhat
Fall, 2007

1 564 Fall 2007 Security and Privacy on the Internet - Dr. A.K. Aggarwal
Table of Contents

• Introduction
• Security and Privacy
• Basic Security Services
• Privacy Mechanisms
• Proposed Techniques
  - Centralization of Information
  - Smart Card Technology using different keys
• What people should do to help their privacy?
• Conclusion
• References
• Questions

Introduction
Our paper has two major purposes:

1. Define some terms and concepts of basic cryptographic methods by using the Privacy Mechanisms.

2. Present two useful strategies:

2.1. Centralization of Information.

2.2. Smart Card Technology using different keys.

Security and Privacy

• Security can be defined as the “mechanisms and techniques that control who may use or modify the computer or the information stored in it”.

• Privacy can be defined as “the ability of an individual (or organization) to decide whether, when, and to whom personal (or organizational) information is released.”

Elements of Cryptography

This figure explains the operation of transferring a message from sender to receiver. The sender uses a key to cipher the message into a cipher text and sends it to the receiver, who will use a decryption key to decipher it.

Basic Security Services
1. Authentication
It provides the assurance that the communicating entity is the one it claims to be.

Two types of Authentication:

1.1 Peer entity authentication
It provides mutual confidence in the identities of the parties involved in a connection.

1.2 Data origin authentication
It provides assurance about the source of the received data.


2. Access Control
The prevention of unauthorized use of a resource
(i.e. this service controls who can have access to a
resource, under what conditions access can occur,
and what those accessing the resource are allowed
to do).

3. Confidentiality
It is the protection of information from unauthorized
disclosure (against eavesdropping).


4. Traffic-flow confidentiality
The protection of information that might be derived
from observation of traffic flows.

5. Integrity
Data integrity is the assurance that the data is
consistent, correct and accessible. Assurance that
data received are exactly as sent by an authorized
sender i.e. no modification, insertion, deletion or
replay.

6. Non-repudiation
It is the concept of protection against denial by one
of the parties in a communication.

There are two types of non-repudiation:

6.1. Origin non-repudiation
It is the proof that the message was sent by the specified party.

6.2. Destination non-repudiation
It is the proof that the message was received by the specified party.

Privacy Mechanisms
1. Encryption (Encipherment)

It is the process of encoding information into a secret code by using a special key. To read an encrypted file, you must have the decoding key that enables you to decrypt it.

By using an encryption algorithm we can protect personal information that we don’t want other people to see, such as:

- Credit-card information
- Bank-account information
- Medical information

[Figure: Encryption Mechanism]


The two main types of Encryption are:

• Asymmetric encryption (also called public-key encryption)

• Symmetric encryption


Public-key cryptography

• A user has a pair of cryptographic keys: a public key and a private key. The private key is kept secret, while the public key may be widely distributed.

• A message encrypted with the public key can be decrypted only with the corresponding private key.

Asymmetric Encryption

This figure explains how Bob writes an e-mail to Nancy. Nancy's public key is widely distributed, so Bob has it and can encrypt the message and send it to Nancy. Nancy can decrypt the message with her private key, and no intruder should be able to decrypt it.

Private Key encryption

• Private Key means that each computer has a secret key that it can use to encrypt a packet of information.

• It requires that you know which computers will talk to each other and install the key on each one.

• For example, "A" becomes "C" and "B" becomes "D": you have already told the other party that the code is "Shift by 2".


Difference between Symmetric and Asymmetric

In a symmetric cryptosystem, the same key is used for encryption and decryption, while in an asymmetric cryptosystem the key used for decryption is different from the key used for encryption.


2. Digital Signature
A digital signature is basically a way to
ensure that an electronic document is
authentic. Authentic means that you know
who created the document and that it has
not been altered.

3. Hash Functions and Message Digest

This figure tells us that a hash function creates a fixed-length string from a block of data. It is also called a message digest function.

These (fast) functions analyze a message and produce a fixed-length digest which is practically unique. It is used to create a signature for a message which can be used to verify its integrity.


4. Access Control

Access control is a way of talking about controlling access to a web resource. Access can be granted or denied based on a wide variety of criteria, such as the network address of the client, the time of day, or the browser which the visitor is using.

5. Traffic Padding

• Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication.

• The attacker might not know what A and B were talking about, but he could know that they were talking and how much they talked.

• Padding messages is a way to make it harder to do traffic analysis. A number of random bits are appended to the end of the message.
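
The padding step described above, as an added example that is not part of the original slides: each message is padded to a fixed bucket size before it would be encrypted, so an observer sees the same length for different messages. The bucket size, the 4-byte length prefix and the sample messages are assumptions made for the illustration; the encryption step itself is left out.

```python
import os
import struct

BUCKET = 256  # assumed bucket size in bytes (not from the slides)

def pad(message, bucket=BUCKET):
    """Prefix the true length, then append random bytes up to the next bucket boundary."""
    body = struct.pack(">I", len(message)) + message
    return body + os.urandom(-len(body) % bucket)

def unpad(padded):
    """Recover the original message; reject a length field that cannot be right."""
    if len(padded) < 4:
        raise ValueError("padded message too short")
    (length,) = struct.unpack(">I", padded[:4])
    if length > len(padded) - 4:
        raise ValueError("length field exceeds padded size")
    return padded[4:4 + length]

def observed_sizes(messages, bucket=BUCKET):
    """What an eavesdropper can still measure: the padded length of each message."""
    return [len(pad(m, bucket)) for m in messages]

# Constructed sample messages of very different lengths.
SAMPLE_MESSAGES = [
    b"yes",
    b"no",
    b"transfer 500 to account SAMPLE-0001",
    b"x" * 300,
]

if __name__ == "__main__":
    for msg, size in zip(SAMPLE_MESSAGES, observed_sizes(SAMPLE_MESSAGES)):
        print(f"real length {len(msg):>3} -> observed length {size}")
```

Padding hides how much was said within a bucket; it does not hide that A and B were talking, or when.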

6. Routing control

Enables selection of a particular physically secure route for certain data and allows routing changes, especially when a breach of security is suspected.

7. Notarization

It is the use of a third party to assure the other party.

Proposed Techniques

We will present two useful techniques:

1. Centralization of Information.

2. Smart Card Technology using different keys.

Centralization of Information

• The idea is to create a Passport account with the detailed information that will be saved in a central database and protected by several security levels.

• Every user will have a unique identifier for his account in addition to some personal information like the e-mail address, phone number and the first and last name.


Objectives

• Authenticate users for participating sites.

• Secure sign-in.

• Log in to many websites using one account.

Two of the famous groups:

• The Liberty Alliance Project:
It was established in September 2001 for more than 160 companies. The goal of the group was to establish an open standard for federated network identity.

• .NET Passport:
It is a unified-login service presented by Microsoft to allow users to log in to many websites using one account (MSN Messenger, MSN Hotmail, MSN Music, and other sites and services).

Secure sign-in service

• To access a participating site, the browser will send an initial HTTP request message.

• The site will return an HTTP redirect message for the co-branded sign-in page on the Passport server.

• The site will add its unique ID and a return URL to the HTTP.

• Passport server will check the site ID and return URL before displaying the authentication.

• The Passport server and the participating site server never communicate users’ authentication and profile information directly but over secure channels.
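
One way a sign-in server could perform the site ID and return URL check from the steps above, as an added example that is not Passport's own code. The parameter names `site_id` and `return_url`, the registry contents and the sample URLs are hypothetical; the point is that the return URL is compared against what was registered for that site ID, not merely checked for well-formedness.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry: site ID -> (scheme, host, path prefix) agreed at enrolment.
REGISTERED_SITES = {
    "1001": ("https", "shop.example.com", "/signin/"),
    "1002": ("https", "mail.example.net", "/auth/"),
}

def check_signin_request(request_url):
    """Return (allowed, reason) for the request the browser was redirected with."""
    query = parse_qs(urlsplit(request_url).query)
    site_ids = query.get("site_id", [])        # hypothetical parameter name
    return_urls = query.get("return_url", [])  # hypothetical parameter name
    if len(site_ids) != 1 or len(return_urls) != 1:
        return False, "missing or repeated parameter"
    if site_ids[0] not in REGISTERED_SITES:
        return False, "unknown site ID"
    scheme, host, prefix = REGISTERED_SITES[site_ids[0]]
    try:
        target = urlsplit(return_urls[0])
        port = target.port
    except ValueError:
        return False, "malformed return URL"
    if target.scheme != scheme:
        return False, "return URL scheme not registered for this site"
    if target.username is not None or target.password is not None:
        return False, "return URL carries credentials"
    if target.hostname != host or port not in (None, 443):
        return False, "return URL host not registered for this site"
    if not target.path.startswith(prefix) or ".." in target.path.split("/"):
        return False, "return URL path not registered for this site"
    return True, "ok"

# Constructed sample requests (percent-encoded return URLs).
BASE = "https://signin.example.org/login?"
SAMPLES = [
    BASE + "site_id=1001&return_url=https%3A%2F%2Fshop.example.com%2Fsignin%2Fdone",
    BASE + "site_id=1001&return_url=https%3A%2F%2Fshop.example.com.other.example%2Fsignin%2F",
    BASE + "site_id=1001&return_url=https%3A%2F%2Fshop.example.com%40other.example%2Fsignin%2F",
    BASE + "site_id=1001&return_url=https%3A%2F%2Fmail.example.net%2Fauth%2F",
    BASE + "site_id=9999&return_url=https%3A%2F%2Fshop.example.com%2Fsignin%2Fdone",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_signin_request(url))
```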


Security levels

Microsoft .NET Passport provides three security levels:

• Standard sign-in
• Secure channel sign-in
• Strong credential sign-in


Standard sign-in security level

In standard sign-in, the SSL/TLS protocols (Secure Sockets Layer/Transport Layer Security) only secure the transmission of user credentials between the browser and the Passport server, not between the browser and the participating sites. Sites that don’t require a high level of security, such as Microsoft’s Hotmail service, use standard sign-in.


Secure channel sign-in security level

In the secure channel sign-in, all communication takes place over secure channels such as HTTPS (HTTP with SSL/TLS). With secure channel sign-in, traffic is encrypted with an SSL/TLS session key held only by legitimate participants, which ensures reasonable protection from eavesdroppers and man-in-the-middle attacks.

Strong credential sign-in security level

• If a user enters a password incorrectly five consecutive times, .NET Passport automatically blocks access to the account for two minutes, making it difficult for an attacker to launch a password cracker.

• Passport’s designers chose a two-stage sign-in process for protecting participating sites with more stringent security requirements. Stage one is identical to secure channel sign-in. Stage two involves a second sign-in page that requires the user to enter a four-digit security key, or PIN.
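
The lockout rule in the first bullet above (five consecutive wrong passwords, two-minute block), as an added example that is not Passport's code. The class name, the injected clock and the plain-text sample password store are assumptions made so the logic can be run and tested; a real service would store salted password hashes.

```python
import hmac
import time

MAX_FAILURES = 5    # consecutive wrong passwords before the block (from the slide)
LOCK_SECONDS = 120  # length of the block: two minutes (from the slide)

class SignInGuard:
    """Tracks consecutive failures per account and enforces the temporary block."""

    def __init__(self, passwords, clock=time.monotonic):
        self.passwords = passwords  # constructed sample store: account -> password
        self.clock = clock          # injectable so the block can be tested without waiting
        self.failures = {}
        self.locked_until = {}

    def attempt(self, account, password):
        now = self.clock()
        if now < self.locked_until.get(account, 0.0):
            return "locked"         # even the correct password is refused during the block
        expected = self.passwords.get(account)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures.pop(account, None)  # success resets the consecutive count
            return "ok"
        count = self.failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            count = 0
        self.failures[account] = count
        return "denied"

def guesses_per_day(max_failures=MAX_FAILURES, lock_seconds=LOCK_SECONDS):
    """Approximate number of guesses the block still allows per day against one account."""
    return (24 * 60 * 60 // lock_seconds) * max_failures

if __name__ == "__main__":
    guard = SignInGuard({"alice": "correct horse"})
    print([guard.attempt("alice", "wrong") for _ in range(5)])
    print(guard.attempt("alice", "correct horse"))  # refused: account is blocked
    print(guesses_per_day())
```

The block throttles guessing to a fixed rate per account; it does not stop it, which is why the slide pairs it with a second credential for sensitive sites.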


Key management

• Key management is .NET Passport’s Achilles’ heel, as it is for all cryptographic security systems. The Passport server shares a Triple-DES key with each participating site, which it uses to encrypt information it transfers to the participating sites in HTTP redirect messages.

• The .NET Passport service must securely generate the keys and assign them out of band—a difficult task requiring careful attention. The server embeds each key in an installer program, so not even the site administrator sees the key value.

Suggestions for the centralization of Information

Most websites need to verify our personal ID, and we have to provide them with it. To prevent the disclosure of that confidential information, we suggest that .NET Passport expand its reach by increasing the limited number of websites that it deals with, so that it authenticates us wherever needed by playing the role of a notarized third party.

Smart Card Technology using different keys

• A smart card or chip card is defined as any pocket-sized card with embedded memory storage components, a small processor and a fingerprint sensor. Using a special driver, it can:

  - Receive information.
  - Process it.
  - Deliver outputs.

Objectives

• The Smart Card will store different personal information such as Medical and Banking information.

• The protection of our personal information like credit card information, social security number or bank account information can be achieved using encryption, which must be done using different keys depending on the organization for which information from the smart card will be released.

• Self-protection (using the processor) in the case of unauthorized use (destroy the memory).


Example

For example, the encryption key of the bank account information for a certain person should be different from the encryption key of the medical information for the same person. This requires the user to provide each party with its own private key, to ensure that no one else can decrypt information pertaining to other organizations.


How to benefit from the Smart Card?

The Smart Card can be used for commercial transactions over the Internet (using a special driver) such that the user’s encrypted information will be read through a Smart Card Reader by the merchant, who in turn transfers this encrypted information to the related organization.


Security Issue

There is a security issue concerning the use of this Smart Card for commercial transactions over the Internet: a scenario could happen where the website uses the encrypted information to process more banking transactions than authorized.


Proposed Solution

The proposed solution is to let the user add to his original encrypted information the number of times that information is allowed to be used and the amount to be paid to the merchant website in that specific transaction (for bank issues), keeping in mind that the new information will be encrypted with the same key as the original encrypted information.
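
A sketch of the proposed solution together with the per-organization keys from the earlier slides, as an added example that is not from the original presentation. It assumes the card and each organization share a symmetric key, and it uses an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for a real authenticated cipher, because the slides name no algorithm; the field names, the `Bank` class and the sample account are hypothetical. The use limit only holds because the receiving organization counts uses per token.

```python
import hashlib
import hmac
import json
import os

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for a real authenticated cipher.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, fields):
    """Encrypt the fields under one organization's key and append an integrity tag."""
    nonce = os.urandom(16)
    plain = json.dumps(fields, sort_keys=True).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag

def unseal(key, token):
    """Return the fields; raise ValueError if the token was altered or uses another key."""
    nonce, cipher, tag = token[:16], token[16:-32], token[-32:]
    expected = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token was not sealed with this key")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)

class Bank:
    """Receiving organization: enforces the amount and use count the user sealed in."""

    def __init__(self, key):
        self.key = key
        self.uses = {}  # token nonce -> number of times already charged

    def charge(self, token, amount):
        fields = unseal(self.key, token)
        if amount != fields["amount"]:
            return "rejected: amount not authorized"
        used = self.uses.get(token[:16], 0)
        if used >= fields["max_uses"]:
            return "rejected: use limit reached"
        self.uses[token[:16]] = used + 1
        return "charged"

# Constructed sample data: one key per organization, as the slides propose.
CARD_KEYS = {"bank": os.urandom(32), "clinic": os.urandom(32)}
PAYMENT = {"account": "SAMPLE-0001", "amount": 25, "max_uses": 1}

def demo():
    bank = Bank(CARD_KEYS["bank"])
    token = seal(CARD_KEYS["bank"], PAYMENT)  # opaque to the merchant who forwards it
    return [bank.charge(token, 25), bank.charge(token, 25), bank.charge(token, 500)]

if __name__ == "__main__":
    print(demo())
```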

What people should do to help their privacy?
Internet privacy is the ability to control who will access the information and what part of the information.

• The first and most important advice is not to give personal information except to trusted parties.

• Read the agreements provided by websites very carefully before accepting them, because most of the time they grant the website the right to share your private information with third parties. These agreements are always made as long as possible and are sometimes hard to understand, to push you into accepting them without understanding their terms and conditions well.

• Avoid answering unnecessary questions or filling in non-required fields on the web pages that ask for them.

• Be careful about posting your personal information on social networks, because you have to keep in mind that those web pages are constructed to share personal information with everyone who wants to see it.

• Keep in mind that most of the web pages that provide free downloads and free services ask for your personal information in order to use it for business purposes and in an unauthorized way.

Conclusion

• We presented the Security Services and their role in protecting information over the Internet.

• We described the Privacy Mechanisms and how they can protect our information from attackers.

• We mentioned the additional privacy we can gain from the Centralization of Information.

• We offered the Smart Card Technology using different keys, which can enhance our privacy over the Internet.

• Finally, we suggested some important tips that can help in supporting our privacy.

References

[1] Rolf Oppliger, “Microsoft .NET Passport”, IEEE Computer Society, July 2003, pp. 29–35.

[2] Maryam N. Razavi and Lee Iverson, “A Grounded Theory of Information Sharing Behavior in a Personal Learning Space”, ACM Press, 2006, pp. 459–468.

[3] Irene Pollach, “What’s wrong with online privacy policies?”, ACM Press, Sep 2007, pp. 103–108.

[4] Jason I. Hong, Jennifer D. Ng, Scott Lederer and James A. Landay, “Privacy Risk Models for Designing Privacy-Sensitive Ubiquitous Computing Systems”, ACM Press, 2004, pp. 91–100.

Questions
