View
230
Download
3
Category
Preview:
Citation preview
1
Computer & Web Security
Security Problems in Computer Use
Privacy-Protecting Techniques
Privacy-Protecting Technologies: cryptography, digital signatures & certificates, etc.
2
Computer Security: Basic Issues
Different dimensions of the security problem:Securing hardware (e.g. via locks or tags) vs. securing
softwarePreventing damage through system failure (software or
hardware) vs. preventing damage through malicious intentional actions (security attacks, theft)
We will mainly focus on preventing malicious intentional actions on the software level
3
Types of System Failure Hardware: power outage, corrupted disks, hard
drive crashes, etc. Software:
Software crashes – a common problem (have you noticed?)
Software does not perform as intended/desired; note that this could be caused by user errors
While these problems cannot be completely avoided, damage can be greatly reduced…
4
Avoiding Severe Damage: Backups
Types of backup:Level-zero backup: copy of the original system when
first installedFull backup: copy of every file on the computer Incremental backup: copy of all modified files
Possible security risks: with automatic backup systems, deleting a file does not put it out of existence
5
Intentional Security Attacks
Security risks have greatly increased due to the Internet; no computer is an island
We focus on security issues related to the Internet, but this will also include basic security for the user’s computer
6
What do attackers want?
Scan your system for confidential documents Corrupt information on your computer Modify your operating system by creating security
loopholes Steal credit card numbers Block access to your system (coordinated attack) Press coverage
7
Big Brother is watching you -traces you leave in the Web
I) User-provided information Setting up an account with an online shop, purchasing
tickets via the web What legal restrictions govern the use of the information
provided? (in the US: few) What privacy policy does the vendor have? (the vendor’s web
site should have some information about this!)
Note: even simple demographic information may be sufficient for identification (e.g. ZIP-code + birthday)
8
Further traces you leave
II) Log files Ubiquitous; lots of applications and network programs
create log files of various activities the user performs Web logs: files which are created on remote web server
when a page is downloaded; information stored includes: IP address of the computer that downloaded the web page, time of requrest, URL requested, username (sometimes), refer link, web browser used
Mail logs: created by mail servers, contain at least to: and from:
9
III) Cookies Text file left by a remote web server on your
computer; the cookie is sent to the web server every time a web page from that server is requested
Allows the user to maintain a certain state while requesting different pages; example: shopping cart
10
Where are cookies stored?Netscape Navigator: ~/.netscape/cookiesMicrosoft Explorer: folder Cookies
Browser preferences can be adjusted so that you can refuse cookies when they are sent
11
IV) Web Bugs Simple to program in HTML <img src=“http://…” width=1 height=1 border=0> This will alert the specified web server every time the
page is viewed; outsourced web site monitoring Useful for gathering web use statistics Can also be used to check when HTML e-mails are read,
or to send personal information encoded in URL (like Google puts search strings in URL)
12
Privacy-Protecting Techniques Picking a good password (and not writing it down) Passwords can be captured by password sniffers when
they are transmitted over the network; beware of protocols which do NOT use encryption: FTP (File Transfer Protocol) HTTP (Hypertext Transfer Protocol) POP (Post Office Protocol) TELNET (Remote Terminal Protocol) RLOGIN (Remote Login for UNIX machines)
13
More Privacy-Protecting Techniques
Avoiding Spam and Junk MailDon’t put your e-mail address on your home page, or
write “pauly (and now this strange symbol) csc.liv.ac in you know which country)”
Take your e-mail out of online directoriesDon’t post to public mailing listsPick an unusual usernameAddress Munging: pauly@csc.liv.ac.uk.nospam
14
Privacy-Protecting Technologies
Antispam Services: analyse your e-mail to check whether it is spam, using AI technology, whitelists + confirmation e-mails, etc.
Antispam Software: does the same, but runs on your computer; your mail stays where it belongs
Browsers allow you to refuse cookies
15
More Privacy-Protecting Technology
Anonymous Browsing – protecting your IP addressUse a public terminal (e.g. at a library)Use a proxy server of your internet service provider; in
this case, the proxy servers IP address is passed onUse anonymous web browsing services; they usually
work as proxy servers Secure E-mail: encrypt messages before sending
16
Secure Sockets Layer (SSL)
Uses a cryptographic protocol for sending information over the web
Main usage with web pageshttps://…
Browsers will usually tell you whether the current page/document is “secure”
Example: Booking a flight with a credit card…
18
Symmetric Key Algorithms The same key is used for both encryption and
decryption Sometimes also called private key algorithms Used for the bulk encryption of data Algorithms are very fast & easy to implement There are a large number of possible keys, hence
encryption is difficult to crack, hence high level of secrecy
19
Example: using an 80-bit key, and assuming that 1 million keys per second can be searched, it will take approx. 38 billion years to try all keys
Common algorithms: DES, Blowfish, RC2, RC4, RC5
Problems: parties have to share a secret & private keyBoth parties need to have a copy of the key I need a different key for every person I want to
communicate with; (N2-N)/2 keys for N different users
20
Asymmetric Key Algorithms Encryption and Decryption key differ For encrypted messaging, encryption key is public and
decryption key private Public key can be published on your web page (see e.g.
Benjamin Hirsch) Also called public key algorithms Algorithms are slower & more difficult to implement and
analyse Easier to attack than symmetric key algorithms Common algorithms: DSA/DSS, RSA
21
A further advantage: asymmetric keys can be used for digital signatures, simply make the encryption key private and the decryption key public
Most “secure” protocols will use a mixture of both symmetric and asymmetric key cryptography
Example: Use asymmetric key cryptography to exchange a symmetric key, and use that key for encrypting the main data
Recommended