Internet & Intranet Security Management - Risks & Solutions

More documents

Recommendations

Info

products created in the US cannot legally be exported unless they have in some way been significantly weakened in their level of security. Coincidentally, we have a community of interest in New Zealand and there are several products that have been created here. There is a firm in Christchurch that produces hardware cryptographic devices (SignalGuard by CES ). This system is useful for secure communications between branches of organisations and does not require any computing resources (for the encryption/decryption process) for its use. The unique feature of SignalGuard is that encryption does not take place on data but rather on the analogue signal instead. This fact neutralises many attack strategies. Two crypto systems have been developed independently in Auckland. The first by Peter Smith is called LUC and is a public key system. The second is produced by William Raike and is called RPK and is also a public key system. Each of these is based on difficult to solve problems associated with elliptic curve mathematics. Internationally, the most commonly used crypto system used in the world is called PGP (Pretty Good Privacy — a public key hybrid system) and was initially produced by Phil Zimmermann, however, there have been several others who have assisted with this project. PGP can easily be obtained from the Internet (free) as long as you don't try to download it from the US. There are a couple of products from Finland that hold a great deal of promise due to their very user friendly interface and the choice offered to users of a range of strong encryption algorithms. The first is TeamWare Crypto. The second is F-Secure Desktop produced by DataFellows. Each of these is based on a symmetric key system and the user can choose from a small selection of well known and proven symmetric algorithms. These products are a sample of what can be acquired easily and at a reasonable expense, however, the list should not be misconstrued as complete (as mentioned earlier there are more than 800 different cryptographic products that are currently available in the marketplace) nor as an endorsement of any product. Each, however, can provide strong encryption to users. The most cost-effective security measure is probably the use of good backup procedures. Everyone talks about backup and many actually do something about it. However, many do not. Backup systems like ZIP drives, Jaz drives and optical drives, CD writers and the Pereos tape, are inexpensive and pretty non-intrusive. The tapes for the Pereos System, for example, are small and easy to store and not really very expensive ($30) for storing a gigabyte of data. Secrecy vs. Privacy A discussion of this sort would not be complete without considering the notions of privacy and secrecy. Sissela Bok wrote an excellent book several years ago; however, the issues raised are still relevant today . It is often the perception that secrecy equates to guilt or is somehow threatening. The term secret merely describes the nature of the data or information being discussed and further that whatever is secret is being intentionally concealed. There is no rational way that any other attribute can be ascribed to data or information simply because it is deemed to be secret nor should it be considered awesome or worthy of respect. Privacy on the other hand deals with one's personal domain. Since that domain is proscribed by each of us it will differ. Nevertheless we each, to a greater or lessor degree, determine and control the flow of information about us. The kinds of information we are sensitive to are the natural elements of human autonomy: identity, plans, action, and property.
Everyone has heard the phrase ''if you're not doing anything wrong, you shouldn't have anything to hide". That's really Big Brother's DoubleSpeak for "if you're hiding something, then we can't watch you and protect everybody from everything". Privacy also includes being left alone - freedom from interference. Cryptography can offer a dimension of both privacy and secrecy. How it is used will dictate whether the USER is good or bad, not whether cryptography is good or bad. Conclusions The use of cryptography offers the opportunity to have real privacy of information and communications. It can be used to protect stored information (ideal for notebook computers and for files stored on any computer) as well as live or Internet communications. It can be used to protect business transactions that are communicated over the Internet (including the protection of credit card information). But only if it is available and only if it is "strong encryption". The First Amendment to the United States Constitution guarantees the right to communicate without government interference: "Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances." Encryption software and hardware simply enables one to speak in a language unknown to the government. The Constitution gives the government no blanket power to demand that we provide a translation. Speech in the dialect of IDEA should be free around the world. The important issue to remember is that there is a continuous assault on our privacy and that new techniques are being developed all the time. Technology using strong cryptographic algorithms properly implemented can provide real privacy - as long as we are allowed to use them. Legislation In the bad old days of ITAR, export of cryptographic products was treated the same way as munitions and there were very specific restrictions imposed. In the first instance the relative strength of the algorithm as measured by only one of its attributes was the deciding factor. Keys of forty bits or less were permitted to be exported, those greater than forty bits were not. With modern computing power this level of security is trivial to defeat and arguments came from all quarters to relax this deciding factor. Some movements were made and restrictions were relaxed to the point where products based on fifty-six bit, sixty-four bit and one hundred and twenty-eight bit algorithms could be exported but only under license and only to approved parties. There have been several Bills proposed, however, the two that appear to have some support are languishing in Congress. These would change the export regulations currently in force (sort of). The
Page 1 and 2:
Internet and Intranet Security Mana
Page 3 and 4:
Includes bibliographical references
Page 5 and 6:
Linda Lau, Longwood College/ISBN: 1
Page 7 and 8:
Part III: Cryptography and Technica
Page 9 and 10:
Three authors discuss issues relate
Page 11 and 12:
PART I— STATE OF THE ART Chapter
Page 13 and 14:
Security Policy Primarily, a securi
Page 15 and 16:
management, a visual cross-referenc
Page 17 and 18:
Firewalls A growing security concer
Page 19 and 20:
and a private key. The public key,
Page 21 and 22:
third party intermediary. Value add
Page 23 and 24:
Security policy responses were gene
Page 25 and 26:
I access the public Internet. 3.07
Page 27 and 28:
the number of individuals with that
Page 29 and 30:
Figure 1. Security Issues and Respo
Page 31 and 32:
http://www.infosecnews.com. This re
Page 33 and 34:
latest Internet Domain Survey (Inte
Page 35 and 36:
sensitive data such as credit card
Page 37 and 38:
2) Before connecting a local comput
Page 39 and 40:
There are several issues regarding
Page 41 and 42:
without confidentiality) to IPv6 pa
Page 43 and 44:
Hicks, Roger (1996). "Submission to
Page 45 and 46:
creates the perception in many peop
Page 47 and 48:
consumers and the supplier. With th
Page 49 and 50:
6. Trust needs touch and personal c
Page 51 and 52:
Confidence A number of researchers
Page 53 and 54:
Risk and Trust Risk is an essential
Page 55 and 56:
to interception and modification wh
Page 57 and 58:
trust (1.0) or complete distrust (.
Page 59 and 60:
A degree of uncertainty appears to
Page 61 and 62:
employees must be trusted to regula
Page 63 and 64:
transactions can be at various stag
Page 65 and 66:
electronic networks are secured in
Page 67 and 68:
• We trust, with cautious faith,
Page 69 and 70:
zones according to their products (
Page 71 and 72:
• Assigned tasks are non-routine
Page 73 and 74:
ased trust requires a move from kno
Page 75 and 76:
Web. WebTrust provides the framewor
Page 77 and 78:
London. Deutsch M. (1958) "Trust an
Page 79 and 80:
Zand D.E. (1972) "Trust and Manager
Page 81 and 82:
These techniques and methods operat
Page 83 and 84:
• The primary object of security
Page 85 and 86:
category. Only two systems in the w
Page 87 and 88:
• Evaluation of technical physica
Page 89 and 90:
• EAL2 - structurally tested •
Page 91 and 92:
Integration Principle Measures, pra
Page 93 and 94:
usiness or computing environment. M
Page 95 and 96:
A systematic approach would reduce
Page 97 and 98:
• General and specific responsibi
Page 99 and 100: ''Critical/Essential" to "No benefi
Page 101 and 102: must be prepared very carefully and
Page 103 and 104: O and M only are authorised to cont
Page 105 and 106: References Amoroso, E. (1994). Fund
Page 107 and 108: von Solms, R. (1999). ''The Informa
Page 109 and 110: Figure 1. Basic Web Client-Server M
Page 111 and 112: Communication or network security i
Page 113 and 114: activities. These log files must be
Page 115 and 116: Dependencies of Security Services c
Page 117 and 118: • User authentication. The users
Page 119 and 120: In a communication network (such as
Page 121 and 122: has not been altered during transmi
Page 123 and 124: S-HTTP is also more flexible than S
Page 125 and 126: The components of this set represen
Page 127 and 128: Figure 11. Directory-based Security
Page 129 and 130: distinguished names (RDNs) of the a
Page 131 and 132: Figure 14. User-Role and Role Permi
Page 133 and 134: • trust management. Figure 16 dep
Page 135 and 136: assignment are stored in the direct
Page 137 and 138: Microsoft Corporation (1999). Activ
Page 139 and 140: use. For the most part the many and
Page 141 and 142: Obtaining cryptographic tools depen
Page 143 and 144: honour and reputation. Everyone has
Page 145 and 146: Figure 1 Figure 2 send a secure mes
Page 147 and 148: data to be encrypted or decrypted.
Page 149: Figure 5. algorithm with a key spac
Page 153 and 154: Then the second would be: exactly w
Page 155 and 156: possible. 16 Cracking DES: Secrets
Page 157 and 158: Statements of this nature can be fo
Page 159 and 160: 2. The above assertion is only true
Page 161 and 162: As we have seen, non-repudiation re
Page 163 and 164: the host. Physical security would p
Page 165 and 166: A second paradigm shift occurred be
Page 167 and 168: etween A and B and if X is a messag
Page 169 and 170: of this list has to be protected by
Page 171 and 172: een evaluated to level E6 (UK ITSEC
Page 173 and 174: The foundations that anchor cryptog
Page 175 and 176: UK ITSEC Scheme. (1999). UK Certifi
Page 177 and 178: Scope of This Chapter However, desp
Page 179 and 180: The National Standards bodies (memb
Page 181 and 182: • SC17: Identification cards and
Page 183 and 184: those not appropriately authorised.
Page 185 and 186: and Pervasive security mechanisms,
Page 187 and 188: . Proprietary name(s) of algorithm.
Page 189 and 190: and hence P = dK(eK(P)). Electronic
Page 191 and 192: Encipherment operates as follows. F
Page 193 and 194: • Method 2 (also known as Ciphert
Page 195 and 196: More specifically, if the n-bit dat
Page 197 and 198: • A new (3rd) padding method has
Page 199 and 200: information. The output is the MAC
Page 201 and 202:
Overview The ISO/IEC 9796 standard
Page 203 and 204:
discarded. Finally the least signif
Page 205 and 206:
2. Message recovery. This step yiel
Page 207 and 208:
ISO/IEC 9796-2 was published in 199
Page 209 and 210:
• ISO/IEC 14888-1: 1998: General,
Page 211 and 212:
scheme are specified in the standar
Page 213 and 214:
If V = R then the signature is veri
Page 215 and 216:
Method 1 (Single Length Hash-Codes)
Page 217 and 218:
ISO/IEC 10118-4 (Modular arithmetic
Page 219 and 220:
To protect a message in a protocol,
Page 221 and 222:
These sequence numbers take the rol
Page 223 and 224:
The mechanism has two message passe
Page 225 and 226:
This example can be found in clause
Page 227 and 228:
protocol is used for time synchroni
Page 229 and 230:
• Non-repudiation of delivery, pr
Page 231 and 232:
We now consider the multi-part ISO/
Page 233 and 234:
Key establishment includes key agre
Page 235 and 236:
valid. This is typically done by me
Page 237 and 238:
combine them mean that neither enti
Page 239 and 240:
this implies that F(·,g) is one-wa
Page 241 and 242:
Other Standards A multi-part standa
Page 243 and 244:
ISO. (1994b). ISO/IEC 9798-2, Infor
Page 245 and 246:
ISO. (1999a). ISO/IEC DIS 9594-8, I
Page 247 and 248:
Regardless of what many employees m
Page 249 and 250:
State and local public employees al
Page 251 and 252:
wrongful discharge in violation of
Page 253 and 254:
one expert puts it, a hacker ''has
Page 255 and 256:
printing and saving the hard copies
Page 257 and 258:
protection in the event employee e-
Page 259 and 260:
Coie, Perkins. (1999). Does Your Em
Page 261 and 262:
G. David Garson. Idea Group Publish
Page 263 and 264:
Restuccia v. Burk Technologies, Inc
Page 265 and 266:
distinguished from the application
Page 267 and 268:
Electronic mail poses the most imme
Page 269 and 270:
interferences with individual priva
Page 271 and 272:
However, such restrictions are just
Page 273 and 274:
Principle 12 deals with unique iden
Page 275 and 276:
conceptual barrier, certain difficu
Page 277 and 278:
Another recommendation targets the
Page 279 and 280:
Privacy Commissioner's office, that
Page 281 and 282:
Finally the existing obligations re
Page 283 and 284:
16 See infra. 17 Several Internatio
Page 285 and 286:
Mark Sweat is a consultant and anal
Page 287 and 288:
Chapter 7 Dieter Gollmann was a sci
show all

Internet & Intranet Security Management - Risks & Solutions

Create successful ePaper yourself

Delete template?

Save as template?