Information Systems Security:Enabling Future Internet Applications

through Cryptography

STP-307: Business and the Internet

Mark Bayer - KSG Jamil Ghani - FASRaghav Chandra - KSG Nanthikesan - KSGJaime Chambron - FAS Angelina Ornelas - KSG

Alex C. Snoeren - MIT

Components of Security

• Physical Security– Are computer locked up at night?– Are the network cables exposed?

• Digital Security– Is the electronic information protected?

• Privacy Policies– What happens one the information is viewed?

A Definition of Digital Security

• Confidentiality

• Availability

• Authenticity

• Integrity

• Certifiability

Why Should You Care?

• Personal Privacy• Your information is out there

– Credit and financial information– Educational records– Medical records

• Law Enforcement is Handcuffed– Terrorists, drug traffickers, and pedophiles

• “This is a trade issue!”

Cryptography’s Role

• Currently, an almost unique tool

• Complicated Math Tricks– Encryption provides confidentiality– Signatures provide authenticity, integrity– Certificates provide certifiability

• What about availability?

Measuring Security

• Cryptographic Strength– Key lengths

• Beyond Bits– Different algorithms– “Provably secure” crypto systems– Implementation issues

How Much Security is Enough?

• Lack of incident information

• Difficulty in predicting future technologies

• Current levels seem “unbreakable”– Brute-force attacks may take forever– Consumers are uninformed about proper levels

• Strength is irrelevant if used improperly

Why Governments Care:Legislative Landscape

• Global scale: U.S. Congress, OECD, EU

• Export controls

• Key Management Infrastructure (KMI)

• Key Recovery - Clipper Titanic of the 90s?

Current Regulations (U.S.)

• Freedom to choose at home

• Export Administration Regulations (EAR)

Pending Legislation (U.S.)

• SAFE Act - 5 versions in the House

• Secure Public Networks Act - in the Senate

• The President’s Plan

Presentation Road Map

• Digital security in the public sector– Virtual university

• Digital security in the private sector– Banks– eShop Plaza

• Government’s role

• Recommendations

The Public Sector

Digital Security and Virtual Learning

• Why virtual university?• Layout of approach

– Analysis of the Universitat Oberta de Catalunya – Current and Potential digital security issues in

general Virtual Learning– Next steps: issues and approaches

UOC ARCHITECTURE

Interactive BookCampus Agenda

Cafe Discussion Group

InteractiveSpreadsheet

CampusWorksheet

Library

Bulletin Board

Conferences

UOC ARCHITECTURE

Interactive BookCampus Agenda

Cafe Discussion Group

InteractiveSpreadsheet

CampusWorksheet

Library

Bulletin Board

Conferences

Digital Security:UOC Applications and Issues

• Administration

• Synchronous Knowledge Delivery

• Student Evaluation

• Maintaining Secure Data Banks

• Access to Resources• Visitor Access

• Multiple-user Access

• Library Access

• Code of Ethics

Digital Security: Current and Potential Issues

Current Virtual Distance Learning Projects• Public Sector• Private Sector

Digital Security: Potential Issues

• Disaggregation of University Functions

• Universal Student ID

Digital Security: Potential Issues

• Standards of DS:• Strength of Encryption

• Authenticity, Certification

• Standards for Accreditation of DS: International coordination & Enforceability

• Keys: Who owns them?• Government?

• Universities?

• Virtual Registrar?

Digital Security:Next Step - Approaches

LEGAL AGENDA• Legalization of Digital Signatures• Standardization of Certification

BUSINESS - GOVERNMENT

PARTNERSHIP• Promotion of Research & Development• Encryption Regulations• Dynamic Legal Framework

The Private Sector

Growth of Electronic Commerce

$327 Billion by 2002, according to Forrester Research

Field of Dreams: “Build It and They Will Come”

• 77% have not shopped on the Internet

• 86% cite fear of credit card information stolen and misused as a result of Internet shopping

• 56% want government to pass laws protecting personal information collected on the Internet

eShop Cybermall:A Unique Business Model

Big Brother Is Watching

A Study on Privacy over the Internet by The Federal Trade Commission

Due June 1998

Taming the “Wild Wild Web”

Legal Issue Facing the Net

Big Business

• Dell Computers sells $1M daily in Internet sales• GE, HP - Using Net for transactions - save

$500M yearly • HP Versecure• Marketing, order, processing, fulfillment,

payment, logistics performed on Internet• EDI

Internet Banking

• Facilities offered• Several banks have launched Internet banking-

operations, e.g. ICICI-Infinity• Advantages

• Experimental/Limited in scope

Lacunae

• Liability

• Legal framework

• Forgery/Impersonation

• Taxability

• Convenience

• Pervasiveness

• Confidentiality

Next Steps

• Availability of effective, trustworthy cryptography• Flexible crypto architecture - keep pace with

technology • Suitable domestic legislation, tax policy framework • Supportive technology institutions, legal framework • Educating the consumer• Encouraging banks

Government’s Role

Government and Encryption

• Government policy is the hardware upon which future Internet applications will run– Respond to market forces– Facilitate progress– Solve information asymmetries through consumer

education– Negotiate international agreements

• Encryption is currently an almost unique tool for digital security

Topics of Discussion

• Need for domestic encryption policy

• Potential models

• Why “dumbing down” does not work

• Why “smartening up” does work

• Next steps

Need for Domestic Encryption Policy

• Crime– Terrible Triumvirate - terrorists, drug

traffickers, pedophiles– Realities of crime fighting

• Seamless world– Work-arounds to the rules

• Applications are waiting

Potential Models

• “Wild Wild Web” - Safe Act

• “Dumbing Down” - EAR

• Technical Advisory Committee on Encryption Federal Information Processing Standard (TACEFIPS)

• National Electronic Technologies (NET) Center - amendment to Safe Act

Why “Dumbing Down” Does Not Work

• Key recovery

• Limits on key length

• Review committee

Why “Smartening Up” Works

• Permits the realization of the full potential of Internet applications

• Maintains the government’s lead in encryption

• Responds to fundamental market motivations

Next Steps

• Adopt NET Center

• Standardize usage through collaborative efforts

• Baby steps

Recommendations

• “Smarten up, don’t dumb down.”– NET Center

• Alert the players in advance– KMI exception– EU Privacy Directive

• Keep talking (dialogue, not monologue)– FIPS– OECD

Recommendations (continued)

• Consumer awareness– labeling– “seatbelts and airbags”– liability rules

Beyond Cryptography

• Cryptography is merely today’s technology

• Detecting and legislating crypto is hard– Difficult to identify “plain-text”– Authentication = Confidentiality?

• Other technologies are currently available– Stenography can provide confidentiality– Biometrics can provide authentication