Lecture 9: Privacy and Security • Web Technologies in Organizations (ADM 4379)

  • Presented by: Prof. Dr. William Van Woensel

  • Institution: University of Ottawa

Learning Objectives

  • Understand the critical need for data privacy.

  • Recognize the need for network security and the ways in which it may be compromised.

  • Grasp the fundamentals of symmetric and asymmetric cryptography, including:
      - Basics of block ciphers.
      - Public key cryptography and its various applications.

  • Appreciate the necessity of digital certificates.

  • List various technologies that apply cryptography mechanisms.

  • Explain operational security and its primary components.

  • Recognize challenges in user authentication processes.

  • Understand potential software vulnerabilities.

Data Privacy

  • Definition: Privacy is defined as an individual's right to control personal data, which includes:
      - Profile information.
      - Web browsing behavior.

  • Issues of Privacy:
      1. Companies track web users to collect data.
      2. Data brokers aggregate and sell consumer data, acquiring information from:
         - Public records.
         - Purchase histories.
         - Social media activity.

  • Purpose of Data Collection: Used for marketing, facilitating people search services, and aiding fraud detection.

  • Economic Implication: Violating privacy constitutes a lucrative business opportunity for many companies.

Example: Google and Advertising Revenue

  • Google generates income primarily through advertisements:
      1. Advertisers pay Google to display ads.
      2. Google delivers targeted ads to users.
      3. Revenue model: Pay Per Click (PPC) - Google earns more when ads are appealing to users.

Data Brokers

  • List of Major Data Brokers:
      - Acxiom
      - BeenVerified
      - Intelius
      - Spokeo
      - Many others listed in the lecture notes, highlighting a wide array of data brokers.

Issues from Data Brokers

  • Worst Case Scenarios:
      - Receiving personalized advertisements or free services.
      - Price discrimination resulting in differential pricing based on:
         - Zip code.
         - Browsing history.
      - Risk of identity theft by compromising secret questions.
      - Manipulation of elections, exemplified by Cambridge Analytica's harvesting of 80M Facebook profiles without consent; used for political advertisement.
      - Vulnerability to hacks, citing incidents involving Acxiom and Epsilon.

Tracking Users: Third-Party Cookies

  • Definition: HTTP cookies are employed to track users within websites and across the internet.

  • Mechanism:
      - HTML pages consist of text with HTML elements, including image requests that create separate HTTP requests that may originate from a different domain.
      - This process leads to potential user tracking across different websites (as illustrated by a series of examples in the lecture).

Third-Party Cookies and Identifying Information

  • Tracking Mechanism: Engages with user identifying information; for instance, previously logged-in credentials might be sent along with ad requests, revealing users' personal browsing behaviors.

  • Browser Settings:
      - Modern browsers like Firefox have default settings to block third-party cookies, promoting user privacy.
      - Google proposes a "Privacy Sandbox" to track interests locally without compromising user identity (expected release by late 2024).

Consent Banners

  • The implementation of consent banners arises from regulations like GDPR, which governs how cookies are used and requires user consent for tracking.

  • General rise in annoying pop-ups on the internet can be attributed to this regulatory environment and the operational compliance many websites must adhere to.

Network Security

  • Inherent Insecurity of Computer Networks:
      - Network topologies (e.g., bus, star) predispose them to vulnerabilities by allowing messages to be broadcast.
      - Routers and client/server architectures present multiple points where compromise can occur.

Compromising Network Security

  • Methods of Compromise:
      1. Eavesdropping: intercepting message contents.
      2. Tampering: modification of messages.
      3. Impersonation: pretending to be a legitimate sender or receiver.
      4. Network attacks: mapping and overloading resources.

Ensuring Secure Communication

  • Strategies:
      1. Encryption: securing messages so only intended receivers can read them.
      2. Integrity confirmation: detecting alterations in messages.
      3. Authentication: confirming identities of communication parties.
      4. Implementing operational security using tools like firewalls and cryptography.

Cryptography

  • Role: Cryptography is essential for network security, handling encryption, integrity assurance, and authentication.

  • History: Cryptographic practices have evolved over 2000 years, with significant advancements occurring since the 1970s.

Key Participants

  • Stakeholders:
      - Alice and Bob: two communicating parties.
      - Trudy: any unauthorized intruder.

Message Encryption

  • Encryption serves to prevent eavesdropping, making messages unintelligible to anyone other than the intended receiver.

  • It relies on shared knowledge of techniques and a secret key.

Types of Cryptography

1. Symmetric Encryption

  • Identical keys are used for both encryption and decryption. This was the only available cryptographic method until the late 1970s.

2. Asymmetric Encryption

  • Utilizes key pairs (K1, K2) where one key is public and the other is private, thus allowing secure communication without the need to exchange secret keys.

Key Examples: Caesar Cipher

  • A substitution cipher that shifts letters by a fixed number (k) in the alphabet (e.g., k = 3). The security of this cipher is limited to 25 potential keys, making it vulnerable to brute-force attacks.

More Complex Ciphers: Monoalphabetic Ciphers

  • These assign unique substitutes to each letter, resulting in approximately 26! (or around 102610^{26}) potential keys, demonstrating much stronger security compared to basic ciphers.

Block Ciphers

  • A modern encryption standard in many secure protocols, where each k-bit block is encrypted using a unique substitute. Security improves with increasing k (e.g., k=64k = 64).

  • The complexity of the key space depends greatly on this k value; example given is 2k2^k for the number of possible keys.

Popular Block Ciphers

  • Examples include:
      - Data Encryption Standard (DES): 64-bit blocks with a 56-bit key.
      - Advanced Encryption Standard (AES): supports 128, 192, and 256-bit keys.

  • Security benchmark comparison: devices that can crack 56-bit DES in one second would take approximately 101810^{18} years to crack 128-bit AES.

Asymmetric Public Key Cryptography

  • Addresses limitations in symmetric cryptography regarding the secure exchange of keys. Also known as public key cryptography, where one key is public and the other private.
      - A public key is used for encryption while the private key is used for decryption.

Security Implications

  1. Guessing the private key from the public must be computationally infeasible (e.g., RSA relies on prime factorization difficulties).

  2. Authentication mechanisms are necessary to ascertain key ownership and to prevent man-in-the-middle attacks.

Authentication Methods

  • Digital Certificates: These are used to certify a public key and typically issued by a Certificate Authority (CA). The authority verifies identities and then signs the certificate with its own private key.

RSA Encryption Method

  • RSA is recognized for its widespread use within asymmetric encryption, being considerably slower than symmetric encryption.

  • Security implementation often involves generating a symmetric session key using asymmetric methods, followed by encrypting further communications using symmetric ciphers.

Security Protocols: SSL/TLS

  • Overview of SSL/TLS protocols: Facilitates secure web connections through a handshake process, which involves:
      1. Establishing a connection.
      2. Exchanging cryptographic information.
      3. Utilizing certificates in order to verify identities of communicating parties.
      4. Protecting the session key via encryption.

Virtual Private Networks (VPN)

  • VPNs allow users to connect to a private network over the public internet while ensuring the data is secure using protocols such as IPSec or TLS.
      - IPSec Datagram example: Combines a typical IP header with a payload that includes an IPSec header that secures the IP datagram, thus preventing unauthorized reading of the payload being sent.

Operational Security

  • Definition: Operative measures ensuring security on the network and delineating access levels between good and bad entities.
      - Components for Security include firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) which monitor and protect networks.