Documente Academic
Documente Profesional
Documente Cultură
Virginia Horniak
student at Department of Computer
Science and Engineering,
Mlardalen University
PO Box 883
721 23 Vsters, Sweden
vhk99001@student.mdh.se
ABSTRACT The privacy and security in computers has the last decades been a
Today there is a great concern among businesses and individuals hot topic to debate. There are many laws around the world
about privacy and security while using computers and the allowing governments to control the communication of the
Internet. The two topics, privacy and security, are closely related countrys citizens. There are organisations, which are not satisfied
in the computer-industry and on the Internet and there are many with the legislation and find that it violates the right to an
questions that overlap each other. individuals privacy. The fifth chapter describes the legislation in
United States and the directives that have been stated in the
Secure communication is in many cases a requirement assuring European Union. The freedom of individuals and the ethical
privacy and security for businesses and individuals. One of the questions are also described.
security techniques used in communication is data encryption,
which prevents unwanted users to gain access of the information
that is transmitted between computer networks or on the Internet.
2. PRIVACY AND SECURITY -
We will in this paper, among other things, look on the technique DEFINITIONS AND DIFFERENCES
of encrypting data, authentication of users in network systems and The two concepts privacy and security often overlap each other
on the ethical questions concerning privacy and security in since they are closely related; however there are some quite
computer networks. important differences between these two issues [1]. The privacy
on the Internet concerns the fact that users of the Internet are
1. INTRODUCTION often worried about loosing their personal information to
This paper treats the questions concerning ethical aspects of companies on the Internet that later on abuse the information. The
privacy and security in network systems. The security today is a security on the Internet and in computer networks is on the other
big issue in the use of the Internet and network systems and there hand an important issue concerning users who are afraid that the
are representatives in public and in private sectors, saying that communication they are having can be accessed and manipulated
there is a need of increasing the security or that the available by unauthorized intruders, who have no right to the information.
security can be enhanced. This paper will however concentrate on There are of course other concerns, besides the wire-tapping,
the existing computer security: the encryption of data and the dealing with the security on the Internet, like for example hacking
authentication of users in a computer network. and computer viruses attacking computer networks. This paper
As you will see there are many encryption algorithms and will however describe the security concerning the vulnerability to
authentication protocols; each of them has its own advantages and unauthorized access of data that is either placed in a computer
disadvatages. But the red thread throughout the topics in this system or that is transmitted through computer systems, like for
paper is the ethical aspect. The ethical aspects in computer example on the Internet.
security are many and the biggest aspect is a persons right to The main difference between the concepts security and privacy in
privacy. Throughout this paper these aspects will be considered, computer systems is that the information is secure if the owner
therefore it is good if the reader has them in the back of the head has control over it. The information is on the other hand private if
while reading this paper. the subject of the information has control over it [2].
The concepts privacy and security are often confused and overlap Security may be confused with privacy because of the fact that
each other in many contexts. These two concepts are described secure, or confidential, information is not open for unauthorized
and differentiated in the second chapter. There is also a parties, while private information is not revealed without
description of computer security and its goals. permission.
The third chapter describes cryptography, what the term Anonymity is a term that combines security and privacy by
cryptography includes and different encryption ciphers and guaranteeing privacy, since anonymous information has no
standards. To be able to encrypt and decrypt data there is a need subject, and requiring security so that the anonymous information
of a key distribution and there are many ways of distributing the proceeds being anonymous.
keys which are described. The three most important goals for the security are:
In the fourth chapter the authentication and its many protocols are
integrity, which means that information cannot be
described. Many of these described protocols have some kind of
changed during transmission
flaws where intruders can come in between two communicating
authentication, which occurs when an identity is
parties. In the section about authentication there is a description of
established between two users
these flaws and they are illustrated.
confidentiality, which means that the information stays possibilities the string can be written in and automatically the
confidential during transmission and intruder will have more difficulties in finding the right key. Keys
non repudiation, meaning that it is important to be able are most often as long as 256 bits but can be up to 1000 bits long.
to prove that a message has been sent. If the encryption- and decryption algorithms are secret there is no
need of keys since no one has the knowledge of the algorithms
To achieve the wanted security there are privacy-enhancing but if the algorithms are known the keys have to be secret. Most
technologies called PETs that protect the personal privacy [3]. often the algorithms are known to the public and to test whether
One of the oldest most effective PETs is the one that protects the an encryption algorithm is secure enough it is often publicized
content of the messages transmitted between two communicating and attempts are made by academic cryptologists to break the
users on the Internet, the technique called cryptography. algorithms. If years have passed and no one has managed to break
the system the algorithm can be assumed to be solid and then the
Cryptography is only a tool and does not guarantee security.
important aspect is to keep the keys secret.
There are several cryptographic tools such as hash values, public
key cryptography and private key cryptography. In the next There are two categories of encryption methods: substitution
section the different aspects and tools of cryptography will be ciphers and transposition ciphers.
described.
3.1.1 Substitution Ciphers
3. CRYPTOGRAPHY In a substitution cipher each letter, or each group of letters, gets
replaced by another letter or group of letters to disguise it.
3.1 Terminology and General Cryptography
Cryptology is the term including both the terms cryptography (i.e. There is a general encryption system called the monoalphabetic
encryption), which is the name of the science of creating substitution, where the key is a 26-letter string that corresponds to
cryptosystems, and cryptanalysis, which is the term of breaking the full alphabet.
cryptosystems. A cryptosystem, or an encryption system as it is plaintext: abcdefghijklmnopqrstuvwxyz
also called, is a system that provides confidentiality to the parties
cipher text: QWERTYUIOPASDFGHJKLZXCVB NM
that want to communicate with each other on the Internet [4].
The plaintext attack would after encryption with the key above
The message that is going to be encrypted is known as the
become the cipher text QZZQEA. At a first glance this seems to
plaintext, see figure 1. The output of the encryption is called
be a secure system since the variation of keys can be 26! ( 4 *
cipher text and it is the cipher text that later on is transmitted
between for example computer networks [5]. 1026), nevertheless the cipher can be broken easily. Languages
most often have a statistical property where certain letters are
Intruder more common than others and by making guesses at common
letters and likely patterns of vowel and consonants it is quite easy
for a cryptanalyst to build up a preliminary cipher text.
Encryption Decryption
3.1.2 Transposition Ciphers
Plaintext method method Plaintext While substitution cipher only substitutes the plaintext, the
transposition cipher does not disguise the letters but instead this
type of cipher changes the order of the letters. You can se an
example of a transposition cipher in figure 2.
Cipher text
Encryption Decryption
M E G A B U C K
key key
64 bit plaintext
{Bob, I am Alice}
A, B and Cs shared {Carol, I am Alice}
Initial transposition key
A, B and Cs shared
key
Iteration 1
Figure 4. A Replay Attack.
Alice Bob
Figure 5. A failure of a Replay Attack.
A
4. AUTHENTICATION
Authentication is the technique used when a process verifies that RB
the communication partner is who he is supposed to be [5]. To be
able to pass through the authentication without having permission KAB(RB)
to it is a difficult task. In this section there will be a short
description of the different authentication protocols that are used
in computer systems. RA
An authentication protocol starts with the event that a process, for
example a user Alice, wants to establish e secure connection with KAB(RA)
another user, Bob. Alice either sends a message directly to Bob or
to a trusted and honest key distribution centre (KDC). This Figure 6. A two-way authentication using the challenge
communication between Bob and Alice can be interrupted by an response-protocol.
intruder who replays, modifies or blocks the communication.
Nevertheless, when authentication is completed Alice and Bob Alice Bob
know they are talking to each other, not to an intruder, and there
is a secret session key established that is to be used in upcoming
conversations. This session key is established to reduce the A, RA
amount of traffic including the secret decryption key or the public
key and to reduce the amount of cipher text an intruder can get
hold of. If the process would crash and an intruder would get hold
of the core dump the damage is hopefully minimized since the RB, KAB(RA)
only obtainable key is the session key.
Authentication protocols often use public key cryptography to
establish the session key, while private key cryptography is used
to encrypt the data. KAB(RB)
The following sections are about authentication protocols that are
based on the sharing of a secret key between two users.
Figure 7. A shortened challenge-reponse protocol.
4.1 The Challenge-Response Protocol
The first protocol is called the challenge-response protocol. Let us The problem with the challenge-response protocol is that an
assume that Alice (A) and Bob (B) have exchanged a secret key intruder can easily break it with a reflection attack. The reflection
(KAB), to be sure that the authentication passes one party sends a attack can take place if Bob is able to accept simultaneous
random number to the other party, transforms it with the secret connections at once, and then the intruder can cheat Bob out of
key and sends it back. For an example see figure 6. the secret key Bob shares with Alice as you can see in figure 8.
In the example we can see the communication step by step. At The intruder starts first one session, receives a random number
first Alice sends a message with her identity to Bob, who does not from Bob (RB), which the intruder sends back in a new session as
know whether the message really comes from Alice, therefore his own random number. Bob encrypts RB in the second session
Bob sends a large number (RB) as plaintext to Alice as a
Alice picks x Bob picks y
and when the intruder receives the cipher text KAB(RB), the
intruder can finish the first session by sending KAB(RB) back to n, g, gx mod n
Bob.
The conclusion is that when designing an authentication protocol
it is important not to give away information that an intruder can
gy mod n
use and the two communicating parties have to use different keys.
Alice computes Bob computes
(gy mod n)x = (gx mod n)y =
Intruder Bob
gxy mod n gxy mod n
A, RT
First session
Figure 9. The Diffie-Hellman key exchange.
RB, KAB(RT)