When you send an email message, you're sending information from one computer to another. Have you ever thought about whether that message was secure? Will it only be received by the email account that you meant to send it to, or could anyone read that message? We've talked before about "digital ethics" by companies that may hold your online email accounts (if they host your account, can they look at your emails) but what about everyone else? Would you be upset if some person, unbeknownst to you, was looking through your emails? If so then security matters to you.
Well, maybe you don't care about your email. What else is there? Is there any information that you use online that you want to keep secure? What about your passwords to various accounts? ...your social security number or other identification information? ...your credit card numbers or bank accounts? That information is online, somewhere. Perhaps you care about keeping it securely kept away from any would-be theif.
In order to keep digital information secure there are many things we can do... and many things that other people can to to break that security. We'll get to some of those a bit later. Right now let's focus on the most basic step of security: a password. It's debatable just how much better or how much worse passwords make your digital lives, but right now they pop up everywhere. The idea is like having a digital version of a combination lock (as you might have had on a locker back in high school). Just because you've got a lock with a combination doesn't mean that someone can't figure out your combination. But some lock combinations are more secure than others.
We can think of the security of a lock combination - here, a password - by thinking of the number of possible combinations/passwords we could have chosen. Lets say that your password is just a single digit number, something in the range 0-9. Well, there are just 10 possibilities. A cracker or hacker (a brief mention about these terms will be made in lecture) that would want to find your password would only have to make at most 10 attempts to be able to log in to whatever system your password protected. Whenever they got in, they could assume that their last attempt was actually your password.
How can we have better passwords? How about more digits in our password. If we have a 3-digit password then that's 10 possibilities for each digit for 10*10*10 = 103 = 1000 possible combinations. That makes sense since we're dealing with numbers in the range 0-999. That's one way to do it, but we can also increase the number of possible passwords by having more character possibilities. What if we use alphabet letters as well as decimal digits? Then we have 26 + 10 = 36 possible characters. A 3-digit password now gives 363 = 46,656 possibilities. That's quite a few, so we should be safe, right?
Well, if we think just of 46,000 possibilities is too many for a cracker to try, then we're making the implicit assumption that he/she doesn't have enough time (or patience) to try all the possibilities. Remember that they could get lucky and guess our password on the first try. Or they could be very unlucky and not get it until the last attempt. In general, we can assume that probabilities will work out evenly and it will take about half of the total number of possibilities for them to guess our password. So, here, it would take about 23,000 attempts.
- example case of person looking at your email or password
- example case of good passwords (num chars * num positions = possible comb.)
- dictionary attacks for passwords
- the idea of encryption
- basic "letters replaced by numbers" scheme
- basic "letters replace by letters" scheme
- idea of the "one-time pad" for shifting letters over
- public key encryption
- idea of passing a locked box back and forth
(first one lock, then two, then remove the first and send it back with only the second lock)
(send out millions of locks and only you have the key. anyone can lock a box with
one of those locks and securely send it to you)
- RSA encryption
- security attacks
- computer break-ins (viruses, adware/spyware, trojan horses ?)
- network attacks
- man-in-the-middle attacks (wireless vs. landline internet connection ?)
- physical attacks (best scenario for stealing info like SSN's)
- denial of service attacks