Page 179 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
P. 179
Unit 12: Security Metrics and Privacy
Security and privacy are intimately related technologies, though, there are significant differences Notes
that require to be understood so as to design new systems that address both. Privacy is regarding
informational self-determination—the capability to decide what information regarding you
goes where. Security provides the capability to be confident that those decisions are appreciated.
Example: We converse about GSM voice privacy—can somebody listen to my call? There
is a privacy objective, which is to permit me to say no, and a security technology, encryption,
that permits me to implement it.
In this example, the aims of security and privacy are the similar. But there are other times when
they may be orthogonal, and there are also times when they are in argument.
There is a security objective of authenticating a handset. In some cases this may be completed by
RF fingerprinting, which is not a privacy concern-we securely authenticate that the handset is
the one that is associated to an account, therefore ensuring that the correct person is billed. Here,
security and privacy are orthogonal.
Example: Caller presentation is an example of a position where security and privacy can
argument. I may want privacy, in not allowing anyone else see my number; while the caller
may would like the security of thinking they recognize who is calling. In this circumstances, in
most countries, a balance has been struck in favour of informational self-determination, permitting
the caller to select if caller information is obtainable.
In the area of location information, permitting disclosure of location information out on an
continuous basis generates a number of privacy concerns, but infrequently, when calling for
emergency services, it is functional to reveal. It is significant to design these system so that the
phone’s owner is in control and pleased, and to ensure that the security procedures in place
sustain the owner’s conclusion effectively.
SSL is often confused with privacy. SSL offers “privacy” against eavesdroppers, but this is better
called confidentiality. The well-publicized break-ins at CDNow and other retailers using SSL
show that privacy requires more than SSL. (The same issues apply to WTLS, although WTLS also
creates a problem with the decryption at the WTLS gateway, and a question of is that trustworthy?)
It requires minimizing the amount of information that is transmitted and stored.
So, in managing payments, one can achieve strong security by transferring around the electronic
equivalents of cheques, which are cleared, online. The cheque is signed, the bank is inquired if
there is sufficient money, and everything flows easily. Excellent privacy with the similar security
can be obtained by means of modern e-cash systems. E-cash with online verification permits the
money to be spent without enlightening the account number. Since the account number is never
given to the merchant, privacy is strongly conserved, even when there is a security lapse.
Private Credentials can facilitate a totally secure AND private environment for mobile payment
and signatures.
!
Caution Whether it is for payment, signature or location-dependent services, Privacy
protection technologies must be an essential part of future mobile infrastructure in order
for new mobile services to be adopted by customers.
Self Assessment
Fill in the blanks
11. ........................... provides the capability to be confident that those decisions are appreciated.
12. SSL offers “privacy” against eavesdroppers, but this is better called ........................... .
LOVELY PROFESSIONAL UNIVERSITY 173
