Securing Electronic Portfolios

1 Securing Electronic Portfolios
Patrick Lougheed, Robin Johnson, Mayo Jordanov, Brittney Bogyo, Vive Kumar, and Jane Fee
29 October 2004

2 What kinds of security?
- End-to-end security
- Confidentiality of interactions
- Confidentiality of assessment
- Security of published portfolios
- Security of portfolio transfers
- Verification of artifact authenticity

3 End-to-end security
- Client <-> Server
  - HTTP over SSL
- Server <-> Database
  - Database connection over SSL (or SSH tunneled)
- Problem is now security at endpoints
  - Client (unable to control)
  - Server (able to control)

4 Database Security
- Largest vulnerability
  - Possibly tens of thousands of users
  - Stores assessment data
- Successful attacker can:
  - Harvest data
  - Change marks
  - Change interactions
- Administrators shouldn't have access to confidential data
- Therefore biggest target

5 Confidentiality of Interactions
- In assessment systems, teacher/learner interactions should be considered private
- Private only between teacher and learner
- Possibly made public upon approval of both parties

6 Confidentiality of Assessment
- Minimally two way, more likely three way: learner, teacher, person with responsibility for marks
  - An overseer, such as a principal or teacher-in-charge
- Always private, never made public
- Marks need to be signed as well as encrypted
  - Make sure they're legitimate

7 Security of Published Portfolios
- One person may have multiple published portfolios
  - Presenting different material to different intended audiences for different purposes
  - For example: one published version for a job application at Sun Microsystems; another for an application at Microsoft; a third for assessment purposes
- Need to make sure only certain audiences can access certain portions

8 Security of Portfolio Transfers
- System-to-system direct transfers
  - Easily secured
- Indirect transfers
  - An archive of some sort is kept in someone's possession for an indefinite period of time
  - How do we know the portfolio hasn't been tampered with?
  - When do we care?

9 Verification of Artifact Authenticity
- Hardest problem of this set to solve
- Can we determine if an artifact:
  - Was in fact created by the portfolio creator? (or some portion of it, or they're authorized for it….)
  - Is an official document?
  - Has been tampered with?
- Example: university transcript; off-line methods of verification may not work in the online world

10 How do we solve these problems?
- End-to-end security
  - SSL wrapping
- Database security
  - Proper user authentication
  - Database level encryption (not as easy as it sounds)
  - SSL
- Security of published portfolios
  - Username/password authentication

11 The SPARC System
- Focus so far on database security
- Use of both public key encryption and symmetric encryption
- Keyed on user's password, so they don't need to remember anything new, and are less likely to forget
- Data is encrypted to multiple people simultaneously
- Everything encrypted with a master key, so recovery from a lost password is trivial
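
An added illustration of the layout this slide describes (not SPARC's own code): the record is encrypted once with a random content key, and that key is wrapped for each reader and once more under the master key for recovery. Assumptions: the public-key layer is replaced by wrapping directly under a password-derived key, and an HMAC-SHA256 stream with encrypt-then-MAC stands in for a standard AEAD such as AES-GCM so the block runs on the Python standard library alone; all function names are hypothetical.

```python
import hashlib, hmac, os

def kek_from_password(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the password the user already has.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def subkeys(key: bytes):
    # Independent encryption and MAC keys from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream (stand-in for AES-CTR).
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output is nonce || ciphertext || tag.
    enc_k, mac_k = subkeys(key)
    nonce = os.urandom(16)
    ct = xor_stream(enc_k, nonce, plaintext)
    return nonce + ct + hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_k, mac_k = subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return xor_stream(enc_k, nonce, ct)

def encrypt_record(plaintext: bytes, recipient_keks: dict, master_key: bytes) -> dict:
    # The record is encrypted once under a random content key; only that
    # key is wrapped per recipient, plus once under the master key.
    cek = os.urandom(32)
    wraps = {name: seal(kek, cek) for name, kek in recipient_keks.items()}
    wraps["master"] = seal(master_key, cek)
    return {"body": seal(cek, plaintext), "wraps": wraps}

def decrypt_record(record: dict, name: str, key: bytes) -> bytes:
    cek = unseal(key, record["wraps"][name])
    return unseal(cek, record["body"])

def rewrap_after_reset(record: dict, name: str, master_key: bytes, new_kek: bytes) -> None:
    # Lost password: recover the content key via the master wrap and
    # re-wrap it under the key derived from the new password.
    cek = unseal(master_key, record["wraps"]["master"])
    record["wraps"][name] = seal(new_kek, cek)
```

The master wrap is what makes password recovery easy, and it also means whoever holds the master key can read every record.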

12 The SPARC System

13 What problems are we left with? Part 1
- Multiple recipient encryption
- Portfolios are the inverse of most traditional encryption systems
  - Not one-to-one or many-to-one
  - Rather one-to-many
- RSA multiple-recipient public-key encryption
  - Has been published academically - still potentially problems with it
- Left with encrypting a single message multiple times with multiple keys; does this pose a risk?

14 What problems are we left with? Part 2
- Every user needs a key
  - To encrypt data for a user, that user needs a key; teachers also need a signing key to sign marks
- Leads to the possibility of gaining knowledge about later keys if we know something about earlier keys, assuming the system generates all the keys

15 What problems are we left with? Part 3
- Client verification
- For portfolio transfers…
  - How do we find the people to transfer to?
  - How do we know that the people we're transferring to are correctly identifying themselves?
- For viewing portfolios…
  - How do we know people are who they say they are or belong to the organization they say they do?
- Public Key Infrastructure!
  - Downsides: expensive, many companies don't have a PKI infrastructure, most employees have no access to company's keys

16 What problems are we left with? Part 4
- Verification of authenticity
  - How do we trace an artifact's history?
  - Can we verify it came from a particular source?
- Need to be able to:
  - Verify a signed artifact
  - Verify an artifact's origin
  - Verify the artifact hasn't been tampered with
- Single biggest problem: just because it's signed, doesn't mean it's signed by the right people!

17 People Involved
- Patrick Lougheed
- Brittney Bogyo
- Robin Johnson
- Mayo Jordanov
- Henry Ng
- Vive Kumar

