INFORMATION SECURITY AND CONTRACTS - PowerPoint PPT Presentation

Slides: 36
Provided by: busi227
Transcript and Presenter's Notes

1
INFORMATION SECURITY AND CONTRACTS
2
Information Assurance and Contracts
  • Policies, practices, and technology must be in
    place for an organization to transact business
    electronically via networks with a reasonable
    assurance of information security

3
Goals of Information Assurance and Security in
Contracts
  • Confidentiality of information
  • Authentication and Information Integrity
  • Asset Protection
  • Limitation of Liability Exposure

4
LAW OF ELECTRONIC CONTRACTS
  • COMMON LAW OF CONTRACTS
  • UCC - UNIFORM COMMERCIAL CODE
  • UCITA - UNIFORM COMPUTER INFORMATION TRANSACTIONS
    ACT

5
COMMON LAW OF CONTRACTS
  • Foundation of US contract law
  • State court decisions
  • Governs a wide array of contracts: services,
    land, business agreements, employment
    consulting

6
E-CONTRACTS GOVERNED BY THE COMMON LAW
  • WEB DEVELOPMENT AGREEMENTS
  • WEB LINKING AND ADVERTISING
  • SERVICES CONTRACTS OVER THE INTERNET
  • DISTRIBUTION ARRANGEMENTS

7
UNIFORM COMMERCIAL CODE
  • ARTICLE 2
  • Governs the sale of goods
  • Goods - tangible personal property
  • ARTICLE 2A
  • Governs the lease of goods

8
E-CONTRACTS GOVERNED BY UCC SALES LAW
  • SALES OF CONSUMER AND BUSINESS GOODS (BOOKS,
    CLOTHING, COMPUTERS) OVER THE INTERNET
  • LICENSES OF MASS MARKETED COMPUTER SOFTWARE
  • NOT ALL COURTS CONSIDER IT A SALE

9
UCITA - UNIFORM COMPUTER INFORMATION TRANSACTIONS
ACT
  • Governs computer information transactions
  • Defined as an agreement to create, modify,
    transfer, or license computer information or
    rights in computer information

10
ELEMENTS OF ENFORCEABLE CONTRACT
  • MUTUAL ASSENT - OFFER AND ACCEPTANCE
  • CONSIDERATION - PRICE ELEMENT
  • COMPETENT PARTIES
  • LAWFUL PURPOSE
  • REQUIRED FORM - STATUTE OF FRAUDS

11
MUTUAL ASSENT
  • SHRINKWRAP LICENSES
  • CLICK AND ACCEPT AGREEMENTS
  • BROWSE WRAP AGREEMENTS

12
Shrink Wrap
  • Shrink-wrap agreements are agreements that
    accompany over-the-counter software sales
  • Licenses to use the software with substantial
    restrictions on use

13
Shrink Wrap Terms
  • Warranty disclaimers
  • No copying, decompiling, altering, distributing
  • Arbitration clauses and forum selection clauses

14
ELECTRONIC CONTRACTS
  • CLICK AND ACCEPT AGREEMENTS
  • Online user must affirmatively agree to the
    terms of use prior to transaction
  • BROWSE WRAP AGREEMENTS
  • Online user is advised of terms of use on home
    page

15
Typical Web Wrap Provisions
  • Forum selection clauses
  • if you sue me, do it in my home state
  • Arbitration clauses
  • don't sue me at all - you must arbitrate
    disputes
  • Warranty disclaimers
  • the product you buy from me may not even work
  • Liability limitations
  • if it doesn't work, I'll only give your money
    back
  • Use restrictions
  • no spamming, no robots

16
Warranties, Limitations and Remedies
17
Express Warranties
  • Explicit promises about performance
  • Methods to control exposure
  • Document all important promises in writing
  • Entire agreement (merger) clauses

18
Implied Warranties
  • Merchantability
  • Fitness for a particular purpose
  • Title and against infringement

19
Common Law and Sales Law under UCC
  • Common law - No implied guarantees/warranties of
    performance under the common law
  • Sales Law - UCC imposes implied warranties of
    merchantability in any sale by merchant and
    warranty of fitness in some sales unless
    disclaimed in the contract

20
Limitations on Warranties and Remedies under
Sales Law
  • UCC allows disclaimers of implied warranties in
    the contract
  • UCC allows the contract to limit remedies and
    damages for breach of contract, particularly
    consequential damages (indirect economic losses)

21
Electronic Signature/Contract Laws
  • State digital signature laws
  • UETA - Uniform Electronic Transactions Act
  • ESIGN - Electronic Signatures in Global and
    National Commerce Act

22
UETA - UNIFORM ELECTRONIC TRANSACTIONS ACT
  • Governs enforceability of electronic signatures
    and electronic contracts
  • Makes electronic signatures and contracts on a
    legal par with paper contracts and traditional
    signatures

23
ESIGN - ELECTRONIC SIGNATURES IN GLOBAL AND
NATIONAL COMMERCE ACT
  • Federal Law (2000)
  • A signature, contract or other record cannot be
    denied legal effect, validity or enforceability
    solely because it is in electronic form

24
Encryption
  • Encryption Concepts
  • Plaintext
  • Encryption with encryption method and key
  • Ciphertext, which is transmitted
  • Decryption with decryption method and decryption
    key
  • Plaintext

25
Plaintext, Encryption, Ciphertext, and Decryption
Note: Interceptor Cannot Read Ciphertext Without
the Decryption Key
[Figure: Party A, Interceptor, Party B]
26
KEY ENCRYPTION
  • Symmetric key encryption uses a single key for
    both encryption and decryption in both directions
  • Public key encryption uses four different keys
    for encryption and decryption in both directions

27
Symmetric Key Encryption
Note: A single key is used to encrypt and
decrypt in both directions.
[Figure: Party A: Plaintext "Hello" -> Encryption Method + Key (Symmetric Key) -> Ciphertext "11011101" -> Network (Interceptor) -> Party B: Ciphertext "11011101" -> Decryption Method + Key (Same Symmetric Key) -> Plaintext "Hello"]
28
Public Key Encryption
  • Each party has a secret private key and a public
    key
  • Sender uses the receiver's public key to encrypt
    for confidentiality
  • Receiver uses the receiver's private key to
    decrypt messages

29
Public Key Encryption
[Figure: Party A to Party B: Encrypt with Party B's Public Key, Encrypted Message, Decrypt with Party B's Private Key. Party B to Party A: Encrypt with Party A's Public Key, Encrypted Message, Decrypt with Party A's Private Key.]
30
Digital Signatures
  • Used in message-by-message authentication
  • Applicant hashes plaintext message to produce a
    short message digest
  • Applicant signs message digest (encrypts it with
    the Applicant's private key) to produce the
    digital signature
  • Verifier uses the true party's public key to test
    the digital signature

31
Digital Certificates
  • Verifier uses the true party's public key to test
    the digital signature, not the sender's public key
  • Where does the verifier get the true party's
    public key?
  • Digital certificates give the true party's name
    and public key
  • Both a digital signature and a digital
    certificate (to test the digital signature) are
    needed in authentication.

32
Digital Signature
To Create the Digital Signature
1. Hash the plaintext to create a brief message digest; this is NOT the Digital Signature.
2. Sign (encrypt) the message digest with the sender's private key to create the digital signature.
3. Transmit the plaintext + digital signature, encrypted with symmetric key encryption.
[Figure: Plaintext -> Hash -> MD -> Sign (Encrypt) with Sender's Private Key -> DS]
33
Digital Signature
4. Encrypted with Session Key
[Figure: Sender -> Receiver]
34
Digital Signature
To Test the Digital Signature
5. Hash the received plaintext with the same hashing algorithm the sender used. This gives the message digest.
6. Decrypt the digital signature with the sender's public key. This also should give the message digest.
7. If the two match, the message is authenticated.
[Figure: 5. Received Plaintext -> Hash -> MD. 6. DS -> Decrypt with True Party's Public Key -> MD. 7. Are they equal?]
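Steps 1, 2 and 5 to 7 above, together with the Digital Certificates slide's point about using the true party's public key, as an added Python example that is not part of the original presentation. It assumes SHA-256 as the hash and unpadded "textbook" RSA so that "sign" is literally "encrypt the digest with the private key" as the slides word it; the demo keys are constructed from well-known Mersenne primes and are not usable keys, the step 3 and 4 session-key encryption is left out, and production signatures use a padded scheme such as RSA-PSS.

```python
import hashlib

E = 65537  # public exponent used for both constructed demo keys


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


def message_digest(plaintext: bytes) -> int:
    """Steps 1 and 5: hash the plaintext to a short message digest (MD)."""
    return int.from_bytes(hashlib.sha256(plaintext).digest(), "big")


def sign(plaintext: bytes, private_key) -> int:
    """Step 2: 'encrypt' the MD with the signer's private key to get the DS."""
    n, d = private_key
    return pow(message_digest(plaintext), d, n)


def verify(plaintext: bytes, signature: int, true_party_public) -> bool:
    """Steps 5-7: re-hash, 'decrypt' the DS with the true party's public
    key, and compare the two digests."""
    n, e = true_party_public
    if not 0 <= signature < n:  # cannot be a signature under this key
        return False
    return pow(signature, e, n) == message_digest(plaintext)


# Constructed demo keys. "Lee" is the applicant named on the PKI slide;
# the impostor is a hypothetical party claiming to be Lee.
LEE_PUB, LEE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def demo():
    msg = b"I accept the offer of 1 May."          # constructed sample message
    ds = sign(msg, LEE_PRIV)
    forged = sign(msg, IMPOSTOR_PRIV)              # impostor signs as "Lee"
    return {
        "genuine": verify(msg, ds, LEE_PUB),
        "tampered": verify(b"I accept the offer of 2 May.", ds, LEE_PUB),
        "impostor_vs_true_key": verify(msg, forged, LEE_PUB),
        "impostor_vs_own_key": verify(msg, forged, IMPOSTOR_PUB),
    }
```

The last result is the reason a certificate is needed: the forged signature verifies against the key the impostor supplies, so the verifier has to obtain the true party's public key independently.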
35
Public Key Infrastructure with a Certificate
Authority
[Figure: Certificate Authority PKI Server, Applicant (Lee), Verifier (Brown), Verifier (Cheng). Labels: Create / Distribute: Private Key and (2) Digital Certificate; 3. Request Certificate for Lee; 4. Certificate for Lee; 5. Certificate for Lee; 6. Request Certificate Revocation List (CRL); 7. Copy of CRL]