
Computer System Security CSE 5339/7339


Presentation Transcript


  1. Computer System Security, CSE 5339/7339. Session 28 (last), November 30, 2004

  2. Contents • A7 → in • Tommy’s presentation • Presentation evaluation → in • Put-it-all-together • Final • Q/A • Evaluation

  3. Class Inputs (all feeding into CSE 5339/7339): Researchers, Instructor, Students, Non-academic

  4. Building blocks of the course • System: OS, Networks, Database • Algorithms • Math Background • Encryption / Decryption • Security Issues

  5. Security

  6. Security Goals • Confidentiality: assets are accessed only by authorized people • Integrity: assets can be modified only by authorized people • Availability: assets are accessible to authorized people

  7. Threats to a message in transit (sender → medium → receiver): an intruder on the medium can • Block it • Intercept it • Modify it • Fabricate an authentic-looking message

  8. Important Background

  9. Analysis of Algorithms • Sequential Algorithms • Time Complexity • Space Complexity • An algorithm whose time complexity is bounded by a polynomial is called a polynomial-time algorithm; an algorithm is considered efficient if it runs in polynomial time.

  10. Time Complexity • Polynomial: O(n), O(log n), O(n log n), O(n^2), …, O(n^k) • Exponential: O(2^n), O(k^n), O(n^n)

  11. OS -- Review. OS: a program that acts as an intermediary between a user of a computer and the computer hardware. Layers, top to bottom: Users → Applications → OS → Hardware

  12. OS -- Review. OS Services • Program Execution • I/O Operation • File System manipulation • Communications • Error detection • Resource Allocation • Accounting • Protection

  13. Levels of Abstraction in a DBMS, top to bottom: View 1, View 2, …, View n → Conceptual Database → Physical Database

  14. Important Concepts in Database • Data independence -- from storage media and from applications • Schema -- record definition • Relation – table • Indexing – B trees • Entity/Relationship model – entity, entity set, attributes, key, relationship • Relational Database – information for an enterprise → entities and relationships → relational database • SQL – query language, programming language, embedded vs. interactive

  15. Computer Network Basics • Wide Area Networks (WAN) • Metropolitan Area Network (MAN) • Local Area Network (LAN) • System or Storage Area Network (SAN)

  16. ISO OSI Network Model: two end systems, each with the same seven layers, connected across a LAN or the Internet; layers top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical

  17. TCP/IP protocol stack, top to bottom: Applications (Telnet, ftp, Mail) → Transmission Control Protocol (TCP) → Internet Protocol (IP) → Link technologies (Token ring, Ethernet)

  18. IP Protocol • Unreliable packet delivery service • Datagram (IPv4) header, one 32-bit word per row: VERS | HLEN | SERVICE TYPE | TOTAL LENGTH; IDENTIFICATION | FLAGS | FRAGMENT OFFSET; TIME TO LIVE | PROTOCOL | HEADER CHECKSUM; SOURCE ADDRESS; DESTINATION ADDRESS; OPTIONS (IF ANY) | PADDING; then DATA
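An added example, not from the course slides: the IPv4 header of slide 18 decoded field by field with the RFC 791 header checksum verified. The sample datagram and the in-transit modification are constructed for this example. The point a security engineer should take from it is that the checksum catches accidental corruption but nothing in the header authenticates the source address; a datagram with any source address checksums just as well, which is what the spoofing attack later in the session relies on.

```python
import struct


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    all 16-bit words.  Over a header whose checksum field already holds the
    correct value the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 17,
                      ttl: int = 64, ident: int = 0x1234, flags_frag: int = 0x4000) -> bytes:
    """20-byte IPv4 header (HLEN = 5, no options) with a valid checksum.
    Nothing here authenticates the source address: any value can be written in."""
    version_ihl = (4 << 4) | 5
    fields = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, 20 + payload_len, ident,
                         flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    csum = ipv4_checksum(fields)             # computed with the checksum field zeroed
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decodes the fixed header fields of slide 18 and verifies the checksum."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (version_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if hlen < 20 or hlen > len(packet) or total_length < hlen:
        raise ValueError("inconsistent HLEN / TOTAL LENGTH")
    header = packet[:hlen]
    return {
        "version": version, "hlen": hlen, "service_type": tos,
        "total_length": total_length, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        "source": bytes_to_ip(src), "destination": bytes_to_ip(dst),
        "options": header[20:],
        "checksum_ok": ipv4_checksum(header) == 0,
    }


# Constructed sample: a UDP datagram 192.0.2.1 -> 192.0.2.2 carrying 8 payload
# bytes, and a copy whose TTL was altered in transit without fixing the checksum.
SAMPLE = build_ipv4_header("192.0.2.1", "192.0.2.2", 8) + b"\x00" * 8
_tampered = bytearray(SAMPLE)
_tampered[8] = 63
TAMPERED = bytes(_tampered)
```

`parse_ipv4(SAMPLE)["checksum_ok"]` is true and `parse_ipv4(TAMPERED)["checksum_ok"]` is false, while a header built with a forged source address such as `build_ipv4_header("192.0.2.2", "192.0.2.3", 0)` verifies cleanly: the checksum is an integrity check against noise, not against an intruder.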

  19. Encryption

  20. Encryption/Decryption: original plaintext → Encryption → ciphertext → Decryption → plaintext

  21. Ciphers • Substitution Ciphers: substitute a character or a symbol for each character of the original message • Transposition Ciphers: the characters of the message are kept but their order is rearranged

  22. Symmetric Encryption: one shared key; original plaintext → Encryption (key) → ciphertext → Decryption (same key) → plaintext

  23. Asymmetric Encryption: a key pair; original plaintext → Encryption (KE) → ciphertext → Decryption (KD) → plaintext

  24. Hash Functions: message M → H → H(M) = h

  25. Cryptographic Hash Functions • Message Digest Functions: protect integrity; users create a message digest, or fingerprint, of a digital document • Message Authentication Codes (MACs): protect both integrity and authenticity; a MAC is a fingerprint computed from both the document and a secret key
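An added example, not from the slides, of why slide 25 says a digest protects integrity while a MAC protects integrity and authenticity. It uses SHA-256 from the standard library for the digest and HMAC-SHA256 for the MAC; the transfer order and the intruder's modification are constructed for this example. A plain digest catches accidental corruption, but an intruder who modifies the document in transit (slide 7) can simply recompute it. A MAC needs the secret key, which the intruder does not have.

```python
import hashlib
import hmac
import secrets


def message_digest(message: bytes) -> bytes:
    """Message digest (fingerprint): depends on the document only."""
    return hashlib.sha256(message).digest()


def message_mac(key: bytes, message: bytes) -> bytes:
    """MAC: fingerprint of the document and a secret key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, fingerprint: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(message_digest(message), fingerprint)


def verify_mac(key: bytes, message: bytes, fingerprint: bytes) -> bool:
    return hmac.compare_digest(message_mac(key, message), fingerprint)


# Constructed sample transfer order and the change an intruder makes in transit.
ORDER = b"transfer 100 USD from acct 4471 to acct 9902"
FORGED = ORDER.replace(b"100", b"900")


def digest_detects_noise() -> bool:
    """An accidental bit flip is caught: the stored fingerprint no longer matches."""
    corrupted = bytes([ORDER[0] ^ 0x01]) + ORDER[1:]
    return not verify_digest(corrupted, message_digest(ORDER))


def digest_detects_forgery() -> bool:
    """A deliberate intruder replaces the document and recomputes the digest,
    because no secret is involved.  Returns False: the forgery is accepted."""
    fingerprint = message_digest(FORGED)            # attacker recomputes the fingerprint
    return not verify_digest(FORGED, fingerprint)


def mac_detects_forgery(key: bytes) -> bool:
    """Without the key the intruder cannot produce a matching MAC; a guessed
    key or a bare digest are both rejected by the receiver."""
    guessed_key = secrets.token_bytes(32)           # attacker's best effort
    attempts = [message_mac(guessed_key, FORGED), message_digest(FORGED)]
    return not any(verify_mac(key, FORGED, tag) for tag in attempts)


def mac_accepts_genuine(key: bytes) -> bool:
    return verify_mac(key, ORDER, message_mac(key, ORDER))
```

The digest is still useful when it travels over a channel the intruder cannot write to (for example, published out of band); the MAC is what you need when fingerprint and document travel together.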

  26. Getting a Message Digest from a document: document → Hash → Message Digest

  27. Generating the Signature: Message Digest → Encrypt using private key → Signature

  28. Appending the Signature to the document: document + Signature → Append → signed document

  29. Verifying the Signature: document → Hash → Message Digest; Signature → Decrypt using public key → Message Digest; accept if the two digests are equal

  30. Security in OS

  31. OS Functions • Services offered to users: User interface, Synchronization, Concurrency control, Deadlock management, Communication, Accounting, Resource allocation • Resources managed: Data, CPU, Memory, I/O devices, Tables, Libraries

  32. In general: subjects (S) reach objects (O) only through a gate that mediates every access

  33. User Authentication • Knowledge-based techniques (passwords) • Token-based techniques (smart cards) • Biometric techniques (fingerprint) • Two-factor (Card + PIN)

  34. Security Policy A security policy is a statement of the security we expect the system to enforce. A system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy.

  35. Military Security policy: classification levels, lowest to highest: Unclassified < Restricted < Confidential < Secret < Top Secret

  36. Models of Security • Security models are used to • Test a particular policy for completeness and consistency • Document a policy • Help conceptualize and design an implementation • Check whether an implementation meets the requirements

  37. Kernel – the OS part that performs the lowest-level functions. Layers, top to bottom: User tasks → OS → OS Kernel → Hardware

  38. Combined Security Kernel / OS System. Layers: User tasks → OS → OS Kernel → Hardware • OS Kernel: hardware interactions, access control • OS: resource allocation, sharing, access control, authentication functions • The access-control and authentication functions are the security activity

  39. Modules operating in Different Layers (User Authentication module), from least trusted code to most trusted code: User interface → User ID lookup → Data comparison → Data update

  40. Security in DB

  41. Sensitive Data • Data that should not be made public • Nothing sensitive and everything sensitive – can be handled by access control to the database itself • Some but not all are sensitive -- not only data elements but context and meaning • Factors that make data sensitive • Inherently sensitive • From a sensitive source • Declared sensitive • Part of a sensitive attribute or a sensitive record • Sensitive in relation to previously disclosed information

  42. Types of Disclosures • Exact data -- the most serious disclosure • Bounds – the sensitive value lies between L and H • Negative result -- learning that a value is not a particular value, e.g. not zero • Existence -- learning that a record or value exists • Probable value -- the probability that a certain element has a certain value. A successful security strategy must protect against both direct and indirect disclosures.
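An added example, not from the slides, that shows the disclosure types of slide 42 against a statistical query interface over a small personnel table, and why protecting only against direct disclosure is not enough. The table rows, the query interface and the minimum query-set-size control are constructed for this example. With no control, an aggregate over a one-person department is an exact disclosure; MAX over a group is a bounds disclosure; COUNT on a name is an existence disclosure. A query-set-size control refuses the small-set query, but two large-set queries whose difference isolates one record (a tracker) still yield the exact value: an indirect disclosure.

```python
import sqlite3

# Constructed sample personnel table (not from the course material).
ROWS = [
    ("Alice", "Eng", 120000),
    ("Bob",   "Eng", 100000),
    ("Carol", "Eng", 110000),
    ("Dave",  "Eng",  95000),
    ("Eve",   "Ops",  70000),    # the only person in Ops
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", ROWS)
    return conn


class QueryRefused(Exception):
    """Raised by the statistical interface when a control rejects the query."""


def stat_query(conn, func: str, where: str, params=(), min_set_size: int = 0):
    """Statistical interface that exposes only aggregates of `salary`.
    `where` is a fixed clause written by the caller; user-supplied values go
    through `params`, never into the SQL text.  min_set_size is a query-set-size
    control: an aggregate over fewer than that many records is refused."""
    if func not in ("SUM", "COUNT", "AVG", "MAX", "MIN"):
        raise ValueError("aggregate not permitted")
    count, value = conn.execute(
        f"SELECT COUNT(*), {func}(salary) FROM employees WHERE {where}", params).fetchone()
    if count < min_set_size:
        raise QueryRefused(f"query set of size {count} is too small")
    return value


def exact_disclosure(conn) -> int:
    """No control: a department with one member leaks that member's exact salary."""
    return stat_query(conn, "SUM", "dept = ?", ("Ops",))


def bounds_disclosure(conn) -> int:
    """MAX over a group bounds every member: each Eng salary is <= this value."""
    return stat_query(conn, "MAX", "dept = ?", ("Eng",))


def existence_disclosure(conn, name: str) -> bool:
    """COUNT on a name reveals whether the record exists at all."""
    return stat_query(conn, "COUNT", "name = ?", (name,)) > 0


def size_control_blocks_direct_query(conn) -> bool:
    """With a minimum set size of 3 the one-person query is refused."""
    try:
        stat_query(conn, "SUM", "dept = ?", ("Ops",), min_set_size=3)
    except QueryRefused:
        return True
    return False


def tracker_attack(conn) -> int:
    """Indirect disclosure: both queries cover at least 3 records, so the size
    control passes them, yet their difference is exactly Eve's salary."""
    total = stat_query(conn, "SUM", "1 = 1", (), min_set_size=3)
    without_eve = stat_query(conn, "SUM", "name <> ?", ("Eve",), min_set_size=3)
    return total - without_eve
```

`tracker_attack` returns the same 70000 that `exact_disclosure` does, which is why the slide insists on protecting against indirect disclosure: a control that looks only at each query in isolation does not see the combination.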

  43. Multilevel Database • Sensitivity is determined not only by attribute • Element-level security • Several grades of security • Aggregate vs. individual elements

  44. Proposals for Multilevel Security • Partitioning (separation): the database is divided into several databases, each at its own level of security • Encryption (separation): sensitive data are encrypted; each level of sensitive data can be stored in a table encrypted under a key unique to that level of sensitivity

  45. Network Security

  46. An Example of an Attack (Attacker → Intermediary network → Victim) • The attacker sends an echo request message to a broadcast address • The attacker also spoofs the source address in the request, so every host on the intermediary network replies to the victim

  47. Distributed denial of service: attacker → several masters → several daemons per master → a large number of UDP packets to random ports on the victim
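Detection logic for the two attacks of slides 46 and 47, as an added example that is not part of the course material. The packet summaries are constructed (ingress interface, addresses, protocol, destination port, ICMP type), the local network 192.0.2.0/24 is assumed, and the thresholds are illustrative. Three checks are shown: echo requests aimed at the directed-broadcast address (the amplification step of slide 46), packets arriving on the external interface with a source address inside our own network (the spoofing step; this is ingress filtering), and a single source hitting many distinct UDP ports in a short window (slide 47).

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")     # assumed local network

# Constructed packet summaries: (time, ingress iface, src, dst, proto, dst port, icmp type)
PACKETS = [
    (0.00, "ext", "198.51.100.7", "192.0.2.255", "icmp", None, 8),    # echo request to our broadcast
    (0.05, "ext", "192.0.2.10",   "192.0.2.255", "icmp", None, 8),    # claims an inside source: spoofed
    (0.10, "int", "192.0.2.20",   "192.0.2.53",  "udp",  53,   None), # ordinary DNS lookup
    (0.20, "int", "192.0.2.21",   "192.0.2.30",  "icmp", None, 8),    # ordinary ping to one host
]
# One outside daemon sending 25 UDP packets to 25 different ports within half a second.
PACKETS += [(0.30 + i * 0.02, "ext", "203.0.113.5", "192.0.2.30", "udp",
             1024 + (i * 7919) % 60000, None) for i in range(25)]


def echo_requests_to_broadcast(packets, net=LOCAL_NET):
    """Slide 46: echo requests (ICMP type 8) aimed at the directed-broadcast
    address.  If the router forwards these, every host on the LAN replies."""
    bcast = net.broadcast_address
    return [p for p in packets
            if p[4] == "icmp" and p[6] == 8 and ipaddress.ip_address(p[3]) == bcast]


def spoofed_ingress(packets, net=LOCAL_NET):
    """Ingress filtering: a packet arriving on the external interface must not
    claim a source inside our own network."""
    return [p for p in packets if p[1] == "ext" and ipaddress.ip_address(p[2]) in net]


def udp_port_floods(packets, window: float = 1.0, min_ports: int = 20) -> dict:
    """Slide 47: one source hitting at least min_ports distinct UDP ports on one
    destination within `window` seconds.  Returns {(src, dst): distinct ports}."""
    seen = defaultdict(list)                  # (src, dst) -> [(time, port), ...]
    for p in packets:
        if p[4] == "udp":
            seen[(p[2], p[3])].append((p[0], p[5]))
    floods = {}
    for pair, hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):    # slide the window over the hits
            ports = {port for t, port in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                floods[pair] = len(ports)
                break
    return floods
```

The first two checks are also the two configuration fixes: do not forward directed broadcasts, and drop ingress packets whose source address belongs to your own network. The third is a detection only; a flood from many daemons needs upstream filtering, not a local rule.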

  48. Encryption in networks • Link Encryption • End-to-End Encryption

  49. Link Encryption: applied at the bottom of the stack (Data Link / Physical) on each link between two end systems (layers: Application, Presentation, Session, Transport, Network, Data Link, Physical), so the message is decrypted at every intermediate node and re-encrypted for the next link

  50. End-to-End Encryption: applied at the top of the stack (Application layer) by the two end systems (layers: Application, Presentation, Session, Transport, Network, Data Link, Physical), so intermediate nodes forward the message without ever holding it in the clear
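An added example, not from the slides, that traces one message from A to B through two intermediate nodes under link encryption (slide 49) and under end-to-end encryption (slide 50) and records what each node and each wire segment sees in the clear. The path, the per-link and end-to-end keys, and the XOR-with-SHA-256-keystream "cipher" are assumptions of this example; that cipher only marks which bytes are hidden and is not a real cipher.

```python
import hashlib


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream.  Symmetric: the same call decrypts.
    Illustrative only, not a real cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


PATH = ["A", "R1", "R2", "B"]              # sender, two intermediate nodes, receiver
LINK_KEYS = {("A", "R1"): b"key-a-r1", ("R1", "R2"): b"key-r1-r2", ("R2", "B"): b"key-r2-b"}
END_TO_END_KEY = b"key-a-b"                # shared by A and B only


def link_encryption(header: bytes, payload: bytes) -> dict:
    """Slide 49: each link encrypts the whole frame, headers included, under its
    own key.  Every intermediate node must decrypt it completely to route it,
    so each node holds header and payload in the clear."""
    seen = {}
    frame = header + b"|" + payload
    for hop in zip(PATH, PATH[1:]):
        on_wire = toy_cipher(LINK_KEYS[hop], frame)
        seen[f"wire {hop[0]}->{hop[1]}"] = on_wire      # an eavesdropper's view
        frame = toy_cipher(LINK_KEYS[hop], on_wire)     # next node decrypts
        seen[hop[1]] = frame                             # node sees everything
    return seen


def end_to_end_encryption(header: bytes, payload: bytes) -> dict:
    """Slide 50: only the payload is encrypted, under the A-B key.  The header
    stays in the clear everywhere (routers need it); the payload is in the
    clear only at B."""
    seen = {}
    frame = header + b"|" + toy_cipher(END_TO_END_KEY, payload)
    for hop in zip(PATH, PATH[1:]):
        seen[f"wire {hop[0]}->{hop[1]}"] = frame
        if hop[1] == "B":
            hdr, enc = frame.split(b"|", 1)             # header never contains '|'
            seen["B"] = hdr + b"|" + toy_cipher(END_TO_END_KEY, enc)
        else:
            seen[hop[1]] = frame                         # forwarded as received
    return seen
```

The trade-off the two slides are making is visible in the two dictionaries: link encryption hides even the header from an eavesdropper on the wire but trusts every intermediate node with the plaintext; end-to-end encryption trusts no intermediate node but exposes the header (who is talking to whom) on every segment.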
