chinese wall model in the internet environment n.
Skip this Video
Loading SlideShow in 5 Seconds..
Chinese wall model in the internet Environment PowerPoint Presentation
Download Presentation
Chinese wall model in the internet Environment

Chinese wall model in the internet Environment

177 Vues Download Presentation
Télécharger la présentation

Chinese wall model in the internet Environment

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. ArabAcademy for Banking and Financial sciences PhD program Information System Security Chinese wall model in the internet Environment Prepared to :Dr.Lo’ai Tawalbeh Presented by :Marwan Al_Abed Abu_Zanona Selected Topics In IIS

  2. Agenda • Introduction • Chinese wall Model Policy • Simple security rule • Chinese wall in www . • Authentication . • Authorization . Selected Topics In IIS

  3. introduction • The goals most often specified in a security policy are : • confidentiality - prevention of unauthorized access and theft of information. • integrity - prevention of unauthorized modification of information. • availability - prevention of denial of service. Selected Topics In IIS

  4. introduction • Chinese Wall security describe how to reach these goals. • It’s a commercial security policy . • The Chinese Wall security policy focuses more on confidentiality . • The Chinese Wall security policy is perhaps as significant to some parts of the commercial world as Bell and LaPadula’s policies are to the military . Selected Topics In IIS

  5. introduction • It can be distinguished from Bell-LaPadula policies by the way that a user’s permitted accesses are constrained by the history of his previous accesses . • The Chinese Wall security policy was identified by Brewer and Nash. It is a real commercial policy which can be formally modelled. Its basic idea is to keep company information confidential and prevent it from unauthorized access of consulting services. Selected Topics In IIS

  6. Chinese wall Model Policy • All corporate information is stored in hierarchically arranged filling system. It consist of three levels : • At the lowest level , individual items of information (objects) is considered, each concerning a single corporation . • At the intermediate level , all objects which concern the same corporation are grouped into a company dataset . • At the highest level , all company datasets whose corporations are in competition are grouped together. Each group is referred as a conflict of interest class . Selected Topics In IIS

  7. Selected Topics In IIS

  8. Chinese wall Model Policy • Associated with each object is the name of the company dataset to which it belongs and the name of the conflict of interest class to which that company dataset belongs . Selected Topics In IIS

  9. Chinese wall Model Policy • If the system maintained information on Bank-A , Oil Company-A and Oil Company-B : • All objects would belong to one of three company dataset ( “bank-A”“oil company-A” or “oil company-B” ) , • There would be two conflict of interest classes , one for banks ( containing Bank-A’s dataset ) and one for petroleum companies ( containing Oil company-A’s and Oil company-B’s dataset . Selected Topics In IIS

  10. Selected Topics In IIS

  11. Chinese wall Model Policy • The basis of the Chinese Wall policy is that people are only allowed access to information which is not held to conflict with any other information that they already possess . Selected Topics In IIS

  12. Chinese wall Model Policy • Thus , in consideration of the Bank-A , Oil Company-A and Oil Company-B datasets , a new user may freely choose to access whatever datasets he likes ; as far as the computer is concerned a new user does not possess any information and therefore no conflict can exist . Selected Topics In IIS

  13. Chinese wall Model Policy • Suppose the user accesses the Oil Company-A dataset first . The user now possess information concerning the oil company-A dataset . • Later , he requests access to the Bank-A dataset • This is quite permissible since the Bank-A and Oil company-A datasets belong to different conflict of interest classes and therefore no conflict exists . Selected Topics In IIS

  14. Selected Topics In IIS

  15. Chinese wallModel Policy • However, if he requests access to the oil company-B dataset the request must be denied since a conflict does exist between the requested dataset ( Oil Company-B) and one already possessed (Oil Company-A) . Selected Topics In IIS

  16. Selected Topics In IIS

  17. Chinese wall Model Policy • It does not matter whether the oil company-A dataset was accessed before or after the Bank-A dataset . • However, were Oil Company-B to be accessed before the request to access the Oil Company-A dataset , the restrictions would be quite different . • In this case access to the Oil Company-A dataset would be denied and the user would possess { “Oil Company-B“ , “Bank-A” } ( as opposed to the request to access the oil Company-B dataset being denied and the user possessing { “Oil Company-A” , “Bank-A” } ) . Selected Topics In IIS

  18. Chinese Wall Model In www • To realize the Chinese Wall security policy we need user labels that contain information about the user’s identity and objects already accessed by him. We require mechanisms that reliably provide authentication and authorization by user profiles that support an interface to software run in the world wide web. Selected Topics In IIS

  19. Authentication in the world wide web • The Basic Authentication : is included in the HTTP protocol. It is based on the model that the user agent must authenticate himself with a user-ID and a password when requesting a protected document . • The server responds the request with a challenge for the authorization information of the user agent.. Now user identification and password information in the entity header are passed over the Internet in clear text as a BASE64 encoded string and the server send the requested document in response. • the Basic Authentication scheme is not a secure method of user authentication, or does it prevent the entity body from being transmitted in clear text across the physical network used as the carrier . • Basic Authentication is based on the assumption that the connection between the client and the server can be regarded as a trusted carrier. As this is generally not true on an open network . Selected Topics In IIS

  20. Basic Authentication Selected Topics In IIS

  21. Authentication in the world wide web • The Digest Access Authentication: is an extension to the HTTP protocol. It is developed to make up the Basic Authentication deficits. • The server answers the client request with an unauthorized header and the user is provided with a dialog box to type in the user’s username and password. • The Digest Authentication calculates a checksum of all relevant connection data along with a server generated and sends it back to the server. The server takes the unique connection data and also creates a checksum. If the two checksums match up the server allows access to the requested document. This way, authorization is completed without sending a password across the Internet. Selected Topics In IIS

  22. Digest Access Authentication • Digest Authentication does not provide the encapsulation of the message content . Selected Topics In IIS

  23. Authentication and Data Protection with SSL • The SSL protocol includes services for • server/client authentication. • encryption of data in transit, meaning privacy and data integrity. • Privacy is achieved by using symmetric cryptography. Data integrity is ensured by Message Authentication Check (MAC) and for authentication the Public Key Infrastructure is used. Selected Topics In IIS

  24. Authentication and Data Protection with SSL Selected Topics In IIS

  25. Authentication and Data Protection with SSL • SSL protocol takes messages to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, and transmits the result. Received data is decrypted, verified, decompressed, and reassembled, then delivered to higher level clients. • The SSL session is established by a handshake sequence between client and server . • The handshake sequence consists of messages that enable negotiation of cryptographic parameters, generation of shared secrets (session keys) between client and server at the beginning of their communication Selected Topics In IIS

  26. Authentication and Data Protection with SSL Selected Topics In IIS

  27. Authorization in the world wide web • To realize the Chinese Wall security policy within the WWW we need a flexible authorization mechanism. • It must provide a dynamic change of the user access rights, which is an essential element of the Chinese Wall security policy. Once a user accessed a company dataset in an untouched conflict of interest class the profile must deny access rights to all other companies in this COI class. Selected Topics In IIS

  28. Authorization in the world wide web Selected Topics In IIS

  29. Authorization Mechanisms • Authorization by user profiles • Authorization by certificates • The Open Profiling Standard Selected Topics In IIS