II.I Selected Database Issues: 1 - SecuritySlide 1/23 II. Selected Database Issues Part 1: Security Lecture 3 Lecturer: Chris Clack 3C13/D6.

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
HIPAA Security Standards What’s happening in your office?
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Security Dale-Marie Wilson, Ph.D.. Why Database Security? Data Valuable resource Must be strictly controlled and managed Corporate resource Have strategic.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
1 Minggu 7, Pertemuan 13 Security Matakuliah: T0206-Sistem Basisdata Tahun: 2005 Versi: 1.0/0.0.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Chapter 8 Web Security.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Chapter 19 Security.
Chapter 19 Security Transparencies © Pearson Education Limited 1995, 2005.
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Chapter 19 Security Transparencies. 2 Chapter 19 - Objectives Scope of database security. Why database security is a serious concern for an organization.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Intranet, Extranet, Firewall. Intranet and Extranet.
ISOM MIS3150 Data and Info Mgmt Database Security Arijit Sengupta.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Secure Electronic Transaction (SET)
1 Chapter 9 E- Security. Main security risks 2 (a) Transaction or credit card details stolen in transit. (b) Customer’s credit card details stolen from.
Networks and Security Monday, 10 th Week. Types of Attacks/Security Issues  Viruses  Worms  Macro Virus  Virus  Trojan Horse  Phishing 
Secure Socket Layer (SSL)
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Web Security : Secure Socket Layer Secure Electronic Transaction.
Types of Electronic Infection
Chapter 21 Distributed System Security Copyright © 2008.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
Section 3 Database Security. 3-2 CA306 Introduction Section Content 3.1 Security Overview 3.2 Security Controls 3.3 Views 3.4 Security in Oracle 3.5 Web.
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Database Security Tampere University of Technology, Introduction to Databases. Oleg Esin.
1 Network and E-commerce Security Nungky Awang Chandra Fasilkom Mercu Buana University.
Information Security in Distributed Systems Distributed Systems1.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
1 6 Chapter 6 Implementing Security for Electronic Commerce.
Web Database Security Session 12 & 13 Matakuliah: Web Database Tahun: 2008.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
Security and Administration Transparencies
Electronic Payment Security Technologies
Cryptography and Network Security
Presentation transcript:

II.I Selected Database Issues: 1 - SecuritySlide 1/23 II. Selected Database Issues Part 1: Security Lecture 3 Lecturer: Chris Clack 3C13/D6

II.I Selected Database Issues: 1 - SecuritySlide 2/23 1. Content 3.1 Objectives 3.2 DBMS and Web security Proxy servers Firewalls Message digest algorithms and digital signatures Digital certificates Kerberos Secure sockets layer and secure HTTP Secure electronic transactions and secure technology Java security ActiveX security Content

II.I Selected Database Issues: 1 - SecuritySlide 3/ Objectives Objectives In this Lecture you will learn: 1.Approaches for securing a DBMS on the Web

II.I Selected Database Issues: 1 - SecuritySlide 4/ DBMS and Web Security

II.I Selected Database Issues: 1 - SecuritySlide 5/ DBMS and Web security DBMS and Web security Internet communications rely on TCP/IP as the underlying protocol. These, along with HTTP were not designed with security in mind. Without special software all information is traveling ‘in the clear ’ (anyone monitoring it can read it) This form of attack is easy with freely available `packet sniffing’ software. Need to transmit and receive information while ensuring: 1.Privacy: it is inaccessible to anyone but the sender and receiver 2.Integrity: it has not been changed during transmission 3.Authenticity: the receiver can be sure it came from the sender 4.Non-fabrication: the sender can be sure the receiver is genuine 5.non-repudiation: the sender cannot deny he or she sent it

II.I Selected Database Issues: 1 - SecuritySlide 6/ DBMS and Web security DBMS and Web security Once information reaches the Web server, it needs to be protected Need to ensure secured access to and of the database, given the popular three-tier architecture in a Web environment. Need to watch executable content: HTML pages may contain ActiveX controls, JavaScript/ VBScript.

II.I Selected Database Issues: 1 - SecuritySlide 7/ DBMS and Web security DBMS and Web security Executables can perform the following malicious actions, measures need to be taken to prevent them: corrupt data or the execution state of a program reformat complete disks perform a total system shutdown collect and download confidential data, such as files or passwords to other sites usurp identity and impersonate the user or user’s computer to attack other targets on the network Lock up resources making them unavailable for legitimate users and programs cause non-fatal but unwelcome effects, especially on output devices

II.I Selected Database Issues: 1 - SecuritySlide 8/ DBMS and Web security Web Proxy Servers Web proxy server: in a Web environment it is a computer that sits between a Web browser and a Web server. It intercepts all requests to the Web server to see if it can fulfill them itself if not then it forwards them on. two main purposes: 1. Improve Performance: It saves the results of all requests for a certain amount of time. Much faster. 2. Filter requests: an organisation may want to prevent its employees from accessing a certain set of Web sites, a proxy server can do this.

II.I Selected Database Issues: 1 - SecuritySlide 9/ DBMS and Web security Fire Walls Firewall: A system designed to prevent unauthorized access or to form a private network. Can be implemented in hardware or software or both. Frequently used to stop unauthorized internet users accessing an intranet. All messages attempting to enter or leave the private network must pass its security criteria to pass through it. Standard security advice: Web servers are unconnected to any in-house networks and regularly backed up. Firewall technology can help prevent unauthorized access when the Web server has to be connected to an internal network.

II.I Selected Database Issues: 1 - SecuritySlide 10/ DBMS and Web security Fire Walls Several types of Firewall technique: Packet Filter: looks at each packet entering/leaving the network and accepts/rejects based on user defined rules. Fairly effective. Transparent to users. Difficult to configure. Susceptible to ‘IP spoofing‘. Can degrade performance. Application gateway: applies security mechanisms to specific applications, i.e. Telnet and FTP. Effective but can degrade performance. Circuit-level gateway: applies security mechanisms when a TCP or UDP (User Datagram Protocol) connection is established. Once connection is made, packets flow freely between hosts without further checking. Proxy server: intercepts all messages entering/leaving network. In effect hides the true network addresses. (cf. Web Proxy Server) In practice many firewalls provide more than one technique. First line of defense in protecting private information. For greater security, data should be encrypted.

II.I Selected Database Issues: 1 - SecuritySlide 11/ DBMS and Web security Message digest algorithms ‘Message digest algorithm’ or ‘one-way hash function’ : takes arbitrary sized string (message) and generates a fixed length string (the digest or hash). A digest has the following characteristics: it should be computationally infeasible to find another message that will generate the same digest. the digest reveals nothing about the message.

II.I Selected Database Issues: 1 - SecuritySlide 12/ DBMS and Web security Digital signatures ‘Digital signature’ consists of two parts: 1.a string of bits computed from the data that is being signed’ 2. the private key of the individual or organization giving the signature. The signature can be used to verify the data came from the individual or organization. Its useful properties are: its authenticity can be verified, using a computation based on the corresponding public key it cannot be forged (assuming the private key is kept secret) it cannot be claimed to be the signature for any other data the signed data cannot be changed, otherwise the signature will no longer verify the data as being authentic

II.I Selected Database Issues: 1 - SecuritySlide 13/ DBMS and Web security Digital Certificate Digital certificate: Attachment to electronic message used for security purposes (e.g. verify user sending message). Provides receiver with means to encode reply. 1.Sender applies for certificate from Certificate Authority (CA). 2.CA issues encrypted certificate containing applicants public key and other identification information. 3.CA makes its own public key readily available. 4.Recipient uses CA’s public key to decode certificate attached to message, verifies it as issued by CA. 5.Recipient obtains senders public key and identification information held within certificate. With this information, recipient can send an encrypted reply. CA’s role is critical, acting as go-between. As the clients and servers may not yet have established mutual trust yet both want to have a secure session.

II.I Selected Database Issues: 1 - SecuritySlide 14/ DBMS and Web security Kerberos ‘Kerberos’: A server of secured user names and passwords (named after the three-headed monster in Greek mythology that guarded the gates of hell). Provides one centralized security server for all data and resources on network: Database access, login, authorization control, and other security features. Has similar function to that of Certificate server: to identify and validate a user..

II.I Selected Database Issues: 1 - SecuritySlide 15/ DBMS and Web security Secure sockets layer (SSL) ‘Secure sockets layer (SSL)’: Encryption protocol for transmitting private documents. Designed to prevent eavesdropping, tampering, and message forgery. Works by using private key to encrypt data that is transferred over SSL connection. (see ) Layered between application-level protocols such as HTTP and TCP/IP transport-level protocol. Thus, may be used for other application-level protocols such as FTP and NNTP. Netscape and Internet Explorer support SSL. Used to gain credit card information by many Web sites

II.I Selected Database Issues: 1 - SecuritySlide 16/ DBMS and Web security secure HTTP ‘secure HTTP’: Protocol for securely transmitting individual messages over Web. A modified version of the standard HTTP protocol. SSL and S-HTTP use techniques such as encryption, digital signatures, and: allow browsers and servers to authenticate each other allow controlled access to Web site ensure data exchanged between browser and server is secure and reliable. SSL creates a secure connection over which any amount of data can be sent securely. S-HTTP transmits individual messages only. Complementary rather than competing technologies.

II.I Selected Database Issues: 1 - SecuritySlide 17/ DBMS and Web security ‘Secure Electronic Transactions (SET)’: Open, interoperable standard for processing credit card transactions over Internet, in simple and secure way. To address privacy concerns, the transaction is split such that: The merchant has access to information about: what is being purchased, how much it costs, whether payment is approved, But no information on what payment method customer is using. The card issuer (e.g. Visa) has access to purchase price, payment method But no information on type of merchandise involved. Secure Electronic Transactions (SET) Certificates are heavily used by SET, both for certifying cardholder and for certifying that merchant has relationship with financial institution.

II.I Selected Database Issues: 1 - SecuritySlide 18/ DBMS and Web security Secure Electronic Transactions (SET)

II.I Selected Database Issues: 1 - SecuritySlide 19/ DBMS and Web security Java security ‘The Java Sandbox’: ensures untrusted application cannot gain access to system resources. Involves three components: 1. class loader 2. bytecode verifier 3. security manager Safety features are provided by the language and the Java Virtual Machine (JVM), and enforced by compiler and runtime system.

II.I Selected Database Issues: 1 - SecuritySlide 20/ DBMS and Web security Java security 1. Classloader Allocates (hierarchically structured) namespace for each class. Never allows class from less protected namespace to replace class from more protected namespace. Thus, I/O primitives, defined in local Java class, cannot be invoked or overridden by classes from outside local machine. 2. Bytecode verifier JVM verifies bytecode instructions before allowing application/ applet to run. Typical checks include verifying: - Compiled code is correctly formatted. - Internal stacks will not overflow/underflow. - No illegal data conversions will occur. - Bytecode instructions are appropriately typed. - All class member accesses are valid.

II.I Selected Database Issues: 1 - SecuritySlide 21/ DBMS and Web security 3. The Security Manager Each Java application defines and implements its own security policy. A Java-enabled browser contains its own Security Manager, and any applets it downloads are subject to its policies. Generally, downloaded applets are prevented from: Reading and writing files on clients file system. Making network connections to machines other than host. Starting other programs on the client. Loading libraries. Defining method calls. Java security These restrictions apply to applets downloaded over Internet/intranet. Do not apply to applets on clients local disk and in directory on CLASSPATH. Local applets are loaded by file system loader and can read and write files, exit JVM, and are not passed through the bytecode verifier.

II.I Selected Database Issues: 1 - SecuritySlide 22/ DBMS and Web security The ActiveX security model: Considerably different from Java applets in that it places no restrictions on what a control can do. 1.Each ActiveX control can be digitally signed by its author using system called Authenticode. 2.Digital signatures are then certified by CA. This security model places responsibility for the computers security on the user. Before the browser downloads an ActiveX control that has not been signed or has been certified by an unknown CA it presents a dialog box warning the user the action may be unsafe. ActiveX

II.I Selected Database Issues: 1 - SecuritySlide 23/ Summary Summary 3.2 DBMS and Web security Proxy servers Firewalls Message digest algorithms and digital signatures Digital certificates Kerberos Secure sockets layer and secure HTTP Secure electronic transactions and secure technology Java security ActiveX security NEXT LECTURE: Selected Database Issues 2: Transaction Management: - Concurrency - Serializability - Protocols to prevent conflict.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.