
Security & Privacy

Learning Objectives
Explain the importance of varying the access allowed to database elements at different times and for different categories of user.
Discuss the problem of maintaining confidentiality of data on an open network and how to address this problem.
Explain the need for encryption, authorisation and authentication techniques.

Example of the need for restricting access 1
In a banking system, accounts must be updated with the day's transactions. While this is taking place users must not be able to access the database. Thus, at certain times of the day, users will not be able to use a cash point. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database.

Example of the need for restricting access 2
While a database system is checking stock for re-ordering purposes, the POS terminals will not be able to use the database as each sale would change the stock levels. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database.

Example of the need for restricted views of the database
A large hospital has a large network of computers. There are terminals in reception, on the wards and in consulting rooms.
Receptionists' access rights: check the patient's name and address when a patient registers, but no access to the drugs to be administered nor to the patient's medical history.
Nurses' access rights: the same data as the receptionists, plus access to the information about the drugs to be given so they can administer them, but not patients' medical histories.
Consultants: need to access all the data.

Usernames & Passwords
To give levels of security: all three categories of user of the database (receptionist, nurse and consultant) must only be allowed to see the data that is needed by them to do their job.

Other example restrictions
Consultants have the right to see all the data that is in the database, but if the terminal is in a public place then patients and receptionists can see the screen.
Solution: restrict access in public locations irrespective of username and password.

Hardware method of preventing access
All terminals have a unique address on their network cards. The DBMS holds these addresses and their locations and restricts access to data accordingly.
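The hospital restrictions above, put together as an added example that is not part of the original slides: one database view per category of user, plus a register of terminal addresses that limits what a public terminal may show. The table layout, the sample patient row, the terminal addresses and the choice of which columns a public terminal may show are all assumptions made for the illustration.

```python
import sqlite3

# Columns each category of user may see, taken from the hospital slides.
ROLE_COLUMNS = {
    "receptionist": ["name", "address"],
    "nurse": ["name", "address", "drugs"],
    "consultant": ["name", "address", "drugs", "history"],
}
# Constructed register of terminals: network-card address -> (location, public?).
TERMINALS = {
    "00:00:5e:00:53:01": ("reception", True),
    "00:00:5e:00:53:02": ("ward", False),
    "00:00:5e:00:53:03": ("consulting room", False),
}
# Assumption: a terminal in a public place shows at most these columns.
PUBLIC_COLUMNS = {"name", "address"}


def build_db():
    """Create the patient table (constructed sample row) and one view per role."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT,"
               " address TEXT, drugs TEXT, history TEXT)")
    db.execute("INSERT INTO patient VALUES (1, 'A. Patient', '1 Example Road',"
               " 'drug X, 5 mg', 'constructed medical history')")
    for role, cols in ROLE_COLUMNS.items():
        db.execute(f"CREATE VIEW {role}_view AS SELECT id, {', '.join(cols)} FROM patient")
    return db


def read_patient(db, role, terminal_address, patient_id):
    """Return only the fields this role may see at this terminal."""
    if role not in ROLE_COLUMNS:
        raise PermissionError("unknown category of user")
    if terminal_address not in TERMINALS:
        raise PermissionError("terminal is not registered")
    _location, is_public = TERMINALS[terminal_address]
    # A public location overrides the role, irrespective of username and password.
    cols = [c for c in ROLE_COLUMNS[role] if not is_public or c in PUBLIC_COLUMNS]
    # Identifiers come from the fixed tables above; only the id is a bound parameter.
    row = db.execute(f"SELECT {', '.join(cols)} FROM {role}_view WHERE id = ?",
                     (patient_id,)).fetchone()
    return dict(zip(cols, row)) if row else None


if __name__ == "__main__":
    db = build_db()
    for role in ROLE_COLUMNS:
        for address, (location, _) in TERMINALS.items():
            print(role, "at", location, "->", sorted(read_patient(db, role, address, 1)))
```

A network-card address is reported by the terminal itself and can be changed in software, so this check works as a supplement to usernames and passwords rather than a replacement for them.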

Physical Methods of Restricting Access
Physical precautions like locking doors / keyboards.
Physical identifiers (fingerprints, iris recognition, biometrics, etc.).

Encryption
Provides data security by scrambling (encrypting) data to make it unintelligible to anyone who intercepts it. This involves applying a mathematical function (cipher) to the data, using a key value.
N.B. The data could be anything, including messages, e.g. e-mails etc.
Decrypt = to unscramble encrypted data in order to make it intelligible.

Public and Private Keys
Each user has a public / private key pair usually created by a Certification Authority (CA). The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. The pair is based on prime numbers – see the link below for more information:
Data encrypted with the public key can be decrypted only with the corresponding private key. A sender sends data / messages encrypted with the recipient's public key. The recipient decrypts the message with their corresponding private key. The recipient is the only one with this corresponding private key so is the only one who can decrypt it.

Analogy for public-key encryption
A locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who possesses the key can open the mailbox and read the message.

[Diagram: public-key encryption between Sender and Recipient]
Key: SPRK = Sender's Private Key; SPUK = Sender's Public Key; RPRK = Recipient's Private Key; RPUK = Recipient's Public Key.
Certification Authority: gives out Public & Private Key Paired Keys on request.
Sender: message encrypted with RPUK. "I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it."
Recipient: message decrypted with RPRK. "I am sure that I am the only one who can read this message but how can I be sure who sent this message as anyone can encrypt a message for me using my RPUK?"

Digital signature
A digital code sent with the data that uniquely identifies the sender and authenticates the data. This digital code is a mathematical summary of the data which is encrypted with the sender's private key and sent with the data.
The recipient will decrypt this digital code with the sender's public key. This verifies the sender as he is the only one with the corresponding private key.
The recipient also recalculates the digital code of the data received and if this is different to the digital code received from the sender then the data has been tampered with (as it is a mathematical summary of all the data).
Also helps combat repudiation, i.e. denial of involvement in a transaction. Since the owner keeps their private key secret, anything signed using that key can only have been signed by the owner.

An analogy for digital signatures
The sealing of an envelope with a personal wax seal or stamp which no one else has. The message can be opened by anyone, but the presence of the seal or stamp authenticates the sender.

[Diagram: public-key encryption with a digital signature]
Key: SPRK = Sender's Private Key; SPUK = Sender's Public Key; RPRK = Recipient's Private Key; RPUK = Recipient's Public Key.
Certification Authority: gives out Public & Private Key Paired Keys on request.
Sender: message encrypted with RPUK; Digital Signature encrypted with SPRK. "I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it."
Recipient: message decrypted with RPRK; Digital Signature decrypted with SPUK. "I am sure that I am the only one who can read this message and that 1 unique sender sent it but how can I be sure this person is who they say they are (credentials e.g. qualifications, etc.)?"

Verification of credentials
However, a private/public key pair and a digital signature do not verify the credentials of the sender, only that the sender is the one with the corresponding private key, i.e. a unique individual sent the message but are they who they say they are?
Digital Certificates attempt to do this (next slide).

Digital certificates
An electronic document which incorporates a digital signature from the CA (encrypted using the CA's private key so proves the CA made it) to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth.
Given to you when you apply for a private / public key pair from a CA but only if you prove to them and they can prove for themselves that you are who you say you are.
Verifies that the sender is who they say they are if you can verify the CA's signature (by decrypting the certificate using their public key) and trust the CA.

[Diagram: public-key encryption with a digital signature and a digital certificate]
Key: SPRK = Sender's Private Key; SPUK = Sender's Public Key; RPRK = Recipient's Private Key; RPUK = Recipient's Public Key; CAPRK = Certification Authority's Private Key; CAPUK = Certification Authority's Public Key.
Certification Authority: investigates applicants before giving out a Digital Certificate and Public & Private Key Paired Keys. Digital Certificate encrypted by CA with CAPRK.
Sender: message encrypted with RPUK; Digital Signature encrypted with SPRK; Digital Certificate encrypted with CAPRK. "I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it."
Recipient: message decrypted with RPRK; Digital Signature decrypted with SPUK; Digital Certificate decrypted with CAPUK. "I am sure that I am the only one who can read this message, that 1 unique sender sent it and of their credentials, as long as I trust the Certification Authority."
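The signature and certificate checks from the slides above, as an added example that is not part of the original presentation. It assumes textbook RSA with small, well-known primes and no padding, so that the arithmetic stays visible; the function names, the sample message and the identity string are constructed for the illustration.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Toy key pair built from two primes; returns (public key, private key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def summary(data, n):
    """The 'mathematical summary' of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """Sender: encrypt the summary with the private key (SPRK)."""
    n, d = private_key
    return pow(summary(data, n), d, n)


def verify(data, signature, public_key):
    """Recipient: decrypt with the public key (SPUK) and compare summaries."""
    n, e = public_key
    return pow(signature, e, n) == summary(data, n)


def certificate_body(identity, public_key):
    return f"{identity}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(identity, subject_public, ca_private):
    """CA: bind identity information to a public key by signing both with CAPRK."""
    body = certificate_body(identity, subject_public)
    return {"identity": identity, "public_key": subject_public,
            "ca_signature": sign(body, ca_private)}


def check_certificate(cert, ca_public):
    """Recipient: check the CA's signature on the certificate with CAPUK."""
    body = certificate_body(cert["identity"], cert["public_key"])
    return verify(body, cert["ca_signature"], ca_public)


def accept_message(data, signature, cert, ca_public):
    """Trust the key only if the CA vouches for it, then check the signature."""
    return check_certificate(cert, ca_public) and verify(data, signature, cert["public_key"])


if __name__ == "__main__":
    # Mersenne primes chosen for readability; far too small for real keys.
    spuk, sprk = make_keypair(2**31 - 1, 2**61 - 1)
    capuk, caprk = make_keypair(2**89 - 1, 2**107 - 1)
    message = b"Pay 100 to account 42"  # constructed sample message
    signature = sign(message, sprk)
    cert = issue_certificate("Constructed Sender Ltd", spuk, caprk)
    print("genuine message accepted:", accept_message(message, signature, cert, capuk))
    print("tampered message accepted:",
          accept_message(b"Pay 900 to account 42", signature, cert, capuk))
```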

Plenary
Using, as an example, the database of student records in a school:
Explain why different users should be given different access rights.
Describe how these access rights can be implemented.

Plenary
Different users require different information.
Information is sensitive/confidential and should only be available to those who need it.
Secretary may need contact information.
College nurse may need medical information.
Subject tutors may need academic information.
Personal tutor needs social information.
Principal can see all (but medical information).
Students allowed RO access to their own record.
Technician allowed to alter structure but not to see data.

Plenary
Passwords arranged as hierarchy to verify user ID.
User ID identifies areas available to user.
Particular machines allow different access.
Physical precautions like locking doors / keyboards.
Encryption of information.
Physical identifiers (fingerprints, iris recognition).

Plenary
State the meanings of the terms encryption and message authentication, and explain how they are used to maintain confidentiality of messages.

Plenary
Encryption:
Makes messages unintelligible.
Provides security for data by making it impossible to understand.
Key used to encrypt data and another to decrypt it.
Use of public and private keys.

Plenary
Message Authentication:
Method of ensuring that message is from the person it claims to be from.
Use of digital signature created using private key which can only be done by owner of key.
Digital certificate from authority to authenticate author of message.