Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different.

Published byAmy Harrington Modified over 9 years ago

Similar presentations

Presentation on theme: "Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different."— Presentation transcript:

1 Security & Privacy

2 Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different categories of user. Discuss the problem of maintaining confidentiality of data on an open network and how to address this problem. Explain the need for encryption, authorisation and authentication techniques.

3 Example of the need for restricting access 1 In a banking system, accounts must be updated with the day's transactions. While this is taking place users must not be able to access the database. While this is taking place users must not be able to access the database. Thus, at certain times of the day, users will not be able to use a cash point. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database.

4 Example of the need for restricting access 2 While a database system is checking stock for re-ordering purposes, the POS terminals will not be able to use the database as each sale would change the stock levels. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database. One solution is to only use the database for querying prices and to create a transaction file of sales which can be used later to update the database.

5 Example of the need for restricted views of the database A large hospital has a large network of computers. There are terminals in reception, on the wards and in consulting rooms.

6 Example of the need for restricted views of the database Receptionists’ access rights: Check the patient's name and address when a patient registers Check the patient's name and address when a patient registers but not the drugs to be administered nor to the patient's medical history. the drugs to be administered nor to the patient's medical history.

7 Example of the need for restricted views of the database Nurses’ access rights: Same data as the receptionists and access to the information about the drugs to be given, so they can administer them Same data as the receptionists and access to the information about the drugs to be given, so they can administer them but not patients' medical histories. patients' medical histories.

8 Example of the need for restricted views of the database Consultants: Need to access all the data. Need to access all the data.

9 Usernames & Passwords To give levels of security: All three categories of user of the database, receptionist, nurse and consultant, must only be allowed to see the data that is needed by them to do their job.

10 Other example restrictions Consultants have the right to see all the data that is in the database but if the terminal is in a public place then patients and receptionists can see the screen. Solution: Restrict access in public locations irrespective of username and password. Restrict access in public locations irrespective of username and password.

11 Hardware method of preventing access All terminals have a unique address on their network cards. DBMS holds these addresses and their locations and restricts access to data accordingly.

12 Physical Methods of Restricting Access Physical precautions like locking doors / keyboards. Physical identifiers (fingerprints, iris recognition, biometrics, etc…).

13 Encryption Provides data security by scrambling (encrypting) data to make it unintelligible to anyone who intercepts it. This involves applying a mathematical function (cipher) to the data, using a key value. This involves applying a mathematical function (cipher) to the data, using a key value. N.B. N.B. The data could be anything including messages e.g. emails etc.. Decrypt = to unscramble encrypted data in order to make it intelligible.

14 Public and Private Keys Each user has a public / private key pair usually created by a Certification Authority (CA). The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. The pair is based on prime numbers – see the link below for more information: The pair is based on prime numbers – see the link below for more information: http://computer.howstuffworks.com/encryption5.htm Data encrypted with the public key can be decrypted only with the corresponding private key. A sender sends data / messages encrypted with the recipient’s public key. The recipient decrypts the message with their corresponding private key. The recipient is the only one with this corresponding private key so is the only one who can decrypt it. The recipient is the only one with this corresponding private key so is the only one who can decrypt it.

15 Analogy for public-key encryption A locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot. However, only the person who possesses the key can open the mailbox and read the message.

16 Sender Recipient Message encrypted with RPUK. RPUK RPRK SPUK SPRK Key: SPRK = Sender’s Private Key SPUK = Sender’s Public Key RPRK = Recipient’s Private Key RPUK = Recipients Public Key Message decrypted with RPRK. I am sure that I am the only one who can read this message but how can I be sure who sent this message as anyone can encrypt a message for me using my RPUK? I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it. Certification Authority Gives out Public & Private Key Paired Keys on request.

17 Digital signature A digital code sent with the data that uniquely identifies the sender and authenticates the data. This digital code is a mathematical summary of the data which is encrypted with sender’s private key and sent with the data. This digital code is a mathematical summary of the data which is encrypted with sender’s private key and sent with the data. The recipient will decrypt this digital code with the sender’s public key. This verifies the sender as he is the only one with the corresponding private key. This verifies the sender as he is the only one with the corresponding private key. The recipient also recalculates the digital code of the data received and if this is different to the digital code received from the sender then the data has been tampered with (as it is a mathematical summary of all the data). The recipient also recalculates the digital code of the data received and if this is different to the digital code received from the sender then the data has been tampered with (as it is a mathematical summary of all the data). Also helps combat repudiation, i.e. denial of involvement in a transaction. Since the owner keeps their private key secret, anything signed using that key can only have been signed by the owner. Also helps combat repudiation, i.e. denial of involvement in a transaction. Since the owner keeps their private key secret, anything signed using that key can only have been signed by the owner.

18 An analogy for digital signatures The sealing of an envelope with a personal wax seal or stamp which no one else has. The message can be opened by anyone, but the presence of the seal or stamp authenticates the sender.

19 Sender Recipient Message encrypted with RPUK. RPUK RPRK SPUK SPRK Key: SPRK = Sender’s Private Key SPUK = Sender’s Public Key RPRK = Recipient’s Private Key RPUK = Recipients Public Key Message decrypted with RPRK. I am sure that I am the only one who can read this message and that 1 unique sender sent it but how can I be sure this person is who they say they are (credentials e.g. qualifications, etc…)? I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it. Certification Authority Gives out Public & Private Key Paired Keys on request. Digital Signature encrypted with SPRK. Digital Signature decrypted with SPUK.

20 Verification of credentials However, a private/public key pair and a digital signature do not verify the credentials of the sender only that the sender is the one with the corresponding private key. i.e. A unique individual sent the message but are they who they say they are? i.e. A unique individual sent the message but are they who they say they are? Digital Certificates attempt to do this (next slide).

21 Digital certificates An electronic document which incorporates a digital signature from the CA (encrypted using the CA’s private key so proves the CA made it) to bind together a public key with identity information such as the name of a person or an organization, their address, and so forth. Given to you when you apply for a private / public key pair from a CA but only if you prove to them and they can prove for themselves that you are who you say you are. Verifies that the sender is who they say they are if you can verify the CA's signature (by decrypting the certificate using their public key) and trust the CA.

22 Sender Recipient Message encrypted with RPUK. RPUK RPRK SPUK SPRK Key: SPRK = Sender’s Private Key CAPRK = Certification Authority’s Private Key SPUK = Sender’s Public Key CAPUK = Certification Authority’s Public Key RPRK = Recipient’s Private Key RPUK = Recipients Public Key Message decrypted with RPRK. Certification Authority Investigate applicants before giving out a Digital Certificate and Public & Private Key Paired Keys. Digital Signature encrypted with SPRK. Digital Signature decrypted with SPUK. Digital Certificate encrypted with CAPRK. CAPRKCAPUK Digital Certificate encrypted by CA with CAPRK. Digital Certificate decrypted with CAPUK. I am sure that I am the only one who can read this message, that 1 unique sender sent it and of their credentials, as long as I trust the Certification Authority. I am sure that only the intended recipient can read the message as the intended recipient is the only one with the corresponding private key so is the only one who can decrypt it.

23 Visit the following websites for more information http://en.wikipedia.org/wiki/Public_key_cry ptography http://en.wikipedia.org/wiki/Public_key_cry ptography www.itsecurity.com www.verisign.com

24 Plenary Using, as an example, the database of student records in a school, Explain why different users should be given different access rights. Explain why different users should be given different access rights. Describe how these access rights can be implemented. Describe how these access rights can be implemented.

25 Plenary Different users require different information. Information is sensitive/confidential and should only be available to those who need it. Secretary may need contact information. College nurse may need medical information. Subject tutors may need academic information. Personal tutor needs social information. Principal can see all (but medical information) Students allowed RO access to their own record. Technician allowed to alter structure but not to see data.

26 Plenary Passwords arranged as hierarchy to verify user ID. User ID identifies areas available to user. Particular machines allow different access. Physical precautions like locking doors / keyboards. Encryption of information. Physical identifiers (fingerprints, iris recognition).

27 Plenary State the meanings of the terms: encryption, encryption, message authentication message authentication and explain how they are used to maintain confidentiality of messages.

28 Plenary Encryption Makes messages unintelligible Makes messages unintelligible Provides security for data by making it impossible to understand Provides security for data by making it impossible to understand Key used to encrypt data and another to decrypt it Key used to encrypt data and another to decrypt it Use of public and private keys Use of public and private keys

29 Plenary Message Authentication Method of ensuring that message is from the person it claims to be from Method of ensuring that message is from the person it claims to be from Use of digital signature created using private key which can only be done by owner of key Use of digital signature created using private key which can only be done by owner of key Digital certificate from authority to authenticate author of message. Digital certificate from authority to authenticate author of message.

Download ppt "Security & Privacy. Learning Objectives Explain the importance of varying the access allowed to database elements at different times and for different."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
CIS 105 Concepts and Terminology Unit 11 CIS 105 Survey of Computer Information Systems Essential Concepts and Terminology Study Unit 11.

CIS 105 Concepts and Terminology Unit 11 CIS 105 Survey of Computer Information Systems Essential Concepts and Terminology Study Unit 11.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,

Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Cyber Law & Islamic Ethics

Cyber Law & Islamic Ethics
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Similar presentations

Ads by Google