Computer System Security CSE 5339/7339 - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Computer System Security CSE 5339/7339

Description:

The database is divided into several databases, each at its ... At the US Air Force Summer Study on DB Security. Secret Agent. 10FB. TS. Data Item. Sensitivity ... – PowerPoint PPT presentation

Number of Views:14
Avg rating:3.0/5.0
Slides: 20
Provided by: Adm952
Category:

less

Transcript and Presenter's Notes

Title: Computer System Security CSE 5339/7339


1
Computer System SecurityCSE 5339/7339
Session 23 November 9, 2004
2
Contents
  • A6 Q/A
  • Database Security (cont.)
  • Security in Networks
  • Group Work
  • Wenyis presentation

3
Proposal for Multilevel security
  • Partitioning (Separation)
  • The database is divided into several databases,
    each at its own level of security
  • Encryption (Separation)
  • Sensitive data are encrypted
  • Each level of sensitive data can be stored in a
    table encrypted under a key unique to the level
    of sensitivity

4
Integrity Lock (Spray Paint)
  • The lock is a way to provide both integrity and
    limited access for a database
  • At the US Air Force Summer Study on DB Security

Data Item
Sensitivity
Checksum
Secret Agent
10FB
TS
5
Cryptographic Checksum
Data Item
Sensitivity
Checksum
Record number
Attribute name
Secret Agent
10FB
TS
Assignment
R07
Checksum
  • Data item ? plain text
  • Sensitivity ? unforgeable -- unique concealed
  • Checksum ? record number, attribute name, data
    item, sensitivity

6
Security Lock
  • Combination of a unique identifier (record
    number) and the sensitivity level
  • Graubert and Kramer

Data Item
Sensitivity
Sensitivity lock
Record number
Secret Agent
TS
R07
Encryption Function
Key
7
Short Term Solution
Users
Trusted Access Controller
Sensitive database
Untrusted DB manager
8
Trusted Front End
Users
Trusted Access Controller
Sensitive database
Trusted Front End
Untrusted DB manager
9
Commutative Filters
  • The filter screens the users request, reformats
    it so that only data of an appropriate
    sensitivity level are returned.
  • Retrieve NAME where ((OCCUP engineer) and (CITY
    WashDC)
  • retrieve NAME where ((OCCUP engineer) and (CITY
    WashDC)
  • from all records R where
  • (NAME-SEC-LEVEL (R ) ? USER-SEC-LEVEL) and
  • (OCCUP-SEC-LEVEL (R ) ? USER-SEC-LEVEL) and
  • (CITY-SEC-LEVEL (R ) ? USER-SEC-LEVEL)

10
Computer Network Basics
  • Wide Area Networks (WAN)
  • Metropolitan Area Network (MAN)
  • Local Area Network (LAN)
  • System or Storage Area Network (SAN)

11
Routing Schemes
  • Connection-oriented
  • The entire message follows the same path from
    source to destination.
  • Connectionless
  • A message is divided into packets. Packets may
    take different routes from source to destination
    Serial number

12
Network Performance
  • Gilders Law
  • George Gilder projected that the total bandwidth
    of communication systems triples every twelve
    months .
  • Ethernet 10Mbps ? 10Gbps (1000 times)
  • CPU clock frequency 25MHz ? 2.5GHz (100 times)
  • Metcalfe's Law
  • Robert Metcalfe projected that the value of a
    network is proportional to the square of the
    number of nodes
  • Internet

13
Internet
  • Internet is the collection of networks and
    routers that form a single cooperative virtual
    network, which spans the entire globe. The
    Internet relies on the combination of the
    Transmission Control Protocol and the Internet
    Protocol or TCP/IP. The majority of Internet
    traffic is carried using TCP/IP packets.

14
(No Transcript)
15
ISO OSI Network Model
LAN
LAN
Internet
16
TCP/IP
Telnet
ftp
Mail
Transmission Control Protocol (TCP)
Internet Protocol (IP)
Ethernet
Token ring
17
Addressing
  • MAC (Media Access Control) address
  • Every host connected to a network has a network
    interface card (NIC) with a unique physical
    address.
  • IP address
  • IPv4 ? 32 bits (129.16.48.6)
  • IPv6 ? 128 bits

18
IP Protocol
  • Unreliable packet delivery service
  • Datagram (IPv4)

Service Type
VERS
HLEN
TOTAL LENGTH
IDENTIFICATION
FLAGS
FRAGMENT OFFSET
TIME TO LIVE
PROTOCOL
HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
PADDING
OPTIONS (IF ANY)
DATA
19
Group Work
  • Discuss possible attacks on IP.
  • IP Spoofing
  • Teardrop attacks
Write a Comment
User Comments (0)
About PowerShow.com