Computer System Security CSE 5339/7339 Session 23 November 9, 2004

Computer System Security
CSE 5339/7339
Session 23
November 9, 2004
Computer Science and Engineering

Contents
- A6 Q/A
- Database Security (cont.)
- Security in Networks
- Group Work
- Wenyi’s presentation

Proposal for Multilevel security
- Partitioning (Separation)
  - The database is divided into several databases, each at its own level of security
- Encryption (Separation)
  - Sensitive data are encrypted
  - Each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity

Integrity Lock (Spray Paint)
- The lock is a way to provide both integrity and limited access for a database
- At the US Air Force Summer Study on DB Security

Data Item      Sensitivity   Checksum
Secret Agent   TS            10FB

Cryptographic Checksum

Record number   Attribute name   Data Item      Sensitivity   Checksum
R07             Assignment       Secret Agent   TS            10FB

- Data item -> plain text
- Sensitivity -> unforgeable, unique, concealed
- Checksum -> record number, attribute name, data item, sensitivity

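The checksum inputs listed above, worked as an added example that is not part of the original slides: HMAC-SHA256 stands in for the cryptographic checksum, which the slides do not name, and the key, the level ordering U < C < S < TS and all function names are assumptions. It shows that a cell the untrusted DB manager relabels, or copies into another record or attribute, no longer verifies.

```python
import hashlib
import hmac

# Constructed demo key: held only by the trusted access controller,
# never by the untrusted DB manager.
LOCK_KEY = b"constructed-demo-key"
LEVELS = ("U", "C", "S", "TS")  # assumed ordering, lowest to highest

def encode_fields(*fields):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") differ."""
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)

def checksum(record_no, attribute, data_item, sensitivity, key=LOCK_KEY):
    """Keyed checksum over the four inputs the slide lists."""
    msg = encode_fields(record_no, attribute, data_item, sensitivity)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(record_no, attribute, data_item, sensitivity):
    """Cell as the trusted side hands it to the untrusted DB manager."""
    return {"data_item": data_item, "sensitivity": sensitivity,
            "checksum": checksum(record_no, attribute, data_item, sensitivity)}

def verify(record_no, attribute, cell):
    """Recompute the checksum for the position the cell was fetched from."""
    expected = checksum(record_no, attribute, cell["data_item"], cell["sensitivity"])
    return hmac.compare_digest(expected, cell["checksum"])

def read(record_no, attribute, cell, user_level):
    """Release the item only if the lock verifies and the user is cleared."""
    if not verify(record_no, attribute, cell):
        raise ValueError("integrity lock broken")
    if LEVELS.index(cell["sensitivity"]) > LEVELS.index(user_level):
        raise PermissionError("insufficient clearance")
    return cell["data_item"]

if __name__ == "__main__":
    cell = seal("R07", "Assignment", "Secret Agent", "TS")
    print(read("R07", "Assignment", cell, "TS"))
    print(verify("R07", "Assignment", dict(cell, sensitivity="U")))  # relabelled
    print(verify("R08", "Assignment", cell))  # copied into another record
```

The data item stays in plain text, as on the slide; only the binding between item, position and sensitivity is protected.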
Security Lock
- Combination of a unique identifier (record number) and the sensitivity level
- Graubart and Kramer

[Figure: Record number (R07), Key, Encryption Function, Sensitivity lock; Data Item (Secret Agent), Sensitivity (TS)]

Short Term Solution

[Figure: Users, Trusted Access Controller, Untrusted DB manager, Sensitive database]

Trusted Front End

[Figure: Users, Trusted Front End, Trusted Access Controller, Untrusted DB manager, Sensitive database]

Commutative Filters
- The filter screens the user’s request and reformats it so that only data of an appropriate sensitivity level are returned.

Original request:
retrieve NAME where ((OCCUP = engineer) and (CITY = WashDC))

Request as reformatted by the filter:
retrieve NAME where ((OCCUP = engineer) and (CITY = WashDC))
from all records R where
(NAME-SEC-LEVEL (R) <= USER-SEC-LEVEL) and
(OCCUP-SEC-LEVEL (R) <= USER-SEC-LEVEL) and
(CITY-SEC-LEVEL (R) <= USER-SEC-LEVEL)

Computer Network Basics
- Wide Area Networks (WAN)
- Metropolitan Area Network (MAN)
- Local Area Network (LAN)
- System or Storage Area Network (SAN)

Routing Schemes
- Connection-oriented
  The entire message follows the same path from source to destination.
- Connectionless
  A message is divided into packets. Packets may take different routes from source to destination.
  Serial number

Network Performance
- Gilder’s Law
  George Gilder projected that the total bandwidth of communication systems triples every twelve months.
  Ethernet: 10Mbps -> 10Gbps (1000 times)
  CPU clock frequency: 25MHz -> 2.5GHz (100 times)
- Metcalfe's Law
  Robert Metcalfe projected that the value of a network is proportional to the square of the number of nodes
  Internet

Internet
The Internet is the collection of networks and routers that form a single cooperative virtual network, which spans the entire globe. The Internet relies on the combination of the Transmission Control Protocol and the Internet Protocol, or TCP/IP. The majority of Internet traffic is carried using TCP/IP packets.

Country          Internet Users (Latest Data)   Population (2004 Est.)   % of Population
United States    209,518,183                    294,540,100              71.1 %
China            79,500,000                     1,327,976,227            6.0 %
Japan            63,884,205                     127,944,200              49.9 %
Germany          45,315,166                     82,633,200               54.8 %
United Kingdom   35,089,470                     59,157,400               59.3 %
South Korea      29,220,000                     47,135,500               62.0 %
France           22,534,967                     59,494,800               37.9 %
Brazil           20,551,168                     183,199,600              11.2 %
Italy            19,900,000                     56,153,700               35.4 %
Canada           16,841,811                     32,026,600               52.6 %

ISO OSI Network Model

[Figure: two hosts, each with the layer stack below, connected through LAN - Internet - LAN]
Application
Presentation
Session
Transport
Network
Data Link
Physical

TCP/IP

[Figure: protocol layers, top to bottom]
Mail | ftp | Telnet
Transmission Control Protocol (TCP)
Internet Protocol (IP)
Ethernet | Token ring

Addressing
- MAC (Media Access Control) address
  Every host connected to a network has a network interface card (NIC) with a unique physical address.
- IP address
  IPv4 -> 32 bits (129.16.48.6)
  IPv6 -> 128 bits

IP Protocol
- Unreliable packet delivery service
- Datagram (IPv4)

VERS | HLEN | SERVICE TYPE | TOTAL LENGTH
IDENTIFICATION | FLAGS | FRAGMENT OFFSET
TIME TO LIVE | PROTOCOL | HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
OPTIONS (IF ANY) | PADDING
DATA

Group Work
- Discuss possible attacks on IP.
  IP Spoofing
  Teardrop attacks