• Asymmetric cryptosystems:
Cryptosystem
[Figure: Cryptosystem. Plaintext ("Hello, This content is confidential") → Encryption with key K_E → Ciphertext → Decryption with key K_D → Plaintext.]
Encryption - Classification (2)
• Asymmetric cryptosystems
Also called public-key cryptosystems.
Use two different keys for the encryption and decryption algorithms.
Public key & private key.
More secure but expensive in terms of computational costs.
• Symmetric cryptosystems
Use the same key for the encryption and decryption algorithms.
Symmetric key = shared secret key.
Faster than encryption and decryption in public-key cryptosystems.
Less secure compared with encryption and decryption in public-key cryptosystems.
Encryption - Classification (3)
• Symmetric cryptosystems:
Stream ciphers: A5/1, RC4.
Block ciphers: DES, Triple DES, AES.
• Asymmetric cryptosystems:
RSA, DSA.
Secret Key Establishment.
Digital Signatures.
Digital Certificate.
Contents
• Encryption & Public Key Infrastructure (PKI)
Terminology
Classification
DES, AES, RSA
Digital Signatures
Public Key Infrastructure
Encryption - DES
• DES (Data Encryption Standard)
Published by the USA's National Bureau of Standards (NBS).
Used as the encryption standard for unclassified data (information not concerned with national security).
A message is divided into 64-bit blocks.
Key: 56 bits → brute-force (exhaustive key search) attack in some hours → today, it's too small.
• Triple DES: run the DES algorithm multiple times using different keys.
Encryption:
()))
Decryption:
()))
The triple DES can also use three different keys.
Encryption - AES
• AES (Advanced Encryption Standard / Rijndael)
Chosen and introduced by the National Institute of Standards and Technology (NIST) (known as NBS before).
Secure and can be implemented efficiently.
The new encryption standard, replacing DES and multiple encryption (such as Triple DES).
Reduces the cost of managing keys.
Simplifies the design of security protocols and systems.
A block cipher with a variable block size and variable key size.
The key size and the block size can be independently specified as 128, 192 or 256 bits.
The enlarged and variable key and data-block sizes can accommodate a wide spectrum of security strengths for various application needs.
Encryption - RSA
• RSA (named after its 3 inventors: Rivest, Shamir and Adleman)
The public key is used for encryption.
The private key is used for decryption.
Encryption - Hybrid Scheme
• Hybrid scheme
Asymmetric technique: establish a symmetric key.
Symmetric technique: encrypt data with that symmetric key.
[Figure: Sender → Receiver. The message is encrypted using a symmetric key; the public key of the receiver is used to encrypt the message encryption key.]
Digital Signatures (1)
• Digital Signature: a message signed with a user's private key that can be verified by anyone who has access to the user's public key.
• Thus:
Authentication: anyone with the user's public key can verify his digital signature → easy to verify who is the owner of the message.
Data integrity: the message cannot be modified without being detected during decryption time → verify whether the message is modified or not.
Non-repudiation: only the holder of the private key can digitally sign → prevent the sender from claiming that he did not actually send the information.
Digital Signatures (2)
Simple Digital Signatures
Digital Signatures (3)
Secure Digital Signatures
Public Key Infrastructure (1)
• Public Key Infrastructure (PKI)
The sum total of everything required to securely use public key crypto.
• Digital Certificate
Also called Identity Certificate, or Public Key Certificate.
An electronic document which is used to verify that a public key belongs to an individual.
Uses a digital signature to bind a public key to an identity.
In most situations the certificate must be signed by a Certificate Authority (CA), which acts as a trusted third party.
Public Key Infrastructure (2)
• Each digital certificate contains basic information:
The owner's identity: information such as the name of a person or an organization, their address or their server address, and so forth.
The owner's public key.
The date of issue of the certificate.
Valid time (Valid From and Valid To dates).
Name and URL of the CA.
The digital signature of the issuing CA.
Public Key Infrastructure (3)
[Figure: How does PKI work? Sender S, Receiver R and a trusted Certificate Authority (CA). The message is encrypted using a symmetric key; R's public key is used to encrypt the message encryption key. Step 3: send data. Step 4: receive data and decrypt it.]
Public Key Infrastructure (4)
• A digital certificate can be revoked if:
Its private key is compromised.
The relationship between the public key and the owner has changed.
The certificate was issued in error.
Use the Certificate Revocation List.
• The largest commercial source for certificates is VeriSign.
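The checks a relying party runs on a certificate (CA signature, validity period, revocation list), as an added example that is not part of the original slides; it also shows the integrity property from the Digital Signatures slides, since any change to a signed field breaks verification. Assumptions: the CA key is a toy textbook-RSA key far too small for real use, the `serial` field and all names and values are constructed for illustration.

```python
import hashlib
from datetime import date

# Toy RSA key pair for the example CA, built from two Mersenne primes.
# Far too small for real use; it only makes sign/verify runnable offline.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # CA private exponent, known only to the CA
CA_PUBLIC = (N, E)

def digest(cert, n):
    # Hash every field except the signature, in a fixed order.
    body = "|".join(f"{k}={cert[k]}" for k in sorted(cert) if k != "signature")
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def ca_sign(cert):
    # The CA signs the digest with its private key, binding key to identity.
    return dict(cert, signature=pow(digest(cert, N), D, N))

def check_certificate(cert, ca_public, crl, today):
    n, e = ca_public
    # 1. The CA's signature must verify over the certificate fields.
    if pow(cert["signature"], e, n) != digest(cert, n):
        return "bad CA signature"
    # 2. Today must fall between the Valid From and Valid To dates.
    if not (cert["valid_from"] <= today <= cert["valid_to"]):
        return "outside validity period"
    # 3. The certificate must not appear on the Certificate Revocation List.
    if cert["serial"] in crl:
        return "revoked"
    return "ok"

# Constructed certificate with the fields listed on the slide, plus a serial
# number (an assumption here) so the revocation list can refer to it.
CERT = ca_sign({
    "serial": 1001,
    "owner": "Receiver R, r.example",
    "owner_public_key": "constructed-placeholder-key",
    "issued": date(2024, 1, 10),
    "valid_from": date(2024, 1, 10),
    "valid_to": date(2025, 1, 10),
    "ca_name": "Example CA",
    "ca_url": "https://ca.example",
})

if __name__ == "__main__":
    print(check_certificate(CERT, CA_PUBLIC, set(), date(2024, 6, 1)))
    print(check_certificate(CERT, CA_PUBLIC, {1001}, date(2024, 6, 1)))
```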
Contents
• Introduction to Database Security
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role-Based Access Control (RBAC)
• Encryption & Public Key Infrastructure (PKI)
• Common Attacks on Databases
• SQL Injection
• Challenges of Database Security
Common Attacks on Databases
• Some frequent attacks on databases:
Unauthorized Privilege Escalation.
Privilege Abuse.
Denial of Service (DoS attack).
Weak Authentication.
SQL Injection.
SQL Injection (1)
• SQL Injection Attack
Web programs and applications that access a database can send commands and data to the database.
The attacker injects a string input through the application, which changes or manipulates the SQL statement to the attacker's advantage.
Most commonly done directly through web forms, but can be directed through URL hacking.
SQL Injection (2)
• SQL Injection
Exploits a security vulnerability in the application.
Authentication bypass, information disclosure, compromised data integrity.
Harms the database.
Unauthorized manipulation of the database, or retrieval of sensitive data.
Execution of system-level commands that may cause the system to deny service to the application.
SQL Injection (3)
• Consider this embedded code:
$query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_INPUT['prod_search'] . "'";
• User enters the following:
blah' OR 'x' = 'x
• SQL statement created:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x';
SQL Injection (4)
• A more serious problem, a user enters:
blah'; DROP TABLE prodtable;
• SQL statement created:
SELECT prodinfo FROM prodtable WHERE prodname = 'blah'; DROP TABLE prodtable;
• Another example:
SELECT * FROM Users WHERE username = 'John' and (PASSWORD = 'JohnPass' or 'x' = 'x');
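The slide's concatenated query beside a parameterized one, run against an in-memory SQLite database, as an added example that is not part of the original slides. The table contents and function names are constructed for illustration; the inputs are the ones shown on the slides.

```python
import sqlite3

def make_db():
    # Constructed sample rows for the slide's prodtable (not real data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prodtable (prodname TEXT, prodinfo TEXT)")
    db.executemany(
        "INSERT INTO prodtable VALUES (?, ?)",
        [("widget", "widget data sheet"),
         ("gadget", "gadget data sheet"),
         ("prototype", "unreleased internal notes")],
    )
    return db

def search_vulnerable(db, prod_search):
    # The slide's pattern: input is pasted between the quotes of the statement,
    # so a quote character in the input ends the string and becomes SQL syntax.
    query = ("SELECT prodinfo FROM prodtable WHERE prodname = '"
             + prod_search + "'")
    return sorted(row[0] for row in db.execute(query))

def search_parameterized(db, prod_search):
    # The driver binds the input as a value, so it is never parsed as SQL.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return sorted(row[0] for row in db.execute(query, (prod_search,)))

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM prodtable").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    tautology = "blah' OR 'x' = 'x"
    stacked = "blah'; DROP TABLE prodtable;"
    print("vulnerable   :", search_vulnerable(db, tautology))
    print("parameterized:", search_parameterized(db, tautology))
    print("parameterized:", search_parameterized(db, stacked))
    print("rows still in prodtable:", row_count(db))
```

With the bound parameter, both slide inputs are treated as product names that match nothing, and the table is left intact.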
Challenges of Database Security (1)
• Data Quality
Need techniques and organizational solutions to assess and attest the quality of data.
Need techniques providing more effective integrity semantics verification.
Need tools for the assessment of data quality.
• Intellectual Property Rights
Digital watermarking techniques.
Challenges of Database Security (2)
• Database Survivability: database systems need to operate and continue their functions, even with reduced capabilities, despite disruptive events such as information warfare attacks.
Confinement.
Damage assessment.
Reconfiguration.
Repair.
Fault treatment.
Q & A