Computer System Security CSE 5339/7339

1
Computer System SecurityCSE 5339/7339
Session 23 November 9, 2004
2
Contents

• A6 Q/A
• Database Security (cont.)
• Security in Networks
• Group Work
• Wenyis presentation

3
Proposal for Multilevel security

• Partitioning (Separation)
• The database is divided into several databases,
  each at its own level of security
• Encryption (Separation)
• Sensitive data are encrypted
• Each level of sensitive data can be stored in a
  table encrypted under a key unique to the level
  of sensitivity

4
Integrity Lock (Spray Paint)

• The lock is a way to provide both integrity and
  limited access for a database
• At the US Air Force Summer Study on DB Security

Data Item
Sensitivity
Checksum
Secret Agent
10FB
TS
5
Cryptographic Checksum
Data Item
Sensitivity
Checksum
Record number
Attribute name
Secret Agent
10FB
TS
Assignment
R07
Checksum

• Data item ? plain text
• Sensitivity ? unforgeable -- unique concealed
• Checksum ? record number, attribute name, data
  item, sensitivity

6
Security Lock

• Combination of a unique identifier (record
  number) and the sensitivity level
• Graubert and Kramer

Data Item
Sensitivity
Sensitivity lock
Record number
Secret Agent
TS
R07
Encryption Function
Key
7
Short Term Solution
Users
Trusted Access Controller
Sensitive database
Untrusted DB manager
8
Trusted Front End
Users
Trusted Access Controller
Sensitive database
Trusted Front End
Untrusted DB manager
9
Commutative Filters

• The filter screens the users request, reformats
  it so that only data of an appropriate
  sensitivity level are returned.
• Retrieve NAME where ((OCCUP engineer) and (CITY
  WashDC)
• retrieve NAME where ((OCCUP engineer) and (CITY
  WashDC)
• from all records R where
• (NAME-SEC-LEVEL (R ) ? USER-SEC-LEVEL) and
• (OCCUP-SEC-LEVEL (R ) ? USER-SEC-LEVEL) and
• (CITY-SEC-LEVEL (R ) ? USER-SEC-LEVEL)

10
Computer Network Basics

• Wide Area Networks (WAN)
• Metropolitan Area Network (MAN)
• Local Area Network (LAN)
• System or Storage Area Network (SAN)

11
Routing Schemes

• Connection-oriented
• The entire message follows the same path from
  source to destination.
• Connectionless
• A message is divided into packets. Packets may
  take different routes from source to destination
  Serial number

12
Network Performance

• Gilders Law
• George Gilder projected that the total bandwidth
  of communication systems triples every twelve
  months .
• Ethernet 10Mbps ? 10Gbps (1000 times)
• CPU clock frequency 25MHz ? 2.5GHz (100 times)
• Metcalfe's Law
• Robert Metcalfe projected that the value of a
  network is proportional to the square of the
  number of nodes
• Internet

13
Internet

• Internet is the collection of networks and
  routers that form a single cooperative virtual
  network, which spans the entire globe. The
  Internet relies on the combination of the
  Transmission Control Protocol and the Internet
  Protocol or TCP/IP. The majority of Internet
  traffic is carried using TCP/IP packets.

14
(No Transcript)
15
ISO OSI Network Model
LAN
LAN
Internet
16
TCP/IP
Telnet
ftp
Mail
Transmission Control Protocol (TCP)
Internet Protocol (IP)
Ethernet
Token ring
17
Addressing

• MAC (Media Access Control) address
• Every host connected to a network has a network
  interface card (NIC) with a unique physical
  address.
• IP address
• IPv4 ? 32 bits (129.16.48.6)
• IPv6 ? 128 bits

18
IP Protocol

• Unreliable packet delivery service
• Datagram (IPv4)

Service Type
VERS
HLEN
TOTAL LENGTH
IDENTIFICATION
FLAGS
FRAGMENT OFFSET
TIME TO LIVE
PROTOCOL
HEADER CHECKSUM
SOURCE ADDRESS
DESTINATION ADDRESS
PADDING
OPTIONS (IF ANY)
DATA
19
Group Work

• Discuss possible attacks on IP.
• IP Spoofing
• Teardrop attacks