group 9 - digital signatures presentation


Upload: shubhamsidana

Post on 10-Oct-2015


  • Introduction

    On one hand, databases are designed to promote open and flexible access to data. On the other hand, it's this same open access that makes databases vulnerable to many kinds of malicious activity.

  • Database Security Issues

    Security of databases can be described in the following categories.

    Authentication - A process used to ascertain the identity of a person or the integrity of specific information.

    Authorization - The process of obtaining information about an authenticated user.

    Data Integrity - Ensuring that the data has not been altered during transmission to the application or database server.

  • Database Security Issues Contd

    Access control methods - Access control methods are used to create subsets of the contents of information, so that the user can only see and access data that is relevant to their needs. E.g. a human resources employee would be able to access an employee's title and/or salary range, however he/she cannot access the salary deductions of an employee.

    Accountability and Auditing Facilities - Allows the system to maintain an audit trail of events that occurred. As such, systems are able to monitor data access.

  • What are Digital Signatures

    A digital signature is a piece of data that identifies the originator of a document. It utilizes asymmetric encryption, where one key (private key) is used to create the signature code and a different but related key (public key) is used to verify it.

  • Digital Signatures

    Digital signature creation: uses a hash result derived from and unique to both the signed message and a given private key. This hash value should be unique and impossible to obtain via a different message. This technique enables the protection of digital information (represented as a bit-stream) from undesirable modification.

  • Digital Signatures

    Digital signature verification: is the process of checking the digital signature by reference to the original message and public key.

  • Digital Signatures

    Signer Authentication: A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization.

    Message Authentication: The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results

    Affirmation Act:- Signatures are legally binding

    Efficiency:- Allows for automation of modern Electronic Data Interchange (EDI).

  • Digital Signatures

    Promissory Note

    I, Mary Smith, promise to pay to the order of First Western Bank five thousand dollars and no cents ($5,000) on or before June 10, 1998, with interest at the rate of fifteen per cent (15%) per annum.

    Mary Smith, Maker

    2AB3764578CC18946A29870F40198B240CD2302B2349802DE002342B212990BA5330249C1D20774C1622D39

  • Advantages of Digital Signatures

    Data integrity: Digital signatures provide proof that the document or message has not been altered or tampered with.

    Authentication of Identities: Digital signatures make it easier to verify the identity of senders and recipients.

    Concept of non-repudiation: This means that neither the sender nor the recipient can deny having sent or received the document.

    Includes an automatic date and time stamp, which is critical in business transactions.

    Increases the speed and accuracy of transactions.

  • Disadvantages of Digital Signatures

    Technological Compatibility - refers to standards and the ability of one digital signature system to "talk" to another. It is difficult to develop standards across a wide user base.

    Security Concerns - These efforts are perpetually hampered by lost or borrowed passwords, theft and tampering, and vulnerable storage and backup facilities.

    Legal Issues - There is clear consensus that digital signatures should be legally acceptable. However, many questions remain unanswered in the legal arena

  • Challenges and Opportunities

    Challenges :-

    Institutional overhead: The cost of establishing and utilizing certification authorities, repositories, and other important services, as well as assuring quality in the performance of their functions.

    Subscriber and Relying Party Costs: A digital signer will require software, and will probably have to pay a certification authority some price to issue a certificate. Hardware to secure the subscriber's private key may also be advisable.

  • Challenges and Opportunities

    Opportunities :-

    Imposters: by minimizing the risk of dealing with imposters or persons who attempt to escape responsibility by claiming to have been impersonated;

    Message Integrity: by minimizing the risk of undetected message tampering and forgery, and of false claims that a message was altered after it was sent;

    Formal legal Requirements: by strengthening the view that legal requirements of form, such as writing, signature, and an original document, are satisfied, since digital signatures are functionally on a par with, or superior to paper forms; and

  • Challenges and Opportunities Contd

    Opportunities :-

    Open Systems: by retaining a high degree of information security, even for information sent over open, insecure, but inexpensive and widely used channels.

  • Case Study

    P.E.B.E.S Database Failure

  • System Design

    In March of 1997, the Social Security Administration made its Personal Earnings and Benefit Estimate Statements (PEBES) database available over the Internet so that individuals could access their information online.

    To see your personal data over the Internet you filled in a form with your full name, your Social Security number, your date of birth, the state of your birth and your mother's maiden name. The PEBES system returned your earnings history and benefit estimates

  • Problems Faced

    The system was so flooded with users that it was nearly impossible to get through.

    Insecurity of the system

    The system did not successfully prevent others from accessing your PEBES information and therefore from seeing some fairly personal financial information.

  • Problems Faced

    Persons were able to retrieve PEBES records for prominent public figures.

    The five pieces of information required by PEBES, while not obtainable from common sources like the phone book, are not terribly difficult to determine for any given individual.

  • The Solution

    The main problem faced by the PEBES system was the idea of identity in cyberspace.

    The solution therefore lies in developing an infrastructure that would facilitate:

    Authentication

    Authorization

    Integrity and privacy of data

    Transaction Management

  • Solution

    Can digital signatures be used to solve the problems faced by the PEBES system?

    To answer this question, let's discuss how signatures can be integrated into the security framework of databases.

  • Digital Signatures in Relational Database Applications

  • Introduction

    Public Key Encryption and PKI Infrastructure form the basis of electronic security.

    These infrastructures solve security problems related to business applications

    Example :- Virtual Private Networks support signature- and certificate-based authentication and public-key-based key exchange.

  • Digital Signatures in Relational Database

    Authentication

    Authorization

    Ensure data integrity

    Non repudiation

    Transaction Management

  • Authentication

    Digital signature (PKI) systems are used in conjunction with a secret-key system.

    The private key is encrypted using a secret-key system.

    The user supplies a simple password (like the PIN for his or her ATM card) that is used to decrypt the private key.

  • Authentication

    Encrypted private keys could then be stored on servers, in smart cards, or on your credit card.

    Access to a database, for example, would only be permitted by sending a certain code encrypted with your private key.

    The encoded document is received by the user authentication program, it is decoded with your public key, and access is granted.

  • Authorization

    In the authorization process the DBMS uses the authentication process to obtain information about the user.

    Example :- DB2 uses authentication to obtain information on which database operations that user may perform and which data objects that user may access.

  • Transaction Management

    In database applications transaction data is stored in a relational database.

  • Analysis

    Data Entry :- Signatures are used to validate data and regulate access to certain data entry screens.

    Transmission :- Transaction data is transferred across a network to a central application server and/or database server. Signatures are used to ensure data integrity and, when used in conjunction with cryptographic mechanisms, ensure privacy of data. Additionally, they're used to provide assurance that the data is being transmitted to the intended recipient.

  • Analysis Contd

    Acceptance :- Accepting a transaction involves:

    Data Validation

    Integrity

    Authentication

    Authorization

    Storage :- Ensure that the stored data is not changed, destroyed or viewed by malicious or unauthorized users.

  • Efficiency

    Digital signatures are typically used to implement a paperless process.

  • Efficiency

    In each step, the users are using an application that allows them to view and modify data that is stored in a central database. Note that each time a document is created or modified within the application, it is digitally signed. Each time that data is used, its signature is verified. This allows the relying user to be confident that the data in the database is genuine and was originated by an authorized user.

    Example :- Managing and shipping nuclear waste is a monumental paper producer. The digital signature process not only makes these waste management activities all but paperless, it also helps ensure the integrity of the information.

  • Documents in Databases

    Databases store structured data as opposed to unstructured data.

    A document is defined as the data in one or more rows from one or more columns of one or more tables in a relational database. That is, a document may span multiple database tables and may include only selected columns from those tables and may encompass more than one row per table

  • Signing Documents in Databases
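
The sign-on-write, verify-on-read flow over a "document" made of selected columns from several tables, as an added example that is not part of the original presentation. The schema, table names and sample rows are constructed, and textbook RSA without padding over a constructed, deliberately insecure demo key stands in for a real signature scheme (such as RSA-PSS or Ed25519 from a vetted library) so that the code needs only the standard library.

```python
import hashlib, json, sqlite3

# Constructed demo key: textbook RSA (no padding) over two publicly known
# Mersenne primes. Insecure by design; it only keeps the example stdlib-only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only

# The "document": selected columns from two tables (hypothetical schema).
DOC_QUERY = """SELECT s.id, s.origin, s.dest, i.line_no, i.material, i.kg
               FROM shipment s JOIN item i ON i.shipment_id = s.id
               WHERE s.id = ? ORDER BY i.line_no"""

def digest(conn, doc_id):
    """Hash a canonical serialization of the rows and columns in the document."""
    rows = conn.execute(DOC_QUERY, (doc_id,)).fetchall()
    canon = json.dumps(rows, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")

def sign(conn, doc_id):
    sig = pow(digest(conn, doc_id), D, N)  # private-key operation
    conn.execute("INSERT OR REPLACE INTO doc_sig VALUES (?, ?)", (doc_id, hex(sig)))

def verify(conn, doc_id):
    row = conn.execute("SELECT sig FROM doc_sig WHERE doc_id = ?", (doc_id,)).fetchone()
    if row is None:  # unsigned data is never trusted
        return False
    return pow(int(row[0], 16), E, N) == digest(conn, doc_id)  # public-key operation

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE shipment(id INTEGER PRIMARY KEY, origin TEXT, dest TEXT, note TEXT);
        CREATE TABLE item(shipment_id INTEGER, line_no INTEGER, material TEXT, kg REAL);
        CREATE TABLE doc_sig(doc_id INTEGER PRIMARY KEY, sig TEXT);
        INSERT INTO shipment VALUES (1, 'Site A', 'Repository B', 'draft');
        INSERT INTO item VALUES (1, 1, 'spent resin', 120.0), (1, 2, 'filters', 35.5);
    """)
    sign(conn, 1)
    results = {"fresh": verify(conn, 1)}
    conn.execute("UPDATE shipment SET note = 'reviewed' WHERE id = 1")  # outside the document
    results["unsigned_column_changed"] = verify(conn, 1)
    conn.execute("UPDATE item SET kg = 12.0 WHERE line_no = 1")  # inside the document
    results["signed_column_changed"] = verify(conn, 1)
    results["unknown_doc"] = verify(conn, 2)
    return results

if __name__ == "__main__":
    print(demo())
```

The fixed column list and `ORDER BY` matter: signer and verifier must serialize the same rows in the same order, and only columns named in the document query are covered by the signature.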

  • Digital Signatures Application

    Uses, Benefits and Possible Weaknesses

  • Digital Signatures at Work

    Used to monitor anonymous communications such as email and other remote applications.

    Used in conjunction with Virtual Private Networks to ensure secure transfer of data.

    Used to manage transactions and other business properties.

    Example :- Gradkell Systems

  • Digital Signatures at Work

    Form the basis of interaction between secure intranets and demilitarized zones associated with the internet.

    Found in digital time stamping solutions and auditing infrastructures.

  • Digital Signatures at Work

    Used by banks and other financial institutions to secure point of sale and other financial transactions carried out via credit, debit and smart cards.

  • Digital Signatures at Work

    SQL Server 2005: a method of ensuring that a particular resource, such as a table or view, can be accessed only via a designated module such as a stored procedure. Additionally, they're used to restrict EXECUTE permissions.

    WS-Security in Oracle Application Server involves adding authentication tokens as the message leaves the client, digitally signing the message, and encrypting the message.

  • Problems with Digital Signatures

    Prevention vs. Proof of Data Integrity

    Digital signatures simply allow an application to prove two things about the data they protect: Integrity: the data has not been modified since it was signed, and Origin: the identity of the signer can be cryptographically proven.

    Digital signatures cannot prevent fraud from being attempted; they prevent attempted fraud from succeeding by giving applications the ability to detect fraudulent transactions.

    Signing of dynamic content. (Possible Solutions involve removing dynamic content, use of static file formats and/or use of XML)

  • Problems with Digital Signatures

    Security and confidentiality of private key, possible misuse and the legal implications which arise.