CSC2308 Lec 03

This document provides an overview of data management and information security concepts, including:
• The CIA triad of security goals: confidentiality, integrity and availability
• Other security goals such as privacy and non-repudiation
• Key definitions: vulnerability, threat, risk, exposure and security control
• The risk management process: risk assessment and analysis, definition of a security policy and implementation of security controls
• Examples of security controls: access control, encryption, authentication and authorization

Data Management I

(CSC2308)

_______________________________________________
Zauwali S. Paki
Department of Computer Science
Yusuf Maitama Sule University, Kano
[email protected]
References
• The materials used in these slides are taken from the slides of Dr Laurent Gomez for the course "Security and Privacy 3.0, Application Security" (January 2018) at Polytech Nice Sophia (Université Nice Sophia Antipolis, France).

Data Management I 2
Information Security and Privacy

Why should we care about security?
"I use urlencode() to encrypt my messages..."
(URL encoding is a reversible encoding with no key: anyone can undo it, so it provides no confidentiality at all.)

Principle of easiest penetration
"An intruder must be expected to use any available means of penetration. This is not necessarily the most obvious means, nor is it necessarily the one against which the most solid defense has been installed."
Attack paths to expect:
• Bad (buggy or hostile) programs
• Bad (careless or hostile) people giving instructions to good programs
• An attacker interfering with communications
• An attacker using social engineering
Security fundamentals
what does security really mean?

The CIA triad
Basic security goals

Confidentiality
"The assets of a computing system are accessible only by the authorized parties."
Prevents disclosure of information to unauthorized entities.
Integrity
"Assets can be modified only by the authorized parties, or only in authorized ways."
Prevents alteration of information by unauthorized entities.
Availability
"Assets are accessible to authorized parties."
Prevents disruption of authorized entities' access to information.

Other security goals
Privacy
Often treated as equivalent to confidentiality; more precisely, it is confidentiality applied to personal data, plus the data subject's control over how that data is collected and used.
Non-repudiation
Prevents either party to a transaction from falsely denying its involvement.
• Non-repudiation with proof of origin gives the recipient of data evidence that proves where the data came from.
• Non-repudiation with proof of receipt gives the originator of data evidence that proves the data was received.

Computing system assets
A computing organization is a collection of assets:
• Hardware (e.g., laptops, mobile phones)
• Software (e.g., an HR system)
• Storage media (e.g., USB sticks, databases)
• Data
• People

Computing security aims at protecting the organization's computing systems from malicious manipulation and forbidden operations.
In this course, we focus on software, storage and data protection.
Definitions
A vulnerability is the lack of a countermeasure, or a weakness in a countermeasure.
Examples: an unneeded service left running, an unlocked door, no visibility on the access control policy.
A threat is any potential danger associated with the exploitation of a vulnerability.
Example: the default password of an SQL server (the vulnerability) is exploited to gain access to employee data.
Definitions
A risk is the likelihood of a threat agent exploiting a vulnerability, together with the corresponding business impact.
A control, or countermeasure, is put into place to mitigate (reduce) the potential risk.

Definitions
An exposure is an instance of being exposed to losses: a vulnerability exposes an organization to possible damage.
Examples: password management is lax and password rules are not enforced; a company does not have its wiring inspected and does not put proactive fire-prevention steps in place.
Definitions
• A control, or countermeasure, is put into place to mitigate (reduce) the potential risk. A countermeasure may be a software configuration, a hardware device or a procedure that eliminates a vulnerability, or that reduces the likelihood that a threat agent will be able to exploit it.
• Examples: strong password management, firewalls, a security guard, access control mechanisms, encryption, security-awareness training.
Risk Management
Toward security policy definition

Risk assessment and analysis
Set up a risk analysis team in charge of:
• Identification of assets and their value to the organization
• Identification of vulnerabilities and threats
• Quantification of the probability and business impact of these potential threats
• Providing an economic balance between the impact of the threat and the cost of the countermeasure (the cost/benefit comparison)

Risk assessment and analysis
Identification of vulnerabilities
Penetration test
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source.
The intent of a penetration test is to determine the feasibility of an attack and the business impact of a successful exploit, if one is found.
Any security issues that are found are presented to the system owner together with an assessment of their impact, and often with a proposal for mitigation or a technical solution.
Black-box approach (the tester has no internal knowledge of the system) and white-box approach (the tester has source code, architecture and credentials).
Threat modeling
Look at each software component and define the set of possible attacks against it.

Risk assessment and analysis
Identify countermeasures and their associated cost:
• Selection of countermeasures
• Evaluation of their effectiveness and functionality
• Total risk vs residual risk

Total risk = vulnerability × asset value (more completely: threat likelihood × vulnerability × asset value)
Residual risk = total risk - risk removed by the countermeasures

Is it worth buying a 3 M€ firewall to protect a database holding 3 k€ worth of information?

Risk assessment overall
(diagram only)
Security policy
Based on the risk assessment.
A security policy is a statement by senior management that defines the role security plays in the organization:
• Driven by security governance (e.g., handling of Personally Identifiable Information)
• Driven by the security goals to be achieved (e.g., confidentiality of customer data)
• Supported by guidelines and procedures

A security policy is enforced through security controls:
• Classification of information
• Access controls
• Security awareness and education
• Certification and accreditation
• Audit

Data Management I 19
Examples of security policies
Keep everybody out: isolation
Keep the bad guy out: code signing, firewalls
Let him in, but keep him from doing damage: sandboxing, access control

Data Management I 20
Security controls
How to implement security policy?

Data Management I 21
Four security control categories
• Physical controls, e.g., fences, doors, locks and fire extinguishers
• Procedural controls, e.g., incident response processes, management oversight, security awareness and training, disaster management
• Technical controls, e.g., user authentication (login) and logical access controls, antivirus software, firewalls, encryption
• Legal, regulatory or compliance controls, e.g., privacy laws, policies and contractual clauses

Data Management I 22
Technical controls
Access control and encryption
Access control
• Classification of data
• Identification, authentication and authorization
Cryptography
• Data encryption
• Signatures
• Cryptographic protocols for identification and authentication

Data Management I 23
Access control
Identification, authentication, authorization
Identification: the subject supplies identification information (e.g., a username).
Authentication: verification of the subject's identification information.
Authorization: the access control decision, taken on the basis of the authenticated identity.
Accountability: audit logs and monitoring track the subject's activities on objects.

Data Management I 24
Access control
Authentication factors (the means by which a claimed identity is verified)
Something you know: password, passphrase
Something you have: security token
• One-time password (asynchronous or synchronous)
• Certificate
Something you are: biometrics

Data Management I 25
Access control
Authorization principles
Default: no access (deny unless explicitly granted)
Access criteria: roles, group membership, physical or logical location, time
Need to know: give access only to the information required
Least privilege: give the minimum access rights needed for the task

Data Management I 26
Access control
Authentication servers and single sign-on
One service, one authentication server.
Single sign-on (SSO): authenticate ONCE and get access to ALL resources.
Bob authenticates himself to an Authentication Server (AS); the services Bob then uses delegate the verification of his identity to the AS.

Data Management I 27
Access control
Passwords
• Password authentication: a cheap but weak means of authentication
  Lack of user education
  Bad software development practices...
Password management:
• Password synchronization
• Self-service password reset
• Assisted password reset

Data Management I 28
Access control
Password

Data Management I 29
Access control
Authorization
Access control matrix: rows are subjects, columns are objects, and each cell holds the subject's rights on that object
• Capability list (subject oriented): one row of the matrix
• Access control list (resource oriented): one column of the matrix

Classification of data
Commercial: confidential, private, sensitive, public
Military: top secret, secret, confidential, sensitive but unclassified, unclassified
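A worked example of the access control matrix and its two views (capability list and ACL), with default-deny decisions. This is an added example for the lecture, not code from the original slides; the subjects, objects and rights are constructed sample data and the class and method names are this example's own.

```python
"""Access control matrix with ACL (resource-oriented) and capability
(subject-oriented) views.  Added example; sample data is constructed."""


class AccessControlMatrix:
    def __init__(self):
        # (subject, object) -> set of rights; a missing cell means no access
        self._matrix = {}
        self._subjects = set()
        self._objects = set()

    def grant(self, subject, obj, *rights):
        self._subjects.add(subject)
        self._objects.add(obj)
        self._matrix.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self._matrix.get((subject, obj), set()).difference_update(rights)

    def check(self, subject, obj, right):
        """Authorization decision: default deny, allow only if the right
        is explicitly listed for this subject on this object."""
        return right in self._matrix.get((subject, obj), set())

    def acl(self, obj):
        """Access control list: one column of the matrix, i.e. who may do
        what with this object."""
        return {s: sorted(self._matrix.get((s, obj), ()))
                for s in sorted(self._subjects) if self._matrix.get((s, obj))}

    def capabilities(self, subject):
        """Capability list: one row of the matrix, i.e. what this subject
        may do and on which objects."""
        return {o: sorted(self._matrix.get((subject, o), ()))
                for o in sorted(self._objects) if self._matrix.get((subject, o))}


def build_sample_matrix():
    """Constructed sample: least privilege means bob, who only needs to
    read payroll data, gets no write right on it."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("bob", "payroll.db", "read")
    m.grant("bob", "hr_policy.pdf", "read")
    m.grant("carol", "hr_policy.pdf", "read", "write")
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("ACL for payroll.db:", m.acl("payroll.db"))
    print("Capabilities of bob:", m.capabilities("bob"))
    print("bob may write payroll.db?", m.check("bob", "payroll.db", "write"))
    print("mallory may read payroll.db?", m.check("mallory", "payroll.db", "read"))
```

The `check` method never returns True for a subject or object the matrix has not seen, which is the "default no access" rule in code; `revoke` on a missing cell is a no-op rather than an error.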
Data Management I 30
Effectiveness of security controls
Awareness of the problem: end users, administrators and software developers should agree on the need for security in the computing system.
Likelihood of use: security should be easy to use for the control to be effective.
Overlapping controls (defense in depth): no single control is relied upon alone.
Periodic review.

Data Management I 31
Cryptography as a toolbox

Data Management I 32
Cryptography terminology

Cryptography: the study of methods and mathematical techniques related to security concepts (confidentiality, integrity, authentication)
Cryptosystem: a set of algorithms, keys and secure protocols
Cryptanalysis: the study of existing cryptosystems, in order to break them

Cryptography basics
(diagrams only)
Definitions

Plaintext: the original text to be protected
Ciphertext: the result of encrypting the plaintext
Cipher: the encryption mechanism
Decipher: the decryption mechanism
Key: the main tool for encryption/decryption; the secret parameter that selects one particular transformation out of the cipher's family

Data Management I 36
Substitution ciphering
Mono-alphabetic substitution: each plaintext letter is always replaced by the same ciphertext letter (e.g., a Caesar shift). The letter frequencies of the plaintext survive in the ciphertext, so frequency analysis breaks it.
Polyalphabetic substitution: several substitution alphabets are used in turn, selected by a key (e.g., Vigenère), so the same plaintext letter can become different ciphertext letters.
(The worked examples on these slides are diagrams only.)
Transposition
Columnar transposition: the plaintext is written row by row into a grid with a fixed number of columns and read out column by column. The letters are only reordered, never replaced.

HELLO WORLD is encrypted as HORELLWDLO (written into 4 columns, space included, then read column by column with the space dropped).
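The three classical ciphers above, implemented as an added example (not code from the original slides). Keys and sample texts are constructed; the columnar functions reproduce the slide's HELLO WORLD to HORELLWDLO when the space is removed from the output, and `letter_histogram` shows why transposition alone is weak.

```python
"""Classical ciphers: monoalphabetic substitution (Caesar shift),
polyalphabetic substitution (Vigenère) and columnar transposition.
Added example, not from the original slides; keys and texts are constructed."""
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift, decrypt=False):
    """Monoalphabetic substitution: one fixed mapping for the whole text,
    so plaintext letter frequencies survive in the ciphertext."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def vigenere(text, key, decrypt=False):
    """Polyalphabetic substitution: the shift cycles through the key, so
    the same plaintext letter can become different ciphertext letters."""
    shifts = [ALPHABET.index(k) for k in key.upper()]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            s = shifts[i % len(shifts)]
            s = -s if decrypt else s
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def columnar_encrypt(text, columns):
    """Write the text row by row into a grid of `columns` columns and read
    it out column by column.  Characters are reordered, never replaced."""
    rows = [text[i:i + columns] for i in range(0, len(text), columns)]
    return "".join(row[c] for c in range(columns) for row in rows if c < len(row))


def columnar_decrypt(cipher, columns):
    """Rebuild the grid: the first `last` columns are one cell taller
    because the final row may be incomplete."""
    n = len(cipher)
    rows = -(-n // columns)
    last = n - (rows - 1) * columns
    grid = [[""] * columns for _ in range(rows)]
    pos = 0
    for c in range(columns):
        for r in range(rows if c < last else rows - 1):
            grid[r][c] = cipher[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def letter_histogram(text):
    """Letter counts: identical for a plaintext and its transposition,
    which is exactly what frequency analysis exploits."""
    return {ch: text.count(ch) for ch in sorted(set(text)) if ch in ALPHABET}


if __name__ == "__main__":
    print(caesar("HELLO WORLD", 3))              # KHOOR ZRUOG
    print(vigenere("ATTACKATDAWN", "LEMON"))     # LXFOPVEFRNHR
    c = columnar_encrypt("HELLO WORLD", 4)       # 'HORE LLWDLO'
    print(c.replace(" ", ""))                    # HORELLWDLO, as on the slide
    print(columnar_decrypt(c, 4))                # HELLO WORLD
```

Decryption of the transposition needs the space kept in the ciphertext (or the plaintext length), which is why the functions keep it and the slide's form is produced by stripping it afterwards.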
Ciphering modes

Stream ciphers
Block ciphers
Stream ciphering
Stream ciphering encrypts the message bit by bit (or byte by byte) as it arrives, without waiting for the whole message.

Examples
XOR with a keystream
One-time pad (the keystream is truly random, as long as the message, and never reused)
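XOR stream encryption and the one-time pad, together with the failure mode the "one-time" in the name warns about: reusing the pad lets an eavesdropper cancel the key by XORing two ciphertexts. Added example, not from the original slides; the messages and pad are constructed here.

```python
"""XOR stream encryption / one-time pad and the two-time-pad mistake.
Added example, not from the original slides; inputs are constructed."""
import secrets


def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh pad from the OS CSPRNG (never derive a pad from a password)."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext, pad):
    """One-time pad: the pad must be random, at least as long as the
    message, and used once.  Decryption is the same operation, because
    (p XOR k) XOR k == p."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this is no longer a one-time pad")
    return xor_bytes(plaintext, pad[:len(plaintext)])


otp_decrypt = otp_encrypt


def two_time_pad_leak(c1, c2):
    """If one pad encrypts two messages, c1 XOR c2 == p1 XOR p2: the key
    cancels and the relationship between the plaintexts leaks."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2, known_plaintext):
    """With p1 XOR p2 in hand, a guess at p1 (a 'crib') yields p2 directly."""
    return xor_bytes(p1_xor_p2[:len(known_plaintext)], known_plaintext)


if __name__ == "__main__":
    pad = new_pad(32)
    m1 = b"attack at dawn, all units"
    m2 = b"retreat to base, stay put"
    c1 = otp_encrypt(m1, pad)
    c2 = otp_encrypt(m2, pad)           # same pad twice: the mistake
    leak = two_time_pad_leak(c1, c2)    # no key needed from here on
    print(crib_drag(leak, m1))          # b'retreat to base, stay put'
```

The same cancellation applies to any XOR stream cipher whose keystream is reused (same key and nonce), not only to a literal pad.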
Block ciphering

The plaintext is divided into fixed-size blocks.
A block cipher encrypts a group of plaintext symbols as one block.
Block ciphering

A strong cipher contains the right level of two main attributes: confusion and diffusion. Confusion is commonly achieved through substitution, diffusion through transposition. For a cipher to be considered strong, it must have both, so that recovering the key or the plaintext from the ciphertext is practically impossible. The randomness of the key values and the complexity of the mathematical functions dictate the level of confusion and diffusion involved.
ECB mode
Electronic Code Book
Each block is encrypted independently with the same key (64-bit blocks for DES, 128-bit blocks for AES).
Identical plaintext blocks give identical ciphertext blocks, so patterns in the data show through; blocks can also be reordered or replayed without detection.
CBC mode

Cipher Block Chaining

Each plaintext block is XORed with the previous ciphertext block before being encrypted.
Needs an initialization vector (IV) for the first block; the IV must be fresh and unpredictable for every message.
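ECB and CBC side by side, as an added example (not from the original slides). To stay within the standard library the block cipher underneath is a toy 4-round Feistel network keyed with HMAC-SHA256, an assumption of this example only (use AES from a vetted library in practice); the ECB and CBC constructions, PKCS#7 padding and the repeated-block check are the real thing.

```python
"""ECB vs CBC over a toy 16-byte Feistel block cipher.  Added example, not
from the original slides; the Feistel cipher is for illustration only."""
import hashlib
import hmac
import secrets

BLOCK = 16
HALF = BLOCK // 2


def new_key():
    return secrets.token_bytes(32)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Keyed round function F(k, i, half): any PRF works for a Feistel network
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7: always add 1..BLOCK bytes
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key, plaintext):
    """Each block encrypted on its own: equal plaintext blocks give equal
    ciphertext blocks, so structure in the data is visible."""
    p = pad(plaintext)
    return b"".join(block_encrypt(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(block_decrypt(key, ciphertext[i:i + BLOCK])
                          for i in range(0, len(ciphertext), BLOCK)))


def cbc_encrypt(key, plaintext, iv=None):
    """Each plaintext block is XORed with the previous ciphertext block
    (the IV for the first one) before encryption.  With a fresh random IV
    per message, equal plaintext blocks no longer give equal ciphertext."""
    iv = secrets.token_bytes(BLOCK) if iv is None else iv
    p = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(p), BLOCK):
        prev = block_encrypt(key, _xor(p[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)           # IV is not secret, send it along


def cbc_decrypt(key, ciphertext):
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        c = body[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext, skip_iv=False):
    """How many ciphertext blocks are duplicates of an earlier block."""
    body = ciphertext[BLOCK:] if skip_iv else ciphertext
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key, msg = new_key(), b"A" * 64      # four identical blocks
    print("ECB duplicate blocks:", repeated_blocks(ecb_encrypt(key, msg)))         # 3
    print("CBC duplicate blocks:", repeated_blocks(cbc_encrypt(key, msg), True))   # 0
```

The 64-byte all-"A" message pads to five blocks, four of them identical, so ECB produces three duplicate ciphertext blocks while CBC produces none; passing a fixed `iv` to `cbc_encrypt` makes two encryptions of the same message identical, which is the leak the fresh-IV rule prevents.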
Encryption algorithms

One-way functions
Symmetric algorithms
Asymmetric algorithms
Hybrid algorithms
One-way function
Definition
A one-way function (OWF) is a function f such that, for each x in the domain of f,
• it is easy to compute f(x),
• but for essentially all y in the range of f, it is computationally infeasible to find any x such that y = f(x),
• collision resistance: it is infeasible to find two distinct inputs x ≠ x' with f(x) = f(x').

Examples
• Cryptographic hash functions (e.g., SHA-256)
• Pseudo-random sequence generators built on one-way functions
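One-way functions are what make password authentication workable: the server stores f(password) and can verify a login without being able to recover the password. This added example (not from the original slides) serves both the "Passwords" slide and the one-way function definition: it shows the hardened form (salted, iterated PBKDF2-HMAC-SHA256 from the standard library, constant-time comparison) next to the "bad software development practice" of an unsalted single hash, and the only way to invert a one-way function: guessing. The user records and the iteration count are constructed assumptions.

```python
"""Password storage with a salted, iterated one-way function, and the
dictionary attack that unsalted single hashing invites.  Added example,
not from the original slides; records and parameters are constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: tune so one hash costs ~100 ms on the target


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt$hash'.  The random salt makes
    equal passwords hash differently (no precomputed tables); the iteration
    count makes every guess cost the attacker as much as it costs us."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iterations, compare in constant
    time so timing does not reveal how many leading bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def weak_hash(password):
    """The anti-pattern: unsalted single SHA-256.  Still one-way, but two
    users with the same password get the same hash, and each guess costs
    one cheap hash, so a word list breaks most of a leaked database."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, candidates, hash_fn=weak_hash):
    """Inverting a one-way function the only way available: guess and check."""
    for guess in candidates:
        if hash_fn(guess) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    leaked = weak_hash("letmein")                                     # constructed
    print(dictionary_attack(leaked, ["123456", "password", "letmein"]))  # letmein
```

The stored string carries its own algorithm, iteration count and salt, so the cost can be raised later without invalidating existing records: re-hash on the next successful login.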
Symmetric algorithm
(diagram only)

Symmetric key

The same key is used for encryption and decryption. Each party must know the key, so it has to be delivered over a channel that is itself secure.

Symmetric algorithms
(list slide, diagram only)
Asymmetric algorithm
K1 and K2 are respectively the private key and the public key.
The private key is not distributed:
• keep it secret
• used to decrypt messages encrypted with the public key
The public key is distributed:
• it has to be distributed, and the recipient must be able to verify that it really belongs to its claimed owner
• used to decrypt messages encrypted with the private key
Public key encryption
Confidentiality: anyone can encrypt with the public key; only the holder of the private key can decrypt.

Private key encryption
Non-repudiation of origin and authentication: only the holder of the private key could have produced the result, and anyone can check it with the public key. This is the principle of a digital signature (in practice computed over a hash of the message).
Asymmetric algorithms
ElGamal
Diffie-Hellman (key agreement)
RSA
DSA (signatures)
McEliece
Merkle-Hellman (knapsack; broken)
Chor-Rivest (knapsack)
Goldwasser-Micali
Blum-Goldwasser
Comparison between symmetric and asymmetric algorithms
Symmetric cipher for confidentiality
+ good performance
- key delivery problem: a secret must be shared in advance over a secure channel

Asymmetric cipher for confidentiality, integrity and authentication
- poor performance (orders of magnitude slower, and a message must be smaller than the modulus)
+ no secret key to deliver; public keys must still be distributed authentically (certificates, PKI)
Hybrid ciphering
Combine symmetric and asymmetric algorithms for secure communications:
• Asymmetric cipher for session key exchange
• Secret (session) key for fast message encryption/decryption
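The hybrid scheme end to end (this covers the scenario steps that the following slides show only as diagrams), as an added example that is not code from the original slides and not production code. Assumptions of this example: the asymmetric part is textbook RSA with 512-bit primes generated inline (no OAEP padding, so it is insecure as-is, and the key size is chosen for speed); the symmetric part is HMAC-SHA256 used as a counter-mode keystream generator, with a second HMAC as integrity tag; everything is from the standard library.

```python
"""Hybrid encryption: RSA wraps a fresh session key, a symmetric keystream
protects the message, an HMAC tag protects integrity.  Added example, not
from the original slides; textbook RSA here is for illustration only."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # right size, odd
        if is_probable_prime(n):
            return n


def rsa_keygen(bits=1024):
    """Return (public, private) as (e, n) and (d, n).  Demo size only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_encrypt(public, m):
    e, n = public
    return pow(m, e, n)


def rsa_decrypt(private, c):
    d, n = private
    return pow(c, d, n)


def keystream_xor(key, data):
    """Symmetric part: XOR data with HMAC-SHA256(key, counter) blocks."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        block = hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[ctr:ctr + 32], block))
    return bytes(out)


def _derive(session):
    # separate encryption and MAC keys from the one session key
    return (hashlib.sha256(b"enc" + session).digest(),
            hashlib.sha256(b"mac" + session).digest())


def hybrid_encrypt(public, message):
    """Sender: fresh session key, wrapped with the recipient's public key;
    the body is encrypted symmetrically and tagged."""
    session = secrets.token_bytes(32)
    enc_key, mac_key = _derive(session)
    body = keystream_xor(enc_key, message)
    return {"wrapped_key": rsa_encrypt(public, int.from_bytes(session, "big")),
            "body": body,
            "tag": hmac.new(mac_key, body, hashlib.sha256).digest()}


def hybrid_decrypt(private, packet):
    """Recipient: unwrap the session key, check the tag first, then decrypt."""
    session = rsa_decrypt(private, packet["wrapped_key"]).to_bytes(32, "big")
    enc_key, mac_key = _derive(session)
    expected = hmac.new(mac_key, packet["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("integrity check failed")
    return keystream_xor(enc_key, packet["body"])


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    pkt = hybrid_encrypt(pub, b"session keys are cheap; RSA is slow")
    print(hybrid_decrypt(priv, pkt))
```

Only 32 bytes ever go through the slow RSA operation, whatever the message size; the tag is verified before any decryption so a tampered body is rejected rather than decrypted.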
Hybrid cipher – scenario (steps 1/5 to 5/5, diagrams only)