Security & Robustness Flashcards
What are the 4 pillars of security?
- Authentication
- Authorisation
- Integrity & Non-repudiation
- Confidentiality
Name 3 forms of authentication
- password controlled access
- pre-registration scheme
- self-registration scheme
Briefly describe 4 different types of authorisation (access control)
- Mandatory: for high security systems, permissions given by security manager for threads to touch certain data
- Discretionary - users set access rights to files
- Role-based - users are granted certain roles, which have certain access permissions
- Lattice-based - users must exceed access level of object
What are the 5 security elements of the Java security manager?
- Permissions; actions code can perform
- Code sources; origins of code
- Protection domains; maps permissions to code sources
- Key stores; digital signatures
- Policy files; lists permissions
What are the main technologies associated with secure transmission of data?
- digital signatures
- digital certificates
- message digests (digital fingerprints)
What is a cryptographic hash?
- Function that converts a string into a limited length hashcode
- keyless algorithm; easy to compute
- hard to recover original message
- hard to obtain collisions (messages that have same hashcode)
- discontinuous mapping; similar messages don't have similar hashcodes
Describe what happens during a simple message digest and its weakness
- sender sends message m and digest d = h(m)
- receiver computes d’ = h(m) and then checks if d = d’
- if not, message has been tampered with
weakness is if d and m are both modified during transit
Describe what a message authentication code is? (complex message digest)
- users have shared password P
- sender computes digest d = h(p||m)
- sender computes mac = h(p||d)
- sends message m and mac
- receiver computes digest d’ = h(p||m)
- receiver checks mac’ = h(p||d’)
What is symmetric key encryption? What are its issues?
- both parties use same key for encryption and decryption
issues:
- key sharing
- key management
What is public/private key encryption? How does it solve issues of symmetric key encryption?
use 2 related prime keys
- sender encrypts with public key
- receiver decrypts with private key
- no key transmission issues
- no key management issues
What is a digital signature?
- combination of message digest & extra encryption
- authenticates sender, and message integrity
- sender encrypts digest with own private key
- receiver decrypts digest with sender's public key
What is a digital certificate?
Certifying authority vouches for a 3rd party by issuing a digital certificate
What do we look at to see if systems are robust?
- if a system is distributed & has redundancy
- available under stress
- failsafe transactions
- penetration resistant
What is meant by physical protection of data?
- multiple copies of database in separate locations
- regular backups of whole dataset to remote locations
- data storage in the cloud
- use RAID architecture (redundant array of independent disks)
What is an SQL view?
- derived table; computed from other tables
- enhances usability and security in large databases
- can be inefficient as it hides a complex subquery