Arab Academy for Banking and Financial sciences
PhD program Information System Security
4/11/2020 Selected Topics In IIS 1

4/11/2020






Selected Topics In IIS 2

4/11/2020 introduction



 confidentiality - prevention of unauthorized access and theft of information.
integrity - prevention of unauthorized modification of information.
availability - prevention of denial of service.
Selected Topics In IIS 3

introduction




Chinese Wall security describe how to reach these goals.
It ’ s a commercial security policy .
The Chinese Wall security policy focuses more on confidentiality .
The Chinese Wall security policy is perhaps as significant to some parts of the commercial world as
Bell and LaPadula ’ s policies are to the military .
4/11/2020 Selected Topics In IIS 4

introduction

It can be distinguished from Bell-LaPadula policies by the way that a user ’ s permitted accesses are constrained by the history of his previous accesses .
• The Chinese Wall security policy was identified by
Brewer and Nash. It is a real commercial policy which can be formally modelled. Its basic idea is to keep company information confidential and prevent it from unauthorized access of consulting services.
4/11/2020 Selected Topics In IIS 5

4/11/2020
Chinese wall Model Policy

All corporate information is stored in hierarchically arranged filling system. It consist of three levels :



At the lowest level , individual items of information (objects) is considered, each concerning a single corporation .
At the intermediate level , all objects which concern the same corporation are grouped into a company dataset .
At the highest level , all company datasets whose corporations are in competition are grouped together. Each group is referred as a conflict of interest class .
Selected Topics In IIS 6

4/11/2020 Selected Topics In IIS 7

Chinese wall Model Policy

Associated with each object is the name of the company dataset to which it belongs and the name of the conflict of interest class to which that company dataset belongs .
4/11/2020 Selected Topics In IIS 8

4/11/2020
Chinese wall Model Policy

If the system maintained information on Bank-A ,
Oil Company-A and Oil Company-B :

All objects would belong to one of three company dataset ( “ bank-A ” “ oil company-A ” or
“ oil company-B ” ) ,

There would be two conflict of interest classes
, one for banks ( containing Bank-A ’ s dataset ) and one for petroleum companies ( containing
Oil company-A ’ s and Oil company-B ’ s dataset .
Selected Topics In IIS 9

4/11/2020 Selected Topics In IIS 10

Chinese wall Model Policy

The basis of the Chinese Wall policy is that people are only allowed access to information which is not held to conflict with any other information that they already possess .
4/11/2020 Selected Topics In IIS 11

Chinese wall Model Policy

Thus , in consideration of the Bank-A , Oil
Company-A and Oil Company-B datasets , a new user may freely choose to access whatever datasets he likes ; as far as the computer is concerned a new user does not possess any information and therefore no conflict can exist .
4/11/2020 Selected Topics In IIS 12

Chinese wall Model Policy



Suppose the user accesses the Oil Company-A dataset first . The user now possess information concerning the oil company-A dataset .
Later , he requests access to the Bank-A dataset
This is quite permissible since the Bank-A and Oil company-A datasets belong to different conflict of interest classes and therefore no conflict exists .
4/11/2020 Selected Topics In IIS 13

4/11/2020 Selected Topics In IIS 14


Chinese wall Model Policy
However, if he requests access to the oil company-B dataset the request must be denied since a conflict does exist between the requested dataset ( Oil
Company-B) and one already possessed (Oil
Company-A) .
4/11/2020 Selected Topics In IIS 15

4/11/2020 Selected Topics In IIS 16

4/11/2020
Chinese wall Model Policy



It does not matter whether the oil company-A dataset was accessed before or after the Bank-A dataset .
However, were Oil Company-B to be accessed before the request to access the Oil Company-A dataset , the restrictions would be quite different .
In this case access to the Oil Company-A dataset would be denied and the user would possess {
“ Oil Company-B “ , “ Bank-A ” } ( as opposed to the request to access the oil Company-B dataset being denied and the user possessing { “ Oil
Company-A ” , “ Bank-A ” } ) .
Selected Topics In IIS 17


To realize the Chinese Wall security policy we need user labels that contain information about the user ’ s identity and objects already accessed by him. We require mechanisms that reliably provide authentication and authorization by user profiles that support an interface to software run in the world wide web.
4/11/2020 Selected Topics In IIS 18

Authentication in the world wide web




The Basic Authentication : is included in the HTTP protocol. It is based on the model that the user agent must authenticate himself with a user-ID and a password when requesting a protected document .
The server responds the request with a challenge for the authorization information of the user agent.. Now user identification and password information in the entity header are passed over the Internet in clear text as a BASE64 encoded string and the server send the requested document in response.
the Basic Authentication scheme is not a secure method of user authentication, or does it prevent the entity body from being transmitted in clear text across the physical network used as the carrier .
Basic Authentication is based on the assumption that the connection between the client and the server can be regarded as a trusted carrier. As this is generally not true on an open network .
4/11/2020 Selected Topics In IIS 19

4/11/2020 Selected Topics In IIS 20

Authentication in the world wide web
4/11/2020



The Digest Access Authentication: is an extension to the HTTP protocol. It is developed to make up the Basic Authentication deficits.
The server answers the client request with an unauthorized header and the user is provided with a dialog box to type in the user ’ s username and password.
The Digest Authentication calculates a checksum of all relevant connection data along with a server generated and sends it back to the server. The server takes the unique connection data and also creates a checksum. If the two checksums match up the server allows access to the requested document. This way, authorization is completed without sending a password across the Internet.
Selected Topics In IIS 21


Digest Authentication does not provide the encapsulation of the message content .
4/11/2020 Selected Topics In IIS 22

Authentication and Data Protection with SSL


The SSL protocol includes services for
 server/client authentication.
 encryption of data in transit, meaning privacy and data integrity.
Privacy is achieved by using symmetric cryptography.
Data integrity is ensured by Message Authentication
Check (MAC) and for authentication the Public Key
Infrastructure is used.
4/11/2020 Selected Topics In IIS 23

Authentication and Data Protection with SSL
4/11/2020 Selected Topics In IIS 24

Authentication and Data Protection with SSL



SSL protocol takes messages to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, and transmits the result. Received data is decrypted, verified, decompressed, and reassembled, then delivered to higher level clients.
The SSL session is established by a handshake sequence between client and server .
The handshake sequence consists of messages that enable negotiation of cryptographic parameters, generation of shared secrets (session keys) between client and server at the beginning of their communication
4/11/2020 Selected Topics In IIS 25

Authentication and Data Protection with SSL
4/11/2020 Selected Topics In IIS 26

Authorization in the world wide web


To realize the Chinese Wall security policy within the WWW we need a flexible authorization mechanism.
It must provide a dynamic change of the user access rights, which is an essential element of the Chinese Wall security policy. Once a user accessed a company dataset in an untouched conflict of interest class the profile must deny access rights to all other companies in this COI class.
4/11/2020 Selected Topics In IIS 27

Authorization in the world wide web
4/11/2020 Selected Topics In IIS 28




4/11/2020 Selected Topics In IIS 29