Chinese wall model in the internet Environment

1
Chinese wall model in the internet Environment
Arab Academy for Banking and Financial sciences
PhD program Information System Security
Prepared to Dr.Loai Tawalbeh Presented by
Marwan Al_Abed Abu_Zanona
2
Agenda

• Introduction
• Chinese wall Model Policy
• Simple security rule
• Chinese wall in www .
• Authentication .
• Authorization .

3
introduction

• The goals most often specified in a security
  policy are
• confidentiality - prevention of unauthorized
  access and theft of information.
• integrity - prevention of unauthorized
  modification of information.
• availability - prevention of denial of service.

4
introduction

• Chinese Wall security describe how to reach these
  goals.
• Its a commercial security policy .
• The Chinese Wall security policy focuses more on
  confidentiality .
• The Chinese Wall security policy is perhaps as
  significant to some parts of the commercial world
  as Bell and LaPadulas policies are to the
  military .

5
introduction

• It can be distinguished from Bell-LaPadula
  policies by the way that a users permitted
  accesses are constrained by the history of his
  previous accesses .
• The Chinese Wall security policy was identified
  by Brewer and Nash. It is a real commercial
  policy which can be formally modelled. Its basic
  idea is to keep company information confidential
  and prevent it from unauthorized access of
  consulting services.

6
Chinese wall Model Policy

• All corporate information is stored in
  hierarchically arranged filling system. It
  consist of three levels
• At the lowest level , individual items of
  information (objects) is considered, each
  concerning a single corporation .
• At the intermediate level , all objects which
  concern the same corporation are grouped into a
  company dataset .
• At the highest level , all company datasets whose
  corporations are in competition are grouped
  together. Each group is referred as a conflict of
  interest class .

7
(No Transcript)
8
Chinese wall Model Policy

• Associated with each object is the name of the
  company dataset to which it belongs and the name
  of the conflict of interest class to which that
  company dataset belongs .

9
Chinese wall Model Policy

• If the system maintained information on Bank-A ,
  Oil Company-A and Oil Company-B
• All objects would belong to one of three company
  dataset ( bank-A oil company-A or oil
  company-B ) ,
• There would be two conflict of interest classes ,
  one for banks ( containing Bank-As dataset )
  and one for petroleum companies ( containing Oil
  company-As and Oil company-Bs dataset .

10
(No Transcript)
11
Chinese wall Model Policy

• The basis of the Chinese Wall policy is that
  people are only allowed access to information
  which is not held to conflict with any other
  information that they already possess .

12
Chinese wall Model Policy

• Thus , in consideration of the Bank-A , Oil
  Company-A and Oil Company-B datasets , a new
  user may freely choose to access whatever
  datasets he likes as far as the computer is
  concerned a new user does not possess any
  information and therefore no conflict can exist .

13
Chinese wall Model Policy

• Suppose the user accesses the Oil Company-A
  dataset first . The user now possess information
  concerning the oil company-A dataset .
• Later , he requests access to the Bank-A dataset
• This is quite permissible since the Bank-A and
  Oil company-A datasets belong to different
  conflict of interest classes and therefore no
  conflict exists .

14
(No Transcript)
15
Chinese wall Model Policy

• However, if he requests access to the oil
  company-B dataset the request must be denied
  since a conflict does exist between the requested
  dataset ( Oil Company-B) and one already
  possessed (Oil Company-A) .

16
(No Transcript)
17
Chinese wall Model Policy

• It does not matter whether the oil company-A
  dataset was accessed before or after the Bank-A
  dataset .
• However, were Oil Company-B to be accessed before
  the request to access the Oil Company-A dataset ,
  the restrictions would be quite different .
• In this case access to the Oil Company-A dataset
  would be denied and the user would possess Oil
  Company-B , Bank-A ( as opposed to the
  request to access the oil Company-B dataset being
  denied and the user possessing Oil Company-A
  , Bank-A ) .

18
Chinese Wall Model In www

• To realize the Chinese Wall security policy we
  need user labels that contain information about
  the users identity and objects already accessed
  by him. We require mechanisms that reliably
  provide authentication and authorization by user
  profiles that support an interface to software
  run in the world wide web.

19
Authentication in the world wide web

• The Basic Authentication is included in the
  HTTP protocol. It is based on the model that the
  user agent must authenticate himself with a
  user-ID and a password when requesting a
  protected document .
• The server responds the request with a challenge
  for the authorization information of the user
  agent.. Now user identification and password
  information in the entity header are passed over
  the Internet in clear text as a BASE64 encoded
  string and the server send the requested document
  in response.
• the Basic Authentication scheme is not a secure
  method of user authentication, or does it prevent
  the entity body from being transmitted in clear
  text across
• the physical network used as the carrier .
• Basic Authentication is based on the assumption
  that the connection between the client and the
  server can be regarded as a trusted carrier. As
  this is generally not true on an open network .

20
Basic Authentication
21
Authentication in the world wide web

• The Digest Access Authentication is an
  extension to the HTTP protocol. It is developed
  to make up the Basic Authentication deficits.
• The server answers the client request with an
  unauthorized header and the user is provided with
  a dialog box to type in the users username
• and password.
• The Digest Authentication calculates a checksum
  of all relevant connection data along with a
  server generated and sends it back to the server.
  The server takes the unique connection data and
  also creates a checksum. If the two checksums
  match up the server allows access to the
  requested document. This way, authorization is
  completed without sending a password across the
  Internet.

22
Digest Access Authentication

• Digest Authentication does not provide the
  encapsulation of the message content .

23
Authentication and Data Protection with SSL

• The SSL protocol includes services for
• server/client authentication.
• encryption of data in transit, meaning privacy
  and data integrity.
• Privacy is achieved by using symmetric
  cryptography. Data integrity is ensured by
  Message Authentication Check (MAC) and for
  authentication the Public Key Infrastructure is
  used.

24
Authentication and Data Protection with SSL
25
Authentication and Data Protection with SSL

• SSL protocol takes messages to be transmitted,
  fragments the data into manageable blocks,
  optionally compresses the data, applies a MAC,
  encrypts, and transmits the result. Received data
  is decrypted, verified, decompressed, and
  reassembled, then delivered to higher level
  clients.
• The SSL session is established by a handshake
  sequence between client and server .
• The handshake sequence consists of messages that
  enable negotiation of cryptographic parameters,
  generation of shared secrets (session keys)
  between client and server at the beginning of
  their communication

26
Authentication and Data Protection with SSL
27
Authorization in the world wide web

• To realize the Chinese Wall security policy
  within the WWW we need a flexible authorization
  mechanism.
• It must provide a dynamic change of the user
  access rights, which is an essential element of
  the Chinese Wall security policy. Once a user
  accessed a company dataset in an untouched
  conflict of interest class the profile must deny
  access rights to all other companies in this COI
  class.

28
Authorization in the world wide web
29
Authorization Mechanisms

• Authorization by user profiles
• Authorization by certificates
• The Open Profiling Standard