Unit 5: Networking and Cryptography PDF
Marwadi University
Sheth Niraj

Summary
These lecture notes cover various aspects of computer security, including smart cards, zero-knowledge protocols, and enterprise application security. They provide an overview of these topics, explaining the concepts and their potential applications.
Unit#5 Other Security issues
Department of Computer Application
05CS2101 Networking and Cryptography
Subject: CRYPTOGRAPHY
Asst. Prof. Sheth Niraj

UNIT - 5 contents:
Smart Cards and Security
Zero Knowledge Protocol
Enterprise Application Security
Biometric Authentication
Database Access Control
Security and Privacy Issues in RFIDs

Smart Cards and Security

Smart cards are small plastic cards embedded with an integrated microchip that can store and process data securely. These cards are widely used in many sectors for identification, secure payment, access control, and data storage. Unlike traditional magnetic stripe cards, smart cards provide enhanced security because they can process data directly on the card, often including cryptographic operations. With integrated cryptographic capabilities, smart cards strengthen security in many applications by offering robust protection mechanisms.

Types of Smart Cards
Contact Smart Cards: These cards require direct contact with a reader. The microchip is accessed when the card is inserted into a terminal.
Contactless Smart Cards: These use radio frequency (RF) technology to communicate with readers without physical contact. They are popular in transit systems and access control.
Dual-Interface Smart Cards: These combine both contact and contactless technologies, providing flexibility for multiple applications.

Uses of Smart Cards

Banking and Payments
Credit and Debit Cards: Smart cards used as credit and debit cards offer secure transactions with chip-and-PIN (or chip-and-signature) technology, following EMV standards (Europay, MasterCard, and Visa).
Stored Value Cards: Prepaid cards for public transit, vending machines, and toll booths allow secure payment without handling cash.

Identification and Authentication
Government IDs and Passports: Many countries use smart card technology in passports and ID cards to securely store personal information and biometric data.
Employee ID Cards: Companies issue smart ID cards that provide secure building access and let employees log in to computers securely.

Healthcare
Health Insurance Cards: Smart health cards securely store patient information and insurance details, making it easier to verify eligibility and improve privacy.
Patient Data Cards: Used to store medical history and emergency contact information, helping healthcare providers access critical information quickly.

Access Control
Building and Room Access: Smart cards are widely used as access cards in office buildings, hotels, and other restricted areas, where they can be programmed to grant specific access permissions.
Digital Access: Some smart cards allow secure access to computers and networks by acting as the physical factor in two-factor authentication.

Telecommunications
SIM Cards: Smart card technology is the basis of SIM (Subscriber Identity Module) cards, which store subscriber information securely in mobile phones.

Loyalty and Membership Programs
Smart cards can store loyalty points or membership information for retail stores, airlines, and clubs, streamlining rewards programs and enhancing the customer experience.

How Smart Cards Provide Security

1. Authentication
Two-Factor Authentication (2FA): Smart cards often require a PIN in addition to the physical card, creating a two-factor authentication process.
Mutual Authentication: The card and the reader verify each other's identities, reducing the risk of unauthorized access.

2. Multi-Application Support
Some smart cards, such as Java Cards, can run multiple applications, allowing them to be used securely for various purposes (e.g., access control, payment, and healthcare information storage).

3. Encryption and Cryptography
Public Key Infrastructure (PKI): Smart cards can store digital certificates, enabling them to use asymmetric encryption (e.g., RSA) for secure communications.
Symmetric Encryption: Smart cards can also use symmetric encryption to securely store and transmit data.
Digital Signatures: The card can generate digital signatures, ensuring data integrity and authenticity for sensitive operations.

4. Anti-Fraud and Anti-Counterfeiting
Chip Authentication Program (CAP): Developed for payment cards, CAP authenticates cardholders and detects potential fraud.
EMV Standards: For payment cards, EMV (Europay, MasterCard, Visa) standards prevent unauthorized card replication by using dynamic data for each transaction.

5. Data Protection
Secure Storage: Sensitive information, like biometric data or personal identifiers, is stored in the card's secure memory.
Access Control: Security features in the smart card's operating system ensure that only authorized software can read or write data.
Tamper Resistance: Many smart cards have mechanisms to detect tampering attempts, like voltage monitoring and protection against side-channel attacks.

Examples of Smart Card Applications
Banking and Payments: Credit and debit cards with chips follow EMV standards for secure transactions.
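The "mutual authentication" and "dynamic data for each transaction" mechanisms described in the smart-card security list above can be seen in a small challenge-response simulation. The following Python code is an added example written for these notes; it is not from the lecture material and does not follow any real EMV or CAP message format. The shared symmetric key, the 8-byte nonces, the HMAC-SHA256 cryptogram and the message layout are all assumptions chosen for the illustration.

```python
# Added illustrative example: challenge-response mutual authentication between a
# smart card and a reader. Not a real EMV/CAP format; key size, nonce size and
# message layout are assumptions made for the demonstration.
from __future__ import annotations
import hashlib
import hmac
import secrets
from typing import Optional


class SmartCard:
    """Holds a per-card secret key in 'secure memory' and answers reader challenges."""

    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key  # never leaves the card; only cryptograms derived from it do

    def respond(self, reader_nonce: bytes, amount: int) -> tuple[bytes, bytes]:
        """Return (card_nonce, cryptogram) bound to this transaction's dynamic data."""
        card_nonce = secrets.token_bytes(8)
        msg = self.card_id + reader_nonce + card_nonce + amount.to_bytes(4, "big")
        cryptogram = hmac.new(self._key, msg, hashlib.sha256).digest()
        return card_nonce, cryptogram

    def verify_reader(self, card_nonce: bytes, reader_proof: bytes) -> bool:
        """Second half of mutual authentication: the card checks the reader's proof."""
        expected = hmac.new(self._key, b"reader-ack" + card_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reader_proof)


class Reader:
    """Terminal-side verifier that can look up each card's key (e.g. via an issuer HSM)."""

    def __init__(self, keys: dict):
        self._keys = keys
        self.last_nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; this is what makes each transaction's data dynamic."""
        self.last_nonce = secrets.token_bytes(8)
        return self.last_nonce

    def verify_card(self, card_id: bytes, card_nonce: bytes, amount: int,
                    cryptogram: bytes) -> Optional[bytes]:
        """Check the card's cryptogram; on success return the reader's own proof."""
        key = self._keys.get(card_id)
        if key is None or self.last_nonce is None:
            return None
        msg = card_id + self.last_nonce + card_nonce + amount.to_bytes(4, "big")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return None
        return hmac.new(key, b"reader-ack" + card_nonce, hashlib.sha256).digest()


def run_transaction(card: SmartCard, reader: Reader, amount: int) -> bool:
    """Full exchange; True only if card and reader each authenticated the other."""
    n_r = reader.challenge()
    n_c, cryptogram = card.respond(n_r, amount)
    proof = reader.verify_card(card.card_id, n_c, amount, cryptogram)
    return proof is not None and card.verify_reader(n_c, proof)


def replayed_response_accepted(card: SmartCard, reader: Reader, amount: int) -> bool:
    """Would a recorded cryptogram be accepted against a later challenge? (It should not.)"""
    n_r = reader.challenge()
    n_c, cryptogram = card.respond(n_r, amount)  # genuine response, recorded
    reader.challenge()                            # reader now expects a new nonce
    return reader.verify_card(card.card_id, n_c, amount, cryptogram) is not None
```

Because the reader's nonce and the transaction amount are folded into the cryptogram, a response recorded from one transaction does not verify against the next challenge, which is the property the notes attribute to EMV's per-transaction dynamic data; `hmac.compare_digest` is used so that verification time does not depend on how many bytes match.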
Government and Identification: Many government IDs, driver's licenses, and passports use smart card technology to securely store personal data.
Healthcare: Smart health cards securely store patient information and insurance data.
Access Control: Smart cards are commonly used for physical and logical access to restricted areas or computer systems.

Zero Knowledge Protocol

Zero-Knowledge Protocols (ZKPs) are cryptographic methods that allow one party (the "prover") to prove to another party (the "verifier") that they know a piece of information without revealing the information itself. This means the prover can confirm they have access to specific data or a solution without disclosing the data, maintaining privacy and security. A Zero Knowledge Protocol (or Zero Knowledge Password Proof, ZKP) is a way of doing authentication in which no passwords are exchanged, which means they cannot be stolen.

This is useful because it makes your communication so secure and protected that nobody else can find out what you are communicating about or what files you are sharing with each other. ZKP allows you to prove that you know some secret (or many secrets) to somebody at the other "end" of the communication without actually revealing it. The term "zero knowledge" comes from the fact that no ("zero") information about the secret is revealed, yet the second party (the "Verifier") is rightfully convinced that the first party (the "Prover") knows the secret in question.
[Figure: Zero Knowledge Protocol]

Key Concepts of Zero-Knowledge Protocols
For a protocol to be "zero-knowledge," it must satisfy three main properties:
Completeness: If the prover has the information and follows the protocol, the verifier will be convinced of this fact with high probability.
Soundness: If the prover does not possess the information, they cannot convince the verifier otherwise, except with very low probability. This prevents the prover from lying about their knowledge.
Zero-Knowledge: The verifier learns nothing other than the fact that the prover has the information. No extra information about the actual data is revealed.

How Zero-Knowledge Protocols Work
ZKPs typically involve several rounds of interaction in which the prover provides evidence, often in a randomized way, that they know a piece of information. Here is a simple outline:
Setup Phase: The prover and verifier agree on specific parameters for the protocol.
Challenge Phase: The verifier generates a random challenge.
Response Phase: The prover responds in a way that "proves" they have the required knowledge without disclosing it.
Verification Phase: The verifier checks the prover's response to ensure it is consistent with someone who actually has the knowledge.

Example of a Zero-Knowledge Protocol
A simple example that illustrates how a zero-knowledge proof works is the switching of two glasses of soda: one glass is filled with Pepsi and the other with Coke.
The two glasses are identical in every way, so there is no way to tell which one contains Pepsi and which contains Coke. However, one party (the prover) claims they can tell perfectly which glass has Pepsi and which has Coke, without revealing how they reach that conclusion. They therefore need to prove to the other party (the verifier) that they know which glass contains Coke without actually telling the verifier which glass it is.

[Figure: Zero Knowledge Protocol]

One way to do this is to blindfold the verifier and then decide either to switch the glasses or to leave them as they were. Once the blindfold is off, ask whether the glasses were switched or not. If the prover can tell whether you switched the glasses, it suggests they know how to distinguish the two. However, it may have been a lucky guess: a single guess is correct with probability 0.5. Repeat the test many times; if the prover still answers correctly every time, this shows that they really can distinguish the two glasses, without revealing how they do it.

Let's take another example, illustrated with Bob and Alice, who got some chocolate bars for Halloween. They would like to know whether they received the same amount of candy without disclosing their number of chocolates, because they don't want to share. Let's assume each of them can have exactly 10, 20, 30, or 40 chocolate bars in their trick-or-treat bag.
To compare the number of chocolate bars they got without sharing the actual number, Bob gets 4 lockable boxes and puts a label on each that says 10, 20, 30 or 40 (chocolate bars). Then Bob throws away all the keys except the key to the box that corresponds to the number of chocolate bars he has (let's say he has 20 chocolate bars) and leaves.

Alice takes 4 small pieces of paper and writes "+" on one of them and "-" on all the others. Then she slips the "+" piece through a slot into the box whose number corresponds to the number of candies she has (let's say she has 30 candy bars), slips the pieces of paper with "-" on them into the rest of the boxes, and also leaves.

Bob returns and opens the one box he still has the key to, the one that corresponds to the amount of candy he has, and sees whether it contains "+" or "-". If it is a "plus", Alice has the same number of chocolate bars in her bag. If the slip of paper says "-", they have a different amount of candy (but still will not share with each other).

We know that Bob's bag contains 20 chocolate bars and Alice's 30 chocolate bars. By opening the box and finding the piece of paper with a "minus" on it, Bob learns that he and Alice have different amounts of candy. But he has no way of finding out whether Alice has more or fewer chocolate bars.
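Both toy protocols above, the repeated soda-glass test and the chocolate-bar boxes, can be simulated to make the completeness, soundness and zero-knowledge properties concrete. The following Python code is an added example written for these notes, not part of the lecture material; the use of a seeded random generator, the function names and the round counts are assumptions made for the simulation.

```python
# Added illustrative example (not from the lecture notes): simulations of the
# soda-glass test and the chocolate-bar box protocol described above.
import random

# --- 1. Soda-glass test: repeated challenge/response and the soundness bound ---

def soda_glass_test(prover_can_distinguish: bool, rounds: int, seed: int = 0) -> bool:
    """Run the blindfold test for `rounds` rounds; True if the verifier is convinced.

    Setup: the glasses are arranged in a fixed, secret way.
    Challenge: the verifier randomly swaps the glasses or leaves them.
    Response: an honest prover reports the swap correctly; a cheater can only guess.
    Verification: one wrong answer rejects the prover.
    """
    rng = random.Random(seed)
    for _ in range(rounds):
        swapped = rng.random() < 0.5          # verifier's random challenge
        if prover_can_distinguish:
            answer = swapped                   # completeness: honest prover is always right
        else:
            answer = rng.random() < 0.5        # soundness: cheater succeeds by luck only
        if answer != swapped:
            return False
    return True

def cheater_success_bound(rounds: int) -> float:
    """Probability that a guessing prover passes every round (soundness error)."""
    return 0.5 ** rounds

def estimate_cheater_success(rounds: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the bound above, for comparison."""
    passed = sum(soda_glass_test(False, rounds, seed + i) for i in range(trials))
    return passed / trials

# --- 2. Chocolate-bar boxes: an equality test that reveals nothing else ---

COUNTS = (10, 20, 30, 40)   # the possible bag contents assumed in the notes

def box_protocol(bob_count: int, alice_count: int) -> tuple:
    """Return (verdict, what_bob_saw, what_alice_saw).

    Bob keeps only the key to the box labelled with his count; Alice drops "+"
    into the box labelled with her count and "-" into the others. Each party
    ends up seeing a single slip, never the other party's number.
    """
    if bob_count not in COUNTS or alice_count not in COUNTS:
        raise ValueError("counts must be one of the labelled boxes")
    # Alice's slips, one per labelled box; she never learns which key Bob kept.
    slips = {label: ("+" if label == alice_count else "-") for label in COUNTS}
    # Bob can open exactly one box: the one matching his own count.
    bob_sees = slips[bob_count]
    # Alice later sees the same slip Bob pulled out; nothing more is disclosed.
    alice_sees = bob_sees
    verdict = "same" if bob_sees == "+" else "different"
    return verdict, bob_sees, alice_sees
```

With 20 bars for Bob and 30 for Alice the protocol returns "different", and the only value either party observes is a single "-" slip, which is consistent with Alice holding 10, 30 or 40; the soda-glass estimate shows the cheater's success rate falling towards 0.5 raised to the number of rounds.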
Alice also returns and sees that Bob has a piece of paper with a "minus" on it, so he has a different amount of candy. But Alice and Bob still don't know how many chocolate bars each of them has. They only know that they don't have the same amount.

Applications of Zero-Knowledge Protocols
Authentication: ZKPs are used in password-free authentication, where a user can prove they know a password without revealing it, reducing the risk of interception or data leakage.
Secure Voting Systems: Voters can prove they have voted without revealing their choice, ensuring both privacy and verification.
Blockchain and Cryptocurrencies: Protocols like zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Arguments of Knowledge) are used in privacy-focused cryptocurrencies like Zcash, allowing users to prove that transactions are valid without revealing transaction details.
Access Control: Secure access to systems can use ZKP to verify a user's access rights without transmitting sensitive information.
Data Privacy in Compliance: In regulatory compliance, companies can prove they meet certain standards or possess certain data without revealing confidential information.

Enterprise Application Security

Enterprise Application Security is the practice of protecting applications and the data they process from security threats, specifically in the context of large organizations.
With the rise of sophisticated cyber attacks, complex software ecosystems, and an increasing reliance on applications for critical business functions, enterprise application security has become essential. The goal is to safeguard applications across their lifecycle, from development to deployment and maintenance, against unauthorized access, data breaches, and other threats.

Key Components of Enterprise Application Security

Application Layer Security
Ensures security measures are integrated into the application itself. This includes authentication mechanisms, encryption, input validation, and secure session management. Protecting the application layer is crucial, as it directly interfaces with users and is often the primary target of attacks.

Identity and Access Management (IAM)
IAM solutions control who can access specific resources within applications. They implement multi-factor authentication (MFA), single sign-on (SSO), role-based access control (RBAC), and least-privilege access principles to limit user permissions based on roles.

Data Security
This involves protecting sensitive data within applications, often through data encryption, tokenization, and masking. Sensitive data, whether stored (data at rest) or transmitted (data in transit), must be safeguarded to prevent unauthorized access or theft.

Application Security Testing (AST)
Static Application Security Testing (SAST): Scans application source code for vulnerabilities during development.
Dynamic Application Security Testing (DAST): Tests running applications, often in a staging environment, to simulate potential attacks.
Interactive Application Security Testing (IAST): Analyzes applications while they run to identify vulnerabilities that are difficult to detect through static or dynamic analysis alone.

Vulnerability Management
Continuously identifying, assessing, and mitigating vulnerabilities is crucial. This often involves routine scanning, regular patching of software, and updating libraries and dependencies to address known security flaws.

Threat Modeling and Risk Assessment
Identifying potential threats, assessing risks, and developing strategies to mitigate or eliminate those risks is foundational. Threat modeling helps anticipate how an application might be attacked and plan accordingly.

API Security
APIs (Application Programming Interfaces) are common in modern enterprise applications, allowing components to communicate. API security ensures that APIs are designed to prevent unauthorized access and misuse, often through secure coding practices, OAuth for access control, and API gateways.

DevSecOps (Development, Security, and Operations)
Integrates security into the DevOps pipeline to catch security issues early in the software development lifecycle. Automated testing and code analysis tools help developers catch vulnerabilities during development, while security policies and monitoring ensure secure deployment.

Logging, Monitoring, and Incident Response
Logging and monitoring application activity can detect unusual behavior that may indicate a security breach. A robust incident response plan allows organizations to respond quickly and effectively to minimize the impact of security incidents.
Security Awareness and Training
Employees and developers need ongoing security training to recognize risks, follow secure coding practices, and understand their role in protecting enterprise applications.

Common Threats to Enterprise Applications

Injection Attacks
SQL injection, cross-site scripting (XSS), and other injection attacks exploit application vulnerabilities to execute unauthorized commands or steal data.

Cross-Site Scripting (XSS)
Attackers inject malicious scripts into web pages viewed by other users, allowing them to steal session cookies, credentials, and other sensitive information.

Cross-Site Request Forgery (CSRF)
This attack tricks a user into executing unwanted actions, like fund transfers or data changes, on a web application where they are already authenticated.

Malware and Ransomware
Malware can infiltrate applications to exfiltrate data, disrupt operations, or encrypt data for ransom.

Broken Authentication and Session Management
Insecure handling of authentication tokens and session data can allow attackers to impersonate users and access restricted areas of an application.

API Vulnerabilities
Unsecured APIs can expose sensitive data and functionality, making them a significant target for attackers.

Benefits of Enterprise Application Security
Data Protection and Privacy: Prevents unauthorized access and data breaches, ensuring compliance with data privacy regulations (e.g., GDPR, HIPAA).
Business Continuity: Minimizes the risk of cyberattacks that could disrupt business operations.
Customer Trust: Demonstrates commitment to security and builds customer confidence.
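The injection threats listed above (SQL injection and XSS) are easiest to understand when the vulnerable code sits next to its hardened form. The following Python code is an added example written for these notes, not part of the lecture material; the in-memory SQLite table, the two sample accounts and the test inputs are constructed for the demonstration.

```python
# Added illustrative example (not from the lecture notes): a string-built SQL
# query next to its parameterized form, and raw HTML output next to an escaped
# form. Table contents and test inputs are constructed for the demonstration.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds SQL by concatenation: the input becomes part of the statement."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value, so input can never change the SQL."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_vulnerable(display_name: str) -> str:
    """Reflects user-controlled text straight into HTML (an XSS sink)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_greeting_escaped(display_name: str) -> str:
    """Hardened form: HTML-encode untrusted text before placing it in markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo() -> dict:
    """Run both lookups and both renderers on textbook test inputs."""
    conn = make_db()
    tautology = "' OR '1'='1"             # the classic textbook injection input
    script = "<script>alert(1)</script>"  # constructed XSS test string
    return {
        "vuln_rows": len(lookup_vulnerable(conn, tautology)),     # WHERE clause bypassed
        "safe_rows": len(lookup_parameterized(conn, tautology)),  # input treated as a literal
        "vuln_html": render_greeting_vulnerable(script),
        "safe_html": render_greeting_escaped(script),
    }
```

The parameterized lookup returns no rows for the same input that makes the concatenated query return every account, and the escaped renderer turns the angle brackets into entities so the browser shows the text instead of executing it; this is the input-validation and output-encoding discipline the "Application Layer Security" component calls for.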
Compliance: Ensures alignment with regulatory and industry standards, reducing legal and financial risks.

Biometric Authentication

Biometric Authentication is a security process that verifies a person's identity based on unique biological characteristics. Unlike passwords or PINs, biometrics provide a higher level of security because they rely on physical attributes or behaviors that are difficult to replicate or steal. Biometric authentication is widely used in mobile devices, secure buildings, banking systems, and many other applications requiring strong, reliable identity verification.

[Figure: Biometric Authentication]

Types of Biometric Authentication
Fingerprint Recognition: Scans the unique patterns of ridges and valleys on a person's finger. Fingerprint authentication is commonly used on smartphones, laptops, and access control systems.
Facial Recognition: Uses facial features (e.g., the distance between the eyes, nose shape) to identify a person. Advanced algorithms ensure that the system is resistant to photos or videos.
Hand Geometry Recognition: Measures the size, shape, and proportions of a person's hand. Though less unique than other biometrics, it is used in certain access control systems.
Iris and Retina Scanning
Iris Scanning: Analyzes the unique patterns in the colored part of the eye (the iris). It is very precise and hard to duplicate.
Retina Scanning: Maps the pattern of blood vessels in the retina.
This is also very accurate but requires close proximity, making it less convenient.
Voice Recognition: Analyzes vocal characteristics like pitch, tone, and rhythm. This type is often used for phone-based authentication.
Behavioral Biometrics: Analyzes behavioral patterns, such as typing speed, gait, and smartphone usage. These methods are often combined with other biometrics in continuous authentication.
Vein Recognition: Maps the unique vein patterns in a person's finger or hand. It is highly accurate and more secure than fingerprints, as veins are located below the skin.
Signature Recognition: Analyzes the way a person writes their signature, including speed, pressure, and the order of strokes. Though commonly used, it is less secure than physiological biometrics.

How Biometric Authentication Works
Enrollment: The first time a user accesses the system, a biometric template is created. The biometric data is captured, processed, and stored as a mathematical representation.
Verification and Matching: During authentication, the system captures a new sample of the biometric trait and compares it with the stored template. If the samples match within an acceptable threshold, access is granted.
Continuous Authentication (Optional): Some systems use behavioral biometrics to continuously verify a user's identity. This ensures that unauthorized users are detected even if they gain initial access.
[Figure: Biometric Authentication]
[Figure: Fingerprint recognition steps]
[Figure: Face recognition process]
[Figure: Iris identification steps]
[Figure: Vein recognition system]

Signature verification process
It verifies the following things during authentication:
the angle at which the pen is held,
the number of times the pen is lifted,
the time it takes to write the entire signature,
the pressure exerted by the person while signing,
the variations in the speed with which different parts of the signature are written.

Security and Privacy Concerns with Biometric Authentication
Spoofing and Presentation Attacks: Attackers may use fake fingerprints, photos, or voice recordings to trick the system. Advanced systems use anti-spoofing techniques, such as liveness detection, to counteract these attacks.
Data Breach Risks: Biometric data is sensitive and difficult to change if compromised. A breach of biometric templates could lead to severe privacy issues since, unlike passwords, biometrics cannot be easily reset.
Privacy Concerns: Some people are concerned about biometric data collection and misuse. Organizations must comply with privacy laws (e.g., GDPR) and limit biometric data usage to prevent abuse.
Template Storage and Encryption: Biometric data is typically stored as encrypted templates rather than raw images, making it harder to misuse if accessed. Storing data securely is critical to preventing leaks or theft.
Applications of Biometric Authentication
Mobile Devices: Many smartphones use fingerprint, facial recognition, or even iris scanning for unlocking the device, securing apps, or authorizing payments.
Banking and Financial Services: Banks use biometric authentication to improve security for online banking, ATMs, and mobile applications, helping to prevent fraud.
Workplace Access Control: Biometric ID cards or access control systems secure buildings, data centers, and restricted areas, ensuring only authorized employees gain entry.
Government and Border Control: Biometrics like facial recognition, fingerprinting, and iris scanning are used for national IDs, passports, and border security.
Healthcare: Hospitals use biometrics for patient identification and access control, enhancing data security and ensuring accurate patient information.
Continuous Authentication for Cyber Security: Behavioural biometrics are used for continuous monitoring in high-security environments to detect unusual user behaviour and prevent unauthorized access.

Advantages of Biometric Authentication
Enhanced Security: Biometric traits are harder to replicate than passwords, making it more difficult for unauthorized users to gain access.
Convenience and Ease of Use: Biometric authentication is typically fast and does not require users to remember passwords, reducing friction in the authentication process.
Non-Transferable: Biometric traits are unique to each individual, meaning they cannot be shared or forgotten like passwords.
Reduced Risk of Identity Theft: Biometrics minimize the risks of identity theft and fraud, as they are much harder to replicate or steal than traditional credentials.
Disadvantages of Biometric Authentication
Privacy and Ethical Issues: The storage and use of biometric data raise concerns about privacy, surveillance, and misuse of personal data.
False Acceptance and Rejection Rates: No biometric system is 100% accurate. False positives and false negatives may occur, potentially leading to unauthorized access or denial of legitimate access.
High Implementation Cost: Biometric systems require specialized hardware and software, making initial implementation costly.
Security Risks in Case of Breaches: If biometric data is stolen, it cannot be changed, unlike a password. This creates potential long-term risks.

Best Practices for Biometric Authentication Implementation
Use Multi-Factor Authentication (MFA): Pair biometric authentication with another factor (like a PIN or password) for added security, particularly in high-risk applications.
Encrypt Biometric Data: Store biometric templates as encrypted data to protect against data breaches and comply with privacy regulations.
Regularly Update and Audit Systems: Ensure that biometric systems are updated to detect new forms of spoofing and cyber threats, with regular audits to maintain security standards.
Use Liveness Detection Techniques: Incorporate liveness detection to verify that the biometric sample (e.g., fingerprint, face) is from a real, live person.
Limit Data Retention and Ensure Compliance: Comply with data privacy regulations (GDPR, CCPA) by minimizing data retention, obtaining consent, and providing transparency on data usage.
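The "match within an acceptable threshold" step from the verification phase and the false acceptance / false rejection trade-off listed under the disadvantages can be simulated with a simple template matcher. The following Python code is an added example written for these notes, not part of the lecture material. It models templates as 256-bit codes compared by Hamming distance (an iris-code style comparison), and the enrolled templates and the noisy recaptures are constructed with a seeded random generator; the bit length, noise level and user counts are assumptions.

```python
# Added illustrative example (not from the lecture notes): threshold matching of
# bit-string biometric templates and estimation of FAR/FRR at a given threshold.
# Templates and recaptures are constructed with a seeded generator.
import random

TEMPLATE_BITS = 256   # assumed template length


def hamming_distance(a: int, b: int) -> int:
    """Number of differing bits between two equal-length templates."""
    return bin(a ^ b).count("1")


def normalized_distance(a: int, b: int) -> float:
    """Fraction of bits that differ, in [0, 1]; 0 means identical."""
    return hamming_distance(a, b) / TEMPLATE_BITS


def matches(stored: int, sample: int, threshold: float) -> bool:
    """Verification step: grant access if the sample is within the threshold."""
    return normalized_distance(stored, sample) <= threshold


def noisy_sample(template: int, flip_fraction: float, rng: random.Random) -> int:
    """Simulate a fresh capture of the same trait: some bits differ from enrollment."""
    sample = template
    for bit in range(TEMPLATE_BITS):
        if rng.random() < flip_fraction:
            sample ^= 1 << bit
    return sample


def error_rates(threshold: float, users: int = 50, captures: int = 20,
                noise: float = 0.10, seed: int = 3) -> dict:
    """Estimate FAR and FRR at `threshold` over constructed genuine/impostor trials.

    Genuine trial: a noisy recapture of the enrolled user's own template
    (about `noise` of the bits flipped). Impostor trial: another user's
    unrelated template presented instead (about half the bits differ).
    """
    rng = random.Random(seed)
    templates = [rng.getrandbits(TEMPLATE_BITS) for _ in range(users)]
    false_rejects = false_accepts = genuine = impostor = 0
    for i, stored in enumerate(templates):
        for _ in range(captures):
            genuine += 1
            if not matches(stored, noisy_sample(stored, noise, rng), threshold):
                false_rejects += 1           # legitimate user denied (FRR)
        for j, other in enumerate(templates):
            if j != i:
                impostor += 1
                if matches(stored, other, threshold):
                    false_accepts += 1       # wrong person admitted (FAR)
    return {"threshold": threshold,
            "FRR": false_rejects / genuine,
            "FAR": false_accepts / impostor}
```

Genuine recaptures cluster around a normalized distance of 0.10 and impostors around 0.50, so a threshold near 0.25 separates them cleanly; pushing the threshold down towards 0.05 starts rejecting legitimate users, and pushing it up towards 0.45 starts admitting impostors, which is the trade-off the notes describe.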
The Future of Biometric Authentication
With advances in AI and machine learning, biometric authentication is expected to become more accurate, secure, and widespread. Emerging biometric methods like gait recognition, ear shape recognition, and heartbeat analysis could provide even more secure options, while continuous authentication through behavioral biometrics will play a key role in cyber security. While privacy and security challenges persist, biometrics are set to become an integral part of our everyday digital interactions, especially as more secure and privacy-conscious solutions emerge.

Database Access Control

Database Access Control Security involves implementing mechanisms to protect databases from unauthorized access, data leaks, and tampering. This layer of security ensures that users can only access the data they are authorized to see, protecting sensitive information and maintaining data integrity. A secure access control system enforces authentication, authorization, and auditing processes, establishing a secure environment for data storage and retrieval. Stored biometric data must likewise be protected against unauthorized access.

Best Practices for Database Access Control Security
Adopt the Principle of Least Privilege: Give users only the access they need to perform their jobs, minimizing the potential impact of compromised accounts.
Regularly Review and Update Access Rights: Conduct periodic audits of user permissions to ensure that only active employees have access and that they have the appropriate level of access.

Enable Strong Authentication and Use MFA: Enforce strong authentication measures and require multi-factor authentication for high-privilege accounts to reduce the likelihood of unauthorized access.

Implement Robust Monitoring and Logging: Log all access and modifications to the database and monitor for unusual activity, including data export patterns and login attempts from unfamiliar locations.

Conduct Vulnerability Assessments and Penetration Testing: Regularly assess the database for security vulnerabilities and conduct penetration tests to identify weaknesses in access control mechanisms.

Encrypt Sensitive Data: Use encryption to protect data at rest and in transit, ensuring that data remains secure even if access controls are bypassed.

Regular Security Patching and Updates: Keep database management systems and related software up to date to protect against newly discovered vulnerabilities and exploits.

Employee Training and Awareness: Educate employees on data access policies, potential threats, and secure handling practices, ensuring that users understand the importance of database security.
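A small monitor over database audit logs, as an added example that is not part of the lecture notes: it applies the least-privilege, access-review and monitoring practices above to constructed log lines, flagging actions outside an account's documented role, logins from unfamiliar locations, and bulk exports. The log format, the account baselines and the row limit are all assumptions made for the example.

```python
import re

# Constructed audit log lines (not real data) in an assumed key=value format.
AUDIT_LOG = """\
2024-05-01T09:02:11 user=alice action=LOGIN src=DE result=OK
2024-05-01T09:03:40 user=alice action=SELECT table=customers rows=40
2024-05-01T09:10:05 user=bob action=LOGIN src=US result=OK
2024-05-01T09:12:30 user=bob action=EXPORT table=customers rows=250000
2024-05-01T22:47:19 user=alice action=LOGIN src=BR result=OK
2024-05-01T22:48:02 user=alice action=SELECT table=customers rows=900
2024-05-01T23:01:55 user=svc_report action=UPDATE table=customers rows=3
"""

# Assumed baseline: locations each account normally logs in from.
KNOWN_LOCATIONS = {"alice": {"DE"}, "bob": {"US"}, "svc_report": {"US"}}
# Assumed least-privilege policy: actions each account is documented to need.
ALLOWED_ACTIONS = {
    "alice": {"LOGIN", "SELECT"},
    "bob": {"LOGIN", "SELECT", "EXPORT"},
    "svc_report": {"LOGIN", "SELECT"},
}
EXPORT_ROW_LIMIT = 10_000  # one export above this many rows is unusual (assumed)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Split one audit line into a dict: timestamp plus key=value fields."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    if "rows" in fields:
        fields["rows"] = int(fields["rows"])
    return fields


def find_anomalies(log_text):
    """Return (timestamp, user, reason) for every line that breaks a rule."""
    findings = []
    for raw in log_text.splitlines():
        e = parse_line(raw)
        user, action = e["user"], e["action"]
        if action not in ALLOWED_ACTIONS.get(user, set()):
            findings.append((e["ts"], user, "action outside documented role: " + action))
        if action == "LOGIN" and e["src"] not in KNOWN_LOCATIONS.get(user, set()):
            findings.append((e["ts"], user, "login from unfamiliar location: " + e["src"]))
        if action == "EXPORT" and e["rows"] > EXPORT_ROW_LIMIT:
            findings.append((e["ts"], user, f"bulk export of {e['rows']} rows"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_anomalies(AUDIT_LOG):
        print(ts, user, reason)
```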
Security and Privacy Issues in RFIDs

RFID (Radio Frequency Identification) technology is widely used for tracking and identification in various sectors, including retail, healthcare, transportation, and logistics. Despite its advantages, RFID systems also pose significant security and privacy challenges. These issues are due to the technology's wireless nature, enabling attackers to intercept, manipulate, or misuse data without physical contact.

An RFID system typically has three main components:

RFID Tag: Contains an embedded microchip and an antenna. The microchip stores information, while the antenna transmits this information to the RFID reader. RFID tags can be active, passive, or semi-passive:
Passive tags: Don't have a battery; they draw power from the reader's signal to transmit data. These are cheaper but have a shorter range.
Active tags: Have an internal battery to broadcast signals actively, giving them a longer range (often tens of meters).
Semi-passive tags: Have a battery to power the chip but still rely on the reader's signal to send data.

RFID Reader: The reader sends out a radio frequency signal that powers passive tags and communicates with active tags. When an RFID tag comes within range of the reader, the tag transmits its data back to the reader. Readers can be stationary (mounted in fixed locations, such as at doorways or entrances) or mobile (handheld devices).
Backend System or Middleware: The data collected by the reader is then sent to a backend system or database. This system processes the data, which might include item identification, location tracking, or inventory management.

How RFID Works in Practice

Tag Activation and Powering: For passive tags, the RFID reader sends out a low-level radio frequency signal to power up the tag. Active tags use their own battery for power.

Data Transmission: Once the tag is powered (or is actively powered in the case of active tags), it transmits its unique identifier or other stored data back to the RFID reader through the radio frequency waves.

Data Reception and Decoding: The RFID reader receives this data, decodes it, and then sends it to the backend system or central database for processing.

Data Processing and Storage: The backend system can store and interpret this data in a variety of ways, depending on the application. For instance, in a warehouse, it might be used to monitor inventory levels, or in a retail store, it can track a product's journey from manufacture to sale.

Applications of RFID Technology

Retail: Inventory management, automated checkouts, loss prevention, and supply chain management.
Logistics and Supply Chain: Tracking goods from manufacturer to retail shelves, improving inventory visibility and accuracy.
Access Control and Security: Employee badges, keyless entry systems, and tracking of valuable assets within secure environments.
Healthcare: Tracking medical equipment, ensuring patient safety, and managing pharmaceutical inventories.
Transportation: Toll collection, ticketing systems, and vehicle tracking.
Privacy Issues in RFID Systems

Location Privacy
Description: RFID tags on personal items can be read at a distance, revealing the location of individuals as they move.
Implications: This undermines individuals' privacy by allowing third parties to monitor their whereabouts without their knowledge or consent.

Personal Data Exposure
Description: Many RFID tags store personal information, especially in applications like healthcare and transportation.
Implications: If this information is not properly secured, unauthorized parties could obtain sensitive personal data, such as medical history, transaction details, or personal identification numbers.

Data Aggregation Risks
Description: Multiple sources of RFID data can be combined to create comprehensive profiles of individuals.
Implications: Data aggregation can lead to privacy invasion, as companies or individuals can use this information to infer personal habits, preferences, or routines, potentially infringing on personal privacy.

Tracking of Consumer Behavior
Description: Retailers may use RFID data to track consumer interactions with products.
Implications: While this information can be valuable for businesses, consumers may feel that such monitoring is intrusive and a violation of privacy.