diff --git a/20231005/dbs-20231005.tex b/20231005/dbs-20231005.tex
index 5b64857b27588e345126f26e59112c77b54481eb..ff938d18847f7546ff553fd02616f792af56d5cf 100644
--- a/20231005/dbs-20231005.tex
+++ b/20231005/dbs-20231005.tex
@@ -1,4 +1,4 @@
-% dbs-20221005.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231005.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231012/dbs-20231012.tex b/20231012/dbs-20231012.tex
index 418fc515517c108340d21900905d52d2145a567e..0fd7a102e182b7ec95b4a8b2a7357ac4981d4a8d 100644
--- a/20231012/dbs-20231012.tex
+++ b/20231012/dbs-20231012.tex
@@ -1,4 +1,4 @@
-% dbs-20221012.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231012.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231019/dbs-20231019.tex b/20231019/dbs-20231019.tex
index e046e63c7f3719e64cf3f303acc1575f14244993..f2a6a6084fd057e3781a77565dcb5215b02b2e9d 100644
--- a/20231019/dbs-20231019.tex
+++ b/20231019/dbs-20231019.tex
@@ -1,4 +1,4 @@
-% dbs-20221019.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231019.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231026/dbs-20231026.tex b/20231026/dbs-20231026.tex
index 8f32b157297165f9708965f95172caa0ccd30833..a2e9c53a2bbd82270f0dabd22c4e7b4ae0055afb 100644
--- a/20231026/dbs-20231026.tex
+++ b/20231026/dbs-20231026.tex
@@ -1,4 +1,4 @@
-% dbs-20221026.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231026.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231102/dbs-20231102.tex b/20231102/dbs-20231102.tex
index 23f2fbec303b5a8f0b11468330fcf5703daab5e6..acb034d4eb3e3b364b3db77cfbac455c5e543907 100644
--- a/20231102/dbs-20231102.tex
+++ b/20231102/dbs-20231102.tex
@@ -1,4 +1,4 @@
-% dbs-20221102.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231102.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231109/dbs-20231109.tex b/20231109/dbs-20231109.tex
index 5371e3709b6355785b2a966aff8bf4820edce7c4..66a7231e499354aa2fa5cd0634bb10545c0275fd 100644
--- a/20231109/dbs-20231109.tex
+++ b/20231109/dbs-20231109.tex
@@ -1,4 +1,4 @@
-% dbs-20221109.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231109.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231116/dbs-20231116.tex b/20231116/dbs-20231116.tex
index 6a10877d712044c8cdb2c20d90b6514cedbac2aa..d56535d54f0cdaea0a3704dbb0cf0a2e9d5c259d 100644
--- a/20231116/dbs-20231116.tex
+++ b/20231116/dbs-20231116.tex
@@ -1,4 +1,4 @@
-% dbs-20221116.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231116.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231123/dbs-20231123.tex b/20231123/dbs-20231123.tex
index bf9e093389a18ed58763628c991b85746797b99d..bb810c3dfdd5b0285757cb5f84e9435f4bcab66c 100644
--- a/20231123/dbs-20231123.tex
+++ b/20231123/dbs-20231123.tex
@@ -1,4 +1,4 @@
-% dbs-20221123.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231123.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231130/dbs-20231130.tex b/20231130/dbs-20231130.tex
index 4a039d911b98ac1088d0707800db846ce3b97f45..e6f49ac93bc062553d06bdbbbb8bbb3ddc72d45e 100644
--- a/20231130/dbs-20231130.tex
+++ b/20231130/dbs-20231130.tex
@@ -1,4 +1,4 @@
-% dbs-20221130.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231130.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231207/dbs-20231207.tex b/20231207/dbs-20231207.tex
index 2296ae2843ec63b2d755855dbfda23f9323fc86b..d72d88d149d27843dfc1e3dcb24aa68999c0cc76 100644
--- a/20231207/dbs-20231207.tex
+++ b/20231207/dbs-20231207.tex
@@ -1,4 +1,4 @@
-% dbs-20221207.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231207.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
diff --git a/20231214/dbs-20231214.pdf b/20231214/dbs-20231214.pdf
index 39420b39457cf57c702e84338510468305a6980d..7a1b21a21f2b8ebb47b926d8e711373037804464 100644
Binary files a/20231214/dbs-20231214.pdf and b/20231214/dbs-20231214.pdf differ
diff --git a/20231214/dbs-20231214.tex b/20231214/dbs-20231214.tex
index 7198a1ee652368e02283dccb399c009eced16201..27d638b68501743d5ecedf1bda725370495131e7 100644
--- a/20231214/dbs-20231214.tex
+++ b/20231214/dbs-20231214.tex
@@ -1,4 +1,4 @@
-% dbs-20221214.pdf - Lecture Slides on Databases and Information Security
+% dbs-20231214.pdf - Lecture Slides on Databases and Information Security
 % Copyright (C) 2023 Peter Gerwinski
 %
 % This document is free software: you can redistribute it and/or
@@ -20,7 +20,7 @@
 % Attribution-ShareAlike 3.0 Unported License along with this
 % document. If not, see <http://creativecommons.org/licenses/>.
 
-% README: @@@
+% README: GUI-Zugriff, SQL Injection
 
 \documentclass[10pt,t]{beamer}
 
@@ -61,18 +61,19 @@
 \color{medgreen}
 \item[4.10] Funktionen und Trigger
 \item[4.11] GUI-Zugriff
+ \color{orange}
 \item[4.12] SQL Injection
- \color{red}
+ \color{black}
 \item[4.13] Datensicherheit bei Datenbanken
 \item[4.14] Sonstige Datenbanken
 \end{itemize}
 \item[\textbf{5}] \textbf{Kryptographie}
- \begin{itemize}
- \color{red}
- \item[5.1] Einführung
- \vspace*{-\smallskipamount}
- \item[\textbf{\dots}]
- \end{itemize}
+% \begin{itemize}
+% \color{red}
+% \item[5.1] Einführung
+% \vspace*{-\smallskipamount}
+% \item[\textbf{\dots}]
+% \end{itemize}
 \vspace*{-\smallskipamount}
 \item[\textbf{\dots}]
 \end{itemize}
@@ -183,14 +184,18 @@
 
 Bessere Lösung: \newterm{Prepared Statements}
 \begin{itemize}
- \item
- \url{https://www.postgresql.org/docs/current/sql-prepare.html}
- \item
- \url{https://www.w3schools.com/php/php_mysql_prepared_statements.asp}
+ \arrowitem
+ nächstes Jahr
+% \item
+% \url{https://www.postgresql.org/docs/current/sql-prepare.html}
+% \item
+% \url{https://www.w3schools.com/php/php_mysql_prepared_statements.asp}
 \end{itemize}
 
 \end{frame}
 
+\iffalse
+
 \subsection{Datensicherheit bei Datenbanken}
 
 \begin{frame}
@@ -255,4 +260,6 @@
 
 \end{frame}
 
+\fi
+
 \end{document}
diff --git a/20240111/Zeichen_123.pdf b/20240111/Zeichen_123.pdf
new file mode 120000
index 0000000000000000000000000000000000000000..fdbc897227df059cfda790a16555e6e417682116
--- /dev/null
+++ b/20240111/Zeichen_123.pdf
@@ -0,0 +1 @@
+../common/Zeichen_123.pdf
\ No newline at end of file
diff --git a/20240111/dbs-20240111.pdf b/20240111/dbs-20240111.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..3f9616efe9f3278e1b8dc63ef26c0acb096a7d2f
Binary files /dev/null and b/20240111/dbs-20240111.pdf differ
diff --git a/20240111/dbs-20240111.tex b/20240111/dbs-20240111.tex
new file mode 100644
index 0000000000000000000000000000000000000000..af10b15c0bdd95c887d21b2596222a814a0fc91e
--- /dev/null
+++ b/20240111/dbs-20240111.tex
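Review bot: The second hunk hides the `Datensicherheit bei Datenbanken` and `Sonstige Datenbanken` frames by opening `\iffalse` (closed by the `\fi` added in the third hunk), while the first hunk and the prepared-statements list in the same frame disable material by prefixing every line with `%`; two mechanisms for the same purpose in one file make it harder to see at a glance what is currently part of the deck. I would pick one consistently, e.g. wrap the six section-5 lines and the two `\url` items in `\iffalse … \fi` as well, or comment the two frames line by line. The frame containing the prepared-statements list begins before the hunk, so the `\iffalse` placed after its `\end{frame}` is the first line at document level and does not cut a frame.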
@@ -0,0 +1,438 @@
+% dbs-20240111.pdf - Lecture Slides on Databases and Information Security
+% Copyright (C) 2023, 2024 Peter Gerwinski
+%
+% This document is free software: you can redistribute it and/or
+% modify it either under the terms of the Creative Commons
+% Attribution-ShareAlike 3.0 License, or under the terms of the
+% GNU General Public License as published by the Free Software
+% Foundation, either version 3 of the License, or (at your option)
+% any later version.
+%
+% This document is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+%
+% You should have received a copy of the GNU General Public License
+% along with this document. If not, see <http://www.gnu.org/licenses/>.
+%
+% You should have received a copy of the Creative Commons
+% Attribution-ShareAlike 3.0 Unported License along with this
+% document. If not, see <http://creativecommons.org/licenses/>.
+ +% README: Datensicherheit bei Datenbanken, sonstige Datenbanken, Kryptographie + +\documentclass[10pt,t]{beamer} + +\usepackage{pgslides} + +\newcommand{\vfilll}{\vspace{0pt plus 1filll}} + +\newcommand{\underconstruction}{% + \begin{picture}(0,0) + \put(11,1.2){\makebox(0,0)[b]{\includegraphics[width=1.5cm]{Zeichen_123.pdf}}} + \put(11,0.9){\makebox(0,0)[t]{\shortstack{Änderungen\\vorbehalten}}} + \end{picture}} + +\title{Datenbanken und Datensicherheit} +\author{Prof.\ Dr.\ rer.\ nat.\ Peter Gerwinski} +\date{11.\ Januar 2024} + +\begin{document} + +\maketitleframe + +\nosectionnonumber{\inserttitle} + +\begin{frame} + + \shownosectionnonumber + + \begin{itemize} + \item[\textbf{1}] \textbf{Einführung} + \hfill\makebox(0,0)[br]{\raisebox{2.25ex}{\url{https://gitlab.cvh-server.de/pgerwinski/dbs}}}% + \item[\textbf{2}] \textbf{Kurzeinführung Unix} + \item[\textbf{3}] \textbf{Kurzeinführung TCP/IP} + \item[\textbf{4}] \textbf{Relationale Datenbanken} + \begin{itemize} + \vspace*{-\smallskipamount} + \item[\textbf{\dots}] + \item[4.9] Indizierung + \color{medgreen} + \item[4.10] Funktionen und Trigger + \item[4.11] GUI-Zugriff + \color{orange} + \item[4.12] SQL Injection + \color{red} + \item[4.13] Datensicherheit bei Datenbanken + \item[4.14] Sonstige Datenbanken + \end{itemize} + \item[\textbf{5}] \textbf{Kryptographie} + \begin{itemize} + \color{red} + \item[5.1] Einführung + \vspace*{-\smallskipamount} + \item[\textbf{\dots}] + \end{itemize} + \vspace*{-\smallskipamount} + \item[\textbf{\dots}] + \end{itemize} + + \vfilll + \underconstruction + +\end{frame} + +\setcounter{section}{3} +\section{Relationale Datenbanken} +\setcounter{subsection}{9} +\subsection{Funktionen und Trigger} + +\begin{frame} + + \showsection + \showsubsection + + Funktionen: + \begin{itemize} + \item + \lstinline[style=cmd]{PROCEDURE} entspricht einer \lstinline{void}-Funktion in C. 
+ \item + \url{https://www.postgresql.org/docs/15/sql-createprocedure.html} + \end{itemize} + + \bigskip + + Trigger: + \begin{itemize} + \item + \url{https://www.sqltutorial.org/sql-triggers/} + \item + \url{https://www.postgresqltutorial.com/postgresql-triggers/creating-first-trigger-postgresql/} + \end{itemize} + +\end{frame} + +\subsection{GUI-Zugriff} + +\begin{frame} + + \showsection + \showsubsection + + \begin{itemize} + \item + Anwendung nutzt DBMS-Client-Bibliothek\\ + GUI-Programmierung: wie gewohnt + \item + Spezialfall: Web-Anwendung + \end{itemize} + + \bigskip + + Beispiel: Programmiersprache PHP + \begin{itemize} + \item + Integration in HTML-Quelltext: \lstinline{<?php ... ?>} + \item + Objekt zur Kommunikation mit Datenbanken: \lstinline{PDO} + \end{itemize} + + \bigskip + + Literatur: + \begin{itemize} + \item + \url{https://www.postgresqltutorial.com/postgresql-php/connect/} + \item + \url{https://www.phptutorial.net/php-pdo/pdo-connecting-to-postgresql/} + \end{itemize} + +\end{frame} + +\subsection{SQL Injection} + +\begin{frame}[fragile] + + \showsection + \showsubsection + + Problem: + \begin{itemize} + \item + Ein böswilliger Benutzer gibt über eine Benutzerschnittstelle + (z.\,B.\ ein Web-Interface) Daten ein (z.\,B.\ einen "`Namen"'), + die Sonderzeichen enthalten, damit sie als SQL-Befehle ausgeführt werden. + \item + Literatur: \url{https://xkcd.com/327/} + \end{itemize} + + \medskip + + Lösung: Die Benutzerschnittstelle prüft die Daten auf Sonderzeichen\\ + und ersetzt diese durch geeignete Escape-Sequenzen + \begin{itemize} + \item + \lstinline[style=cmd]{'} durch \lstinline[style=cmd]{''} ersetzen + \item + Funktion \lstinline[style=cmd]{CHR()} + \item + Viele DBMS verstehen ein vorangestelltes \lstinline[style=cmd]{\}. 
+ \end{itemize} + + \medskip + + Bessere Lösung: \newterm{Prepared Statements} + \begin{itemize} + \item + \url{https://www.postgresql.org/docs/current/sql-prepare.html} + \item + \url{https://www.w3schools.com/php/php_mysql_prepared_statements.asp} + \end{itemize} + +\end{frame} + +\subsection{Datensicherheit bei Datenbanken} + +\begin{frame} + + \showsection + \showsubsection + + \begin{itemize} + \item + kein direkter Zugriff von außen auf die Datenbank + \item + feingranulare Benutzerrechte + \item + Software aktuell halten + \item + Prepared Statements + \item + Transportverschlüsselung + \end{itemize} + +\end{frame} + +\subsection{Sonstige Datenbanken} + +\begin{frame} + + \showsection + \showsubsection + + \begin{itemize} + \item + Eingebettete Datenbanken:\\ + Berkeley DB, SQLite\\ + Software-Bibliothek, keine Client-Server-Struktur + \item + Nicht-relationale Datenbanken:\\ + dokumentenorientierte Datenbanken, noSQL\\ + Performanz wichtiger als Konsistenz\\ + \textarrow\ Applikationen stärker in Konsistenzprüfung eingebunden + \end{itemize} + +\end{frame} + +\section{Kryptographie} +\subsection{Einführung} + +\begin{frame} + + \showsection + \showsubsection + + \textbf{Was ist Datensicherheit?} + + \smallskip + + \begin{minipage}[t]{0.24\textwidth} + \begin{itemize} + \item[] \strut + \item Vertraulichkeit + \item Integrität\\\strut + \item Verfügbarkeit + \end{itemize} + \end{minipage}% + \begin{minipage}[t]{0.25\textwidth} + \begin{itemize} + \item[] (CIA) + \item[] (confidentiality) + \item[] (integrity)\\\strut + \item[] (availability) + \end{itemize} + \end{minipage}\quad + \begin{minipage}[t]{0.45\textwidth} + \begin{itemize} + \item[] \strut + \arrowitem {\only<2->{\color{red}}Verschlüsselung} + \arrowitem Konsistenzprüfungen,\\ + Prüfwerte, {\only<2->{\color{red}}Signaturen} + \arrowitem Backups, Ausfallsicherheit + \end{itemize} + \end{minipage} + + \bigskip + + \begin{itemize} + \item + Identifizierbarkeit + (Authentizität, Nichtabstreitbarkeit, 
Zurechenbarkeit)\\ + \textarrow\ {\only<2->{\color{red}}Passwörter}, + {\only<2->{\color{red}}Signaturen}\\[\smallskipamount] + bzw. + \item + Anonymität + (plausible Abstreitbarkeit, Nichtzurechenbarkeit)\\ + \textarrow\ Pseudonymisierung, Anonymisierung,\\ + \phantom{\textarrow\ }{\only<2->{\color{red}}Verschlüsselung}, Steganographie + \pause\hfill\textcolor{red}{\textarrow\ Kryptographie} + \end{itemize} + +\end{frame} + +\subsection{Symmetrische Verschlüsselung} + +\begin{frame} + + \showsection + + \textbf{Kryptographie} + \begin{itemize} + \item + Verschlüsselung: symmetrisch, asymmetrisch, hybrid + \item + Hashes: Einwegfunktionen, Salt + \item + Signaturen, Zertifikate + \item + Schlüsselaustausch + \end{itemize} + + \bigskip + + \showsubsection + + \vspace{-\medskipamount} + + \begin{itemize} + \item + Derselbe Schlüssel zum Ver- und Entschlüsseln + \item + Beispiele: + {\only<6->{\color{red}}Cäsar-Chiffre}, + {\only<6->{\color{red}}Monoalphabetische Substitution}\pause,\\ + One Time Pad\visible<4->{,}\\ + \visible<4->{% + \only<5->{\emph{spezielle }}Pseudozufallszahlengenerator\only<5->{en}, + Startwert als Schlüssel\only<5->{:}\\ + \visible<5->{ + {\only<6->{\color{red}}Enigma}, + {\only<6->{\color{red}}DES}, + {\only<6->{\color{orange}}3DES}, + {\only<6->{\color{orange}}RC4}, + IDEA, + Blowfish, + TwoFish, + CAST, + AES, + \dots + } + } + \pause + \item + Problem: Schlüsselaustausch + \pause[7] + \item + Lösung: \newterm{asymmetrische Verschlüsselung} + \end{itemize} + +\end{frame} + +\subsection{Asymmetrische Verschlüsselung} + +\begin{frame} + + \showsubsection + + \vspace{-\medskipamount} + + \begin{itemize} + \item + verschiedene Schlüssel zum Ver- und Entschlüsseln:\\ + öffentlicher und privater Schlüssel + \item + Prinzip: mathematische Operation,\\ + einfach durchzuführen, schwer rückgängig zu machen + \medskip + \item + Beispiel: $N = p \cdot q$ -- einfacher als Primfaktorzerlegung von $N$ + \textarrow\ RSA\\[\smallskipamount] + $73 \cdot 97 = 
7081$: geht notfalls noch im Kopf\\ + Primfaktorzerlegung von $7081$: mindestens schriftlich, besser mit Rechner + \medskip + \item + Beispiel: $c = b^a$ -- einfacher als $a = \log_b c$ + \textarrow\ Diffie-Hellman, ElGamal\\[\smallskipamount] + $7^5 = 16807$: geht notfalls noch im Kopf\\ + $\log_7 16807$: mindestens schriftlich, besser mit Rechner + \medskip + \arrowitem + Details: Algorithmen und Datenstrukturen + \pause + \bigskip + \item + Nachteil: wesentlich aufwendiger und daher langsamer\\ + als symmetrische Verschlüsselung + \arrowitem + \newterm{hybride Verschlüsselung}: nur Schlüsselaustausch asymmetrisch,\\ + eigentliche Vrschlüsselung symmetrisch + \end{itemize} + +\end{frame} + +\subsection{Signaturen} + +\begin{frame} + + \showsubsection + + \vspace{-\medskipamount} + + \begin{itemize} + \item + \newterm{kryptographische Hash-Funktion\/}: + leicht auszurechnen, schwer zu manipulieren + \item + asymmetrisch: \newterm{Signatur}\\ + Hash-Wert mit privatem Schlüssel verschlüsseln,\\ + mit öffentlichem Schlüssel entschlüsseln + \item + symmetrisch: \newterm{Message Authentication Code\/} (MAC)\\ + z.\,B.\ Hash-Wert über Nachricht + geheimer Schlüssel + \end{itemize} + + \pause + \bigskip + + Angriffsmöglichkeit: \newterm{Man-in-the-middle\/}-Angriff\\ + Beim Schlüsselaustausch anderen Schlüssel unterschieben\\ + \textarrow\ Sorgfalt beim Schlüsselaustausch + + \pause + \bigskip + + \textbf{Praxis-Beispiele} + \begin{itemize} + \item + SSH + \item + HTTPS + \item + OpenPGP + \end{itemize} + +\end{frame} + +\end{document} diff --git a/20240111/logo-hochschule-bochum-cvh-text-v2.pdf b/20240111/logo-hochschule-bochum-cvh-text-v2.pdf new file mode 120000 index 0000000000000000000000000000000000000000..4aa99b8f81061aca6dcaf43eed2d9efef40555f8 --- /dev/null +++ b/20240111/logo-hochschule-bochum-cvh-text-v2.pdf @@ -0,0 +1 @@ +../common/logo-hochschule-bochum-cvh-text-v2.pdf \ No newline at end of file 
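Review bot: The SQL-injection frame labels character escaping as the `Lösung` and lists `Viele DBMS verstehen ein vorangestelltes \` as one of its techniques, but backslash escaping is DBMS- and configuration-dependent — PostgreSQL, which the neighbouring frames reference, treats a backslash in an ordinary string literal as a plain character when `standard_conforming_strings` is on, its default since 9.1 — so a hand-written escaper that relies on it can stop protecting without any visible error. I would present the escaping bullets as a fragile stopgap and make the second block the recommended fix, e.g. `Behelfslösung: Die Benutzerschnittstelle prüft die Daten auf Sonderzeichen\\` and `Lösung: \newterm{Prepared Statements}`; the `Datensicherheit bei Datenbanken` frame already lists prepared statements as a measure, so the two frames would then agree. Separately, `eigentliche Vrschlüsselung symmetrisch` on the hybrid-encryption bullet is missing an `e` (`Verschlüsselung`).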
diff --git a/20240111/logo-hochschule-bochum.pdf b/20240111/logo-hochschule-bochum.pdf
new file mode 120000
index 0000000000000000000000000000000000000000..b6b9491e370e499c9276918182cdb82cb311bcd1
--- /dev/null
+++ b/20240111/logo-hochschule-bochum.pdf
@@ -0,0 +1 @@
+../common/logo-hochschule-bochum.pdf
\ No newline at end of file
diff --git a/20240111/pgslides.sty b/20240111/pgslides.sty
new file mode 120000
index 0000000000000000000000000000000000000000..5be1416f4216f076aa268901f52a15d775e43f64
--- /dev/null
+++ b/20240111/pgslides.sty
@@ -0,0 +1 @@
+../common/pgslides.sty
\ No newline at end of file