Database Security

1
Database Security

• Database Management Systems CSE530A
• Nov 10, 2004

2
Outline

• Threats
• Countermeasures
• Authorization
• Access Controls
• Views
• Backup and Recovery
• Integrity
• Encryption
• RAID
• DBMS and Web Security
• Proxy Servers
• Firewalls
• Message Digest Algorithms and Digital Signatures
• Digital Certificates
• Kerberos
• Secure Sockets Layer and Secure HTTP
• Secure Electronic Transactions and Secure
  Transaction Technology
• Java Security
• ActiveX Security

3
Database Security

• The mechanisms that protect the DB against
  intentional or accidental threats
• Security situations to consider
• theft and fraud
• loss of confidentiality (secrecy)
• loss of privacy
• loss of integrity
• loss of availability.

4
Threats

• Any situation or event, whether intentional or
  accidental, that may adversely affect a system
  and consequently the organization
• Organizations should
• identify threats
• initiate plans and countermeasures
• focus resources on threats that could have
  significant impact

5
Countermeasures Authorization

• Authentication - A mechanism which determines
  whether a user is who they claim to be.
• Goals
• To authenticate subjects requesting access to a
  databases resources.
• Standard Implementation
• Very similar to OS model of authentication
• An administrator creates individual user
  accounts, with associated passwords
• Each account is given a unique identifier by
  which the system can determine who they are
• When a user attempts to log on, the system does a
  basic lookup to verify that the information
  provided is correct and that the account is
  enabled.

6
Countermeasures Access Controls

• Developed to provide more fine-grained access
• Beyond the basic all or nothing access to a
  system, users can be granted or restricted access
  to particular resources
• Examples relations, views, indices or running
  certain utilities

7
Access Controls contd

• Discretionary Access Control (DAC)
• Part of the ISO SQL Standard
• Provided by virtually all commercial DBMSs
• Based upon GRANT/REVOKE commands
• Example
• GRANT ALL PRIVILEGES
• ON Staff
• TO Manager WITH GRANT OPTION
• Has some known flaws
• An unauthorized user can trick an authorized user
  into disclosing restricted information
• Mandatory Access Control (MAC)
• Based on system-wide policies that cannot be
  changed by individual users.
• Each database resource and user is assigned a
  security class and clearance
• Biggest drawback is rigidity of these
  restrictions.

8
Special Topics Bell-LaPadula Model

• A MAC of military origins governed by strict
  access rules
• no read up, no write down
• Users can only create content at or above their
  security level
• Secret researchers can create secret or
  top-secret files but not public files.
• Users can only view content at or below their
  security level
• Secret researchers can view public or secret
  files, but may not view top-secret files.

9
Countermeasures Views

• View - a dynamic result of one or more
  relational operations operating on the base
  relations to produce another relation
• Hide parts of database from certain users
• The user is not aware of any attribute or rows
  that are missing from the view
• More restrictive than giving users access to the
  base relations.

10
Countermeasures Backup Recovery

• Backup copies
• Log File/ journal
• Contains information of all updates to database
• Keep changes that are made after the last backup

11
Countermeasures Integrity

• Prevent information from becoming invalid
• Avoid misleading/ incorrect results

12
Countermeasures Encryption
Source CS 505A Website
13
Countermeasures Encryption

• Cryptosystem
• Encryption key
• Encryption algorithm
• Plaintext to ciphertext with encryption key
• Decryption key
• Decryption algorithm
• Ciphertext to plaintext with decryption key

14
Countermeasures Encryption

• Techniques
• Symmetric encryption
• Encryption key Decryption key
• Examples DES, AES
• Asymmetric encryption
• Encryption key ? Decryption key
• Examples public key cryptosystems, RSA

15
Special Topics Encryption with RSA

• By Rivest, Shamir, and Adleman
• N pq (N, is public key p,q are private
  keys)
• Suppose that person A wants to make a public key,
  and that person B wants to use that key to send A
  a message.
• Person A selects the prime number (private key)
• Person A multiplies the prime number (private
  key) and tells Person B
• Person A chooses another number e relatively
  prime to (p-1)(q-1) and tells Person B

16
Special Topics Encryption with RSA

• Person B starts encoding original message M
• Use C Memod(N)
• Send that encoded message C to Person A
• Person A decodes message
• Find d such that ed 1(mod(p-1)(q-1))
• Decrypt by Cdmod(N)

17
Countermeasures Encryption

• Database security characteristics
• No person should be able to directly read, write,
  destroy, or modify data in unauthorized manner
• Impossible to infer value of any data item by
  manipulating data
• Flexible security mechanism
• Accessibility of system not reduced
• Encryption and decryption should be fast

18
Countermeasures Encryption

• Database security characteristics (continue)
• Stored data is not largely expanded
• Reasonable security implementation cost
• System secure or require extremely high work
  factor to break
• Encipherment must be record oriented
• Support Subschema
• Prevent pattern matching
• Prevent substitution of encrypted values

19
Special Topics Encryption Standard Controversies

• Data Encryption Standard (DES)
• Government Standard in 1977
• Designer IBM
• Block size 64 bits
• Key size 56 bits
• Advanced Encryption Standard (AES)
• Intend to replace DES
• Block size of 128 bits
• Key sizes 128, 192 and 256 bits
• Designers Vincent Rijmem and Joan Daemen

20
Countermeasures RAID

• Redundant Array of
• Independent/ Inexpensive Disk
• Improve performance
• use disk array to read/write data in parallel
  thus improving the speed
• Improve fault tolerance
• use disk array in which part of the storage
  capacity is used to store redundant information
  about the data stored in the remainder of the
  storage capacity

21
Countermeasures RAID

• Raid 0 Striping (without parity)
• Data striping (spreading out blocks of each file
  across multiple disks)
• No redundancy
• Drive Requirement 2

22
Countermeasures RAID

• Raid 0 Striping (without parity)

• Advantages
• Increase I/O performance
• No overhead
• Simple design
• Easy to implement

• Disadvantages
• No fault tolerant
• Any failure will result lost data

23
Countermeasures RAID

• Raid 1 Mirroring or Duplexing
• Utilize 50 of the drive capacity to store a copy
  of the data
• Drive requirement 2

RAID 1 - Mirroring
Source MIM 505A
24
Countermeasures RAID

• Raid 1 Mirroring or Duplexing

• Advantages
• One write, two reads
• Rebuild not required

• Disadvantages
• High overhead
• 50 failure will result lost data

RAID 1 - Mirroring
Source MIM 505A
25
Countermeasures RAID

• Raid 01
• Data striping redundancy
• Drive requirement 4

26
Countermeasures RAID

• Raid 2 - 5
• Use parity/ error correcting code instead of
  mirroring
• Save Storage Cost

• XOR
• A B xor (A xor B)
• B A xor (A xor B)

Source MIM 505A
27
Countermeasures RAID

• Raid 2 Bit level striping with Hamming code
• Each bit of data word is store on disk
• Each word has its Hamming Code ECC word on ECC
  disk
• Verify and correct on read
• If ECC Disk and other disk drive fail, all fails
• High Ratio of ECC Disk space/Data Disk required

28
Countermeasures RAID

• Raid 2 Bit level striping with Hamming code

• Advantages
• Fast data correction

• Disadvantages
• Inefficient
• high ratio of ECC disks to data disks with
  smaller word sizes

29
Countermeasures RAID

• Raid 3 Bit level striping with dedicated parity
• Disk Requirement 3

30
Countermeasures RAID

• Raid 3 Bit level striping with dedicated parity

• Advantages
• Fast read/ write
• Insignificant impact on disk failure
• High efficiency

• Disadvantages
• Multiple disk Parity disk failure

31
Countermeasures RAID

• Raid 4 Block level striping with dedicated
  parity
• Disk requirement 4
• Raid 5 Block level striping with distributed
  parity
• Disk requirement 3

RAID 4 Data Guarding
RAID 5 Distributed Data Guarding
Source MIM 505A
32
Countermeasures RAID

• Raid 6 PQ redundancy
• Use error correcting code instead of parity
• Protect against multiple disk failure
• Disk Requirement N2

33
Special Topics DATUM

• Disk Arrays with Optimal Storage, Uniform
  declustering Multiple failure tolerance
• Allow up to (n-1) failures of n disks array
• Data Striping
• User Data/ redundant data
• Information Dispersal Algorithm (IDA)

34
Databases and the Web

• Web integration with database systems in
  e-Commerce and e-Business
• Examples Amazon, Bank of America
• TCP/IP protocol not designed for security
• Packet Sniffing software
• Additional security measures necessary

35
Proxy Servers

• DEFINITION
• Computer that sits between server and
• browser
• FUNCTION
• Intercept requests to the server
• PURPOSE
• Improve Performance and filter requests

36
Firewalls

• DEFINITION
• System that prevents unauthorized access
• to and from a private network
• DESIGN
• Implemented in both hardware and software or both
• TECHNIQUES
• Packet Filter
• Application Gateway
• Circuit-Level Gateway
• Proxy Server

37
Message Digest Algorithms

• DEFINITION
• One way hash function
• FUNCTION
• Takes an arbitrarily sized string and generates a
  fixed-length string (digest)
• PROPERTIES
• Infeasible to find another message that will
  generate the same digest
• Digest reveals nothing about the message

38
Digital Signature

• DEFINITION
• Consists of data as a string of bits and private
  key of individual requesting signature
• FUNTION
• Signature that verifies data is coming from a
  particular individual or organization
• PROPERTIES
• Authenticity can be verified
• Cannot be forged
• Function of the data that is signed
• Signed data cannot be changed

39
Digital Certificates

• DEFINITION
• Attachment to an electronic message
• FUNCTION
• Verifies that a user sending message is who
  he/she claims to be
• Provides receiver with a way to encode reply
• HOW TO
• User applies for a certificate from Certificate
  Authority
• CA issues certificate makes public key available
  on internet
• Receiver uses public key to decode message and
  send an encrypted message back

40
Kerberos

• DEFINITION
• Server of secured user authentication and access
  information
• FUNCTION
• Centralized security server for all data and
  resources on a network, including
• Login/password info
• Database access privileges
• Authorization control privileges
• Similar in function to a Certificate server

41
Secure Sockets Layer

• DEFINITION
• Cryptographic protocol which resides between the
  application-level protocols (e.g. HTTP) and
  transport-level protocols (e.g. TCP)
• FUNCTION
• Designed to prevent eavesdropping, tampering, and
  message forgery
• Creates secure connection between a client and a
  server, over which any amount of data can be sent
• Can be used underneath application level
  protocols (HTTP, FTP, SMTP, NNTP) to make them
  more secure
• Requires slight modification to application level
  protocols which use it, and transport layer
  interface
• Basis for Transport Layer Security protocol

42
S-HTTP

• DEFINITION
• Security-enhanced version of HTTP resides in
  application layer
• FUNCTION
• Designed to transmit individual messages securely
• Individual documents can be marked as private or
  signed
• URL begins with https instead of http
• Is therefore complementary to SSL

43
SSL and S-HTTP

• FUNCTION
• Heavily utilize cryptography and certificates
• Allow clients and servers to authenticate each
  other
• Permit site owners to control access to
  particular resources
• Allow sensitive information to be shared securely
• Ensure data that is exchanged is reliable (unable
  to be corrupted accidentally or intentionally)

44
Secure Electronic Transactions

• DEFINITION
• Open, interoperable standard for processing
  credit card transactions over the Internet
• FUNCTION
• Goal is simplicity and security matching that in
  retail stores
• Merchant has access to product info, price,
  payment approval but not payment method
• Card issuer has access to price but not product
  info
• Heavy utilization of certificates for certifying
  cardholder and merchants relationship with
  financial institution
• Application-level security

45
Secure Electronic Transactions
Database Systems - Figure 19.11, p. 567
46
Secure Transaction Technology

• DEFINITION
• Protocol to handle secure bank payments over the
  Internet
• FUNCTION
• Uses DES to encrypt payment information
• Uses RSA to encrypt bankcard info
• Application-level security

47
Java Security

• Java Virtual machine sandbox model ensures that
  possibly malicious applications do not get access
  to system resources
• Model has three components
• Class loader
• Bytecode verifier
• Security Manager
• Security built on top of Languages safety
  features
• Strong typing
• Automatic garbage collection

48
Java Class Loader

• Loads required classes and checks format
• Additionally, ensures applet/application does not
  violate system security
• Allocates a namespace hierarchical grouping
  based on origin of class (local/remote)
• Never allows a class from a less protected
  namespace to replace a class from a more
  protected namespace

49
Java Bytecode Verifier

• JVM verifies code by assuming that all code is
  meant to crash or violate system security, then
  performing checks to ensure that this is not the
  case
• Compiled code correctly formatted
• Internal stacks will not overflow/underflow
• No illegal data conversions
• Bytecode instructions properly typed
• Class member accesses are valid

50
Java Security Manager

• Each Java application defines and implements its
  own security policy via Security Manager
• Generally prevent downloaded applets from
• Reading and writing local files
• Making network connections other than to
  providing host
• Starting other local programs
• Loading libraries
• Defining method calls

51
Enhanced Applet Security

• Sandbox model does not account for authentication
  of applets
• Java Security API introduces APIs for
• Digital signatures
• Message digests
• Key management
• Encryption/decryption

52
ActiveX Security

• ActiveX - a component-based Microsoft technology
  for enabling cross-software communication
• Places no restriction on what an ActiveX control
  can do
• Instead, controls are digitally signed by author
  using Authenticode system
• Signatures are verified by CA
• Places responsibility for security on user
• Warn user when unsigned ActiveX controls are
  encountered

53
Security in MS Access

• Setting a password for opening a database
• User-level security and MAC

54
Security in MS Access
55
Security in MS SQL Server

• Login required to connect to each SQL Server
  instance
• Windows authentication mode
• vs. SQL Server mode
• User accounts specific to each database

56
Security in MS SQL Server

• Stored Procedures for security
• sp_addlogin Creates a new login that allows
  users to connect to SQL Server using SQL Server
  authentication
• sp_grantlogin Allows a Windows NT/2000 user
  account or group to connect to SQL Server using
  Windows authentication
• sp_droplogin Drops a SQL Server login
• sp_revokelogin Drops a Windows NT/2000
  login/group from SQL Server
• sp_denylogin Prevents a Windows NT/2000
  login/group from connecting to SQL Server

57
Security in MS Access

• More stored procedures
• sp_password Adds or changes the password for an
  SQL Server login
• sp_helplogins Provides information about logins
  and their associated users in each database
• sp_defaultdb Changes the default database for a
  login
• sp_grantdbaccess Adds an associated user account
  in the current database for an SQL Server login
  or Windows NT/2000 login
• sp_revokedbaccess Drops a user account from the
  current database
• sp_helpuser Reports information about the
  Microsoft users and roles in the current database
  

58
Security in MS SQL Server

• Helpful web resources
• http//www.sql-server-performance.com/vk_sql_secur
  ity.asp
• www.SQLSecurity.com
• http//www.windowsecurity.com/articles/Secure_SQL_
  Server.html
• http//www.mssqlcity.com/Articles/Adm/SQL7SecMode/
  SQL70SecurityModes.htm

59
Active Research Areas

• Secret Sharing Scheme
• Intrusion Detection
• Steganographic File System/DBMS
• Secret-Sharing DBMS
• Authenticating Query Results in Edge Computing

60
Conclusions

• Threats
• Countermeasures
• Authorization
• Access Controls
• Views
• Backup and Recovery
• Integrity
• Encryption
• RAID
• DBMS and Web Security
• Proxy Servers
• Firewalls
• Message Digest Algorithms and Digital Signatures
• Digital Certificates
• Kerberos
• Secure Sockets Layer and Secure HTTP
• Secure Electronic Transactions and Secure
  Transaction Technology
• Java Security
• ActiveX Security

61
References

• Database Systems, by Thomas Connolly and Carolyn
  Begg
• A Database Encryption System with Subkeys, by
  George I Davida, David L Wells and John B Kam
• Tolerating Multiple Failures in RAID
  Architectures with Optimal Storage and Uniform
  Declustering by Guillermo A. Alvarez, Walter A.
  Burkhard and Flaviu Cristian
• http//www.acnc.com/04_00.html
• http//mathcircle.berkeley.edu/BMC3/rsa/node4.html
  
• Internet Security Firewalls and Beyond, by Rolf
  Oppliger
• Database Security, by S. Castano, M. Fugini, G.
  Martella, and P. Samarati

62
Questions?