Title: On one hand, databases are designed to promote open and flexible access
1 Introduction
- On one hand, databases are designed to promote open and flexible access to data.
- On the other hand, it's this same open access that makes databases vulnerable to many kinds of malicious activity.
2 Database Security Issues
- Security of databases can be described in the following categories.
- Authentication - A process used to ascertain the identity of a person or the integrity of specific information.
- Authorization - The process of obtaining information about an authenticated user.
- Data Integrity - Ensuring that the data has not been altered during transmission to the application or database server.
3 Database Security Issues Contd
- Access control methods - Access control methods are used to create subsets of the contents of information, so that the user can only see and access data that is relevant to their needs.
- E.g. human resources personnel would be able to access an employee's title and/or salary range; however, he/she cannot access the salary deductions of an employee.
- Accountability and Auditing Facilities - Allow the system to maintain an audit trail of events that occurred. As such, systems are able to monitor data access.
4 What are Digital Signatures
- A digital signature is a piece of data that identifies the originator of a document. It utilizes asymmetric encryption, where one key (private key) is used to create the signature code and a different but related key (public key) is used to verify it.
5 Digital Signatures
- Digital signature creation uses a hash result
derived from and unique to both the signed
message and a given private key. This hash value
should be unique and impossible to obtain via a
different message. This technique enables the
protection of digital information (represented as
a bit-stream) from undesirable modification.
6 Digital Signatures
- Digital signature verification is the process of
checking the digital signature by reference to
the original message and public key.
7 Digital Signatures
- Signer Authentication - A signature should indicate who signed a document, message or record, and should be difficult for another person to produce without authorization.
- Message Authentication - The digital signature also identifies the signed message, typically with far greater certainty and precision than paper signatures. Verification reveals any tampering, since the comparison of the hash results
- Affirmation Act - Signatures are legally binding
- Efficiency - Allows for automation of modern Electronic Data Interchange (EDI).
8 Digital Signatures
<Signed SigID=1>
Promissory Note I, Mary Smith, promise to pay to the order of First Western Bank five thousand dollars and no cents ($5,000) on or before June 10, 1998, with interest at the rate of fifteen per cent (15%) per annum.
Mary Smith, Maker
</Signed><Signature SigID=1 PsnID=smith082>
2AB3764578CC18946A29870F40198B240C
D2302B2349802DE002342B212990BA5330249C1D20774C1622
D39
</Signature>
9 Advantages of Digital Signatures
- Data integrity - Digital signatures provide proof that the document or message has not been altered or tampered with.
- Authentication of Identities - Digital signatures make it easier to verify the identity of senders and recipients.
- Concept of non-repudiation - This means that neither the sender nor the recipient can deny having sent or received the document.
- Includes an automatic date and time stamp, which is critical in business transactions.
- Increases the speed and accuracy of transactions
10 Disadvantages of Digital Signatures
- Technological Compatibility - refers to standards and the ability of one digital signature system to "talk" to another. It is difficult to develop standards across a wide user base.
- Security Concerns - These efforts are perpetually hampered by lost or borrowed passwords, theft and tampering, and vulnerable storage and backup facilities.
- Legal Issues - There is clear consensus that digital signatures should be legally acceptable. However, many questions remain unanswered in the legal arena
11 Challenges and Opportunities
- Challenges -
- Institutional overhead - The cost of establishing and utilizing certification authorities, repositories, and other important services, as well as assuring quality in the performance of their functions.
- Subscriber and Relying Party Costs - A digital signer will require software, and will probably have to pay a certification authority some price to issue a certificate. Hardware to secure the subscriber's private key may also be advisable.
12 Challenges and Opportunities
- Opportunities -
- Imposters - by minimizing the risk of dealing with imposters or persons who attempt to escape responsibility by claiming to have been impersonated
- Message Integrity - by minimizing the risk of undetected message tampering and forgery, and of false claims that a message was altered after it was sent
- Formal Legal Requirements - by strengthening the view that legal requirements of form, such as writing, signature, and an original document, are satisfied, since digital signatures are functionally on a par with, or superior to paper forms and
13 Challenges and Opportunities Contd
- Opportunities -
- Open Systems - by retaining a high degree of information security, even for information sent over open, insecure, but inexpensive and widely used channels.
14 Case Study
- P.E.B.E.S Database Failure
15 System Design
- In March of 1997, the Social Security Administration made its Personal Earnings and Benefit Estimate Statements (PEBES) database available over the Internet so that individuals could access their information online.
- To see your personal data over the Internet you filled in a form with your full name, your Social Security number, your date of birth, the state of your birth and your mother's maiden name. The PEBES system returned your earnings history and benefit estimates
16 Problems Faced
- The system was so flooded with users that it was nearly impossible to get through.
- Insecurity of the system
- The system did not successfully prevent others from accessing your PEBES information and therefore from seeing some fairly personal financial information.
17 Problems Faced
- Persons were able to retrieve PEBES records for prominent public figures.
- The five pieces of information required by PEBES, while not obtainable from common sources like the phone book, are not terribly difficult to determine for any given individual.
18 The Solution
- The main problem faced by the PEBES system was the idea of identity in cyberspace.
- The solution therefore lies in developing an infrastructure that would facilitate:
- Authentication
- Authorization
- Integrity and privacy of data
- Transaction Management
19 Solution
- Can digital signatures be used to solve the problems faced by the PEBES system?
- To answer this question, let's discuss how signatures can be integrated into the security framework of databases.
20 Digital Signatures in Relational Database Applications
21 Introduction
- Public key encryption and PKI infrastructure form the basis of electronic security.
- These infrastructures solve security problems related to business applications
- Example - Virtual Private Networks support signature and certificate based authentication and public-key-based key exchange
22 Digital Signatures in Relational Database
- Authentication
- Authorization
- Ensure data integrity
- Non repudiation
- Transaction Management
23 Authentication
- Digital signature (PKI) systems are used in conjunction with a secret-key system.
- The private key is encrypted using a secret-key system.
- The user uses a simple password (like the PIN for his or her ATM card) to decrypt the private key
24 Authentication
- Encrypted private keys could then be stored on servers, in smart cards, or on your credit card.
- Access to a database, for example, would only be permitted by sending a certain code encrypted with your private key.
- The encoded document is received by the user authentication program, it is decoded with your public key, and access is granted.
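The exchange described above, as an added Go example that is not part of the original presentation. It goes one step beyond the slide by having the server issue a fresh random code per login, so a captured response cannot be reused; `AuthServer`, `loginMsg` and the user name `msmith` are hypothetical, and Ed25519 stands in for whatever signature scheme a deployment uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuthServer is a hypothetical authentication program holding user public keys.
type AuthServer struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

// loginMsg binds the random code to a purpose and a user before it is signed.
func loginMsg(user string, nonce []byte) []byte { return append([]byte("db-login:"+user+":"), nonce...) }

// Challenge issues a fresh random code for the user to sign.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Login checks the signature and consumes the challenge, so a replay fails.
func (s *AuthServer) Login(user string, sig []byte) bool {
	nonce, ok := s.pending[user]
	delete(s.pending, user)
	pub, known := s.pubKeys[user]
	return ok && known && ed25519.Verify(pub, loginMsg(user, nonce), sig)
}

// demo: a valid login, a replayed response, and a signature from the wrong key.
func demo() (first, replay, impostor bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo keys
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	s := &AuthServer{map[string]ed25519.PublicKey{"msmith": pub}, map[string][]byte{}}
	c, _ := s.Challenge("msmith")
	sig := ed25519.Sign(priv, loginMsg("msmith", c))
	first = s.Login("msmith", sig)
	replay = s.Login("msmith", sig) // challenge was already consumed
	c, _ = s.Challenge("msmith")
	return first, replay, s.Login("msmith", ed25519.Sign(otherPriv, loginMsg("msmith", c)))
}

func main() { fmt.Println(demo()) }
```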
25 Authorization
- In the authorization process the DBMS uses the authentication process to obtain information about the user
- Example - DB2 uses authentication to obtain information on which database operations that user may perform and which data objects that user may access.
26 Transaction Management
- In database applications transaction data is
stored in a relational database.
27 Analysis
- Data Entry - Signatures are used to validate data and regulate access to certain data entry screens.
- Transmission - Transaction data is transferred across a network to a central application server and/or database server. Signatures are used to ensure data integrity and, when used in conjunction with cryptographic mechanisms, ensure privacy of data. Additionally they're used to provide assurance that the data is being transmitted to the intended recipient
28 Analysis Contd
- Acceptance - Accepting a transaction involves:
- Data Validation
- Integrity
- Authentication
- Authorization
- Storage - Ensure that the stored data is not changed, destroyed or viewed by malicious or unauthorized users.
29 Efficiency
- Digital signatures are typically used to
implement a paperless process
30 Efficiency
- In each step, the users are using an application that allows them to view and modify data that is stored in a central database. Note that each time a document is created or modified within the application, it is digitally signed. Each time that data is used, its signature is verified. This allows the relying user to be confident that the data in the database is genuine and was originated by an authorized user
- Example -
- Managing and shipping nuclear waste is a monumental paper producer. The digital signature process not only makes these waste management activities all but paperless, it also helps ensure the integrity of the information.
31 Documents in Databases
- Databases store structured data as opposed to unstructured data
- A document is defined as the data in one or more rows from one or more columns of one or more tables in a relational database. That is, a document may span multiple database tables and may include only selected columns from those tables and may encompass more than one row per table
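As an added example (not part of the original presentation), the Go sketch below signs a document in the sense defined above: selected columns from rows of more than one table. It assumes Ed25519 over a SHA-256 digest of a canonical, length-prefixed encoding; the `Cell` type, the table and column names, the sample rows and the fixed demo seed are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"sort"
)

// Cell is one selected column of one row (all names here are hypothetical).
type Cell struct{ Table, RowID, Column, Value string }

// digest hashes cells in sorted order with length-prefixed fields (canonical form).
func digest(doc []Cell) []byte {
	cells := append([]Cell(nil), doc...)
	key := func(c Cell) string { return c.Table + "\x00" + c.RowID + "\x00" + c.Column }
	sort.Slice(cells, func(i, j int) bool { return key(cells[i]) < key(cells[j]) })
	h := sha256.New()
	for _, c := range cells {
		for _, f := range []string{c.Table, c.RowID, c.Column, c.Value} {
			var n [8]byte
			binary.BigEndian.PutUint64(n[:], uint64(len(f)))
			h.Write(n[:]) // the length prefix keeps field boundaries unambiguous
			h.Write([]byte(f))
		}
	}
	return h.Sum(nil)
}

func signDoc(priv ed25519.PrivateKey, doc []Cell) []byte { return ed25519.Sign(priv, digest(doc)) }
func verifyDoc(pub ed25519.PublicKey, doc []Cell, sig []byte) bool { return ed25519.Verify(pub, digest(doc), sig) }

// demo signs constructed rows, then verifies them intact, reordered and altered.
func demo() (intact, reordered, altered bool) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed demo seed
	pub := priv.Public().(ed25519.PublicKey)
	doc := []Cell{{"shipment", "17", "destination", "Site B"},
		{"shipment_item", "1", "container", "C-100"}, {"shipment_item", "2", "container", "C-101"}}
	sig := signDoc(priv, doc)
	intact = verifyDoc(pub, doc, sig)
	doc[1], doc[2] = doc[2], doc[1] // same rows returned in a different order
	reordered = verifyDoc(pub, doc, sig)
	doc[0].Value = "Site X" // simulated UPDATE that bypassed the application
	return intact, reordered, verifyDoc(pub, doc, sig)
}

func main() { fmt.Println(demo()) }
```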
32 (No Transcript)
33 Signing Documents in Databases
34 Digital Signatures Application
- Uses, Benefits and Possible Weaknesses
35 Digital Signatures at Work
- Used to monitor anonymous communications such as email and other remote applications.
- Used in conjunction with Virtual Private Networks to ensure secure transfer of data.
- Used to manage transactions and other business properties
- Example - Gradkell Systems
36 Digital Signatures at Work
- Form the basis of interaction between secure intranets and demilitarized zones associated with the internet.
- Found in digital time stamping solutions and auditing infrastructures.
37 Digital Signatures at Work
- Used by banks and other financial institutions to secure point of sale and other financial transactions carried out via credit, debit and smart cards
38 Digital Signatures at Work
- SQL Server 2005 - a method of ensuring that a particular resource such as a table or view can be accessed only via a designated module such as a stored procedure. Additionally they're used to restrict EXECUTE permissions.
- WS-Security in Oracle Application Server involves adding authentication tokens as the message leaves the client, digitally signing the message, and encrypting the message.
39 Problems with Digital Signatures
- Prevention vs. Proof of Data Integrity
- Digital signatures simply allow an application to prove two things about the data they protect:
- Integrity - the data has not been modified since it was signed, and
- Origin - the identity of the signer can be cryptographically proven.
- Digital signatures cannot prevent fraud from being attempted; they prevent attempted fraud from succeeding by giving applications the ability to detect fraudulent transactions.
- Signing of dynamic content. (Possible solutions involve removing dynamic content, use of static file formats and/or use of XML)
40 Problems with Digital Signatures
- Security and confidentiality of private key, possible misuse and the legal implications which arise.