157337 Database Development

1
157337 Database Development

• Security
• Week 10

2
Content

• Scope of database security why take threats
  seriously?
• Situations related to database security
• Threats
• Countermeasures computer-based controls (BRAVE)
• Backup and recovery
• RAID technology
• Authorization
• Views
• Encryption

3
Objectives

• In this Lecture you will learn
• The scope of database security
• Why database security is a serious concern for
  any organization
• The types of threat that can affect a database
  system
• Which computer-based controls to use for
  protection

4
Scope of database security why take threats
seriously?

• Database security
• The mechanisms that protect the database
  against intentional or accidental threats.
• Includes
• hardware
• software
• people
• data

5
Situations related to database security

• theft or fraud
• loss of
• confidentiality secrecy related to organizations
  critical data. Breach may lead to loss of
  competitiveness
• privacy secrecy related to personal data. Breach
  may lead to legal action against organization
• integrity invalid or corrupted data. Breach
  affects operation of organization
• availability affects so called 24 x 7
  availability, affects financial performance,
  occasionally causes data corruption

6
Threats

• Threat
• any situation or event (intentional or
  accidental) that may adversely affect a system
  and thus the organization.
• Tangible threat
• loss of hardware, software or data.
• Intangible threat
• loss of credibility or client confidence.

7
Threats and Damage

• Extent of damage depends on the existence of
• countermeasures, and
• contingency plans.
• Example A hard disk crash all processing must
  stop until the problem is solved. Recovery time
  depends on factors such as
• when the last back-ups were taken, and
• how easy it is to restore the system.
• Organization needs to
• identify types of threats and their
  significance.
• develop appropriate, cost-effective plans and
  countermeasures.

8
Threats
9
Countermeasures computer-based controls
BRAVE countermeasures
10
Countermeasures computer-based controls

• BRAVE
• B ackup and recovery
• R AID technology
• A uthorization
• V iews
• E ncryption

• Types of countermeasures range from
• Physical controls to
• Administrative procedures

NB despite the wide range of controls, generally
a DBMS is only as secure as its operating system!
11
Backup and recovery

• Backup the process of periodically (at frequent
  and regular intervals) taking a copy of the
  database and log files (and possibly programs) on
  to offline storage media kept in a secure
  location, suitable for rapid recovery from a
  fault.
• Journaling the process of keeping and
  maintaining online a log file (journal)
  containing all the changes made to the database
  to enable recovery to be undertaken effectively
  in the event of failure.
• Archiving the process of periodically taking a
  copy of the database and possibly programs on to
  offline secondary storage media, suitable for
  infrequent reference.
• DBMSs provide backup facilities to assist with
  recovery of the database in the event of failure.

12
Backup and recovery

• In the event of a failure, the database can be
  recovered to its last known consistent state
  using either
• The log file created by the journaling facility,
  or
• The database backup file, or
• Both.
• Without a log file the database would have to be
  recovered solely from the database backup. This
  means that any changes made after the last backup
  to the database will be lost.

13
Integrity

• Integrity constraints contribute to maintaining a
  secure database by preventing the data from
  becoming invalid and giving misleading or
  incorrect results.
• Integrity constraints were discussed in previous
  weeks

14
RAID Technology

• DBMS hardware needs to be fault tolerant
• Disk drives, disk controllers, CPU, power
  supplies and cooling fans.
• Disk drives are the most vulnerable.
• RAID (Redundant Array of Independent Disks)
• several independent unreliable disks look like
  one big reliable disk
• organized to increase performance and improve
  reliability.
• Performance is increased through data striping
• Data is segmented into equal-size partitions (the
  striping unit).
• These are spread across multiple disks
• Striping improves overall I/O performance via
  parallelism.

15
RAID Technology

• Reliability is increased through storing
  redundant information across disks using a parity
  or error-correcting scheme, such as Reed-Solomon
  codes (Pless, 1989).
• Parity schemes
• each byte may have a parity bit associated with
  it that records whether the number of bits set to
  1 is even or odd.
• If the number of bits get corrupted, the new
  parity bit will not match the stored parity.
  Similarly, if the stored parity bit gets
  corrupted.
• Error-correcting schemes
• store two or more additional bits, and can
  reconstruct the original data if a single bit
  gets corrupted. These schemes can be used through
  striping bytes across disks.

16
RAID Technology

• RAID 0 Non redundant. Maintains no redundant
  data. Has the best write performance since
  updates do not have to be replicated. Data
  striping performed at level of blocks.
• RAID 1 -Mirrored. Maintains two identical copies
  of the data across different disks (mirrors).
  Writes not performed simultaneously to maintain
  consistency in the event of disk failure. Most
  expensive and slowest storage solution, but very
  safe.
• RAID 01 Non redundant and Mirrored. combines
  striping and mirroring.
• RAID 2 -Memory-Style Error-Correcting Codes. The
  striping unit is a single bit, redundancy scheme
  used are hamming codes.
• RAID 3 -Bit-Interleaved Parity. Redundancy
  provided by storing parity information on a
  single disk. This can be used to recover the data
  on the other disks should they fail. Parity disk
  can become a bottleneck though the overall level
  uses less storage space than RAID 1.
• RAID 4 -Block-Interleaved Parity. Striping unit
  is a disk block. A parity block is maintained on
  a separate disk for corresponding blocks from a
  number of other disks. If one of the disks fails,
  the parity block is used with the corresponding
  blocks from other disks to restore the blocks on
  the failed disk.
• RAID 5 -Block-Interleaved Distributed Parity.
  Parity data for redundancy is used similarly to
  RAID 3. The parity data is striped across all
  disks. Alleviating the bottleneck.
• RAID 6 -PQ Redundancy. Similar to RAID 5.
  Additional redundant data is maintained to
  protect against multiple disk failures.
  Error-correcting codes are used instead of
  parity.

17
Authorization

• Authorization the granting of a right or
  privilege that enables a subject to have
  legitimate access to a system or a systems
  object.
• Authorization controls (access controls) are
  built into the software. They govern
• what systems or objects a specified user can
  access (e.g. database tables, views, procedures,
  triggers) and
• what the user may do with them.
• Authorization involves authentication of the
  subjects (potential user or program) requesting
  access to objects.
• Authentication a mechanism that determines
  whether a user is who he or she claims to be. A
  system administrator is usually responsible for
  allowing users access by creating user accounts.
  Each user is given a unique identifier The
  identifier has a password associated with it,
  chosen by the user and known to the operating
  system.

18
Authorization
Procedure allows access to the computer system
but not necessarily to the DBMS or other
applications. A separate but similar procedure
may be associated with gaining access to these
further applications. The database
administrator (DBA) is responsible for
authorizing users. The DBA sets up individual
user accounts and passwords using the DBMS
itself. Some DBMSs maintain a list of user
identifiers and password distinct from those in
the operating systems list. Others have entries
which are validated against the operating systems
list based on the current user's identifier.
This prevents a user logging on to the DBMS with
a different name to that used when logging on to
the operating system.
19
AuthorizationPrivileges
Certain Privileges may be associated with
Permission to use a DBMS. For example, the right
to access or create certain database objects or
relations or to run certain DBMS utilities.
Privileges are granted specific to the
requirements of the users job. Excessive
granting of privileges can compromise
security. Closed systems though authorized to
use the DBMS, authorization is needed to access
specific objects, granted by either the DBA or
the owners of the specific objects. Open
systems users are allowed complete access to all
objects within the database. Privileges will have
to be explicitly removed to control access.
20
AuthorizationOwnership Privileges

• The DBMS owns some objects, usually in the form
  of a specific superuser such as the DBA.
• Ownership gives the owner all appropriate
  privileges on the object owned.
• The creator of an object owns the object, and can
  assign the appropriate privileges.
• For example though the owner owns a view they
  may be only authorized to query it. (owners set
  the privileges allowed, and are also subjected to
  them). Privileges can be passed on to other
  authorized users.
• In SQL, when a user passes on a privilege, they
  can indicate whether the recipient can pass it
  on.

21
AuthorizationOwnership Privileges

• Different types of identifier may have different
  associated priorities. For example a DBMS may
  permit both individual and group user
  identifiers, and the individual user may have
  higher priority than the group.
• Privileges (Select, Update, Insert, Delete or
  All) usually have a binary value associated with
  them (differs from one system to another)
• e.g. Select 0100, Update 0010, All 1111.
  Summing them, for a particular object, indicates
  the privileges for that user type.
• The different privileges for the different types
  of user specific to each database object are
  stored in an access control matrix.

22
AuthorizationOwnership Privileges
Example User group identifiers Access
Control Matrix
23
Views

• View a view is the dynamic result of the
  interaction of one or more relational operations
  with the base relations, which produce another
  relation. It is a virtual relation in that it
  does not exist in the database but is produced
  upon request by a given user at a particular
  time.
• The view is a powerful and flexible security
  mechanism as it hides parts of the databases from
  certain users.

24
Summary

• The Scope of database security
• Why take threats seriously?
• Situations related to database security
• The different types of threat
• Countermeasures computer-based controls
• Backup and recovery
• RAID technology
• Authorization
• Views
• Encryption will be covered in the next lecture
• NEXT
• Encryption
• Security in (i) Microsoft Access DBMS and (ii)
  Oracle DBMS
• DBMS and Web security (SSL, SHTTP, Certificates,
  etc.)

25
Encryption

• Encryption the encoding of the data by a special
  algorithm that renders the data unreadable by any
  program without the decryption key.
• Encode data of a sensitive nature as a precaution
  against possible external threats.
• The DBMS can access the data after decoding
  it, although there is a degradation in
  performance as it takes time to decode.
• Encryption protects data transmitted over
  communication lines.
• There are a number of techniques for encoding
  data

26
Encryption

• Irreversible encryption
• Does not permit the original data to be known.
• However, the encrypted data can be used to obtain
  valid statistical information.
• Reversible encryption
• More common.
• To transmit data securely over an insecure
  network requires the use of a cryptosystem.

27
Encryption

• Cryptosystem Includes
• Encryption key to encrypt the data (plaintext).
• Encryption algorithm that, with the encryption
  key, transforms the
• plaintext into cipher text
• Decryption key to decrypt the cipher text
• Decryption algorithm that, with the decryption
  key, transforms the ciphertext back into
  plaintext.

text
text
cipher text
encryption algorithm
decryption algorithm
encryption key
decryption key
28
Encryption

• Symmetric Encryption
• Uses the same key for encryption and decryption.
• Requires a secure communication line for
  exchanging the key. Most users don't have a
  secure line.
• To be really secure the key should be as long as
  the message, most however use shorter keys.
• Asymmetric Encryption
• Uses different keys.
• Symmetric Example DES (Data Encryption
  Standard)
• Developed by IBM.
• Not universally regarded as being secure. Some
  authors say a larger key is required.
• PGP Pretty Good Privacy uses a 128-bit symmetric
  algorithm for bulk encryption of the data it
  sends.

29
Encryption

• Keys with 64-bits are now considered breakable by
  major governments, though at substantial cost.
• This technology will be within the reach of
  organized criminals, major organizations and
  smaller governments either already or very soon
• It is probable that keys with 128-bits will
  remain unbreakable for the foreseeable future.
• The terms strong authentication and weak
  authentication are sometimes used to distinguish
  between algorithms that cannot be broken with
  existing technologies and knowledge (strong) and
  those that can (weak).

30
Encryption

• Asymmetric Example Public key systems. Two keys
  are used. One is public and one is private. The
  encryption algorithm may also be public. Anyone
  can send an encoded message using the public key
  and algorithm given by the owner. But only the
  owner of the private key may decipher the
  message.
• A digital signature can also be used to prove the
  message came from the person who claimed to have
  sent it (see later lecture).
• RSA is the most well known asymmetric encryption
  (the name derives from the initials of the
  algorithm designers).
• Generally, asymmetric algorithms are much slower
  to execute. In practice the two types of
  encryption are used together.

31
Authentication and authorisation in Microsoft
Access DBMS
32
Authentication and authorisation in Microsoft
Access DBMS

• Instead of GRANT and REVOKE statements, Access
  provides
• system security setting a password for opening
  a database (authentication)
• data security user-level security, which
  limits the parts of the database a user can read
  or update (authorisation)

33
Authentication in Microsoft Access DBMS
2.2 Authentication authorisation in Microsoft
Access DBMS
Example (Password)
Password set from Tools, Security menu
Secure. Access encrypts password
34
Authorisation in Microsoft Access DBMS
Example (user-level security)
Within the Microsoft Access workgroup information
File users are identified as belonging to a
group.

• Default groups
• administrator (Admin group)
• - users (Users group).

35
Authorisation in Microsoft Access DBMS
Example (user-level security Permissions)

• Permissions granted to groups and users
• Dialog box used to regulate how they can work
  with given objects
• No. of possible permissions Open/Run, Read
  Design, Modify Design, Update Data, Read Data,
  Delete Data etc...

36
Authorisation in Oracle DBMS
37
Authorisation in Oracle DBMS Privileges

• Privilege the right to execute a particular type
  of SQL statement or to access another users
  objects.
• Some examples of Oracle privileges are
• connect to the database (create a session)
• create a table
• select rows from another users table

38
Authorisation in Oracle DBMS Privileges

• There are two distinct categories of privileges
  in Oracle
• 1. System privileges the right to perform a
  particular action, or to perform an action on
  schema objects of a certain type. Control
  privileges associated with some schema objects
  (clusters, indexes and triggers).
• Example creation of table spaces or of
  users in a database.
• Privileges granted or revoked in two ways
• Grant System Privileges/Roles dialog box and
  Revoke System Privileges/Roles dialog box of
  Oracle Security Manager.
• SQL GRANT and REVOKE statements.

39
Authorisation in Oracle DBMS Privileges
2. Object privileges the right to perform a
particular action on a specific table, view,
sequence, procedure, function or package.
Example the privilege to delete rows from the
Staff table. A user automatically has all
object privileges for schema objects contained in
their schema. They can grant object privileges
on any schema object owned. The inclusion in
the grant of the WITH GRANT OPTION (of the GRANT
statement) allows the user to further grant the
object privileges to other users.
40
Authorisation in Oracle DBMS Privileges

• A user can receive a privilege in two different
  ways
• Privileges can be granted to users explicitly.
• Example GRANT INSERT ON PropertyForRent TO
• Beech, means the object privilege insert rows
  has
• been granted to Mr Beech on the said table.
• 2. Privileges can be granted to a role.
• The role can then be granted to one or more
• users.
• Example the object privileges insert, delete
• and update could be granted to the role
• Assistant User Beech can then be granted the
• role Assistant.

Role a named group of privileges A user can
access several roles and several users can be
assigned the same role. This is a better and
easier way to manage privileges.
41
Summary - Questions
2.4 Summary

• The final BRAVE countermeasure
• Encryption
• Authentication and authorisation in Microsoft
  Access DBMS
• Setting a password
• User-level security
• Authorisation in Oracle DBMS
• Privileges

NEXT DBMS and Web Security - Firewalls -
Signatures - Certificates
42
Objectives

• In this Lecture you will learn
• Approaches for securing a DBMS on the Web

43
3.2 DBMS and Web security
DBMS and Web security

• Internet communications rely on TCP/IP as the
  underlying protocol.
• These, along with HTTP were not designed with
  security in mind.
• Without special software all information is
  traveling in the clear (anyone monitoring it
  can read it)
• This form of attack is easy with freely available
  packet sniffing software.
• Need to transmit and receive information while
  ensuring
• Privacy it is inaccessible to anyone but the
  sender and receiver
• Integrity it has not been changed during
  transmission
• Authenticity the receiver can be sure it came
  from the sender
• Non-fabrication the sender can be sure the
  receiver is genuine
• non-repudiation the sender cannot deny he or she
  sent it

44
DBMS and Web security
Once information reaches the Web server, it needs
to be protected Need to ensure secured access
to and of the database, given the popular
three-tier architecture in a Web environment.
Need to watch executable content HTML pages
may contain ActiveX controls, JavaScript/
VBScript.
45
DBMS and Web security

• Executables can perform the following malicious
  actions, measures need to be taken to prevent
  them
• corrupt data or the execution state of a program
• reformat complete disks
• perform a total system shutdown
• collect and download confidential data, such as
  files or passwords to other sites
• usurp identity and impersonate the user or users
  computer to attack other targets on the network
• Lock up resources making them unavailable for
  legitimate users and programs
• cause non-fatal but unwelcome effects, especially
  on output devices

46
Web Proxy Servers
Web proxy server in a Web environment it is a
computer that sits between a Web browser and a
Web server. It intercepts all requests to the Web
server to see if it can fulfill them itself if
not then it forwards them on. two main
purposes 1. Improve Performance It saves the
results of all requests for a certain amount of
time. Much faster. 2. Filter requests an
organisation may want to prevent its employees
from accessing a certain set of Web sites, a
proxy server can do this.
47
Fire Walls
Firewall A system designed to prevent
unauthorized access or to form a private network.
Can be implemented in hardware or software or
both. Frequently used to stop unauthorized
internet users accessing an intranet. All
messages attempting to enter or leave the private
network must pass its security criteria to pass
through it. Standard security advice Web
servers are unconnected to any in-house networks
and regularly backed up. Firewall technology
can help prevent unauthorized access when the Web
server has to be connected to an internal
network.
48
Fire Walls

• Several types of Firewall technique
• Packet Filter looks at each packet
  entering/leaving the network and accepts/rejects
  based on user defined rules. Fairly effective.
  Transparent to users. Difficult to configure.
  Susceptible to IP spoofing . Can degrade
  performance.
• Application gateway applies security mechanisms
  to specific applications, i.e. Telnet and FTP.
  Effective but can degrade performance.
• Circuit-level gateway applies security
  mechanisms when a TCP or UDP (User Datagram
  Protocol) connection is established. Once
  connection is made, packets flow freely between
  hosts without further checking.
• Proxy server intercepts all messages
  entering/leaving network. In effect hides the
  true network addresses. (cf. Web Proxy Server)
• In practice many firewalls provide more than one
  technique. First line of defense in protecting
  private information. For greater security, data
  should be encrypted.

49
Message digest algorithms

• Message digest algorithm
• or one-way hash function
• takes arbitrary sized string (message) and
  generates a fixed length string (the digest or
  hash).
• A digest has the following characteristics
• it should be computationally infeasible to find
  another message that will generate the same
  digest.
• the digest reveals nothing about the message.

50
Digital signatures

• Digital signature consists of two parts
• a string of bits computed from the data that is
  being signed
• 2. the private key of the individual or
  organization giving the signature.
• The signature can be used to verify the data came
  from the individual or
• organization. Its useful properties are
• its authenticity can be verified, using a
  computation based on the corresponding public key
• it cannot be forged (assuming the private key is
  kept secret)
• it cannot be claimed to be the signature for any
  other data
• the signed data cannot be changed, otherwise the
  signature will no longer verify the data as being
  authentic

51
Digital Certificate

• Digital certificate Attachment to electronic
  message used for security purposes (e.g. verify
  user sending message). Provides receiver with
  means to encode reply.
• Sender applies for certificate from Certificate
  Authority (CA).
• CA issues encrypted certificate containing
  applicants public key and other identification
  information.
• CA makes its own public key readily available.
• Recipient uses CAs public key to decode
  certificate attached to message, verifies it as
  issued by CA.
• Recipient obtains senders public key and
  identification information held within
  certificate. With this information, recipient can
  send an encrypted reply.
• CAs role is critical, acting as go-between. As
  the clients and servers may
• not yet have established mutual trust yet both
  want to have a secure session.

52
Kerberos
Kerberos A server of secured user names and
passwords (named after the three-headed monster
in Greek mythology that guarded the gates of
hell). Provides one centralized security server
for all data and resources on network Database
access, login, authorization control, and other
security features. Has similar function to that
of Certificate server to identify and validate
a user.
53
Secure sockets layer (SSL)

• Secure sockets layer (SSL)
• Encryption protocol for transmitting private
  documents.
• Designed to prevent eavesdropping, tampering, and
  message
• forgery.
• Works by using private key to encrypt data that
  is transferred over SSL
• connection.
• Layered between application-level protocols such
  as HTTP and TCP/IP
• transport-level protocol. Thus, may be used for
  other application-level
• protocols such as FTP.
• Internet Explorer supports SSL. Used to gain
  credit card
• information by many Web sites

54
secure HTTP

• secure HTTP Protocol for securely transmitting
  individual
• messages over Web. A modified version of the
  standard HTTP
• protocol.
• SSL and S-HTTP use techniques such as encryption,
  digital signatures, and
• allow browsers and servers to authenticate each
  other
• allow controlled access to Web site
• ensure data exchanged between browser and server
  is secure and reliable.
• SSL creates a secure connection over which any
  amount of data can be
• sent securely. S-HTTP transmits individual
  messages only. Complementary
• rather than competing technologies.

55
Secure Electronic Transactions (SET)

• Secure Electronic Transactions (SET) Open,
  interoperable
• standard for processing credit card transactions
  over Internet, in simple
• and secure way.
• To address privacy concerns, the transaction is
  split such that
• The merchant has access to information about
• what is being purchased,
• how much it costs,
• whether payment is approved,
• But no information on
• what payment method customer is using.
• The card issuer (e.g. Visa) has access to
• purchase price, payment method
• But no information on
• type of merchandise involved.

Certificates are heavily used by SET, both for
certifying cardholder and for certifying that
merchant has relationship with financial
institution.
56
Secure Electronic Transactions (SET)
57
Java security
The Java Sandbox ensures untrusted application
cannot gain access to system resources. Involves
three components 1. class loader 2. bytecode
verifier 3. security manager Safety features
are provided by the language and the Java Virtual
Machine (JVM), and enforced by compiler and
runtime system.
58
Java security

• Classloader
• Allocates (hierarchically structured) namespace
  for each class.
• Never allows class from less protected namespace
  to replace class from more protected
  namespace.
• Thus, I/O primitives, defined in local Java
  class, cannot be invoked or overridden by classes
  from outside local machine.
• Bytecode verifier
• JVM verifies bytecode instructions before
  allowing application/ applet to run. Typical
  checks include verifying
• - Compiled code is correctly formatted.
• - Internal stacks will not overflow/underflow.
• - No illegal data conversions will occur.
• - Bytecode instructions are appropriately typed.
• - All class member accesses are valid.

59
Java security

• The Security Manager
• Each Java application defines and implements its
  own security policy.
• A Java-enabled browser contains its own Security
  Manager, and any applets it downloads are subject
  to its policies.
• Generally, downloaded applets are prevented from
• Reading and writing files on clients file system.
• Making network connections to machines other than
  host.
• Starting other programs on the client.
• Loading libraries.
• Defining method calls.

These restrictions apply to applets downloaded
over Internet/intranet. Do not apply to applets
on clients local disk and in directory on
CLASSPATH.
Local applets are loaded by file system loader
and can read and write files, exit JVM, and are
not passed through the bytecode verifier.
60
ActiveX

• The ActiveX security model Considerably
  different from Java applets in that it places no
  restrictions on what a control can do.
• Each ActiveX control can be digitally signed by
  its author using system called Authenticode.
• Digital signatures are then certified by CA.
• This security model places responsibility for the
  computers security on the user.
• Before the browser downloads an ActiveX control
  that has not been
• signed or has been certified by an unknown CA it
  presents a dialog
• box warning the user the action may be unsafe.

61
Summary - Questions
3.3 Summary

• DBMS and Web security
• Proxy servers
• Firewalls
• Message digest algorithms and digital signatures
• Digital certificates
• Kerberos
• Secure sockets layer and secure HTTP
• Secure electronic transactions and secure
  technology
• Java security
• ActiveX security