S06 AdvDB DBSecurity

This document discusses database security and access control methods. It begins with an introduction to database security issues and threats. It then describes four main countermeasures: access control, inference control, flow control, and encryption. Next, it discusses access control methods in more detail, including discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). For DAC, it explains how privileges are granted and revoked and the problems that can arise.

Lecture 6: Database Security
Faculty of Science and Technology Advanced Database 2/52
Outlines
Introduction
Access Control Methods
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Role Based Access Control
Introduction to Statistical Database Security
Reference: Chapter 24
Introduction to Database Security Issues
Security issues
Legal and ethical: the right to access certain information. Some
information may be deemed to be private and cannot be
accessed legally by unauthorized persons.
Policy: at the governmental, institutional, or corporate level as
to what kinds of information should not be made publicly
available
System-related: system levels. The physical hardware level, the
operating system level, or the DBMS level
The need to identify multiple security levels: top secret, secret,
confidential, and unclassified.
Introduction to Database Security Issues (3)
To protect databases against these types of threats, four
kinds of countermeasures can be implemented:
Access control: the DBMS creates user accounts and passwords
to control the login process.
Inference control: the countermeasures to the statistical
database security problem.
Flow control: prevents information from flowing in such a way
that it reaches unauthorized users.
Encryption: protects sensitive data that is being transmitted
via some type of communication network.
Access Control
Subject: active entity that requests access to an object
e.g., user or program
Object: passive entity accessed by a subject
e.g., record, relation, file
Access right (privileges): how a subject is allowed to access
an object
e.g., subject s can read object o
Database Security and the DBA
The database administrator (DBA) is the central
authority for managing a database system.
The DBA's responsibilities include
granting privileges to users who need to use the
system
classifying users and data in accordance with the policy
of the organization
The DBA is responsible for the overall security of the
database system.
DBA
The DBA has a DBA account in the DBMS
Sometimes these are called a system or superuser account
These accounts provide powerful capabilities such as:
1. Account creation
2. Privilege granting
3. Privilege revocation
4. Security level assignment
Action 1 is access control, whereas 2 and 3 are discretionary,
and 4 is used to control mandatory authorization.
Access Protection, User Accounts, and Database Audits
Whenever a person or group of persons need to access a
database system, the individual or group must first apply for a
user account.
The DBA will then create a new account id and password for
the user if he/she thinks there is a legitimate need to access the
database
The user must log in to the DBMS by entering account id
and password whenever database access is needed.
Access Protection, User Accounts, and Database Audits (2)
The database system must also keep track of all
operations on the database that are applied by a
certain user throughout each login session.
To keep a record of all updates applied to the database
and of the particular user who applied each update, we
can modify the system log, which includes an entry for each
operation applied to the database that may be required for
recovery from a transaction failure or system crash.
Access Protection, User Accounts, and Database Audits (3)
If any tampering with the database is suspected, a
database audit is performed
A database audit consists of reviewing the log to examine
all accesses and operations applied to the database
during a certain time period.
A database log that is used mainly for security purposes
is sometimes called an audit trail.
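The audit step described above, as an added example that is not part of the lecture: a small parser for a DBMS log kept as an audit trail, plus the review of all operations applied in a time period and a per-account count of updates. The line format (timestamp | account | operation | object) and the log entries are constructed for this demonstration; real DBMS logs use their own formats.

```python
# Added example, not from the lecture: parsing a DBMS log kept as an audit
# trail and reviewing the operations applied in a time period. The line
# format and the entries below are constructed for this demonstration.
from datetime import datetime

# Constructed audit-trail lines: timestamp | account | operation | object
SAMPLE_LOG = """\
2024-03-01T09:00:12 | alice | SELECT | Employee
2024-03-01T09:05:40 | bob   | UPDATE | Employee
2024-03-01T11:30:02 | carol | LOGIN  | -
2024-03-01T11:31:15 | carol | DELETE | Employee
2024-03-02T08:15:00 | bob   | SELECT | Products
"""


def parse_audit_trail(text):
    """Turn each log line into a dict; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        ts, account, op, obj = parts
        entries.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "op": op, "object": obj})
    return entries


def audit(entries, start, end, account=None, obj=None):
    """Review step: every operation applied between start and end (ISO-8601
    strings, inclusive), optionally narrowed to one account or one object."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in entries
            if lo <= e["ts"] <= hi
            and (account is None or e["account"] == account)
            and (obj is None or e["object"] == obj)]


def updates_by_account(entries):
    """Count modifying operations per account: who changed data, and how often."""
    counts = {}
    for e in entries:
        if e["op"] in ("INSERT", "UPDATE", "DELETE"):
            counts[e["account"]] = counts.get(e["account"], 0) + 1
    return counts


if __name__ == "__main__":
    log = parse_audit_trail(SAMPLE_LOG)
    for e in audit(log, "2024-03-01T00:00:00", "2024-03-01T23:59:59", obj="Employee"):
        print(e["ts"].isoformat(), e["account"], e["op"], e["object"])
    print(updates_by_account(log))
```

The time window and the object filter are the two parameters an audit normally starts from (the slide's "certain time period"); the update count is the quickest way to see which accounts modified data during the session under review.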
Access Control Methods
The typical method of enforcing discretionary access
control in a database system is based on the granting
and revoking of privileges.
Discretionary Access Control (DAC)
grants privileges to users, including the capability to
access specific data files, records, or fields in a specific
mode (such as read, insert, delete, or update).
Mandatory Access Control (MAC)
classifies users and data into multiple levels of security,
and then enforces appropriate rules
Role-Based Access Control (RBAC)
DAC: Discretionary Access Control
The typical method of enforcing discretionary access
control (DAC) in a database system is based on the
granting and revoking of privileges.
Has two levels:
Account level
Create objects (table, view, index, Triggers, Procedures, etc)
Alter objects
Drop objects
Table level
MODIFY privilege, to insert, delete, or update tuples; and the
SELECT privilege
REFERENCES privilege
DAC (2)
The privileges at the account level apply to the
capabilities provided to the account itself and can
include
the CREATE SCHEMA or CREATE TABLE privilege, to
create a schema or base relation;
the CREATE VIEW privilege;
the ALTER privilege, to apply schema changes such as
adding or removing attributes from relations;
the DROP privilege, to delete relations or views;
the MODIFY privilege, to insert, delete, or update tuples;
and the SELECT privilege, to retrieve information from the
database by using a SELECT query.
DAC (3)
The second level of privileges applies to the relation
level
This includes base relations and virtual (view) relations.
The granting and revoking of privileges generally follow
an authorization model for discretionary privileges
known as the access matrix model where
The rows of a matrix M represent subjects (users,
accounts, programs)
The columns represent objects (relations, records,
columns, views, operations).
Each position M(i,j) in the matrix represents the types of
privileges (read, write, update) that subject i holds on
object j.
DAC (4)
To control the granting and revoking of relation
privileges, each relation R in a database is assigned an
owner account, which is typically the account that was
used when the relation was created in the first place.
The owner of a relation is given all privileges on that
relation.
In SQL2, the DBA can assign an owner to a whole
schema by creating the schema and associating the
appropriate authorization identifier with that schema, using
the CREATE SCHEMA command.
The owner account holder can pass privileges on any of
the owned relation to other users by granting privileges to
their accounts.
Specifying Privileges Using Views
The mechanism of views is an important discretionary
authorization mechanism in its own right. For example,
If the owner A of a relation R wants another account B to
be able to retrieve only some fields of R, then A can
create a view V of R that includes only those attributes
and then grant SELECT on V to B.
The same applies to limiting B to retrieving only certain
tuples of R; a view V can be created by defining the view
by means of a query that selects only those tuples from R
that A wants to allow B to access.
Propagation of Privileges using the GRANT OPTION
Whenever the owner A of a relation R grants a privilege on R
to another account B, the privilege can be given to B with or
without the GRANT OPTION.
If the GRANT OPTION is given, this means that B can also
grant that privilege on R to other accounts.
Suppose that B is given the GRANT OPTION by A and that B
then grants the privilege on R to a third account C, also with
GRANT OPTION. In this way, privileges on R can propagate to
other accounts without the knowledge of the owner of R.
If the owner account A now revokes the privilege granted to B,
all the privileges that B propagated based on that privilege
should automatically be revoked by the system.
Revoking Privileges
In some cases it is desirable to grant a privilege to a
user temporarily. For example,
The owner of a relation may want to grant the
SELECT privilege to a user for a specific task and
then revoke that privilege once the task is completed.
Hence, a mechanism for revoking privileges is
needed. In SQL, a REVOKE command is included for
the purpose of canceling privileges.
Problems with DAC
Figure: four accounts, Brown (owner), Black, Red and White, and three grants on the Employee relation:
GRANT SELECT ON Employee TO Black WITH GRANT OPTION
GRANT SELECT ON Employee TO Red
GRANT UPDATE(Salary) ON Employee TO White
Two questions are posed by the figure:
? Brown revokes the grant given to Black: what happens to the privileges that Black passed on?
? Brown does not want Red to access the Employee relation: how can that be achieved?
Techniques to limit the propagation of privileges
Limiting horizontal propagation to an integer
number i means that an account B given the GRANT
OPTION can grant the privilege to at most i other
accounts.
Vertical propagation is more complicated; it limits
the depth of the granting of privileges.
They have not yet been implemented in most
DBMSs and are not a part of SQL.
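The GRANT OPTION propagation, the cascading revoke and the horizontal propagation limit described on the last few slides, as an added example that is not part of the lecture: a small access-matrix model in Python in which each cell records who granted a privilege and whether it came WITH GRANT OPTION. Brown, Black, Red, White and the Employee relation are the slides' names; the accounts Green and Blue, the limit of 2 and the method names are constructed for this demonstration. The cascade rule used here (once a grantee loses its ability to pass a privilege on, every grant it made of that privilege is withdrawn) is a simplification of the SQL rule, which only removes grants that no longer have any supporting path.

```python
# Added example, not from the lecture: a small access-matrix model of
# discretionary privileges with GRANT OPTION, cascading REVOKE and the
# horizontal propagation limit. Brown, Black, Red, White and the Employee
# relation are the slides' names; Green, Blue and the limit of 2 are
# constructed for the demonstration.


class GrantError(Exception):
    """Raised when a GRANT or REVOKE is not permitted."""


class AccessMatrix:
    """Rows are accounts, columns are objects; a cell holds the list of grants
    (grantor, with_grant_option) giving the account a privilege on the object."""

    def __init__(self, horizontal_limit=None):
        self.grants = {}          # (account, object, privilege) -> [(grantor, wgo), ...]
        self.owners = {}          # object -> owning account
        self.horizontal_limit = horizontal_limit   # max grantees per non-owner grantor

    def create(self, owner, obj):
        """The account that creates a relation owns it and holds every privilege."""
        self.owners[obj] = owner

    def has(self, account, obj, priv):
        return self.owners.get(obj) == account or bool(self.grants.get((account, obj, priv)))

    def can_grant(self, account, obj, priv):
        """Owners can always grant; others need a grant that came WITH GRANT OPTION."""
        if self.owners.get(obj) == account:
            return True
        return any(wgo for _, wgo in self.grants.get((account, obj, priv), []))

    def _grantees_of(self, grantor, obj, priv):
        return [acct for (acct, o, p), lst in self.grants.items()
                if o == obj and p == priv and any(g == grantor for g, _ in lst)]

    def grant(self, grantor, grantee, obj, priv, with_grant_option=False):
        if not self.can_grant(grantor, obj, priv):
            raise GrantError(f"{grantor} holds no GRANT OPTION for {priv} on {obj}")
        if (self.horizontal_limit is not None and self.owners.get(obj) != grantor
                and len(self._grantees_of(grantor, obj, priv)) >= self.horizontal_limit):
            raise GrantError(f"{grantor} reached the horizontal propagation limit")
        self.grants.setdefault((grantee, obj, priv), []).append((grantor, with_grant_option))

    def revoke(self, grantor, grantee, obj, priv):
        """Withdraw one grant. If the grantee can no longer pass the privilege on,
        every grant it made of that privilege is withdrawn too (cascade)."""
        key = (grantee, obj, priv)
        current = self.grants.get(key, [])
        kept = [(g, w) for g, w in current if g != grantor]
        if len(kept) == len(current):
            raise GrantError(f"{grantor} never granted {priv} on {obj} to {grantee}")
        if kept:
            self.grants[key] = kept
        else:
            del self.grants[key]
        if not self.can_grant(grantee, obj, priv):
            for acct in self._grantees_of(grantee, obj, priv):
                self.revoke(grantee, acct, obj, priv)


def run_scenario():
    """The slide's situation: Brown owns Employee, Black gets SELECT with the
    GRANT OPTION and passes it to Red without Brown's knowledge."""
    m = AccessMatrix(horizontal_limit=2)
    m.create("Brown", "Employee")
    m.grant("Brown", "Black", "Employee", "SELECT", with_grant_option=True)
    m.grant("Black", "Red", "Employee", "SELECT")
    m.grant("Brown", "White", "Employee", "UPDATE(Salary)")
    result = {"red_before": m.has("Red", "Employee", "SELECT")}
    try:                                    # Red received no GRANT OPTION
        m.grant("Red", "Green", "Employee", "SELECT")
        result["red_can_grant"] = True
    except GrantError:
        result["red_can_grant"] = False
    m.grant("Black", "Green", "Employee", "SELECT")     # Black's 2nd grantee: allowed
    try:                                                # 3rd grantee exceeds the limit
        m.grant("Black", "Blue", "Employee", "SELECT")
        result["limit_enforced"] = False
    except GrantError:
        result["limit_enforced"] = True
    m.revoke("Brown", "Black", "Employee", "SELECT")    # cascades to Red and Green
    result["black_after"] = m.has("Black", "Employee", "SELECT")
    result["red_after"] = m.has("Red", "Employee", "SELECT")
    result["green_after"] = m.has("Green", "Employee", "SELECT")
    result["white_update"] = m.has("White", "Employee", "UPDATE(Salary)")
    return result
```

Running `run_scenario()` answers both questions from the "Problems with DAC" figure: revoking Black's grant takes the privilege away from Red as well, and Brown's unrelated grant to White is untouched. The horizontal limit shows the second technique on the slide; vertical (depth) limits would need a chain length counter per grant and are left out.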
Mandatory Access Control (MAC)
The discretionary access control techniques of granting and
revoking privileges on relations have traditionally been the
main security mechanism for relational database systems.
This is an all-or-nothing method:
A user either has or does not have a certain privilege.
In many applications, an additional security policy is
needed that classifies data and users based on security
classes.
This approach, known as mandatory access control (MAC),
would typically be combined with the discretionary access
control mechanisms (DAC).
MAC (2)
Typical security classes are top secret (TS), secret (S),
confidential (C), and unclassified (U), where TS is the highest
level and U the lowest: TS ≥ S ≥ C ≥ U.
The commonly used model for multilevel security, known as
the Bell-LaPadula model, classifies each subject (user,
account, program) and object (relation, tuple, column, view,
operation) into one of the security classifications TS, S, C, or
U.
We refer to the clearance (classification) of a subject S as class(S)
and to the classification of an object O as class(O).
Restrictions of the Bell-LaPadula model
Two restrictions are enforced on data access based
on the subject/object classifications:
Simple security property: A subject S is not allowed
read access to an object O unless class(S) ≥ class(O).
Star property (or * property): A subject S is not
allowed to write an object O unless class(S) ≤ class(O).
Bell-LaPadula model: Write Up/Read Down (2)
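The two Bell-LaPadula restrictions as executable checks, an added example that is not part of the lecture. The level ordering is the slides' TS ≥ S ≥ C ≥ U; the multilevel EMPLOYEE relation, the tuple classifications and the function names are constructed for this demonstration. Besides the two property checks it shows the effect on a query (a subject sees only the tuples it may read) and why the star property is needed: a subject cleared for S cannot copy what it read at S into an object classified U.

```python
# Added example, not from the lecture: the two Bell-LaPadula restrictions
# applied to a constructed multilevel relation.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS ≥ S ≥ C ≥ U, as on the slides


def can_read(subject_class, object_class):
    """Simple security property (read down): allowed only if class(S) ≥ class(O)."""
    return LEVELS[subject_class] >= LEVELS[object_class]


def can_write(subject_class, object_class):
    """Star property (write up): allowed only if class(S) ≤ class(O)."""
    return LEVELS[subject_class] <= LEVELS[object_class]


def check_access(subject_class, object_class, mode):
    """Reference-monitor style decision for a single read or write request."""
    if mode == "read":
        return can_read(subject_class, object_class)
    if mode == "write":
        return can_write(subject_class, object_class)
    raise ValueError(f"unknown access mode {mode!r}")


# Constructed multilevel relation: each tuple carries its own classification.
EMPLOYEE = [
    ("U", {"name": "Smith", "dept": "Research"}),
    ("C", {"name": "Brown", "dept": "Finance"}),
    ("S", {"name": "Jones", "dept": "Security"}),
    ("TS", {"name": "Lee", "dept": "Director"}),
]


def visible_tuples(subject_class, relation=EMPLOYEE):
    """Filtering a multilevel relation: a subject sees only the tuples it may
    read, so a query by a C-cleared user silently omits the S and TS tuples."""
    return [row["name"] for cls, row in relation if can_read(subject_class, cls)]


def flow_is_blocked(subject_class, src_class, dst_class):
    """Why the star property matters: a subject that reads src may not write
    what it read into dst when dst is classified below the subject.
    Returns True when the read-then-write chain is refused."""
    return not (can_read(subject_class, src_class) and can_write(subject_class, dst_class))


if __name__ == "__main__":
    for subj in LEVELS:
        print(subj, "sees", visible_tuples(subj))
    print("S subject copying S data to a U object blocked:", flow_is_blocked("S", "S", "U"))
```

The decision table the two functions produce is the whole of the model: every combination of subject clearance and object classification yields exactly one read answer and one write answer, with no per-user exceptions, which is what makes the policy mandatory rather than discretionary.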
Comparing Discretionary Access Control and Mandatory Access Control
Discretionary Access Control (DAC) policies are
characterized by a high degree of flexibility, which
makes them suitable for a large variety of
application domains.
The main drawback of DAC models is their
vulnerability to malicious attacks, such as Trojan
horses embedded in application programs.
Comparing Discretionary Access Control and Mandatory Access Control (2)
By contrast, mandatory (MAC) policies ensure a
high degree of protection; in a way, they prevent any
illegal flow of information.
Mandatory policies have the drawback of being too
rigid and they are only applicable in limited
environments.
In many practical situations, discretionary policies
are preferred because they offer a better trade-off
between security and applicability.
Role-Based Access Control
Role-based access control (RBAC) emerged rapidly in the
1990s as a proven technology for managing and enforcing
security in large-scale enterprisewide systems.
Its basic notion is that permissions are associated with roles,
and users are assigned to appropriate roles.
Roles can be created using the CREATE ROLE and
DESTROY ROLE commands.
The GRANT and REVOKE commands discussed under DAC
can then be used to assign and revoke privileges from roles.
RBAC (2)
RBAC appears to be a viable alternative to
traditional discretionary and mandatory access
controls; it ensures that only authorized users are
given access to certain data or resources.
Many DBMSs have allowed the concept of roles,
where privileges can be assigned to roles.
Role hierarchy in RBAC is a natural way of
organizing roles to reflect the organization's lines of
authority and responsibility.
RBAC (3)
Another important consideration in RBAC systems is the
possible temporal constraints that may exist on roles,
such as time and duration of role activations, and timed
triggering of a role by an activation of another role.
Using an RBAC model is a highly desirable goal for
addressing the key security requirements of Web-based
applications.
In contrast, discretionary access control (DAC) and
mandatory access control (MAC) models lack the
capabilities needed to support the security
requirements of emerging enterprises and Web-based
applications.
Access Control Policies for E-Commerce and the Web
E-Commerce environments require elaborate
policies that go beyond traditional DBMSs.
In an e-commerce environment the resources to be
protected are not only traditional data but also
knowledge and experience.
The access control mechanism should be flexible
enough to support a wide spectrum of heterogeneous
protection objects.
A related requirement is the support for content-
based access-control.
Access Control Policies for E-Commerce and the Web (2)
Another requirement is related to the heterogeneity
of subjects, which requires access control policies
based on user characteristics and qualifications.
A possible solution, to better take into account user
profiles in the formulation of access control policies, is
to support the notion of credentials.
A credential is a set of properties concerning a user
that are relevant for security purposes
For example, age, position within an organization
It is believed that the XML language can play a key
role in access control for e-commerce applications.
Hierarchical Privilege / Role Management
Roles provide privilege management hierarchically by
job titles and applications.
Figure: three layers. Users (DWentz, JKline, JWilson, JMorgan) are assigned user roles by job title (Billing Clerk Role, Marketing Rep Role, Manager Role), and those user roles are composed of application roles (Marketing Role, Billing Role).
Steps In Creating Roles
Create a ROLE by job or application privileges:
Create ROLE Market;
Create ROLE Billing;
(DWentz works in Marketing; JMorgan works in Billing.)
Steps In Creating Roles (2)
Grant privileges to the role:
Grant Select On Companies To Market;
Grant Select On Products To Market;
Grant Select On Orders To Market;
Grant Select On LineItems To Market;
Steps In Creating Roles (3)
Grant the ROLE to the user:
Grant Market to JMorgan;
(Example of granting a role to a user; JMorgan works in Billing.)
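The three steps above (create roles, grant privileges to roles, grant roles to users) together with the role hierarchy from the RBAC (2) slide, as an added example that is not part of the lecture. The Market and Billing roles, the four SELECT grants and the JMorgan account come from the slides; the Manager role that inherits from both, the JKline account, the INSERT privilege on Invoices and the class and method names are constructed for this demonstration.

```python
# Added example, not from the lecture: role-based access control with a role
# hierarchy. Market, Billing, the SELECT grants and JMorgan are from the
# slides; Manager, JKline and the Invoices privilege are constructed.


class RBAC:
    def __init__(self):
        self.role_perms = {}    # role -> set of (privilege, object)
        self.parents = {}       # role -> set of roles whose permissions it inherits
        self.user_roles = {}    # user -> set of directly assigned roles

    # CREATE ROLE / DESTROY ROLE
    def create_role(self, role):
        self.role_perms.setdefault(role, set())
        self.parents.setdefault(role, set())

    def destroy_role(self, role):
        """Dropping a role removes it from every user and from the hierarchy,
        so nobody keeps permissions through a role that no longer exists."""
        self.role_perms.pop(role, None)
        self.parents.pop(role, None)
        for ps in self.parents.values():
            ps.discard(role)
        for rs in self.user_roles.values():
            rs.discard(role)

    # GRANT <privilege> ON <object> TO <role> / REVOKE ... FROM <role>
    def grant_to_role(self, role, privilege, obj):
        self.role_perms[role].add((privilege, obj))

    def revoke_from_role(self, role, privilege, obj):
        self.role_perms[role].discard((privilege, obj))

    # Role hierarchy: the child role inherits everything granted to the parent.
    def inherit(self, child, parent):
        self.parents[child].add(parent)

    # GRANT <role> TO <user> / REVOKE <role> FROM <user>
    def grant_role(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"no such role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def effective_roles(self, user):
        """All roles reachable through the hierarchy (safe against cycles)."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            r = stack.pop()
            if r in seen or r not in self.role_perms:
                continue
            seen.add(r)
            stack.extend(self.parents[r])
        return seen

    def permissions(self, user):
        perms = set()
        for r in self.effective_roles(user):
            perms |= self.role_perms[r]
        return perms

    def check(self, user, privilege, obj):
        """The access decision: does some effective role carry the privilege?"""
        return (privilege, obj) in self.permissions(user)


def run_scenario():
    rbac = RBAC()
    rbac.create_role("Market")
    rbac.create_role("Billing")
    rbac.create_role("Manager")                           # constructed role
    for table in ("Companies", "Products", "Orders", "LineItems"):
        rbac.grant_to_role("Market", "SELECT", table)     # the slides' grants
    rbac.grant_to_role("Billing", "INSERT", "Invoices")   # constructed privilege
    rbac.inherit("Manager", "Market")
    rbac.inherit("Manager", "Billing")
    rbac.grant_role("JMorgan", "Market")                  # the slides' grant
    rbac.grant_role("JKline", "Manager")                  # constructed assignment
    result = {
        "jmorgan_select_orders": rbac.check("JMorgan", "SELECT", "Orders"),
        "jmorgan_insert_invoices": rbac.check("JMorgan", "INSERT", "Invoices"),
        "jkline_select_orders": rbac.check("JKline", "SELECT", "Orders"),
        "jkline_insert_invoices": rbac.check("JKline", "INSERT", "Invoices"),
    }
    rbac.destroy_role("Market")                           # DESTROY ROLE
    result["jmorgan_after_destroy"] = rbac.check("JMorgan", "SELECT", "Orders")
    result["jkline_after_destroy"] = rbac.check("JKline", "SELECT", "Orders")
    return result
```

Every access decision goes through `check`, which resolves the user's roles through the hierarchy at decision time; that is what lets an administrator change one role's grants and have every user holding that role, directly or through inheritance, pick up the change at once.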
Introduction to Statistical Database Security
Statistical databases are used mainly to produce
statistics on various populations.
The database may contain confidential data on
individuals, which should be protected from user
access.
Users are permitted to retrieve statistical
information on the populations, such as averages,
sums, counts, maximums, minimums, and
standard deviations.
Introduction to Statistical Database Security (2)
A population is a set of tuples of a relation (table)
that satisfy some selection condition.
Statistical queries involve applying statistical
functions to a population of tuples.
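A statistical query over a population, with the simplest form of the inference control that the countermeasures slide lists, as an added example that is not part of the lecture. The EMPLOYEE rows, the threshold MIN_POPULATION and the function names are constructed for this demonstration; the slides do not state a threshold. The check refuses to release a statistic when the selected population is smaller than the threshold, or leaves fewer than the threshold tuples outside it, because either case would let a statistic describe one individual.

```python
# Added example, not from the lecture: statistical queries over a population
# with a query-set-size check as a basic inference control. The rows and the
# threshold are constructed for this demonstration.
import statistics

EMPLOYEE = [  # constructed data: name, dept, sex, salary
    {"name": "Smith",   "dept": "Research", "sex": "M", "salary": 30000},
    {"name": "Wong",    "dept": "Research", "sex": "F", "salary": 40000},
    {"name": "Zelaya",  "dept": "Research", "sex": "M", "salary": 38000},
    {"name": "Wallace", "dept": "Admin",    "sex": "F", "salary": 43000},
    {"name": "Jabbar",  "dept": "Admin",    "sex": "M", "salary": 25000},
    {"name": "Narayan", "dept": "Admin",    "sex": "M", "salary": 38000},
    {"name": "Borg",    "dept": "HQ",       "sex": "M", "salary": 55000},
]

MIN_POPULATION = 2   # assumed threshold; not stated on the slides

STAT_FUNCTIONS = {   # the statistics the slides list
    "count": len,
    "sum": sum,
    "avg": statistics.mean,
    "max": max,
    "min": min,
    "stddev": statistics.pstdev,
}


class QueryRefused(Exception):
    """The population is too small (or too close to the whole table) to release."""


def population(rows, **conditions):
    """The set of tuples satisfying a selection condition, e.g. dept='Research'."""
    return [r for r in rows if all(r[k] == v for k, v in conditions.items())]


def stat_query(rows, func, attr, **conditions):
    """Apply a statistical function to a population, refusing when the population
    has fewer than MIN_POPULATION tuples or leaves fewer than MIN_POPULATION
    tuples outside it (its complement would otherwise single out individuals)."""
    pop = population(rows, **conditions)
    if not MIN_POPULATION <= len(pop) <= len(rows) - MIN_POPULATION:
        raise QueryRefused(f"population of size {len(pop)} not released")
    values = [r[attr] for r in pop]
    return STAT_FUNCTIONS[func](values)


def safe_query(rows, func, attr, **conditions):
    """Wrapper returning ('ok', value) or ('refused', reason) for callers."""
    try:
        return "ok", stat_query(rows, func, attr, **conditions)
    except QueryRefused as exc:
        return "refused", str(exc)


if __name__ == "__main__":
    print(safe_query(EMPLOYEE, "avg", "salary", dept="Research"))
    print(safe_query(EMPLOYEE, "avg", "salary", dept="HQ"))            # one person
    print(safe_query(EMPLOYEE, "max", "salary", dept="Research", sex="F"))
```

A size check alone is not a complete defence (combinations of overlapping populations can still narrow down an individual, which is why the literature adds controls such as limiting overlap or perturbing results), but it is the first control any statistical interface should carry, and it is cheap to apply on every query.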
Encryption and Public Key Infrastructures
Encryption is a means of maintaining secure data
in an insecure environment.
Encryption consists of applying an encryption
algorithm to data using some prespecified
encryption key.
The resulting data has to be decrypted using a
decryption key to recover the original data.
The Data and Advanced Encryption Standards
The Data Encryption Standard (DES) is a system
developed by the U.S. government for use by the
general public.
It has been widely accepted as a cryptographic
standard both in the United States and abroad.
DES can provide end-to-end encryption on the
channel between the sender A and receiver B.
The Data and Advanced Encryption Standards (2)
The DES algorithm is a careful and complex combination
of two of the fundamental building blocks of
encryption:
substitution and permutation (transposition).
The DES algorithm derives its strength from
repeated application of these two techniques for a
total of 16 cycles.
Plaintext (the original form of the message) is
encrypted as blocks of 64 bits.
The Data and Advanced Encryption Standards (3)
After questioning the adequacy of DES, the National
Institute of Standards (NIST) introduced the
Advanced Encryption Standard (AES).
This algorithm has a block size of 128 bits and thus
takes a longer time to crack.
Public Key Encryption
In 1976 Diffie and Hellman proposed a new kind of
cryptosystem, which they called public key encryption.
Public key algorithms are based on mathematical
functions rather than operations on bit patterns.
They also involve the use of two separate keys
in contrast to conventional encryption, which uses only one key.
The use of two keys can have profound consequences in the
areas of confidentiality, key distribution, and authentication.
Public Key Encryption (2)
The two keys used for public key encryption are
referred to as the public key and the private key.
The private key is kept secret, but it is referred to as
a private key rather than a secret key (the term used in
conventional encryption) to avoid confusion with
conventional encryption.
Public Key Encryption (3)
A public key encryption scheme, or infrastructure, has six
ingredients:
Plaintext: This is the data or readable message that is fed into
the algorithm as input.
Encryption algorithm: The encryption algorithm performs
various transformations on the plaintext.
Public and private keys: These are a pair of keys that have
been selected so that if one is used for encryption, the other is
used for decryption.
The exact transformations performed by the encryption algorithm
depend on the public or private key that is provided as input.
Public Key Encryption (4)
A public key encryption scheme, or infrastructure, has six
ingredients (contd.):
Ciphertext:
This is the scrambled message produced as output. It depends on
the plaintext and the key.
For a given message, two different keys will produce two different
ciphertexts.
Decryption algorithm:
This algorithm accepts the ciphertext and the matching key and
produces the original plaintext.
Public Key Encryption (5)
The public key is made public, and the private key is
known only to its owner.
A general-purpose public key cryptographic
algorithm relies on
one key for encryption and
a different but related key for decryption.
Public Key Encryption (6)
The essential steps are as follows:
1. Each user generates a pair of keys to be used for the
encryption and decryption of messages.
2. Each user places one of the two keys in a public register or
other accessible file. This is the public key. The companion
key is kept private (private key).
3. If a sender wishes to send a private message to a receiver,
the sender encrypts the message using the receiver's public
key.
4. When the receiver receives the message, he or she decrypts
it using the receiver's private key.
No other recipient can decrypt the message because only the
receiver knows his or her private key.
Public Key Encryption (7)
Public Key Encryption (8)
The RSA public key encryption algorithm, one of
the first public key schemes, was introduced in 1978
by Ron Rivest (R), Adi Shamir (S), and Len Adleman
(A) at MIT and is named after them.
The RSA encryption algorithm incorporates results
from number theory, such as the difficulty of
determining the large prime factors of a large number.
The RSA algorithm also operates with modular
arithmetic mod n, where n is the product of two
large prime numbers.
Public Key Encryption (9)
Two keys, d and e, are used for decryption and encryption.
An important property is that d and e can be interchanged.
n is chosen as a large integer that is a product of two large distinct
prime numbers, a and b.
The encryption key e is a randomly chosen number between 1 and n
that is relatively prime to (a-1) × (b-1).
The plaintext block P is encrypted as P^e mod n.
Because the exponentiation is performed mod n, factoring P^e to
uncover the encrypted plaintext is difficult.
However, the decryption key d is carefully chosen so that
(P^e)^d mod n = P.
The decryption key d can be computed from the condition that
d × e ≡ 1 (mod (a-1) × (b-1)).
Thus, the legitimate receiver who knows d simply computes
(P^e)^d mod n = P and recovers P without having to factor P^e.
Digital Signatures
A digital signature is an example of using encryption
techniques to provide authentication services in e-
commerce applications.
A digital signature is a means of associating a mark
unique to an individual with a body of text.
The mark should be unforgeable, meaning that others
should be able to check that the signature does come
from the originator.
A digital signature consists of a string of symbols.
Signature must be different for each use.
This can be achieved by making each digital signature a function of the
message that it is signing, together with a time stamp.
Public key techniques are the means of creating digital signatures.
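The RSA key computation from the Public Key Encryption (9) slide, carried through with the slide's symbols, together with a digital signature built the way the Digital Signatures slide describes (a function of the message and a time stamp, produced with the private key), as one added example that is not part of the lecture. The primes a = 61 and b = 53 and e = 17 are textbook-sized values chosen so the numbers can be followed by hand; real keys use primes hundreds of digits long. The hash-and-reduce step in the signature, SHA-256 taken mod n, is a toy stand-in for the padding a real signature scheme applies, and the function names are this example's own.

```python
# Added example, not from the lecture: RSA key generation, encryption and
# decryption with the slides' symbols (a, b, n, e, d, P), and a toy digital
# signature over message plus time stamp. a = 61, b = 53, e = 17 are
# constructed illustration values, far too small for real use.
import hashlib


def modinv(e, m):
    """Extended Euclid: return d with d * e ≡ 1 (mod m)."""
    r0, r1, t0, t1 = m, e, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("e is not relatively prime to (a-1)(b-1)")
    return t0 % m


def make_keys(a, b, e):
    """n = a*b; e must be relatively prime to (a-1)(b-1); d is e's inverse
    mod (a-1)(b-1). Returns the public key (e, n) and the private key (d, n)."""
    n = a * b
    d = modinv(e, (a - 1) * (b - 1))
    return (e, n), (d, n)


def encrypt(P, public):
    e, n = public
    return pow(P, e, n)            # P^e mod n


def decrypt(C, private):
    d, n = private
    return pow(C, d, n)            # (P^e)^d mod n = P


def keys_interchangeable(P, public, private):
    """The slide's remark that d and e can be swapped: applying d first and
    then e also recovers P, which is exactly what signing relies on."""
    e, n = public
    d, _ = private
    return pow(pow(P, d, n), e, n) == P


def _digest(message, timestamp, n):
    """Hash message and time stamp together; reduce mod n so it fits (toy step)."""
    h = hashlib.sha256(f"{timestamp}|{message}".encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(message, timestamp, private):
    """Signature = (hash of message and time stamp)^d mod n: only the holder of d
    can produce it, and it differs for every message and time stamp."""
    d, n = private
    return pow(_digest(message, timestamp, n), d, n)


def verify(message, timestamp, signature, public):
    """Anyone holding the public key checks signature^e mod n == hash."""
    e, n = public
    return pow(signature, e, n) == _digest(message, timestamp, n)


if __name__ == "__main__":
    public, private = make_keys(61, 53, 17)       # constructed small primes
    print("keys:", public, private)               # (17, 3233) (2753, 3233)
    C = encrypt(65, public)
    print("P=65 ->", C, "->", decrypt(C, private))
    ts = "2024-03-01T12:00:00"                    # constructed time stamp
    sig = sign("transfer 100", ts, private)
    print("valid:", verify("transfer 100", ts, sig, public))
    print("tampered message valid:", verify("transfer 900", ts, sig, public))
```

The same pair of exponentiations serves both uses on the slides: encrypt with the receiver's public key and decrypt with the private key for confidentiality, or apply the private key to a digest and check it with the public key for a signature. Including the time stamp in the digest is what makes each signature different per use, as the Digital Signatures slide requires.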
Digital Signatures (2)
Using a digital signature to validate data integrity