Published on

Navate Database Management system

  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 2. <ul><li>Database Security </li></ul><ul><li>And </li></ul><ul><li>Authorization </li></ul>Chapter 23
  2. 3. <ul><li>Introduction to Database Security Issues </li></ul><ul><li>Discretionary Access Control Based on Granting and Revoking Privileges </li></ul><ul><li>Mandatory Access Control and Role-Based Access Control for Multilevel Security </li></ul><ul><li>Introduction to Statistical Database Security </li></ul><ul><li>Introduction to Flow Control </li></ul><ul><li>Encryption and Public Key Infrastructures </li></ul>Chapter Outline
  3. 4. <ul><li>Database security considers the following types of security: </li></ul><ul><ul><li>Legal and ethical issues regarding the right to access certain information </li></ul></ul><ul><ul><li>Policy issues (e.g., personal medical records should not be made public). </li></ul></ul><ul><ul><li>System-related issues (e.g., whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level). </li></ul></ul><ul><ul><li>Classification of security levels (e.g., top secret, secret, confidential, and unclassified). </li></ul></ul>Database Security Issues
  4. 5. <ul><li>A DBMS includes a database security and authorization subsystem . </li></ul><ul><li>Two types of database security mechanisms: </li></ul><ul><ul><li>Discretionary security mechanism: these are used to grant privilege to users (e.g., the capability to access specific data files, records, or fields). </li></ul></ul><ul><ul><li>Mandatory security mechanism: these are used to enforce multilevel security by classifying the data and users into various security classes. </li></ul></ul><ul><li>A common security problem is that of preventing unauthorized persons from accessing the system itself. </li></ul>Database Security Issues
  5. 6. <ul><li>Threats to Databases: </li></ul><ul><ul><li>Loss of integrity: information must be protected from improper modification. </li></ul></ul><ul><ul><li>Loss of availability: information must be available to users/programs to which they have a legitimate right. </li></ul></ul><ul><ul><li>Loss of confidentiality: information must be protected from unauthorized disclosure. </li></ul></ul><ul><li>Protection of databases against the above threats can be achieved by employing: access control, flow control, inference control, and encryption. </li></ul>Database Security Issues
  6. 7. <ul><li>The DBA is responsible for the overall security of the database system. </li></ul><ul><li>The DBA has a DBA account in the DBMS, which can be used to perform the following types of actions (not available to regular users): </li></ul><ul><ul><li>Account creation: creates a new account and password for a user or a group of users. </li></ul></ul><ul><ul><li>Privilege granting: permits the DBA to grant certain privileges to certain accounts. </li></ul></ul><ul><ul><li>Privilege revocation: permits the DBA to revoke (cancel) certain privilege that were previously given to certain accounts. </li></ul></ul><ul><ul><li>Security level assignment: assigning user accounts to the appropriate security classification level. </li></ul></ul>Database Security and the DBA
  7. 8. <ul><li>In order to access the system, users must obtain (from the DBA) a user-name and a password . </li></ul><ul><li>The user must log in to the DBMS whenever database access is needed. </li></ul><ul><li>The DBMS keeps track of all operations on the database that are applied by a certain user. If any tampering with the database is suspected, a database audit is performed. </li></ul><ul><li>A database log that is used mainly for security purposes is sometimes called an audit trail . </li></ul>Access Protection and Database Audits
  8. 9. <ul><li>This mechanism is based on granting and revoking of privileges . </li></ul><ul><li>There are two levels for assigning privileges: </li></ul><ul><ul><li>The account level: the DBA specifies the particular privileges that each account holds independently of the relations in the database (CREATE TABLE, CREATE VIEW, DROP, and ALTER). </li></ul></ul><ul><ul><li>The relation/table level: the DBA can control the privilege to access each individual relation or view in the database. </li></ul></ul>Discretionary Access Control
  9. 10. <ul><li>To control the granting and revoking of relation privileges, each relation R in a database is assigned an owner account . </li></ul><ul><li>In SQL the following types of privileges can be granted on each individual relation R: </li></ul><ul><ul><li>SELECT privilege: Gives the account retrieval privilege </li></ul></ul><ul><ul><li>Modify privilege: Gives the account the capability to modify tuples of R. </li></ul></ul><ul><ul><li>References privilege: Gives the account the capability to reference relation R. </li></ul></ul>Discretionary Access Control
  10. 11. <ul><li>The mechanism of VIEWS is an important discretionary authorization mechanism. </li></ul><ul><li>Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION. </li></ul><ul><li>The GRANT OPTION enables the propagation of privileges (e.g., user B can propagate the privilege to other accounts without the knowledge of the user A) </li></ul>Discretionary Access Control
  11. 12. <ul><li>An Example: Suppose that the DBA creates four accounts (A1, A2, A3, and A4), and issues </li></ul><ul><li>GRANT CREATETAB TO A1; </li></ul><ul><li>Now A1 can create tables. Let A1 creates the two base relations EMPLOYEE and DEPARTMENT. </li></ul>Discretionary Access Control
  12. 13. <ul><li>Next, A1 can issue </li></ul><ul><li>GRANT INSERT, DELETE, ON EMPLOYEE, DEPARTMENT TO A2; </li></ul><ul><li>Now A2 can perform insert/delete operation on these two tables, but cannot propagate these privileges. </li></ul><ul><li>Next, suppose that A1 issues </li></ul><ul><li>GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION ; </li></ul><ul><li>Now A3 can issue </li></ul><ul><li>GRANT SELECT ON EMPLOYEE TO A4; </li></ul>Discretionary Access Control
  13. 14. <ul><li>Now suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3, </li></ul><ul><li>REVOKE SELECT ON EMPLOYEE FROM A3; </li></ul><ul><li>The DBMS now automatically revokes the SELECT privilege on EMPLOYEE from A4, too. </li></ul><ul><li>Next, suppose A1 wants to give A3 a limited capability to SELECT from EMPLOYEE relation. </li></ul><ul><li>The limitation is to retrieve only the NAME, BDATE, and ADDRESS attributes and only for the tuples with DNO=5. </li></ul>Discretionary Access Control
  14. 15. <ul><li>Hence, A1 creates the following view: </li></ul><ul><li>CREATE VIEW A3EMPLOYEE AS </li></ul><ul><li>SELECT NAME, BDATE, ADDRESS </li></ul><ul><li>FROM EMPLOYEE </li></ul><ul><li>WHERE DNO = 5; </li></ul><ul><li>After the view is created, A1 issues </li></ul><ul><li>GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION; </li></ul><ul><li>Finally, suppose A1 wants to allow A4 to update only the SALARY attribute from EMPLOYEE; </li></ul><ul><li>GRANT UPDATE ON EMPLOYEE (SALARY) TO A4; </li></ul>Discretionary Access Control
  15. 16. <ul><li>This mechanism provides multilevel security which is desirable in government, military, and intelligence applications. </li></ul><ul><li>Typical security classes are: </li></ul><ul><ul><li>Top secret (TS) </li></ul></ul><ul><ul><li>Secret (S), </li></ul></ul><ul><ul><li>Confidential (C), and </li></ul></ul><ul><ul><li>Unclassified (U). </li></ul></ul><ul><ul><li>Where TS ≥ S ≥ C ≥ U. </li></ul></ul>Mandatory Access Control
  16. 17. <ul><li>A commonly used model for multilevel security, known as the Bell-Lapadual model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classes TS, S, C, or U. </li></ul><ul><li>Two restricyions on data access based on the subject/object (S/O) classifications are: </li></ul><ul><ul><li>A subject S is not allowed read access to an object O unless class (S) ≥ class (O). This is known as the simple security property. </li></ul></ul><ul><ul><li>A subject S is not allowed to write an object O unless class (S) ≤ class (O). This is known as the star property (or *-property). </li></ul></ul>Mandatory Access Control
  17. 18. <ul><li>Incorporation of multilevel security notions with relational databases requires that each attribute A be associated with a classification attribute C in the schema. In some relational models, a tuple classification attribute TC is added to the relation attributes. Hence a multilevel relation schema R would be represented as: </li></ul><ul><li> R(A 1 ,C 1 ,A 2 ,C 2 , … A n , C n , TC) </li></ul><ul><li>The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation. </li></ul>Mandatory Access Control
  18. 19. <ul><li>It is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower classification level through a process known as filtering . </li></ul><ul><li>Sometimes, it is necessary to store two or more tuples at different classification levels with the same value for the apparent key. </li></ul><ul><li>This leads to the concept of polyinstantiation , where several tuples can have the same apparent key value but have different attribute values for users at different classification levels. </li></ul>Mandatory Access Control
  19. 20. <ul><li>FIGURE 23.2 </li></ul><ul><li>A multilevel relation to </li></ul><ul><li>illustrate </li></ul><ul><li>multilevel security. </li></ul><ul><li>The original </li></ul><ul><li>EMPLOYEE tuples. </li></ul><ul><li>(b) Appearance of </li></ul><ul><li>EMPLOYEE after </li></ul><ul><li>filtering for </li></ul><ul><li>classification C users. </li></ul><ul><li>(c) Appearance of </li></ul><ul><li>EMPLOYEE after </li></ul><ul><li>filtering for classification </li></ul><ul><li>U users. </li></ul><ul><li>(d) Polyinstantiation of </li></ul><ul><li>the Smith tuple: A C </li></ul><ul><li>user updates </li></ul><ul><li>JobPerformance </li></ul><ul><li>to Excellent </li></ul>Mandatory Access Control
  20. 21. <ul><li>Role-based access control (RBAC) is a technology for managing an enforcing security in large-scale enterprisewide systems. </li></ul><ul><li>Permissions are associated with roles, and users are assigned to appropriate roles. </li></ul><ul><li>Roles can be created using the CREATE ROLE and DESTROY ROLE commands ( GRANT and REVOKE commands can then be used to assign and revoke privileges from roles.) </li></ul>Role-Based Access Control
  21. 22. <ul><li>A statistical database may contain confidential data on individuals, but users are permitted to retrieve statistical information on the population. </li></ul><ul><li>A population is a set of tuples of a relation that satisfy some selection condition. </li></ul><ul><li>Statistical database security techniques must prevent the retrieval of individual data. </li></ul><ul><li>In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries ― this must be prevented by the statistical database security mechanism. </li></ul>Statistical Databases Security
  22. 23. <ul><li>FIGURE 23.3 </li></ul><ul><li>The PERSON relation schema for illustrating statistical database security. </li></ul>Statistical Database Security <ul><li>An example: </li></ul><ul><li>Q1: SELECT COUNT (*) FROM PERSON </li></ul><ul><li>WHERE <CONDITION>; </li></ul><ul><li>Q2: SELECT AVG (INCOME) FROM PERSON </li></ul><ul><li>WHERE <CONDITION>; </li></ul><ul><li>Now suppose that we know ‘Jane Smith’ is the only female that has a Ph.D. degree and lives in Bellaire, Texas. So, the following query returns her salary: </li></ul><ul><li>Q3: SELECT AVG (INCOME) FROM PERSON </li></ul><ul><li>WHERE LAST_DEGREE = ‘Ph.D.’ AND Sex = ‘F’ AND </li></ul><ul><li>CITY = ‘Bellaire’ AND STATE = Texas’; </li></ul>
  23. 24. <ul><li>A flow between object X and object Y occurs when a program reads values from X and writes values into Y. </li></ul><ul><li>Flow controls must prevent any information leakage (a user cannot get indirectly in Y what s/he cannot get directly from X). </li></ul><ul><li>A flow policy specifies the channels along which information is allowed to move. It specifies two classes of information: confidential (C) and nonconfidential (N), and allows all flows except those from class C to class N. </li></ul>Introduction To Flow Control
  24. 25. <ul><li>A covert channel allows a transfer of information that violates the security or the policy, that is, it allows information to pass from a higher classification level to a lower classification level through improper means. </li></ul><ul><li>Covert channels can be classified into: </li></ul><ul><ul><li>Timing channels: the information is conveyed by the timing of events or processes Example: influence system load -> time task execution </li></ul></ul><ul><ul><li>Storage channels: information conveyed through variables and attributes other than time Example: cause resource exhaustion ->request resources </li></ul></ul>Introduction To Flow Control
  25. 26. <ul><li>Encryption consists of applying an encryption algorithm to data using some prespecified encryption key . The resulting data ( cryptogram ) has to be decrypted using a decryption key to recover the original data. </li></ul><ul><li>Cryptographic algorithms can be classified into tow main categories: </li></ul><ul><ul><li>Private key (symmetric) algorithms: knowledge of one of the encryption/decryption keys is sufficient to learn the other key. </li></ul></ul><ul><ul><li>Public key (asymmetric) algorithms: knowledge of one of the encryption/decryption keys gives no idea about the other key. </li></ul></ul>Encryption and Public Key Infrastructures
  26. 27. <ul><li>A public key algorithm has six ingredients: </li></ul><ul><ul><li>Plaintext: the data or readable message, </li></ul></ul><ul><ul><li>Encryption algorithm: performs transformation on the plaintext and generates the ciphertext, </li></ul></ul><ul><ul><li>Public key: one of the keys (encryption key) which is made public (applies to encryption algorithm), </li></ul></ul><ul><ul><li>Private/secret key: the other key (decryption key), which is kept secure (applies to decryption algorithm), </li></ul></ul><ul><ul><li>Ciphertext: the scrambled message produced as output of the encryption algorithm, </li></ul></ul><ul><ul><li>Decryption algorithm: accepts the ciphertext and and the decryption key and produces the original plaintext. </li></ul></ul>Encryption and Public Key Infrastructures
  27. 28. <ul><li>The RSA public key system introduced in 1978. It operates with modular arithmetic mode n , </li></ul><ul><li>n = p * q </li></ul><ul><li>where p and q are large and distinct primes. </li></ul><ul><li>The encryption key, e , is chosen such that </li></ul><ul><li>gcd (e,  (n)) = 1 </li></ul><ul><li>where  (n) = (p-1) * (q-1). </li></ul><ul><li>The decryption key, d , then is calculated such that </li></ul><ul><li>e * d = 1 mod  (n) </li></ul><ul><ul><li>The owner of the system makes (e, n) public, but keeps d secret (destroys p and q). </li></ul></ul>Encryption and Public Key Infrastructures
  28. 29. <ul><li>Encryption of the message, M, is possible by anyone who knows the public key, e,: </li></ul><ul><li>C = M e mod n </li></ul><ul><li>Decryption of the ciphertext, C, requires to knowledge of the secret key, d,: </li></ul><ul><li>M = C d mod n </li></ul><ul><li>The owner of the private key can sign a message M, </li></ul><ul><li>S = M d mod n </li></ul><ul><li>S is the digital signature of the owner of the system (nobody can generate this, since they do not know d), but everybody can verify that this is the signature of message M, using S and e, as: </li></ul><ul><li>S e = M mod n </li></ul>Encryption and Public Key Infrastructures