Database Security

7. Database Security

The data stored in the database need to be protected from unauthorized access, malicious destruction and alteration of data. To protect the database, we must take security measures at several levels.

v  Physical : The site or sites containing the computer systems must be physically secured against armed or surreptitious entry by intruders.

v Human: Users must be authorized carefully to reduce the chance of any such user giving access to an intruder in exchange for a bribe of other favours.

v Operating System: No matter how secure the database system is, Weakness in operating system security may serve as a means of unauthorized access to the database.

v Network: Since most all database systems allow remote access through terminals or networks, software level security within the network software is as important as physical security, both the internet and in networks private to an enterprise.

v Database System: Some database system users may be authorized to access only a limited portion of the database. Other users may be allowed to issue queries, but may be forbidden to modify the data.

 

7.1 SQL Access for database Security

Database Security and the DBA

The database administrator (DBA) is the central authority for managing a database system. The DBA's responsibilities include granting privileges to users who need to Use the system and classifying users and data in accordance with the policy of the organization. The DBA has a DBA account in the DBMS, sometimes called a system or superuser account, which provides powerful capabilities that are not made available to regular database accounts and users. DBA privileged commands include commands for granting and revoking privileges to individual accounts, users, or user groups and for performing the following types of actions:

1.         Account creation: This action creates a new account and password for a user or a group of users to enable them to access the DBMS.

2.         Privilege granting: This action permits the DBA to grant certain privileges to certain accounts.

3.         Privilege revocation: This action permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.

4.         Security level assignment: This action consists of assigning user accounts to the appropriate security classification level.

The DBA is responsible for the overall security of the database system.

GRANT and REVOKE

The view mechanism allows the database to be conceptually divided up into pieces in var­ious ways so that sensitive information can be hidden from unauthorized users. However, it does not allow for the specification of the operations that authorized users are allowed to execute against those pieces is performed by the GRANT statement.

Note first that the creator of any object is automatically granted all privileges that make sense for that object. For example, the creator of a base table T is automatically granted the SELECT, INSERT, UPDATE, DELETE, and REFERENCES privileges on T

The SQL commands used by DBA for security are as follows.

Creating user:

Create user supriya identified by s;

This sql commands creates user supriya whose password is s. The privileges which can be granted to supriya by DBA on any table employee (suppose the table employee is already created) are SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER and REFERENCE.

The privileges can be granted by DBA to user supriya as follows.

Grant SELECT on employee to supriya;

Similarly INSERT,UPDATE,DELETE,INDEX,ALTER and REFERENCE can be granted to any user.

Grant all on employee to supriya;

Grant SELECT,UPDATE on employee to supriya;

The REFERENCE Privilege allows the grantee to create integrity constraints that reference that table.

Similarly the privileges can be revoked using revoke command as follows.

Revoke all on employee from supriya;

Revoke UPDATE on employee from supriya;

The current SQL standard supports discretionary access control only. Two more or less in­dependent SQL features are involved-the view mechanism, which  can be used to hide sensitive data from unauthorized users, and the authorization subsystem itself, which allows users having specific privileges selectively and dynamically to grant those privileges to other users, and subsequently to revoke those privileges, if de­sired. Both features are discussed below.

Views and Security

To illustrate the use of views for security purposes in SQL:

     CREATE VIEW LS AS

       SELECT S.S#, S.SNAME, S.STATUS S.CITY

       FROM S

       WHERE S,CITY = 'London' ;

The view defines the data over which authorization is to be granted. The granting it­self is done by means of the GRANT statement--e.g.:

GRANT SELECT, UPDATE , DELETE

ON LS

TO Dan, Misha ;

7.2 ACCESS CONTROL

The access to the database is controlled by defining user to the database, assigning passwords to each user, assigning access privileges such as read, write, delete privileges, by physical access control such as secured entrances, password protected workstations, voice recognition technology etc.  and by using DBMS utilities access control such as auditing and log file features. Some used access control methods are Discretionary and Mandatory control.

Discretionary Access Control Based on Granting/Revoking of Privileges

The typical method of  enforcing discretionary access control in a database system is based on the granting and revoking of privileges. Let us consider privileges in the context of a relational DBMS.

Informally there are two levels for assigning privileges to use the database system.

1.                     The account level: At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.

2.                     The relation( or table) level: At this level, we can control the privilege to access each individual relation or view in the database.

The privileges at the account levels include CREATE TABLE  to create table,  CREATE VIEW  to       create view, CREATE SYNONYM to create synonym and all the privileges are granted by DBA to individual user  or account.

The privileges at the relation levels include SELECT, UPDATE, REFERENCES, DELETE for particular relations and are granted by DBA.

 In SQL2, the DBA can assign an owner to a whole, schema by creating the schema and associating the appropriate authorization identifier with that schema using the CREATE SCHEMA command. The owner account holder can pass privileges on any of the owned relations to other users by granting privileges to their accounts. In SQL the following types of privileges can be granted on each individual relation R:­

n  SELECT (retrieval or read) privilege on R: Gives the account retrieval;  privilege In SQL this gives the account the privilege to use the SELECT statement to retrieve, tuples from R.

n  MODIFY privileges on R:. This gives the account the capability to modify tuples of R. In SQL this privilege is further divided into UPDATE, DELETE, and INSERT Privilege to apply the corresponding SQL command to R. In addition, both the INSERT and UPDATE privileges can specify that only certain attributes of R can be updated by the account.

n  REFERENCES privilege on R: This gives the account the capability to reference relation R when specifying integrity constraints. This privilege can also be restricted to          specific attributes of R.

Notice that to create a view the account must have SELECT privilege on all the involved in the view definition.

Specifying Privileges Using Views

The mechanism of views is an important discretionary authorization mechanism in its own right. For example, if the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only that ' attributes and then grant SELECT on V to B. The same applies to limiting B to retrieving only certain tuples of R; a view V can be created by defining the view by means of a query that selects only those tuples from R that A wants to allow B to access.

Revoking Privileges

In some cases it is desirable to grant some privilege to a user temporarily. For example, the owner of a relation may want to grant the SELECT privilege to a user for a specific task and then revoke that privilege once the task is completed. Hence, a mechanism for revoking privileges is needed. In SQL a REVOKE command is included for the purpose of canceling privileges.

Propagation of Privileges Using the GRANT OPTION

Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION. If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.

Specifying Limits on Propagation of Privileges

Techniques to limit the propagation of privileges have been developed, although they have not yet been implemented in most DBMSs and are not a part of SQL. Limiting hori­zontal propagation to an integer number i means that an account B given the GRANT OPTION can grant the privilege to at most i other accounts. Vertical propagation is more complicated; it limits the depth of the granting of privileges. Granting a privilege with vertical propagation of zero is equivalent to granting the privilege with no GRANT OPTION. If account A grants a privilege to account B with vertical propagation set to an integer number j > 0, this means that the account B has the GRANT OPTION on that priv­ilege, but B can grant the privilege to other accounts only with a vertical propagation less than j. In effect, vertical propagation limits the sequence of grant options that can be given from one account to the next based on a single original grant of the privilege.

Mandatory Access Control for Multilevel Security

The discretionary access control technique of granting and revoking privileges on rela­tions has traditionally been the main security mechanism for relational database systems. This is an all-or-nothing method: a user either has or does not have a certain privilege. In many applications, an additional security policy is needed that classifies data and users based on security classes. This approach-known as mandatory access control-would typi­cally be combined with the discretionary access control mechanisms. It is important to note that most commercial DBMSs currently provide mechanisms only for discretionary access control. However, the need for multilevel security exists in government, military, and intelligence applications, as well as in many industrial and cor­porate application.

Typical security classes are top secret (TS), secret (S), confidential (C), and unclas­sified (U), where TS is the highest level and U the lowest Other more complex security classification schemes exist, in which the security classes are organized in a lattice. For simplicity,  four security classification levels, where TS ³ S ³ C ³ U are used in the system. The commonly used model for multilevel security known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U. We will refer to the clearance (classification) of a subject S as class (S) and to the classification of an object O as class (O). Two restrictions are enforced on data access based on the subject/object classifications:               '

1.         A subject S is not allowed read access to an object O unless class(S) ³ class(O).

             This is known as the simple security property.

2.         A subject S is not allowed to write an object O unless class(S) £ class(O). This is, known as the *property (or star property).

The first restriction is intuitive and enforces the obvious rule that no subject can read an object whose security classification is higher than the subject's security clearance. The second restriction is less intuitive. It prohibits a subject from writing an object at a lower security classification than the subject's security clearance. Violation of this rule would allow information to flow from higher to lower classifications, which violates a basic tenet of multilevel security. For example, a user (subject) with TS clearance may make a copy' of an object with classification TS and then write it back as a new object with classification U,  thus making it visible throughout the system.

To incorporate multilevel security notions into the relational database model, it is common to consider attribute values and tuples as data objects. Hence, each attribute A is associated with a classification attribute C in the schema, and each attribute value in a tuple is associated with a corresponding security classification,- In addition, in some mod­els, a tuple classification attribute TC is added to the relation attributes to provide a clas­sification for each tuple as a whole. Hence, a multilevel relation schema R with n attributes would be represented as

R(A₁, C₁, A₂, C₂, ..., A_n, C_n, TC)

   where each C_i represents the classification attribute associated with attribute A_i.

The value of the TC attribute in each tuple t-which is the highest of all attribute classification values within t-provides a general classification for the tuple itself, whereas each c_i provides a finer security classification for each attribute value within the tuple. The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation. A multilevel relation will appear to contain different data to subjects (users) with different clearance levels. In some cases, it is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower level classification through a process known as filter­ing. In other cases, it is necessary to store two or more tuples at different classification lev­els with the same value for the apparent key, This leads to the concept of poly­instantiation, where several tuples can have the same apparent key value but have dif­ferent attribute values for users at different classification levels.

Assume that the Name attribute is the apparent key, and consider the query  SELECT * FROM EMPLOYEE. A user with security clearance S would see the same relation shown below in fig.a, since all tuple classifications are less than or equal to S. However a user with security clearance C would not be allowed to see values for salary of Shyam and job performance for Ram as shown below in fig. b .

a.       EMPLOYEE

   Name                                    Salary                    JobPerformance                                                 TC

   Ram       U                             5000       C             Fair        S                                                              S

   Shyam  C                             5000       S              Good     C                                                             S

                                                   Fig. The original Employee tuples

b.       EMPLOYEE

   Name                                    Salary                    JobPerformance                                                 TC

   Ram       U                             5000       C             Null       C                                                             C

   Shyam  C                             null        C             Good     C                                                             C

                                                   Fig. Appearance of EMPLOYEE after filtering for classification C users

7.3 ENCRYPTION

Access control is only applied to the established avenues of access to the database. Clever people using clever instruments may be able to access the data by circumventing the controlled avenues of access. Also, innocent people who passively stumble upon an avenue of access may be unable to resist the temptation 'to look at and pet misuse the data so acquired. To counteract the possibility that either active or passive intruders obtain unauthorized access to sensitive data, it is desirable to obscure or hide the meaning of the data accessed.

Encryption is any sort of transformation applied to data (or text) prior to transmis­sion or prior to storage, which makes it more difficult to extract information content or meaning. Decryption is method of retrieving the original message(text) from the encrypted message. The word 'cryptography' comes from the Greek meaning 'hidden or secret. Cryptography includes both  encryption and decryption.

Encryption techniques complement access controls. Access controls are ineffective if

n  A user leaves a listing in the work area or in the trash.

n  Passwords are written down and found.

n  Offline backup files are stolen.

n  Confidential data is left in main memory after a job has completed.

n  Someone taps in on a communication line.

When a data system' is geographically dispersed, physical security measures be come less practical and less effective against intrusion because the system is more open and vulnerable to penetration at more points. If the computer system and all the sensitive data are maintained in a single, isolated environment into which a user must be admitted before access to data is permitted, little need for encryption exists. An increased need for encryption comes with the increased tendency for systems to reach out into the using environment and become 'more available to the users.

The basic encryption scheme is shown in Figure . Original plaintext is trans­formed by an encryption algorithm using an encryption key to produce ciphertext. An inverse decryption algorithm transforms the ciphertext using the same (or related) key to reconstruct the plaintext.

Figure  Basic Encryption/ Decryption System.

An encryption algorithm (T). transforms a sender's plaintext message (M) using a key (K) to produce ciphertext. Plaintext'is in a form recognizable by humans (or computers). The encrypted message or data can be transmitted through an insecure channel or stored in an insecure area since a potential intruder would only see a scrambled message. Using the same (or related) key, the decryption algorithm applies an in years transformation (T^-1) to the ciphertext to reconstruct the original message (M). Transmission of the key to the decryption must be kept secure, since knowing the decryption key and the encryption algorithm makes it easy to decrypt or decipher a message, thereby disclosing sensitive information.

In a database environment, encryption techniques can be applied to:

n  Transmitted data sent over communication lines between computer systems, or to and from remote terminals (1).

n  Stored data:

Ü  remote backup data on removable media (2)

Ü  active data on secondary storage devices (3)

Ü  tables and buffers in internal main memory (4)

The figure below indicates the points where encryption can be used to protect data from unauthorized access during transmission between the user and the system. With a remote database, encryption can be used to protect the stored data from unauthorized access.

Fig Encryption in a Database Environment.

Encryption techniques can be used in the transmission or storage of data. The stored data may be remote backup data on removable media, active (updated) data on secondary storage devices, or tables and buffers in internal memory. Sensitive data outside of secured area is more exposed to unauthorized disclosure and therefore encryption can contribute significantly to greater security.

Encryption methods can be classified according to:

1. The nature of the algorithm:

n  Transposition, or permutation in general.

n  Substitution, either mono-alphabetic or polyalphabetic.

n  Product, combining permutations and substitutions.

Cryptographic techniques have been widely used in military and government intel­ligence activities for centuries but due to the secretive nature of the subject.

The increased potential for more sophisticated encryption and cryptanalysis through the use of computers, coupled with the increased concern for data privacy, has generated a great surge of interest in the past decade or two. There has been substantial published literature on the use of encryption in computerized database systems. The U:S. Government has adopted a data encryption standard(DES).

 Choosing an encryption method depends upon the cost, what is available, and the level of user need. The object of any particular method is to raise the work factor high enough to discourage anyone from breaking the code. The cost of the chosen method must be commensurate with the level of risk and the degree of security desired. Even fairly modest and simple encryption methods can render transmitted messages and stored data secure from all but the most persistent penetrators.

Traditional Methods: Transposition and Substitution

Historically, transposition and substitution have been the two major classes of encryption techniques. They were applied manually to encrypt streams of text prior to transmission. Permutations and substitutions serve as the basis for some present-day computerized methods.

Transposition techniques permute the ordering of characters in the data stream according to some rule. For example, if the transposition pattern or rule is to transpose each consecutive pair of characters, the phrase

database

 would appear as

          ADATABES

obviously not very secure. An example of a general permutation would be to form blocks of, say, four characters and permute, 1234 to 3124. The phrase would now appear as:

TDAASBAE

With a correct guess of the length of the permutation block, only a few trials are needed to break the code.

Substitution techniques retain the relative position of the characters in the original plaintext but hide their identity in the ciphertext. By contrast, transposition techniques retain the identity of the original characters but change their position.

A simple example is the Caesar Cipher which substitutes the nth letter away from ..the plaintext character in the alphabet. This is applied 'modulo 27' (includes a blank), that is, if you count past the end of the alphabet, cycle back to the beginning. The plaintext message in Fig. was encrypted using a Caesar Cipher. The n is the key indicating the alphabet shift.

A general mono-alphabetic substitution cipher replaces characters in the plain­text with characters from some other alphabet, called a cipher alphabet, which be­comes the key. For example:

Plaintext alphabet:                       abcdefghijklmnopqrstuvwxyz

Ciphertext alphabet:                    GORDNCHALESZYXWVUTQPMKJIFB

Transforms the Plaintext:           database management system

Into the Ciphertext:                       DGPGOGQN YGXGHNYNXP QFQPNYQ

Assuming that the plaintext message is written in natural English using 26 letters, mono-alphabetic substutions are susceptible to frequency analysis of single let­ters, letter pairs, and reversals. The analysis is increasingly accurate for larger mes­sages the letter frequencies in the message would approach the 'characteristic letter frequencies for the language. In English the most frequently occurring letters are E,T,A,O,N,R,I,S,H. Some people can' even read such ciphertext directly Some com­puters have built-in machine instructions to perform substitutions between two alpha­bets (needed for A_CII-EBCDI_ code conversion), thus enabling faster exhaustive analysis of mono-alphabetic' substitutions.

Polyalphabetic substitution uses multiple alphabets cyclically according to some rule. Each character of the plaintext is replaced' with a character from a different Ciphertext alphabet, thereby obscuring the frequency characteristics of the characters in the plaintext alphabet.