International Journal of Computational Intelligence and Information Security, March 2014 Vol. 5, No. 2 ISSN: 1837-7823
Implementing I&A in Multilayer Checkpoints for DB Security
Nooruldeen Nasih Qader
University of Sulaimani, Computer Science Department nnq@yahoo.co.uk
Abstract
Multilayer Checkpoints for DB Security (MLC-DBS) is an application for protecting sensitive data. Databases (DB) have many vulnerabilities, yet people still have no choice but to keep their own data in DB systems, so securing DB systems remains a live area of research, both because of the significant role of DBs in modern life and because malicious techniques for cracking them keep progressing. Although many methods of I&A exist, the traditional method (e.g., the password) is still the most common because it is simple and familiar. On the other hand, users practice insecure behaviors when using passwords (PW). The PW is therefore considered the weakest link in an authentication mechanism, but it can be effective if selected intelligently and managed properly. We should therefore improve PW characteristics and combine the PW with other methods. A PW should be both easy to remember and difficult to guess, yet in practice most users do not understand the security issues involved. To obtain a secure system, information systems should help users apply techniques that improve their PWs. MLC-DBS differs from multilevel security for DBs: the former is general, while the latter is concerned only with the authorization layer. In most security systems, Identification and Authentication (I&A) form the first layer of defense. In this paper I apply two I&A methods in the I&A layer of MLC-DBS. The results show that the I&A method used is flexible and can be configured to the circumstances of the deployment. The strength of MLC-DBS is that it can be the best choice for securing certain kinds of DB (e.g., flash-memory DBs, small DBs, NoSQL DBs, serverless DBs).
Keywords: database, security, Identification, Authentication, Multilevel, Layer, Encryption, Password.
1. Introduction
MLC-DBS is an application for protecting sensitive data. DBs have many vulnerabilities, but people still have no choice but to keep their own data in DB systems, so securing DB systems has become an important issue. DB security remains a live area of research because of the significant role of DBs in modern life and the progress of malicious techniques for cracking them. Different approaches have been adopted to secure DBs; an MLC-DBS system may be the best choice under specific circumstances [9]. MLC-DBS differs from multilevel security for DBs both in its logical viewpoint and in its mechanism. MLC-DBS applies different security layers to prevent unauthorized users from accessing the DB, whereas multilevel security for DBs addresses the natural expectation that users at different levels should be able to use the same DB, each seeing only the data for which they hold appropriate authorization, with users of different authorizations sharing some data [17]. Multilevel security thus enforces a special arrangement between subjects and objects, and its working area is the authorization layer, while MLC-DBS uses general information security techniques and enforces layers to keep intruders out [2, 13, 18]. The established MLC-DBS comprises the following layers: I&A; encryption and decryption; digital signatures (i.e., digests) and data type validation, which are used to maintain DB integrity; audit trail; intrusion detection; notification; and DB backup. MLC-DBS also covers the creation and manipulation of the DB; the manipulations include encrypting and decrypting the data, the table names and the field names [9]. Although many forms of authentication exist today, the most common is the combination of a user ID (identification) and a password (authentication). A recent study shows that users practice insecure behaviors when using passwords (PW); therefore most systems force users to select strong PWs [4].
In this paper, we focus on the I&A layer, starting from diagrams that illustrate the design of the MLC-DBS system, including the general MLC-DBS diagram and the authentication diagram. Here I use two methods of authentication: the first I&A method is based on something the user knows (i.e., a PW); the second is based on something the user has, where the Serial Number (SN) of a USB flash memory and of the CPU are utilized (the SN of the BIOS, motherboard and hard disk could also be used). Once the authentication test procedure returns "authenticated user", the user is granted the access level that is extracted from the SN of the user's USB flash memory key. The rest of this paper is organized as follows. First I discuss Identification and Authentication (I&A) techniques and objectives. I then suggest techniques for improving PW characteristics and increasing PW entropy. Next I propose the design method and present the results in the context of MLC-DBS. Finally, I discuss conclusions and suggestions for future work.
2. Identification and Authentication (I&A)
I&A is the basic mechanism underlying authorization, confidentiality and auditing. In most security systems, I&A is the first line of defense: a technical measure that prevents unauthorized people (or unauthorized processes) from entering a computer system. I&A is a critical building block of computer security because it is the basis for most types of access control and for establishing user accountability, i.e., the means of identifying and tracing who has had access to the system, and to which data on it, so that they can be held accountable for their actions. Access control often requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which means granting users only those accesses required to perform their duties. User accountability requires linking activities on a computer system to specific individuals and therefore requires the system to identify users [2, 12].

Identification is the means by which a user provides a claimed identity to the system: the process by which a subject professes an identity, and the point at which accountability begins. A user providing a username, a logon ID, a Personal Identification Number (PIN) or a smart card is performing identification; so is a process providing a process ID number. Once a subject has identified itself, that identity is accountable for any further actions of the subject. Information Technology (IT) systems track activity by identities, not by the subjects themselves: a computer does not know one human from another, but it does know that your user account is different from all other user accounts.

Authentication is the means of establishing the validity of the provided identity. It is an attempt to prevent unauthorized use by requiring users to validate their authorization to access the system: the process of determining whether a user or entity is who they claim to be, by verifying or testing that the claimed identity is valid. It requires that the subject provide additional information that must correspond exactly to the claimed identity. Identification is a fairly straightforward concept. A subject must provide an identity to a system to start the authentication, authorization and accountability processes; providing an identity can be typing in a username, swiping a smart card, waving a token device, speaking a phrase, or positioning your face, hand or finger for a camera or scanning device. Without an identity, a system has no way to correlate an authentication factor with the subject. A subject's identity is typically considered public information. Authentication verifies the identity of the subject by comparing one or more factors against the DB of valid identities (i.e., user accounts). The authentication factor used to verify identity is typically considered private information, and the ability of the subject and the system to keep the authentication factors secret directly reflects the level of security of that system. I&A are always applied together as a single two-step process: providing an identity is step one and providing the authentication factor(s) is step two. Without both, a subject cannot gain access to a system; either element alone is not useful.

The primary objective of an authentication system is to prevent unauthorized users from gaining access to a private computer system. Much as with an ordinary door lock, authorized users are given a key to the system, keeping unauthorized users out. This does not mean, however, that unauthorized users are unable to gain access. It has become quite common for authorized users to be lax in protecting their access key, so that unauthorized users gain access by using another person's key and appearing to be an authorized user. This is possible because the system does not authenticate the identity of the user, only the identity that the key holder claims. Since the authentication system cannot verify the user's true identity, methods must be put in place to reduce the opportunity for an unauthorized user to pose as an authorized one. This is accomplished with one or more of the numerous authentication methods.
3. Authentication Methods
A computer system may employ different types of authentication methods; these methods can be used alone or in combination:
1. Something the individual knows (an information key, a secret): the user must provide specific information to access the system (e.g., a PW, a pass phrase, answers to a questionnaire, a PIN, or a cryptographic key).
2. Something the individual possesses (a physical key, a token): an object the user must have to access the system (e.g., a magnetic card, an ATM card or a smart card).
3. Something the individual is (a biometric): relies on the user's physical attributes to grant or deny access (e.g., voice pattern, handwriting dynamics, or a fingerprint) [3, 7, 14].
4. Something the individual does, such as writing a signature, typing a pass phrase (keyboard dynamics), or how a phrase is spoken. "Something you do" is often included in the "something you are" category.
5. Somewhere the individual is, such as a specific computer terminal, dialing in from a specific phone number identified by caller ID, or connecting from a specific country identified by IP address. "Somewhere you are" is often included in the "something you have" category.
Two-factor authentication occurs when two of the above factors are used together. For example, when cashing a check at a grocery store, the customer often has to provide a driver's license (something you have) and a phone number (something you know). Once the offered identity and the authentication factor(s) are provided to the system, they are checked against the DB of identities on the system. If the identity is found and the correct authentication factor(s) are provided, the subject is authenticated [1, 15].
4. I&A Based on Something the User Knows
The most common form of I&A is a user ID coupled with a PW. This technique is based solely on something the user knows. In general, PW systems work by requiring the user to enter a user ID and a PW (or pass phrase or PIN). The system compares the PW to the PW previously stored for that user ID; if they match, the user is authenticated and granted access [5]. PWs have successfully provided security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security. The security of a PW system depends on keeping the PW secret, and unfortunately there are many ways the secret may be divulged. The problems discussed below can be mitigated by improving PW security; however, there is no solution to the problem of electronic monitoring other than using more advanced authentication (e.g., based on cryptographic techniques or tokens) [6]. The PW is considered the weakest form of protection and is a poor security mechanism for several reasons, including the following:
1. Guessing or finding the PW: if users select their own PWs, they tend to make them easy to remember, which often makes them easy to guess; the names of people's children, pets or favorite sports teams are common examples. On the other hand, assigned PWs may be difficult to remember, so users are more likely to write them down. Another way of learning a PW is to observe someone entering it, either from the same room or from some distance away using binoculars. PWs can also be stolen by many means, including recording and playback and theft of the security DB. Short PWs can be discovered quickly by brute-force attacks.
2. Giving the PW away: users may share their PWs, for instance giving a PW to a co-worker in order to share files. PWs are also easily written down and forgotten.
3. Electronic monitoring: PWs are often transmitted in clear text or with easily broken encryption protocols. When a PW is transmitted to a computer system, it can be electronically monitored, either on the network used to transmit it or on the computer system itself. Simple encryption of a PW that will be used again does not solve this problem, because encrypting the same PW always creates the same cipher text; the cipher text effectively becomes the PW.
4. Accessing the PW file: PW databases are often stored in publicly accessible online locations. If the PW file is not protected by strong access controls, it can be downloaded. PW files are often protected with a one-way transformation (hashing, often described as one-way encryption) so that plain-text PWs are not available to system administrators or to hackers who bypass the access controls. Even so, brute force can be used to learn PWs once the file is downloaded (e.g., by hashing English words and comparing the results to the entries in the file).
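The attack in item 4, and what a per-user salt and an iterated hash change about it, as an added example that is not part of the paper. The three users, their PWs and the word list are constructed for the demonstration, the record format `algo$iterations$salt$digest` is an assumption, and the 100,000 PBKDF2 iterations are kept deliberately low so the demo runs quickly.

```python
"""Why an unsalted, deterministic one-way transform of a PW is weak, and what a
random per-user salt plus an iterated hash changes, shown against a constructed
"downloaded PW file".  Added example; not code from the paper."""
import hashlib
import hmac
import os

# Assumption for this demo only: a real deployment should use far more
# iterations (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000).
PBKDF2_ITERATIONS = 100_000


# --- Weak scheme: one unsalted hash, identical for every account ---------------
def weak_store(password: str) -> str:
    """Same PW -> same digest for every user, on every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- Hardened scheme: random per-user salt + iterated PBKDF2-HMAC-SHA256 -------
def strong_store(password: str, salt: bytes = None) -> str:
    """Record format (assumed here): algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# --- Attacker who downloaded the PW file and holds an English word list --------
def crack_weak(pw_file: dict, wordlist: list) -> tuple:
    """Hash every word once, then look every user up in that one table.
    Total work is len(wordlist), however many users the file holds."""
    table = {weak_store(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in pw_file.items() if h in table}
    return cracked, len(wordlist)


def crack_strong(pw_file: dict, wordlist: list) -> tuple:
    """A unique salt per user means the whole word list must be re-hashed for
    every account, so work is len(pw_file) * len(wordlist), each step as slow
    as the iteration count makes it.  (No early exit, to show the full cost.)"""
    cracked, work = {}, 0
    for user, stored in pw_file.items():
        for w in wordlist:
            work += 1
            if strong_verify(w, stored):
                cracked[user] = w
    return cracked, work


def demo() -> dict:
    # Constructed sample data: two users share a dictionary word, one does not.
    plaintexts = {"alice": "password", "bob": "password", "carol": "kJ8#vQ2!rT9m"}
    wordlist = ["letmein", "password", "qwerty", "dragon", "football", "baseball"]

    weak_file = {u: weak_store(p) for u, p in plaintexts.items()}
    strong_file = {u: strong_store(p) for u, p in plaintexts.items()}

    weak_cracked, weak_work = crack_weak(weak_file, wordlist)
    strong_cracked, strong_work = crack_strong(strong_file, wordlist)
    return {
        # Identical digests reveal that alice and bob chose the same PW before
        # any cracking is attempted; salted records reveal nothing of the sort.
        "weak_shared_digest": weak_file["alice"] == weak_file["bob"],
        "strong_shared_digest": strong_file["alice"] == strong_file["bob"],
        "weak_cracked": weak_cracked, "weak_work": weak_work,
        "strong_cracked": strong_cracked, "strong_work": strong_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both files give up alice and bob, because a dictionary word is a dictionary word whatever you hash it with; only carol, whose PW is in no word list, survives. What the salt buys is that the attacker's word list has to be hashed once per account rather than once for the whole file, and that two accounts with the same PW no longer have the same record, while the iteration count makes every one of those per-account guesses expensive. None of this helps against item 3: a captured PW, or a captured deterministic transform of it, can still be replayed, which is why that problem needs challenge-response or a token rather than better storage.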
5. I&A Based On Something the User Possesses
Physical keys are items that a user must have in their possession to access the system. Much like a key that is required to enter a locked room, a special key may be required to access a computer system or network. Along with a user name and PW, the user must present, or insert, their personal key to gain access. If the key and
