
CHAPTER ONE INTRODUCTION

Database security ensures that only authorized users can perform authorized activities at authorized times. Database security is the set of mechanisms that protect the database against intentional or accidental threats. A threat is any intentional or accidental event that may adversely affect the system.

Over the years, the database security community has developed a number of different techniques and approaches to assure data confidentiality, integrity and availability. However, despite such advances, the database security area faces several new challenges. Factors such as the evolution of computing paradigms (for example grid-based computing and on-demand business), new applications, the disintermediation of access to data and new security concerns have introduced both new security requirements and new contexts in which to apply and possibly extend current approaches.

CHAPTER TWO SECURITY ISSUES

There are three types of security issues.

1. Legal and ethical issues: these concern the right to access certain information. Some information may be deemed private and cannot legally be accessed by unauthorized persons.

2. Policy issues: policy at the governmental, institutional or corporate level as to what kinds of information should not be made publicly available, for example credit ratings and personal medical records.

3. System-related issues: for example, the system level at which each security function should be enforced, that is, whether it should be handled at the physical hardware level, the operating system level or the DBMS level.

CHAPTER THREE THREATS

A threat is any intentional or accidental event that may adversely affect the system. Threats can cause the loss or degradation of the commonly accepted security goals: integrity, availability and confidentiality.

1. Loss of integrity: database integrity refers to the requirement that information be protected from improper modification. Modification of data includes creation, insertion, updating, changing the status of data and deletion. Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts.

2. Loss of availability: database availability refers to making objects available to a human user or a program that has a legitimate right to them.

3. Loss of confidentiality: database confidentiality refers to the protection of data from unauthorized disclosure. Unauthorized, unanticipated or unintentional disclosure could result in loss of public confidence, embarrassment or legal action against the organization.

CHAPTER FOUR DATABASE SECURITY MECHANISMS

A database management system (DBMS) includes a database security and authorization subsystem that is responsible for protecting portions of a database against unauthorized access. There are two types of database security mechanisms.

1. Discretionary security mechanisms: these are used to grant privileges to users, including the capability to access specific data files, records or fields in a specified mode (such as read, insert, delete or update).

2. Mandatory security mechanisms: these are used to enforce multilevel security by classifying the data and the users into various security classes or levels and then implementing the appropriate security policy. Role-based security extends these mechanisms by enforcing policies and privileges on the concept of roles.

Fig 4.1: Multiple access control policies. DAC, MAC and RBAC are not mutually exclusive.

CHAPTER FIVE CONTROL MEASURES

Control measures are used to provide security for the data in a database. They must include provisions for restricting access to the database system as a whole, must prevent access to detailed confidential information about specific individuals held in statistical databases, must prevent information from flowing in such a way that it reaches unauthorized users through what are called covert channels, and must protect sensitive data that is transmitted over a communications network. Four control measures are used to provide security of data in databases:

1. Access control
2. Inference control
3. Flow control
4. Data encryption

1. Access control: the security mechanism of a DBMS must include provisions for restricting access to the database system as a whole, whether the intruder's goal is to obtain information or to make malicious changes to the database. This function is called access control, and the DBMS handles it by creating user accounts and passwords that control the login process. Passwords must be stored only in hashed form (with a per-account salt and a deliberately slow hash), never in clear text, and repeated failed logins should be rate-limited or lock the account.
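As an added example, not code from the page, here is a minimal account store that implements that login control the way a DBMS should: only a per-account salt and a PBKDF2 hash are kept, the comparison is constant-time, an unknown name costs the same to check as a known one, and repeated failures lock the account. The account names, passwords and work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor. 600_000 is an assumed production-style setting;
# the demo below lowers it only so that it runs quickly.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class AccountStore:
    """Stand-in for the DBMS account table used to control the login process.

    It keeps only (salt, digest) per account, never the password itself, and
    locks an account after too many consecutive failed logins."""

    def __init__(self, iterations=DEFAULT_ITERATIONS, max_failures=5):
        self.iterations = iterations
        self.max_failures = max_failures
        self._accounts = {}   # account name -> (salt, digest)
        self._failures = {}   # account name -> consecutive failed logins
        # Dummy record used when the name is unknown, so the verification costs the
        # same whether or not the account exists (no account enumeration via timing).
        self._dummy = hash_password("dummy", iterations=iterations)

    def create_account(self, name, password):
        if name in self._accounts:
            raise ValueError(f"account {name!r} already exists")
        self._accounts[name] = hash_password(password, iterations=self.iterations)
        self._failures[name] = 0

    def is_locked(self, name):
        return self._failures.get(name, 0) >= self.max_failures

    def login(self, name, password):
        """True only if the account exists, is not locked and the password matches."""
        salt, stored = self._accounts.get(name, self._dummy)
        _, candidate = hash_password(password, salt, self.iterations)
        matched = hmac.compare_digest(candidate, stored)   # constant-time comparison
        if name not in self._accounts or self.is_locked(name):
            return False
        if not matched:
            self._failures[name] += 1
            return False
        self._failures[name] = 0
        return True


if __name__ == "__main__":
    store = AccountStore(iterations=50_000)   # reduced cost for a quick demo run
    store.create_account("A1", "correct horse battery staple")   # constructed sample
    print(store.login("A1", "correct horse battery staple"))     # True
    print(store.login("A1", "wrong password"))                   # False
    print(store.login("nobody", "anything"))                     # False
```

The hash is always computed before the existence and lock checks so that the response time does not reveal which account names exist.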

2. Inference control: a security problem specific to statistical databases, which are used to provide statistical information or summaries of values (counts, sums, averages) based on various criteria. Inference control must ensure that information about individuals cannot be deduced from such summaries; restricting statistical queries to sufficiently large, and sufficiently different, populations of tuples is the usual countermeasure.
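An added example (not from the page) of inference control on a statistical database. It implements the two usual controls, a minimum (and maximum) query-set size and a check that successive query sets do not differ by too few records, and shows why the size limit alone is not enough: a differencing attack with two legitimate-looking aggregate queries isolates one person's salary. The employee table, the threshold k and the names are constructed for the illustration.

```python
from collections import namedtuple

Row = namedtuple("Row", "name dept salary")

# Constructed sample table (not from the page); the DB only ever answers aggregates over it.
EMPLOYEES = [
    Row("Alice", 5, 52000), Row("Bob", 5, 61000), Row("Carol", 5, 58000),
    Row("Heidi", 5, 64000), Row("Dan", 4, 49000), Row("Erin", 4, 75000),
    Row("Ivan", 4, 53000), Row("Frank", 3, 66000), Row("Grace", 3, 71000),
]


class StatisticalDB:
    """Exposes only COUNT, SUM and AVG over salaries, with two inference controls:

    * query-set-size restriction: the selected set must contain between k and N-k rows
      (a set of size 1 reveals a person; so does its complement of size N-1);
    * overlap control: a new query set may not differ from an already answered one by
      fewer than k rows, which is exactly what a differencing attack needs."""

    def __init__(self, rows, k=2, overlap_control=True):
        self.rows = rows
        self.k = k
        self.overlap_control = overlap_control
        self._answered = []   # query sets (frozensets of names) already answered

    def query(self, stat, predicate):
        selected = frozenset(r.name for r in self.rows if predicate(r))
        n, total = len(selected), len(self.rows)
        if not (self.k <= n <= total - self.k):
            raise PermissionError(f"query set size {n} not in [{self.k}, {total - self.k}]")
        if self.overlap_control:
            for earlier in self._answered:
                diff = len(selected ^ earlier)
                if 0 < diff < self.k:
                    raise PermissionError(f"query set differs from an earlier one by only {diff} row(s)")
        self._answered.append(selected)
        salaries = [r.salary for r in self.rows if r.name in selected]
        if stat == "count":
            return n
        if stat == "sum":
            return sum(salaries)
        if stat == "avg":
            return sum(salaries) / n
        raise ValueError(f"unsupported statistic {stat!r}")


def differencing_attack(db, target):
    """Try to recover one person's salary as SUM(dept) - SUM(dept without target).
    Returns the salary if both queries are answered, or None if one is refused."""
    dept = next(r.dept for r in db.rows if r.name == target)
    try:
        whole = db.query("sum", lambda r: r.dept == dept)
        rest = db.query("sum", lambda r: r.dept == dept and r.name != target)
    except PermissionError:
        return None
    return whole - rest


if __name__ == "__main__":
    size_only = StatisticalDB(EMPLOYEES, k=2, overlap_control=False)
    print(differencing_attack(size_only, "Bob"))   # 61000: the size limit alone is not enough
    guarded = StatisticalDB(EMPLOYEES, k=2)
    print(differencing_attack(guarded, "Bob"))     # None: the second query is refused
```

Both attack queries pass the size check (four and three rows), so only the overlap rule stops the leak; real systems combine such rules with query auditing or noise addition, since an attacker with enough queries can still build trackers.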

3. Flow control: another security issue is flow control, which prevents information from flowing in such a way that it reaches unauthorized users. Channels that are pathways for information to flow implicitly, in ways that violate the security policy of an organization, are called covert channels. A simple flow policy can be stated as: allow all flows of information except those from the confidential class (C) to the nonconfidential class (N).

4. Data encryption: a final security issue is data encryption, which is used to protect sensitive data (such as credit card numbers) that is being transmitted over some type of communications network. The data is encoded using an encryption algorithm in such a way that

o an unauthorized user who accesses the encoded data will have difficulty deciphering it, and
o authorized users are given the decryption algorithm (or key) to decipher the data.

The protection rests on keeping the key secret, not the algorithm, so key management (generation, distribution, rotation and storage) is part of the control measure.

CHAPTER SIX FUNCTION OF DBA

The database administrator (DBA) is the central authority for managing a database system. The DBA's responsibilities include:

o granting privileges to users who need to use the system;
o classifying users and data in accordance with the policy of the organization.

The DBA is responsible for the overall security of the database system. The DBA has a DBA account in the DBMS, sometimes called a system or superuser account. This account provides powerful capabilities:

1. Account creation: creates a new account and password for a user or a group of users to enable access to the DBMS.
2. Privilege granting: permits the DBA to grant certain privileges to certain accounts.
3. Privilege revocation: permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.
4. Security level assignment: assigns user accounts to the appropriate security classification level.

Action 1 is used to control access to the DBMS as a whole, whereas actions 2 and 3 are used to control discretionary database authorization and action 4 is used to control mandatory authorization. Because the DBA account can do all of this, it should be used only for administration, protected by strong authentication, and its actions should be logged.

CHAPTER SEVEN TYPES OF ACCESS CONTROL

1. Discretionary Access Control (DAC): the typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges.

o Many current relational DBMSs use some variation of this technique.
o The main idea is to include statements in the query language that allow the DBA and selected users to grant and revoke privileges.

Types of discretionary privileges:

1. The account level: at this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.
2. The relation level (or table level): at this level, the DBA can control the privilege to access each individual relation or view in the database.

The privileges at the account level apply to the capabilities provided to the account itself and can include

o the CREATE SCHEMA or CREATE TABLE privilege, to create a schema or base relation;
o the CREATE VIEW privilege;
o the ALTER privilege, to apply schema changes such as adding or removing attributes from relations;
o the DROP privilege, to delete relations or views;
o the MODIFY privilege, to insert, delete or update tuples;
o the SELECT privilege, to retrieve information from the database by using a SELECT query.

The second level of privileges applies to the relation level; this includes base relations and virtual (view) relations. The granting and revoking of privileges generally follows an authorization model for discretionary privileges known as the access matrix model, where

o the rows of a matrix M represent subjects (users, accounts, programs);
o the columns represent objects (relations, records, columns, views, operations);
o each position M(i,j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j.

To control the granting and revoking of relation privileges, each relation R in a database is assigned an owner account, which is typically the account that was used when the relation was created in the first place.

o The owner of a relation is given all privileges on that relation.
o The DBA can assign an owner to a whole schema by creating the schema and associating the appropriate authorization identifier with that schema, using the CREATE SCHEMA command.
o The owner account holder can pass privileges on any of the owned relations to other users by granting privileges to their accounts.

In SQL the following types of privileges can be granted on each individual relation R:

o SELECT (retrieval or read) privilege on R: gives the account the privilege to use the SELECT statement to retrieve tuples from R.
o MODIFY privileges on R: give the account the capability to modify tuples of R. This privilege is further divided into UPDATE, DELETE and INSERT privileges to apply the corresponding SQL command to R. In addition, both the INSERT and UPDATE privileges can specify that only certain attributes can be inserted or updated by the account.
o REFERENCES privilege on R: gives the account the capability to reference relation R when specifying integrity constraints. The privilege can also be restricted to specific attributes of R.

Please notice that to create a view, the account must have the SELECT privilege on all relations involved in the view definition.


An example:

Suppose that the DBA creates five accounts A1, A2, A3, A4 and A5 and wants only A1 to be able to create base relations. The DBA must issue the following GRANT command:

GRANT CREATETAB TO A1;

(CREATETAB is not a standard SQL privilege; systems that support it use their own spelling.) The same effect can be accomplished by the DBA issuing a CREATE SCHEMA command as follows:

CREATE SCHEMA EXAMPLESCHEMA AUTHORIZATION A1;

User account A1 can now create tables under the schema called EXAMPLESCHEMA. Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT. A1 is then the owner of these two relations and hence holds all the relation privileges on each of them.

Suppose that A1 wants to grant A2 the privilege to insert and delete tuples in both of these relations, but does not want A2 to be able to propagate these privileges to additional accounts:

GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

Suppose that A1 wants to grant A5 the same privileges and does want A5 to be able to propagate them to additional accounts:

GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A5 WITH GRANT OPTION;

A5 can then propagate the acquired privileges to others.

Suppose that A1 wants to allow A3 to retrieve information from either of the two tables and also to be able to propagate the SELECT privilege to other accounts. A1 can issue:

GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing:

GRANT SELECT ON EMPLOYEE TO A4;

Please notice that A4 cannot propagate the SELECT privilege, because GRANT OPTION was not given to A4.

Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3. A1 can issue:

REVOKE SELECT ON EMPLOYEE FROM A3;

The DBMS must now automatically revoke the SELECT privilege on EMPLOYEE from A4 too, because A3 granted that privilege to A4 and A3 no longer holds it. In standard SQL this cascade has to be requested explicitly (REVOKE SELECT ON EMPLOYEE FROM A3 CASCADE); with RESTRICT the revoke is refused while dependent grants exist, so check which behaviour your DBMS applies by default.

Suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation and wants to allow A3 to be able to propagate the privilege. The limitation is to retrieve only the NAME, BDATE and ADDRESS attributes, and only for the tuples with DNO = 5. A1 then creates the view:

CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;

After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows:

GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;

Finally, suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE. A1 can issue:

GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;

The UPDATE or INSERT privilege can specify particular attributes that may be updated or inserted in a relation. Other privileges (SELECT, DELETE) are not attribute specific.
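To make the chain of grants and revocations above concrete, here is an added Python model of the grant graph (not code from the page or from any DBMS). It replays the A1..A5 scenario as the text describes it: owner privileges, WITH GRANT OPTION propagation, the attribute-restricted UPDATE on SALARY, the view rule, and a REVOKE that also removes A4's SELECT because A3 was its only source. Account and relation names are the page's; the grant-graph representation and the CASCADE semantics are assumptions of the example.

```python
class PrivilegeManager:
    """Relation-level DAC kept as a grant graph: owner, GRANT ... [WITH GRANT OPTION],
    attribute-restricted grants and cascading REVOKE."""

    def __init__(self):
        self.owners = {}   # relation or view -> owner account
        self.grants = []   # dicts: grantor, grantee, rel, priv, cols (None = all), grant_option

    def create_relation(self, owner, rel):
        self.owners[rel] = owner

    def create_view(self, creator, view, base_relations):
        # The page's rule: creating a view needs SELECT on every relation it is defined over.
        for base in base_relations:
            if not self.has(creator, base, "SELECT"):
                raise PermissionError(f"{creator} lacks SELECT on {base}")
        self.owners[view] = creator

    def has(self, account, rel, priv, column=None, need_grant_option=False):
        """Does `account` hold `priv` on `rel`, for one column or (column=None) the whole relation?"""
        if self.owners.get(rel) == account:
            return True
        for g in self.grants:
            if (g["grantee"], g["rel"], g["priv"]) != (account, rel, priv):
                continue
            if need_grant_option and not g["grant_option"]:
                continue
            if g["cols"] is not None and (column is None or column not in g["cols"]):
                continue   # an attribute-restricted grant covers neither the whole relation nor other columns
            return True
        return False

    def grant(self, grantor, grantee, rel, privs, cols=None, grant_option=False):
        scope = [None] if cols is None else list(cols)
        for priv in privs:
            if not all(self.has(grantor, rel, priv, c, need_grant_option=True) for c in scope):
                raise PermissionError(f"{grantor} cannot grant {priv} on {rel}")
            self.grants.append(dict(grantor=grantor, grantee=grantee, rel=rel,
                                    priv=priv, cols=cols, grant_option=grant_option))

    def revoke(self, revoker, grantee, rel, privs):
        """REVOKE ... CASCADE: drop the grants `revoker` made to `grantee`, then every grant
        anywhere that is no longer backed by a grant-option chain leading back to the owner."""
        self.grants = [g for g in self.grants
                       if not (g["grantor"] == revoker and g["grantee"] == grantee
                               and g["rel"] == rel and g["priv"] in privs)]
        self._prune_unbacked()

    def _backed(self, g, valid):
        if self.owners.get(g["rel"]) == g["grantor"]:
            return True
        for j in valid:
            h = self.grants[j]
            if ((h["grantee"], h["rel"], h["priv"]) == (g["grantor"], g["rel"], g["priv"])
                    and h["grant_option"]
                    and (h["cols"] is None or (g["cols"] is not None and set(g["cols"]) <= set(h["cols"])))):
                return True
        return False

    def _prune_unbacked(self):
        # Least fixed point from the owner outwards: a cycle of grants between two
        # accounts that both lost their source cannot keep itself alive.
        valid, changed = set(), True
        while changed:
            changed = False
            for i, g in enumerate(self.grants):
                if i not in valid and self._backed(g, valid):
                    valid.add(i)
                    changed = True
        self.grants = [g for i, g in enumerate(self.grants) if i in valid]

    def access_matrix(self):
        """Rows are accounts, columns are relations, cells are privilege names (owner: ALL)."""
        matrix = {}
        for rel, owner in self.owners.items():
            matrix.setdefault(owner, {})[rel] = {"ALL"}
        for g in self.grants:
            cell = matrix.setdefault(g["grantee"], {}).setdefault(g["rel"], set())
            cell.add(g["priv"] if g["cols"] is None else f"{g['priv']}({','.join(g['cols'])})")
        return matrix


def page_scenario():
    """Replays the A1..A5 example from the text and returns the manager for inspection."""
    pm = PrivilegeManager()
    for rel in ("EMPLOYEE", "DEPARTMENT"):
        pm.create_relation("A1", rel)                                      # A1 owns both
        pm.grant("A1", "A2", rel, ["INSERT", "DELETE"])                    # no grant option
        pm.grant("A1", "A5", rel, ["INSERT", "DELETE"], grant_option=True)
        pm.grant("A1", "A3", rel, ["SELECT"], grant_option=True)
    pm.grant("A3", "A4", "EMPLOYEE", ["SELECT"])                           # A4 cannot pass it on
    pm.revoke("A1", "A3", "EMPLOYEE", ["SELECT"])                          # cascades to A4
    pm.create_view("A1", "A3EMPLOYEE", ["EMPLOYEE"])
    pm.grant("A1", "A3", "A3EMPLOYEE", ["SELECT"], grant_option=True)
    pm.grant("A1", "A4", "EMPLOYEE", ["UPDATE"], cols=["SALARY"])
    return pm


if __name__ == "__main__":
    pm = page_scenario()
    for account, row in sorted(pm.access_matrix().items()):
        print(account, row)
```

The pruning step recomputes which grants are reachable from the owner rather than deleting along the edges, so two accounts that keep re-granting a privilege to each other both lose it once their common source is revoked.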


2. Mandatory Access Control (MAC) :

The discretionary access control techniques of granting and revoking privileges on relations have traditionally been the main security mechanism for relational database systems. This is an all-or-nothing method: a user either has or does not have a certain privilege.

In many applications, an additional security policy is needed that classifies data and users based on security classes. This approach, known as mandatory access control, would typically be combined with the discretionary access control mechanisms.

Typical security classes are top secret (TS), secret (S), confidential (C) and unclassified (U), where TS is the highest level and U the lowest: TS > S > C > U. The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C or U. We refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O).

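The following is an added example (not part of the original text) that implements the classification-based policy of this section together with the flow-control policy from Chapter Five in one small model. It applies the two Bell-LaPadula rules that the text leaves implicit, no read up and no write down, and treats the chapter's "allow all flows except C to N" rule as the general condition class(source) <= class(destination), with N taken to be the unclassified level U (an assumption). Subjects, objects and data are constructed for the illustration. Note that these rules protect confidentiality only: a low-cleared subject is still allowed to write upward, so integrity needs separate controls.

```python
# Security classes in increasing order. The flow-control passage uses only
# confidential (C) and nonconfidential (N); N is taken here to be U (assumption).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


class MLSDatabase:
    """Mandatory access control in the Bell-LaPadula style.

    Every subject has a clearance class(S); every object (here a relation) has a
    classification class(O). Reads and writes are decided by the two BLP rules:
      * simple security property: S may read O only if class(S) >= class(O)  (no read up)
      * star property:            S may write O only if class(S) <= class(O)  (no write down)
    Together they make any flow from a higher class to a lower one impossible."""

    def __init__(self):
        self._clearance = {}   # subject -> class
        self._objects = {}     # object -> {"class": str, "data": list}

    def add_subject(self, subject, clearance):
        self._clearance[subject] = clearance

    def add_object(self, obj, classification, data=()):
        self._objects[obj] = {"class": classification, "data": list(data)}

    def class_of_subject(self, subject):
        return self._clearance[subject]

    def class_of_object(self, obj):
        return self._objects[obj]["class"]

    def can_read(self, subject, obj):
        return LEVELS[self.class_of_subject(subject)] >= LEVELS[self.class_of_object(obj)]

    def can_write(self, subject, obj):
        return LEVELS[self.class_of_subject(subject)] <= LEVELS[self.class_of_object(obj)]

    def read(self, subject, obj):
        if not self.can_read(subject, obj):
            raise PermissionError(f"{subject} ({self.class_of_subject(subject)}) may not read "
                                  f"{obj} ({self.class_of_object(obj)}): no read up")
        return list(self._objects[obj]["data"])

    def write(self, subject, obj, value):
        if not self.can_write(subject, obj):
            raise PermissionError(f"{subject} ({self.class_of_subject(subject)}) may not write "
                                  f"{obj} ({self.class_of_object(obj)}): no write down")
        self._objects[obj]["data"].append(value)

    def flow_allowed(self, src, dst):
        """The page's flow policy: every flow is allowed except one into a lower class."""
        return LEVELS[self.class_of_object(src)] <= LEVELS[self.class_of_object(dst)]

    def copy(self, subject, src, dst):
        """A program running on behalf of `subject` copies src into dst. This is exactly
        what a Trojan horse does to leak data; the flow check stops it even though the
        subject is individually allowed to read src."""
        rows = self.read(subject, src)
        if not self.flow_allowed(src, dst):
            raise PermissionError(f"flow {src} ({self.class_of_object(src)}) -> "
                                  f"{dst} ({self.class_of_object(dst)}) violates the policy")
        for row in rows:
            self.write(subject, dst, row)
        return len(rows)


if __name__ == "__main__":
    db = MLSDatabase()
    db.add_subject("analyst", "S")
    db.add_subject("clerk", "U")
    db.add_object("SALARIES", "C", [("Bob", 61000)])   # constructed sample data
    db.add_object("DIRECTORY", "U", [("Bob", "ext. 4411")])
    print(db.read("analyst", "SALARIES"))               # allowed: S >= C
    try:
        db.read("clerk", "SALARIES")                    # refused: U < C
    except PermissionError as err:
        print(err)
    try:
        db.copy("analyst", "SALARIES", "DIRECTORY")     # refused: C -> U is the forbidden flow
    except PermissionError as err:
        print(err)
```

The copy attempt is the DAC weakness the next section describes: under DAC the analyst's right to read SALARIES would be enough for a planted program to write the data somewhere the clerk can read it; under MAC the flow is refused regardless of the analyst's privileges.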

Comparing Discretionary Access Control and Mandatory Access Control:

Discretionary access control (DAC) policies are characterized by a high degree of flexibility, which makes them suitable for a large variety of application domains.

o The main drawback of DAC models is their vulnerability to malicious attacks, such as Trojan horses embedded in application programs: DAC does not impose any control on how information is propagated and used once it has been accessed by users authorized to do so.
o Mandatory access control (MAC) policies ensure a high degree of protection: MAC prevents any illegal flow of information.
o MAC has the drawback of being too rigid, and MAC policies are applicable only in limited environments.
o Discretionary policies are preferred in many cases because they offer a better trade-off between security and applicability.

3. Role Based Access Control (RBAC) :

Role-based access control emerged rapidly in the 1990s as a proven technology for managing and enforcing security in large-scale, enterprise-wide systems.

Its basic notion is that permissions are associated with roles, and users are then assigned to the appropriate roles.

Fig 7.1: Role Based Access Control

Roles can be created using the CREATE ROLE and DESTROY ROLE commands (standard SQL and most DBMSs spell the latter DROP ROLE). The GRANT and REVOKE commands discussed under DAC can then be used to assign privileges to roles and revoke them from roles.

RBAC appears to be a viable alternative to traditional discretionary and mandatory access controls.

o RBAC ensures that only authorized users are given access to certain data or resources.
o Many DBMSs support the concept of roles, where privileges can be assigned to roles.
o A role hierarchy in RBAC is a natural way of organizing roles to reflect the organization's lines of authority and responsibility.
o Another important consideration in RBAC systems is the possible temporal constraints that may exist on roles, such as the time and duration of role activations, or the timed triggering of a role by the activation of another role.
o Using an RBAC model is a highly desirable goal for addressing the key security requirements of Web-based applications. In contrast, DAC and MAC models lack capabilities needed to support the security requirements of emerging enterprises and Web-based applications.
o RBAC can be configured to mimic the behaviour of DAC and MAC, and it works well for DBMSs.
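An added example (not from the page) of the RBAC features just listed: a role hierarchy in which a senior role inherits its juniors' permissions, explicit activation so that a session exercises only the roles it switched on, and a temporal constraint that limits the hours in which a role's permissions may be used. The roles, users and office-hours window are constructed for the illustration.

```python
class RBAC:
    """Role-based access control with a role hierarchy, explicit role activation
    (a session holds only the roles it switched on) and per-role activation hours."""

    def __init__(self):
        self.perms = {}      # role -> {(privilege, object)}
        self.juniors = {}    # role -> roles whose permissions it inherits
        self.windows = {}    # role -> (start_hour, end_hour) in which the role may be used
        self.assigned = {}   # user -> roles the user may activate
        self.active = {}     # user -> roles currently activated

    def create_role(self, role, juniors=(), window=None):
        self.perms[role] = set()
        self.juniors[role] = set(juniors)
        if window is not None:
            self.windows[role] = window

    def drop_role(self, role):
        """DESTROY/DROP ROLE: the role disappears from the hierarchy and from every user."""
        self.perms.pop(role, None)
        self.juniors.pop(role, None)
        self.windows.pop(role, None)
        for roles in list(self.juniors.values()) + list(self.assigned.values()) + list(self.active.values()):
            roles.discard(role)

    def grant(self, role, privilege, obj):
        self.perms[role].add((privilege, obj))

    def revoke(self, role, privilege, obj):
        self.perms[role].discard((privilege, obj))

    def assign(self, user, role):
        self.assigned.setdefault(user, set()).add(role)

    def activate(self, user, role):
        if role not in self.assigned.get(user, ()):
            raise PermissionError(f"{user} is not assigned role {role}")
        self.active.setdefault(user, set()).add(role)

    def deactivate(self, user, role):
        self.active.get(user, set()).discard(role)

    def effective_roles(self, roles):
        """Close a set of roles under the hierarchy: a senior role implies all its juniors."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.juniors.get(role, ()))
        return seen

    def usable(self, role, hour):
        start, end = self.windows.get(role, (0, 24))
        return start <= hour < end

    def check(self, user, privilege, obj, hour):
        """Decide from the user's *activated* roles. The time window is checked on the role
        that actually carries the permission, so inheriting a role does not bypass its hours."""
        return any(self.usable(role, hour) and (privilege, obj) in self.perms.get(role, ())
                   for role in self.effective_roles(self.active.get(user, ())))


def build_example():
    """Constructed role set (not from the page): clerk < payroll < hr_manager."""
    r = RBAC()
    r.create_role("clerk")
    r.grant("clerk", "SELECT", "EMPLOYEE")
    r.create_role("payroll", juniors=["clerk"], window=(8, 18))   # salary changes only in office hours
    r.grant("payroll", "UPDATE", "EMPLOYEE.SALARY")
    r.create_role("hr_manager", juniors=["payroll"])
    r.grant("hr_manager", "DELETE", "EMPLOYEE")
    r.assign("alice", "hr_manager")
    r.assign("bob", "clerk")
    return r


if __name__ == "__main__":
    r = build_example()
    r.activate("alice", "hr_manager")
    print(r.check("alice", "UPDATE", "EMPLOYEE.SALARY", 10))   # True, inherited from payroll
    print(r.check("alice", "UPDATE", "EMPLOYEE.SALARY", 22))   # False, payroll outside its hours
```

Keeping assignment and activation separate is what gives RBAC its least-privilege property: an hr_manager who has not activated that role for the session cannot delete anything, even though the assignment exists.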

CHAPTER EIGHT ENCRYPTION AND PUBLIC KEY INFRASTRUCTURES

Encryption is a means of maintaining secure data in an insecure environment. Encryption consists of applying an encryption algorithm to data using some prespecified encryption key; the resulting data has to be decrypted using a decryption key to recover the original data.

Fig 8.1: Encryption process

1. Data Encryption Standard (DES):

The Data Encryption Standard (DES) is a system developed by the U.S. government in 1976 for use by the general public. It was widely accepted as a cryptographic standard both in the United States and abroad. DES can provide end-to-end encryption on the channel between a sender A and a receiver B.

The DES algorithm is a careful and complex combination of two of the fundamental building blocks of encryption: substitution and permutation (transposition). The algorithm derives its strength from repeated application of these two techniques for a total of 16 rounds. Plaintext (the original form of the message) is encrypted in blocks of 64 bits under a 64-bit key, of which only 56 bits are actually used by the algorithm (the remaining 8 are parity bits). A 56-bit key can be found by exhaustive search with modern hardware, so DES is no longer considered secure and has been withdrawn as a standard.

After questioning the adequacy of DES, the National Institute of Standards and Technology (NIST) introduced the Advanced Encryption Standard (AES). AES has a block size of 128 bits and key sizes of 128, 192 and 256 bits (AES-128, AES-192 and AES-256); it is the much larger key space, not the block size, that puts exhaustive search out of reach.

Fig 8.2: Data encryption technique

2. Public Key Encryption :

Diffie and Hellman in 1976 proposed a new kind of cryptosystem, which they called public key encryption. Public key algorithms are based on mathematical functions rather than operations on bit patterns.

o They involve the use of two separate keys, whereas conventional encryption uses only one key.
o The use of two keys has profound consequences in the areas of confidentiality, key distribution and authentication.

The two keys used for public key encryption are referred to as the public key and the private key.

o The private key is kept secret, but it is referred to as a private key rather than a secret key to avoid confusion with conventional encryption.
o The public key of the pair is made public for others to use.

A public key encryption scheme has six ingredients:

1. Plaintext: the data or readable message that is fed into the algorithm as input.
2. Encryption algorithm: performs various transformations on the plaintext.
3. and 4. Public and private keys: a pair of keys that have been selected so that one is used for encryption and the other for decryption.
5. Ciphertext: the scrambled message produced as output. It depends on the plaintext and the key; for a given message, two different keys will produce two different ciphertexts.
6. Decryption algorithm: accepts the ciphertext and the matching key and produces the original plaintext.

The public key is made public and the private key is known only to its owner. A general-purpose public key cryptographic algorithm relies on one key for encryption and a different but related key for decryption. The essential steps are as follows:

o Each user generates a pair of keys to be used for the encryption and decryption of messages.
o Each user places one of the two keys in a public register or other accessible file. This is the public key. The companion key is kept private (the private key).
o If a sender wishes to send a private message to a receiver, the sender encrypts the message using the receiver's public key.
o When the receiver receives the message, he or she decrypts it using the receiver's private key. No other recipient can decrypt the message, because only the receiver knows his or her private key.

3. Digital Signatures :

A digital signature is an example of using encryption techniques to provide authentication services in e-commerce applications. A digital signature is a means of associating a mark unique to an individual with a body of text. The mark should be unforgeable, meaning that others should be able to check that the signature does come from the originator and could not have been produced by anyone else.

A digital signature consists of a string of symbols. The signature must be different for each use; this is achieved by making each digital signature a function of the message that it is signing (in practice, of a cryptographic hash of the message) together with a timestamp, so that a captured signature cannot be replayed on a different message or at a later time. Public key techniques are the means of creating digital signatures: the signer uses the private key, and anyone holding the public key can verify the result.
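The following added example (not code from the page) walks through the public key steps of the previous section and the digital signature just described with textbook RSA in pure Python: key generation, encryption under the receiver's public key, decryption with the private key, and a signature that is a function of the message and a timestamp. The primes, modulus size and messages are constructed for the illustration and are far too small to be secure; real systems use 2048-bit or larger moduli and a padding scheme such as OAEP or PSS rather than the raw operations shown here.

```python
import hashlib
import time

# Toy textbook RSA. These primes (two Mersenne primes) give a 92-bit modulus, which is
# orders of magnitude too small for real use; they are constructed for illustration only.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse; raises ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)


def encrypt(public_key, message):
    """Sender side: encrypt with the receiver's public key. Textbook RSA, so the plaintext
    must be shorter than the modulus and identical messages give identical ciphertexts."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n), len(message)


def decrypt(private_key, ciphertext):
    """Receiver side: only the holder of d can undo the encryption."""
    d, n = private_key
    c, length = ciphertext
    return pow(c, d, n).to_bytes(length, "big")


def _digest_int(message, timestamp, n):
    # The signature is a function of the message AND a timestamp, as the text requires,
    # computed over a hash so that a message of any length can be signed.
    h = hashlib.sha256(message + b"|" + str(timestamp).encode()).digest()
    return int.from_bytes(h, "big") % n


def sign(private_key, message, timestamp):
    d, n = private_key
    return pow(_digest_int(message, timestamp, n), d, n)


def verify(public_key, message, timestamp, signature):
    """Anyone with the public key can check that the mark came from the private-key holder."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(message, timestamp, n)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    box = encrypt(pub, b"PAY 100")                 # constructed sample message
    print(decrypt(priv, box))                      # b'PAY 100'
    ts = int(time.time())
    sig = sign(priv, b"PAY 100", ts)
    print(verify(pub, b"PAY 100", ts, sig))        # True
    print(verify(pub, b"PAY 999", ts, sig))        # False: message changed
    print(verify(pub, b"PAY 100", ts + 60, sig))   # False: replayed with another timestamp
```

Encryption uses the receiver's public key and decryption the receiver's private key; signing inverts the roles, the sender's private key producing the mark and the sender's public key checking it. The verifier must also check that the timestamp is recent, otherwise a signed message could simply be resubmitted.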


CONCLUSION

o There are different threats to databases, and corresponding control measures to deal with them: access control, inference control, flow control and data encryption.
o There are various types of access control: discretionary access control, mandatory access control and role-based access control.
o There are different encryption techniques, including conventional data encryption, public key cryptography and digital signatures.
