Security

CPSC 356 Database

Ellen Walker

Hiram College

(Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)

Database Security: Definitions

• Security – The mechanisms that protect the database against

intentional or accidental threats

• Threat– Any situation or event, whether intentional or

accidental, that may adversely affect a system and consequently the organization

Why Security

• Data is a valuable resource• Corporate data can be strategic

– Trade secrets– Customer relationship information– Details of financials (costs, profits, etc.)

• Personal data can be sensitive– Medical records– Financial records

Aspects of Security Risk

• Theft and fraud• Loss of confidentiality• Loss of privacy• Loss of integrity• Loss of availability

Examples of Threats & Risks

• Using another person’s access– Theft/fraud, confidentiality, privacy

• Unauthorized changes to data– Theft/fraud, integrity, availability

• Theft of data, programs, and equipment– Theft/fraud, confidentiality, privacy, availability

• Power loss or surge; fire; physical damage– Integrity, availability

• Inadequate staff training– Confidentiality, privacy, integrity, availability

Sources of Threats (p. 521)

Who can use the data?

• Authorization– Granting a user rights or privileges to access the

system or some data

• Controlling privileges– Discretionary Access Control

• SQL grant & revoke statements

– Mandatory Access Control• Clearance attributes in tuples themselves

SQL GRANT / REVOKE

– GRANT SELECT ON Hotel, Room, Booking TO Users

– GRANT SELECT, UPDATE on Hotel, Room, Booking TO Managers WITH GRANT OPTION

– REVOKE ALL PRIVILEGES from User256

… Are You Who You Say You Are?

• Authentication– Secret passwords (most common)– Physical “keys” (e.g. dongles)– Biometrics

• Fingerprint• Voiceprint• Retinal scan• Iris measurements

Risks of Passwords

• Guessable passwords– Name, address, significant other, ssn– Dictionary words (or slight variations)– No special characters– Short passwords

• Shared passwords– Sharing with friends– Sticky note on monitor– Fraud

DBMS Account/Passwords

• Separate passwords for the DBMS– Some degree of safety– Users need to remember multiple passwords

• Use OS accounts / passwords– DB is only as secure as OS– User can’t be one account on OS and another on

DB

Users & Groups

• DBA can set up users and groups; assign users to groups– E.g. Administrators, Managers, Users

• Users and Groups can have various authorizations– SELECT, UPDATE, DELETE, INSERT, ALL

• Access control matrix– Rows are users / groups– Columns are attributes– Values are privileges

Views

• Views allow attributes to be hidden from users

• User has access to view, but not to base table– Faculty sees class list, but cannot access

complete student records– Department members see total salary budget, but

not individual salaries

Statistical Database Security

• Careful use of aggregates can reveal “hidden” information!– Min and max of salaries of dept. with 2 individuals– Average salaries of two sets of employees that

overlap by exactly one individual– Careful construction of conditions that select one

individual

Countermeasures

• Don’t report small sets– Still doesn’t solve “difference” problem

• Add random “noise” to each result– Aggregate data will be “close enough” for most

valid purposes– Differences won’t be accurate anymore– Many databases do this

Encryption

• Prevents data from being useful if it is stolen…– Theft of media (disks, backup tapes)– Eavesdropping (wiretapping, network “sniffing”)

• Unauthorized user sees gibberish• Authorized access through DB gets

decrypted– Requires extra time for every access

Encryption Definitions

• Plaintext– The original information

• Ciphertext– Information as stored or passed on a public line

(unintelligible)

• Encryption Key, Algorithm– Transforms plaintext into ciphertext

• Decryption Key, Algorithm– Transforms ciphertext into plaintext

Encryption Ideas

• Use a secret algorithm to transform the data. Only authorized recipients know the algorithm.

• Use an algorithm that takes data and a key and performs math on it. For example, multiply data by key. – With the key, divide to get the data– Without the key, try all factors?

Very Simple Encryption

• The Caesar cipher: each letter is replaced by one 13 steps ahead (with wrap) in the alphabet.– “Database” becomes “Qngnonfr”– “Qngnonfr” becomes “Database”

• No specific key; encryption and decryption algorithm are the same– Can generalize to arbitrary shift; key is number of

letters to shift.

Private Key Encryption

• Algorithm does encryption and decryption with a single key

• Sender and recipient of message must both have the key

• Problem: transmitting the key securely!• Example:

– Data Encryption Standard (DES) 56-bit key– PGP 128-bit key– The longer the key, the harder to break.

Public Key Encryption

• Pair of keys: public and private• Message encrypted by public key can be decrypted by

private key & vice versa (asymmetric)• Algorithm is public. All public keys are in a “phone

book”.• If I want to send you a message, I encrypt it using your

public key. Only you (with your private key) can decrypt it

• To sign the message, I encrypt a signature with my private key. You verify it’s me by decrypting it with my public key.

• Example: RSA Algorithm (initials of authors)

Public vs. Private Key

• Private key encryption / decryption is usually faster

• Private keys can be exchanged using a public key method.

RAID: Data Storage Redundancy

• Addresses risks of data loss, loss of integrity• RAID = Redundant Array of Independent

Disks• Levels 0 through 6 include combinations of:

– Striping: data is divided into equal-size partitions distributed among multiple disks

– Error-detecting (parity) and correcting codes– Mirroring: copying data to multiple disks

(see p. 530)

Error-Detecting & Correcting Codes

• Add extra bits to the data, so every bit combination isn’t valid

• Error detection – When the code is invalid we know it– Example: add a 9th bit to each group of 8 (parity bit) so that

the group of 9 bits has an even number of 0’s.

• Error correction– Add more extra bits to each group– If one bit is wrong, there is only one change that makes the

group valid– Example: Hamming Code

Web Security

• Internet traffic is “in the clear” – applications must encrypt/decrypt if desired

• Servers must be protected from external attacks across the networks

• Systems must be protected from executable web programs

Mechanisms for Web Security

• Proxy servers– Filter requests and improve performance

• Firewalls– May include packet filters, application gateways,

and proxy servers

• Certificates– Include digital signatures, message digests

• Secure Socket Layer (and shttp)

Security on the Web

• Many web sites are backed by databases– Must keep database safe!

• The Internet is notoriously insecure• We want customers to buy stuff!

– Keep credit card information confidential– Convince the customer the site is authentic.– Make sure customer “matches” credit card– Make sure credit card is “real”– Make sure purchase is charged exactly once!

SQL Injection Attack

Source: http://imgs.xkcd.com/comics/exploits_of_a_mom.png

SQL Injection Attack

• Website collects information and inserts into query, e.g.– SELECT * FROM students where name = ‘$name’;

• Malicious user puts SQL code into the “name” field, e.g.– Robert’; DROP TABLE students; --

• Result legal SQL, but not quite what we wanted:– SELECT * FROM students where name = ‘Robert’;– DROP TABLE students; -- ‘;

Protecting against User Input Attacks

• Validate inputs– If it’s supposed to be a number, make sure it’s a

number

• Verify input length (avoid “buffer overflow”)• Sanitize inputs before constructing a query

– Remove dangerous characters– Or escape them: ‘ becomes \’ and ; becomes \; – Mysql addslashes / stripslashes

• $query = “select * from table where name = ‘” . addslashes($name) . “’”

Requirements for a Safe Transaction

• Information is inaccessible to all but sender and receiver (privacy)

• Information does not change between sending and receiving (integrity)

• Recipient knows information came from sender (authenticity)

• Sender knows recipient is genuine (non-fabrication)• Sender cannot deny the purchase was made (non-

repudiation)

Web Security• Proxy server

– Intercept all requests, serve local file if possible– Recent requests are saved in cache– Improves both security and performance

• Firewall– Examines all messages; blocks any that don’t meet security

criteria

• Message Digest Algorithm & Digital Signature– Ensures the message is received as sent & who sent it

• Digital Certificates– “Authentication” of site from external authority (3rd party trust

model)– Based on public key mechanism

Secure Sockets Layer, Secure HTTP

• SSL: protocol developed by Netscape– Creates a secure session using private key– Browser & server not involved; SSL is at a lower level– Packets are encrypted before they’re sent; decrypted when

received– Complete “session” (conversation) is secure

• SHTTP: now owned by Verifone– Transmits individual messages securely– Browser & server involved in encryption / decryption

• SSL and SHTTP are complementary; many sessions use both.

Secure Electronic Transactions (SET)

• Open standard for processing credit card transactions on the Internet– Created by Netscape, Microsoft, Visa, Mastercard,

GTE, SAIC, Terisa Systems, and Verisign

• Splits transaction information– Merchant sees what is purchased, how much, &

payment approval– Card issuer sees purchase price but not items

purchased

• Heavy use of certificates & encryption