Upload
gourab87
View
1.730
Download
0
Embed Size (px)
DESCRIPTION
Navate Database Management system
Citation preview
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Database Security And Authorization
Chapter 23
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Introduction to Database Security Issues
Discretionary Access Control Based on Granting and Revoking Privileges
Mandatory Access Control and Role-Based Access Control for Multilevel Security
Introduction to Statistical Database Security
Introduction to Flow Control
Encryption and Public Key Infrastructures
Chapter Outline
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Database security considers the following types of security:
Legal and ethical issues regarding the right to access certain information
Policy issues (e.g., personal medical records should not be made public).
System-related issues (e.g., whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level).
Classification of security levels (e.g., top secret, secret, confidential, and unclassified).
Database Security Issues
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A DBMS includes a database security and authorization subsystem.
Two types of database security mechanisms:
1) Discretionary security mechanism: these are used to grant privilege to users (e.g., the capability to access specific data files, records, or fields).
2) Mandatory security mechanism: these are used to enforce multilevel security by classifying the data and users into various security classes.
A common security problem is that of preventing unauthorized persons from accessing the system itself.
Database Security Issues
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Threats to Databases:Loss of integrity: information must be protected from improper modification.
Loss of availability: information must be available to users/programs to which they have a legitimate right.
Loss of confidentiality: information must be protected from unauthorized disclosure.
Protection of databases against the above threats can be achieved by employing: access control, flow control, inference control, and encryption.
Database Security Issues
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
The DBA is responsible for the overall security of the database system.
The DBA has a DBA account in the DBMS, which can be used to perform the following types of actions (not available to regular users):
1) Account creation: creates a new account and password for a user or a group of users.
2) Privilege granting: permits the DBA to grant certain privileges to certain accounts.
3) Privilege revocation: permits the DBA to revoke (cancel) certain privilege that were previously given to certain accounts.
4) Security level assignment: assigning user accounts to the appropriate security classification level.
Database Security and the DBA
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
In order to access the system, users must obtain (from the DBA) a user-name and a password.
The user must log in to the DBMS whenever database access is needed.
The DBMS keeps track of all operations on the database that are applied by a certain user. If any tampering with the database is suspected, a database audit is performed.
A database log that is used mainly for security purposes is sometimes called an audit trail.
Access Protection and Database Audits
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
This mechanism is based on granting and revoking of privileges.
There are two levels for assigning privileges:
1) The account level: the DBA specifies the particular privileges that each account holds independently of the relations in the database (CREATE TABLE, CREATE VIEW, DROP, and ALTER).
2) The relation/table level: the DBA can control the privilege to access each individual relation or view in the database.
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
To control the granting and revoking of relation privileges, each relation R in a database is assigned an owner account.
In SQL the following types of privileges can be granted on each individual relation R:
SELECT privilege: Gives the account retrieval privilege
Modify privilege: Gives the account the capability to modify tuples of R.
References privilege: Gives the account the capability to reference relation R.
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
The mechanism of VIEWS is an important discretionary authorization mechanism.
Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.
The GRANT OPTION enables the propagation of privileges (e.g., user B can propagate the privilege to other accounts without the knowledge of the user A)
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
An Example: Suppose that the DBA creates four accounts (A1, A2, A3, and A4), and issuesGRANT CREATETAB TO A1;
Now A1 can create tables. Let A1 creates the two base relations EMPLOYEE and DEPARTMENT.
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Next, A1 can issue
GRANT INSERT, DELETE, ON EMPLOYEE, DEPARTMENT TO A2;
Now A2 can perform insert/delete operation on these two tables, but cannot propagate these privileges.
Next, suppose that A1 issues
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
Now A3 can issue
GRANT SELECT ON EMPLOYEE TO A4;
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Now suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3,
REVOKE SELECT ON EMPLOYEE FROM A3;
The DBMS now automatically revokes the SELECT privilege on EMPLOYEE from A4, too.
Next, suppose A1 wants to give A3 a limited capability to SELECT from EMPLOYEE relation.
The limitation is to retrieve only the NAME, BDATE, and ADDRESS attributes and only for the tuples with DNO=5.
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Hence, A1 creates the following view:CREATE VIEW A3EMPLOYEE AS SELECT NAME, BDATE, ADDRESS FROM EMPLOYEEWHERE DNO = 5;
After the view is created, A1 issues
GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;
Finally, suppose A1 wants to allow A4 to update only the SALARY attribute from EMPLOYEE;
GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;
Discretionary Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
This mechanism provides multilevel security which is desirable in government, military, and intelligence applications.
Typical security classes are:Top secret (TS)Secret (S), Confidential (C), and Unclassified (U).
Where TS ≥ S ≥ C ≥ U.
Mandatory Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A commonly used model for multilevel security, known as the Bell-Lapadual model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classes TS, S, C, or U.
Two restricyions on data access based on the subject/object (S/O) classifications are:
1) A subject S is not allowed read access to an object O unless class (S) ≥ class (O). This is known as the simple security property.
2) A subject S is not allowed to write an object O unless class (S) ≤ class (O). This is known as the star property (or *-property).
Mandatory Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Incorporation of multilevel security notions with relational databases requires that each attribute A be associated with a classification attribute C in the schema. In some relational models, a tuple classification attribute TC is added to the relation attributes. Hence a multilevel relation schema R would be represented as:
R(A1 ,C1 ,A2 ,C2 , … An, Cn, TC)
The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation.
Mandatory Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
It is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower classification level through a process known as filtering.
Sometimes, it is necessary to store two or more tuples at different classification levels with the same value for the apparent key.This leads to the concept of polyinstantiation, where several tuples can have the same apparent key value but have different attribute values for users at different classification levels.
Mandatory Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
FIGURE 23.2
A multilevel relation to illustrate multilevel security. (a) The original EMPLOYEE tuples. (b) Appearance of EMPLOYEE after filtering for classification C users. (c) Appearance of EMPLOYEE after filtering for
classification U users. (d) Polyinstantiation ofthe Smith tuple: A Cuser updatesJobPerformanceto Excellent
Mandatory Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Role-based access control (RBAC) is a technology for managing an enforcing security in large-scale enterprisewide systems.
Permissions are associated with roles, and users are assigned to appropriate roles.
Roles can be created using the CREATE ROLE and DESTROY ROLE commands (GRANT and REVOKE commands can then be used to assign and revoke privileges from roles.)
Role-Based Access Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A statistical database may contain confidential data on individuals, but users are permitted to retrieve statistical information on the population.
A population is a set of tuples of a relation that satisfy some selection condition.
Statistical database security techniques must prevent the retrieval of individual data.
In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries ―this must be prevented by the statistical database security mechanism.
Statistical Databases Security
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
FIGURE 23.3The PERSON relation schema for illustrating statistical database
security.
Statistical Database Security
An example:Q1: SELECT COUNT (*) FROM PERSON WHERE <CONDITION>;Q2: SELECT AVG (INCOME) FROM PERSON
WHERE <CONDITION>;Now suppose that we know ‘Jane Smith’ is the only female that has a Ph.D. degree and lives in Bellaire, Texas. So, the following query returns her salary:
Q3: SELECT AVG (INCOME) FROM PERSONWHERE LAST_DEGREE = ‘Ph.D.’ AND Sex = ‘F’ AND
CITY = ‘Bellaire’ AND STATE = Texas’;
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A flow between object X and object Y occurs when a program reads values from X and writes values into Y.
Flow controls must prevent any information leakage (a user cannot get indirectly in Y what s/he cannot get directly from X).
A flow policy specifies the channels along which information is allowed to move. It specifies two classes of information: confidential (C) and nonconfidential (N), and allows all flows except those from class C to class N.
Introduction To Flow Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A covert channel allows a transfer of information that violates the security or the policy, that is, it allows information to pass from a higher classification level to a lower classification level through improper means.
Covert channels can be classified into:1) Timing channels: the information is conveyed
by the timing of events or processesExample: influence system load→time task execution
2) Storage channels: information conveyed through variables and attributes other than timeExample: cause resource exhaustion→request resources
Introduction To Flow Control
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Encryption consists of applying an encryption algorithm to data using some prespecified encryption key. The resulting data (cryptogram) has to be decrypted using a decryption key to recover the original data.
Cryptographic algorithms can be classified into tow main categories:
1) Private key (symmetric) algorithms: knowledge of one of the encryption/decryption keys is sufficient to learn the other key.
2) Public key (asymmetric) algorithms: knowledge of one of the encryption/decryption keys gives no idea about the other key.
Encryption and Public Key Infrastructures
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
A public key algorithm has six ingredients:1) Plaintext: the data or readable message,
2) Encryption algorithm: performs transformation on the plaintext and generates the ciphertext,
3) Public key: one of the keys (encryption key) which is made public (applies to encryption algorithm),
4) Private/secret key: the other key (decryption key), which is kept secure (applies to decryption algorithm),
5) Ciphertext: the scrambled message produced as output of the encryption algorithm,
6) Decryption algorithm: accepts the ciphertext and and the decryption key and produces the original plaintext.
Encryption and Public Key Infrastructures
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
The RSA public key system introduced in 1978. It operates with modular arithmetic mode n,
n = p * q where p and q are large and distinct primes.
The encryption key, e, is chosen such that gcd (e, (n)) = 1
where (n) = (p-1) * (q-1).
The decryption key, d, then is calculated such that
e * d = 1 mod (n)The owner of the system makes (e, n) public, but keeps d secret (destroys p and q).
Encryption and Public Key Infrastructures
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Encryption of the message, M, is possible by anyone who knows the public key, e,:
C = Me mod n Decryption of the ciphertext, C, requires to
knowledge of the secret key, d,:M = Cd mod n
The owner of the private key can sign a message M,
S = Md mod nS is the digital signature of the owner of the
system (nobody can generate this, since they do not know d), but everybody can verify that this is the signature of message M, using S and e, as:
Se = M mod n
Encryption and Public Key Infrastructures