Download Data Modeling - Hiram College

Security
CPSC 356 Database
Ellen Walker
Hiram College
(Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)
Database Security: Definitions
• Security
– The mechanisms that protect the database
against intentional or accidental threats
• Threat
– Any situation or event, whether intentional or
accidental, that may adversely affect a system and
consequently the organization
Why Security
• Data is a valuable resource
• Corporate data can be strategic
– Trade secrets
– Customer relationship information
– Details of financials (costs, profits, etc.)
• Personal data can be sensitive
– Medical records
– Financial records
Aspects of Security Risk
•
•
•
•
•
Theft and fraud
Loss of confidentiality
Loss of privacy
Loss of integrity
Loss of availability
Examples of Threats & Risks
• Using another person’s access
– Theft/fraud, confidentiality, privacy
• Unauthorized changes to data
– Theft/fraud, integrity, availability
• Theft of data, programs, and equipment
– Theft/fraud, confidentiality, privacy, availability
• Power loss or surge; fire; physical damage
– Integrity, availability
• Inadequate staff training
– Confidentiality, privacy, integrity, availability
Sources of Threats (p. 521)
Who can use the data?
• Authorization
– Granting a user rights or privileges to access the
system or some data
• Controlling privileges
– Discretionary Access Control
• SQL grant & revoke statements
– Mandatory Access Control
• Clearance attributes in tuples themselves
SQL GRANT / REVOKE
– GRANT SELECT ON Hotel, Room, Booking TO
Users
– GRANT SELECT, UPDATE on Hotel, Room,
Booking TO Managers WITH GRANT OPTION
– REVOKE ALL PRIVILEGES from User256
… Are You Who You Say You Are?
• Authentication
– Secret passwords (most common)
– Physical “keys” (e.g. dongles)
– Biometrics
•
•
•
•
Fingerprint
Voiceprint
Retinal scan
Iris measurements
Risks of Passwords
• Guessable passwords
–
–
–
–
Name, address, significant other, ssn
Dictionary words (or slight variations)
No special characters
Short passwords
• Shared passwords
– Sharing with friends
– Sticky note on monitor
– Fraud
DBMS Account/Passwords
• Separate passwords for the DBMS
– Some degree of safety
– Users need to remember multiple passwords
• Use OS accounts / passwords
– DB is only as secure as OS
– User can’t be one account on OS and another on
DB
Users & Groups
• DBA can set up users and groups; assign users to
groups
– E.g. Administrators, Managers, Users
• Users and Groups can have various authorizations
– SELECT, UPDATE, DELETE, INSERT, ALL
• Access control matrix
– Rows are users / groups
– Columns are attributes
– Values are privileges
Views
• Views allow attributes to be hidden from
users
• User has access to view, but not to base
table
– Faculty sees class list, but cannot access
complete student records
– Department members see total salary budget, but
not individual salaries
Statistical Database Security
• Careful use of aggregates can reveal
“hidden” information!
– Min and max of salaries of dept. with 2 individuals
– Average salaries of two sets of employees that
overlap by exactly one individual
– Careful construction of conditions that select one
individual
Countermeasures
• Don’t report small sets
– Still doesn’t solve “difference” problem
• Add random “noise” to each result
– Aggregate data will be “close enough” for most
valid purposes
– Differences won’t be accurate anymore
– Many databases do this
Encryption
• Prevents data from being useful if it is
stolen…
– Theft of media (disks, backup tapes)
– Eavesdropping (wiretapping, network “sniffing”)
• Unauthorized user sees gibberish
• Authorized access through DB gets decrypted
– Requires extra time for every access
Encryption Definitions
• Plaintext
– The original information
• Ciphertext
– Information as stored or passed on a public line
(unintelligible)
• Encryption Key, Algorithm
– Transforms plaintext into ciphertext
• Decryption Key, Algorithm
– Transforms ciphertext into plaintext
Encryption Ideas
• Use a secret algorithm to transform the data.
Only authorized recipients know the
algorithm.
• Use an algorithm that takes data and a key
and performs math on it. For example,
multiply data by key.
– With the key, divide to get the data
– Without the key, try all factors?
Very Simple Encryption
• The Caesar cipher: each letter is replaced by
one 13 steps ahead (with wrap) in the
alphabet.
– “Database” becomes “Qngnonfr”
– “Qngnonfr” becomes “Database”
• No specific key; encryption and decryption
algorithm are the same
– Can generalize to arbitrary shift; key is number of
letters to shift.
Private Key Encryption
• Algorithm does encryption and decryption
with a single key
• Sender and recipient of message must both
have the key
• Problem: transmitting the key securely!
• Example:
– Data Encryption Standard (DES) 56-bit key
– PGP 128-bit key
– The longer the key, the harder to break.
Public Key Encryption
• Pair of keys: public and private
• Message encrypted by public key can be decrypted
by private key & vice versa (asymmetric)
• Algorithm is public. All public keys are in a “phone
book”.
• If I want to send you a message, I encrypt it using
your public key. Only you (with your private key) can
decrypt it
• To sign the message, I encrypt a signature with my
private key. You verify it’s me by decrypting it with
my public key.
• Example: RSA Algorithm (initials of authors)
Public vs. Private Key
• Private key encryption / decryption is usually
faster
• Private keys can be exchanged using a public
key method.
RAID: Data Storage Redundancy
• Addresses risks of data loss, loss of integrity
• RAID = Redundant Array of Independent
Disks
• Levels 0 through 6 include combinations of:
– Striping: data is divided into equal-size partitions
distributed among multiple disks
– Error-detecting (parity) and correcting codes
– Mirroring: copying data to multiple disks
(see p. 530)
Error-Detecting & Correcting Codes
• Add extra bits to the data, so every bit combination
isn’t valid
• Error detection
– When the code is invalid we know it
– Example: add a 9th bit to each group of 8 (parity bit) so that
the group of 9 bits has an even number of 0’s.
• Error correction
– Add more extra bits to each group
– If one bit is wrong, there is only one change that makes the
group valid
– Example: Hamming Code
Web Security
• Internet traffic is “in the clear” – applications
must encrypt/decrypt if desired
• Servers must be protected from external
attacks across the networks
• Systems must be protected from executable
web programs
Mechanisms for Web Security
• Proxy servers
– Filter requests and improve performance
• Firewalls
– May include packet filters, application gateways,
and proxy servers
• Certificates
– Include digital signatures, message digests
• Secure Socket Layer (and shttp)
Security on the Web
• Many web sites are backed by databases
– Must keep database safe!
• The Internet is notoriously insecure
• We want customers to buy stuff!
–
–
–
–
–
Keep credit card information confidential
Convince the customer the site is authentic.
Make sure customer “matches” credit card
Make sure credit card is “real”
Make sure purchase is charged exactly once!
SQL Injection Attack
Source: http://imgs.xkcd.com/comics/exploits_of_a_mom.png
SQL Injection Attack
• Website collects information and inserts into query,
e.g.
– SELECT * FROM students where name = ‘$name’;
• Malicious user puts SQL code into the “name” field,
e.g.
– Robert’; DROP TABLE students; --
• Result legal SQL, but not quite what we wanted:
– SELECT * FROM students where name = ‘Robert’;
– DROP TABLE students; -- ‘;
Protecting against User Input Attacks
• Validate inputs
– If it’s supposed to be a number, make sure it’s a
number
• Verify input length (avoid “buffer overflow”)
• Sanitize inputs before constructing a query
– Remove dangerous characters
– Or escape them: ‘ becomes \’ and ; becomes \;
– Mysql addslashes / stripslashes
• $query = “select * from table where name = ‘” .
addslashes($name) . “’”
Requirements for a Safe Transaction
• Information is inaccessible to all but sender and
receiver (privacy)
• Information does not change between sending and
receiving (integrity)
• Recipient knows information came from sender
(authenticity)
• Sender knows recipient is genuine (non-fabrication)
• Sender cannot deny the purchase was made (nonrepudiation)
Web Security
• Proxy server
– Intercept all requests, serve local file if possible
– Recent requests are saved in cache
– Improves both security and performance
• Firewall
– Examines all messages; blocks any that don’t meet security
criteria
• Message Digest Algorithm & Digital Signature
– Ensures the message is received as sent & who sent it
• Digital Certificates
– “Authentication” of site from external authority (3rd party trust
model)
– Based on public key mechanism
Secure Sockets Layer, Secure HTTP
• SSL: protocol developed by Netscape
– Creates a secure session using private key
– Browser & server not involved; SSL is at a lower level
– Packets are encrypted before they’re sent; decrypted when
received
– Complete “session” (conversation) is secure
• SHTTP: now owned by Verifone
– Transmits individual messages securely
– Browser & server involved in encryption / decryption
• SSL and SHTTP are complementary; many sessions
use both.
Secure Electronic Transactions
(SET)
• Open standard for processing credit card
transactions on the Internet
– Created by Netscape, Microsoft, Visa, Mastercard,
GTE, SAIC, Terisa Systems, and Verisign
• Splits transaction information
– Merchant sees what is purchased, how much, &
payment approval
– Card issuer sees purchase price but not items
purchased
• Heavy use of certificates & encryption