Security CPSC 356 Database Ellen Walker Hiram College (Includes figures from Database Systems by Connolly & Begg, © Addison Wesley 2002)


Database Security: Definitions
Security
  – The mechanisms that protect the database against intentional or accidental threats
Threat
  – Any situation or event, whether intentional or accidental, that may adversely affect a system and consequently the organization

Why Security
Data is a valuable resource
Corporate data can be strategic
  – Trade secrets
  – Customer relationship information
  – Details of financials (costs, profits, etc.)
Personal data can be sensitive
  – Medical records
  – Financial records

Aspects of Security Risk
Theft and fraud
Loss of confidentiality
Loss of privacy
Loss of integrity
Loss of availability

Examples of Threats & Risks
Using another person’s access
  – Theft/fraud, confidentiality, privacy
Unauthorized changes to data
  – Theft/fraud, integrity, availability
Theft of data, programs, and equipment
  – Theft/fraud, confidentiality, privacy, availability
Power loss or surge; fire; physical damage
  – Integrity, availability
Inadequate staff training
  – Confidentiality, privacy, integrity, availability

Sources of Threats (p. 521)

Who can use the data?
Authorization
  – Granting a user rights or privileges to access the system or some data
Controlling privileges
  – Discretionary Access Control
    SQL GRANT & REVOKE statements
  – Mandatory Access Control
    Clearance attributes in tuples themselves

SQL GRANT / REVOKE
  – GRANT SELECT ON Hotel, Room, Booking TO Users
  – GRANT SELECT, UPDATE ON Hotel, Room, Booking TO Managers WITH GRANT OPTION
  – REVOKE ALL PRIVILEGES FROM User256

… Are You Who You Say You Are?
Authentication
  – Secret passwords (most common)
  – Physical “keys” (e.g. dongles)
  – Biometrics
    Fingerprint
    Voiceprint
    Retinal scan
    Iris measurements

Risks of Passwords
Guessable passwords
  – Name, address, significant other, SSN
  – Dictionary words (or slight variations)
  – No special characters
  – Short passwords
Shared passwords
  – Sharing with friends
  – Sticky note on monitor
  – Fraud

DBMS Account/Passwords
Separate passwords for the DBMS
  – Some degree of safety
  – Users need to remember multiple passwords
Use OS accounts / passwords
  – DB is only as secure as OS
  – User can’t be one account on OS and another on DB

Users & Groups
DBA can set up users and groups; assign users to groups
  – E.g. Administrators, Managers, Users
Users and Groups can have various authorizations
  – SELECT, UPDATE, DELETE, INSERT, ALL
Access control matrix
  – Rows are users / groups
  – Columns are attributes
  – Values are privileges

Views
Views allow attributes to be hidden from users
User has access to view, but not to base table
  – Faculty sees class list, but cannot access complete student records
  – Department members see total salary budget, but not individual salaries

Statistical Database Security
Careful use of aggregates can reveal “hidden” information!
  – Min and max of salaries of dept. with 2 individuals
  – Average salaries of two sets of employees that overlap by exactly one individual
  – Careful construction of conditions that select one individual

Countermeasures
Don’t report small sets
  – Still doesn’t solve “difference” problem
Add random “noise” to each result
  – Aggregate data will be “close enough” for most valid purposes
  – Differences won’t be accurate anymore
  – Many databases do this
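
The two slides above, worked through as an added example (not part of the original slides): a small-set refusal rule blocks the direct query, the three averages over two sets that overlap in one individual still recover that salary, and per-result noise spoils the reconstruction. The employee rows, `MIN_SET` threshold and function names are constructed for illustration.

```python
# Constructed sample data (not from the slides): (name, dept, role, salary)
EMPLOYEES = [
    ("Ann", "Sales", "Manager", 90000), ("Bob", "Sales", "Clerk", 40000),
    ("Cid", "Sales", "Clerk", 42000),   ("Eve", "Sales", "Analyst", 61000),
    ("Fay", "IT", "Analyst", 70000),    ("Gus", "IT", "Analyst", 72000),
    ("Hal", "HR", "Analyst", 68000),
]
MIN_SET = 3  # "don't report small sets": refuse aggregates over fewer rows


def avg_query(pred, noise=None):
    """Return (count, average salary) for matching rows, or None if refused."""
    salaries = [row[3] for row in EMPLOYEES if pred(row)]
    if len(salaries) < MIN_SET:
        return None
    avg = sum(salaries) / len(salaries)
    if noise is not None:
        avg += noise()          # countermeasure: perturb every reported result
    return len(salaries), avg


def infer_overlap(in_a, in_b, noise=None):
    """sum(A) + sum(B) - sum(A or B) is the salary of the one row in both sets."""
    n_a, avg_a = avg_query(in_a, noise)
    n_b, avg_b = avg_query(in_b, noise)
    n_u, avg_u = avg_query(lambda r: in_a(r) or in_b(r), noise)
    return n_a * avg_a + n_b * avg_b - n_u * avg_u


def in_sales(row):
    return row[1] == "Sales"


def is_analyst(row):
    return row[2] == "Analyst"


if __name__ == "__main__":
    import random
    rng = random.Random(0)
    print(avg_query(lambda r: in_sales(r) and is_analyst(r)))  # refused: one row
    print(round(infer_overlap(in_sales, is_analyst)))          # exact salary
    print(round(infer_overlap(in_sales, is_analyst,
                              lambda: rng.uniform(-500, 500))))  # distorted
```

Each noisy average is off by at most 500, but the reconstruction multiplies that error by the set sizes, which is why the slide says differences are no longer accurate.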

Encryption
Prevents data from being useful if it is stolen…
  – Theft of media (disks, backup tapes)
  – Eavesdropping (wiretapping, network “sniffing”)
Unauthorized user sees gibberish
Authorized access through DB gets decrypted
  – Requires extra time for every access

Encryption Definitions
Plaintext
  – The original information
Ciphertext
  – Information as stored or passed on a public line (unintelligible)
Encryption Key, Algorithm
  – Transforms plaintext into ciphertext
Decryption Key, Algorithm
  – Transforms ciphertext into plaintext

Encryption Ideas
Use a secret algorithm to transform the data. Only authorized recipients know the algorithm.
Use an algorithm that takes data and a key and performs math on it. For example, multiply data by key.
  – With the key, divide to get the data
  – Without the key, try all factors?

Very Simple Encryption
The Caesar cipher: each letter is replaced by one 13 steps ahead (with wrap) in the alphabet.
  – “Database” becomes “Qngnonfr”
  – “Qngnonfr” becomes “Database”
No specific key; encryption and decryption algorithm are the same
  – Can generalize to arbitrary shift; key is number of letters to shift.

Private Key Encryption
Algorithm does encryption and decryption with a single key
Sender and recipient of message must both have the key
Problem: transmitting the key securely!
Example:
  – Data Encryption Standard (DES) 56-bit key
  – PGP 128-bit key
  – The longer the key, the harder to break.

Public Key Encryption
Pair of keys: public and private
Message encrypted by public key can be decrypted by private key & vice versa (asymmetric)
Algorithm is public. All public keys are in a “phone book”.
If I want to send you a message, I encrypt it using your public key. Only you (with your private key) can decrypt it.
To sign the message, I encrypt a signature with my private key. You verify it’s me by decrypting it with my public key.
Example: RSA Algorithm (initials of authors)

Public vs. Private Key
Private key encryption / decryption is usually faster
Private keys can be exchanged using a public key method.
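
The key-pair behaviour on the two slides above, as an added example (not part of the original slides): textbook RSA used once to wrap a 16-byte symmetric key with the recipient's public key and once to sign and verify a message digest. The small primes, the exponent and all function names are assumptions for illustration; production RSA uses 2048-bit or larger keys with OAEP/PSS padding from a vetted library.

```python
import hashlib

# Toy key pair (assumption for illustration): two known Mersenne primes give a
# ~150-bit modulus, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
PUBLIC, PRIVATE = (E, N), (D, N)    # PUBLIC is what goes in the "phone book"


def rsa(m, key):
    """The same modular exponentiation serves both keys of the pair."""
    exponent, modulus = key
    return pow(m, exponent, modulus)


def digest(message):
    """Hash the message to a number below N so it can be signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private):
    return rsa(digest(message), private)


def verify(message, signature, public):
    return rsa(signature, public) == digest(message)


def wrap_key(session_key, public):
    """Encrypt a 16-byte symmetric key; only the private-key holder can read it."""
    return rsa(int.from_bytes(session_key, "big"), public)


def unwrap_key(wrapped, private):
    return rsa(wrapped, private).to_bytes(16, "big")


if __name__ == "__main__":
    key = bytes(range(16))                      # constructed sample session key
    print(unwrap_key(wrap_key(key, PUBLIC), PRIVATE) == key)
    sig = sign(b"pay 10 to Bob", PRIVATE)
    print(verify(b"pay 10 to Bob", sig, PUBLIC),
          verify(b"pay 99 to Bob", sig, PUBLIC))
```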

RAID: Data Storage Redundancy
Addresses risks of data loss, loss of integrity
RAID = Redundant Array of Independent Disks
Levels 0 through 6 include combinations of:
  – Striping: data is divided into equal-size partitions distributed among multiple disks
  – Error-detecting (parity) and correcting codes
  – Mirroring: copying data to multiple disks (see p. 530)

Error-Detecting & Correcting Codes
Add extra bits to the data, so every bit combination isn’t valid
Error detection
  – When the code is invalid we know it
  – Example: add a 9th bit to each group of 8 (parity bit) so that the group of 9 bits has an even number of 0’s.
Error correction
  – Add more extra bits to each group
  – If one bit is wrong, there is only one change that makes the group valid
  – Example: Hamming Code
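
Both codes from the slide above, as an added example (not part of the original slides): the 9-bit parity group detects a single flipped bit but misses a double flip, while a Hamming(7,4) code locates and repairs a single flipped bit. The choice of Hamming(7,4), the bit layout and the function names are assumptions for illustration.

```python
def add_parity(bits8):
    """Append a 9th bit so the 9-bit group has an even number of 0s."""
    return bits8 + [1 if bits8.count(0) % 2 == 0 else 0]


def parity_ok(bits9):
    """A valid group has an even number of 0s; anything else was corrupted."""
    return bits9.count(0) % 2 == 0


def hamming_encode(data4):
    """Hamming(7,4): parity bits sit at positions 1, 2 and 4 (1-based)."""
    d1, d2, d3, d4 = data4
    p1 = d1 ^ d2 ^ d4      # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4      # covers positions 2, 3, 6, 7
    p3 = d2 ^ d3 ^ d4      # covers positions 4, 5, 6, 7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(code7):
    """Return (data bits, position corrected); position 0 means no error."""
    c = list(code7)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    position = s1 + 2 * s2 + 4 * s3   # the failed checks spell the bad position
    if position:
        c[position - 1] ^= 1          # the only change that makes the group valid
    return [c[2], c[4], c[5], c[6]], position


def flip(bits, *positions):
    """Return a copy with the given 1-based positions inverted."""
    out = list(bits)
    for p in positions:
        out[p - 1] ^= 1
    return out


if __name__ == "__main__":
    group = add_parity([1, 0, 1, 1, 0, 0, 1, 0])      # constructed sample byte
    print(parity_ok(group), parity_ok(flip(group, 3)), parity_ok(flip(group, 3, 6)))
    code = hamming_encode([1, 0, 1, 1])
    print(code, hamming_decode(flip(code, 5)))
```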

Web Security
Internet traffic is “in the clear” – applications must encrypt/decrypt if desired
Servers must be protected from external attacks across the networks
Systems must be protected from executable web programs

Mechanisms for Web Security
Proxy servers
  – Filter requests and improve performance
Firewalls
  – May include packet filters, application gateways, and proxy servers
Certificates
  – Include digital signatures, message digests
Secure Socket Layer (and SHTTP)

Security on the Web
Many web sites are backed by databases
  – Must keep database safe!
The Internet is notoriously insecure
We want customers to buy stuff!
  – Keep credit card information confidential
  – Convince the customer the site is authentic.
  – Make sure customer “matches” credit card
  – Make sure credit card is “real”
  – Make sure purchase is charged exactly once!

SQL Injection Attack Source:

SQL Injection Attack
Website collects information and inserts it into a query, e.g.
  – SELECT * FROM students WHERE name = '$name';
Malicious user puts SQL code into the “name” field, e.g.
  – Robert'; DROP TABLE students; --
Result is legal SQL, but not quite what we wanted:
  – SELECT * FROM students WHERE name = 'Robert';
  – DROP TABLE students; -- ';

Protecting against User Input Attacks
Validate inputs
  – If it’s supposed to be a number, make sure it’s a number
Verify input length (avoid “buffer overflow”)
Sanitize inputs before constructing a query
  – Remove dangerous characters
  – Or escape them: ' becomes \' and ; becomes \;
  – MySQL addslashes / stripslashes
    $query = "select * from table where name = '" . addslashes($name) . "'";
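
The query construction from the two slides above, as an added example (not part of the original slides): the same lookup built by string concatenation and as a parameterized query, run against an in-memory SQLite database with the input shown on the slide. The table contents and function names are constructed, and `executescript` stands in for a driver that accepts several statements in one string.

```python
import sqlite3


def fresh_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)",
                     [("Robert",), ("Alice",), ("O'Brien",)])
    return conn


def table_exists(conn):
    row = conn.execute("SELECT count(*) FROM sqlite_master "
                       "WHERE type = 'table' AND name = 'students'").fetchone()
    return row[0] == 1


def lookup_vulnerable(conn, name):
    """The slide's pattern: user input pasted straight into the SQL text."""
    sql = "SELECT * FROM students WHERE name = '" + name + "';"
    conn.executescript(sql)   # runs every statement found in the string
    return sql


def lookup_safe(conn, name):
    """Parameterized query: the driver passes name as data, never as SQL."""
    return conn.execute("SELECT * FROM students WHERE name = ?",
                        (name,)).fetchall()


PAYLOAD = "Robert'; DROP TABLE students; --"   # the input shown on the slide

if __name__ == "__main__":
    db = fresh_db()
    print(lookup_safe(db, PAYLOAD), table_exists(db))        # no match, table intact
    print(lookup_safe(db, "O'Brien"))                        # quote needs no escaping
    print(lookup_vulnerable(db, PAYLOAD), table_exists(db))  # table is gone
```

Escaping functions such as addslashes depend on the database's quoting rules and character set, while bound parameters do not, so validation and escaping work best as a second layer behind parameterized queries.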

Requirements for a Safe Transaction
Information is inaccessible to all but sender and receiver (privacy)
Information does not change between sending and receiving (integrity)
Recipient knows information came from sender (authenticity)
Sender knows recipient is genuine (non-fabrication)
Sender cannot deny the purchase was made (non-repudiation)

Web Security
Proxy server
  – Intercept all requests, serve local file if possible
  – Recent requests are saved in cache
  – Improves both security and performance
Firewall
  – Examines all messages; blocks any that don’t meet security criteria
Message Digest Algorithm & Digital Signature
  – Ensures the message is received as sent & who sent it
Digital Certificates
  – “Authentication” of site from external authority (3rd party trust model)
  – Based on public key mechanism

Secure Sockets Layer, Secure HTTP
SSL: protocol developed by Netscape
  – Creates a secure session using private key
  – Browser & server not involved; SSL is at a lower level
  – Packets are encrypted before they’re sent; decrypted when received
  – Complete “session” (conversation) is secure
SHTTP: now owned by Verifone
  – Transmits individual messages securely
  – Browser & server involved in encryption / decryption
SSL and SHTTP are complementary; many sessions use both.

Secure Electronic Transactions (SET)
Open standard for processing credit card transactions on the Internet
  – Created by Netscape, Microsoft, Visa, Mastercard, GTE, SAIC, Terisa Systems, and Verisign
Splits transaction information
  – Merchant sees what is purchased, how much, & payment approval
  – Card issuer sees purchase price but not items purchased
Heavy use of certificates & encryption