Database Management Systems: Security and Authorization, Slides of Database Management Systems (DBMS)

A chapter extract from the book 'Database Management Systems' by Ramakrishnan and Gehrke. It discusses various aspects of database security, including the importance of secrecy, integrity, and availability, as well as access controls, discretionary access, mandatory access, and encryption. It also covers role-based authorization and internet-oriented security.


Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1

Security and Authorization

Chapter 21

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 2

Introduction to DB Security

- Secrecy: Users should not be able to see things they are not supposed to.
  - E.g., A student can’t see other students’ grades.
- Integrity: Users should not be able to modify things they are not supposed to.
  - E.g., Only instructors can assign grades.
- Availability: Users should be able to see and modify things they are allowed to.

Access Controls

- A security policy specifies who is authorized to do what.
- A security mechanism allows us to enforce a chosen security policy.
- Two main mechanisms at the DBMS level:
  - Discretionary access control
  - Mandatory access control

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 4

Discretionary Access Control

- Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges).
- Creator of a table or a view automatically gets all privileges on it.
  - DBMS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed.

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 5

GRANT Command

GRANT privileges ON object TO users [WITH GRANT OPTION]

- The following privileges can be specified:
  - SELECT: Can read all columns (including those added later via ALTER TABLE command).
  - INSERT (col-name): Can insert tuples with non-null or non-default values in this column.
  - INSERT means same right with respect to all columns.
  - DELETE: Can delete tuples.
  - REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.
- If a user has a privilege with the GRANT OPTION, can pass privilege on to other users (with or without passing on the GRANT OPTION).
- Only owner can execute CREATE, ALTER, and DROP.

GRANT and REVOKE of Privileges

- GRANT INSERT, SELECT ON Sailors TO Horatio
  - Horatio can query Sailors or insert tuples into it.
- GRANT DELETE ON Sailors TO Yuppy WITH GRANT OPTION
  - Yuppy can delete tuples, and also authorize others to do so.
- GRANT UPDATE (rating) ON Sailors TO Dustin
  - Dustin can update (only) the rating field of Sailors tuples.
- GRANT SELECT ON ActiveSailors TO Guppy, Yuppy
  - This does NOT allow the ‘uppies to query Sailors directly!
- REVOKE: When a privilege is revoked from X, it is also revoked from all users who got it solely from X.
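The GRANT OPTION and cascading REVOKE rules on this slide can be modelled as an authorization graph. The Python below is an added example, not code from the textbook or its authors; the PrivilegeStore class, the users Joe, Art, Bob, Cal and Dustin, and the cascading_revoke_demo function are constructed for illustration. It records, per object and privilege, every grantor-to-grantee edge and treats a grant as valid only while its grantor can be traced back to the owner through a chain of GRANT OPTION edges. That is what "solely from X" means operationally: a user who also obtained the privilege from another still-valid source keeps it, while users whose only path ran through X lose it.

```python
from collections import defaultdict


class PrivilegeStore:
    """Simplified DBMS-level discretionary access control (constructed for this example).

    For each (object, privilege) we keep every grant edge grantor -> grantee together with
    whether it carried the GRANT OPTION. A grant is valid only while its grantor is the owner
    or is reachable from the owner through GRANT OPTION edges; REVOKE deletes one edge and then
    prunes every grant that is no longer backed by such a chain (the cascade on the slide).
    """

    def __init__(self):
        self.owners = {}                                   # object -> owner
        # (object, privilege) -> grantee -> {grantor: with_grant_option}
        self.edges = defaultdict(lambda: defaultdict(dict))

    def create(self, owner, obj):
        """Creator of a table or view automatically gets all privileges on it."""
        self.owners[obj] = owner

    def _granters(self, obj, priv):
        """Owner plus everyone reached from the owner by a chain of GRANT OPTION edges."""
        granters = {self.owners[obj]}
        edges = self.edges[(obj, priv)]
        changed = True
        while changed:
            changed = False
            for grantee, sources in edges.items():
                if grantee not in granters and any(
                    wgo and grantor in granters for grantor, wgo in sources.items()
                ):
                    granters.add(grantee)
                    changed = True
        return granters

    def has(self, user, obj, priv):
        """True if the user holds the privilege right now (owner, or a valid grant edge)."""
        if obj not in self.owners:
            return False
        if self.owners[obj] == user:
            return True
        granters = self._granters(obj, priv)
        return any(g in granters for g in self.edges[(obj, priv)].get(user, {}))

    def can_grant(self, user, obj, priv):
        return obj in self.owners and user in self._granters(obj, priv)

    def grant(self, grantor, obj, priv, grantee, with_grant_option=False):
        if not self.can_grant(grantor, obj, priv):
            raise PermissionError(f"{grantor} may not grant {priv} on {obj}")
        self.edges[(obj, priv)][grantee][grantor] = with_grant_option

    def revoke(self, grantor, obj, priv, grantee):
        """Drop one edge, then cascade: grants backed solely by it disappear as well."""
        edges = self.edges[(obj, priv)]
        edges.get(grantee, {}).pop(grantor, None)
        granters = self._granters(obj, priv)
        for user in list(edges):
            for g in list(edges[user]):
                if g not in granters:
                    del edges[user][g]
            if not edges[user]:
                del edges[user]


def cascading_revoke_demo():
    """Joe owns Sailors; grant chain Joe -> Art -> Bob -> Cal, and Joe also grants Cal directly."""
    store = PrivilegeStore()
    store.create("Joe", "Sailors")
    store.grant("Joe", "Sailors", "SELECT", "Art", with_grant_option=True)
    store.grant("Art", "Sailors", "SELECT", "Bob", with_grant_option=True)
    store.grant("Bob", "Sailors", "SELECT", "Cal")
    store.grant("Joe", "Sailors", "SELECT", "Cal")
    store.grant("Joe", "Sailors", "UPDATE(rating)", "Dustin")   # column-level privilege, as on the slide
    store.revoke("Joe", "Sailors", "SELECT", "Art")             # REVOKE SELECT ON Sailors FROM Art
    return store


if __name__ == "__main__":
    s = cascading_revoke_demo()
    for user in ("Art", "Bob", "Cal", "Dustin"):
        print(user, "SELECT:", s.has(user, "Sailors", "SELECT"))
```

After the revoke, Art and Bob lose SELECT (Bob's grant came solely from Art), while Cal keeps it through Joe's direct grant; Cal, holding the privilege without GRANT OPTION, still cannot pass it on. Reachability from the owner, rather than simply "was the grantor's own grant deleted", is what keeps mutual grant cycles between two users from surviving a revoke.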

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 10

Security to the Level of a Field!

- Can create a view that only returns one field of one tuple. (How?)
- Then grant access to that view accordingly.
- Allows for arbitrary granularity of control, but:
  - Clumsy to specify, though this can be hidden under a good UI
  - Performance is unacceptable if we need to define field-granularity access frequently. (Too many view creations and look-ups.)
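The "How?" on this slide is answered by restricting both the row (a WHERE clause on the key) and the column (the select list) in a view definition. The snippet below is an added example, not from the textbook or its authors; it uses Python's sqlite3 module with a constructed Sailors table and the view name Dustin_Rating. SQLite has no GRANT statement, so only the view half of the recipe runs here; in a full DBMS the follow-up would be GRANT SELECT ON Dustin_Rating TO some user, as the slide describes.

```python
import sqlite3


def field_level_view_demo():
    """Create Sailors, then a view exposing exactly one field of one tuple (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Sailors (sid INTEGER PRIMARY KEY, sname TEXT, rating INTEGER, age REAL);
        INSERT INTO Sailors VALUES (22, 'Dustin', 7, 45.0), (31, 'Lubber', 8, 55.5), (58, 'Rusty', 10, 35.0);
        -- Row restriction (WHERE on the key) plus column restriction (select list):
        CREATE VIEW Dustin_Rating AS SELECT rating FROM Sailors WHERE sid = 22;
    """)
    # A DBMS with GRANT would now do: GRANT SELECT ON Dustin_Rating TO Guppy
    cur = conn.execute("SELECT * FROM Dustin_Rating")
    columns = [d[0] for d in cur.description]   # which fields the view exposes
    rows = cur.fetchall()                         # which tuples the view exposes
    conn.close()
    return columns, rows


if __name__ == "__main__":
    print(field_level_view_demo())   # (['rating'], [(7,)])
```

A user granted SELECT on the view sees one column of one row and nothing else, which is the point of the slide; the cost the slide warns about is that protecting every field of every tuple this way needs one view (and one grant) per field.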

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 11

Internet-Oriented Security

- Key Issues: User authentication and trust.
  - When DB must be accessed from a secure location, password-based schemes are usually adequate.
- For access over an external network, trust is hard to achieve.
  - If someone with Sam’s credit card wants to buy from you, how can you be sure it is not someone who stole his card?
  - How can Sam be sure that the screen for entering his credit card information is indeed yours, and not some rogue site spoofing you (to steal such information)? How can he be sure that sensitive information is not “sniffed” while it is being sent over the network to you?
- Encryption is a technique used to address these issues.

Encryption

- “Masks” data for secure transmission or storage
  - Encrypt(data, encryption key) = encrypted data
  - Decrypt(encrypted data, decryption key) = original data
  - Without decryption key, the encrypted data is meaningless gibberish
- Symmetric Encryption:
  - Encryption key = decryption key; all authorized users know decryption key (a weakness).
  - DES, used since 1977, has 56-bit key; AES has 128-bit (optionally, 192-bit or 256-bit) key
- Public-Key Encryption: Each user has two keys:
  - User’s public encryption key: Known to all
  - Decryption key: Known only to this user
  - Used in RSA scheme (Turing Award!)

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 13

RSA Public-Key Encryption

- Let the data be an integer I
- Choose a large (>> I) integer L = p * q
  - p, q are large, say 1024-bit, distinct prime numbers
- Encryption: Choose a random number 1 < e < L that is relatively prime to (p-1) * (q-1)
  - Encrypted data S = I^e mod L
- Decryption key d: Chosen so that
  - d * e = 1 mod ((p-1) * (q-1))
  - We can then show that I = S^d mod L
- It turns out that the roles of e and d can be reversed; so they are simply called the public and private keys

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 14

Certifying Servers: SSL, SET

- If Amazon distributes their public key, Sam’s browser will encrypt his order using it.
  - So, only Amazon can decipher the order, since no one else has Amazon’s private key.
- But how can Sam (or his browser) know that the public key for Amazon is genuine? The SSL protocol covers this.
  - Amazon contracts with, say, Verisign, to issue a certificate <Verisign, Amazon, amazon.com, public-key>
  - This certificate is stored in encrypted form, encrypted with Verisign’s private key, known only to Verisign.
  - Verisign’s public key is known to all browsers, which can therefore decrypt the certificate and obtain Amazon’s public key, and be confident that it is genuine.
  - The browser then generates a temporary session key, encodes it using Amazon’s public key, and sends it to Amazon.
  - All subsequent msgs between the browser and Amazon are encoded using symmetric encryption (e.g., DES), which is more efficient than public-key encryption.
- What if Sam doesn’t trust Amazon with his credit card information?
  - Secure Electronic Transaction protocol: 3-way communication between Amazon, Sam, and a trusted server, e.g., Visa.

Authenticating Users

- Amazon can simply use password authentication, i.e., ask Sam to log into his Amazon account.
  - Done after SSL is used to establish a session key, so that the transmission of the password is secure!
  - Amazon is still at risk if Sam’s card is stolen and his password is hacked. Business risk …
- Digital Signatures:
  - Sam encrypts the order using his private key, then encrypts the result using Amazon’s public key.
  - Amazon decrypts the msg with their private key, and then decrypts the result using Sam’s public key, which yields the original order!
  - Exploits interchangeability of public/private keys for encryption/decryption
  - Now, no one can forge Sam’s order, and Sam cannot claim that someone else forged the order.
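The three slides on RSA, certifying servers and digital signatures describe one mechanism used three ways: S = I^e mod L with the public key, the reverse with the private key, a certificate "encrypted" with the CA's private key, and Sam's order wrapped first with his private key and then with Amazon's public key. The Python below is an added example that is not code from the textbook or its authors; it implements textbook RSA with the slide's symbols (I, L, p, q, e, d, S) on deliberately tiny primes, so it needs Python 3.8+ for pow(e, -1, phi). The key pairs VERISIGN, AMAZON and SAM, the digest reduction, the certificate tuple layout, the session key 4242 and the order 1234 are all constructed for the demonstration; the "sign" operation hashes the certificate and applies the private key to the hash, which is how certificate signing is actually done, rather than encrypting the whole certificate as the slide's shorthand suggests.

```python
import hashlib
from typing import NamedTuple


class RSAKey(NamedTuple):
    public: tuple   # (e, L)
    private: tuple  # (d, L)


def rsa_keygen(p, q, e):
    """Textbook RSA in the slide's symbols: L = p*q, e coprime to (p-1)(q-1), d*e = 1 mod (p-1)(q-1)."""
    L = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # ValueError if e is not relatively prime to phi
    return RSAKey((e, L), (d, L))


def rsa_apply(I, key):
    """S = I^k mod L. The same operation encrypts (public key) and decrypts or signs (private key)."""
    k, L = key
    if not 0 <= I < L:
        raise ValueError("data must be an integer smaller than L")
    return pow(I, k, L)


def digest(obj, L):
    """Hash an object's textual form and reduce it below L so it can be signed (demo construction)."""
    h = hashlib.sha256(repr(obj).encode()).digest()
    return int.from_bytes(h, "big") % L


# Toy key pairs from small primes (constructed); real keys use ~1024-bit primes as the slide says.
VERISIGN = rsa_keygen(61, 53, 17)      # L = 3233, d = 2753
AMAZON = rsa_keygen(101, 113, 3533)    # L = 11413, d = 6597
SAM = rsa_keygen(47, 71, 79)           # L = 3337, d = 1019


def issue_certificate(ca, subject, domain, subject_public):
    """<Verisign, subject, domain, public-key>, signed with the CA's private key."""
    cert = ("Verisign", subject, domain, subject_public)
    signature = rsa_apply(digest(cert, ca.private[1]), ca.private)
    return cert, signature


def browser_verify(cert, signature, ca_public):
    """Browsers ship the CA's public key, so they can check that the CA really signed the certificate."""
    return rsa_apply(signature, ca_public) == digest(cert, ca_public[1])


def browser_open_session(cert, signature, ca_public, session_key):
    """Verify the certificate, then send a temporary symmetric session key under the server's public key."""
    if not browser_verify(cert, signature, ca_public):
        raise ValueError("certificate was not issued by the trusted CA")
    server_public = cert[3]
    return rsa_apply(session_key, server_public)


def signed_order(order, sender, recipient_public):
    """Digital signature as on the slide: sender's private key first, then the recipient's public key."""
    t = rsa_apply(order, sender.private)
    return rsa_apply(t, recipient_public)


def open_signed_order(blob, recipient, sender_public):
    """Recipient's private key first, then the sender's public key; yields the original order."""
    t = rsa_apply(blob, recipient.private)
    return rsa_apply(t, sender_public)


if __name__ == "__main__":
    cert, sig = issue_certificate(VERISIGN, "Amazon", "amazon.com", AMAZON.public)
    enc_key = browser_open_session(cert, sig, VERISIGN.public, 4242)
    print("session key recovered by Amazon:", rsa_apply(enc_key, AMAZON.private))
    blob = signed_order(1234, SAM, AMAZON.public)
    print("order recovered and attributed to Sam:", open_signed_order(blob, AMAZON, SAM.public))
```

Two details matter when reading this against the slides. The nested signature-then-encryption only round-trips because Sam's modulus (3337) is smaller than Amazon's (11413), so the intermediate value fits under Amazon's L; with a larger sender modulus the inner result can exceed the outer L, which is one reason real protocols sign a hash and encrypt with a separate symmetric key rather than nesting raw RSA. And the browser's trust rests entirely on having Verisign's public key in advance: the certificate check is what stops a rogue site from substituting its own key for Amazon's.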

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 19

Intuition

- Idea is to ensure that information can never flow from a higher to a lower security level.
- E.g., If Dick has security class C, Justin has class S, and the secret table has class S:
  - Dick’s table, Horsie, has Dick’s clearance, C.
  - Justin’s application has his clearance, S.
  - So, the program cannot write into table Horsie.
- The mandatory access control rules are applied in addition to any discretionary controls that are in effect.

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 20

Multilevel Relations

bid  bname  color  class
101  Salsa  Red    S
102  Pinto  Brown  C

- Users with S and TS clearance will see both rows; a user with C will only see the 2nd row; a user with U will see no rows.
- If user with C tries to insert <101,Pasta,Blue,C>:
  - Allowing insertion violates key constraint
  - Disallowing insertion tells user that there is another object with key 101 that has a class > C!
  - Problem resolved by treating class field as part of key.
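The Intuition slide (no information flow from a higher to a lower class, so Justin's S program may not write into the C table Horsie) and the Multilevel Relations slide (what each clearance sees, and why the class must be part of the key) are both instances of the same two rules. The Python below is an added example, not from the textbook or its authors: the LEVELS ordering U < C < S < TS, the MultilevelRelation class and the multilevel_demo function are constructed here. can_read is the "no read up" rule and can_write is the "no write down" rule; the insert of <101,Pasta,Blue,C> is accepted without revealing that an S-class row with bid 101 exists, because the key is (bid, class).

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # ordering of the security classes used in the slides


def can_read(subject_class, object_class):
    """No read up: a subject reads only objects at or below its clearance."""
    return LEVELS[subject_class] >= LEVELS[object_class]


def can_write(subject_class, object_class):
    """No write down: a subject writes only objects at or above its clearance."""
    return LEVELS[subject_class] <= LEVELS[object_class]


class MultilevelRelation:
    """The boats relation of the slide, with (bid, class) as the key (constructed for this example)."""

    def __init__(self):
        self.rows = {}   # (bid, class) -> (bid, bname, color, class)

    def select(self, user_class):
        """Rows visible to a user: only those whose class the user is cleared to read."""
        return sorted(r for r in self.rows.values() if can_read(user_class, r[3]))

    def insert(self, user_class, row):
        bid, _, _, row_class = row
        if not can_write(user_class, row_class):
            raise PermissionError(f"{user_class} subject may not write a {row_class} row")
        key = (bid, row_class)
        if key in self.rows:
            raise ValueError("duplicate key (bid, class)")
        # A row with the same bid at a higher class stays invisible and is not reported,
        # so the insert neither violates the key nor leaks the higher row's existence.
        self.rows[key] = row


def multilevel_demo():
    """Views before and after the C user inserts <101,Pasta,Blue,C>."""
    boats = MultilevelRelation()
    boats.insert("S", (101, "Salsa", "Red", "S"))
    boats.insert("C", (102, "Pinto", "Brown", "C"))
    before = {c: boats.select(c) for c in ("U", "C", "S", "TS")}
    boats.insert("C", (101, "Pasta", "Blue", "C"))   # the slide's problematic insert
    after = {c: boats.select(c) for c in ("U", "C", "S", "TS")}
    return before, after


if __name__ == "__main__":
    before, after = multilevel_demo()
    for c in ("U", "C", "S", "TS"):
        print(c, "before:", before[c], "after:", after[c])
```

The price of the fix is visible in the S user's view afterwards: two rows share bid 101 at different classes (polyinstantiation), and the application has to decide which one it means.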

Statistical DB Security

- Statistical DB: Contains information about individuals, but allows only aggregate queries (e.g., average age, rather than Joe’s age).
- New problem: It may be possible to infer some secret information!
  - E.g., If I know Joe is the oldest sailor, I can ask “How many sailors are older than X?” for different values of X until I get the answer 1; this allows me to infer Joe’s age.
- Idea: Insist that each query must involve at least N rows, for some N. Will this work? (No!)

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 22

Why Minimum N is Not Enough

- By asking “How many sailors older than X?” until the system rejects the query, can identify a set of N sailors, including Joe, that are older than X; let X=55 at this point.
- Next, ask “What is the sum of ages of sailors older than X?” Let result be S1.
- Next, ask “What is sum of ages of sailors other than Joe who are older than X, plus my age?” Let result be S2.
- S1-S2 is Joe’s age!
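To see why the minimum-N rule is not a sufficient control, it helps to run the three queries from this slide against a database that actually enforces it. The Python below is an added example, not from the textbook or its authors; the StatisticalDB class, the constructed SAILORS ages (Joe is the oldest, and "Me" is the querier's own row) and the infer_oldest_age function are all assumptions of this demonstration. Every query here passes the N-row check, yet the differences between the sums reveal one individual's value. The querier's own row is included in the third query only to keep it at N rows; because the querier knows their own age, it is added back, giving Joe's age as S1 - S2 + my age. The lesson for a defender is that query-size limits must be backed by limits on overlapping query sets or by adding noise to results, which is what later work on statistical disclosure control and differential privacy addresses.

```python
class StatisticalDB:
    """Aggregate-only interface over individual records, enforcing a minimum of N rows per query."""

    def __init__(self, ages, min_rows):
        self.ages = ages            # name -> age: the individual data the DB must protect
        self.min_rows = min_rows

    def _rows(self, predicate):
        chosen = {n: a for n, a in self.ages.items() if predicate(n, a)}
        if len(chosen) < self.min_rows:
            raise PermissionError(f"query involves fewer than {self.min_rows} rows")
        return chosen

    def count(self, predicate):
        return len(self._rows(predicate))

    def sum_age(self, predicate):
        return sum(self._rows(predicate).values())


def infer_oldest_age(db, target, me, my_age):
    """The slide's three steps against a DB that enforces minimum N; target is known to be the oldest."""
    # Step 1: raise X until "How many sailors older than X?" is rejected. The last accepted X
    # isolates a set of N sailors, and the oldest sailor is always in it.
    x = 0
    while True:
        try:
            db.count(lambda n, a: a > x)
        except PermissionError:
            break
        x += 1
    x -= 1
    # Step 2: S1 = sum of ages of sailors older than X.
    s1 = db.sum_age(lambda n, a: a > x)
    # Step 3: S2 = sum of ages of sailors other than the target older than X, plus my own row.
    # My row keeps the query at N rows; I know my own age, so I add it back afterwards.
    s2 = db.sum_age(lambda n, a: (a > x and n != target) or n == me)
    return s1 - s2 + my_age


# Constructed sample data: Joe is the oldest sailor; "Me" is the querier's own record.
SAILORS = {"Joe": 63, "Ann": 62, "Bob": 61, "Cy": 60, "Dee": 58,
           "Eve": 56, "Fay": 40, "Gus": 35, "Me": 30}


if __name__ == "__main__":
    db = StatisticalDB(SAILORS, min_rows=3)
    try:
        db.sum_age(lambda n, a: n == "Joe")          # the direct question is refused
    except PermissionError as err:
        print("direct query:", err)
    print("inferred age of Joe:", infer_oldest_age(db, "Joe", "Me", 30))
```

With N = 3 the count query is last accepted at X = 60 (Joe, Ann and Bob), S1 = 186, S2 = 62 + 61 + 30 = 153, and S1 - S2 + 30 recovers 63. Raising N only changes which X the first step stops at; the two sums still differ by exactly one individual.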

Summary

- Three main security objectives: secrecy, integrity, availability.
- DB admin is responsible for overall security.
  - Designs security policy, maintains an audit trail, or history of users’ accesses to DB.
- Two main approaches to DBMS security: discretionary and mandatory access control.
  - Discretionary control based on notion of privileges.
  - Mandatory control based on notion of security classes.
- Statistical DBs try to protect individual data by supporting only aggregate queries, but often, individual information can be inferred.