Data security
2
Overview
• generalities
• discretionary access control
• mandatory access control
• data encryption
The problem of security
aspects / origins of security rules:
• social - legal, ethical, political, strategic, ...
• operational problems - are the computers “safe”? does the operating system have a security system (passwords, storage protection keys, ...)? ... does the DBMS have a concept of data ownership?
DBMS approaches to data security
• discretionary - users access data according to their privileges / authorities, which are stated explicitly for each individual user and data object
• mandatory - each data object is given a classification level and each user has a certain clearance level; a given data object can be accessed only by the users with a certain clearance level
The DBMS’s security mechanism
security rules are:
• made known to the system - through an appropriate definitional language
• remembered by the system - the security / authorisation rules are stored in the catalogue
• checked by the system - by the security / authorisation subsystem
Discretionary access control
example in a pseudo-code:
CREATE SECURITY RULE Rule1
GRANT RETRIEVE ( S_id, S_name, City ), DELETE
ON Suppliers WHERE City = 'London'
TO Jim, Fred, Mary
ON ATTEMPTED VIOLATION Reject ;
Discretionary access control
components of a security rule:
• name (Rule1) (why?)
• privileges (RETRIEVE on certain attributes, ...)
• scope (ON ... WHERE ...)
• users (user IDs)
• violation response (procedure)
General format of a rule (pseudo-code)
CREATE SECURITY RULE <name>
GRANT <list of privileges>
ON <expression>
TO <list of userIDs>
[ ON ATTEMPTED VIOLATION <action> ] ;
Clarifications
possible privileges are:
• RETRIEVE [ ( <attribute-list> ) ]
• INSERT
• UPDATE [ ( <attribute-list> ) ]
• DELETE
• ALL
• data definition operations
• ...
Clarifications
<expression> is an expression of relational algebra whose target is (one range variable which should refer to) only one relation; i.e. the scope of the rule is a subset of the tuples of a single relation
• this restriction is somewhat ad hoc, but it keeps the mechanism simple
<action> - default: reject; in theory it could be of any complexity
• examples - when would a more complex action be needed?
SQL’s GRANT and REVOKE
GRANT <list of privileges>
ON <data object>
TO <list of userIDs> | PUBLIC
[ WITH GRANT OPTION ]
REVOKE [ GRANT OPTION FOR ] <list of privileges>
ON <data object>
FROM <list of userIDs> <option>
Clarifications
privileges: USAGE (for domains), SELECT, INSERT (column specific), UPDATE (column specific), DELETE, REFERENCES (for integrity constraint definitions)
<data object>: DOMAIN <domain> | [ TABLE ] <table> (a base table or a view)
<option>: RESTRICT | CASCADE
Example #1
CREATE VIEW View1 AS
SELECT S_id, S_name, Status, City
FROM Suppliers WHERE City = 'Paris' ;
GRANT SELECT, INSERT,
UPDATE ( S_name, Status ), DELETE
ON View1
TO Mark, Spencer ;
Example #2
CREATE VIEW View2 AS
SELECT S_id, S_name, Status, City FROM S WHERE EXISTS
( SELECT * FROM SP
WHERE EXISTS
( SELECT * FROM P
WHERE S.S_id = SP.S_id AND
P.P_id = SP.P_id AND P.City = 'Rome' ) ) ;
GRANT SELECT ON View2 TO John ;
Example #3
CREATE VIEW View3 AS
SELECT P_id, ( SELECT SUM ( Contracts.Qty )
FROM Contracts
WHERE Contracts.P_id = Parts.P_id )
AS Quantity
FROM Parts ;
GRANT SELECT ON View3 TO Bill ;
Other issues
• context-independent rules - the previous examples
• context-dependent rules - date(), day(), time(), user(), terminal() specified within the rule
Example #4
GRANT INSERT
ON Transactions
WHERE Day() NOT IN ( 'Saturday', 'Sunday' ) AND
Time() > '09:00' AND Time() < '17:00'
TO Till ; -- Till is a group of users
Other issues
• logical “OR” between security rules
• anything not explicitly allowed is implicitly prohibited
• audit trail - for critical data: request (text), terminal, user, date and time, data objects affected, old values, new values
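The discretionary mechanism of the preceding slides (a security rule with name, privileges, scope, users and violation response; context-dependent predicates such as Day() and Time(); logical OR between rules; default prohibition; and the audit trail) as one added example. This is Python written for this page, not code from the slides: the class names, the Context object that stands in for the built-in functions user(), terminal(), day() and time(), the treatment of the group Till as a single user id, and the sample tuples are all constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Row = Dict[str, object]          # one tuple of a relation: attribute -> value

@dataclass
class Context:
    """Constructed request context; stands in for the slides' user(), terminal(), day(), time()."""
    user: str
    terminal: str
    day: str
    time: str                    # "HH:MM", zero-padded so string comparison orders correctly

@dataclass
class SecurityRule:
    """One CREATE SECURITY RULE statement: name, privileges, scope, users, violation response."""
    name: str
    relation: str                                   # ON <relation> ...
    privileges: Dict[str, Optional[List[str]]]      # op -> attribute list; None = all attributes
    users: List[str]                                # TO <list of userIDs>
    scope: Callable[[Row], bool] = lambda row: True         # ... WHERE <predicate on the tuple>
    context: Callable[[Context], bool] = lambda ctx: True   # context-dependent part, if any
    on_violation: str = "Reject"

    def permits(self, ctx: Context, op: str, relation: str, attrs, row: Row) -> bool:
        if relation != self.relation or ctx.user not in self.users or op not in self.privileges:
            return False
        allowed = self.privileges[op]
        if allowed is not None and not set(attrs) <= set(allowed):
            return False
        return self.scope(row) and self.context(ctx)

class AuthorisationSubsystem:
    """Rules kept in the 'catalogue'; every request is checked here and written to the audit trail."""
    def __init__(self, rules: List[SecurityRule]):
        self.rules = list(rules)
        self.audit_trail: List[dict] = []

    def check(self, ctx: Context, op: str, relation: str, row: Row,
              attrs=(), old=None, new=None) -> bool:
        # logical OR between rules: a single permitting rule is enough
        granted = any(r.permits(ctx, op, relation, attrs, row) for r in self.rules)
        # anything not explicitly allowed is implicitly prohibited (default response: Reject)
        self.audit_trail.append({
            "request": f"{op} {','.join(attrs) or '*'} ON {relation}",
            "terminal": ctx.terminal, "user": ctx.user,
            "date_time": f"{ctx.day} {ctx.time}",
            "object": row, "old": old, "new": new,
            "result": "granted" if granted else "rejected",
        })
        return granted

# Rule1 from the slides: RETRIEVE (S_id, S_name, City), DELETE ON Suppliers WHERE City = 'London'
rule1 = SecurityRule(
    name="Rule1", relation="Suppliers",
    privileges={"RETRIEVE": ["S_id", "S_name", "City"], "DELETE": None},
    users=["Jim", "Fred", "Mary"],
    scope=lambda row: row["City"] == "London",
)
# Example #4 from the slides: INSERT ON Transactions on weekdays between 9:00 and 17:00, for Till
rule4 = SecurityRule(
    name="Rule4", relation="Transactions", privileges={"INSERT": None}, users=["Till"],
    context=lambda ctx: ctx.day not in ("Saturday", "Sunday") and "09:00" < ctx.time < "17:00",
)
subsystem = AuthorisationSubsystem([rule1, rule4])

# constructed tuples of Suppliers
london = {"S_id": "S1", "S_name": "Smith", "Status": 20, "City": "London"}
paris = {"S_id": "S2", "S_name": "Jones", "Status": 10, "City": "Paris"}

def demo():
    """Runs a few constructed requests and returns their outcomes."""
    jim_weekday = Context("Jim", "T1", "Monday", "10:30")
    till_weekday = Context("Till", "T7", "Monday", "10:30")
    till_sunday = Context("Till", "T7", "Sunday", "10:30")
    return {
        "jim_reads_london_allowed_attrs": subsystem.check(jim_weekday, "RETRIEVE", "Suppliers", london, ("S_id", "City")),
        "jim_reads_london_status": subsystem.check(jim_weekday, "RETRIEVE", "Suppliers", london, ("Status",)),
        "jim_deletes_paris": subsystem.check(jim_weekday, "DELETE", "Suppliers", paris),
        "till_inserts_monday": subsystem.check(till_weekday, "INSERT", "Transactions", {}, new={"amount": 5}),
        "till_inserts_sunday": subsystem.check(till_sunday, "INSERT", "Transactions", {}, new={"amount": 5}),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'rejected'}")
    print(subsystem.audit_trail[-1])
```

Status is outside Rule1's attribute list and Paris is outside its WHERE scope, so both of those requests are rejected even though Jim is a named user; the Sunday insert is rejected by the context predicate alone. Every decision, granted or not, lands in the audit trail with the fields the slide lists.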
Mandatory access control
• each data object has a classification level
• each user has a clearance level
rules:
• user U can see object O if the clearance level of U is greater than or equal to the classification level of O
• user U can modify object O only if the clearance level of U is equal to the classification level of O
• used for DBs with a static and rigid classification structure
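The two mandatory rules above, applied over a constructed set of users and data objects, as an added example. This is Python written for this page, not code from the slides; the four-level ordering, the user and object names and the 'rw' / 'r' / '-' notation of the access matrix are all constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Constructed, totally ordered set of levels used both as classification and as clearance."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class User:
    name: str
    clearance: Level

@dataclass(frozen=True)
class DataObject:
    name: str
    classification: Level

def can_see(u: User, o: DataObject) -> bool:
    """Rule 1: U can see O if clearance(U) >= classification(O)."""
    return u.clearance >= o.classification

def can_modify(u: User, o: DataObject) -> bool:
    """Rule 2: U can modify O only if clearance(U) == classification(O).
    Equality rather than >= means a SECRET user cannot write into an UNCLASSIFIED object,
    so data they are allowed to read cannot be copied downwards through a write."""
    return u.clearance == o.classification

def check(u: User, o: DataObject, op: str) -> bool:
    """Single entry point in the style of an authorisation subsystem: op is 'read' or 'write'."""
    if op == "read":
        return can_see(u, o)
    if op == "write":
        return can_modify(u, o)
    raise ValueError(f"unknown operation {op!r}")

def access_matrix(users, objects):
    """For every (user, object) pair: 'rw' (see and modify), 'r' (see only) or '-' (no access)."""
    matrix = {}
    for u in users:
        for o in objects:
            if can_modify(u, o):
                matrix[(u.name, o.name)] = "rw"     # equal levels: rule 2 (and hence rule 1) holds
            elif can_see(u, o):
                matrix[(u.name, o.name)] = "r"      # clearance above classification: rule 1 only
            else:
                matrix[(u.name, o.name)] = "-"
    return matrix

# constructed users and data objects
USERS = [User("clerk", Level.UNCLASSIFIED), User("analyst", Level.SECRET)]
OBJECTS = [DataObject("price_list", Level.UNCLASSIFIED),
           DataObject("merger_plan", Level.SECRET),
           DataObject("board_minutes", Level.TOP_SECRET)]

if __name__ == "__main__":
    for (user, obj), rights in access_matrix(USERS, OBJECTS).items():
        print(f"{user:8} {obj:14} {rights}")
```

The analyst sees the unclassified price list but cannot modify it, which is the visible consequence of the second rule requiring equality rather than "greater than or equal".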
Data encryption - generalities
• for the case when the (security) system was bypassed
plain-text (original data) -> encryption (encryption algorithm, encryption key) -> cipher-text (encrypted text)
An encryption algorithm
• divide the text into blocks of length equal to the encryption key
• replace each character by a corresponding integer (blank=00, a=01, ..., z=26)
• repeat for the encryption key
• for each block, sum modulo 27 the corresponding integers with those of the encryption key
• replace each integer with the corresponding character
Example
plaintext: we all like databases
key: ursu
[we_a] [ll_l] [ike_] [data] [base] [s___]
23050001 12120012 09110500 04012001 02011905 19000000
key: 21181921
17231922 06031906 ... -- exercise
qwsv fcsf ...
decoding algorithm?
Objective
• the cost of breaking the coding algorithm should be greater than the potential payoff of accessing (illegally) the encoded data
• usually, the encryption algorithm is made public but the encryption key is kept secret
• the breaking of the coding (finding the encryption key) is usually done on the basis of some available cipher-texts and their corresponding plain-texts
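The block-sum algorithm, the "we all like databases" / "ursu" example, the decoding step the example slide asks for, and the known-plaintext breaking this slide describes, as one added example. This is Python written for this page, not code from the slides; the function names and the padding of the last block with blanks (integer 00, as the example's [s___] block implies) are assumptions.

```python
ALPHABET = " abcdefghijklmnopqrstuvwxyz"   # blank=00, a=01, ..., z=26: 27 symbols
MOD = len(ALPHABET)                         # sums are taken modulo 27

def to_ints(text):
    """Each character -> its integer (blank=0, a=1, ..., z=26)."""
    return [ALPHABET.index(c) for c in text]

def to_text(nums):
    """Each integer -> its character."""
    return "".join(ALPHABET[n] for n in nums)

def blocks(text, size):
    """Split into blocks of key length, padding the last one with blanks (assumption)."""
    padded = text + " " * (-len(text) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]

def block_numbers(text, size):
    """The two-digit groups shown on the example slide, e.g. '23050001' for the block 'we a'."""
    return ["".join(f"{n:02d}" for n in to_ints(b)) for b in blocks(text, size)]

def encrypt(plaintext, key):
    """Add the key integers to each block modulo 27 and map back to characters."""
    k = to_ints(key)
    out = []
    for block in blocks(plaintext, len(key)):
        out.extend((p + kk) % MOD for p, kk in zip(to_ints(block), k))
    return to_text(out)

def decrypt(ciphertext, key):
    """The decoding algorithm: subtract the key integers modulo 27, then drop the padding."""
    k = to_ints(key)
    out = []
    for block in blocks(ciphertext, len(key)):
        out.extend((c - kk) % MOD for c, kk in zip(to_ints(block), k))
    return to_text(out).rstrip(" ")

def recover_key(known_plaintext, ciphertext, key_length):
    """Why this scheme fails the slide's objective: a single plain-text / cipher-text pair
    of key length gives the key directly, as (cipher - plain) modulo 27 per position."""
    p = to_ints(known_plaintext[:key_length])
    c = to_ints(ciphertext[:key_length])
    return to_text((cc - pp) % MOD for pp, cc in zip(p, c))

if __name__ == "__main__":
    plain, key = "we all like databases", "ursu"
    cipher = encrypt(plain, key)
    print(block_numbers(plain, len(key)))
    print(cipher)                                   # begins qwsvfcsf, as on the slide
    print(decrypt(cipher, key))
    print(recover_key(plain, cipher, len(key)))     # ursu
```

The first two blocks reproduce the slide's 17231922 / 06031906 (qwsv fcsf); the rest of the ciphertext completes the exercise. The cost of breaking is one subtraction per key position once any plain-text / cipher-text pair is known, so the objective stated on this slide is not met.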
Encryption algorithms
• data encryption standard - not truly secure
• public-key encryption - a modern approach
Data encryption standard
• 64 bit key (actually only 2^56 possible keys)
• permutation + 16 substitution steps + permutation
• each substitution step is based on a new key that is computed from the current value of the block and the initial value of the key
• the decryption algorithm is almost identical to the encryption one
Public-key encryption
• makes public: the encryption algorithm and the encryption key
• keeps secret: the decryption key
Principles for public key encryption
• the decryption key cannot feasibly be deduced from the encryption key
• there is a fast algorithm for determining whether a given number is prime (e.g. for a number of 130 digits - 7 minutes)
• there is no fast algorithm for finding the factors of a given non-prime number (e.g. for a product of two prime numbers of 63 digits - 4 * 10^16 years)
“Signed” public key encryption
• the first party publishes the encryption algorithm E1 and its encryption key; the corresponding decryption algorithm (key) D1 is kept secret
• the second party publishes the encryption algorithm E2 and its encryption key; the corresponding decryption algorithm (key) D2 is kept secret
• the first party sends E2(D1(Original)); the second party computes E1(D2(Received)) = E1(D2(E2(D1(Original)))) = E1(D1(Original)) = Original
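The three public-key slides above (primes are cheap to recognise, products of primes are expensive to factor, and the signed exchange E1(D2(E2(D1(Original)))) = Original) as one added example. This is Python written for this page, not code from the slides; the slides name no scheme, so textbook RSA with small constructed primes is assumed, as are the function names and the choice n1 < n2 that lets the output of D1 fit under E2's modulus.

```python
from math import gcd

def is_prime(n):
    """Trial division; adequate for the tiny primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def factor_by_trial(n):
    """Brute-force factoring of a product of two primes; the work grows with sqrt(n), which
    is why the decryption key cannot feasibly be deduced from the encryption key once n is large."""
    for i in range(2, int(n ** 0.5) + 1):
        if n % i == 0:
            return i, n // i
    return None

def make_keypair(p, q, e=17):
    """Textbook RSA (assumption). Public key (e, n) is the 'encryption key';
    private key (d, n) is the 'decryption key'; e and d are inverses modulo phi(n)."""
    assert is_prime(p) and is_prime(q) and p != q
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key, m):
    """E(m) with a public key or D(c) with a private key: both are x -> x^k mod n,
    which is what lets E and D be applied in either order."""
    k, n = key
    assert 0 <= m < n, "value must be below the modulus"
    return pow(m, k, n)

# two constructed key pairs; n1 < n2 so that D1's output is a valid input to E2
E1, D1 = make_keypair(61, 53)      # n1 = 3233
E2, D2 = make_keypair(89, 97)      # n2 = 8633

def send_signed(original):
    """First party: apply its own secret D1 (the signature), then the second party's public E2."""
    return apply_key(E2, apply_key(D1, original))

def receive_signed(received):
    """Second party: remove the secrecy layer with its own D2, then verify with the public E1."""
    return apply_key(E1, apply_key(D2, received))

if __name__ == "__main__":
    original = 1234
    received = send_signed(original)
    print("sent", received, "-> recovered", receive_signed(received))
    print("factoring n1 by trial division:", factor_by_trial(E1[1]))
```

Only the first party holds D1, so a value that comes out of E1(D2(Received)) as meaningful plaintext could only have been produced by that party; the secrecy comes from E2, whose inverse D2 only the second party holds. With 3233 the trial-division factoring finishes instantly, which is exactly the situation the 63-digit estimate on the principles slide rules out.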