Lecture 23 - Goldsmiths, University of London

Download Report

Transcript Lecture 23 - Goldsmiths, University of London 

Data security
Data security
1
Data security
Overview
 generalities
 discretionary access control
 mandatory access control
 data encryption
2
Data security
The problem of security
 aspects
 origins of security rules
 social - legal, ethical, political, strategic, ...
 operational problems
 are the computers “safe”?
 does the operating system have a security system
(passwords, storage protection keys ...)?
 ...
 does the DBMS have a concept of data ownership?
3
Data security
disregard
4
Data security
DBMS approaches to data security
 discretionary
 users access data according to their privileges
/ authorities which are explicitly stated for
each user and data object in part
 mandatory
 each data object is given a classification level
and each user has a certain clearance level; a
given data object can be accessed only by the
users with a certain clearance level
5
Data security
The DBMS’s security mechanism
 security rules:
 made known to the system
 appropriate definitional language
 remembered by the system
 security / authorisation rules stored in the catalogue
 checked by the system
 security / authorisation subsystem
6
Data security
Discretionary access control
 example in a pseudo-code
CREATE SECURITY RULE Rule1
GRANT RETRIEVE ( S_id, S_name, City ) , DELETE
ON Suppliers WHERE City  ‘London’
TO Jim, Fred, Mary
ON ATTEMPTED VIOLATION Reject ;
7
Data security
Discretionary access control
 components of a security rule





name (Rule1) (why?)
privileges (RETRIEVE on certain attributes, ...)
scope (ON … WHERE …)
users (user IDs)
violation response (procedure)
8
Data security
General format of a rule (pseudo-code)
CREATE SECURITY RULE <name>
GRANT
<list of privileges>
ON
<expression>
TO
<list of userIDs>
[ ON ATTEMPTED VIOLATION <action> ] ;
9
Data security
Clarifications
 possible privileges are:
 RETRIEVE [ ( <attribute-list> ) ]
 INSERT
 UPDATE [ ( <attribute-list> ) ]
 DELETE
 ALL
 data definition operations
 ...
10
Data security
Clarifications
 <expression>
 is an expression of relational algebra
 target: (one range variable which should refer to) only
one relation; i.e. the scope of the rule is a subset of of
the tuples of a single relation
• this restriction is somehow ad-hoc; though, it induces in simplicity
 <action>
 default: reject
 but it could be on any complexity, in theory
• examples - what would it be needed?
11
Data security
SQL’s GRANT and REVOKE
GRANT
<list of privileges>
ON
<data object>
TO
<list of userIDs> | PUBLIC
[ WITH GRANT OPTION ]
REVOKE [ GRANT OPTION FOR] <list of privileges>
ON
<data object>
FROM
<list of userIDs> <option>
12
Data security
Clarifications
 privileges
 USAGE (for domains), SELECT, INSERT (column
specific), UPDATE (column specific), DELETE,
REFERENCES (for integrity constraint definitions)
 <data object>
 DOMAIN <domain>
 [ TABLE ] <table> (a base table or a view)
 <option>
 RESTRICT | CASCADE
13
Data security
Example #1
CREATE VIEW View1 AS
SELECT S_id, S_name, Status, City
FROM Suppliers
WHERE City = ‘Paris’
GRANT SELECT, INSERT,
UPDATE ( S_name, Status ), DELETE
ON View1
TO Mark, Spencer
14
Data security
Example #2
CREATE VIEW View2 AS
SELECT S_id, S_name, Status, City FROM S
WHERE
EXISTS
( SELECT * FROM SP
WHERE EXISTS
(SELECT * FROM P
WHERE S.S_id = SP.S_id AND
P.P_id = SP.P_id AND P.City = ‘Rome’ )) ;
GRANT SELECT ON View2 TO John
15
Data security
Example #3
CREATE VIEW View3 AS
SELECT P_id, ( SELECT SUM (Contracts.Qty)
FROM Contracts
WHERE Contracts.P_id = Parts.P_id )
AS Quantity
FROM Parts;
GRANT SELECT ON View3 TO Bill
16
Data security
Other issues
 context-independent rules
 the previous examples
 context-dependent rules
 date(), day(), time(), user(), terminal()
specified within
the rule
17
Data security
Example #4
GRANT INSERT
ON Transactions
WHERE Day() NOT IN (‘Saturday’, ‘Sunday’) AND
Time() > ’ 9:00’ AND Time() < ‘17:00’
TO Till;
--Till is a group of users
18
Data security
Other issues
 logical “OR” between security rules
 anything not explicitly allowed is implicitly
prohibited
 audit trial - for critical data
 request (text), terminal, user, date and time, data objects
affected, old values, new values
19
Data security
Mandatory access control
 each data object has a classification level
 each user has a clearance level
 rules
 user U can see object O if the clearance level of U
is greater or equal to the classification level of O
 user U can modify object O only if the clearance
level of U is equal to the classification level of O
 used for DBs with a static and rigid classification
structure
20
Data security
Data encryption - generalities
 when the system was bypassed
 plain-text
 original data
 encryption
 encryption algorithm, encryption key
 cipher-text
 encrypted text
21
Data security
An encryption algorithm
 divide text into blocks of length equal to the
encryption key
 replace each character by a corresponding integer
(blank=00, a=01, …, z=26)
 repeat for the encryption key
 for each block, sum modulo 27 the corresponding
integers with those of the encryption key
 replace each integer with the corresponding
character
22
Data security
Example
 plaintext: we all like databases
 key: ursu
 [we_a][ll-l][ike-][data][base][s---]
 23050001 12120012 09110500 04012001 02011905 19000000
 21181921
 17231922 06031906 …
--exercise
 qwsv fcsf …
 decoding algorithm?
23
Data security
Objective
 the cost of breaking the coding algorithm
should be greater than the potential payoff of
accessing (illegally) the encoded data
 usually, the encryption algorithm is made public but
the encryption key is kept secret
 the breaking of the coding (find the encryption key),
usually, is done on the bases of some available
cipher-texts and their corresponding plain-texts
24
Data security
Encryption algorithms
 data encryption standard
 not truly secure
 public-key encryption
 a modern approach
25
Data security
Data encryption standard
 64 bit key (actually only 256 possible keys)
 permutation + 16 substitution steps + permutation
 each substitution step is based on a new key that is
computed from the current value of the block and the
initial value of the key
 the decryption algorithm is almost identical to the
encryption one
26
Data security
Public-key encryption
makes public
- encryption algorithm
- encryption key
keeps
- decryption key
27
Data security
Principles for public key encryption
 the decryption key cannot feasibly be
deduced from the encryption key
 there is a fast algorithm of determining whether a
given number is prime
 e.g. for a no of 130 digits - 7 minutes
 there is no fast algorithm for finding the factors of
a given non-prime number
 e.g. for a product of two prime no of 63 digits - 4 * 1016
years
28
Data security
“Signed” public key encryption
publishes encryption algorithm E1
and encryption key
corresponding decryption algorithm
(key) D1 is kept secret
publishes encryption algorithm E2
and encryption key
corresponding decryption algorithm
(key) D2 is kept secret
E2(D1(Original))
E1(D2(Received)) =
E1(D2(E2(D1(Original)))) =
E1(D1(Original)=
Original
29
Data security
Conclusions
 decisions on security issues
 dictated by policy
 various aspects to the security problem
 database security mechanisms
 discretionary
 mandatory
 data encryption
 for cases when the security system was bypassed
30