Sub: DBMS Batch : BIT IV Sem.

Database Security
The data stored in the database need to be protected from unauthorized access,
malicious destruction and alteration of data. To protect the database , we must take security
measures at several levels.
 Physical : The site or sites containing the computer systems must be physically secured
against armed or surreptitious entry by intruders.
 Human: Users must be authorized carefully to reduce the chance of any such user giving
access to an intruder in exchange for a bribe of other favours.
 Operating System : No matter how secure the database system is, Weakness in operating
system security may serve as a means of unauthorized access to the database.
 Network: Since most all database systems allow remote access through terminals or
networks, software level security within the network software is as important as physical
security, both the internet and in networks private to an enterprise.
 Database System: Some database system users may be authorized to access only a
limited portion of the database. Other users may be allowed to issue queries, but may
be forbidden to modify the data.

SQL Access for database Security

Database Security and the DBA
The database administrator (DBA) is the central authority for managing a database
system. The DBA's responsibilities include granting privileges to users who need to Use the
system and classifying users and data in accordance with the policy of the organization. The
DBA has a DBA account in the DBMS, sometimes called a system or superuser account, which
provides powerful capabilities that are not made available to regular database accounts and
users. DBA privileged commands include commands for granting and revoking privileges to
individual accounts, users, or user groups and for performing the following types of actions:
1. Account creation: This action creates a new account and password for a user or a group
of users to enable them to access the DBMS.
2. Privilege granting: This action permits the DBA to grant certain privileges to certain
accounts.
3. Privilege revocation: This action permits the DBA to revoke (cancel) certain privileges that
were previously given to certain accounts.
4. Security level assignment: This action consists of assigning user accounts to the
appropriate security classification level.
The DBA is responsible for the overall security of the database system.

GRANT and REVOKE

The view mechanism allows the database to be conceptually divided up into pieces in
various ways so that sensitive information can be hidden from unauthorized users. However, it
does not allow for the specification of the operations that authorized users are allowed to
execute against those pieces is performed by the GRANT statement.
Note first that the creator of any object is automatically granted all privileges that make
sense for that object. For example, the creator of a base table T is automatically granted the
SELECT, INSERT, UPDATE, DELETE, and REFERENCES privileges on T

The SQL commands used by DBA for security are as follows.

Creating user:
Create user supriya identified by s;

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 1
 This sql commands creates user supriya whose password is s. The privileges which can be
granted to supriya by DBA on any table employee (suppose the table employee is already
created) are SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER and REFERENCE.
The privileges can be granted by DBA to user supriya as follows.
Grant SELECT on employee to supriya;
Similarly INSERT,UPDATE,DELETE,INDEX,ALTER and REFERENCE can be granted to any
user.
Grant all on employee to supriya;
Grant SELECT,UPDATE on employee to supriya;
The REFERENCE Privilege allows the grantee to create integrity constraints that reference
that table.
Similarly the privileges can be revoked using revoke command as follows.
Revoke all on employee from supriya;
Revoke UPDATE on employee from supriya;

The current SQL standard supports discretionary access control only. Two more or less in-
dependent SQL features are involved-the view mechanism, which can be used to hide
sensitive data from unauthorized users, and the authorization subsystem itself, which allows
users having specific privileges selectively and dynamically to grant those privileges to other
users, and subsequently to revoke those privileges, if desired. Both features are discussed
below.

Views and Security

To illustrate the use of views for security purposes in SQL:
CREATE VIEW LS AS
SELECT S.S#, S.SNAME, S.STATUS S.CITY
FROM S
WHERE S,CITY = 'London' ;
The view defines the data over which authorization is to be granted. The granting itself is
done by means of the GRANT statement--e.g.:
GRANT SELECT, UPDATE , DELETE
ON LS
TO Dan, Misha ;

ACCESS CONTROL
The access to the database is controlled by defining user to the database, assigning
passwords to each user, assigning access privileges such as read, write, delete privileges, by
physical access control such as secured entrances, password protected workstations, voice
recognition technology etc. and by using DBMS utilities access control such as auditing and log
file features. Some used access control methods are Discretionary and Mandatory control.

Discretionary Access Control Based on Granting/Revoking of Privileges

The typical method of enforcing discretionary access control in a database system is
based on the granting and revoking of privileges. Let us consider privileges in the context of a
relational DBMS.
Informally there are two levels for assigning privileges to use the database system.
1. The account level: At this level, the DBA specifies the particular privileges that
each account holds independently of the relations in the database.
2. The relation( or table) level: At this level, we can control the privilege to access
each individual relation or view in the database.

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 2
 The privileges at the account levels include CREATE TABLE to create table, CREATE VIEW
to create view, CREATE SYNONYM to create synonym and all the privileges are granted by
DBA to individual user or account.
The privileges at the relation levels include SELECT, UPDATE, REFERENCES, DELETE for
particular relations and are granted by DBA.
In SQL2, the DBA can assign an owner to a whole, schema by creating the schema and
associating the appropriate authorization identifier with that schema using the CREATE
SCHEMA command. The owner account holder can pass privileges on any of the owned
relations to other users by granting privileges to their accounts. In SQL the following types of
privileges can be granted on each individual relation R:

 SELECT (retrieval or read) privilege on R: Gives the account retrieval; privilege In SQL
this gives the account the privilege to use the SELECT statement to retrieve, tuples
from R.
 MODIFY privileges on R:. This gives the account the capability to modify tuples of R. In
SQL this privilege is further divided into UPDATE, DELETE, and INSERT Privilege to
apply the corresponding SQL command to R. In addition, both the INSERT and UPDATE
privileges can specify that only certain attributes of R can be updated by the account.
 REFERENCES privilege on R: This gives the account the capability to reference relation
R when specifying integrity constraints. This privilege can also be restricted to
specific attributes of R.
Notice that to create a view the account must have SELECT privilege on all the involved in
the view definition.

Specifying Privileges Using Views

The mechanism of views is an important discretionary authorization mechanism in its
own right. For example, if the owner A of a relation R wants another account B to be able to
retrieve only some fields of R, then A can create a view V of R that includes only that attributes '

and then grant SELECT on V to B. The same applies to limiting B to retrieving only certain
tuples of R; a view V can be created by defining the view by means of a query that selects only
those tuples from R that A wants to allow B to access.

Revoking Privileges
In some cases it is desirable to grant some privilege to a user temporarily. For example,
the owner of a relation may want to grant the SELECT privilege to a user for a specific task and
then revoke that privilege once the task is completed. Hence, a mechanism for revoking
privileges is needed. In SQL a REVOKE command is included for the purpose of canceling
privileges.

Propagation of Privileges Using the GRANT OPTION

Whenever the owner A of a relation R grants a privilege on R to another account B, the
privilege can be given to B with or without the GRANT OPTION. If the GRANT OPTION is given,
this means that B can also grant that privilege on R to other accounts.

Specifying Limits on Propagation of Privileges

Techniques to limit the propagation of privileges have been developed, although they
have not yet been implemented in most DBMSs and are not a part of SQL. Limiting horizontal
propagation to an integer number i means that an account B given the GRANT OPTION can
grant the privilege to at most i other accounts. Vertical propagation is more complicated; it
limits the depth of the granting of privileges. Granting a privilege with vertical propagation of
zero is equivalent to granting the privilege with no GRANT OPTION. If account A grants a
privilege to account B with vertical propagation set to an integer number j > 0, this means that
the account B has the GRANT OPTION on that privilege, but B can grant the privilege to other
accounts only with a vertical propagation less than j. In effect, vertical propagation limits the
sequence of grant options that can be given from one account to the next based on a single
original grant of the privilege.

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 3
Mandatory Access Control for Multilevel Security
The discretionary access control technique of granting and revoking privileges on rela-
tions has traditionally been the main security mechanism for relational database systems. This
is an all-or-nothing method: a user either has or does not have a certain privilege. In many
applications, an additional security policy is needed that classifies data and users based on
security classes. This approach-known as mandatory access control-would typically be
combined with the discretionary access control mechanisms. It is important to note that most
commercial DBMSs currently provide mechanisms only for discretionary access control.
However, the need for multilevel security exists in government, military, and intelligence
applications, as well as in many industrial and corporate application.
Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest Other more complex security classification
schemes exist, in which the security classes are organized in a lattice. For simplicity, four
security classification levels, where TS  S  C  U are used in the system. The commonly
used model for multilevel security known as the Bell-LaPadula model, classifies each subject
(user, account, program) and object (relation, tuple, column, view, operation) into one of the
security classifications TS, S, C, or U. We will refer to the clearance (classification) of a subject
S as class (S) and to the classification of an object O as class (O). Two restrictions are enforced
on data access based on the subject/object classifications: '
1. A subject S is not allowed read access to an object O unless class(S)  class(O).
This is known as the simple security property.
2. A subject S is not allowed to write an object O unless class(S)  class(O). This is, known
as the *property (or star property).
The first restriction is intuitive and enforces the obvious rule that no subject can read an
object whose security classification is higher than the subject's security clearance. The second
restriction is less intuitive. It prohibits a subject from writing an object at a lower security
classification than the subject's security clearance. Violation of this rule would allow
information to flow from higher to lower classifications, which violates a basic tenet of
multilevel security. For example, a user (subject) with TS clearance may make a copy' of an
object with classification TS and then write it back as a new object with classification U, thus
making it visible throughout the system.
To incorporate multilevel security notions into the relational database model, it is
common to consider attribute values and tuples as data objects. Hence, each attribute A is
associated with a classification attribute C in the schema, and each attribute value in a tuple is
associated with a corresponding security classification,- In addition, in some models, a tuple
classification attribute TC is added to the relation attributes to provide a classification for each
tuple as a whole. Hence, a multilevel relation schema R with n attributes would be represented
as
R(A1, C1, A2, C2, ..., An, Cn, TC)
where each Ci represents the classification attribute associated with attribute A i.
The value of the TC attribute in each tuple t-which is the highest of all attribute
classification values within t-provides a general classification for the tuple itself, whereas each
ci provides a finer security classification for each attribute value within the tuple. The apparent
key of a multilevel relation is the set of attributes that would have formed the primary key in a
regular (single-level) relation. A multilevel relation will appear to contain different data to
subjects (users) with different clearance levels. In some cases, it is possible to store a single
tuple in the relation at a higher classification level and produce the corresponding tuples at a
lower level classification through a process known as filtering. In other cases, it is necessary to
store two or more tuples at different classification levels with the same value for the apparent
key, This leads to the concept of polyinstantiation, where several tuples can have the same
apparent key value but have different attribute values for users at different classification
levels.
Assume that the Name attribute is the apparent key, and consider the query SELECT *
FROM EMPLOYEE. A user with security clearance S would see the same relation shown below in
fig.a, since all tuple classifications are less than or equal to S. However a user with security
clearance C would not be allowed to see values for salary of Shyam and job performance for
Ram as shown below in fig. b .
a. EMPLOYEE

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 4
 Name Salary JobPerformance TC
Ram U 5000 C Fair S S
Shyam C 5000 S Good C S
Fig. The original Employee tuples
b. EMPLOYEE
Name Salary JobPerformance TC
Ram U 5000 C Null C C
Shyam C null C Good C C
Fig. Appearance of EMPLOYEE after filtering for classification C users
ENCRYPTION
Access control is only applied to the established avenues of access to the database.
Clever people using clever instruments may be able to access the data by circumventing the
controlled avenues of access. Also, innocent people who passively stumble upon an avenue of
access may be unable to resist the temptation 'to look at and pet misuse the data so acquired.
To counteract the possibility that either active or passive intruders obtain unauthorized access
to sensitive data, it is desirable to obscure or hide the meaning of the data accessed.
Encryption is any sort of transformation applied to data (or text) prior to transmission or
prior to storage, which makes it more difficult to extract information content or meaning.
Decryption is method of retrieving the original message(text) from the encrypted message. The
word 'cryptography' comes from the Greek meaning 'hidden or secret. Cryptography includes
both encryption and decryption.
Encryption techniques complement access controls. Access controls are ineffective if

 A user leaves a listing in the work area or in the trash.

 Passwords are written down and found.
 Offline backup files are stolen.
 Confidential data is left in main memory after a job has completed.
 Someone taps in on a communication line.
When a data system' is geographically dispersed, physical security measures be come
less practical and less effective against intrusion because the system is more open and
vulnerable to penetration at more points. If the computer system and all the sensitive data are
maintained in a single, isolated environment into which a user must be admitted before access
to data is permitted, little need for encryption exists. An increased need for encryption comes
with the increased tendency for systems to reach out into the using environment and become
'more available to the users.
The basic encryption scheme is shown in Figure . Original plaintext is transformed by an
encryption algorithm using an encryption key to produce ciphertext. An inverse decryption
algorithm transforms the ciphertext using the same (or related) key to reconstruct the
plaintext.

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 5
 Figure Basic Encryption/ Decryption System.
An encryption algorithm (T). transforms a sender's plaintext message (M) using a key (K)
to produce ciphertext. Plaintext'is in a form recognizable by humans (or computers). The
encrypted message or data can be transmitted through an insecure channel or stored in an
insecure area since a potential intruder would only see a scrambled message. Using the same
(or related) key, the decryption algorithm applies an in years transformation (T-1) to the
ciphertext to reconstruct the original message (M). Transmission of the key to the decryption
must be kept secure, since knowing the decryption key and the encryption algorithm makes it
easy to decrypt or decipher a message, thereby disclosing sensitive information.
In a database environment, encryption techniques can be applied to:

 Transmitted data sent over communication lines between computer systems, or to

and from remote terminals (1).
 Stored data:
 remote backup data on removable media (2)
 active data on secondary storage devices (3)
 tables and buffers in internal main memory (4)
The figure below indicates the points where encryption can be used to protect data from
unauthorized access during transmission between the user and the system. With a remote

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 6
database, encryption can be used to protect the stored data from unauthorized access.

Fig Encryption in a Database Environment.

Encryption techniques can be used in the transmission or storage of data. The stored
data may be remote backup data on removable media, active (updated) data on secondary
storage devices, or tables and buffers in internal memory. Sensitive data outside of secured
area is more exposed to unauthorized disclosure and therefore encryption can contribute
significantly to greater security.

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 7
 Encryption methods can be classified according to:
1. The nature of the algorithm:

 Transposition, or permutation in general.

 Substitution, either mono-alphabetic or polyalphabetic.
 Product, combining permutations and substitutions.

Cryptographic techniques have been widely used in military and government intelligence
activities for centuries but due to the secretive nature of the subject.
The increased potential for more sophisticated encryption and cryptanalysis through the
use of computers, coupled with the increased concern for data privacy, has generated a great
surge of interest in the past decade or two. There has been substantial published literature on
the use of encryption in computerized database systems. The U:S. Government has adopted a
data encryption standard(DES).
Choosing an encryption method depends upon the cost, what is available, and the level
of user need. The object of any particular method is to raise the work factor high enough to
discourage anyone from breaking the code. The cost of the chosen method must be
commensurate with the level of risk and the degree of security desired. Even fairly modest and
simple encryption methods can render transmitted messages and stored data secure from all
but the most persistent penetrators.

Traditional Methods: Transposition and Substitution

Historically, transposition and substitution have been the two major classes of encryption
techniques. They were applied manually to encrypt streams of text prior to transmission.
Permutations and substitutions serve as the basis for some present-day computerized
methods.
Transposition techniques permute the ordering of characters in the data stream
according to some rule. For example, if the transposition pattern or rule is to transpose each
consecutive pair of characters, the phrase
database
would appear as

ADATABES

obviously not very secure. An example of a general permutation would be to form blocks
of, say, four characters and permute, 1234 to 3124. The phrase would now appear as:

TDAASBAE
With a correct guess of the length of the permutation block, only a few trials are needed
to break the code.
Substitution techniques retain the relative position of the characters in the original
plaintext but hide their identity in the ciphertext. By contrast, transposition techniques retain
the identity of the original characters but change their position.
A simple example is the Caesar Cipher which substitutes the nth letter away from ..the
plaintext character in the alphabet. This is applied 'modulo 27' (includes a blank), that is, if you
count past the end of the alphabet, cycle back to the beginning. The plaintext message in Fig.
was encrypted using a Caesar Cipher. The n is the key indicating the alphabet shift.
A general mono-alphabetic substitution cipher replaces characters in the plaintext with
characters from some other alphabet, called a cipher alphabet, which becomes the key. For
example:
Plaintext alphabet: abcdefghijklmnopqrstuvwxyz
Ciphertext alphabet: GORDNCHALESZYXWVUTQPMKJIFB
Transforms the Plaintext: database management system

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 8
 Into the Ciphertext: DGPGOGQN YGXGHNYNXP QFQPNYQ
Assuming that the plaintext message is written in natural English using 26 letters, mono-
alphabetic substutions are susceptible to frequency analysis of single letters, letter pairs, and
reversals. The analysis is increasingly accurate for larger messages the letter frequencies in
the message would approach the 'characteristic letter frequencies for the language. In English
the most frequently occurring letters are E,T,A,O,N,R,I,S,H. Some people can' even read such
ciphertext directly Some computers have built-in machine instructions to perform substitutions
between two alphabets (needed for A_CII-EBCDI_ code conversion), thus enabling faster
exhaustive analysis of mono-alphabetic' substitutions.
Polyalphabetic substitution uses multiple alphabets cyclically according to some rule.
Each character of the plaintext is replaced' with a character from a different Ciphertext
alphabet, thereby obscuring the frequency characteristics of the characters in the plaintext
alphabet.

© 2000 College of Information Technology & Engineering. All rights reserved, Circulation copy for CITians only. 9