
Security for GIS N-tier Architecture

Michael Govorov (1), Youry Khmelevsky (2), Vasiliy Ustimenko (3), and Alexei Khorev (4)

1 GIS Unit, Department of Geography, the University of the South Pacific, PO Box 1168, Suva, Fiji Islands, mgovorov@usp.ac.fj;
2 Computing Science Department, the University College of the Cariboo, 900 McGill Road, Kamloops, BC, Canada, khmelevsky@acm.org;
3 Department of Mathematics and Computer Science, The University of the South Pacific, PO Box 1168, Suva, Fiji Islands, ustimenko_v@usp.ac.fj;
4 Institute of Computational Technologies, SBRAS, 6 Ac. Lavrentjev Ave., Novosibirsk, 630090, Russia, k_aleksej@hotmail.com

Abstract
Security is an important topic in Information Systems and their applications, especially within the Internet environment. Security of geospatial data is a relatively unexplored topic in Geographical Information Systems (GIS). This paper analyzes security solutions for Geographical Information Storage Systems (GISS) within an n-tier GIS architecture. The first section outlines the application of the main categories of database security to the management of spatial data. These categories are then analyzed from the point of view of their application within GIS. A File System within Database (FSDB) with traditional and new encryption algorithms is proposed as a new GISS solution. An FSDB provides safer and more secure storage for spatial files and supports a centralized authentication and access control mechanism in a legacy DBMS. Cryptographic solutions, a topic of central importance to many aspects of network security, are discussed in detail. This part of the paper describes the implementation of several traditional and new symmetric, fast and nonlinear encryption algorithms with fixed and flexible key sizes.


M.Govorov, Y.Khmelevsky, V.Ustimenko, and A.Khorev

1 N-tier Distributive GIS Architecture


Two major recent tendencies in the development of GIS technology are
relevant to security:
1. The first is the adoption of mainstream IT technology, such as n-tier software architecture. Existing GIS solutions started their transition to Web-distributed, open n-tier architectures a few years ago. Still, in most existing GIS applications the map server provides only cartographic rendering and simple spatial data analysis on the client and back-end tiers. Current Web Map Servers are a simplification of a fully functional application server in the middle of the 3-tier industry-standard architecture.
2. The second tendency is the transition of GISS from file-based spatial data warehouses to fully functional spatial database solutions that employ a DBMS as the storage system, in either a single-server or a distributed environment. The advantages of such a transition are well known to the IT industry. In the global geo-network, large amounts of data are still stored in spatial warehouses as flat files (e.g. .shp, .tab, .dxf, .img), which have single-user access, large file sizes and no transaction-based processing.

Fig. 1. The Feasible GIS n-tier Architecture

The purpose of this article is to analyze the security solutions for spatial data management within a GIS n-tier architecture. This section outlines the feasible GIS n-tier architecture and the role of GISS in storing GIS spatial data. The feasible GIS n-tier architecture is shown in Fig. 1.
GIS functionality, data, and metadata can be assigned to various tiers (sometimes called layers) along a network and can be found on the server side in one or more intermediate middleware layers, either on the back-end or client side. All three tiers can be independently configured to meet the users' requirements and scaled to meet future requirements.
The feasible architecture includes a client tier in which user services reside. The client tier is represented by a Web browser or wireless device (thin client), or by a Web browser with Java applets or ActiveX components or a Java application (thick client) [9].
The middle tier is divided into two or more subsystems (layers) with different functions and security features, including SSL encryption, authentication, user validation, a single sign-on server, and digital signatures.
GIS Web services perform specific GIS functions and spatial queries, and can be integrated as part of the middle-tier application server [1].
Spatial components have capabilities for accessing and bundling maps
and data into the appropriate format before sending the data back to a client. These components support different functionalities: generate image
maps and stream vector spatial data for the client; return attribute data for
spatial and tabular queries; execute geo-coding and routing functions; extract and return spatial data in appropriate format; search a spatial metadata
repository for documents related to spatial data and services; and run spatial and cartographic generalization techniques.
The Data Management Layer (GISS) controls database storage and retrieval. Data access logic describes transactions with a database. Data access is normally performed as a function of the business logic. Since much spatial data is still stored in file format, its management may be significantly improved by storing it within a database system.
The critical communication channels for information flows within a classical Application Server are between: a Web browser and a Web Server; the Web server and the business logic layer (thin and medium client configurations); and the business logic layer and the back-end tier. Attention should also be paid to secure communication between all other distributed components of the middle tier. The first question is how to secure the information flowing over these channels; the second is how to maintain access control. Because of the connectionless nature of the Web, security issues relate not only to initial access but to re-access as well. For the thick client, both problems reduce to how to secure communication between the thick client and the business logic layer.


2 Security Controls within n-tier GIS Architecture


One of the primary reasons for deploying an n-tier system within the Internet environment is improved security. Application logic in the middle tier can provide a layer of isolation for sensitive data maintained in the spatial database. For GIS applications, the middle tier of an n-tier system can focus on pre-presentation processing and cartographic presentation of spatial data to the user, allowing the back-end tier to focus on management and heavy processing of spatial data. However, n-tier architectures increase the complexity of practical security deployment compared with the 2-tier Client/Server architecture.
For GIS n-tier architecture a general security framework should address
the same requirements as for legacy n-tier systems, which include authentication, authorization, identification, integrity, confidentiality, auditing,
non-repudiation, credential mapping, and availability [4, 15].
There are some specifics of spatial data management concerning the protection of confidentiality and integrity of data while in transit over the Internet and when stored on internal servers and in databases. This section outlines the general security framework for a GIS Web-based n-tier architecture. In the next sections, solutions for confidentiality protection of spatial data in storage are discussed.
A firewall is typically the first line of defense within a GIS Web-based n-tier architecture. One device or application can use more than one basic firewall mechanism, such as stateful packet filtering, circuit-level gateway, proxy server and application gateway. Many firewall placements are possible, and several layers of firewalls can be added for security [10]. The ideal solution is to provide buffers of protection between the Internet, the GIS Application Server and the spatial database [12].
Most existing Web Map Servers use low-level, password-based authentication, which provides minimal security. Cryptographic authentication in the form of digital certificates must be used for stronger authentication. Authentication protection can be implemented within the Web Server, the JSP, servlet or ASP connector, the business logic layer and the back-end tier.
The next line of defense in a GIS Application Server is proper access control to business logic components and back-end resources. Authorization services determine what resources and files a user or application has access to. There are at least three main access control models which can be used: mandatory, discretionary and role-and-policy-based authorization schemes [5].


If the subsystems of an n-tier architecture have different security infrastructures, they may need to convey authorization information dynamically by propagating it along with an identity. A GIS Application Server can dynamically update users and roles by leveraging an external, centralized security database or service via an LDAP server.
Access control within the spatial database is usually enforced by determining whether a specific user may access a specific table or file, not whether the user may access specific data within that table or file. Finer-grained control is of interest when access to certain levels of a multi-detailed representation of spatial features in a multi-scale spatial database must be restricted. If there is a need to enforce entity-level access control for data within tables, one has to rely on database views, or program the access logic into stored procedures or applications. If the access logic is programmed into applications, those applications must be rewritten whenever security policies change.
Another important feature of GIS n-tier architecture security is protection of the confidentiality of GIS data and services in exchanges between clients, the middle tier and the back-end tier, and in spatial storage. Encryption is the standard mechanism for these purposes and can be used within the GIS n-tier architecture for several different kinds of protection.
The first is encryption of a user's identity for authentication and authorization services. In the typical case this relies on the transport layer for security via the SSL protocol, which also provides data integrity and strong authentication of both clients and servers. Second, encryption can be used for the protection of spatial data in transit; the next section of the article gives an overview of this aspect. Third, cryptography can be used to encrypt sensitive data stored on the DSS, including caches.

3 Web Services' Security of Spatial Message Protection


A GIS Web service is a software component that can provide spatial data and geographic information system functionality via the Internet to GIS and custom Web applications. GIS Web services perform real-time processing on the computers where they are located and return the results to the local application over the Internet. The protocols which form the basis of the Web service architecture include SOAP, WSDL, and UDDI.
The current SOAP security model relies on the transport layer for security, supplemented by recently emerged security specifications that provide message-level security working end-to-end through intermediaries [14].

XML-based security schemes for Web services include XML Digital Signature, XML Encryption, XML Key Management Specification, Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML), Web Services Security, and ebXML Message Service. XML Signature (XMLSIG), in conjunction with security tokens, supports multiple signers for a single XML document, proving the origin of data and protecting against tampering during transit and storage. The XML Encryption (XMLENC) specification supports the ability to encrypt all or portions of an XML document to provide confidentiality. SAML specifies an XML format for asserting authentication, authorization, and attributes for an entity. XACML, from the OASIS group, specifies how authorization information can be represented in XML format.
OpenGIS specifications include Web Map Service, Web Feature Service, Web Coverage Service, and Catalog Service/Web profile. The SOAP message security approaches can be applied to protect GIS Web services. Thus, GIS applications which use XML (GML, ArcXML) for Web services can use XML digital signatures to verify the origin of messages. An important advantage of XMLENC for encryption of spatial data (large data streams) is the ability to encrypt part(s) of an XML document while leaving the other parts open.
3.1 Internet File System (IFS) and Encryption Security Solutions for Spatial Warehouses
Volumes of spatial information stored in files are growing at explosive rates. According to some sources, the volume of such file storage doubles every year [7]. At the same time, many new formats are used to store spatial and non-spatial data within files. GIS users and distributed applications demand to store, manage and retrieve information in a safe and secure manner, and should have a universal secure access mechanism to the spatial file database.
An RDBMS is, or should be, a core system in any organization, with powerful mechanisms for storing different types of information with different access rights and sophisticated security mechanisms. Every year new products emerge on the market which raise the possibility of utilizing a legacy RDBMS for unusual purposes. The idea behind all of these products is the same: to have only one universal system for information storage, processing and retrieval within an organization.

3.1.1 File System within RDBMS Instance as Storage for GIS Data Files
File System within Database (FSDB), a relatively new idea, can help solve the above-mentioned problem effectively, as follows.
FSDB makes it possible for any file to be created, reviewed, corrected, approved, and finally published into the DBMS with appropriate access restrictions for user groups or individual users. The files can be versioned, checked in and checked out, and synchronized with local copies [11]. At the same time, an FSDB can be replicated by the standard replication procedures of any sophisticated modern DBMS. The protocol servers that are included, for example, with Oracle IFS allow the FSDB to support all common industry-standard protocols through the Internet or application server and within the enterprise network [11].
An FSDB can provide a multi-level security model to ensure the privacy and integrity of documents in a number of different ways, such as: leveraging the security provided by the DBMS; user authentication; access rights definition; access control at the file, version and folder level; support for Internet security standards; and anti-virus protection [11].
An FSDB secures GIS files by storing them in a DBMS. The FSDB uses an authentication mechanism to gain access to the DBMS or FSDB repository, regardless of the protocol or tool being used to access a file. The newest versions of FSDB have more sophisticated authentication mechanisms, such as SSO servers, Internet Directory and LDAP servers.
Oracle IFS was used to test protection of spatial data files while in storage and during on-going processing [8]. Users can use their desktop GIS and any other applications while the spatial data is stored and managed by the database, thereby leveraging the reliability, scalability and availability that come with the database, while keeping the familiarity and ease of a standard file system.
Oracle IFS stores spatial data files in the form of Large Objects (LOBs) inside the database, which lets GIS users store very large files. LOBs are designed for fast access and optimized storage of large binary content.
Fig. 2 shows the authentication and authorization processes between an external desktop GIS application and IFS storage.
Obviously, while providing great possibilities for the security and management of spatial data files, an FSDB also prompts several concerns:
Will the transition of spatial data files from a standard OS file system (e.g. NTFS or UFS) to an FSDB affect the performance of input, retrieval and updating of spatial data?
Will the size of the spatial storage be increased?

Fig. 2. IFS Security Model

Performance results (time differences) for input, retrieval and updating of GIS data files in desktop GIS software such as MapInfo and ArcView from Oracle IFS 9i are shown in Fig. 3. Different sizes of vector GIS files were used for the study. The large pool size, buffer cache size and process components of IFS and Oracle 9i Application Server were optimized to achieve the best performance of IFS.

Fig. 3. IFS NTFS Time Differences (in seconds)

The negative results are obtained for processing of small files using the Oracle Buffer Cache. All other results show a difference of only about 1-2 seconds for processing data files of up to 100 MB using IFS storage compared to the native OS file system.
The study of the changes in spatial data file sizes, comparing the amount of space they take up on NTFS and IFS drives, shows that the Oracle IFS tablespace is increased in size by only about 12%. That difference can be reduced by changing database storage parameters for IFS.
The results of the IFS performance investigation show that this approach is acceptable for data processing within GISS. Within this approach to spatial file storage, the following authentication and authorization levels can be used to secure spatial data files: OS level (share permissions and folder permissions) and IFS level. Permissions remain the same regardless of the protocol (e.g. HTTP, FTP, SMB) being used to access the content stored in the IFS repository.
3.2 Conventional Encryption for GIS Data Protection in Storage
It is noteworthy that the IFS within a DBMS is capable of providing sufficient security for spatial files. If necessary, encryption can be employed to provide additional security for confidential and sensitive GIS information. Oracle Advanced Security in Oracle 9iAS supports industry-standard encryption algorithms including RSA's RC4, DES and 3DES, and can be used for spatial data encryption [6]. Custom external encryption algorithms can be integrated into that security schema as well.
Data encryption can significantly degrade system performance and application response time. For performance testing, the Oracle 9i DBMS_OBFUSCATION_TOOLKIT was investigated (see Figure 4). Different key lengths give different timings: for example, the time difference between 16- and 24-byte keys is about 10-20%, but the difference between 24- and 32-byte keys is only about 5%. The average speed of 3DES encryption is about 2.5 sec per megabyte, or about 1 hour to encrypt or decrypt 1 GB of spatial data on a workstation (1.6 GHz Intel processor, Windows OS). Using special multiprocessor UNIX servers, encryption/decryption time can be reduced to 10-20 minutes, or in the best case to several minutes, which is acceptable in a real environment where decryption/encryption of spatial data should be performed once per session. To keep encrypted GIS data files in IFS, the standard Oracle encryption and newly developed encryption algorithms were analyzed and investigated for performance.
To provide encryption or decryption of sensitive application data, decryption procedures can be activated by database triggers for authenticated users (during log-in). On log-off, the user again fires the trigger, which should execute the procedure to encrypt all the modified files, or to replace the decrypted files in the IFS LOB objects with the already-encrypted files from the temporary storage of encrypted files. If the connection to the database is lost by accident, changes to files should be committed or rolled back by the DBMS and the modified data encrypted back into the permanent LOB objects. Decryption and encryption of spatial data files will slow down user interaction with the system. These delays occur on two occasions: when the user logs in and logs out, or when there is a session failure.
3.2.1 New Encryption Algorithm for GIS Data Protection in Storage
Special approaches were developed to use encryption for large files in Oracle. To encrypt LOB data objects, the procedure splits the data into smaller binary chunks, then encrypts them and appends them back to the LOB object. Once the encrypted spatial data files have been allocated into LOB segments, they can be decrypted by chunks and written back to the BLOB object. For read-only spatial data files, an additional LOB object, encrypted once, should always be kept. This saves time in the encryption procedure during log-off: the decrypted spatial data files are simply replaced by the read-only encrypted spatial data files in the main permanent storage during log-off.
The algorithm for encryption of binary and text files proposed by V. Ustimenko [13] is more robust than DES and 3DES and has strong resistance to attacks in which the adversary has the image data and the ciphertext. This algorithm can be applied to encrypt the spatial raster and vector data types which are commonly used in GIS.
The encryption algorithm is based on a combinatorial algorithm of walking on a graph of high girth. The general idea is to treat vertices of a graph as messages and arcs of a certain length as encryption tools. The encryption algorithm has linear complexity and uses a nonlinear function for encryption, so it resists different types of attack by an adversary. The quality of such encryption, measured by comparing the probability of guessing the message (vertex) at random with the probability of breaking the key, i.e. guessing the encoding arc, is good in the case of graphs of high girth. In fact the quality is good for graphs which are close to the Erdos bound defined by the Even Cycle Theorem [2, 3]. In the case of algebraically defined graphs with special colorings of vertices there is a uniform way to match arcs with strings in some alphabet. Among them can be found ''linguistic graphs'' whose vertices (messages) and arcs (encoding tools) can both be naturally identified with vectors over GF(q), with the neighbors of a vertex defined by a system of linear equations. The encryption algorithm is a private key cryptosystem which uses a password to encrypt the plaintext and produces a ciphertext.
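The following Python sketch is an added, constructed illustration of the two mechanisms described above: the chunk-by-chunk processing of a large object (Section 3.2.1) and the graph-walk principle (messages are vertices identified with vectors over GF(p), the password is a string of vertex colours, encryption is a walk of length l, and decryption is the same walk retraced). It is not the paper's PL/SQL code and not Ustimenko's published D(n,q)-based algorithm [13], whose incidence equations are not given on this page; the bipartite incidence rule, the block length N, the padding scheme and the password-to-colour mapping are all assumptions made for this example, with p = 127 taken from the paper's test setting.

```python
"""Toy graph-walk cipher over GF(P): vertices are messages, colour strings
are keys, encryption walks along the graph and decryption retraces the walk.

Constructed illustration only; NOT the published D(n,q) algorithm [13].
The incidence relation below is an assumption chosen so that each vertex
has exactly one neighbour of every colour (a P-regular bipartite graph).
"""

P = 127  # alphabet size: prime, ASCII without DEL, as in the paper's tests
N = 8    # block (vertex) length: every vertex is a vector in GF(P)^N

# Assumed incidence rule: point y and line x are adjacent iff
#     x[i+1] - y[i+1] == x[0] * y[i]   (mod P)   for i = 0 .. N-2.
# Fixing the first coordinate (the "colour") of the neighbour leaves a
# triangular system of N-1 linear equations with a unique solution, so a
# step costs O(N) and a walk of length l costs O(N*l): linear complexity.
# The product x[0]*y[i] makes the overall map nonlinear in the message.


def point_to_line(y, colour):
    """Unique line adjacent to point y whose first coordinate is `colour`."""
    x = [colour % P]
    for i in range(N - 1):
        x.append((y[i + 1] + x[0] * y[i]) % P)
    return x


def line_to_point(x, colour):
    """Unique point adjacent to line x whose first coordinate is `colour`."""
    y = [colour % P]
    for i in range(N - 1):
        y.append((x[i + 1] - x[0] * y[i]) % P)
    return y


def key_colours(password):
    """Password -> non-zero colour increments, so the walk never backtracks."""
    if not password:
        raise ValueError("password must not be empty")
    return [(ord(ch) % (P - 1)) + 1 for ch in password]


def walk(vertex, increments, start_is_point):
    """Walk len(increments) arcs; each step's colour = previous + increment."""
    v, colour, is_point = list(vertex), vertex[0], start_is_point
    for inc in increments:
        colour = (colour + inc) % P
        v = point_to_line(v, colour) if is_point else line_to_point(v, colour)
        is_point = not is_point
    return v


def encrypt_block(block, increments):
    """Ciphertext block = end vertex of the walk from the message (a point)."""
    return walk(block, increments, start_is_point=True)


def decrypt_block(block, increments):
    """Symmetric: retrace the walk by subtracting increments in reverse."""
    end_is_point = len(increments) % 2 == 0   # parity tells the vertex type
    return walk(block, [-inc for inc in reversed(increments)], end_is_point)


def _pad(symbols):
    pad = N - len(symbols) % N       # 1..N, so the pad is always removable
    return symbols + [pad] * pad


def encrypt(text, password):
    """Encrypt ASCII text in N-symbol chunks (mirrors chunked LOB handling)."""
    symbols = [ord(ch) for ch in text]
    if any(s >= P for s in symbols):
        raise ValueError("only characters 0..126 are representable in GF(127)")
    inc = key_colours(password)
    out = []
    for i in range(0, len(_pad(symbols)), N):
        out.extend(encrypt_block(_pad(symbols)[i:i + N], inc))
    return out


def decrypt(cipher, password):
    """Decrypt chunk by chunk, then strip the padding."""
    inc = key_colours(password)
    symbols = []
    for i in range(0, len(cipher), N):
        symbols.extend(decrypt_block(cipher[i:i + N], inc))
    return "".join(chr(s) for s in symbols[:-symbols[-1]])


if __name__ == "__main__":
    msg = "POINT(178.4 -18.1) Suva"        # constructed WKT-like sample
    ct = encrypt(msg, "s3cret-pass")
    print(ct)                               # list of GF(127) symbols
    assert decrypt(ct, "s3cret-pass") == msg
```

The round trip works because each vertex has exactly one neighbour of a given colour, so knowing the end vertex and the password fixes the whole path back to the message; a password of odd length ends on a line rather than a point, which `decrypt_block` handles via the parity check.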

The developed prototype model allows testing the resistance of the algorithm to attacks of different types. The initial results from such tests are encouraging.
For the case p=127 (the size of the ASCII alphabet minus the delete character), some values of t(k,l) [the time needed to encrypt (or, by symmetry, decrypt) a file of size k Kilobytes with a password of length l (key space roughly 2^(7l))], processed on an Intel Pentium 1.6 GHz workstation (Oracle 9i DBMS Server, PL/SQL programming language), are shown in the matrix in Table 1.
Our results presented in Table 1 indicate that the encryption/decryption time is linearly correlated with the file size. Roughly, it takes about 60 seconds to encrypt a 51 KB file with a 16-byte password using PL/SQL functions, and about 17 minutes for 1 MB. If a more powerful 2-4 processor workstation and C++ or Macro Assembler are used to rewrite the encryption/decryption functions, encryption time will be decreased further by several dozen times; e.g. for a 100 MB file it can reach 20-30 minutes encryption/decryption time, which is usable for practical implementation. Taking into consideration that 10-20 processor systems are a practical industrial server solution (expected to be common in the near future), GISS encryption/decryption time can be reduced to less than 5 minutes.
Table 1. Processing time t(k,l) for encryption/decryption by the New Algorithm as compared with RC4 (rows: file size k in KB; columns: password length l in bytes)

                    New Algorithm (s)                RC4 (s)          Difference (times)
Kb / L        48     40     32     24     16      48    40    32      48     40     32
7.6           26     22     17     14      9       1     1     1      26     22     17
51.5         179    149    119     90     60       8     8     8    22.4   18.6   14.9
96.6         335    279    223    169    112      14    15    15    23.9   18.6   14.9
305.0       1061    883    706    529    353      45    47    24    23.6   18.8   14.9
397.0       1379   1145    913    685    458      59    62    31    23.4   18.5   14.9
Currently, program code and encryption algorithm optimization are under investigation by the authors and will be the subject of our future publications.


4 Conclusion
N-tier architectures and Web Services are making the application layer more complex and fragmented. The solution for protection lies in applying a security framework to all subsystems and components of the n-tier system. This framework has to comply with the industry security requirements of the major application development models.
GIS data management and Mapping Services are primary considerations when developing GIS n-tier architectures. There are several reasons for supporting n-tier architectures for spatial applications; the major ones include providing user access to data resources and GIS services through the Web while at the same time providing better data and service protection. A framework of standard security mechanisms can be used to improve security at critical points of spatial information flows within the GIS Application Server. Security solutions for GIS distributed systems can be approached in ways similar to e-commerce applications, but can be specific to spatial data security management as it relates to spatial data types, large binary files and presentation logic.
Often, file servers are used to store GIS data. A file system within a database instance provides safer and more secure storage for spatial files, with a centralized authentication and access control mechanism in a legacy DBMS. By using additional encryption, an FSDB is able to guarantee that access control is enforced in a consistent manner, regardless of which protocol or tool is being used to access the repository. Our encryption model would provide a secure working environment for GIS clients to store and transfer spatial data over the network. For this purpose we utilize existing and new fast nonlinear encryption algorithms with flexible key sizes based on the graph-theoretical approach.

References
[1] ArcIMS 4 Architecture and Functionality (2002) An ESRI White Paper
[2] Biggs NL (1988) Graphs with large girth, Ars Combinatoria 25, pp 73-80
[3] Bollobas (1976) Extremal Graph Theory, Academic Press
[4] Computer Networking: A Top-Down Approach Featuring the Internet (2001) Addison Wesley Longman, Online Course
[5] De S, Eastman CM, Farkas C (2002) Secure Access Control in a Multi-user Geodatabase, 22nd Annual ESRI International User Conference
[6] Heimann J (2003) Oracle 9i Application Server, Release 2, Security
[7] iWrapper software (2002) eSpatial, http://www.espatial.com/products/iwrapper.htm
[8] New name: The Oracle Content Management SDK (2003) http://otn.oracle.com/products/ifs/content.html
[9] OpenGIS Web Map Server Interface Implementation Specification, Revision 1.0.0 (2000) OpenGIS Project Document 00-028
[10] Security and ArcIMS (2001) An ESRI White Paper
[11] Security and the Oracle Internet File System, Oracle Internet File System (2000) Technical White Paper
[12] System Design Strategies (2003) An ESRI White Paper
[13] Ustimenko V (2002) Graphs with special arcs and Cryptography, Acta Applicandae Mathematicae, 74, pp 117-153
[14] Web Services Security: SOAP Message Security 1.0 (2004) OASIS, WS-Security, http://www.oasis-open.org/committees/documents.php
[15] WebLogic Security Framework: Working with Your Security Eco-System (2003) BEA, White Paper
[16] WebSphere (2003) Web Services Handbook, IBM, Version 5
