
Cairo University

Faculty of Engineering
Biomedical & Systems Engineering Dept.

Database Security and Encryption


By:

Muhammad H. Hammam (Sec: 1, B.N: 9)
Ahmad Khairy Sanad (Sec: 1, B.N: 9)
Mamdoh Tal'at Sa'ad (Sec: 4, B.N: 19)
Hossam Nabil Ahmad (Sec: 2, B.N: 8)
A. Dahi Abdelmaksoud (Sec: 3, B.N: 5)
Sherif M. Mansour (Sec: 2, B.N: 41)

Under Supervision Of:

Prof. Ahmad Hisham

Copyright © 2007 by Muhammad H.Hammam


''The copyright of this report rests with the author. No quotations from it should be
published without the author's prior written consent, and information derived from it
should be acknowledged.''
Chapter 1
Database Security
By Muhammad H.Hammam

1.1 Introduction

Database Management Systems (DBMS) apply many security rules, both for managing the
database and for the users of the database, and these rules differ from one database
system to another. Here we describe the most widely used database systems (Oracle,
MySQL, MS-SQL Server 2000, Sybase, etc.) in order to present the main uses of the
security mechanisms and tools in the various DBMSs.

The Role of the Database Administrator (DBA):

Careful management of the DBMS permits faster and more reliable execution of
transactions and other units of work. To guarantee this there should be a central
authority that manages the database system and the users who deal with the database;
this authority is called the DBA, or database administrator. The database administrator
has all the permissions for adding, deleting or changing the users of the database,
which makes the database system more secure. The user account of the DBA is called
the super account or system account; it provides powerful capabilities that are not
made available to regular database accounts and users.

Assume an organization has a database system but no DBA who controls the DBMS of
this organization. All the employees or users of the database could then change the
queries or the structure of the database without any knowledge of the consequences,
which puts you in danger of losing some of your data, including important data. That
is for a local area network; but what about a connection to the Internet? All the data
in the database would then be available to everyone who can hack your data.

Operating systems (such as Windows, Linux, UNIX, etc.) have some security tools, and
new versions of these operating systems bring updated security tools, but that is not
enough to secure your database. You also have to use the security tools of the
database itself to guarantee that your database is kept out of reach of hackers and
ignorant users.

Overview of DBMSs and their security tools

You may need a database system for your personal computer or for your company.
Choosing one, and the number of licences you need, depends on multiple factors: your
preference, the tools of the system, the amount of your data, and your prediction of
how well the system can handle and secure that data.

So we give a short overview of the DBMSs that are famous and most used nowadays:

• Microsoft FoxPro
It is considered a powerful database, mainly for a single user. It uses some SQL
features in a limited way and stores its data in files with the XBase extension,
where every table is saved in a separate file.

• Microsoft Access
It is commonly used on personal computers running the Windows operating systems;
it uses SQL features more than FoxPro, and the database and its appendices are
stored in one file.

• Oracle
It is the most powerful DBMS because it has almost all the SQL standard features,
and beside those it has further features called PL/SQL. This DBMS includes all
security features and tools (full security), the ability to add security rules,
and the ability to specify the access level for all system components.

• Sybase or Transact-SQL
Microsoft and Sybase use the SQL Server database system, so the common language
shared between them is Transact-SQL. Beside that, the Sybase DBMS has the same
power, characteristics and security tools as the Oracle DBMS.

• MySQL Server
MySQL is supported with many features, tools, security systems and a qualification
measurement system, which make it a strong competitor to the other systems. It is
upgraded and developed rapidly, and most of its versions are open-source freeware,
which makes its cost incomparable with that of the other DBMSs. The security
features of MySQL differ from those of the other DBMSs because they are handled by
some automatic tools.

Security in the Oracle and MySQL DBMSs

After choosing and installing the DBMS you have to secure it. But before that we
have to take some points into consideration:

• Who will have the role of Database Administrator (DBA)?
• How many users will our database have?
• What are the competences of these users?
• How can we process and handle these users?
In this paper we describe how to secure your DBMS for Oracle and MySQL.

Oracle uses three factors or concepts for database security:

• USERS
• ROLES
• PRIVILEGES
MySQL uses only PRIVILEGES and USERS for the same purpose.

Access Protection, User Accounts, and Database Audits

Whenever a person or group of persons or users needs to access the database system,
they should have

1.2 Creating users

A USER is an account name that permits access to the Oracle DBMS, and this is the
main form of the Oracle syntax for creating users:

CREATE USER user
IDENTIFIED {BY password | EXTERNALLY | GLOBALLY AS 'directory_DN'}
[DEFAULT TABLESPACE tablespace]
[TEMPORARY TABLESPACE tablespace]
[QUOTA {integer [K|M] | UNLIMITED} ON tablespace]
[PROFILE profile]
[PASSWORD EXPIRE]
[ACCOUNT LOCK]

From the previous syntax form it is clear that the instruction has multiple options:

CREATE USER clause: Specify the name of the user to be created. This
name can contain only characters from your database character set.

IDENTIFIED clause: lets you indicate how Oracle Database authenticates the
user.

• BY password: The BY password clause lets you create a local user and
indicates that the user must specify a password to log on to the database.
Passwords can contain only single-byte characters from your database
character set, regardless of whether the character set also contains
multi-byte characters.

• EXTERNALLY clause: Specify EXTERNALLY to create an external user.
Such a user must be authenticated by an external service, such as an
operating system or a third-party service. In this case, Oracle Database
relies on authentication by the operating system or third-party service to
ensure that a specific external user has access to a specific database user.

• GLOBALLY clause: The GLOBALLY clause lets you create a global user. Such
a user must be authorized by the enterprise directory service (Oracle
Internet Directory). The directory_DN string can take one of two forms:

  • The X.509 name at the enterprise directory service that identifies
  this user. It should be of the form CN=username, other_attributes,
  where other_attributes is the rest of the user's distinguished name
  (DN) in the directory. This form creates a private global schema.

  • A null string (' ') indicating that the enterprise directory service will
  map authenticated global users to this database schema with the
  appropriate roles. This form is the same as specifying the
  GLOBALLY keyword alone and creates a shared global schema.

DEFAULT TABLESPACE clause: Specify the default tablespace for objects
that the user creates. If you omit this clause, then the user's objects are stored
in the database default tablespace. If no default tablespace has been specified
for the database, then the user's objects are stored in the SYSTEM tablespace.

TEMPORARY TABLESPACE clause: Specify the tablespace or tablespace group for
the user's temporary segments.

QUOTA clause: Use the QUOTA clause to specify the maximum amount of
space the user can allocate in the tablespace.

PROFILE clause: Specify the profile you want to assign to the user. The
profile limits the amount of database resources the user can use. If you omit
this clause, then Oracle Database assigns the DEFAULT profile to the user.

PASSWORD EXPIRE clause: Specify PASSWORD EXPIRE if you want
the user's password to expire. This setting forces the user or the DBA to
change the password before the user can log in to the database.

ACCOUNT clause: Specify ACCOUNT LOCK to lock the user's account and
disable access. Specify ACCOUNT UNLOCK to unlock the user's account and
enable access to the account.

Example of user creation in the Oracle DBMS:

CREATE USER muhammad
IDENTIFIED BY hammam
DEFAULT TABLESPACE example
QUOTA 10M ON example
TEMPORARY TABLESPACE temp
QUOTA 5M ON system
PROFILE app_user
PASSWORD EXPIRE;

The user muhammad has the following characteristics:

• The password hammam
• Default tablespace example, with a quota of 10 megabytes
• Temporary tablespace temp
• Access to the tablespace system, with a quota of 5 megabytes
• Limits on database resources defined by the profile app_user
• An expired password, which must be changed before muhammad can
log in to the database

MySQL differs in user creation: the user accounts are stored in a table called
user, and the password and privileges of every user are stored in it as well. The
MySQL system includes two databases as parts of it, one called mysql and the other
called test. When you log in to MySQL and switch to the mysql database to view its
tables, you get the following result:

mysql> use mysql;
Database changed
mysql> show tables;
Tables_in_mysql
columns_priv
db
func
help_category
help_keyword
help_relation
help_topic
host
tables_priv
time_zone
time_zone_leap_second
time_zone_name
time_zone_transition
time_zone_transition_type
user
15 rows in set

The above lists just the names of the tables that MySQL uses for storing system
information; whether you can use or handle them depends on your privileges.

From the above we find that MySQL uses ordinary tables to store the security data
and the system data of the MySQL DBMS.

To view the structure of the user table:

mysql> desc user;
desc user (31 records)

Field                   Type                                Null  Key  Default  Extra
Host                    varchar(60)                               PRI
User                    varchar(16)                               PRI
Password                varchar(41)                         N
Select_priv             enum('N','Y')                                  N
Insert_priv             enum('N','Y')                                  N
Update_priv             enum('N','Y')                                  N
Delete_priv             enum('N','Y')                                  N
Create_priv             enum('N','Y')                                  N
Drop_priv               enum('N','Y')                                  N
Reload_priv             enum('N','Y')                                  N
Shutdown_priv           enum('N','Y')                                  N
Process_priv            enum('N','Y')                                  N
File_priv               enum('N','Y')                                  N
Grant_priv              enum('N','Y')                                  N
References_priv         enum('N','Y')                                  N
Index_priv              enum('N','Y')                                  N
Alter_priv              enum('N','Y')                                  N
Show_db_priv            enum('N','Y')                                  N
Super_priv              enum('N','Y')                                  N
Create_tmp_table_priv   enum('N','Y')                                  N
Lock_tables_priv        enum('N','Y')                                  N
Execute_priv            enum('N','Y')                                  N
Repl_slave_priv         enum('N','Y')                                  N
Repl_client_priv        enum('N','Y')                                  N
ssl_type                enum('','ANY','X509','SPECIFIED')
ssl_cipher              blob
x509_issuer             blob
x509_subject            blob
max_questions           int(11) unsigned                               0
max_updates             int(11) unsigned                               0
max_connections         int(11) unsigned                               0

generated in 2/24/2007 2:24:27 PM by MySQL-Front 1.22

In MySQL we insert a user as follows:

-- the Password column holds a password hash, not the plaintext, so the
-- password is passed through PASSWORD(); the privilege columns are
-- enum('N','Y'). Rows written directly into the grant tables are read by
-- the server after FLUSH PRIVILEGES.
mysql> insert into user
    (host, user, password, select_priv, insert_priv)
    values
    ('localhost', 'muhammad', PASSWORD('hammad'), 'Y', 'Y');

We inserted a new user with the following values: the name muhammad and the
password hammad, and we selected here the privileges Select and Insert, i.e. he
can only use the SELECT and INSERT statements on the data tables.

The values for any user can be changed with the ALTER USER command, which has
the form (Oracle syntax):

ALTER USER user
IDENTIFIED {BY password | EXTERNALLY}
[DEFAULT TABLESPACE tablespace]
[TEMPORARY TABLESPACE tablespace]
[QUOTA {integer [K|M] | UNLIMITED} ON tablespace]
[PROFILE profile]
[DEFAULT ROLE {role [, role]...
| ALL [EXCEPT role [, role]...] | NONE}]

1.3 Creating Roles

A ROLE is considered one privilege, or a set of privileges, given to the user to
guarantee the use of certain options in the database. To give a role to a user we
use the following form:
GRANT role TO user [WITH ADMIN OPTION];

If we use WITH ADMIN OPTION, the user can in turn grant the role to other users. In
the following lines we describe all the roles and how to use these statements. To
remove a ROLE you use the REVOKE statement as shown:

REVOKE role FROM user;

When you access the database system after using the CREATE USER command (i.e.
with the account that was just created), you can only enter the system but have
no privileges to do anything, because anything else exceeds the limits of your
privileges. So you have to be registered in one of the roles that give the
privileges of connecting, using resources, or the DBA role.

The Oracle system lets you register a user in one of these roles:
• Connect
• Resource
• DBA

Connect role

This role is considered the least privileged role and is given to users who have
limited privileges. It gives permission to use the SELECT, INSERT, UPDATE and
DELETE commands and to CREATE TABLES, VIEWS AND CLUSTERS, and these
privileges come without further permissions.

GRANT CONNECT TO muhammad;
Grant succeeded

____________________________________

Resource Role

Besides the previous privileges there are other privileges which permit the creation
of procedures, triggers and indexes:
GRANT RESOURCE TO muhammad;
Grant succeeded
____________________________________

DBA Role

This role has all privileges; the users of this role have all the previous
privileges and more. After granting this role you can remove the other roles
(Connect, Resource) because they are useless for anyone who has the DBA role:

GRANT DBA TO muhammad;
REVOKE CONNECT FROM muhammad;
REVOKE RESOURCE FROM muhammad;

User Privileges

After you choose the role for every user of your database you have to choose the
permissions for every user. The Oracle system gives two types of permissions or
privileges:
• System privileges
• Object privileges
The first class applies to the whole system and has the general form:

GRANT system_privilege TO {user_name | role | PUBLIC}
[WITH ADMIN OPTION];

i.e. it can be given to a specific user or role, or published to all users (PUBLIC).
Chapter 2
Database Security
By:
Hossam Nabil, Mamdoh Talat, Abdelmaksoud Dahi, Sherif Mansour, Ahmad Khairy

2.1 Discretionary Access Control Based on Granting and Revoking Privileges

The typical method of enforcing discretionary access control in a database system is
based on the granting and revoking of privileges. The main idea is to include
statements in the query language that allow the DBA and selected users to grant and
revoke privileges.
2.2 Types of Discretionary Privileges
The concept of an authorization identifier is used to refer to a user account. The DBMS
must provide selective access to each relation in the database based on specific
accounts. Operations may also be controlled; thus, having an account doesn't
necessarily entitle the account holder to all the functionality provided by the DBMS.
Informally, there are two levels of assigning privileges to use the database system:
• The account level: At this level, the DBA specifies the particular privileges
that each account holds, independently of the relations in the database.
• The relation (or table) level: At this level, the DBA can control the privilege to
access each individual relation or view in the database.
The account-level privileges include the CREATE SCHEMA or CREATE TABLE
privilege, to create a schema or base relation; the CREATE VIEW privilege; the ALTER
privilege, to apply schema changes such as adding or removing attributes from
relations; the DROP privilege, to delete relations or views; the MODIFY privilege, to
insert, delete, or update tuples; and the SELECT privilege, to retrieve information
from the database by using a SELECT query.
The second level of privileges applies to the relation level, whether the relations
are base relations or virtual (view) relations.
Privileges at the relation level specify, for each user, the individual relations on
which each type of command can be applied. Some privileges also refer to individual
columns (attributes) of relations.
The granting and revoking of privileges generally follow an authorization
model for discretionary privileges known as the access matrix model.
To control the granting and revoking of relation privileges, each relation R in a
database is assigned an owner account, which is typically the account that was used
when the relation was created in the first place.
To control the granting and revoking of relation privileges, each relation R in a
database is assigned an owner account, which is typically the account that was used
when the relation was created in the first place.
In SQL the following types of privileges can be granted on each individual
relation R:
• SELECT (retrieval or read) privilege on R: Gives the account retrieval
privilege. In SQL this gives the account the privilege to use the SELECT
statement to retrieve tuples from R.
• MODIFY privileges on R: This gives the account the capability to modify
tuples of R. In SQL this privilege is further divided into UPDATE, DELETE
and INSERT privileges to apply the corresponding SQL command to R. In
addition, both the INSERT and UPDATE privileges can specify that only
certain attributes of R can be updated by the account.
• REFERENCES privilege on R: This gives the account the capability to
reference relation R when specifying integrity constraints. This privilege can
be restricted to specific attributes of R.

2.3 Revoking privileges

In some cases it is desirable to grant a privilege to a user temporarily. For
example, the owner of a relation may want to grant the SELECT privilege to a user
for a specific task and then revoke that privilege once the task is completed. Hence, a
mechanism for revoking privileges is needed. In SQL a REVOKE command is
included for the purpose of canceling privileges.

2.4 Propagation of privileges using the GRANT option

Whenever the owner A of a relation R grants a privilege on R to another
account B, the privilege can be given with or without the GRANT option. If the GRANT
option is given, this means that B can also grant that privilege on R to other accounts.
Suppose that B is given the GRANT option by A and that B then grants the privilege
on R to a third account C, also with the GRANT option. In this way, privileges on R can
propagate to other accounts without the knowledge of the owner of R. If the owner
account A now revokes the privilege granted to B, all the privileges that B propagated
based on that privilege should automatically be revoked by the system.
2.5 Specifying limits on propagation of privileges
Techniques to limit the propagation of privileges have been developed,
although they have not yet been implemented in most DBMSs and are not a part of
SQL. Limiting horizontal propagation to an integer number i means that an account
B given the GRANT option can grant the privilege to at most i other accounts.

Vertical propagation
Vertical propagation is more complicated; it limits the depth of granting of
privileges. Granting a privilege with a vertical propagation of zero is equivalent to
granting the privilege with no GRANT option. If account A grants a privilege to
account B with the vertical propagation set to an integer number j > 0, this means
that account B has the GRANT option on that privilege, but B can grant the privilege
to other accounts only with vertical propagation less than j. In effect, vertical
propagation limits the sequence of GRANT options that can be given from one account
to the next based on a single original grant of the privilege.
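The propagation and revocation rules of sections 2.4 and 2.5, modelled in Python as an added example (this is not code from the report or from any DBMS): one privilege on one relation R, grants with or without the GRANT option, the horizontal limit i and the vertical limit j, and the cascading revoke. The account names A, B, C, D and the limit values in the scenario are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Grant:
    """One grant of a single privilege (say SELECT on R) to one account."""
    grantor: str
    grantee: str
    grant_option: bool          # may the grantee pass the privilege on?
    horizontal: Optional[int]   # limit i: max number of onward grants (None = no limit)
    vertical: Optional[int]     # limit j: depth the grantee may pass on (None = no limit)
    given: int = 0              # onward grants made so far, checked against horizontal


class PrivilegeTable:
    """Who holds one privilege on one relation R, and who gave it to them."""

    def __init__(self, owner: str) -> None:
        self.owner = owner                    # the owner of R needs no grant
        self.grants: dict[str, Grant] = {}    # grantee -> the grant it received

    def holds(self, account: str) -> bool:
        return account == self.owner or account in self.grants

    def grant(self, grantor: str, grantee: str, grant_option: bool = False,
              horizontal: Optional[int] = None, vertical: Optional[int] = None) -> None:
        if self.holds(grantee):
            raise ValueError(f"{grantee} already holds the privilege")
        if vertical == 0:
            grant_option = False   # vertical propagation 0 is the same as no GRANT option
        if grantor != self.owner:
            src = self.grants.get(grantor)
            if src is None or not src.grant_option:
                raise PermissionError(f"{grantor} has no GRANT option to pass on")
            if src.horizontal is not None and src.given >= src.horizontal:
                raise PermissionError(f"{grantor} already granted to {src.horizontal} accounts")
            if grant_option and src.vertical is not None and (
                    vertical is None or vertical >= src.vertical):
                raise PermissionError(f"{grantor} may only pass on a depth below {src.vertical}")
            src.given += 1
        self.grants[grantee] = Grant(grantor, grantee, grant_option, horizontal, vertical)

    def try_grant(self, *args, **kwargs) -> bool:
        """grant() that reports refusal instead of raising; handy for audit scripts."""
        try:
            self.grant(*args, **kwargs)
            return True
        except (PermissionError, ValueError):
            return False

    def revoke(self, revoker: str, grantee: str) -> list[str]:
        """Cancel grantee's privilege and everything grantee propagated from it.

        Returns the accounts that lost the privilege, the revoked grantee first.
        """
        g = self.grants.get(grantee)
        if g is None or g.grantor != revoker:
            raise PermissionError(f"{revoker} did not grant the privilege to {grantee}")
        removed, pending = [], [grantee]
        while pending:
            acct = pending.pop()
            del self.grants[acct]
            removed.append(acct)
            # anything acct handed out depended on this grant, so it goes too
            pending.extend(x.grantee for x in self.grants.values() if x.grantor == acct)
        return removed


if __name__ == "__main__":
    # constructed scenario: A owns R, B gets SELECT with GRANT option and passes it on
    sel = PrivilegeTable(owner="A")
    sel.grant("A", "B", grant_option=True)
    sel.grant("B", "C", grant_option=True)
    sel.grant("C", "D")
    print("after A revokes B:", sel.revoke("A", "B"))   # B, C and D all lose it
```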

Mandatory Access Control and Role-Based Control for Multilevel Security

The discretionary access control technique of granting and revoking privileges on
relations has traditionally been the main security mechanism for relational database
systems. In many applications, an additional security policy is needed that classifies
data and users based on security classes. This approach, known as mandatory access
control, would typically be combined with the discretionary access control
mechanism. The need for multilevel security exists in particular in government,
military, and intelligence applications.
Typical security classes are top secret (TS), secret (S), confidential (C), and
unclassified (U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U.
Two restrictions are enforced on data access based on the subject/object
classification:
1. A subject S is not allowed read access to an object O unless class(S) ≥ class(O).
This is called the simple security property.
2. A subject S is not allowed to write an object O unless class(S) ≤ class(O).
This is known as the star property (*-property).
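The two restrictions above, implemented in Python as an added example (not code from the report): the ordering TS > S > C > U, the simple security property, the star property, and the view a subject gets of a multilevel relation. The EMPLOYEE rows and their classifications are constructed for the example.

```python
# Security classes, lowest to highest; the page's ordering is TS >= S >= C >= U
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def dominates(a: str, b: str) -> bool:
    """True when class(a) >= class(b)."""
    return LEVELS[a] >= LEVELS[b]


def can_read(subject_class: str, object_class: str) -> bool:
    """Simple security property: S may read O only if class(S) >= class(O)."""
    return dominates(subject_class, object_class)


def can_write(subject_class: str, object_class: str) -> bool:
    """Star property: S may write O only if class(S) <= class(O), so no write-down."""
    return dominates(object_class, subject_class)


def check_access(subject_class: str, object_class: str, op: str) -> bool:
    """Mediate one operation; anything other than read/write is refused."""
    if op == "read":
        return can_read(subject_class, object_class)
    if op == "write":
        return can_write(subject_class, object_class)
    return False


# Constructed multilevel relation: each tuple carries its own classification TC
EMPLOYEE = [
    {"Name": "Smith", "Salary": 40000, "TC": "U"},
    {"Name": "Brown", "Salary": 80000, "TC": "C"},
    {"Name": "Jones", "Salary": 120000, "TC": "S"},
    {"Name": "Black", "Salary": 150000, "TC": "TS"},
]


def visible_rows(subject_class: str, rows=EMPLOYEE) -> list:
    """The view a subject gets of the relation: only tuples it may read."""
    return [row for row in rows if can_read(subject_class, row["TC"])]


def writable_rows(subject_class: str, rows=EMPLOYEE) -> list:
    """Tuples the subject may update without moving data to a lower class."""
    return [row for row in rows if can_write(subject_class, row["TC"])]


if __name__ == "__main__":
    for cls in ("U", "C", "S", "TS"):
        print(cls, "reads", [r["Name"] for r in visible_rows(cls)],
              "writes", [r["Name"] for r in writable_rows(cls)])
```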

2.6 Comparing Discretionary Access Control and Mandatory Access Control

DAC policies are characterized by a high degree of flexibility, which makes
them suitable for a large variety of application domains. The main drawback of DAC
models is their vulnerability to malicious attacks, such as Trojan horses embedded in
application programs.
By contrast, mandatory policies ensure a high degree of protection in that
they prevent any illegal flow of information. They are therefore suitable for military
types of applications, which require a high degree of protection. However, mandatory
policies have the drawback of being too rigid, in that they require a strict classification
of subjects and objects into security levels.

2.7 Role-Based Access Control

RBAC emerged rapidly in the 1990s as a proven technology for managing and
enforcing security in large-scale, enterprise-wide systems.
RBAC appears to be a viable alternative to traditional discretionary and
mandatory access controls.
An important consideration in RBAC systems is the possible temporal
constraints that may exist on roles, such as the time and duration of role activation and
the time triggering of a role by the activation of another role.
RBAC models have several desirable features, such as flexibility, policy
neutrality, and better support for security management and administration. In contrast,
DAC and MAC models lack capabilities needed to support the security requirements
of emerging enterprises and web-based applications.
_____________________________________________________________________
2.8 Access Control Policies for E-commerce and the Web
Electronic commerce environments are characterized by transactions that
are done electronically. They require elaborate access control policies that go beyond
traditional DBMSs. In conventional database environments, access control is usually
performed using a set of authorizations stated by security officers or users according
to some security policies.
It is believed that the XML language can play a key role in access control for
e-commerce applications. The reason is that XML is becoming the common
representation language for document interchange over the web and is also becoming
the language for e-commerce.
Chapter 3
Encryption and Public Key Infrastructures
By:
Hossam Nabil, Mamdoh Talat, Abdelmaksoud Dahi, Sherif Mansour, Ahmad Khairy
Introduction
The previous methods of access and flow control, despite being strong
countermeasures, may not be able to protect databases from some threats. By using
encryption we can disguise the message so that, if the transmission of data is
diverted, the message will not be revealed. Encryption consists of applying an
encryption algorithm to data using some prespecified encryption key. The resulting
data has to be decrypted using a decryption key to recover the original data.

The Data and Advanced Encryption Standards

The Data Encryption Standard (DES) is a system developed by the U.S.
government for use by the general public. It has been widely accepted as a
cryptographic standard both in the United States and abroad. DES can provide
end-to-end encryption on the channel between the sender A and the receiver B. The
DES algorithm is a careful and complex combination of the fundamental building
blocks of encryption: substitution and permutation (transposition).

Public Key Encryption

Public key algorithms are based on mathematical functions rather than
operations on bit patterns. They also involve the use of two separate keys, in contrast
to conventional encryption, which uses one key. The use of two keys has
profound consequences in the areas of confidentiality, key distribution, and
authentication. The two keys are the public key and the private key. Invariably, the
private key is kept secret.
The public key encryption scheme or infrastructure has six ingredients:
1. Plaintext: this is the data or readable message that is fed into the algorithm as
input.
2. Encryption algorithm: it performs various transformations on the plaintext.
3. & 4. Public and private keys: they are a pair of keys that have been selected
so that if one is used for encryption the other is used for decryption.
5. Ciphertext: this is the scrambled message produced as output. It depends on
the plaintext and the key.
6. Decryption algorithm: this algorithm accepts the ciphertext and the
matching key and produces the original plaintext.
As the name suggests, the public key of the pair is made public for others to
use, whereas the private key is known only to its owner. A general-purpose public
key cryptographic algorithm relies on one key for encryption and a different but
related one for decryption. The essential steps are as follows:
1. Each user generates a pair of keys to be used for the encryption and
decryption of messages.
2. Each user places one of the two keys in a public register or other accessible
file.
3. If a sender wishes to send a private message to a receiver, the sender
encrypts the message using the receiver's public key.
4. When the receiver receives the message, he or she decrypts it using the
receiver's private key.
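The four steps above, carried through with textbook RSA as an added example (not code from the report). The primes 61 and 53, the exponent 17, the register dictionary and the message are constructed for the example; unpadded RSA on single bytes is used only to make the relationship between the two keys of the pair visible and is not a usable cipher.

```python
from math import gcd

# Step 2's "public register or other accessible file", constructed here as a dict
PUBLIC_REGISTER: dict = {}


def generate_keypair(p: int, q: int, e: int = 17):
    """Step 1: derive the (public, private) pair from two primes.

    Returns ((e, n), (d, n)); e*d == 1 mod phi(n) is what makes one key undo the other.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def publish(user: str, public_key) -> None:
    """Step 2: the public half is placed where any sender can look it up."""
    PUBLIC_REGISTER[user] = public_key


def apply_key(blocks, key) -> list:
    """Raise each block to the key exponent mod n; shared by encrypt and decrypt."""
    k, n = key
    return [pow(b, k, n) for b in blocks]


def encrypt(plaintext: bytes, key) -> list:
    """Ciphertext is one integer per byte; needs n > 255 so every byte is a valid block."""
    if key[1] <= 255:
        raise ValueError("modulus too small for byte-sized blocks")
    return apply_key(plaintext, key)


def decrypt(ciphertext: list, key) -> bytes:
    """Step 4: the inverse transformation with the matching key of the pair."""
    return bytes(apply_key(ciphertext, key))


def send_private(plaintext: bytes, receiver: str) -> list:
    """Step 3: the sender encrypts with the receiver's public key from the register."""
    return encrypt(plaintext, PUBLIC_REGISTER[receiver])


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)     # constructed small primes, n = 3233
    publish("receiver", pub)
    ct = send_private(b"database", "receiver")
    print(ct, decrypt(ct, priv))
```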
