Database security applied distributed system with public key
Kyung-kug Kim, Yang-kyu Lim and Dong-ho Won
School of Electrical and Computer Engineering
Sungkyunkwan University
300, Chunchun-Dong, Jangan-Ku,Suwon, Korea, 440-746
{kkkim, yklim, dhwon}@dosan.skku.ac.kr
Abstract: This paper addresses distributed resource management and access control. We propose a scheme of “The DB security applied Distributed system with public key”. This paper handles a method for role based access control, and distributed firewall, a method allowing users to
manage resources within a distributed system across administrative domain boundaries with interlocking operating systems by verifiable authentication scheme.
Keywords: Database Security, Public key, authentication scheme
Introduction
tem each other [1].
A database is a collection of permanent data,
managed by the Database Management
Sytems(DBMSs). The target of a DBMS is that
it is able to access efficiently applicationdefined subsets of data in a DB.
The database protection requirements are as follows:
Although the increasingly widespread use of
both centralized and distributed database has
proved necessary to support business functions,
it has also posed serious problems of data security [6]. The increasing development of information technology arise several problems such
as assuring system continuity and reliability
and to protect data and programs from intrusions, modifications, theft and unauthorized
disclosure.
This paper addresses distributed resource management and access control. We proposes a
new version of “The DB security applied Distributed system with public key”.
This paper handles a method for role based
access control, and distributed firewall, a
method allowing users to manage resources
within a distributed system across administrative domain boundaries with operating systems
by verifiable authentication scheme.
Related works
Database security problems
Information security in a database includes
three main aspects: secrecy, integrity, and
availability.
They means preventing /detecting /deterring
the malicious disclosure, modification and denial of access to services provided by the sys-
- Protection from improper access and interference
- Integrity of the database
- Operational and semantic integrity of data
- Accountability and auditing
- User authentication
- Management and protection of sensitive
data
- Multilevel protection and confinement
And Database protection can be obtained through
security measures such as flow control, interference control, access control and cryptographic
techniques.
The field of the practical implementation is
that , in bi-directional broadcasting TV system,
users demand TV digital program and TV system(server) authenticate the each user with verifiable self-certified public key.
Design of secure OS
The security mechanisms provide to a processing
system and to its applications are based firstly on
the security functions available in its Operating
System(OS). They constitute the grounds for database security but owing to the different kind of
resources to be protected in a database, the OSprovided protection functions prove insufficient
to support database security policies. So we consider the OS security mechanisms by the design
of secure OS and by using additional specialpurpose security software.
Generally, an OS provides some data protection
functions. Data protection means checking that
152
only authorized users access the resource containing the data. So we adapt the OS security
functions as follows [2]:
- User identification/authentication
- Memory protection
- Access control to resources
- Flow control
- Auditing
In many OSs, the different protection mechanisms are provided by modules[2] . It is Kernel-based approach.
different clearness and act as reference monitor, it
sees all the data required to answer a query, and
is enabled to eliminate from the returned data
view those data for which the user is not cleared.
- DBMS: it is responsible for multilevel protection of the data base objects.
Trusted Filter(TF) is inserted between
the FE and the DBMS.
TF is responsible for enforcing security functions
and multilevel protection and for the generation
of its own audit records.
Security kernel must satisfy the following
properties such as Completeness, Isolation, and
Verifiability.
A stamp is generated using a cryptoseal
mechanisms such as timestamp and serial number
for checksum technique. It is stored in an encrypted format into the database.
The kernel supports and monitors the following
functions [3] such as multiprocessing, execution domain switching, memory protection, I/O
operations.
At the moment of retrieval, stamps are recomputed by the FE and matched against the stored version, to detect possible mismatches, before data is
released to the user.
The problems in a distributed environment
However, a stamp-based mechanism is insufficient to guarantee security because of Trojan
Horses leakage risks.
Most of the computer systems in use are based
on security model. We will point out the problems when working in a distributed environment [4].
- User-names are often duplicated across namespace domains in a distributed system.
- Location transparency may not be possible.
- Unique user identifiers based on user-name
and host-name combinations.
This means that security is a problem since the
security of the distributed system depends on
the security of the individual hosts.
- The administration is reluctant to permit a
single user to have multiple user-names.
- It may be difficult to share resources with
other users on other computer systems without
getting permission from the administration for
real-time applications.
- In hierarchical systems, it is difficult to model
and implement harmoniously.
To avoid these threats, selections, projections,
subquery handling, query optimization and statistical operations must be placed in the TF, or in
the FE, and not in the DBMS.
The basic function of OS-level are authentication,
identification, access control and auditing.
Trusted OS: it is responsible for the
physical access to data in the database, and for
enforcing mandatory protection.
Audit records are generated by the trusted OS for
operations concerning access to OS objects, and
other audit records must be generated for DBMS
operations and recorded in a system high audit
trail, possibly with the same format as the OS
audit records [5].
Proposal Model
Security checking lists for database
Interlocking with Operating systems
Our security model is defined through:
If an improper user accesses the system and
pretends a root, then OS kernel monitor his
public-key which is calculated with his-ID,
with interlocking OS and checks the user-id,
group-id, etc.
We will introduce the process architecture[10].
- Identification of the subjects and objects relevant from a security viewpoint.
- Identification of the access modes granted to
different subjects on different objects, recognizing possible constraints on access.
- Analysis of the propagation of authorizations in
the system through grant/revoke privileges.
- Front End(FE): it interfaces the users with
153
The checking lists for the database are as follow:
- Account, network, object integrity
- Login parameters, Password strength
- User files, startup files
- File attributes, file access, file find
- System auditing, mail, system queues
- OS patch and discovery
public key. The user’s attributes-identity, secret
key, public key, etc-satisfy a computational unforgeable relationship, which is verified implicitly during the proper use of keys in any cryptographic protocol.
1.
(verifiability) Furthermore, if necessary,
there is an efficient way to verify the authenticity
of the public key after knowing a witness.
Authentication with interlocking OS
A scheme using RSA digital signature scheme
Girault’s self-certified public keys
Set-up:
For simplicity we only describe a scheme using
RSA/Rabin digital signature scheme. In the setup phase, the CA(Certificate Authority) chooses a RSA modulus n  p  q such that
p and q are large prime integers, generates an
integer e coprime to p  1 and q  1 , and
the inverse d of e modulo ( p  1)  (q  1) .
Then it computes an integer  of maximal order in the multiplicative group ( Z / nZ )* . The
CA makes n , e and  public, whilist keeps
p , q and d secret.
The Key generation phase consists of two steps.
First, each user randomly chooses a secret key
x , computes his public key y    x (mod
n ) and gives y to the CA. Then he proves to
the CA that he knows x without revealing it.
Afterwards the CA computes the witness as a
RSA signature of the modular difference of
  x and user’s identity I :
So the following equation holds:
(mod n ).
(1)
However, in Girault’s self-certified keys, anyone can obtain the pair( y ,  ) satisfying the
equation (1) by only the known-key attack:
R Z n ,
y  e  I
a base   1 of order
(i.e.,  r  1 (mod n)) .
-
r  p 'q '
a larger integer u  r , and
-
a one-way hash function h which will
output positive odd integers between 2128 and
p' (and q ' ). This can be easily implemented by
flipping the least significant bit, if even.
The DBMS makes n ,  , u , f public, keeps
p and q secret.
Verifiable self-certified key generation:
OS who asks the DBMS receives a witness  A
is generated as follows:
  ( y  I ) d (mod n ).
e  I  y
an integer n 2512 as the product of two
large distinct random prime p and q of almost
the same size, such that p  2 p '1 and
q  2q '1 , where p' and q ' are also prime integers,
(mod n ).
So if the verification of a digital signature fails
using a self-certified public key it is uncertain,
whether the signature or the public key is incorrect.
Verifiable self-certified public keys
Definition 1.(verifiable self-certified public
keys) Verifiable self-certified public key
scheme satisfies the following two conditions:
1 OS chooses her secret key xA  u as a random
integer and computes her public key as
y A    xA
Next, OS visits the DBMS and gives y A to it.
2. The DBMS, after having checked the Alice’s
identity, prepares the corresponding IDA , and
compute
1
 A  ( y A  IDA ) h( y A ) (mod n ). (2)
DBMS transmits  A to OS.
Then, OS’s verifiable self-certified public key is  A and eA  h( y A ) .
Now, this set-up will enable OS to explicitly
check the authenticity of public key y A , since,
given the pair( y A ,  A ), the following equation
holds:
 h ( y )  IDA  y A (mod n ).
A
(self-certification) The witness is equal to the
(mod n ).
154
Key exchange protocol:
ed system with public key”.
Let ( IDA , x A ,  A , eA ) be the attributes of OS,
( IDB , xB , B , eB ) those of malicious attacker.
They can simply exchange an authenticated
key by choosing (See Fig.1):
We handles a method for role based access control, and distributed firewall, a method allowing
users to manage resources within a distributed
system across administrative domain boundaries
with interlocking operating system.
K AB  ( B B  IDB ) x A  ( A A  IDA ) x B
   x A  x B (mod n ).
e
e
OS
DBMS
e A  h( y A )
eB  h ( y B )
 A , eA
 B , eB
K AB  ( A A  ID A ) xB
e
K AB  ( B B  IDB ) x A
e
Fig.1: Verifiable self-certified key exchange
protocol
This protocol is related to Girault’s one. But
contrary to it, if the key exchange protocol fails,
each user can verify the authenticity of the
public key by computing :
~
y A( B ) ? ~AA((BB))  IDA( B ) (mod n ),
eA( B )  h( y A( B ) ).
e
Proposed Architecture for secure DB
User
Front End
Trusted filter
Cryptographic tool
Append
Stamp
Query
Check
Stamp
Store
Response
DBMS
Authentication
We also solved the interlocking problem with OS
for database security. And copyright protection
problem has been solved with public key. The
security of the proposed schemes is based on both
rth-residues problem and discrete logarithm problem.
Access
control
Auditing
Trusted OS
Reference
1. Courtney R.H. (1990). Factors affecting the
availability of security measures in data processing system components. In proc. 13 th National Computer Security Conf. 10. 1990
2. Tanenbaum A.S. (1998). Operating systems
Design and Implementation. Prentice-Hall.
3. Pfleeger C.P. (1989). Security in Computing.
Prentice-Hall.
4. Steven J.G. (1996). A New security policy for
distributed resource management and access control. Proc. ACM
5. Lunt T.F. (1998). A near-term design for the
SeaView multilevel database system. In Proc.
IEEE symposium on Security and Privacy.
6. Parker D.B. (1984). The many faces of da ta
vulnerability. IEEE Spectrum, 21(5).
Prospects (Landwehr C.E., ed.), Elsevier NotrhHolland, IFIP
7. M. Girault, “Self-certified public keys,” Advances in Cryptology(Proceedings of EuroCrypt’91), Lecture Notes in Computer Science,
vol.547, Springer-Verlag, 1991, pp.490-497.
8. H. Petersen and P. Horster, “Self-certified keys
– concepts and applications,” Proc.3.Conf. on
Communication and Multimedia Security, September 22-23, 1997, Chapman&Hall
9. R.L. Rivest, A. Shamir and L. Adleman, “A
method for obtaining digital signatures and public-key cryptosystems,” CACM, Vol.21, no.2, Feb.
1978, pp. 120-126.
10.Granbart R. The Integrity lock approach to
secure database management. In Proc. IEEE
symp. On security and privacy, 4.1984.
DataBase
Conclusion
This paper addresses distributed resource management and access control. We propose a new
scheme of “The DB security applied Distribut155