Database Security
Ilya Dovidovskii
Andy Hill
Fernando Medrano
John Tran
Ralph Ware



CS4235A - Database Security
Agenda
• Introduction
  – Database security risks in industry
  – Profile of Company X
• Storage Models
  – Server Based Database Storage
  – Client Based Database Storage
  – Chip-Secured Data Access Model
  – Query Evaluation
• Query-Cost Model
  – Overview
  – Advantages / Disadvantages
• Implementation
  – Encrypted Table Translation
  – Encrypted Query Evaluation
  – Program Demonstration
• Conclusion
• Questions

Company X
• National distribution of widgets
• One store with four satellite sites
  – Need access to data across a network
• Over 100K records, up to 200 fields
• Sensitive data (client data, profits)
• Four tiers of security access
• Looking for a cost-effective solution
• High probability of security attacks from competitors

Server Based Storage
• Database is typically encrypted
• Decryption occurs at the server
• DBA retains full access to data
  – Query execution
  – Access rights management
• Security Administrator (SA) separates the database server from the security server

Client Based Storage
• Decryption occurs at the client
• Exclusive access (privacy)
  – The client manages the keys
  – Efficiency is the main concern
• Confidentiality
  – A security mechanism is required on the client side to manage keys and access rights
• Difficult to share data across a network

Chip-Secured Data Access
• Smartcard provides a Secured Operating Environment (SOE)
• DBA only needed to issue smartcards
• Accessible across a network
• Smartcard
  – Highly secured
  – Cost effective

Chip-Secured Data Access
• Privacy and confidentiality
  – Self or user administered
  – Only encrypted data transmitted over the network
• Access rights defined on views
  – Query translation in the SOE
  – Part of query execution in the SOE
• Sensitive data is stored on the smartcard
• Constraints
  – Storage capacity limited by the smartcard
  – Slower processing time with large datasets

Query Execution
[Figure: two example queries evaluated through the SOE: "Total amount of orders passed by customer #22" and "Customers living in France"]

Query Cost Model
• Developed to address the vulnerabilities of the DSP model
  – Client based storage
  – Protection when physical security of the DB cannot be guaranteed
  – Hash-based encryption

Query Cost Model
• Advantages
  – Protection against inference attacks
  – Reliability not affected with a CF of 1
• Disadvantages
  – Client does extra work on the results
  – Efficiency suffers
  – Vulnerable to inference attacks when the table is small (~10-15 tuples)

Table Translation
[Figure: encrypted table translation]

Query Execution
What the user needs to enter:

    SELECT FirstName, LastName
    FROM tblCustomer
    WHERE tblCustomer.State = 'NH'

How the program translates the query (every letter shifted by two positions, identifiers and literals alike):

    SELECT HktuvPcog, NcuvPcog
    FROM vdnEwuvqogt
    WHERE vdnEwuvqogt.Uvcvg = 'PJ'

Query Execution

    SELECT HktuvPcog, NcuvPcog
    FROM vdnEwuvqogt
    WHERE vdnEwuvqogt.Uvcvg = 'PJ'

• The program scans the encrypted table for this query and selects all rows (tuples) where the condition holds
• Only the first attribute is returned, so only one decryption is necessary
• After it has been decrypted, a scan is performed to pick out only the fields requested (FirstName, LastName)
• What is displayed to the user: Carole Vermeren

Query Execution
• Where the encryption mechanism fails: ranged queries

    SELECT *
    FROM tblCustomer
    WHERE tblCustomer.ID > 50

  The encryption does not preserve the original ordering of values, so a range query evaluated on the encrypted table does not return meaningful results.
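The translation, the encrypted-table scan and the range-query failure above, worked through in code. This is an added example and not the presenters' demo program: it models the slides' translation as the letter shift by two that the translated query shows (tblCustomer becomes vdnEwuvqogt, 'NH' becomes 'PJ'), shifts digits by seven (an assumption made only so that ID values can be encrypted too), uses a constructed four-row customer table, and translates only the single-table equality form shown on the slides. The server compares ciphertext with ciphertext and returns whole encrypted rows; the client decrypts and projects. `ids_greater_than` shows the range query returning a wrong row set, and `ciphertext_frequencies` shows the inference exposure the Query Cost Model slide warns about: with a deterministic cipher the server can count how many rows share a value without decrypting anything.

```python
"""Toy model of the slides' query translation over an encrypted table.

Added example, not the presenters' demo program. The cipher is the
deterministic shift by two letters visible in the slides (tblCustomer ->
vdnEwuvqogt, 'NH' -> 'PJ'); shifting digits by seven is an assumption made
so that ID values can be encrypted too. The customer rows are constructed.
"""
import re
import string

LETTER_SHIFT = 2   # from the slides' translated query
DIGIT_SHIFT = 7    # assumption for this example; any non-order-preserving map will do


def shift_text(text, letters, digits):
    """Shift letters within a-z / A-Z and digits within 0-9; other characters pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[(string.ascii_lowercase.index(ch) + letters) % 26])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[(string.ascii_uppercase.index(ch) + letters) % 26])
        elif ch in string.digits:
            out.append(string.digits[(int(ch) + digits) % 10])
        else:
            out.append(ch)
    return "".join(out)

def enc(s):
    return shift_text(s, LETTER_SHIFT, DIGIT_SHIFT)

def dec(s):
    return shift_text(s, -LETTER_SHIFT, -DIGIT_SHIFT)

# Constructed plaintext rows; the server never sees this form.
PLAIN_TABLE = [
    {"ID": "12", "FirstName": "Carole", "LastName": "Vermeren", "State": "NH"},
    {"ID": "48", "FirstName": "Alice", "LastName": "Martin", "State": "VT"},
    {"ID": "51", "FirstName": "Bob", "LastName": "Leroy", "State": "ME"},
    {"ID": "77", "FirstName": "Dana", "LastName": "Stone", "State": "VT"},
]

def encrypt_table(rows):
    """Encrypt every column name and every cell: this is what the server stores."""
    return [{enc(col): enc(val) for col, val in row.items()} for row in rows]

ENC_TABLES = {enc("tblCustomer"): encrypt_table(PLAIN_TABLE)}

# Only the single-table equality form used on the slides is translated.
_EQ_QUERY = re.compile(
    r"SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)\s+WHERE\s+"
    r"(?P<qtable>\w+)\.(?P<col>\w+)\s*=\s*'(?P<lit>[^']*)'",
    re.IGNORECASE,
)

def translate_query(sql):
    """Client side: shift identifiers and the literal so the server can match ciphertext."""
    m = _EQ_QUERY.fullmatch(sql.strip())
    if not m:
        raise ValueError("only single-table equality queries are supported")
    cols = [c.strip() for c in m.group("cols").split(",")]
    return {"cols": [enc(c) for c in cols], "table": enc(m.group("table")),
            "col": enc(m.group("col")), "lit": enc(m.group("lit"))}

def server_equality_scan(q):
    """Server side: ciphertext compared with ciphertext; matching rows come back still encrypted."""
    return [row for row in ENC_TABLES[q["table"]] if row[q["col"]] == q["lit"]]

def run_query(sql):
    """Round trip: translate, scan on the server, decrypt and project on the client."""
    q = translate_query(sql)
    return [tuple(dec(row[c]) for c in q["cols"]) for row in server_equality_scan(q)]

def ids_greater_than(bound):
    """Range query WHERE ID > bound: the true answer vs. what a ciphertext comparison returns."""
    truth = sorted(int(r["ID"]) for r in PLAIN_TABLE if int(r["ID"]) > bound)
    table, col = enc("tblCustomer"), enc("ID")
    served = [r for r in ENC_TABLES[table] if int(r[col]) > int(enc(str(bound)))]
    return truth, sorted(int(dec(r[col])) for r in served)

def ciphertext_frequencies(enc_col):
    """Server-side inference: deterministic ciphertext reveals which rows share a value."""
    counts = {}
    for row in ENC_TABLES[enc("tblCustomer")]:
        counts[row[enc_col]] = counts.get(row[enc_col], 0) + 1
    return counts

if __name__ == "__main__":
    user_sql = "SELECT FirstName, LastName FROM tblCustomer WHERE tblCustomer.State = 'NH'"
    print(translate_query(user_sql))
    print(run_query(user_sql))            # [('Carole', 'Vermeren')]
    print(ids_greater_than(50))           # ([51, 77], [12, 51, 77]): the range result is wrong
    print(ciphertext_frequencies(enc("State")))
```

Running the file prints the translated query, the decrypted result row, the mismatch between the true set of IDs above 50 and the set the server's ciphertext comparison produces, and the per-state counts the server can read off without any key. The last two outputs are the practical caveats: a deterministic, non-order-preserving cipher rules out range predicates on the server, and the equality it does preserve is exactly what an inference attack exploits on a small table.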
Implementation
• Demonstration

Conclusion
• Database security is essential for any company trying to secure data
• C-SDA / Query Cost model offer an efficient solution for Company X
• Everyone wants to sell widgets…

Questions?

				