Unit-3rd(Network Security)x - Fadoohelp.com

stagetofu, Artificial Intelligence and Robotics

29 Oct 2013

Download: www.fadoohelp.com



Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority.

Network security starts with authenticating the user, commonly with a username and a password. Since this requires just one detail authenticating the user name, i.e. the password, which is something the user 'knows', this is sometimes termed one-factor authentication. With two-factor authentication, something the user 'has' is also used (e.g. a security token or 'dongle', an ATM card, or a mobile phone); and with three-factor authentication, something the user 'is' is also used (e.g. a retinal scan).

Threats in Networks:

Trojan horses, worms and DoS (denial of service) attacks are often maliciously used to consume and destroy the resources of a network. Sometimes, misconfigured servers and hosts can serve as network security threats as they unnecessarily consume resources. In order to properly identify and deal with probable threats, one must be equipped with the right tools and security mechanisms.

Types of Network Threats

Most experts classify network security threats in two major categories: logic attacks and resource attacks.

Logic attacks are known to exploit existing software bugs and vulnerabilities with the intent of crashing a system. Some use this attack to purposely degrade network performance or grant an intruder access to a system.

Resource attacks are the second category of network security threats. These types of attacks are intended to overwhelm critical system resources such as CPU and RAM. This is usually done by sending multiple IP packets or forged requests. The malicious software normally contains code for launching numerous attacks and a standard communications infrastructure to enable remote control.

An expert from a network security software provider offered his observations on the top 10 threats that can harm networks from the inside and ways to combat them. The top 10 internal network vulnerabilities are:

• USB drives
• laptops and netbooks
• wireless access points
• miscellaneous USB devices (digital cameras, MP3 players, etc.)
• employees borrowing others' machines or devices
• the Trojan Human (attackers who visit sites disguised as employee personnel or contractors)
• optical media (CDs, DVDs, etc.)
• lack of employee alertness





Threats can be categorized as external versus internal, and unstructured versus structured.

External & Internal Security

An external threat occurs when someone outside your network creates a threat to it. If you are using an intrusion detection system (IDS), which detects attacks as they occur, you probably will be mildly shocked at the number of probes and attacks that occur against your network.

An internal threat occurs when someone from inside your network creates a threat to it. Interestingly, the CSI study has found that, of the 70 percent of companies that had breaches, 60 percent of these breaches came from internal sources. Some of these breaches were malicious in intent; others were accidental. Therefore, you should not just be concerned about protecting the perimeter of your network; you should also aim to protect every key resource and service.

Unstructured and Structured Threats

General methods of security threats fall under two categories:

• Unstructured threats
• Structured threats

An unstructured security threat is one created by an inexperienced person who is trying to gain access to your network: a wannabe hacker.

A structured threat, on the other hand, is implemented by a technically skilled person who is trying to gain access to your network. This hacker creates or uses some very sophisticated tools to break into your network or to disrupt the services running on it.

Figure 1-2. Sophisticated Spoofing Attack

Network Security Controls

This section presents many excellent defenses available to the network security engineer. It provides detailed explanations for three particularly important controls: firewalls, intrusion detection systems, and encrypted e-mail.

Encryption

Encryption is probably the most important and versatile tool for a network security expert. Encryption is powerful for providing privacy, authenticity, integrity, and limited access to data. Because networks often involve even greater risks, they often secure data with encryption, perhaps in combination with other controls.


Firewalls

Firewalls were officially invented in the early 1990s. A firewall is a device that filters all traffic between a protected or "inside" network and a less trustworthy or "outside" network.

Because a firewall is executable code, an attacker could compromise that code and execute from the firewall's device. Firewall code usually runs on a proprietary or carefully minimized operating system. The purpose of a firewall is to keep "bad" things outside a protected environment. To accomplish that, firewalls implement a security policy that is specifically designed to address what bad things might

Design of Firewalls

A firewall is a special form of reference monitor. By carefully positioning a firewall within a network, we can ensure that all network accesses that we want to control must pass through it. A firewall is typically well isolated, making it highly immune to modification. Usually a firewall is implemented on a separate computer, with direct connections only to the outside and inside networks.

Types of Firewalls

Types of firewalls include:

• packet filtering gateways or screening routers
• stateful inspection firewalls
• application proxies
• guards
• personal firewalls

Comparison of Firewall Types

Packet Filtering: simplest; sees only addresses and service protocol type; auditing difficult; screens based on connection rules; complex addressing rules can make configuration tricky.

Stateful Inspection: more complex; can see either addresses or data; auditing possible; screens based on information across packets, in either header or data field; usually preconfigured to detect certain attack signatures.

Application Proxy: even more complex; sees full data portion of packet; can audit activity; screens based on behavior of proxies; simple proxies can substitute for complex addressing rules.

Guard: most complex; sees full text of communication; can audit activity; screens based on interpretation of message content; complex guard functionality can limit assurance.

Personal Firewall: similar to packet filtering firewall; can see full data portion of packet; can (and usually does) audit activity; typically screens based on information in a single packet, using header or data; usually starts in "deny all inbound" mode, to which the user adds trusted addresses as they appear.
Intrusion Detection Systems

An intrusion detection system (IDS) is a device, typically another separate computer, that monitors activity to identify malicious or suspicious events. An IDS is a sensor, like a smoke detector, that raises an alarm if specific things occur.

Common Components of an Intrusion Detection Framework.

IDSs perform a variety of functions:

• monitoring users and system activity
• auditing system configuration for vulnerabilities and misconfigurations
• assessing the integrity of critical system and data files
• recognizing known attack patterns in system activity
• identifying abnormal activity through statistical analysis
• managing audit trails and highlighting user violation of policy or normal activity
• correcting system configuration errors
• installing and operating traps to record information about intruders

No one IDS performs all of these functions.

Types of IDSs

The two general types of intrusion detection systems are signature based and heuristic.

Signature-based intrusion detection systems perform simple pattern matching and report situations that match a pattern corresponding to a known attack type.

Heuristic intrusion detection systems, also known as anomaly based, build a model of acceptable behavior and flag exceptions to that model; for the future, the administrator can mark a flagged behavior as acceptable so that the heuristic IDS will now treat that previously unclassified behavior as acceptable.

Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation or client or host, to protect that one host.
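An added example (not code from the page's source) showing both kinds of IDS over constructed request log lines: a signature-based scan that pattern-matches known attack strings, and a heuristic one that learns a per-source request rate from a baseline period, flags outliers, and lets the administrator mark a flagged source as acceptable. The log format, signatures and addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Alert is what either detector reports.
type Alert struct {
	Kind   string // "signature" or "anomaly"
	Source string // source address taken from the log line
	Detail string
}

// KnownSignatures are constructed, deliberately simple patterns of known attack types.
var KnownSignatures = []struct{ Name, Pattern string }{
	{"directory traversal", "../"},
	{"script injection", "<script>"},
}

// makeLines builds constructed request log lines: n lines from each listed source.
func makeLines(perSource map[string]int) []string {
	var lines []string
	for src, n := range perSource {
		for i := 0; i < n; i++ {
			lines = append(lines, fmt.Sprintf("%s -> 10.0.0.20:80 GET /page%d.html", src, i))
		}
	}
	return lines
}

// SampleBaseline is a quiet period used to learn acceptable behaviour (constructed).
var SampleBaseline = makeLines(map[string]int{"10.0.0.5": 5, "10.0.0.6": 4, "10.0.0.7": 6, "10.0.0.8": 5})

// SampleObserved (constructed): normal traffic, one far busier source, two signature hits.
var SampleObserved = append(makeLines(map[string]int{"10.0.0.5": 5, "10.0.0.7": 6, "10.0.0.9": 30}),
	"10.0.0.11 -> 10.0.0.20:80 GET /cgi-bin/../../etc/passwd",
	"10.0.0.11 -> 10.0.0.20:80 GET /search?q=<script>")

// SignatureScan is the signature-based IDS: plain pattern matching, one alert per hit.
func SignatureScan(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		for _, s := range KnownSignatures {
			if strings.Contains(line, s.Pattern) {
				// first field of the line is the source address (SplitN never returns an empty slice)
				alerts = append(alerts, Alert{"signature", strings.SplitN(line, " ", 2)[0], s.Name})
			}
		}
	}
	return alerts
}

// AnomalyIDS is the heuristic IDS: acceptable behaviour is the per-source request count
// seen in a baseline period, summarised as a mean and standard deviation.
type AnomalyIDS struct {
	mean, stddev float64
	accepted     map[string]bool // sources the administrator has marked acceptable
}

func countPerSource(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		counts[strings.SplitN(line, " ", 2)[0]]++
	}
	return counts
}

// NewAnomalyIDS learns the model from the baseline (an empty baseline gives NaN, so nothing
// would ever be flagged; a real deployment refuses to start without training data).
func NewAnomalyIDS(baseline []string) *AnomalyIDS {
	counts := countPerSource(baseline)
	var sum, sumSq float64
	for _, n := range counts {
		sum += float64(n)
		sumSq += float64(n * n)
	}
	k := float64(len(counts))
	mean := sum / k
	return &AnomalyIDS{mean: mean, stddev: math.Sqrt(sumSq/k - mean*mean), accepted: map[string]bool{}}
}

// Threshold is the per-source request count above which a source is reported (mean + 3 sigma).
func (a *AnomalyIDS) Threshold() float64 { return a.mean + 3*a.stddev }

// Scan flags every source whose request count exceeds the threshold, unless accepted.
func (a *AnomalyIDS) Scan(lines []string) []Alert {
	var alerts []Alert
	for s, n := range countPerSource(lines) {
		if !a.accepted[s] && float64(n) > a.Threshold() {
			alerts = append(alerts, Alert{"anomaly", s, fmt.Sprintf("%d requests", n)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

// MarkAcceptable records the administrator's decision that this source is acceptable.
func (a *AnomalyIDS) MarkAcceptable(src string) { a.accepted[src] = true }
```

Note that neither detector sees the other's case: the signature scan says nothing about the busy source, and the rate model says nothing about the two crafted requests, which is why the text lists both approaches.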

Goals for Intrusion Detection Systems

It should detect all attacks with little performance penalty. An IDS could use some or all of the following design approaches:

• filter on packet headers
• filter on packet content
• maintain connection state
• use complex, multipacket signatures
• use minimal number of signatures with maximum effect
• filter in real time, online
• hide its presence
• use optimal sliding time window size to match signatures


IDS Strengths and Limitations

On the up side, IDSs detect an ever-growing number of serious problems. And as we learn more about problems, we can add their signatures to the IDS model. Thus, over time, IDSs continue to improve. At the same time, they are becoming cheaper and easier to administer.

On the down side, avoiding an IDS is a first priority for successful attackers. An IDS that is not well defended is useless.

IDSs may have identical vulnerabilities, and their selection criteria may miss similar attacks. Knowing how to evade a particular model of IDS is an important piece of intelligence passed within the attacker community.

Another IDS limitation is its sensitivity, which is difficult to measure and adjust. IDSs will never be perfect, so finding the proper balance is critical.

An IDS does not run itself; someone has to monitor its track record and respond to its alarms. An administrator is foolish to buy and install an IDS and then ignore it.

Secure E-Mail

E-mail is vital for today's commerce, as well as a convenient medium for communications among ordinary users.

Threats to E-Mail

Consider threats to electronic mail:

• message interception (confidentiality)
• message interception (blocked delivery)
• message interception and subsequent replay
• message content modification
• message origin modification
• message content forgery by outsider
• message origin forgery by outsider
• message content forgery by recipient
• message origin forgery by recipient
• denial of message transmission


Confidentiality and content forgery are often handled by encryption. Encryption can also help in a defense against replay, although we would also have to use a protocol in which each message contains something unique that is encrypted. Symmetric encryption cannot protect against forgery by a recipient, since both sender and recipient share a common key.

Requirements and Solutions

• message confidentiality (the message is not exposed en route to the receiver)
• message integrity (what the receiver sees is what was sent)
• sender authenticity (the receiver is confident who the sender was)
• nonrepudiation (the sender cannot deny having sent the message)


The sender chooses a (random) symmetric algorithm encryption key. Then, the sender encrypts a copy of the entire message to be transmitted, including FROM:, TO:, SUBJECT:, and DATE: headers. Next, the sender prepends plaintext headers. For key management, the sender encrypts the message key under the recipient's public key, and attaches that to the message as well. The process of creating an encrypted e-mail message is shown in the figure.

The encrypted e-mail standard is designed to support multiple encryption algorithms, using popular algorithms such as DES, triple DES, and AES for message confidentiality, and RSA and Diffie-Hellman for key exchange.

Other Security Features

Encrypted e-mail messages always carry a digital signature, so the authenticity and nonrepudiability of the sender is assured. The integrity is also assured because of a hash function (called a message integrity check, or MIC) in the digital signature. Optionally, encrypted e-mail messages can be encrypted for confidentiality.


Fig. Encrypted E-Mail Processing in Message Transmission.

Example Secure E-Mail Systems

PGP

PGP stands for Pretty Good Privacy. It was invented by Phil Zimmermann in 1991. It is heavily used by individuals exchanging private e-mail.

PGP addresses the key distribution problem with what is called a "ring of trust" or a user's "keyring." One user directly gives a public key to another, or the second user fetches the first's public key from a server. Some people include their PGP public keys at the bottom of e-mail messages. And one person can give a second person's key to a third (and a fourth, and so on).

PGP does not mandate a policy for establishing trust. Rather, each user is free to decide how much to trust each key received.

The PGP processing performs some or all of the following actions, depending on whether confidentiality, integrity, authenticity, or some combination of these is selected:

• Create a random session key for a symmetric algorithm.
• Encrypt the message, using the session key (for message confidentiality).
• Encrypt the session key under the recipient's public key.
• Generate a message digest or hash of the message; sign the hash by encrypting it with the sender's private key (for message integrity and authenticity).
• Attach the encrypted session key to the encrypted message and digest.
• Transmit the message to the recipient.


The recipient reverses these steps to retrieve and validate the message content.
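An added example, not code from the page or from PGP or S/MIME, carrying out the steps just listed (and the encrypted e-mail process described under Requirements and Solutions) with Go's standard library: AES-256-GCM under a random session key for the whole message, headers included; RSA-OAEP to wrap the session key for the recipient; RSA-PSS over a SHA-256 digest for the sender's signature; and the recipient reversing the steps. Key sizes, header strings and the message body are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what travels: plaintext routing headers, the wrapped session key, the
// encrypted message (original headers included) and the signature over its digest.
type Envelope struct {
	OuterHeaders string // prepended plaintext headers, so relays can route the message
	WrappedKey   []byte // RSA-OAEP(recipient public key, session key)
	Nonce        []byte
	Ciphertext   []byte // AES-256-GCM(session key, whole message incl. FROM/TO/SUBJECT/DATE)
	Signature    []byte // RSA-PSS(sender private key, SHA-256(message))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side: session key, encrypt, wrap the key for the recipient, sign.
func Seal(message []byte, outer string, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // random AES-256 session key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(message)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{outer, wrapped, nonce, gcm.Seal(nil, nonce, message, nil), sig}, nil
}

// Open is the recipient side, reversing the steps: unwrap the key, decrypt, verify.
func Open(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	message, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err) // GCM's tag rejects modified ciphertext
	}
	digest := sha256.Sum256(message)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("sender signature: %w", err)
	}
	return message, nil
}

// RoundTrip generates both key pairs, sends a constructed message and reports whether the
// recipient recovered it and whether a copy with one ciphertext byte flipped is rejected.
func RoundTrip() (recovered, tamperRejected bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	message := []byte("FROM: alice@example.test\r\nTO: bob@example.test\r\nSUBJECT: Q3 figures\r\nDATE: Mon, 1 Jan 2024 09:00:00 +0000\r\n\r\nNumbers attached.\r\n")
	env, err := Seal(message, "TO: bob@example.test\r\n", sender, &recipient.PublicKey)
	if err != nil {
		return false, false, err
	}
	got, err := Open(env, recipient, &sender.PublicKey)
	if err != nil {
		return false, false, err
	}
	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, terr := Open(&tampered, recipient, &sender.PublicKey)
	return string(got) == string(message), terr != nil, nil
}
```

Because the signature is made with the sender's private key, a recipient holding only the shared session key cannot forge it, which is the forgery-by-recipient case symmetric encryption alone cannot cover.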


S/MIME

An Internet standard governs how e-mail is sent and received. The general MIME specification defines the format and handling of e-mail attachments. S/MIME (Secure Multipurpose Internet Mail Extensions) is the Internet standard for secure e-mail attachments.

S/MIME is very much like PGP and its predecessors. The principal difference between S/MIME and PGP is the method of key exchange. Basic PGP depends on each user's exchanging keys with all potential recipients and establishing a ring of trusted recipients; it also requires establishing a degree of trust in the authenticity of the keys for those recipients. S/MIME uses hierarchically validated certificates, usually represented in X.509 format, for key exchange. Thus, with S/MIME, the sender and recipient do not need to have exchanged keys in advance as long as they have a common certifier they both trust.

S/MIME works with a variety of cryptographic algorithms, such as DES, AES, and RC2 for symmetric encryption.

S/MIME performs security transformations very similar to those for PGP. PGP was originally designed for plaintext messages, but S/MIME handles (secures) all sorts of attachments, such as data files (for example, spreadsheets, graphics, presentations, movies, and sound).

Database Security:

Databases are essential to many business and government organizations. Protecting data is at the heart of many secure systems. There are more security concerns for which controls are not available.

Database security concerns the use of a broad range of information security controls to protect databases (potentially including the data, the database applications or stored functions, the database systems, the database servers and the associated network links) against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical. Database security is a specialist topic within the broader realms of computer security, information security and risk management.

Security risks to database systems include, for example:

• Unauthorized or unintended activity or misuse by authorized database users, database administrators, or network/systems managers, or by unauthorized users or hackers (e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate changes to the database programs, structures or security configurations);

• Malware infections causing incidents such as unauthorized access, leakage or disclosure of personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of authorized access to the database, attacks on other systems and the unanticipated failure of database services;

• Overloads, performance constraints and capacity issues resulting in the inability of authorized users to use databases as intended;

• Physical damage to database servers caused by computer room fires or floods, overheating, lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and obsolescence;

• Design flaws and programming bugs in databases and the associated programs and systems, creating various security vulnerabilities (e.g. unauthorized privilege escalation), data loss/corruption, performance degradation etc.;

• Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in database or system administration processes, sabotage/criminal damage etc.

Security Requirements:

• Physical database integrity

• Logical database integrity

• Element integrity

• Auditability

• Access Control

• User Authentication

• Availability

Security Requirements

The basic security requirements of database systems are not unlike those of other computing systems we have studied. The basic problems (access control, exclusion of spurious data, authentication of users, and reliability) have appeared in many contexts so far.

Following is a list of requirements for database security:

Physical database integrity. The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe.

Logical database integrity. The structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields, for example.

Element integrity. The data contained in each element are accurate.

Auditability. It is possible to track who or what has accessed (or modified) the elements in the database.

Access control. A user is allowed to access only authorized data, and different users can be restricted to different modes of access (such as read or write).

User authentication. Every user is positively identified, both for the audit trail and for permission to access certain data.

Availability. Users can access the database in general and all the data for which they are authorized.

Integrity of the Database

The data must be protected from corruption. Two situations can affect the integrity of a database:

• When the whole database is damaged (as happens, for example, if its storage medium is damaged).
• When individual data items are unreadable.

Integrity of the database as a whole is the responsibility of the DBMS, the operating system, and the (human) computing system manager. From the perspective of the operating system and the computing system manager, databases and DBMSs are files and programs, respectively. Therefore, one way of protecting the database as a whole is to regularly back up all files on the system.

Element Integrity

The integrity of database elements is their correctness or accuracy. Ultimately, authorized users are responsible for entering correct data into databases. However, users and programs make mistakes collecting data, computing results, and entering values. Therefore, DBMSs sometimes take special action to help catch errors as they are made and to correct errors after they are inserted.

Auditability

For some applications it may be desirable to generate an audit record of all access (read or write) to a database. Such a record can help to maintain the database's integrity, or at least to discover after the fact who had affected which values and when. A second advantage, as we see later, is that users can access protected data incrementally; that is, no single access reveals protected data, but a set of sequential accesses viewed together reveals the data, much like discovering the clues in a detective novel.
Access Control

Databases are often separated logically by user access privileges. For example, all users can be granted access to general data, but only the personnel department can obtain salary data and only the marketing department can obtain sales data. Databases are very useful because they centralize the storage and maintenance of data. Limited access is both a responsibility and a benefit of this centralization.

The database administrator specifies who should be allowed access to which data, at the view, relation, field, record, or even element level. The DBMS must enforce this policy, granting access to all specified data or no access where prohibited. Furthermore, the number of modes of access can be many. A user or program may have the right to read, change, delete, or append to a value, add or delete entire fields or records, or reorganize the entire database.

User Authentication

The DBMS can require rigorous user authentication. For example, a DBMS might insist that a user pass both specific password and time-of-day checks. This authentication supplements the authentication performed by the operating system. Typically, the DBMS runs as an application program on top of the operating system. This system design means that there is no trusted path from the DBMS to the operating system, so the DBMS must be suspicious of any data it receives, including user authentication. Thus, the DBMS is forced to do its own authentication.

Availability

A DBMS has aspects of both a program and a system. It is a program that uses other hardware and software resources, yet to many users it is the only application run. Users often take the DBMS for granted, employing it as an essential tool with which to perform particular tasks. But when the system is not available (busy serving other users, or down to be repaired or upgraded) the users are very aware of a DBMS's unavailability.
Reliability and Integrity

Databases amalgamate data from many sources, and users expect a DBMS to provide access to the data in a reliable way. When software engineers say that software has reliability, they mean that the software runs for very long periods of time without failing.

Database concerns about reliability and integrity can be viewed from three dimensions:

Database integrity: concern that the database as a whole is protected against damage, as from the failure of a disk drive or the corruption of the master database index. These concerns are addressed by operating system integrity controls and recovery procedures.

Element integrity: concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users.

Element accuracy: concern that only correct values are written into the elements of a database. Checks on the values of elements can help prevent insertion of improper values. Also, constraint conditions can detect incorrect values.


Sensitive Data

Several factors can make data sensitive.

Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the locations of defensive missiles or the median income of barbers in a town with only one barber.

From a sensitive source. The source of the data may indicate a need for confidentiality. An example is information from an informer whose identity would be compromised if the information were disclosed.

Declared sensitive. The database administrator or the owner of the data may have declared the data to be sensitive. Examples are classified military data or the name of the anonymous donor of a piece of art.

Part of a sensitive attribute or a sensitive record. In a database, an entire attribute or record may be classified as sensitive. Examples are the salary attribute of a personnel database or a record describing a secret space mission.

Sensitive in relation to previously disclosed information. Some data become sensitive in the presence of other data. For example, the longitude coordinate of a secret gold mine reveals little, but the longitude coordinate in conjunction with the latitude coordinate pinpoints the mine.

Access Decisions

Whether access is granted depends on:

• Availability of Data
• Acceptability of Access
• Assurance of Authenticity

Availability of Data

One or more required elements may be inaccessible. For example, if a user is updating several fields, other users' accesses to those fields must be blocked temporarily. This blocking ensures that users do not receive inaccurate information, such as a new street address with an old city and state, or a new code component with old documentation. Blocking is usually temporary. When performing an update, a user may have to block access to several fields or several records to ensure the consistency of data for others.

Acceptability of Access

Deciding what is sensitive, however, is not as simple as it sounds, because the fields may not be directly requested. A user may have asked for certain records that contain sensitive data, but the user's purpose may have been only to project the values from particular fields that are not sensitive.

Assurance of Authenticity

Certain characteristics of the user external to the database may also be considered when permitting access. For example, to enhance security, the database administrator may permit someone to access the database only at certain times, such as during working hours. Previous user requests may also be taken into account; repeated requests for the same data or requests that exhaust a certain category of information may be used to find out all elements in a set when a direct query is not allowed.

Types of Disclosures

Exact Data

The user may know that sensitive data are being requested, or the user may request general data without knowing that some of it is sensitive. A faulty database manager may even deliver sensitive data by accident, without the user's having requested it. In all of these cases the result is the same: the security of the sensitive data has been breached.

Bounds

A disclosure may indicate that a sensitive value, y, is between two values, L and H. Sometimes, by using a narrowing technique not unlike the binary search, the user may first determine that

L < y < H

and then see whether

L < y < H/2,

and so forth, thereby permitting the user to determine y to any desired precision. In another case, merely revealing that a value such as the athletic scholarship budget or the number of CIA agents exceeds a certain amount may be a serious breach of security.

Sometimes, however, bounds are a useful way to present sensitive data. It is common to release upper and lower bounds for data without identifying the specific records.

For example, a company may announce that its salaries for programmers range from $50,000 to $82,000. If you are a programmer earning $79,700, you can presume that you are fairly well off, so you have the information you want; however, the announcement does not disclose who are the highest-paid programmers.


Negative Result

Sometimes we can word a query to determine a negative result. That is, we can learn what the value of an element is not.

For example, knowing that 0 is not the total number of felony convictions for a person reveals that the person was convicted of a felony. The distinction between 1 and 2 or 46 and 47 felonies is not as sensitive as the distinction between 0 and 1. Therefore, disclosing that a value is not 0 can be a significant disclosure.

Similarly, if a student does not appear on the honors list, you can infer that the person's grade point average is below 3.50. This information is not too revealing, however, because the range of grade point averages from 0.0 to 3.49 is rather wide.


Existence

In some cases, the existence of data is itself a sensitive piece of data, regardless of the actual value.

For example, an employer may not want employees to know that their use of long distance telephone lines is being monitored. In this case, discovering a LONG DISTANCE field in a personnel file would reveal sensitive data.

Probable Value

Finally, it may be possible to determine the probability that a certain element has a certain value.


Types of inference attacks:

1) Direct attack
2) Indirect attack

1) Direct attack

Infer sensitive data from the results of queries run by the attacker.

n-item k-percent rule: data are withheld if n items represent more than k percent of the result reported.

Most obvious case, the 1-item 100-percent case: one person represents 100% of the results reported.

2) Indirect attack

Infer sensitive information from statistics (sum, count, median) and also from information external to the attacked database.

• Tracker attacks (intersection of sets)
• Linear system vulnerability: use the algebra of multiple equations to infer values

Indirect attacks can be implemented with the help of the following techniques.

Tracker attacks

A tracker attack can fool the database manager into locating the desired data by using additional queries that produce small results. The tracker adds additional records to be retrieved for two different queries; the two sets of records cancel each other out, leaving only the statistic or data desired.

The approach is to use intelligent padding of two queries. In other words, instead of trying to identify a unique value, we request n - 1 other values (where there are n values in the database). Given n and n - 1, we can easily compute the desired single element.

For instance, suppose we wish to know how many female Caucasians live in Holmes Hall. A query posed might be

count((SEX=F) ^ (RACE=C) ^ (DORM=Holmes))

However, further analysis of the query allows us to track sensitive data through nonsensitive queries.

The query

q = count((SEX=F) ^ (RACE=C) ^ (DORM=Holmes))

is of the form

q = count(a ^ b ^ c)

By using the rules of logic and algebra, we can transform this query to

q = count(a ^ b ^ c) = count(a) - count(a ^ ¬(b ^ c))

Linear System Vulnerability

A tracker is a specific case of a more general vulnerability. With a little logic, algebra, and luck in the distribution of the database contents, it may be possible to construct a series of queries that returns results relating to several different sets.

For example, the following system of five queries does not overtly reveal any single value from the database. However, the queries' equations can be solved for each of the values, revealing them all.

Inference Controls

Suppression: data not provided to the querying user

Suppress combinations of rows and columns

Combine results (to hide actual answers)

Concealing: close answers, not exact ones, given to the querying user

Present a range of results

Present random sample results

Perturb results (add small positive and negative random errors)

Suppression and concealing are two controls applied to data items.

Suppression: sensitive data values are not provided; the query is rejected without response.

Concealing: the answer provided is close to but not exactly the actual value.
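The controls above, as an added worked example (not from these notes): cell suppression with complementary suppression over a constructed dorm-by-race count table, the three concealing techniques (range, random sample, perturbation), and a check of what a tracker still learns from concealed answers. The population, the limit of 2 and the range width of 5 are assumptions of the example.

```python
import random

# Constructed toy population (not from the original notes): each person is (dorm, race).
# A querying user may ask for counts per dorm, per race, or per (dorm, race) cell.
PEOPLE = (
    [("Holmes", "A")] * 1 + [("Holmes", "B")] * 4 + [("Holmes", "C")] * 6
    + [("West", "A")] * 3 + [("West", "B")] * 5 + [("West", "C")] * 1
    + [("Grey", "A")] * 4 + [("Grey", "B")] * 2 + [("Grey", "C")] * 5
)
DORMS = ["Holmes", "West", "Grey"]
RACES = ["A", "B", "C"]
LIMIT = 2   # a cell built from fewer than LIMIT people is sensitive


def crosstab(people):
    """Exact counts per (dorm, race) cell."""
    table = {(d, r): 0 for d in DORMS for r in RACES}
    for d, r in people:
        table[(d, r)] += 1
    return table


def suppress(table, limit=LIMIT):
    """Suppression: hide small cells, then hide enough further cells (complementary
    suppression) that no hidden cell can be restored by subtracting the visible cells of
    its row or column from a published row or column total."""
    hidden = {cell for cell, n in table.items() if 0 < n < limit}
    lines = [[(d, r) for r in RACES] for d in DORMS] + [[(d, r) for d in DORMS] for r in RACES]
    changed = True
    while changed:
        changed = False
        for line in lines:
            if sum(c in hidden for c in line) == 1:
                # exactly one hidden cell on a line with a known total: hide the
                # smallest visible non-zero cell on the same line as well
                candidates = [c for c in line if c not in hidden and table[c] > 0]
                if candidates:
                    hidden.add(min(candidates, key=lambda c: table[c]))
                    changed = True
    return {cell: (None if cell in hidden else n) for cell, n in table.items()}


def as_range(n, width=5):
    """Concealing: report a range containing the true count instead of the count."""
    lo = (n // width) * width
    return (lo, lo + width - 1)


def perturbed(n, rng, max_err=1):
    """Concealing: add a small random error; never report a negative count."""
    return max(0, n + rng.randint(-max_err, max_err))


def sample_count(people, pred, rng, fraction=0.5):
    """Concealing: answer from a random sample, scaled up; the answer varies between runs."""
    sample = [p for p in people if rng.random() < fraction]
    return round(sum(1 for p in sample if pred(p)) / fraction)


def tracker_under_controls(rng):
    """Tracker count(Holmes ∧ A) = count(Holmes) - count(Holmes ∧ ¬A) on exact answers,
    then on ranged and on perturbed answers: concealing leaves the attacker with an
    interval rather than the withheld value 1."""
    holmes = sum(1 for d, _ in PEOPLE if d == "Holmes")                      # 11
    holmes_not_a = sum(1 for d, r in PEOPLE if d == "Holmes" and r != "A")    # 10
    exact = holmes - holmes_not_a
    lo1, hi1 = as_range(holmes)
    lo2, hi2 = as_range(holmes_not_a)
    ranged = (lo1 - hi2, hi1 - lo2)   # every value consistent with the two ranges
    noisy = perturbed(holmes, rng) - perturbed(holmes_not_a, rng)
    return exact, ranged, noisy


if __name__ == "__main__":
    rng = random.Random(0)
    published = suppress(crosstab(PEOPLE))
    for d in DORMS:
        print(d, [published[(d, r)] for r in RACES])
    print("sample estimate of Holmes:", sample_count(PEOPLE, lambda p: p[0] == "Holmes", rng))
    print("tracker exact / ranged / noisy:", tracker_under_controls(rng))
```

Two of the nine cells are sensitive, but publishing the other seven with the row and column totals would let a user subtract them back out; the complementary step ends up hiding six cells, which is the price of suppression on a small table. Under range reporting the tracker's subtraction only bounds the hidden count, and under perturbation it returns a different wrong answer each time.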

Multilevel Database

Multilevel databases provide data security by classifying the data in relation to the user's access type. The structure of such databases is similar to relational databases, but includes an additional piece of information, the classification or access class. Low-level security users cannot access high-level security data. Sometimes new rows with the same primary key are created by the operations of low-level security users (polyinstantiation, discussed below).


Database security is becoming one of the most important topics when designing and developing database systems. Most of the main providers of database software and hardware provide security that prevents unauthorized users from gaining access from outside. However, an equal or greater threat lies within the company: the employees. If employees are able to access all sensitive data, the company is put at high risk, and data can easily be abused. This essay addresses the benefits and security issues of a multilevel database, MLS database basic concepts, the principle of polyinstantiation, some security issues, and a brief description of some MLS database security models.

What is an MLS Database?

The concept of multilevel secure databases has been developed over the years. Not long ago some scholars stated that "there is no clear consensus regarding what exactly an MLS relational data model is." (Toward a MLSR Data Model) This type of database is mainly used by the United States federal government in the process of disclosing information. This operation needs more security than is commercially available. Most of the security available for databases today protects databases from outside unauthorized users. A multilevel secure database provides internal security in relation to the user's access type to the database. The data stored in MLS databases are classified into several levels of sensitivity. A user can only see the data that match his or her classification level. The user classification is sometimes referred to as clearance, and "as we raise a user's clearance new facts emerge; conversely, as we lower a user's clearance some facts get hidden. Therefore, users with different clearances see different versions of reality."

Basic Concepts of Multilevel Security:

An MLS database structure is similar to most databases. Its data are organized in tables with rows and columns. These elements take different names with different database designers. For the purpose of this essay, tables are "called relations. Each relation contains a number of columns, called attributes. At any given time, a relation contains a number of rows, called tuples." (Toward a MLSR Data Model) One of the most important aspects of MLS databases is the data classification. In MLS databases these classifications are called "access classes". The assignment of access classes is a major topic, since "access classes can be assigned to relations, to individual tuples in a relation, to individual attributes of a relation, or to individual data elements of the tuples of a relation." (Toward a MLSR Data Model) The following example demonstrates data classification to individual data elements in a relation.
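As an added illustration (not the essay's own example or code), a tiny relation in which every data element carries its own access class, read through a filter that hides elements above the reader's clearance, and an insert that polyinstantiates rather than refusing a duplicate key the user is not allowed to know about. The four-level lattice, the Flights relation, its rows and the rule that a user may classify an element anywhere between the key's class and their own clearance are all assumptions of this toy.

```python
# Added example (not the essay's own code): element-level access classes and polyinstantiation.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # Unclassified < Confidential < Secret < Top Secret


def dominates(a, b):
    """True when access class a is at least as high as b (a total order in this toy)."""
    return LEVELS[a] >= LEVELS[b]


class MLSRelation:
    """Each data element carries its own access class: a tuple is stored as
    {attribute: (value, class)}, and attrs[0] is the primary key."""

    def __init__(self, attrs):
        self.attrs = attrs
        self.key = attrs[0]
        self.tuples = []

    def insert(self, user_level, elems):
        key_val, key_cls = elems[self.key]
        for attr in self.attrs:
            _, cls = elems[attr]
            # Toy policy (assumption): a user classifies each element anywhere between the
            # key's class and their own clearance; no element may be lower than its key.
            if not (dominates(user_level, cls) and dominates(cls, key_cls)):
                raise PermissionError(f"{attr}: class {cls} not within [{key_cls}, {user_level}]")
        for t in self.tuples:
            existing_val, existing_cls = t[self.key]
            if existing_val == key_val and dominates(user_level, existing_cls):
                raise KeyError(f"duplicate key {key_val!r} visible at class {existing_cls}")
        # Any other tuple with this key sits at a class this user cannot see.  Refusing the
        # insert would reveal that it exists (a covert channel), so the relation stores a
        # second tuple with the same key instead: polyinstantiation.
        self.tuples.append(dict(elems))

    def select(self, user_level):
        """Tuples visible at user_level; elements above that level read as None.  This is
        the filtering of a result by sensitivity level that a trusted front end performs."""
        visible = []
        for t in self.tuples:
            if not dominates(user_level, t[self.key][1]):
                continue
            visible.append({a: (v if dominates(user_level, c) else None) for a, (v, c) in t.items()})
        return visible


def demo():
    """Constructed Flights relation: key flight, attributes cargo and dest."""
    flights = MLSRelation(["flight", "cargo", "dest"])
    flights.insert("TS", {"flight": ("F101", "TS"), "cargo": ("missiles", "TS"), "dest": ("Libya", "TS")})
    # An Unclassified user reuses key F101 without knowing it exists: polyinstantiated, not refused.
    flights.insert("U", {"flight": ("F101", "U"), "cargo": ("food", "U"), "dest": ("Italy", "U")})
    # Element-level classification: the flight and destination are public, the cargo is Secret.
    flights.insert("S", {"flight": ("F202", "U"), "cargo": ("medical", "S"), "dest": ("Cyprus", "U")})
    return flights


if __name__ == "__main__":
    f = demo()
    for level in LEVELS:
        print(level, f.select(level))
```

An Unclassified reader sees one F101 (food to Italy) and F202 with its cargo blanked; a Top Secret reader sees both F101 tuples and knows which is the cover story. A Top Secret user who tries to insert F101 again does get a duplicate-key error, because that user can already see the conflicting tuple and nothing is leaked by saying so.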

Proposals for Multilevel Security

Enforcing multilevel security for databases is difficult, probably more so than in operating systems, because of the small granularity of the items being controlled.

The obvious control for multilevel databases is partitioning. The database is divided into separate databases, each at its own level of sensitivity. This approach is similar to maintaining separate files in separate file cabinets.

This control destroys a basic advantage of databases: elimination of redundancy and improved accuracy through having only one field to update. Furthermore, it does not address the problem of a high-level user who needs access to some low-level data combined with high-level data.

Nevertheless, because of the difficulty of establishing, maintaining, and using multilevel databases, many users with data of mixed sensitivity handle their data by using separate, isolated databases. If sensitive data are encrypted, a user who accidentally receives them cannot interpret the data. Thus, each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity. But encryption has certain disadvantages. First, a user can mount a chosen plaintext attack. Suppose party affiliation of REP or DEM is stored in encrypted form in each record. If every record is encrypted under the same key, identical plaintexts produce identical ciphertexts, so a user who inserts a record with a known affiliation can compare its stored ciphertext against every other record and learn the affiliation of each one.

Figure: Cryptographic Separation: Different Encryption Keys.

Figure: Cryptographic Separation: Block Chaining.

Using a different encryption key for each record overcomes these defects. Each record's fields can be encrypted with a different key, or all fields of a record can be cryptographically linked, as with cipher block chaining.

The disadvantage, then, is that each field must be decrypted when users perform database operations such as "select all records with SALARY > 10,000." Decrypting the SALARY field, even on rejected records, increases the time to process a query. (Consider the query that selects just one record but that must decrypt and compare one field of each record to find the one that satisfies the query.) Thus, encryption is not often used to implement separation in databases.
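The chosen plaintext attack and the per-record remedy, as an added worked example (not code from these notes). The cipher is an illustrative stream cipher built from SHA-256 in counter mode so that the block runs on the standard library alone; it stands in for whatever the DBMS would really use. The table contents, the attacker name and the choice of a random per-record nonce (equivalent, for this purpose, to a distinct per-record key) are assumptions of the example.

```python
import hashlib
import secrets

# Illustrative stream cipher only (SHA-256 in counter mode, keyed by key || nonce).
# Added example, not code from the original notes; use a real AEAD in practice.
NONCE_LEN = 16


def keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_table_key(key, plaintext):
    """One key and a fixed nonce for the whole table: deterministic, so equal plaintexts
    in different records produce equal ciphertexts.  XOR makes decryption the same call."""
    return xor(plaintext, keystream(key, bytes(NONCE_LEN), len(plaintext)))


def encrypt_per_record(key, plaintext):
    """A fresh random nonce per record, stored in front of the ciphertext: equal
    plaintexts no longer look alike."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_per_record(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(key, nonce, len(ct)))


class PartyTable:
    """Records (name, encrypted party).  The DBMS holds the key; a user can insert
    records and read the stored column, but never sees the key."""

    def __init__(self, mode):
        self.mode = mode                      # "table-key" or "per-record"
        self._key = secrets.token_bytes(32)
        self.rows = []

    def insert(self, name, party):
        enc = encrypt_table_key if self.mode == "table-key" else encrypt_per_record
        self.rows.append((name, enc(self._key, party)))

    def select_where(self, pred):
        """Evaluate a predicate on plaintext: every stored record must be decrypted,
        rejected ones included.  Returns (matching names, number of decryptions)."""
        dec = encrypt_table_key if self.mode == "table-key" else decrypt_per_record
        hits, decryptions = [], 0
        for name, ct in self.rows:
            decryptions += 1
            if pred(dec(self._key, ct)):
                hits.append(name)
        return hits, decryptions


def chosen_plaintext_attack(table, guess=b"REP"):
    """The attacker inserts a record whose affiliation they chose, reads back its stored
    ciphertext, and reports every other record whose ciphertext is identical."""
    table.insert("Mallory", guess)
    probe = table.rows[-1][1]
    return [name for name, ct in table.rows[:-1] if ct == probe]


if __name__ == "__main__":
    for mode in ("table-key", "per-record"):
        t = PartyTable(mode)
        for name, party in [("Alice", b"REP"), ("Bob", b"DEM"), ("Carol", b"REP")]:
            t.insert(name, party)
        print(mode, "attacker learns REP for:", chosen_plaintext_attack(t))
        print(mode, "select DEM ->", t.select_where(lambda p: p == b"DEM"))
```

With one key for the table the attacker's probe matches Alice and Carol exactly; with a per-record nonce it matches nobody. The `select_where` counter shows the cost the notes describe: finding the one DEM record still decrypts all four rows.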

The sensitivity label should be

unforgeable, so that a malicious subject cannot create a new sensitivity level for an element;

unique, so that a malicious subject cannot copy a sensitivity level from another element;

concealed, so that a malicious subject cannot even determine the sensitivity level of an arbitrary element.

The interaction between a user, a trusted front end, and a DBMS involves the following steps.

1. The user issues a query to the front end.

2. The front end verifies the user's authorization to data.

3. The front end issues a query to the database manager.

4. The database manager performs I/O access, interacting with low-level access control to achieve access to actual data.

5. The database manager returns the result of the query to the trusted front end.

6. The front end analyzes the sensitivity levels of the data items in the result and selects those items consistent with the user's security level.

7. The front end transmits selected data to the untrusted front end for formatting.

8. The untrusted front end transmits formatted data to the user.

Figure: Trusted Front End.