A PRACTICAL IMPLEMENTATION OF TRANSPARENT ENCRYPTION AND SEPARATION OF DUTIES IN ENTERPRISE DATABASES - Protection against External and Internal Attacks on Databases

Ulf T. Mattsson

Abstract

Security is becoming one of the most urgent challenges in database research and industry, and there has also been increasing interest in the problem of building accurate data mining models over aggregate data, while protecting privacy at the level of individual records. Instead of building walls around servers or hard drives, a protective layer of encryption is provided around specific sensitive data-items or objects. This prevents outside attacks as well as infiltration from within the server itself. This also allows the security administrator to define which data stored in databases are sensitive and thereby focusing the protection only on the sensitive data, which in turn minimizes the delays or burdens on the system that may occur from other bulk encryption methods. This paper presents a practical implementation of field level encryption in enterprise database systems, based on research and practical experience from many years of commercial use of cryptography in database security. We use the key concepts of security dictionary, type transparent cryptography and propose solutions on how to transparently store and search encrypted database fields. In this paper we will outline the different strategies for encrypting stored data so you can make the decision that is best to use in each different situation, for each individual field in your database to be able to practically handle different security and operating requirements. The papers presents a policy driven solution that allows transparent data level encryption that does not change the data field type or length. We focus on how to integrate modern cryptography technology into a relational database management system to solve some major security problems.

References

  1. Adam, 1989. Security-control methods for statistical databases. ACMComputing Surveys, 21(4):515- 556, Dec. 1989.
  2. Agrawal, 2001. Watermarking relational
  3. databases. In 28th Int'l Conference on Very Large Databases, Hong Kong, China.
  4. Agrawal, 2002. Hippocratic databases. In Proc. of the 28th Int'l Conference on Very Large Databases, Hong Kong, China, August 2002.
  5. Agrawal, 2004. Implementing P3P using database technology. In Proc. of the 19th Int'l Con-ference on Data Engineering, Bangalore, India.
  6. Agrawal, 2003. Path-based preference language for P3P. In Proc. of the 12th Int'l World Wide Web Conference, Budapest, Hungary, May 2003.
  7. Denning, 1997. Cryptography and Data Security. Addison-Wesley Publishing Company, Inc., 1982.
  8. Dierks, 1996. The TLS Protocol - Version 1.0, InternetDraft. November 1997.
  9. Freier, 1997. The SSL Protocol Version 3.0, InternetDraft. November 1996.
  10. Garnkel, 1997. Web Security & Commerce. O'Reilly & Associates, Inc., 1997.
  11. Guthery, 1998. Smart Card Developer's Kit. Macmillan Technical Publishing, 1998.
  12. Informix, 1994. Informix-Online Dynamic Server Administrator's Guide, Version 7.1. INFORMIX Software, Inc., 1994.
  13. Koch, 1997. The Complete Reference. Osborne/McGrawHill, 1997.
  14. Lagarias, 1990. Pseudo-random number generators in cryptography and number theory. InCryptology and Computational Number Theory, pages 115{143. American Mathematical Society, 1990.
  15. Lindemann, 2001. Improving DES Hardware Throughput for Short Operations, IBM Research Report, 2001.
  16. Lunt, 1993. A survey of intrusion detection techniques. Computer & Security, 12(4), 1993.
  17. NIST, 1993. National Bureau of Standards FIPS Publication 180. Secure Hash Standard, 1993.
  18. NIST, 1977. National Bureau of Standards FIPS Publication 46. Data Encryption Standard (DES), 1977.
  19. Neuman, 1994. Kerberos: An authentication service for computer networks. IEEE Communications, 32(9):33{38, 1994.
  20. San Jose Mercury News, 2000. Web site hacked; cards being canceled, Jan. 20, 2000.
  21. Oracle, 1999. Technical White Paper. Database Security in Oracle8i, November 1999.
  22. Rankl, 1997.Smart Card Handbook. John Wiley & Sons Ltd, 1997.
  23. Rivest, 1992. The MD5 Message-Digest Algorithm, RFC1321 (I). April 1992.
  24. Rivest, 1978. A method for obtaining digital signature and public key cryptosystems. Communications of the ACM, 21:120{126, February 1978.
  25. Rosenberry, 1992. Understanding DCE. O'Reilly & Associates, Inc.,1992.
  26. Shamir, 1979. How to share a secret. Communication of the ACM, 22(11):612-613, 1979.
  27. Stinson, 1995. Cryptography; Theory and Practice. CRC Press, Inc., 1995.
Download


Paper Citation


in Harvard Style

T. Mattsson U. (2005). A PRACTICAL IMPLEMENTATION OF TRANSPARENT ENCRYPTION AND SEPARATION OF DUTIES IN ENTERPRISE DATABASES - Protection against External and Internal Attacks on Databases . In Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 1: ICEIS, ISBN 972-8865-19-8, pages 146-153. DOI: 10.5220/0002518001460153


in Bibtex Style

@conference{iceis05,
author={Ulf T. Mattsson},
title={A PRACTICAL IMPLEMENTATION OF TRANSPARENT ENCRYPTION AND SEPARATION OF DUTIES IN ENTERPRISE DATABASES - Protection against External and Internal Attacks on Databases},
booktitle={Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 1: ICEIS,},
year={2005},
pages={146-153},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002518001460153},
isbn={972-8865-19-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Seventh International Conference on Enterprise Information Systems - Volume 1: ICEIS,
TI - A PRACTICAL IMPLEMENTATION OF TRANSPARENT ENCRYPTION AND SEPARATION OF DUTIES IN ENTERPRISE DATABASES - Protection against External and Internal Attacks on Databases
SN - 972-8865-19-8
AU - T. Mattsson U.
PY - 2005
SP - 146
EP - 153
DO - 10.5220/0002518001460153