Presentation is loading. Please wait.

Presentation is loading. Please wait.

Based on notes by Fei Li and Hong Li

Published byGrant Ramsey Modified over 5 years ago

Similar presentations

Presentation on theme: "Based on notes by Fei Li and Hong Li"— Presentation transcript:

1 Based on notes by Fei Li and Hong Li
Securing a Database Based on notes by Fei Li and Hong Li 11/14/2018

2 Topics Securing the connections to the database:
SSL-tunneling between client machine and database machine A secure JDBC driver Securing the data within a database Secure Thin JDBC Connection Sample 11/14/2018

3 JDBC Basics JDBC is a Java API for executing SQL statements
JDBC makes it possible to do three things: establish a connection with a database send SQL statements process the results. 11/14/2018

4 Securing a database Two points of attack against a database
The connection between clients and database The data in the database 11/14/2018

5 Securing the JDBC driver transmission
Approach 1: SSL-tunneling Running a daemon on the client machine Advantage: simplicity and performance Disadvantage: not enough of authentication, esp. if the client machine is a shared or multi-user environment. Approach 2: Proxy to JDBC drivers developing a JDBC driver proxy Advantage: provide more security Disadvantage: much more complex 11/14/2018

6 SSL-Tunneling Database Machine Client Machine TunnelServer
SSL Socket Database Machine Client Machine TunnelServer TunnelServer SQL request SQL response SQL request SQL response Client Application Database instance 11/14/2018

7 The SSL-Tunneling Approach
Two instances of the tunnel server, one on the client machine and the other on the database server machine Each instance serves as a proxy. Simplicity of encrypting the database connection by SSL-tunneling between the client application and the DBMS 11/14/2018

8 Query processing Client Machine Client application The JDBC client
Client-side tunnel server Reads unencrypted data from the JDBC client; Write it to the database machine over SSL Database Machine Server-side tunnel server Reads the encrypted data from the client-side tunnel server; Sends it unencrypted to the DBMS over localhost Database server 11/14/2018

9 Response processing Database Machine Database server
Sends query result to the tunnel server Server-side tunnel server Reads the query result from the DBMS over localhost; Sends it encrypted to the client-side tunnel server; Client Machine Client-side tunnel server Reads encrypted data from the server-side tunnel server; Write it to the JDBC client; Client application 11/14/2018

10 The SSL-Tunneling Approach
2. Encrypted SQL request Database Machine Client Machine TunnelServer TunnelServer 1. SQL request 4. SQL response 5. Encrypted SQL response 3. SQL request 6. SQL response Client Application Database instance Assumption: Connections to localhost cannot be snooped. True or false? 11/14/2018

11 Example 1: The Tunnel Server
Two classes TunnelServer TunnelThread TunnelServer class (p. 310) Correction: client (mRemote == false) or the server (mRemote == true) public TunnelServer (String server, int appPort, int tunnelPort, boolean remote) { super(); mDestServer = server; mAppPort = appPort; mTunnelPort = tunnelPort; mRemote = remote; waitForConnections(); } 11/14/2018

12 Example1: The Tunnel Server
Get server socket, waiting for connections, and create two instances of TunnelThread. private void waitForConnections() { …… serverSocket = getServerSocket(); while (mListening) { try { logMessage("Waiting for connections."); srcSocket = serverSocket.accept(); destSocket = connect(); logMessage("Connected to remote server at " + destSocket .getInetAddress() + "."); fromClient = getTunnelThread("fromClient"); toClient = getTunnelThread("toClient"); 11/14/2018

13 Example1: The Tunnel Server
The TunnelThread class (p ) Forwarding requests and responds /** Creates new TunnelThread name a name for this thread*/ public TunnelThread(String name) { super(name); setDaemon(true); } /**Default constructor -- create a tunnel thread with a default name*/ public TunnelThread( ) { super( ); public void run ( ) { 11/14/2018

14 Example1: The Tunnel Server
Run the Tunnel Server with JDBC Generate keystore/certificates for client and server  serverKeyStore, clientKeyStore (p.317) Copy serverKeyStore to the database server; Start the tunnel server on the server side (database machine) Copy clientKeyStore to the client machine; Start the tunnel server on the client side (client machine) (p.318) Run a test application on the client machine 11/14/2018

15 Example1: The Tunnel Server
Create Keystore >keytool -genkey -keyalg RSA -keystore serverKeyStore >keytool -genkey -keyalg RSA -keystore clientKeyStore 11/14/2018

16 Example1: The Tunnel Server
Create Keystore Export the certificates >keytool -export -keystore serverKeyStore -file server.cer >keytool -export -keystore clientKeyStore -file client.cer 11/14/2018

17 Example1: The Tunnel Server
Create Keystore Import the certificates >keytool -import -file client.cer -alias client -keystore serverKeyStore >keytool -import -file server.cer -alias server -keystore clientKeyStore 11/14/2018

18 Example1: The Tunnel Server
Start the tunnel server on the server Copy serverKeyStore TunnelServer.class, and TunnelThread.class to the database machine >java -Djavax.net.ssl.keyStore=serverKeyStore -Djavax.net.ssl.keyStorePassword=sps2020 -Djavax.net.ssl.trustStore=serverKeyStore com.isnetworks.crypto.net.TunnelServer localhost remote Exercise: Use the TunnelServer.java source code to trace the execution of the server-side TunnelServer and show its screen output. 11/14/2018

19 Example1: The Tunnel Server
Start the tunnel server on the client Copy clientKeyStore TunnelServer.class, and TunnelThread.class to the clinet machine >java -Djavax.net.ssl.keyStore=clientKeyStore -Djavax.net.ssl.keyStorePassword=cps2020 -Djavax.net.ssl.trustStore=clientKeyStore com.isnetworks.crypto.net.TunnelServer diamond.rocks.cl.uh.edu local 11/14/2018

20 Example1: The Tunnel Server
Run a test application on the client machine Use JDBCTest.java Set the JDBC driver (classes.zip) in the classpath DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver()); Connection conn = DriverManager.getConnection ( “username", “password"); 11/14/2018

21 Example1: The Tunnel Server
Sample programs for running Tunnel Server on dcm.cl.uh.edu (the client application) and diamond.rocks.cl.uh.edu (the DBMS server): TunnelServer.java TunnelThread.java JDBCTest.java Detailed instructions: instructions.doc 11/14/2018

22 Securing the JDBC Driver Transmission
Approach 2: Proxy to JDBC drivers developing a JDBC driver proxy Advantage: provide more security Disadvantage: much more complex 11/14/2018

23 The JDBC Driver Proxy Provide the encryption and authentication for many applications Delegate all the calls to dynamically bound driver Provide proxies to JDBC driver classes Proxy design pattern in distributed computing Use SSL for the connection Encryption Authentication later on 11/14/2018

24 The JDBC Driver Database Machine Proxy
Secure JDBC Driver Database client (application server) DB 11/14/2018

25 The JDBC Driver Client-Server communication
Server handles configuration, connections to the DB, and delegation of the JDBC calls Client delegates all the connections to the server Choose RMI as a network transport for communication Have to add one more layer to the remote call The diagram on p.321. 11/14/2018

26 The JDBC Driver Implementation
Delegate the common operations to an abstract super class. Use a single remote class to pass any method call instead of creating an RMI proxy for each JDBC interface Is a complex solution to a simple problem Proxy pattern enables developer to add service 11/14/2018

27 The JDBC Driver Using the secure JDBC driver
Detailed instructions for running the sample application: SecureDriver.rtf Steps of Configuring the driver: Generate the keys and certificates Edit the SecureDriver_config.xml file Create policy files for the server and client 11/14/2018

28 The JDBC Driver Edit the SecureDriver_config.xml file
Defines JDBC connection directly to the database from the secure driver Create policy files RMI requires that code run with a security manager Add some special permissions to policy files Server policy file The ability to connect to the database The ability to talk to the RMI registry The ability to receive a connection from a remote client 11/14/2018

29 The JDBC Driver Connecting to the RMI server process:
The connect( ) method is called by DriverManager and connects to the RMI server process, which is where the actual JDBC connections reside. 11/14/2018

30 The JDBC Driver Discussion:
Can the application be modified to run without RMI? How? 11/14/2018

31 Securing Data in the Database
Protect the data in database Database permission Should be set properly by the administrator Read- or write-only database If it is well protected, highly controlled, and not often accessed Large online retailers use write-only database 11/14/2018

32 Securing data in the database
Protect the data in databases Symmetric encryption Applications storing a secret key need to be completely safe Asymmetric encryption Public key is used for encrypting the data in the DB Private key must be stored somewhere safe. Disadvantage of encrypting data Expensive Remove some of the value of using a database 11/14/2018

33 Example3: Encrypting credit cards
3Xizmj2 Cg31C1l One-way encrypt Database (Stores encrypted credit card data) Server Decrypt Finance client 11/14/2018

34 Encrypting credit cards
CreditCardFactory -mAccountID -mCreditCardNumber -mPublicKey +createCreditCard() +findAllCreditCards() +findCreditCard() +CreditCard() +getAccountID() +getCreditCardNumber() CrditCardDBO DatabaseOperations -mAccountID -mEncryptedCCNumber -mEncryptedSessionKey +getAllCreditCardAccountIDs() +loadCreditCardDBO() +store(creditCardDBO:CreditCardDBO) +CreditCardDBO() +getAccountID() +getEncryptedCCNumber() +getEncryptedSessionKey() 11/14/2018

35 Encrypting credit cards
Testing the application – CreateTest.java Create a credit card based on user-specified account ID and credit card number Create a Properties object from the file system Properties properties = new Properties(); FileInputStream fis = new FileInputStream(PROPERTIES_FILE); properties.load(fis); fis.close(); // Create the credit card CreditCardFactory factory = new CreditCardFactory(properties); CreditCard creditCard = factory.createCreditCard(id,ccNumber); 11/14/2018

36 Encrypting credit cards
Testing the application – ViewTest Define the location of the keystore Load the keystore to retrieve the private key private static final String KEYSTORE = "creditcardExample.ks"; …… // Load the keystore to retrieve the private key. String ksType = KeyStore.getDefaultType(); KeyStore ks = KeyStore.getInstance(ksType); FileInputStream fis = new FileInputStream(KEYSTORE); ks.load(fis,PASSWORD); fis.close(); PrivateKey privateKey = (PrivateKey)ks.getKey("mykey",PASSWORD); 11/14/2018

37 Secure Thin JDBC Connection
Oracle JDBC Thin Driver The Oracle JDBC Thin driver is a 'Type IV' (native protocol, 100% Pure Java) implementation that complies with the JDBC 1.22 standard. The JDBC Thin driver uses Java Sockets to connect directly to the Oracle Server The JDBC Thin driver does not require Oracle software on the client side 11/14/2018

38 Secure Thin JDBC Connection
Encryption and integrity support use Oracle Advanced Security data encryption and integrity features in your Java database applications When using the Thin driver, the parameters are set through a Java properties file Encryption is enabled or disabled based on a combination of the client-side encryption-level setting and the server-side encryption-level setting 11/14/2018

39 Secure Thin JDBC Connection
Get SecureThinDriver.jar to run the sample Configuring Encryption Parameter Using Oracle Net Manager Run the Application using JDeveloper Environment Run the Application from JDK Environment  11/14/2018

40 Reference [1] JDBC Introduction
[2] J. Garms and D. Somerfield. Professional Java Security [3] Secure Thin JDBC Connection [4] The status of HIPNS [5] Improving Database Performance with Oracle8‚ 11/14/2018

Download ppt "Based on notes by Fei Li and Hong Li"

Similar presentations

Message Passing Vs Distributed Objects

Message Passing Vs Distributed Objects
What is RMI? Remote Method Invocation –A true distributed computing application interface for Java, written to provide easy access to objects existing.

What is RMI? Remote Method Invocation –A true distributed computing application interface for Java, written to provide easy access to objects existing.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Company LOGO Remote Method Invocation Georgi Cholakov, Emil Doychev, University of Plovdiv “Paisii.

Company LOGO Remote Method Invocation Georgi Cholakov, Emil Doychev, University of Plovdiv “Paisii.
FONG CHAN SING (143334) WONG YEW JOON (143388). JAVA RMI is a distributive system programming interface introduced in JDK 1.1. A library that allows an.

FONG CHAN SING (143334) WONG YEW JOON (143388). JAVA RMI is a distributive system programming interface introduced in JDK 1.1. A library that allows an.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.

LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Distributed Application Development B. Ramamurthy.

Distributed Application Development B. Ramamurthy.
Component-Based Software Engineering Introducing the Bank Example Paul Krause.

Component-Based Software Engineering Introducing the Bank Example Paul Krause.
Java Server Programming Jeff Schmitt Towson University October 15, 1998.

Java Server Programming Jeff Schmitt Towson University October 15, 1998.
Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.

Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.
8/19/20151 Securing a Database Based on notes by Fei Li and Hong Li.

8/19/20151 Securing a Database Based on notes by Fei Li and Hong Li.
Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –

Advance Computer Programming Java Database Connectivity (JDBC) – In order to connect a Java application to a database, you need to use a JDBC driver. –
Getting connected.  Java application calls the JDBC library.  JDBC loads a driver which talks to the database.  We can change database engines without.

Getting connected.  Java application calls the JDBC library.  JDBC loads a driver which talks to the database.  We can change database engines without.
1 CSC 440 Database Management Systems JDBC This presentation uses slides and lecture notes available from

1 CSC 440 Database Management Systems JDBC This presentation uses slides and lecture notes available from
Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun.

Securing Large Applications CSCI 5931 Web Security Rungang Mo, Yingying Sun.
Hands-On Microsoft Windows Server 20081 Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.

Hands-On Microsoft Windows Server Security Enhancements in Windows Server 2008 Windows Server 2008 was created to emphasize security –Reduced attack.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Connecting to Oracle using Java November 4, 2009 David Goldschmidt, Ph.D. David Goldschmidt, Ph.D.

Connecting to Oracle using Java November 4, 2009 David Goldschmidt, Ph.D. David Goldschmidt, Ph.D.
Spring/2002 Distributed Software Engineering C:\unocourses\4350\slides\DefiningThreads 1 RMI.

Spring/2002 Distributed Software Engineering C:\unocourses\4350\slides\DefiningThreads 1 RMI.

Similar presentations

Ads by Google