473,890 Members | 5,884 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Secure Database Systems

I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?

I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.

The data will be entered either manually and/or scanned(with OCR). I
need to
be able to search on all the fields in the database.

We have 10 computers(5bros , 4sisters, and myself) plus 1 server with I
maintained. The data should be synchronize/replicate between those
computers.

Well, so far it is easy, isn't it?

Here's my question:

a) How can I make sure that it secure so only authorized person can
modify/add/delete the information? Beside transaction logs, are there
any
other method to trace any transaction(kin d of paper trail)?

Assuming there are 3 step process to one enter the info e.g:
- One who enter the info (me)
- One who verify the info(the owner of info)
- One who verify and then commit the change!
How can I implement such a process in RDBMS and/or PHP or any other web
language?

b) How can I make sure that no one can tap the info while we are
entering
the data in the computer? (our family are scattered within US and
Canada)

c) Is it possible to securely synchronize/replicate between our
computers
using VPN? Does RDBMS has this functionality by default?

d) Other secure method that I have not yet mentioned.

Anyone has good ideas on how to implement such a systems?

Thanks

Jul 17 '05 #1
6 3139
Sarah Tanembaum wrote:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc)
combination?


Within the scope of your requirements,

Yes.

It should have nothing to do with the language you use, just the DBMS. To
explain how to do it would take much longer than is polite to post to a
single newsgroup let alone 6, and the fact that you're asking the question
rather suggests you would be struggling to understand the answer.

Briefly, all the DBMS you've mentioned provide access controls. Using a
distributed database is rather more complex and not supported by all the
products. Managing a distributed system can be tricky - consider using a
master db with replication to read-only slaves.

The best technologies are the ones that will be the least struggle for you -
what do you know already? How much help can you get? What does the person
sitting next to you know?

HTH

C.
Jul 17 '05 #2
Sarah Tanembaum schrieb:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?

I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.
Store the information in a filesystem (accessible via https://), the
metainformation (catalogue) in a database which delivers as result a
link (for example a weblink). The link may be a script which delivers
the actual content (use include() in php) after checking the authorization

The data will be entered either manually and/or scanned(with OCR). I
need to
be able to search on all the fields in the database.
We have 10 computers(5bros , 4sisters, and myself) plus 1 server with I
maintained. The data should be synchronize/replicate between those
computers.

Well, so far it is easy, isn't it?

Here's my question:

a) How can I make sure that it secure so only authorized person can
modify/add/delete the information? Beside transaction logs, are there
any
other method to trace any transaction(kin d of paper trail)?
If you are going to replicate between several databases, any member of
the family may have access to all data (if they are able), so I suppose
transaction is more an informal process (Who has added information in
case of further questions ?)

Assuming there are 3 step process to one enter the info e.g:
- One who enter the info (me)
- One who verify the info(the owner of info)
- One who verify and then commit the change!
How can I implement such a process in RDBMS and/or PHP or any other web
language?
The problem is again, that the one person who administrates the whole
lot could do anything she / he liked. Normally, secret sharing uses the
fact, that a system of equations is defined by exactly the amount of its
variables.

b) How can I make sure that no one can tap the info while we are
entering
the data in the computer? (our family are scattered within US and
Canada)
Search the web for secure copy, secure socket layer (SSL) etc.

c) Is it possible to securely synchronize/replicate between our
computers
using VPN? Does RDBMS has this functionality by default?
VPN just gives you the same thing as if in a phone network, everyone
would have the same number range while living at different places.

Look after IPSEC

d) Other secure method that I have not yet mentioned.

Anyone has good ideas on how to implement such a systems?
a lot of time will help...

Thanks

Jul 17 '05 #3
Sarah Tanembaum wrote:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?

I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.

The data will be entered either manually and/or scanned(with OCR). I
need to
be able to search on all the fields in the database.

We have 10 computers(5bros , 4sisters, and myself) plus 1 server with I
maintained. The data should be synchronize/replicate between those
computers.

Well, so far it is easy, isn't it?

Here's my question:

a) How can I make sure that it secure so only authorized person can
modify/add/delete the information? Beside transaction logs, are there
any
other method to trace any transaction(kin d of paper trail)?

Assuming there are 3 step process to one enter the info e.g:
- One who enter the info (me)
- One who verify the info(the owner of info)
- One who verify and then commit the change!
How can I implement such a process in RDBMS and/or PHP or any other web
language?

b) How can I make sure that no one can tap the info while we are
entering
the data in the computer? (our family are scattered within US and
Canada)

c) Is it possible to securely synchronize/replicate between our
computers
using VPN? Does RDBMS has this functionality by default?

d) Other secure method that I have not yet mentioned.

Anyone has good ideas on how to implement such a systems?

Thanks


Some suggestions:

1. Use 2-factor authentication. So if a password gets stolen, it isn't
enough by itself to access data.

2. Use 128-bit encryption for storage using secure algorithm (blowfish,
twofish or AES.

3. Use 128-bit encryption for communication.

4. Use secure key exchange protocols.

5. Use secure key generation algorithm.

6. Use digital signatures and public-key encryption where appropriate.
Client should authenticate server and server should authenticate
client to eliminate man-in-the-middle attacks.

7. Take a look at Groove.net products to see how they designed their
secure p2p shared-workspace applications.

8. Use firewalls to restrict access to communication ports based on IP
addresses or range of addresses or ip countries. Why allow access from
Chinese or Russian IP addresses if all your family members are in USA? ;)

IMHO, the openssl interface in Ruby 1.8.1-snapshot makes this fairly
easy to do compared to other scripting languages.
Jul 17 '05 #4
Sarah Tanembaum wrote:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?

I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.

The data will be entered either manually and/or scanned(with OCR). I
need to
be able to search on all the fields in the database.

We have 10 computers(5bros , 4sisters, and myself) plus 1 server with I
maintained. The data should be synchronize/replicate between those
computers.

Well, so far it is easy, isn't it?

Here's my question:

a) How can I make sure that it secure so only authorized person can
modify/add/delete the information? Beside transaction logs, are there
any
other method to trace any transaction(kin d of paper trail)?

Assuming there are 3 step process to one enter the info e.g:
- One who enter the info (me)
- One who verify the info(the owner of info)
- One who verify and then commit the change!
How can I implement such a process in RDBMS and/or PHP or any other web
language?

b) How can I make sure that no one can tap the info while we are
entering
the data in the computer? (our family are scattered within US and
Canada)

c) Is it possible to securely synchronize/replicate between our
computers
using VPN? Does RDBMS has this functionality by default?

d) Other secure method that I have not yet mentioned.

Anyone has good ideas on how to implement such a systems?

Thanks


One more thing...ssh tunneling is your best friend. If the
communication protocols available in your RDBMS server or client aren't
sufficiently secure, simply using SSH tunneling.
Jul 17 '05 #5
>I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?
It depends on how you define 'secure' and what your security policy
is. For example, MySQL allows database connections to be encrypted
with SSL. I suspect that some of the others do also. Also, most
web servers can be set up in a configuration that supports https.
And pretty much every web browser supports https.
I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.
Why is this not several SEPARATE databases?
The data will be entered either manually and/or scanned(with OCR). I
need to
be able to search on all the fields in the database.
Do you actually have a program that does decent OCR of handwriting,
starting from images? It would be useful to be able to take a bunch
of scanned cancelled checks and search for, say, "Auto insurance"
(a comment I'd probably write on the memo line of the check).

It is very difficult to get anything useful out of searching images
stored as binary blobs in a database table.
We have 10 computers(5bros , 4sisters, and myself) plus 1 server with I
maintained. The data should be synchronize/replicate between those
computers.
MySQL allows replication between different servers, again with SSL
for the replication connection. Generally, though, changes need to
be entered at the master.
Well, so far it is easy, isn't it?

Here's my question:

a) How can I make sure that it secure so only authorized person can
modify/add/delete the information? Beside transaction logs, are there
any
other method to trace any transaction(kin d of paper trail)?
Who's an authorized person?
At what granularity do you need the access controls? For example,
MySQL has access controls on individual table columns, so a specific
person (database login) may be allowed read-write, read, or no
access to the 'SSN' column. However, I do not believe it has any
kind of access restrictions that would allow one to read and alter
the SSN in THEIR OWN RECORD ONLY. If you put each person's data
in different tables, or different databases, that would make access
control better, but it makes it harder to search for things like
"whose wills are kept by <name of attorney>"?

It is possible for PHP to access the data using its own database
login (for which it will likely have near-full privileges), and let
the PHP code enforce restrictions like "a user may see only his own
SSN". PHP would have its own set of web users (with their own
passwords, privileges, etc. enforced by PHP but with the info kept
in the database). This does mean, however, that anyone with PHP's
database login gets to see all the data. It also means that the
PHP code that enforces the security rules could leak information
if the security policy is not implemented correctly. And implementing
all that PHP code CORRECTLY takes work.

A suggestion for your PHP web pages: log the time, date, IP address
the request came from, user name (or other form identifying the
requester), whether the password was correct (log the bad attempts
too!), what they accessed, and what they changed, and what the old
values of the changed fields were.

MySQL has query logs (however, if there is one database user, PHP,
for all the web page users, it will not log which query was made
on behalf of who). Your PHP application can log what screens who
viewed and what changes were entered. This takes WORK. PHP will
not do all that logging itself automatically.

Assuming there are 3 step process to one enter the info e.g:
- One who enter the info (me)
Now, right here, you've got a security problem. You see all the data.
And you shouldn't.
- One who verify the info(the owner of info)
- One who verify and then commit the change!
For a multi-step process like this you need some place in the database
to store pending changes. What is your access policy for THOSE?
Can I, who entered the data, see the data I entered while it is waiting
for the owner of the data to approve it?
How can I implement such a process in RDBMS and/or PHP or any other web
language?

b) How can I make sure that no one can tap the info while we are
entering
the data in the computer? (our family are scattered within US and
Canada)
Use SSL web pages (https). SSL between the web server and the
database matters less if the web server and the database are on the
same machine or on a local LAN, and direct access to the database
is not allowed except on the same machine or within the local LAN.
But SSL between the web server and various users' browsers all over
the continent is a must. Even if you use a VPN, browsers tend to
take better care of SSL data (like not leaving it around in a cache).
c) Is it possible to securely synchronize/replicate between our
computers
using VPN? Does RDBMS has this functionality by default?
VPN is typically not a feature of a RDBMS (neither is "wireless
802.11g", or DSL, or IP over Avian Carriers - a RDBMS typically
runs over IP, and a VPN uses some means to transport IP securely).
A RDBMS that can replicate over the net should be able to transparently
replicate over a VPN if you set up the VPN to encrypt all traffic.
There is nothing inherently wrong with using multiple security
layers (e.g. https over IPSEC over SSH tunnel over WEP-enabled
802.11g, although this is a bit extreme) unless the overhead just
gets to be unacceptable.

MySQL supports replication over a SSL database connection, by itself
without needing to install a VPN. (Having both is not an unreasonable
choice, though).

Is there a need for users of this database to access data on the
road, away from their VPNs? For example, several family members
are on a trip, there's an accident, and one of them urgently needs
medical history information for one of the others.

d) Other secure method that I have not yet mentioned.
Another thing to think of is encrypting data *IN* the database, and
if you do that, how you manage keys. Presumably some of this info
is being kept to ensure that it is available if the owner of the
data dies, which may make this option less desirable.
Anyone has good ideas on how to implement such a systems?


First, you need to decide on your security policy (especially the part about
legitimate users snooping on other legitimate users data). You also need to
decide what functions are needed. A RDBMS can generally "search on anything"
but a web page, unless it lets you enter an arbitrary SQL query, usually doesn't.

Gordon L. Burditt
Jul 17 '05 #6
Sarah Tanembaum wrote:
I was wondering if it is possible to create a secure database system
using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web
scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination?

I have the following in mind:

I wanted to store all my( and my brothers and sisters) important
document
information such as birth certificate, SSN, passport number, travel
documents, insurance(car, home, etc) document, and other important
documents
imagined in the database.

they are actually going to allow you to do this?? I certainly
wouldn't... because if you didn't do it right, all of you would be
subject to identity theft.

<snippage>

Michael Austin.
Jul 17 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

7
3277
by: Norm | last post by:
Hi All, I have an MDB file which I want to remain secure. It checks for certain parameters upon startup, and will automatically exit if the program is opened/executed by an unauthorized user. My concern is that somebody could read the MDB file using a utility such as MDB Tools (http://mdbtools.sourceforge.net/) and then export the data from my file. I have not used this tool, so is that actually possible using this or some other...
4
1455
by: Sarah Tanembaum | last post by:
I was wondering if it is possible to create a secure database system using RDBMS(MySQL, Oracle, SQL*Server, PostgreSQL etc) and web scripting/programming language(Perl, PHP, Ruby, Java, ASP, etc) combination? I have the following in mind: I wanted to store all my( and my brothers and sisters) important document information such as birth certificate, SSN, passport number, travel documents, insurance(car, home, etc) document, and other...
5
1911
by: DraguVaso | last post by:
Hi, I need a SECURE way to copy parts of a file. I'm having files which contains a whole bunch of records. In one 'fysical' file I'm having one or more logical files. What I need to do is to copy a logical file (a part of the fysical file) into a new file. But the 'big' problem is: these records contains bankstatements, so I can't take the risk that there would be a record missing, or even one little charachter. The copy I make has to...
7
4978
by: Robert Seacord | last post by:
The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. We have already developed significant content for the C programming language that is available at: https://www.securecoding.cert.org/ by clicking on the "CERT C Programming Language Secure Coding Standard"
14
4934
by: knal | last post by:
Hi there, I'm looking for a secure login script for a sort-of-community site... (PHP, MySQL, sessions, or maybe something else ... ) I know there are a lot of scripts out there, but none of them really seem secure, or have other kind of flaws (like IP based login etc.). Why i'm asking here, is because there's experience out there, and i hope experience can tell me what my best shot is. I'm aware that i will very probably have to do...
3
4588
by: Raqueeb Hassan | last post by:
Hello, Given the idea of having voter ID card for all the citizens of Bangladesh, I was thinking of assessing few things before it actually starts. The election commission, the government agency responsible for issuing voter ID cards in Bangladesh might plan to use this - not only to hold a fair election but to facilitate its citizen to establish their credentials seeking access to all government and other commercial privileges - from...
1
1147
by: osid | last post by:
Suppose you are provided with several computer systems on the market. The systems include hardware, system software, applications, operating systems, DBMS and many others. Is it possible to enhance one of the computer systems such that it can be customized to be a totally standalone system, so much so that the system only processes and outputs the required results, no other external inputs and no upgrade of the system are required. Will this...
6
1646
by: =?Utf-8?B?Q3JhaWc=?= | last post by:
If I have an application that I send out to users, and the application interacts with the database (behind the scenes, no direct sql creation by the users)....do webservices make the app more secure? I always thought of webservices as just a good way to allow users to have an API for them to interact with the database, but are webservices useful if the user never really knows that they are there?
46
2194
by: RAZZ | last post by:
Hello, Can anyone suggest me solution? I Need to manage different types of documents (doc,xls,ppt etc) in server. I have folder structure to maintain these documents in server. Say folder1 is having all doc files; folder2 is having all xls files and so on. Now these documents should not be able to get access through the url
0
9979
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, weíll explore What is ONU, What Is Router, ONU & Routerís main usage, and What is the difference between ONU and Router. Letís take a closer look ! Part I. Meaning of...
0
9823
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
11234
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10827
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
10463
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
7170
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5854
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
6049
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4681
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.