Introduction to the security functions and implementation of the Yunxi cloud-native distributed database

1. Database security features

Database security refers to protecting a database against data leakage, alteration or destruction caused by illegal operations. Whether a system's protection measures are effective is one of the main technical indicators of a database system.

Security functions related to databases mainly include user authentication, multi-layer access control, auditing and data encryption. The following is an access control flow chart for database security protection:

1. User authentication

User authentication is the outermost layer of security protection provided by the database management system. Each user has a unique identity in the system, consisting of a user name and a user identification number (UID); the UID is unique over the entire life cycle of the system.

The identification of every legitimate user is recorded in the database; system identification means that the database provides some way for users to declare their names or identities. Each time a user accesses the database, the system checks this identification, and the right to use the database management system is granted only after authentication succeeds. There are many user identification methods, and a single system often combines several of them to obtain stronger security. Commonly used user authentication methods are as follows:

Static password authentication:

This is the most commonly used identification method. The static password is generally set by the user; as long as the correct password is entered when required during authentication, the system allows the user to use the database management system. Because these passwords are static they can be cracked relatively easily, and once cracked, an illegal user can impersonate the legitimate user to use the database. Therefore, although this method is simple, it is easy to attack and offers low security.

Dynamic password authentication:

This is currently the most secure identification method. Its password changes dynamically: each authentication uses a newly generated password to log in to the database management system. Compared with static password authentication, this method increases the difficulty of password theft or cracking, and its security is relatively high.

Biometric Identification:

This is a technology for authentication through biometric characteristics: the unique and stable characteristics an organism possesses that can be measured, identified and verified, such as fingerprints, irises and palm prints. The method implements biometric authentication using technologies such as image processing and pattern recognition. Compared with traditional password authentication it is a qualitative leap and provides higher security.

Smart Card Authentication:

A smart card is a non-replicable piece of hardware: a chip with a built-in integrated circuit and hardware encryption capability. The smart card is carried by the user, who inserts it into a dedicated card reader for authentication when logging in to the database management system. Since the data read from the smart card is the same every time, the user's authentication information can be intercepted through techniques such as memory scanning or network monitoring, which poses a security risk. Therefore, in practice a smart card is generally combined with a personal identification number (PIN).


2. Access Control

The most important point of database security is to ensure that only qualified users are authorized to access the database and that no unauthorized person can access the data; this is mainly achieved through the access control mechanism of the database system. Database systems generally provide two access control mechanisms: discretionary access control and mandatory access control.

2.1 Discretionary Access Control (DAC)

Discretionary access control is also often referred to as permission control. Users have different read and write permissions on different database objects, different users have different permissions on the same object, and a user can delegate their own read and write permissions to other users. Discretionary access control is therefore highly flexible. Permission control authorizes a user through the GRANT statement and withdraws the permission through the REVOKE statement.

2.2 Mandatory Access Control (MAC)

Discretionary Access Control (DAC) can effectively control the reading and writing of sensitive data through an authorization mechanism. However, because a user's read and write restrictions on data are "discretionary", the user can freely decide who to grant read and write rights to, and whether to grant others the ability to authorize in turn. Under this authorization mechanism, "unintentional disclosure" of data may therefore occur.

In mandatory access control, all entities managed by the database management system are divided into two categories: subjects and objects. Subjects are the active entities in the system, including not only the actual users managed by the database management system but also the processes acting on behalf of those users. Objects are the passive entities in the system that are manipulated by subjects, including files, base tables, indexes and views. The database management system assigns a sensitivity label to every instance of a subject or object.

A subject's sensitivity label is called its license level, and an object's sensitivity label is called its security level. For any database object, only users holding a valid license may read or write it. The mandatory access control mechanism decides whether a subject may operate on an object by comparing the subject's sensitivity label with the object's.

Access rules are generally based on the following two pairs of read and write rules, the confidentiality rules and the integrity rules:

Confidentiality rules

· A subject can read an object only when the subject's license level is higher than or equal to the object's security level (read down).

· A subject can write an object only when the subject's license level is lower than or equal to the object's security level (write up).

Integrity rules

· A subject can read an object only when the subject's license level is lower than or equal to the object's security level (read up).

· A subject can write an object only when the subject's license level is higher than or equal to the object's security level (write down).

Discretionary access control and mandatory access control together constitute the security mechanism of the database management system. The system first performs the discretionary access control check; it then automatically performs the mandatory access control check on the database objects that passed the discretionary check and were allowed to be read or written. Only subjects that pass both checks can access the database objects.
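
The two rule pairs and the DAC-then-MAC ordering, as an added Python example that is not from the page: the sensitivity lattice, the user names and the grant table are constructed for illustration.

```python
# Sensitivity labels as an ordered lattice (constructed for this example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def confidentiality_allows(license_level, security_level, op):
    """Confidentiality rules: read down (subject >= object), write up (subject <= object)."""
    s, o = LEVELS[license_level], LEVELS[security_level]
    return s >= o if op == "read" else s <= o


def integrity_allows(license_level, security_level, op):
    """Integrity rules: read up (subject <= object), write down (subject >= object)."""
    s, o = LEVELS[license_level], LEVELS[security_level]
    return s <= o if op == "read" else s >= o


class DbObject:
    """A database object with its MAC security level and a DAC grant table."""

    def __init__(self, name, security_level, grants):
        self.name = name
        self.security_level = security_level
        self.grants = grants  # user -> set of privileges obtained via GRANT


def check_access(user, license_level, obj, op, policy="confidentiality"):
    """DAC first; MAC is then applied only to objects that passed the DAC check."""
    if op not in ("read", "write"):
        raise ValueError("op must be 'read' or 'write'")
    if policy not in ("confidentiality", "integrity"):
        raise ValueError("policy must be 'confidentiality' or 'integrity'")
    needed = "SELECT" if op == "read" else "INSERT"
    if needed not in obj.grants.get(user, set()):
        return "denied by DAC"
    rule = confidentiality_allows if policy == "confidentiality" else integrity_allows
    if not rule(license_level, obj.security_level, op):
        return "denied by MAC"
    return "allowed"


# Constructed sample: a confidential table with two users holding different grants.
SALARIES = DbObject("salaries", "confidential",
                    {"alice": {"SELECT", "INSERT"}, "bob": {"SELECT"}})
```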

 

3. Audit

Database auditing is a system that supervises database operation behavior. It records database activity in real time and automatically writes all operations users perform on the database into the audit log. Auditors can use audit logs to monitor the various behaviors in the database. After a database security incident, they can find out who read or wrote data illegally, when, and what data was involved, which provides a basis for tracing, recovery and accountability.

Real-time alarms are provided for attacks and risky operations against the database so that managers can take timely measures to prevent data damage or theft. If database intrusions, abnormal database behavior or illegal database access are detected, real-time alarms can be sent via SMS, email and Syslog.

At the same time, the records of users' access to the database can be analyzed to produce different audit reports as required, such as comprehensive reports, compliance reports, special reports and custom reports.


4. Intrusion Detection

SQL injection is one of the more common network attacks. When a web application does not check the legitimacy of user input, or filters it loosely, an attacker can append additional SQL to the query statement predefined in the web application. In this way the database server is tricked into executing unauthorized arbitrary statements, through which the attacker obtains the corresponding data, and such illegal access leads to data leakage.


5. Data encryption

Data encryption stores the data in the database, especially sensitive data, in encrypted form, and is an effective means of preventing leakage of database data during storage and transmission. The basic idea of encryption is to transform the original plaintext data into an unrecognizable ciphertext format according to a certain algorithm, so that anyone who does not know the decryption key cannot learn the content of the data.

For storage encryption, a transparent storage encryption method is generally provided. Transparent storage encryption is a database kernel-level encryption protection method that is completely transparent to users. Non-transparent storage encryption is achieved by providing encryption functions that applications call explicitly.

Transparent database encryption is an encryption technology that has emerged to meet the confidentiality requirements of relational databases. "Transparent" means that users do not need to change their existing application systems or operating habits. When a user accesses the database through the application, they obtain plaintext data, whereas an unauthorized user who accesses the database through illegal means obtains ciphertext. Data is plaintext in the application and ciphertext in the database; once the data leaves its usage environment it cannot be opened, because the automatic decryption service is not available, and the data in the database is thus protected.

In contrast to transparent encryption, with non-transparent encryption the data is encrypted in the application system and then stored in the database; when the real data is needed, the ciphertext is read from the database and decrypted into plaintext. Users can freely choose which sensitive information needs encryption and which encryption method to use, instead of encrypting all data. Encrypting only part of the data in this way improves database access speed, which lets users choose their own balance between efficiency and security.


6. Inference control

Inference control deals with issues not addressed by mandatory access control. For example, a user may use the functional dependencies between columns to derive high-security-level information that they are not authorized to access from low-security-level information, thereby leaking information.

Database inference control is used to prevent users from using the data they can access to infer higher-level data: the user combines the results of several permitted queries with relevant domain background knowledge and the constraints between data items to deduce data they are not allowed to access. Commonly used inference control methods include inference control based on functional dependencies and inference control based on sensitive associations.
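
Inference control based on functional dependencies, as an added example (not code from the page or from Yunxi): the attribute closure tells which columns a user could derive from the columns they are allowed to access, and the schema and its dependencies are constructed for illustration.

```python
def attribute_closure(attrs, fds):
    """Closure of attrs under the functional dependencies fds (pairs of frozensets):
    every attribute that can be derived from attrs by applying the dependencies."""
    closure = set(attrs)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs <= closure and not rhs <= closure:
                closure |= rhs
                changed = True
    return frozenset(closure)


def inference_leaks(accessible, sensitive, fds):
    """Sensitive attributes a user could infer from the attributes they may access."""
    return attribute_closure(accessible, fds) & frozenset(sensitive)


def safe_projection(accessible, sensitive, fds):
    """Drop attributes from the end of the list until nothing sensitive is derivable,
    so list the columns the user needs most first."""
    kept = list(accessible)
    while kept and inference_leaks(kept, sensitive, fds):
        kept.pop()
    return kept


# Constructed schema employee(emp_id, name, dept, grade, salary, manager) and its FDs.
FDS = [
    (frozenset({"emp_id"}), frozenset({"name", "dept", "grade"})),
    (frozenset({"dept", "grade"}), frozenset({"salary"})),
    (frozenset({"dept"}), frozenset({"manager"})),
]
```

With these dependencies, a low-level user who may read name, dept and grade can reconstruct every salary, and withholding grade is enough to close that channel.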

In "GB/T 20273-2019 Information Security Technology - Database Management System Security Technical Requirements", inference control is no longer a required security function.


2. Security functions and implementation of the Yunxi database


1. Login authentication

1.1 Certificate Authentication

A digital certificate is a digital credential that identifies each party in a communication. At the same time, the transmitted information and data can be encrypted and decrypted using the certificate, which ensures the integrity and security of the information.

The Yunxi database can use the znbase cert command to create a CA certificate and key, and then create node and client certificates signed by that CA certificate. When a connection is established between nodes, or when a client establishes a connection with a node, the two sides use the CA certificate to verify each other's identity.

1.2 Password Authentication

To protect user information, the database system does not store the user's plaintext password directly; it stores the ciphertext obtained by encrypting the password. The encryption method generally used is an irreversible digest algorithm.

A digest algorithm hashes input of any length into a fixed-length output. Its main features are that the process requires no key and the output cannot be decrypted back to the input; the same input run through the same message digest algorithm always yields the same ciphertext, which is what makes verification possible.

To increase the difficulty of cracking passwords, salting is generally applied when a password is encrypted: additional information (the salt) is added to the plaintext password before the hash operation is performed. During verification the salt is retrieved, the same hash operation is applied to the salt and the plaintext password, and the result is compared with the ciphertext stored in the database.

At present, the Yunxi database supports three password encryption algorithms: BCRYPT, SM3 and PBKDF2.

The figure below shows the ciphertext obtained after encryption with the BCRYPT algorithm; it includes the number of hash rounds (the cost), the salt value and the hash value.
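
Salted password storage and verification as described above, as an added example that is not Yunxi's implementation: it uses PBKDF2-HMAC-SHA256 from the Python standard library (one of the three algorithms named) with a record layout of its own, and splits a BCRYPT string into the three fields the figure refers to. The bcrypt value is a constructed sample in that format, not a hash from the page.

```python
import base64
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 (chosen for this example; tune per deployment).
ITERATIONS = 200_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Salt, then hash; store algorithm, iteration count, salt and digest together."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2-sha256", str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Take the salt out of the stored record, redo the same hash, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    salt = base64.b64decode(salt_b64)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def parse_bcrypt(stored: str) -> dict:
    """Split '$2a$<cost>$<22-char salt><31-char hash>' into cost, rounds, salt and hash."""
    _, version, cost, payload = stored.split("$")
    if len(payload) != 53:
        raise ValueError("malformed bcrypt string")
    return {"version": version, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": payload[:22], "hash": payload[22:]}


# Constructed sample value in bcrypt format (not a hash taken from the page).
SAMPLE_BCRYPT = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
```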

1.3 Client Authentication

Client authentication is used to set the IP addresses allowed to access the database and the authentication method used for that access. It is configured through the cluster setting server.host_based_authentication.configuration, whose format is the same as that of PostgreSQL's pg_hba.conf configuration file.

Each record specifies a connection type, a client IP address range (if relevant to the connection type), a database name, a user name, and the authentication method to use for connections matching these parameters. The first record that matches the connection type, client address, database and user name requested for the connection is used to perform authentication.

The currently supported authentication methods are:

  1. cert: certificate-based authentication, for connections over SSL only
  2. cert-password: allow either certificate-based or password-based authentication over SSL connections
  3. password: password-based authentication over SSL connections
  4. trust: unconditionally allow matching connections
  5. reject: unconditionally reject matching connections

Note that authentication rules cannot be defined for non-SSL connections. Non-SSL connections are only available on databases running in insecure mode, and in insecure mode all authentication logic is completely disabled.
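
A parser and first-match selector for records in the pg_hba.conf format, as an added example that is not Yunxi's code: the connection-type keywords (host, hostssl, hostnossl) follow PostgreSQL, an address of all is an extension assumed here, and the sample configuration is constructed for illustration.

```python
import ipaddress


class HbaRule:
    """One record: connection type, database, user, client address range, method."""

    def __init__(self, conn_type, database, user, address, method):
        self.conn_type, self.database, self.user = conn_type, database, user
        self.address = address  # an ip_network, or None for "all"
        self.method = method


def parse_hba(text):
    """Parse pg_hba.conf-style text, keeping file order (order is significant)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
        conn_type, database, user, address, method = fields
        if conn_type not in ("host", "hostssl", "hostnossl"):
            raise ValueError(f"unsupported connection type {conn_type!r}")
        net = None if address == "all" else ipaddress.ip_network(address, strict=False)
        rules.append(HbaRule(conn_type, database, user, net, method))
    return rules


def _matches(pattern, value):
    return pattern == "all" or pattern == value


def select_method(rules, ssl, database, user, client_ip):
    """Return the method of the first matching record; no matching record means reject."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "hostssl" and not ssl:
            continue
        if r.conn_type == "hostnossl" and ssl:
            continue
        if not (_matches(r.database, database) and _matches(r.user, user)):
            continue
        if r.address is not None and ip not in r.address:
            continue
        return r.method
    return "reject"


# Constructed sample configuration (not a value from the page).
SAMPLE_HBA = """
# TYPE  DATABASE  USER   ADDRESS        METHOD
host    all       root   10.0.0.0/8     cert           # operators: certificate only
host    all       all    10.0.0.0/8     cert-password  # internal network
host    all       all    0.0.0.0/0      reject         # everything else
"""
```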

 

2. Permission Control

The table above shows the database objects that exist in the Yunxi database.

User permission information consists of three parts: the user, the object and the permission type. It is stored in the PrivilegeDescriptor within the Descriptor of each database object; the structure is shown in the figure below.

Users perform permission management through the GRANT/REVOKE statements and can grant their own permissions to other users (this requires the authorization capability, i.e. grantable is true). Note that authorization cannot be circular: as shown in the figure below, circular authorization would lead to cascading revocation of permissions and make the source of a permission untraceable. Users can only revoke permissions they granted themselves, not permissions granted by other users. When a permission is revoked, the permissions granted on the basis of it are revoked in cascade: as shown in the figure, when u1 revokes the permission granted to u2, the permission u2 granted to u3 and the permission u3 granted to u4 are also revoked.


When checking a user's permission, taking the permission check on a table as an example, the system first checks whether the table can be reached, i.e. it checks the USAGE permission on the database and the schema, and then checks whether the user holds the corresponding permission on the table. For column-level permissions (SELECT, INSERT, UPDATE), the permission on the corresponding column is also checked.

The permission check examines three sources (that is, a user's permissions come from three places): (1) whether the user is the owner of the object; (2) whether the user has been granted the corresponding permission directly; (3) whether a role the user belongs to has the corresponding permission.

The owner of a database object is, by default, its creator and holds all permissions on the object. Changing the owner is currently not supported. For the INSERT operation on an updatable view shown in the figure below, when a user inserts through the view, the system checks both whether the user has INSERT permission on the view and whether the view's owner has INSERT permission on the underlying table.
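
The grant chain, cascading revocation, the ban on circular authorization and the three-part permission check described above, as an added Python model that is not Yunxi's code: the Grant and DbObject classes, the roles mapping (user to set of role names) and the user names are simplifications assumed for the example.

```python
class Grant:
    """One entry in an object's privilege descriptor: who granted what to whom."""

    def __init__(self, grantee, privilege, grantor, grantable=False):
        self.grantee, self.privilege = grantee, privilege
        self.grantor, self.grantable = grantor, grantable


class DbObject:
    """A database object with its owner and grant list (stand-in for PrivilegeDescriptor)."""

    def __init__(self, name, owner):
        self.name, self.owner, self.grants = name, owner, []


def can_grant(obj, user, privilege):
    """The owner, or a holder of a grantable grant, may pass the privilege on."""
    return user == obj.owner or any(
        g.grantee == user and g.privilege == privilege and g.grantable for g in obj.grants)


def upstream(obj, user, privilege, seen=None):
    """Every user from whom `user` (transitively) received this privilege."""
    seen = set() if seen is None else seen
    for g in obj.grants:
        if g.grantee == user and g.privilege == privilege and g.grantor not in seen:
            seen.add(g.grantor)
            upstream(obj, g.grantor, privilege, seen)
    return seen


def grant(obj, grantor, grantee, privilege, grantable=False):
    """GRANT: refused if the grantor lacks grant ability or the grant would close a cycle."""
    if not can_grant(obj, grantor, privilege):
        raise PermissionError(f"{grantor} cannot grant {privilege} on {obj.name}")
    if grantee == obj.owner or grantee in upstream(obj, grantor, privilege):
        raise ValueError("circular authorization is not allowed")
    obj.grants.append(Grant(grantee, privilege, grantor, grantable))


def revoke(obj, revoker, grantee, privilege):
    """REVOKE: only the grantor may revoke; grants that depended on it are revoked in cascade."""
    victims = [g for g in obj.grants
               if g.grantee == grantee and g.privilege == privilege and g.grantor == revoker]
    if not victims:
        raise PermissionError(f"{revoker} did not grant {privilege} to {grantee}")
    obj.grants = [g for g in obj.grants if g not in victims]
    if not can_grant(obj, grantee, privilege):  # grantee lost its ability to grant
        for g in [g for g in obj.grants if g.grantor == grantee and g.privilege == privilege]:
            revoke(obj, grantee, g.grantee, privilege)


def has_privilege(obj, user, privilege, roles):
    """Three-part check: (1) owner, (2) direct grant, (3) grant to one of the user's roles."""
    if user == obj.owner:
        return True
    held = {g.grantee for g in obj.grants if g.privilege == privilege}
    return user in held or bool(held & roles.get(user, set()))


def can_insert_via_view(view, table, user, roles):
    """Updatable view: the user needs INSERT on the view, the view owner INSERT on the table."""
    return has_privilege(view, user, "INSERT", roles) and has_privilege(table, view.owner, "INSERT", roles)
```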

 

3. Audit

At present, operation behavior is audited, including most DDL and DCL operations. For the specific operation types, please refer to Chapter 7.5 Security Audit in the User Manual of the Yunxi NewSQL Distributed Database.

When the audit switch is turned on, the database records the corresponding operation information in the audit record table and the audit log. The recorded information includes the user, the operation time, the event type, the name of the accessed resource and the access result. For table-level DQL and DML operations, the audit switch must be turned on per table with the statement ALTER TABLE table_name EXPERIMENTAL_AUDIT SET READ WRITE.

Because DQL and DML operations are frequent, automatically auditing the read and write operations on all tables would generate a large number of audit records. Therefore users control for themselves which tables need to be audited.

The audit also supports email alarms: after the alarm rule for the corresponding operation is triggered, an email is sent to the preset mailbox. It is not always necessary to include every event in the scope of email alerts, so the disabled-event setting can be used to ignore operations that do not require alerts, for example: SET CLUSTER SETTING audit.event.disable.list="drop_database,drop_table";

In addition, to meet users' requirement to limit the length of SQL statements, the audit module adds a SQL length limit; the maximum allowed SQL statement length can be set through audit.sql.length.


4. SQL interception

The Yunxi database generates fingerprint rules by lexical analysis of the user's input, then matches them against the signature database using a binary search, and reports a SQL injection vulnerability if a match is found.

The SQL interception function is controlled by the audit.sql.inject.bypass.enabled parameter, which sets whether the SQL injection interception function is bypassed. When the value is true, SQL injection interception is bypassed and no SQL injection detection or interception is performed on the executed SQL statements; when the value is false, the SQL injection interception function is enabled. The default value is true.

When a statement with possible SQL injection is executed, for example SELECT (1 OR ( SELECT * FROM test));, an error is reported: sql with fingerprint of 'E(1&('.
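
Fingerprint generation and signature lookup in the style described above, as an added example that is not Yunxi's implementation: the token-class alphabet and the signature list are constructed for illustration, chosen so that the page's example statement yields a fingerprint that begins with 'E(1&('; the bypass flag of intercept() mirrors the default of audit.sql.inject.bypass.enabled.

```python
import re
from bisect import bisect_left

# Constructed token-class alphabet (not Yunxi's own scheme): keywords map to one letter,
# numbers to '1', strings to 's', comments to 'c', other identifiers to 'n';
# punctuation and operators are kept as they are.
KEYWORDS = {"SELECT": "E", "FROM": "F", "WHERE": "W", "OR": "&", "AND": "|",
            "UNION": "U", "INSERT": "I", "UPDATE": "P", "DELETE": "D", "DROP": "X"}
TOKEN_RE = re.compile(
    r"\s+|(?P<num>\d+(?:\.\d+)?)|(?P<str>'(?:[^']|'')*')"
    r"|(?P<cmt>--[^\n]*|/\*.*?\*/)|(?P<word>[A-Za-z_]\w*)|(?P<sym>.)", re.S)

# Constructed signature list, kept sorted so it can be searched with bisect.
SIGNATURES = sorted(["E(1&(", "W1=1", "Ws=s", "s&s=s", "1&1=1", "UE", "sc", "';X"])


def fingerprint(sql):
    """Lexically reduce a statement to its token-class string."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind is None:  # whitespace
            continue
        if kind == "word":
            out.append(KEYWORDS.get(m.group().upper(), "n"))
        elif kind == "sym":
            out.append(m.group())
        else:
            out.append({"num": "1", "str": "s", "cmt": "c"}[kind])
    return "".join(out)


def match_signature(fp, signatures=SIGNATURES):
    """Return the first signature occurring in fp; each candidate is looked up by binary search."""
    longest = max(len(s) for s in signatures)
    for i in range(len(fp)):
        for j in range(i + 1, min(len(fp), i + longest) + 1):
            cand = fp[i:j]
            k = bisect_left(signatures, cand)
            if k < len(signatures) and signatures[k] == cand:
                return cand
    return None


def intercept(sql, bypass=True):
    """Detection only runs when bypass is False; returns the error text or None."""
    if bypass:
        return None
    sig = match_signature(fingerprint(sql))
    return f"sql with fingerprint of '{sig}'" if sig else None
```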
