
Advanced Database Security and Encryption IJERTCONV4IS21016

The document discusses database security and encryption techniques. It begins by outlining some common database security threats such as excessive privilege abuse, legitimate privilege abuse, privilege elevation, and SQL injection. It then reviews literature on database security controls like access control, information flow control, cryptographic control, and inference control. The document also discusses establishing different security policies and layers of access at the database administrator, system administrator, security officer, developer, and employee levels to enhance database security. Finally, it proposes using database encryption as a service to enable applications to access encrypted data while protecting data privacy against outsiders and untrusted database users.


Special Issue - 2016 International Journal of Engineering Research & Technology (IJERT)

ISSN: 2278-0181
ICRET - 2016 Conference Proceedings

Advanced Database Security and Encryption


Anil Dixit
Research Scholar
Jain University, Bangalore
Karnataka – 560027, India

Dr. Suchithra R
Jain Global Campus, Jain University
Jain University, Bangalore
Karnataka – 560027, India

Abstract: Data is more or less a part of the daily life of every Organization, Enterprise, State and Country. At the top of the agenda is safeguarding that data from getting into the wrong hands. Choosing a database for an entity is an important decision that could save it from future embarrassment and loss, be it social or commercial. Open source and Commercial databases are available in the market, wherein the latter is not viable commercially. This survey paper describes database security threats, various ploys and suitable techniques to counter them. There are many threats to databases that leak information for prohibited purposes. The main threats in database security are Excessive Privilege Abuse, Legitimate Privilege Abuse, Privilege Elevation, Database Platform Vulnerabilities, SQL Injection, Weak Audit Trail, Denial of Service, Database Communication Protocol Vulnerabilities, Weak Authentication and Backup Data Exposure. The main methods to secure a database from attackers/intruders are Cryptography, Steganography and Access Control.

Keywords: Security, Threats, breaches, DoS, SQL, Cryptography, Encryption, Rootkits, Encryption, Database, Security, Encryption and Access Control.

I. INTRODUCTION

Information or data is a valuable asset in any organization. Almost all organizations, whether social, governmental, educational etc., have now automated their information systems and other operational functions. They maintain databases that contain crucial information, so database security is a serious concern. To go further, we shall first discuss what database security actually is. Protecting the confidential/sensitive data stored in a repository is database security. It deals with making the database secure from any form of illegal access or threat at any level. Database security demands permitting or prohibiting user actions on the database and the objects inside it. Organizations that are running successfully demand the confidentiality of their database. They do not allow unauthorized access to their data/information, and they also demand the assurance that their data is protected against any malicious or accidental modification. Data protection and confidentiality are the security concerns. Figure 1 below shows the properties of database security, which are: confidentiality, integrity and availability [6] [7] [8].

II. LITERATURE SURVEY

As discussed previously, confidentiality imposes limits on retrieving secure data and thereby averts illegal access to the data. Integrity means that the data will not be tainted in any way. Availability of data on time is the property of secure databases. [1][5]

There are four types of controls mentioned by Denning [1] to obtain database protection. These include: access control, information flow control, cryptographic control and inference control.

Access control ensures that all direct accesses to the system are authorized. Access control governs who can access the system's objects. Often important information or data is leaked or misused not because of defective access control but because of improper information flow. When policies for information flow are not properly defined, the system data is less protected. Cryptographic control secures the data by encrypting it. [1][2] Another approach has been adopted for securing databases: it has been discussed that, to make databases secure, different policies can be implemented at the organization level. Data/information is always a most important asset for any organization, whose security cannot be compromised. With the advances in technology, the risk to these valuable assets increases, so their security is a big challenge. In [8], different database security layers are defined, shown in figure (2) below. These layers are: database administrator, system administrator, security officer, developers and employee. For each layer some well-defined security policies have been anticipated.

Volume 4, Issue 21 Published by, www.ijert.org 1



These policies ensure security features, privacy, confidentiality and integrity. This study mainly focuses on issues in database security and the measures taken to solve those issues. Securing sensitive data from illegal access, theft and forging becomes a big challenge for different organizations, like government, non-government and private sectors. Encryption of data on the client or server side, where data is shared between different parties, is not sufficient. Basically the problem is to ensure that a semi-trusted database is secure or not. [6]

A new hypothesis for database encryption is proposed in which database encryption can be provided as a service to applications with unified access to the encrypted database. Using such an encrypted data management model, applications can concentrate on their core businesses and protect data privacy against both malicious outsiders and untrusted database service users without needing to know encryption details. [12]

Further we shall discuss what has actually been implemented to reduce/eliminate the security threats and how database security was enhanced in the past. And we shall see what needs to be done to secure a valuable asset, the databases of organizations.

Security Risks to Databases

An organization's enterprise database is subject to a prodigious variety of threats. Some serious threats are described in this document. This list is taken from a white paper presented by Imperva's Application Defense Center. [3]

Excessive Privilege Abuse - When users are granted access rights that allow them to perform tasks not included in their job, those rights can be used with harmful intent, leading to misuse of such privileges. As an example, consider a university in which an administrator is given access to all databases and holds the privilege to change the records of any student. This may lead to misuse such as changing the grades or marks of students, or changing the amount of a fine charged to any student. As a result, all users who perform different tasks are given a default level of privileges that grants access in excess.

Legitimate Privilege Abuse - Legitimate privilege abuse can take the form of misuse by database users, administrators or a system manager doing any unlawful or unethical activity. It includes, but is not limited to, any misuse of sensitive data or unjustified use of privileges.

Privilege Elevation - Excessive exposure leads to the discovery of flaws, which attackers take advantage of and which may result in a change of privileges, e.g. an ordinary user gaining administrative privileges. This could result in bogus accounts, transfer of funds, or misinterpretation of certain sensitive analytical information. Such flaws are also found in database functions, protocols and even SQL statements.

Database Platform Vulnerabilities - Vulnerabilities in previous operating systems such as Windows 98, Windows 2000, etc. may lead to data loss from a database, data corruption or denial-of-service conditions. For instance, the
Blaster worm created denial of service conditions from a vulnerability found in Windows 2000.

SQL Injection - Arbitrary SQL queries are executed on the server by a malicious attacker. In this attack an SQL statement is appended to a string supplied as input. This input should be validated by the server; if it is not validated, it may get executed. Through this, attackers may gain unrestricted rights to the whole database.

Weak Audit Trail - A database audit policy ensures automated, timely and proper recording of database transactions. Such a policy should be a part of the database security considerations, since all sensitive database transactions should have an automated record, and its absence poses a serious risk to the organization's databases and may cause instability in operations.

Denial of Service - This is an attack that prevents the legitimate users of a program/application/data from using or accessing that specific service. DoS can take place using different techniques. An attacker may get access to the database and try to crash the server; resource overloading, network flooding and data corruption can also be techniques for creating the conditions of a DoS attack. It is a serious threat for any organization.

Database Communication Protocol Vulnerabilities - A large number of security weaknesses are being identified in the database communication protocols of all database vendors. Fraudulent activity targeting these vulnerabilities can range from illegal data access, to data exploitation, to denial of service.

Weak Authentication - A weak authentication strategy renders databases more vulnerable to attackers. The identities of database users are stolen, or login credentials are obtained through some source, which then helps in modifying data or obtaining sensitive information. If authentication is not properly implemented and is weak, it helps the attacker to steal data.

Backup Data Exposure - Backup data exposure is an important threat that needs to be taken care of. Since backups on tapes, DVDs or any external media are exposed to high risks, they need to be protected from attacks such as theft or destruction. So far we have discussed some important threats to database security.

Now we shall see what can be done to limit these risks and threats.

Database Security Considerations

To eliminate security threats, every organization must define a security policy, and that security policy should be strictly enforced. A strong security policy must contain well-defined security features. Figure 2 shows some critical areas that need to be considered; they are explained below. [1][3][4]

Access Control - Access control ensures that all communications with the databases and other system objects are according to the policies and controls defined. This makes sure that no interference by any attacker occurs, either internally or externally, and thus protects the databases from potential errors, errors whose impact can be as big as stopping the firm's operations. Access control also helps in minimizing the risks that may directly impact the security of the database on the main servers. For example, if any table is accidentally deleted or access is modified, the results can be rolled back, or, for certain files, access control can restrict their deletion.

Inference Policy - An inference policy is required to protect the data at a certain level. It applies when interpretations drawn from certain data, in the form of analysis or facts, are required to be protected at a higher security level. It also determines how to protect the information from being disclosed.

User Identification/Authentication - User identification and authentication is the basic necessity to ensure security, since the identification method defines the set of people that are allowed to access data and provides a complete mechanism of accessibility. To ensure security, the identity is authenticated, which keeps the sensitive data safe from being modified by any ordinary user.

Accountability and auditing - Accountability and audit checks are required to ensure the physical integrity of the data, which requires defined access to the databases, and that is managed through auditing and record keeping. It also helps in the analysis of information held on servers for authentication, accounting and access of a user.

Encryption - Encryption is the process of concealing or transforming information by means of a cipher or a code so that it becomes unreadable to all people except those who hold a key to the information. The resulting encoded information is called encrypted information.

Data is a valuable asset of an organization, so its security is always a big challenge. In recent times the security of shared databases was studied from a cryptographic viewpoint. A new framework was proposed
in which different keys are used by different parties to encrypt the databases in assorted form, named the Mixed Cryptography Database (MCDB). [6]

Different governmental, non-governmental, private and many other organizations have sensitive data on web servers that really needs to be protected from attackers or intruders. To make databases secure, different security techniques were developed. One of them is encryption. Though encryption improves protection, its implementation decisions are also very important, such as what, how, when and where to encrypt. Figure 4 below shows where encryption takes place. Developing encryption strategies also raises some important questions, like how, when and where the encryption will be performed. Encryption algorithm, key size and key protection are the parameters that ensure security. The better the encryption algorithm used, the better the security will be. Along with a strong encryption algorithm, an appropriate mode of operation is also very important. To overcome the problem of unauthorized access to keys, two solutions were proposed: the HSM and the security server approach. Even after the addition of a security server or HSM, which lessens the disclosure of encryption keys, the database is still vulnerable to threats.

To protect databases, encryption techniques are widely used. Implementing encryption on databases is, though, not an easy task [9], but it is generally known as one of the key concerns of data security. To preserve data privacy while providing enhanced data sharing, an innovative encryption scheme is proposed. Secure data is protected and key management is done efficiently, which helps to share the encrypted data easily. Encryption provides confidentiality in databases.

Whether the encryption algorithm is symmetric or asymmetric is not explained in this framework. Query processing performance is badly affected by these algorithms. The encryption algorithms affect the performance of query processing and security analysis. Other important research issues related to this framework are: first, the best encryption algorithm to use in the mixed cryptography database from performance and security perspectives; second, the access control methods used to control access for all parties using the database; and finally, indexing and joining between different databases.

According to [7], it does not matter which access control method is used; there are a number of ways to bypass the authorization enforced by the database server. For instance, an intruder can break into the information system and try to mine the database footprint on disk. Databases are also being outsourced to database service providers (DSPs), which invites further threats. The database owner has no other choice than to trust the DSPs. Then the database administrator can also misuse his rights and spy on the database.

Three encryption levels are defined: storage-level encryption, database-level encryption and application-level encryption. Storage-level encryption encrypts the data in the storage subsystem. It is transparent and thus avoids the risk of any change in the existing application. In storage-level encryption it has to be guaranteed that no copy is left unencrypted, so it is risky to encrypt files selectively (e.g. temporary files, log files etc.). Database-level encryption is performed when the data is saved to or recovered from the database. It is part of the database design. Here encryption can be done at selective granularities, such as rows, columns or tables. For both storage-level and database-level encryption strategies, the encryption keys must be available at the server side to decrypt the data. The third, application-level encryption, is performed within the application. When the selection of keys and encryption granularity is made in application logic, it provides the highest flexibility.

A model has been proposed that addresses the threats confronted by the database. Randomly generated working keys are used by the user to encrypt the data. The private key is decrypted in order to see the encrypted data.

The evolutionary trend of technology has eliminated the notion of boundaries on access to any medium of data. This limitless access has made the world smaller, bringing it closer via the click of a mouse, but it also increases the threat of security breaches, especially for the global business environment. Responding to such issues, Transparent Data Encryption technology has been formulated and has evolved to offer secure solutions. Encryption is defined as encoded information that is only readable and decodable by the persons for whom the information is intended. This study discusses how Transparent Data Encryption technology is utilized to secure against data fraud and theft. The basic technological meaning of Transparent Data Encryption is encoding or encrypting databases on networks, hard disks and/or any backup media to provide highly configurable, transparent, safe and secure environments for application development. Microsoft SQL Server 2008 uses this technology to encrypt database content stored on any network, disk or backup medium, along with the process of creating a Master Key. This involves creation of the key, protection by the certificate
and ways to set the database to use encryption in Microsoft SQL Server. This study investigates what Microsoft SQL Server's configurable environment has to offer in terms of data safety, security and application development for developers. [10]

In [11], a new lightweight encryption method is proposed that is used for columns stored in data warehouses with trusted servers. The new method is called Fast Comparison Encryption (FCE). Its low overhead makes the comparison fast and efficient. So far we have discussed the work done on database security using encryption. The next section will present a comparison of the studies discussed so far.

Comparative Analysis

In this section a comparative analysis is performed by taking three factors from each paper discussed in the literature survey above.

Encryption in Databases

Table 1 below explains how encryption is performed in databases, what methods and algorithms are used and where it is implemented. The different techniques or methods used to encrypt the data are identified in Table 1. Table 2 then gives the comparison of those methods/techniques.

Table 1: Encryption in Databases

| Paper | Methods/Techniques | Algorithm | Where encryption can be performed |
|---|---|---|---|
| A Novel Framework for Database Security based on Mixed Cryptography [6] | Mixed Cryptography Technique based on data classification methods | Any symmetric encryption algorithm can be used | Encryption is done at: Client side; Untrusted database; Server |
| Database Encryption [7] | Hash Security Module Encryption Strategy | State-of-the-art algorithm and mode of operation should be used. | Encryption can be at: Storage Level; Database Level; Application Level |
| A Database Encryption Scheme for Enhanced Security and Easy Sharing [9] | Combination of conventional encryption and public key encryption, utilizing the speed of conventional encryption and the convenience of public key encryption. | X | X |
| Transparent Data Encryption- Solution for Security of Database Contents [10] | Transparent Data Encryption used by Master database key | X | Page Level |
| Fast, Secure Encryption for Indexing in a Column-Oriented DBMS [11] | Fast Comparison Encryption | Symmetric encryption algorithm | Data warehouses |

Table 2: Comparison of Encryption Methods/Techniques

| Methods/Techniques | Advantages | Disadvantages / Limitations |
|---|---|---|
| Mixed Cryptography Technique based on data classification methods | Sensitive data is protected from attacks even at multiple levels because of having many keys to different parties. Secure data storage and data transmission is performed to ensure the maximum protection of sensitive data. | Performance of queries and security analysis is affected because of encryption algorithms. Access control methods are not defined. |
| Hash Security Module Encryption Strategy | Security server is not tampered. Encryption keys are never exposed. | Complex |
| Transparent Data Encryption used by Master database key | Provides protection to sensitive data on disk drives and backup media from illegal access. Cost of user management is reduced. Provides privacy management. | Encryption across communication channels is not provided. Database could not be opened if the certificate is not available and the backup of certificate and private key is not maintained. Database becomes inaccessible after altering the certificates to be password protected. |
| Fast Comparison Encryption | Fast indexing operation. Low decryption overhead. | |


The following section will give an empirical analysis.

Empirical Analysis

This empirical study is done by keen observation of the literature, from which results are then drawn. The frequency of benchmarks in the different papers that were under consideration is shown below in a table.

Frequency - Frequency is the number of occurrences of a recurring issue. The frequency is calculated in such a way that a paper which has an issue not common to any other paper is evaluated as having frequency "1", whereas papers which have common issues have been given a frequency equal to the number of papers having that issue. The frequency calculation has been shown in Table 3.

With the help of the data obtained in Table 1 we can also calculate the percentage and criticality, as shown in Table 2.

The percentage out of 5 papers, frequency and criticality have been shown in Table 3.

Criticality - To find the measure of the frequency of occurrence of an issue, the criticality factor is divided into four parts, i.e. Medium, Moderate, High and Very High. The percentage range for criticality is defined below:

CONCLUSION

Data is a most valuable property of any organization. Security of sensitive data is always a big challenge for an organization at any level. In today's technological world, databases are vulnerable to hosts of attacks. In this study the major security issues faced by databases are identified and some encryption methods are discussed that can help to reduce
the risk of attacks and protect the sensitive data. It has been concluded that encryption provides confidentiality but gives no assurance of integrity unless we use some digital signature or hash function. Using strong encryption algorithms reduces performance. Future work could be carried out to make encryption more effective and efficient.
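
The conclusion's point that encryption gives confidentiality but no assurance of integrity without a digital signature or hash function can be shown with a stored value that is changed by a party holding no key. This is an added example, not code from the paper: the HMAC-based stream cipher is a standard-library stand-in for a real cipher, and the function names and the sample record are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 used as a PRF in counter mode.

    Assumption for this example only; a real system would use a vetted
    cipher. It is malleable in the same way as any XOR stream mode.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(enc_key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append a keyed hash over nonce and ciphertext."""
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; reject modified stored values."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("stored value is too short")
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored value failed integrity check")
    return decrypt(enc_key, blob)


def modify_stored_byte(stored: bytes, offset: int, old: int, new: int) -> bytes:
    """Model a change made to the stored bytes by a party without any key."""
    changed = bytearray(stored)
    changed[NONCE_LEN + offset] ^= old ^ new
    return bytes(changed)


def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    record = b"student=bob;grade=C"  # constructed sample column value
    pos = record.index(b"C")

    # Encryption alone: the altered value decrypts without any error.
    altered = modify_stored_byte(encrypt(enc_key, record), pos, ord("C"), ord("A"))
    silently_changed = decrypt(enc_key, altered)

    # Encryption plus keyed hash: the same alteration is rejected.
    sealed = modify_stored_byte(seal(enc_key, mac_key, record), pos, ord("C"), ord("A"))
    try:
        open_sealed(enc_key, mac_key, sealed)
        detected = False
    except ValueError:
        detected = True
    return silently_changed, detected


if __name__ == "__main__":
    print(demo())
```

The encryption key and the MAC key are kept separate here, so a component that only verifies stored values does not need the ability to decrypt them.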

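For the SQL Injection threat described under Security Risks to Databases, the following added example (not code from the paper) contrasts a query built by string concatenation with a parameterized one, using Python's sqlite3 module. The grades table, the function names and the inputs are constructed for illustration, following the paper's university example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory grades table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (student TEXT, course TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO grades VALUES (?, ?, ?)",
        [("alice", "DB101", "A"), ("bob", "DB101", "C"), ("o'brien", "DB101", "B")],
    )
    return conn


def grades_concatenated(conn, student):
    # Vulnerable form: the input becomes part of the statement text, so the
    # server parses whatever the caller typed as SQL.
    sql = "SELECT student, grade FROM grades WHERE student = '" + student + "'"
    return conn.execute(sql).fetchall()


def grades_parameterized(conn, student):
    # Hardened form: the statement text is fixed and the input is bound as a
    # value, so quotes and keywords inside it are never parsed as SQL.
    sql = "SELECT student, grade FROM grades WHERE student = ?"
    return conn.execute(sql, (student,)).fetchall()


# Constructed input: closes the string literal and adds an always-true test.
CRAFTED_INPUT = "nobody' OR '1'='1"


def compare(student):
    """Return (concatenated-query rows or error text, parameterized-query rows)."""
    conn = make_db()
    try:
        concatenated = grades_concatenated(conn, student)
    except sqlite3.OperationalError as exc:
        concatenated = "error: " + str(exc)
    return concatenated, grades_parameterized(conn, student)


if __name__ == "__main__":
    for value in ("bob", CRAFTED_INPUT, "o'brien"):
        print(repr(value), compare(value))
```

The third input shows that concatenation is also a correctness defect: a legitimate name containing an apostrophe breaks the concatenated statement, while the parameterized query returns the expected row.
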
REFERENCES

[1] Ahmad Baraani-Dastjerdi; Josef Pieprzyk; Reihaneh Safavi-Naini; Security In Databases: A Survey Study, 1996
[2] http://en.wikipedia.org/wiki/Database_security
[3] Amichai Shulman; Top Ten Database Security Threats, How to Mitigate the Most Significant Database Vulnerabilities, White Paper.
[4] Tanya Baccam; Making Database Security an IT Security Priority, A SANS Whitepaper – November 2009
[5] http://www.freetechexams.com/computerstips/computer-tips/database-security.html
[6] Kadhem, H.; Amagasa, T.; Kitagawa, H.; A Novel Framework for Database Security based on Mixed Cryptography; Internet and Web Applications and Services, 2009. ICIW '09. Fourth International Conference on; Publication Year: 2009, Page(s): 163 – 170
[7] Luc Bouganim; Yanli Guo; Database Encryption; Encyclopedia of Cryptography and Security, S. Jajodia and H. van Tilborg (Ed.) 2009, page(s): 1-9
[8] Khaleel Ahmad; Jayant Shekhar; Nitesh Kumar; K.P. Yadav; Policy Levels Concerning Database Security; International Journal of Computer Science & Emerging Technologies (E-ISSN: 2044-6004), Volume 2, Issue 3, June 2011, page(s): 368-372
[9] Gang Chen; Ke Chen; Jinxiang Dong; A Database Encryption Scheme for Enhanced Security and Easy Sharing; Computer Supported Cooperative Work in Design, 2006. CSCWD '06. 10th International Conference on; Publishing year 2006, page(s): 1 - 6
[10] Dr. Anwar Pasha Abdul Gafoor Deshmukh; Transparent Data Encryption- Solution for Security of Database Contents; (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 2, No.3, March 2011
[11] Tingjian Ge; Stan Zdonik; Fast, Secure Encryption for Indexing in a Column-Oriented DBMS; 2007 IEEE 23rd International Conference on Data Engineering (2007), Publisher: IEEE, Page(s): 676-685.
[12] Lianzhong Liu and Jingfen Gai; A New Lightweight Database Encryption Scheme Transparent to Applications; Published in Industrial Informatics, 2008. INDIN 2008. 6th IEEE International Conference, Issue Date: 13-16 July 2008, page(s): 135 - 140
