Server-Side Database Credentials: A Security Enhancing Approach for Database Access

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 814))

Abstract

Database applications are a pervasive tool that enables businesses to make the most of the data they collect and generate, and they can also be used to provide services on top of such data that access, process, modify and explore it. The work this paper extends argued that when client applications that access a database directly run in public or semi-public locations that are not highly secured (such as a reception desk), the database credentials they use could be stolen by a malicious user. To prevent this, solutions such as virtual private networks (VPNs) can be used to secure access to the database. However, among other problems, a VPN can be bypassed in an internal attack, where the database is accessed from within the business network. A methodology called Secure Proxied Database Connectivity (SPDC) is presented that aims to push the database credentials out of the client applications and to divide the information required to access them between a proxy and an authentication server, while still supporting the existing tools and protocols that provide access to databases, such as JDBC. This paper shows and further details the approach in terms of attack scenarios, implementation and discussion.



Acknowledgements

This work is funded by National Funds through FCT - Fundação para a Ciência e a Tecnologia under the project UID/EEA/50008/2013 and SFRH/BD/109911/2015.

Author information

Corresponding author

Correspondence to Diogo Domingues Regateiro.


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Regateiro, D.D., Pereira, Ó.M., Aguiar, R.L. (2018). Server-Side Database Credentials: A Security Enhancing Approach for Database Access. In: Filipe, J., Bernardino, J., Quix, C. (eds) Data Management Technologies and Applications. DATA 2017. Communications in Computer and Information Science, vol 814. Springer, Cham. https://doi.org/10.1007/978-3-319-94809-6_11

  • DOI: https://doi.org/10.1007/978-3-319-94809-6_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-94808-9

  • Online ISBN: 978-3-319-94809-6

  • eBook Packages: Computer Science (R0)
