Design and Realization of Security Network Database.doc

1、1Design and Realization of Security Network Database( Department of Computer Science and Technology in Hulunbeier College ,Hulunbeier,Inner Mongolia 021008 China ) Abstract: This paper analyzes the functional design and structure design of the database security model networks, research and further r

2、ealize the key features of the model. The system is suitable for network security database management system, which has a certain universality and portability. Keywords: network database; security model; digital signature 0 Introduction With the development of network information technology, network

3、 information security is getting more and more attention of the society, and the network database system security is an important part of the network information security. Network database security access system should be defined security policy according to user needs, the installation environment,

4、 specifically relates to two levels, the first level is security, system operation such as: physical and 2safety of hardware. The second level is the security, system information such as: password authentication, access control, data encryption etc. This paper is mainly based on the access control t

5、echnology, and combined with the design of system security access to the encryption and communication technology of network database. 1 Design of database security model based on Network The security structure model of network database in paper research as shown in Figure 1. Key code of business pro

6、cessing and implementation are described in the following: module relates to the functions are: authentication, authorization and RBAC log record. Fig.1 Schematic diagram of the structure of network database security model 1.2 The authorization of RBAC control function Network database security mode

7、l is divided into ordinary user, members of the user and super user. According to the three categories of users, this paper established the role user, the purpose is to let the user access to the database according to the related authorization. Authorization mapping mechanism through the many to man

8、y role, that can be authorized into matrix role corresponding digital and database identifier 3corresponding to digital, the user role with the rows of the matrix to be expressed, and related database table with columns of the matrix representation. When the user passes the identity authentication,

9、role permissions corresponding identification number can be used as an important parameter, and transmitted to the interface module database role table, and the interface module is authorized processing module. Each time a user is authorized, must be with the help of the corresponding role of digita

10、l access to the database, and obtain power identification number corresponding to the corresponding access control, authorization. 1.3 Authentication of user identity In this paper, through the implementation of identity authentication user digital signature technology, authentication flow shown in

11、Figure 2 as shown in fig.: Fig.2 Schematic diagram of the authentication process of database security model The user authentication steps are described in the following: 1) the request of user is sent to the authentication server; 2) the authentication server receives a user request, at 4the same ti

12、me generation timestamp and the corresponding data feedback to the client; 3) the client sign based on the content that feedback by private key, and the result is transferred again to the authentication server; 4) the server directly be authentication according to the signature. Because the private

13、key corresponding to the client knows only, so the signature is - correspondence, the server can also resolve what users need and have the right to access to the database. 2 The detailed design of the network database security access system 2.1 System design of presentation layer Said layer that acc

14、ess by the network database security system is the first barrier, that is responsible to received, filter and submit the information for user. The presentation layer is mainly by means of the form appears, to the tree list displays the user name and the corresponding role, involves: user login ID, u

15、ser name, login time and power etc. Forms authentication of system design layer described below: (1)The user sends a connection request to the database, Internet Information Services allow connection requests to the 5database by. NET for be checked. When the user requests authentication, it can be d

16、irected to the login screen, the user must provide a user name and password before they can submit the corresponding login form. (2)The system for the user to provide a user name and password, according to the database to match the relevant information to verify, as verified by that distribution cor

17、responding roles. At the same time, create a Cookie and feedback to the client. This time, the roles can be temporarily stored in the corresponding first data field, the user can prevent the subsequent database connection requests sent repeatedly to get the role. (3)When the user is redirected to th

18、e original interface, the event handler creates an object Iprinicipal, and save the object in the HttpContext. Eventually, users will be related to operation of the database based on the different roles assigned login interface. In addition, the system involved in the presentation layer designed to

19、prevent SQL injection attacks. When performing SQL statements and stored procedure calls in the system, direct use Parameters collection, which can effectively achieve no matter what the user input characters can be processed as text, and can be checked on the character 6type and the length of terms

20、, there is no qualified character value, can have triggered an exception. But note that when there is an exception occurs SQL code, not directly to the SQL error to the user presentation layer, but should be recorded by the system error message and give the user some friendly message can be, so to a

21、void system exposure to some of the details, and provide access to the attacker. 2.2 Design of data access layer Security access systems that data access the network database primarily include encryption and decryption, and authentication authorization. Among them, the need for encryption and decryp

22、tion of data processed have three ways: the string connect to database, user password, the information that required to validate user input. The system through Secret class Encrypt encrypts information for the relevant data, and passes the ciphertext to the backend authentication server. Authenticat

23、ion server for encrypted information is based on a hash algorithm, and direct calls to Compute Hash hash method to calculate the parameters of information, combined with an array filled with random numbers after the return. Algorithm flow shown in Figure 3: Fig.3 Schematic diagram of the hash encryp

24、tion algorithm 7In addition, the authentication and authorization of data access layer are the matching user roles and database in the User- Role table information, the operation is to be performed in the in the User-Role table. In determining the user role: senior, ordinary or administrator, the sy

25、stem can implement different processes. For example: advanced users can achieve a common user role change, and role to delete; ordinary users can the role permissions based on, to access the database; the administrator can according to user role, change its permissions, even can directly modify the

26、User- Role list etc. 2.3 Design of data layer Data layer is mainly reflected in the database systems in a network database security access system architecture, which is aimed primarily at the database table. Depending on the security access system requirements for database functions, system tables a

27、re mainly related to basic message authentication, roles, and permissions and so on. Especially the authentication database, including: user information table, user login table, roles table, permissions table and so on. The data sheet for the stored procedure is a key feature of the data layer, the

28、design principle is: Based on the implementation of the Auth database table processing to obtain 8information, to provide user data with other roles, resources and authority issues, the data layer SQLServer stored procedure is mainly based on a custom stored procedures to be implemented. (1) Distrib

29、ution of system user roles and permissions CREATE PROC R-R-Dis RlID RigID ReID AS EXEC sp_add RlID GRANT RigID ON ReID To RlID SELECT RlNm = RlNm FROM Rl-Rig WHERE RlID = RlID . INSERT INTO Us-Rl VALUES (RigNm, RigID, RlNm, RlID, ResNm, ResID) This stored procedure will be able to call by administra

30、tor ,only to realize assign roles and permissions. The main parameters of the stored procedure from the Auth database Role-Right table, using a sp_add stored procedures, and the allocation of resources by means of GRANT privileges to the appropriate roles. (2) Revoke privileges CREATE PROC Rig-Del R

31、EVOKE RigID RsID FROM RlID DELETE * FROM Role-Right where RlID = RlID The stored procedure of privilege revoked, that can only be 9called directly by a user administrator privileges, the main role of the corresponding privileges removed. Users first stored procedure call system itself, followed by t

32、he role of the corresponding operating privileges revoked, and then delete the relevant records to the Role-Right on the table and then authentication database. (3) the signature authentication server function Signature authentication server mainly realize server authentication, involves: file syste

33、m corresponding to the public key in the initialization; network connection; the connection state real-time monitoring server port; generation timestamp and random number and feedback; receiving, client signature verification process and feedback etc. The key code to its realization are described in

34、 the following: Public static void main (String args)throws Exceptin PublicmainKey pKey = Repub (pubmainkey, File-name); / the corresponding public key of customer is obtained ServerSocket DD = new Serversocket (serPort); / generate the corresponding socket to detect of connection, Private static Pu

35、bicmainKey republicKey (String filenm) throw Exception / public key corresponding reading processing 10function . While (tB = files.read (=-1) !) Baos.read (tB); / / get the public key (4) To achieve the client authentication function To achieve the client authentication function mainly involves: re

36、ading the client users private key, and the decryption processing; open the connection with the server; need to obtain feedback from the servers signature data processing; feedback array signature and results of data; access to the server authorization Boolean value. The key to its realization are d

37、escribed in the following code: Public static void main (String args) throws Exception / access, read and interpret user corresponding private key Socket clientSocket = new Socket (cliethostnm,PORT); / The connection is opened IntoutFormServer. reF(data _BeSing);/ Gets the signature data Signature.sntue = Singature.gInstance (“MD5”); / The