UHCL CSCI 5931 - Securing Database

This preview shows page 1-2-3-19-20-38-39-40 out of 40 pages.


Outline of slide titles: Securing a Database; Topics; JDBC Basics; Securing a database; Securing the JDBC driver transmission; SSL-Tunneling; The SSL-Tunneling Approach; Query processing; Response processing; Example 1: The Tunnel Server; Securing the JDBC Driver Transmission; The JDBC Driver Proxy; The JDBC Driver; Securing Data in the Database; Example3: Encrypting credit cards; Secure Thin JDBC Connection; Reference

Slide 1: Securing a Database (slides dated 01/13/19)
Based on notes by Fei Li and Hong Li

Slide 2: Topics
Securing the connections to the database:
1. SSL-tunneling between client machine and database machine
2. A secure JDBC driver
Securing the data within a database
Secure Thin JDBC Connection Sample

Slide 3: JDBC Basics
JDBC is a Java API for executing SQL statements.
JDBC makes it possible to do three things:
1. establish a connection with a database
2. send SQL statements
3. process the results

Slide 4: Securing a database
Two points of attack against a database:
– The connection between clients and database
– The data in the database

Slide 5: Securing the JDBC driver transmission
Approach 1: SSL-tunneling
– Running a daemon on the client machine
– Advantage: simplicity and performance
– Disadvantage: insufficient authentication, especially if the client machine is a shared or multi-user environment
Approach 2: Proxy to JDBC drivers
– Developing a JDBC driver proxy
– Advantage: provides more security
– Disadvantage: much more complex

Slide 6: SSL-Tunneling
[Diagram: Client Machine (Client Application, TunnelServer) and Database Machine (TunnelServer, Database instance); SQL requests and responses on each machine, with an SSL socket between the two tunnel servers.]

Slide 7: The SSL-Tunneling Approach
Two instances of the tunnel server run, one on the client machine and the other on the database server machine.
Each instance serves as a proxy.
SSL-tunneling between the client application and the DBMS is a simple way to encrypt the database connection.

Slide 8: Query processing
Client Machine
• Client application: the JDBC client
• Client-side tunnel server: reads unencrypted data from the JDBC client; writes it to the database machine over SSL
Database Machine
• Server-side tunnel server: reads the encrypted data from the client-side tunnel server; sends it unencrypted to the DBMS over localhost
• Database server

Slide 9: Response processing
Client Machine
• Client-side tunnel server: reads encrypted data from the server-side tunnel server; writes it to the JDBC client
• Client application
Database Machine
• Database server: sends query result to the tunnel server
• Server-side tunnel server: reads the query result from the DBMS over localhost; sends it encrypted to the client-side tunnel server

Slide 10: The SSL-Tunneling Approach
[Diagram: the same components as slide 6, with the message flow numbered:]
1. SQL request
2. Encrypted SQL request
3. SQL request
4. SQL response
5. Encrypted SQL response
6. SQL response
• Assumption: Connections to localhost cannot be snooped. True or false?

Slide 11: Example 1: The Tunnel Server
Two classes:
– TunnelServer
– TunnelThread
TunnelServer class (p. 310)
– Correction: client (mRemote == false) or the server (mRemote == true)

    public TunnelServer (String server, int appPort, int tunnelPort, boolean remote) {
        super();
        mDestServer = server;
        mAppPort = appPort;
        mTunnelPort = tunnelPort;
        // false: client-side instance; true: server-side instance
        mRemote = remote;
        waitForConnections();
    }

Slide 12: Example1: The Tunnel Server
Get server socket, wait for connections, and create two instances of TunnelThread.

    private void waitForConnections() {
        ……
        serverSocket = getServerSocket();
        while (mListening) {
            try {
                logMessage("Waiting for connections.");
                srcSocket = serverSocket.accept();
                ……
                destSocket = connect();
                logMessage("Connected to remote server at "
                    + destSocket.getInetAddress() + ".");
                // one thread per direction
                fromClient = getTunnelThread("fromClient");
                toClient = getTunnelThread("toClient");
                ……

Slide 13: Example1: The Tunnel Server
The TunnelThread class (p. 315-316)
– Forwarding requests and responses

    /** Creates new TunnelThread
     * @param name a name for this thread
     */
    public TunnelThread(String name) {
        super(name);
        setDaemon(true);
    }

    /** Default constructor -- create a tunnel thread with a default name */
    public TunnelThread( ) {
        super( );
        setDaemon(true);
    }

    public void run ( ) { }

Slide 14: Example1: The Tunnel Server
Run the Tunnel Server with JDBC
1. Generate keystore/certificates for client and server: serverKeyStore, clientKeyStore (p.317)
2. Copy serverKeyStore to the database server; start the tunnel server on the server side (database machine)
3. Copy clientKeyStore to the client machine; start the tunnel server on the client side (client machine) (p.318)
4. Run a test application on the client machine

Slide 15: Example1: The Tunnel Server
Create Keystore

    >keytool -genkey -keyalg RSA -keystore serverKeyStore
    >keytool -genkey -keyalg RSA -keystore clientKeyStore

Slide 16: Example1: The Tunnel Server
Create Keystore
– Export the certificates

    >keytool -export -keystore serverKeyStore -file server.cer
    >keytool -export -keystore clientKeyStore -file client.cer

Slide 17: Example1: The Tunnel Server
Create Keystore
– Import the certificates

    >keytool -import -file client.cer -alias client -keystore serverKeyStore
    >keytool -import -file server.cer -alias server -keystore clientKeyStore

Slide 18: Example1: The Tunnel Server
Start the tunnel server on the server
– Copy serverKeyStore, TunnelServer.class, and TunnelThread.class to the database machine

    >java -Djavax.net.ssl.keyStore=serverKeyStore -Djavax.net.ssl.keyStorePassword=sps2020 -Djavax.net.ssl.trustStore=serverKeyStore com.isnetworks.crypto.net.TunnelServer localhost 1521 6543 remote

Exercise:
– Use the TunnelServer.java source code to trace the execution of the server-side TunnelServer and show its screen output.

Slide 19: Example1: The Tunnel Server
Start the tunnel server on the client
– Copy clientKeyStore, TunnelServer.class, and TunnelThread.class to the client machine

    >java -Djavax.net.ssl.keyStore=clientKeyStore -Djavax.net.ssl.keyStorePassword=cps2020 -Djavax.net.ssl.trustStore=clientKeyStore com.isnetworks.crypto.net.TunnelServer diamond.rocks.cl.uh.edu 1521 6543 local

Slide 20: Example1: The Tunnel Server
Run a test
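
Added example (not the course's or the book's TunnelServer): a compact Java tunnel that takes the same four arguments as the java commands above and shows two hardening choices the slides' discussion points to: the server side requires a client certificate, and the client side binds its plaintext listener to loopback only. The class name MiniTunnel and the helper pump are hypothetical.

```java
import java.io.*;
import java.net.*;
import javax.net.ssl.*;
// Added sketch, not the book's code. Keystore/truststore come from the javax.net.ssl.* properties.
public class MiniTunnel {
    // Copy bytes one way until EOF or error, then close both ends of the tunnel.
    static void pump(Socket from, Socket to) {
        byte[] buf = new byte[8192];
        try {
            InputStream in = from.getInputStream();
            OutputStream out = to.getOutputStream();
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } catch (IOException e) {
            // Peer closed, or the TLS handshake was rejected: fall through to cleanup.
        } finally {
            try { from.close(); } catch (IOException ignored) { }
            try { to.close(); } catch (IOException ignored) { }
        }
    }
    public static void main(String[] args) throws IOException {
        String destServer = args[0];
        int appPort = Integer.parseInt(args[1]);
        int tunnelPort = Integer.parseInt(args[2]);
        boolean remote = args[3].equals("remote");
        ServerSocket listener;
        if (remote) {
            // Database machine: only peers whose certificate is in the truststore (client.cer) get in.
            SSLServerSocket tls = (SSLServerSocket)
                    SSLServerSocketFactory.getDefault().createServerSocket(tunnelPort);
            tls.setNeedClientAuth(true);
            listener = tls;
        } else {
            // Client machine: plaintext listener on loopback only; other local users can still connect.
            listener = new ServerSocket(appPort, 50, InetAddress.getLoopbackAddress());
        }
        while (true) {
            Socket src = listener.accept();
            try {
                Socket dst = remote
                        ? new Socket(destServer, appPort)   // plaintext hop to the DBMS
                        : SSLSocketFactory.getDefault().createSocket(destServer, tunnelPort);
                new Thread(() -> pump(src, dst)).start();   // requests
                new Thread(() -> pump(dst, src)).start();   // responses
            } catch (IOException e) {
                src.close();   // destination unreachable: drop this connection
            }
        }
    }
}
```

Start it with the same -Djavax.net.ssl.* properties as the commands above. A keystore password passed as a -D option is visible in the process list to other users of the same machine.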

