Database access security: network authentication or data encryption?

Table of Contents

Designing for performance: Strategic database application deployments
An introduction to database transaction management
Executing SQL statements using prepared statements and statement pooling
Database access security: network authentication or data encryption?
Static SQL vs. dynamic SQL for database application performance
Improving ODBC application performance and coding
Selecting ODBC functions for optimized SQL statements
Guidelines for managing data updates to optimize ODBC performance

Copyright Info The Data Access Handbook by John Goodson and Robert A. Steward ISBN 0137143931 First Printing March 2009 Prentice Hall Professional

Extended Security

It is no secret that performance penalties are a side effect of extended security. If you've ever developed an application that required security, we're sure that you've discovered this hard truth. We include this section in the book simply to point out the penalties that go along with security and to provide suggestions for limiting these penalties if possible.

In this section, we discuss two types of security: network authentication and data encryption across the network (as opposed to data encrypted in the database).

If your database driver of choice does not support network authentication or data encryption, you cannot use this functionality in your database application.

Performance Tip To get the best performance possible when using Kerberos, place the Kerberos server on a dedicated machine, reduce the networking services run on this machine to the absolute minimum, and make sure you have a fast, reliable network connection to the machine.

Network Authentication
On most computer systems, an encrypted password is used to prove a user's identity. If the system is a distributed network system, this password is transmitted over the network and can possibly be intercepted and decrypted by malicious hackers. Because this password is the one secret piece of information that identifies a user, anyone knowing a user's password can effectively be that user.

In your enterprise, the use of passwords may not be secure enough. You might need network authentication.

Kerberos, a network authentication protocol, provides a way to identify users. Any time users request a network service, such as a database connection, they must prove their identity.

Kerberos was originally developed at MIT as a solution to the security issues of open network computing environments. Kerberos is a trusted third-party authentication service that verifies users' identities.

Kerberos keeps a database (the Kerberos server) of its clients and their private keys. The private key is a complex formula-driven value known only to Kerberos and the client to which it belongs. If the client is a user, the private key is an encrypted password.

Both network services that require authentication and clients who want to use these services must register with Kerberos. Because Kerberos knows the private keys of all clients, it creates messages that validate the client to the server and vice versa.

In a nutshell, here is how Kerberos works:

1. The user obtains credentials that are used to request access to network Services. These credentials are obtained from the Kerberos server and are in the form of a Ticket-Granting Ticket (TGT). This TGT authorizes the Kerberos server to grant the user a service ticket, which authorizes his access to network services.
2. The user requests authentication for a specific network service. The Kerberos server verifies the user's credentials and sends a service ticket to him.
3. The user presents the service ticket to the end server. If the end server validates the user, the service is granted.

Figure 2-9 shows an example of requesting a database connection (a network service) when using Kerberos.

An application user requests a database connection after a TGT has been obtained:

1. The application sends a request for a database connection to the Kerberos server.
2. The Kerberos server sends back a service ticket.
3. The application sends the service ticket to the database server.
4. The database server validates the client and grants the connection.

Figure 2-9 Kerberos

Even when you don't use Kerberos, database connections are performance-expensive; they can require seven to ten network round trips (see the section, "Why Connections Are Performance-Expensive," page 11, for more details). Using Kerberos comes with the price of adding more network round trips to establish a database connection.

Data Encryption Across the Network
If your database connection is not configured to use data encryption, data is sent across the network in a "native" format; for example, a 4-byte integer is sent across the network as a 4-byte integer. The native format is defined by either of the following:

• The database vendor
• The database driver vendor in the case of a driver with an independent protocol architecture such as a Type 3 JDBC driver

The native format is designed for fast transmission and can be decoded by interceptors given some time and effort.

Because a native format does not provide complete protection from interceptors, you may want to use data encryption to provide a more secure transmission of data. For example, you may want to use data encryption in the following scenarios:

• You have offices that share confidential information over an intranet.
• You send sensitive data, such as credit card numbers, over a database connection.
• You need to comply with government or industry privacy and security requirements.

Data encryption is achieved by using a protocol for managing the security of message transmission, such as Secure Sockets Layer (SSL). Some database systems, such as DB2 for z/OS, implement their own data encryption protocol. The way the database-specific protocols work and the performance penalties associated with them are similar to SSL.

In the world of database applications, SSL is an industry-standard protocol for sending encrypted data over database connections. SSL secures the integrity of your data by encrypting information and providing client/server authentication.

From a performance perspective, SSL introduces an additional processing layer, as shown in Figure 2-10.

Figure 2-10 SSL: an additional processing layer

Performance Tip To limit the performance penalty associated with data encryption, consider establishing a connection that uses encryption for accessing sensitive data such as an individual's tax ID number, and another connection that does not use encryption for accessing data that is less sensitive, such as an individual's department and title. There is one caveat here: Not all database systems allow this. Oracle and Microsoft SQL Server are examples of database systems that do. Sybase is an example of either all connections to the database use encryption or none of them do.

The SSL layer includes two CPU-intensive phases: SSL handshake and encryption.

When encrypting data using SSL, the database connection process includes extra steps between the database driver and the database to negotiate and agree upon the encryption/decryption information that will be used. This is called the SSL handshake. An SSL handshake results in multiple network round trips as well as additional CPU to process the information needed for every SSL connection made to the database.

During an SSL handshake, the following steps take place, as shown in Figure 2-11:

1. The application via a database driver sends a connection request to the database server.
2. The database server returns its certificate and a list of supported encryption methods (cipher suites).
3. A secure, encrypted session is established when both the database driver and the server have agreed on an encryption method.

Encryption is performed on each byte of data transferred; therefore, the more data being encrypted, the more processing cycles occur, which means slower network throughput.

SSL supports symmetric encryption methods such as DES, RC2, and Triple DES. Some of these symmetric methods cause a larger performance penalty than others, for example, Triple DES is slower than DES because larger keys must be used to encrypt/decrypt the data. Larger keys mean more memory must be referenced, copied, and processed. You cannot always control which encryption method your database server uses, but it is good to know which one is used so that you can set realistic performance goals.

Figure 2-12 shows an example of how an SSL connection can affect throughput. In this example, the same benchmark was run twice using the same application, JDBC driver, database server, hardware, and operating system. The only variable was whether an SSL connection was used.

Figure 2-12 Rows per second: SSL versus non-SSL

Figure 2-13 shows the CPU associated with the throughput of this example. As you can see, CPU use increases when using an SSL connection.

Figure 2-13 CPU utilization: SSL versus non-SSL

More on accessing data:

• Read the next section — Static SQL vs. dynamic SQL for database application performance.
• Intrigued by this book excerpt? Download a free PDF of this chapter: Chapter 2 —Designing for Performance: What's Your Strategy?
• Read more excerpts and download more sample chapters from our Data Management bookshelf
• To purchase the book or similar titles, visit InformIT

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data warehouse strategy Advantages and disadvantages of XML shredding How to shred XML with the DB2 XMLTABLE function Shredding XML docs into relational tables with annotated XML schemas Examples of single and bulk XML shredding of XML documents Definition of primary, super, foreign and candidate key in the DBMS What are some emerging data warehouse and DBMS trends? Improving ODBC application performance and coding Selecting ODBC functions for optimized SQL statements Guidelines for managing data updates to optimize ODBC performance How to capture metadata information, ETL rules with CA Erwin Data Modeler Database management systems (DBMS) architecture and design Definition of primary, super, foreign and candidate key in the DBMS What is the difference between a logical and physical warehouse design? What are some emerging data warehouse and DBMS trends? Data Warehouse Platforms Product Directory Designing for performance: Strategic database application deployments An introduction to database transaction management Static SQL vs. dynamic SQL for database application performance Executing SQL statements using prepared statements and statement pooling How to get data/database independence with a three-tier architecture How to select an MPP database: DB2 vs. Teradata Enterprise data architecture best practices Advantages and disadvantages of XML shredding How to shred XML with the DB2 XMLTABLE function Shredding XML docs into relational tables with annotated XML schemas Teradata takes a logical approach to data warehousing appliances Examples of single and bulk XML shredding of XML documents What is the difference between a logical and physical warehouse design? What are some emerging data warehouse and DBMS trends? Teradata VP talks data warehouse appliances, reveals cloud and SSD plans Selecting ODBC functions for optimized SQL statements Guidelines for managing data updates to optimize ODBC performance

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data classification  (SearchDataManagement.com) OLAP  (SearchDataManagement.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary