‘Enhanced Encryption and Fine-Grained Authorization for Database Systems

The aim of this research is to enhance fine-grained authorization and encryption so that database systems are equipped with the controls necessary to help enterprises adhere to zero-trust security more effectively. For fine-grained authorization, this thesis has extended database systems with three new concepts: Row permissions, column masks and trusted contexts. Row permissions and column masks provide data-centric security so the security policy cannot be bypassed as with database views, for example. They also coexist in harmony with the rest of the database core tenets so that enterprises are not forced to compromise neither security nor database functionality. Trusted contexts provide applications in multitiered environments with a secure and controlled manner to propagate user identities to the database and therefore enable such applications to delegate the security policy to the database system where it is enforced more effectively. Trusted contexts also protect against application bypass so the application credentials cannot be abused to make database changes outside the scope of the application’s business logic. For encryption, this thesis has introduced a holistic database encryption solution to address the limitations of traditional database encryption methods. It too coexists in harmony with the rest of the database core tenets so that enterprises are not forced to choose between security and performance as with column encryption, for example. Lastly, row permissions, column masks, trusted contexts and holistic database encryption have all been implemented IBM DB2, where they are relied upon by thousands of organizations from around the world to protect critical data and adhere to zero-trust security more effectively

Making Existing Software Quantum Safe: Lessons Learned

In the era of quantum computing, Shor's algorithm running on quantum computers (QCs) can break asymmetric encryption algorithms that classical computers essentially cannot. QCs, with the help of Grover's algorithm, can also speed up the breaking of symmetric encryption algorithms. Though the exact date when QCs will become "dangerous" for practical problems is unknown, the consensus is that this future is near. Thus, one needs to start preparing for the era of quantum advantage and ensure quantum safety proactively. In this paper, we discuss the effect of quantum advantage on the existing software systems and recap our seven-step roadmap, deemed 7E. The roadmap gives developers a structured way to start preparing for the quantum advantage era. We then report the results of a case study, which validates 7E. Our software under study is the IBM Db2 database system, where we upgrade the existing cryptographic schemes to post-quantum cryptography (using Kyber and Dilithium schemes) and report our findings and learned lessons. The outcome of the study shows that the 7E roadmap is effective in helping to plan the evolution of existing software security features towards quantum safety

INTER-NODE RELATIONSHIP LABELING: A FINE-GRAINED XML ACCESS CONTROL IMPLEMENTATION USING GENERIC SECURITY LABELS

Keywords: Authorization-transparent, fine-grained access control, label-based access control, XML relationship labeling. Abstract: Most work on XML access control considers XML nodes as the smallest protection unit. This paper shows the limitation of this approach and introduces an XML access control mechanism that protects inter-node relationships. Our approach provides a finer granularity of access control than the node-based approaches(i.e., more expressive). Moreover, our approach helps achieve the “need-to-know ” security principle and the “choice” privacy principle. This paper also shows how our approach can be implemented using a generic label infrastructure and suggests algorithms to create/check a secure set of labeled relationships in an XML document.