WO2005067394A2 - Improving security of the ODBC/OLEDB/JDBC driver interface - Google Patents

Improving security of the ODBC/OLEDB/JDBC driver interface

Info

Publication number
WO2005067394A2
Authority
WO
WIPO (PCT)
Prior art keywords
server
client
control packet
dsn
odbc
Prior art date
Application number
PCT/IN2004/000244
Other languages
English (en)
Other versions
WO2005067394A3 (fr)
Inventor
Vinayak K. Rao
Original Assignee
Vaman Technologies (R & D) Limited
Application filed by Vaman Technologies (R & D) Limited

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • the security is dependent on the Operating system (OS) user authentication (trusted connections created by the network administrator) or on the native database security and user schemas, which may be independent of the OS user details and are created and managed by the database administrator (DBA)
  • OS Operating system
  • DBA database administrator
  • every system is at risk to some degree; DBAs and developers who work with the Database Server can improve their systems' security by understanding the ramifications of the authentication mode they choose
  • SQL Server 2000 and 7.0 provide two authentication modes: SQL Server and Windows authentication (also called mixed authentication), and Windows integrated authentication. Mixed authentication lets applications connect to SQL Server by using accounts and passwords stored in SQL Server tables or in a Windows domain or local machine
  • mixed authentication is easy to use, but it lacks account-lockout capabilities and can expose your systems to attack through SQL Server's vulnerable and often mismanaged system administrator (sa) account. Windows authentication, which requires one to use a Windows account for all database connectivity, provides a mechanism for account lockout and eliminates the security risks associated with the sa account
  • the other problem is that the current drivers do not support dialing to a Remote Access Service (RAS) server directly. The driver expects an already established connection to ride with the database connection (which is generally done through a dial-up networking interface)
  • RAS Remote Access Service
  • the present invention provides a system and method to enhance security
  • the preferred embodiment of the present invention also extends to various Server networking requirements.
  • the present invention can be used as a software licensing and monitoring tool to extend ODBC features to monitor software license management without any hardware locks and dongles such as CPUID, etc. It serves to secure the developer's design effort and prevents unauthorized data access for the end user.
  • the present invention enables carrying out of the said enhanced security using the modified connection string.
  • the DSN parameters are parsed during the first connection attempt itself for analysis of extended arguments.
  • the licensing policy of the server, as per the user's purchase schema, dictates the security levels, encryption algorithm, authentication keys, encryption key size, etc.
  • the Server name is resolved from the DSN string.
  • the control packet is transmitted to authenticate the existence of the Server and accordingly fetches license details.
  • the client uses the licensing parameters to validate the user identity, password, encryption string.
  • the SQLConnect (or equivalent) is fired and proceeded.
  • the present invention also provides a system and method in which the driver supports dialing from a RAS interface.
  • FSM Finite State Machine
  • Fig 1 is a diagram depicting the Basic Database Driver Mechanism
  • Fig 2 is a flow diagram illustrating the Development phase on the client
  • Fig 3 is a flow diagram illustrating the Development phase on the Serverside
  • Fig 4 is a flow diagram illustrating the Execution phase on the Serverside
  • Fig 5 is an example illustrating the working of the preferred embodiment of the current invention
  • Fig 6 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 7 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 8 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 9 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 10 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 11 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 12 illustrates the working / configuration of the invention during setup using the screen shot
  • Fig 1 shows the Basic Database Driver mechanism including the Database client 100 and the Database Server 105
  • the Client front-end application talks to either the ODBC / OLEDB / JDBC layer
  • This ODBC / OLEDB / JDBC layer 115 communicates with the Driver Manager 120
  • This Driver Manager 120 communicates with the Desktop Operating System 125
  • This Desktop Operating System 125 uses the Network Hardware and the Network Transport Layer 130 to communicate to the Database Server 105
  • the Multiuser Operating System 135 inter communicates with the Database Server 140
  • the current DSN information consists of parameters such as the Server name, Provider, User Identity and Password etc.
  • the current application proposes enhancements in these parameters to accommodate more network-protocol-specific and security parameters, so that the developer is assured of the security of his application design and the end user of the security of the data generated by the application business logic. Since any existing RDBMS parses these parameters from the drivers and takes only the information it needs, any additional parameter stated does not crash the application or generate application errors
  • the current application proposes an encrypted argument (basically an acronym for encrypt, in the way UID stands for User Identity), which by default is assumed disabled, but the application developer can use encrypted arguments and flag this option as true
  • the client and server communication depends on the license file residing on the server and configured as per the user's purchase licensing policy. This file dictates the security level, default encryption algorithm, authentication key(s) and encryption size (64, 128, 1024, etc.)
  • Fig 2 is a flowchart depicting the Development phase on the Client
  • the isolation of the server name from the specified arguments 200 is carried out. After the Server Name is isolated 200, the system proceeds to prepare a control packet with the client hardware information 205 (typically Ethernet address, hard disk serial number or CPUID, whichever is supported and required by the server later on). After the control packet is prepared 205, the database configuration setting (created during the deployment phase of the product, during client installation of the database product) is read and the configured protocols are used to establish a server connection 210. Thereafter the control packet is transmitted to get security details 215 and the system awaits server acknowledgement 220. As soon as a response is acknowledged 220, the received packet is decrypted as per the client hardware information 225
  • if a response from the server is not obtained within a predefined time, the system checks for connection timeout 230. If the connection timeout 230 has not expired, the system continues to wait for the timeout to occur 240. If the timeout has occurred 230, the system triggers an error of server unavailability upon timeout expiry 235; otherwise, upon receipt of the data packet, the data is decrypted as per the client hardware information 225 and the system proceeds to acknowledge the encryption algorithm and algorithm key(s) 245. After acknowledging the encryption algorithm and algorithm key(s) 245, the system uses the algorithm to encrypt the User Identity (UID) and password (PWD) 250. After the UID and PWD have been encrypted 250, the developer can proceed to use these encrypted keys as DSN arguments 255
  • Fig 3 is a flow diagram depicting the Server Side flow during the application development phase
  • after the Server gets the client request for security details 300, it proceeds to analyze the request packet details and use specific client hardware information as the encryption key 310. The system then proceeds to read the Server licensing information and configured security policy 320. Thereafter the security details are transmitted in encrypted packets 330 and the system waits for client acknowledgement 340
  • the use of the client hardware information as keys for encryption guarantees that the same request by various clients has various encrypted data packets and delays any anti debugging activities using packet sniffers
  • Fig 4 is a flow diagram depicting the Server-side flow during the application execution.
  • the isolation of the arguments from the DSN parameters as specified in the "SQLConnect" command in ODBC (or the corresponding first-connection call adopted by OLEDB or JDBC) is carried out 400.
  • the system checks whether the encryption tag is a part of the DSN parameters 405. In the event that the encryption tag is not part of the DSN parameters 405, the system proceeds with the normal connection process flow 410. A successful connection 415 is reported upon successful parameter authentication.
  • the verification of the encryption levels and the standards specified is carried out 420. After this verification 420, the system uses the server-configured licensing and security policy to decrypt the UID and PWD details 425. After decryption 425, the validity of the UID and PWD is checked 430 against the database schema details, and any unsuccessful authentication triggers connection failure 435.
  • Fig 5 is an example illustrating the working of the preferred embodiment of the current invention
  • the Server 1 and the numerous applications residing on these different clients communicate using various communication mechanisms
  • various client applications such as Application 1 510 uses ODBC 520 as the connection mechanism to connect to the Server 1 500 using the driver of this invention
  • Application 2 530 connects using the OLEDB 540 mechanism to connect and communicate with the Server 1 500
  • Application 3 550 connects using the JDBC 560 mechanism to connect to the Server 1 500
  • the Server NLS (National Language Support) settings such as Date, Time, Currency, etc. can all be synchronized as per the client's needs without resetting the Server or the client.
  • the Server responds as per the requesting client's format and data pattern
  • Fig 6 is an example of the preferred embodiment of the current invention.
  • This figure illustrates the server and the clients using various connection mechanisms to connect the application
  • the figure is a screenshot of the first step used for creation of a new Data Source in the preferred embodiment of the present invention
  • the user is required to create an ODBC Data Source to connect to the database server
  • the ODBC configuration utility automatically senses currently live active servers and populates the server selection combobox
  • the user specifies a name to the DSN connection 600 and description implies application usability 610
  • the description string 610 is optional and may not necessarily be defined by the user which is assumed as NULL string in absence of valid argument
  • the current ODBC implementation allows user to define and choose a RAS server, which is selected by clicking the Remote Server Configuration button 630
  • the Remote Server Configuration button 630, as shown in the screenshot, allows the client to connect to the server via a RAS device such as a modem bound with the requisite protocols. This happens typically by default when the configuration manager senses RAS support available and is unable
  • Fig 7 is a screenshot, which pops up when the user clicks on the Remote Server Configuration button of the previous screen
  • a separate form provides textbox interfaces for phone number 700, the extension 710, the RAS (Remote Access Service) UserID 720 and password 730. If the proposed server implementation supports multiple database instances for a single server instance, this option allows the user to choose any database from the active server instance running on the server machine specified. After the user confirms his selection, he presses the "OK" button 740 to continue with the next step. The "Cancel" button 750 can be used at appropriate times
  • Fig 8 is the next step, where DSN arguments like UID and password are specified by the application developer.
  • the user is required to choose the Server Authentication: either Operating System based Authentication 800 or connection using the Server's Login ID and password 810
  • the appropriate values of Login ID 820 and the Password 830 need to be entered
  • the server verifies these arguments against the user schema details in the selected database. Any invalid or unspecified user or password halts further completion of the DSN process
  • the form provides option for configuring the client connectivity protocol using the Client "Configuration" button 860
  • the "Back" 870, "Next" 880, "Close" 890 and "Help" 895 buttons are provided. When the user clicks on the "Next" button 880, the next form pops up
  • the developer typically uses this in the development phase rather than the deployment cycle. This form is an intuitive interface for generating encrypted keys, which the developer embeds in the application code to manage DSN-less connectivity
  • Fig 9 is a screenshot that pops up once the user clicks on the Encryption Authentication of the previous form
  • the Encryption form pops up, where the user's Login ID 900 along with the Encrypted Login ID 910, Password 920 and the Encrypted Password 930 are displayed
  • Fig 10 is the form that pops up when the "Client Configuration" button is clicked
  • the wizard requests for selecting preferred communication protocol between server and database clients using the Network Libraries 1000 such as Named Pipe 1005, NWLink IPX/SPX 1010, TCP/IP 1015, Bequeath 1020 and FTP 1025
  • the choice of these network protocols depends upon the underlying hardware, the OS deployed and the bound protocols available with the hardware configured
  • the driver option allows specifying a Service Name 1030 or a Network address 1035 including the details such as IP Address 1045, Port Address 1050 and the network address 1055 which can later be resolved by the DNS server
  • a Service Name 1035 can also be used to bind a client - server driver communication mechanism
  • the "Ok" button 1060 is clicked to proceed to the next form. Besides, at any time the "Cancel" button can be used to exit the wizard
  • Fig 11 is the next part of the DSN User Interface, which allows basic data interpretation options between server and ODBC data buffer As per the user's rights
  • Fig 12 is the last form that appears and displays the parameters of the ODBC data source, which are Buffer Size, Compat Level, Computer, Conn Timeout, Database, etc.
  • the list will be populated with the user-specified DSN options, or with defaults in case the user has skipped a few
  • the "Test Connectivity" button 1210 verifies whether the options selected and accepted by the server communicate well. In case the connectivity fails, the user needs to reconfigure options to suit the server / database / schema / protocols etc. to ensure seamless client-server connectivity
  • the "Finish" button 1220 option saves these DSN arguments in the OS registry, where they are used for future retrievals during DSN modifications
  • the "Cancel" button 1230 is used to cancel the process at any time
  • the "Help" button 1240 is used to find help, as the name suggests
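
The server-side execution flow of Fig 4 (steps 400 to 435) described above, as an added example that is not code from the patent or its authors. The `ENCRYPT` keyword, the policy and schema layouts, and the HMAC-SHA256 keystream cipher are assumptions standing in for details the page leaves to the server's licence file.

```python
import hashlib
import hmac
import os

ENC_TAG = "ENCRYPT"  # assumed keyword; the page gives no concrete spelling

def parse_conn_string(conn_str):
    """Step 400: 'KEY=value;...' to dict; {braced} values may hold ';'."""
    args, i, n = {}, 0, len(conn_str)
    while i < n:
        eq = conn_str.find("=", i)
        if eq == -1:
            break
        key = conn_str[i:eq].strip(" ;").upper()
        i = eq + 1
        if i < n and conn_str[i] == "{":
            end = conn_str.find("}", i)
            if end == -1:
                raise ValueError("unterminated braced value")
            value, i = conn_str[i + 1:end], end + 1
        else:
            end = conn_str.find(";", i)
            end = n if end == -1 else end
            value, i = conn_str[i:end].strip(), end
        args[key] = value  # unknown keywords are kept, not rejected
        i += 1  # step over the ';' separator
    return args

def _keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode, XORed with the data.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_arg(key, text):
    # Development phase: produce the hex value the developer embeds in the DSN.
    nonce, data = os.urandom(8), text.encode()
    return (nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))).hex()

def decrypt_arg(key, hex_value):
    raw = bytes.fromhex(hex_value)  # malformed hex raises ValueError
    nonce, body = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def hash_pwd(pwd, salt):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000)

def server_connect(conn_str, policy, schema):
    """Fig 4 flow, steps 400 to 435. Returns 'connected' or 'connection failed'."""
    try:
        args = parse_conn_string(conn_str)                     # 400
        uid, pwd = args.get("UID", ""), args.get("PWD", "")
        if args.get(ENC_TAG, "").upper() == "TRUE":            # 405: tag present
            if not policy.get("encryption_allowed"):           # 420: policy check
                return "connection failed"
            uid = decrypt_arg(policy["key"], uid)              # 425
            pwd = decrypt_arg(policy["key"], pwd)
    except ValueError:  # bad braces, bad hex, or undecodable plaintext
        return "connection failed"                             # 435
    salt, stored = schema.get(uid, (b"", b""))                 # 430
    if stored and hmac.compare_digest(stored, hash_pwd(pwd, salt)):
        return "connected"                                     # 415
    return "connection failed"                                 # 435

# Constructed sample data, not taken from the page.
POLICY = {"encryption_allowed": True, "key": hashlib.sha256(b"constructed licence key").digest()}
SCHEMA = {"alice": (b"constructed-salt", hash_pwd("s3cret;pw", b"constructed-salt"))}

def demo():
    plain = "SERVER=srv1;UID=alice;PWD={s3cret;pw}"
    enc = "SERVER=srv1;%s=TRUE;UID=%s;PWD=%s" % (
        ENC_TAG, encrypt_arg(POLICY["key"], "alice"), encrypt_arg(POLICY["key"], "s3cret;pw"))
    return server_connect(plain, POLICY, SCHEMA), server_connect(enc, POLICY, SCHEMA)
```

In this example the server accepts the same ciphertext on every connection, so the encrypted UID and PWD values embedded in application code are themselves reusable credentials and need the same protection as the plaintext.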

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Medicines Containing Material From Animals Or Micro-Organisms (AREA)
  • Acyclic And Carbocyclic Compounds In Medicinal Compositions (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the field of ODBC/OLEDB/JDBC-compliant client databases. More particularly, the invention relates to improving the security of client databases over various connection-method topologies, and to enhancing them so as to extend the current features of ODBC/OLEDB/JDBC drivers across various protocol-specific server requirements in terms of data security and connectivity.
PCT/IN2004/000244 2003-08-14 2004-08-13 Improving security of the ODBC/OLEDB/JDBC driver interface WO2005067394A2 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN811MU2003 2003-08-14
IN811/MUM/2003 2003-08-14

Publications (2)

Publication Number Publication Date
WO2005067394A2 true WO2005067394A2 (fr) 2005-07-28
WO2005067394A3 WO2005067394A3 (fr) 2005-10-20

Family

ID=34779402

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IN2004/000244 WO2005067394A2 (fr) 2003-08-14 2004-08-13 Improving security of the ODBC/OLEDB/JDBC driver interface

Country Status (1)

Country Link
WO (1) WO2005067394A2 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8284944B2 (en) 2008-03-13 2012-10-09 International Business Machines Corporation Unified and persistent system and method for automatic configuration of encryption
US8302154B2 (en) 2007-11-10 2012-10-30 International Business Machines Corporation Automatic and adjustable system and method for synchronizing security mechanisms in database drivers with database servers

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002061550A2 (fr) * 2001-02-01 2002-08-08 3M Innovative Properties Company Method and system for securing a computer network, and personal identification device used in that system to control access to network components
WO2002091195A1 (fr) * 2001-05-07 2002-11-14 Science Park Corporation Computer interface driver program
US20030140131A1 (en) * 2002-01-22 2003-07-24 Lucent Technologies Inc. Dynamic virtual private network system and methods
US6694359B1 (en) * 1991-08-21 2004-02-17 Unova, Inc. Data collection and dissemination system

Also Published As

Publication number Publication date
WO2005067394A3 (fr) 2005-10-20

Similar Documents

Publication Publication Date Title
US10693916B2 (en) Restrictions on use of a key
US6453353B1 (en) Role-based navigation of information resources
US6922695B2 (en) System and method for dynamically securing dynamic-multi-sourced persisted EJBS
US6182142B1 (en) Distributed access management of information resources
US8555273B1 (en) Network for updating electronic devices
KR101720160B1 (ko) 인간의 개입이 없는 어플리케이션들을 위한 인증 데이터베이스 커넥티비티
US20080301443A1 (en) Mobility device platform
US20130124695A1 (en) Mobility Device Method
US20080244265A1 (en) Mobility device management server
WO2004023345A1 (fr) System and method for dynamic correlation of dynamic multi-source persistent Enterprise JavaBeans
WO2004023297A1 (fr) System and method for dynamically securing dynamic multi-source persistent Enterprise JavaBeans
WO2005067394A2 (fr) Improving security of the ODBC/OLEDB/JDBC driver interface
Elrom et al. MERN Stack: Part II
Servlets et al. Java Servlets
Meeson et al. Analysis of Secure Wrapping Technologies
Alonso et al. Oracle Secure Enterprise Search Administrator’s Guide, 10g Release 1 (10.1. 6) B19002-02
Files 3 OS and J2SE versions compatible with Pramati Server 3.5
Balthes et al. Oracle Secure Enterprise Search Administrator's Guide, 10g Release 1 (10.1. 8) B32259-01
Dorninger Securing Remote Data Stores
Young et al. Oracle® Retail Price Management Installation Guide, Release 13.2. 5

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

122 Ep: pct application non-entry in european phase