Security For GIS N-Tier Architecture: Mgovorov@usp - Ac.fj
Abstract
Security is an important topic in Information Systems and their
applications, especially within the Internet environment. The security of
geospatial data is a relatively unexplored topic in Geographical
Information Systems (GIS). This paper analyzes security solutions for
Geographical Information Storage Systems (GISS) within an n-tier GIS
architecture. The first section outlines the application of the main
categories of database security to the management of spatial data. These
categories are then analyzed from the point of view of their application within
GIS. A File System within Database (FSDB) with traditional and new encryption algorithms is proposed as a new GISS solution.
An FSDB provides safer and more secure storage for spatial files and supports the centralized authentication and access control mechanism of a legacy
DBMS. Cryptographic solutions, a topic of central importance to many
aspects of network security, are discussed in detail. This part of the paper
describes the implementation of several traditional and new symmetric, fast and nonlinear
encryption algorithms with fixed and flexible key sizes.
The purpose of this article is to analyze security solutions for spatial
data management within a GIS n-tier architecture. This section outlines a
feasible GIS n-tier architecture and the role of the GISS in storing GIS spatial data.
The feasible GIS n-tier architecture is shown in Fig. 1.
GIS functionality, data, and metadata can be assigned to various tiers
(sometimes called layers) along a network and can be found on the server
If the subsystems of an n-tier architecture have different security infrastructures, they may need to convey authorization information dynamically by
propagating it along with an identity. The GIS Application Server can dynamically update users and roles by leveraging an external, centralized security
database or service via an LDAP server.
Access control within a spatial database is usually enforced by determining whether a specific user may access a specific table or file, not by controlling access to specific data within that table or file. Finer-grained control becomes
interesting when only a certain level of a multi-detailed representation of
spatial features in a multi-scale spatial database should be accessible. If there is a need to enforce entity-level access control for data within tables, one has to rely on
database views, or program the access logic into stored procedures or applications. If the access logic is programmed into applications, those applications must be rewritten whenever the security policy changes.
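As an added illustration of the view-based approach (example code, not from the paper), the following Oracle SQL restricts each account to the levels of detail it is entitled to in a multi-scale feature table; the table, column and role names are assumed.

```sql
-- Added example: entity-level access control for a multi-scale spatial
-- table, kept in the database as a view instead of in each GIS application.
-- All object names below are assumed for illustration.
CREATE TABLE road_features (
    feature_id    NUMBER         PRIMARY KEY,
    detail_level  NUMBER(2)      NOT NULL,   -- 1 = coarsest, higher = finer
    geom          BLOB,                      -- spatial payload (format not assumed)
    attributes    VARCHAR2(4000)
);

-- One row per account: the finest detail level that account may see.
CREATE TABLE user_detail_policy (
    username      VARCHAR2(30)   PRIMARY KEY,
    max_level     NUMBER(2)      NOT NULL
);

-- USER is Oracle's pseudo-column for the session's authenticated name, so
-- the filter follows the centralized authentication the DBMS already does.
-- An account with no policy row gets an empty result (NULL comparison),
-- which is the safe default.
CREATE OR REPLACE VIEW road_features_v AS
SELECT f.feature_id, f.detail_level, f.geom, f.attributes
  FROM road_features f
 WHERE f.detail_level <= (SELECT p.max_level
                            FROM user_detail_policy p
                           WHERE p.username = USER);

-- Grant the view, never the base table: clients cannot bypass the filter,
-- and a policy change is an UPDATE on user_detail_policy, not a rewrite.
GRANT SELECT ON road_features_v TO gis_client_role;
```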
Another important feature of GIS n-tier architecture security is the protection of the confidentiality of GIS data and services in exchanges between clients,
the middle tier and the back-end tier, and in spatial storage. Encryption is the
standard mechanism for this and can be used within a GIS n-tier
architecture for several distinct purposes of protection.
The first purpose is encryption of a user's identity for authentication and authorization services. In the typical case this relies on
transport layer security via the SSL protocol, which also provides data
integrity and strong authentication of both clients and servers. Second, encryption can be used to protect spatial data in transit; the next section of the article gives an overview of this aspect. Third, cryptography can be used to encrypt sensitive data stored on the DSS, including
caches.
Negative results are obtained only for processing small files using the
Oracle Buffer Cache. All other results show a difference of about 1-2 seconds
when processing data files of up to 100 MB with IFS storage
as compared to the native OS file system.
A comparison of the spatial data file sizes with the
amount of space they take up on NTFS and IFS drives shows that the
Oracle IFS tablespace is increased in size by only about 12%. That difference can be reduced by changing the database storage parameters for IFS.
The results of the IFS performance investigation show that this approach is
acceptable for data processing within a GISS. With this approach to spatial
file storage, the following authentication and authorization levels can be
used to secure spatial data files: the OS level (share permissions and folder
permissions) and the IFS level. Permissions remain the same regardless of the
protocol (e.g. HTTP, FTP, SMB) used to access content stored in the
IFS repository.
3.2 Conventional Encryption for GIS Data Protection in Storage
It is noteworthy that an IFS within a DBMS is capable of providing
sufficient security for spatial files. If necessary, encryption can be employed to provide additional protection for confidential and sensitive GIS information. Oracle Advanced Security in Oracle 9iAS supports industry-standard
encryption algorithms, including RSA's RC4, DES and 3DES, and
can be used for spatial data encryption [6]. Custom external encryption algorithms can be integrated into that security schema as well.
Data encryption can significantly degrade system performance and
application response time. For performance testing, the Oracle 9i
DBMS_OBFUSCATION_TOOLKIT was investigated (see Figure 4). Different key lengths give different timings: for example, the time difference between 16- and 24-byte keys is about 10-20%, but the difference between 24- and
32-byte keys is only about 5%. The average speed of 3DES encryption is about
2.5 s per megabyte, or about 1 hour to encrypt or decrypt 1 GB of spatial
data on a workstation (1.6 GHz Intel processor running a Windows OS). Using
special multiprocessor UNIX servers, encryption/decryption time can be reduced to 10-20 minutes, or in the best case to several minutes, which is applicable in a real environment where decryption/encryption of spatial data
should be performed once per session. To keep encrypted GIS data files
in the IFS, Oracle's standard encryption and newly developed encryption algorithms were analyzed and investigated for performance.
To provide encryption or decryption of sensitive application data, decryption procedures can be activated by database triggers for authenticated
users (at login). At logoff, the user again fires a trigger, which should
execute a procedure to encrypt all modified files, or to replace the decrypted files in the IFS LOB objects with the already-encrypted copies held in
temporary storage. If the connection to the database is lost
by accident, changes to files should be committed or rolled back by the DBMS
and the modified data encrypted back into the permanent LOB objects. Decryption and encryption of spatial data files will slow down user interaction
with the system. These delays occur on two occasions: when the user
logs in and logs out, or when there is a session failure.
3.2.1 New Encryption Algorithm for GIS Data Protection in Storage
Special approaches were developed for using encryption on large files in
Oracle. To encrypt LOB data objects, the procedure splits the data into
smaller binary chunks, then encrypts them and appends them back to the LOB object.
Once the encrypted spatial data files have been allocated to LOB
segments, they can be decrypted chunk by chunk and written back to the BLOB object. For read-only spatial data files, an additional LOB object, encrypted once, should always be kept; this saves time in the encryption procedure
during logoff. The decrypted spatial data files are simply replaced by the
read-only encrypted spatial data files in the main permanent storage during
logoff.
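The chunked LOB encryption described above, written out as an added PL/SQL example (not the paper's own code) with the Oracle 9i DBMS_OBFUSCATION_TOOLKIT the paper tested; the procedure name, parameter names and the 16-byte two-key 3DES key are assumptions, and on Oracle 10g and later the same loop would call DBMS_CRYPTO instead, since the toolkit was superseded there.

```sql
-- Added example: encrypt a BLOB chunk by chunk and append the ciphertext
-- to a second LOB, as Section 3.2.1 describes. Names are assumed.
CREATE OR REPLACE PROCEDURE encrypt_lob_chunked (
    p_src  IN     BLOB,   -- plaintext spatial file read from the IFS LOB
    p_key  IN     RAW,    -- 16-byte key: two-key 3DES, the toolkit's default mode
    p_dst  IN OUT BLOB    -- initialised, writable LOB that receives the ciphertext
) IS
    -- 32760 is the largest multiple of 8 that fits a RAW(32767) buffer, so
    -- every full chunk is already block-aligned for 3DES.
    c_chunk  CONSTANT INTEGER := 32760;
    l_len    INTEGER := DBMS_LOB.GETLENGTH(p_src);
    l_offset INTEGER := 1;
    l_amount INTEGER;
    l_pad    INTEGER;
    l_buf    RAW(32767);
    l_enc    RAW(32767);
BEGIN
    WHILE l_offset <= l_len LOOP
        l_amount := LEAST(c_chunk, l_len - l_offset + 1);
        DBMS_LOB.READ(p_src, l_amount, l_offset, l_buf);
        -- Only the final chunk can be shorter than a multiple of 8 bytes;
        -- zero-pad it. The caller must store the plaintext length next to
        -- the ciphertext so the decrypting procedure can drop the padding.
        l_pad := MOD(8 - MOD(l_amount, 8), 8);
        IF l_pad > 0 THEN
            l_buf := UTL_RAW.CONCAT(l_buf, UTL_RAW.COPIES(HEXTORAW('00'), l_pad));
        END IF;
        l_enc := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(input => l_buf, key => p_key);
        DBMS_LOB.WRITEAPPEND(p_dst, UTL_RAW.LENGTH(l_enc), l_enc);
        l_offset := l_offset + l_amount;
    END LOOP;
END encrypt_lob_chunked;
/
```

Decryption mirrors this loop with DES3Decrypt and truncates to the stored plaintext length; because each chunk is encrypted independently under the same key, equal chunks yield equal ciphertext, which a distinct initialisation vector per chunk (supported by DBMS_CRYPTO) avoids.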
The algorithm for binary and text file encryption proposed by V. Ustymenko [13], which is more robust
than DES and 3DES, has strong resistance to attacks in which the adversary has the image data and the ciphertext.
This algorithm can be applied to encrypt spatial raster and vector data
types, which are commonly used in GIS.
The encryption algorithm is based on a combinatorial algorithm of
walking on a graph of high girth. The general idea is to treat the vertices of a
graph as messages and arcs of a certain length as encryption tools. The encryption algorithm has linear complexity and uses a nonlinear function
for encryption, so it resists different types of attack by an adversary. The
quality of such an encryption in the case of graphs of high girth is judged by comparing the probability of guessing the message
(vertex) at random with the probability of breaking the key, i.e. of guessing the
encoding arc; by this measure the quality is good. In fact the quality is good for graphs that are close
to the Erdős bound, defined by the Even Cycle Theorem [2, 3]. In the case
of algebraically defined graphs with special colourings of vertices there is a
uniform way to match arcs with strings in some alphabet. Among them can
be found ''linguistic graphs'' whose vertices (messages) and arcs (encoding
tools) can both be naturally identified with vectors over GF(q), with the
neighbours of a vertex defined by a system of linear equations. The encryption algorithm is a private-key cryptosystem, which uses a password to
encrypt the plaintext and produces a ciphertext.
The prototype model that was developed allows the resistance of the algorithm to attacks of different types to be tested. The initial results from such tests are
encouraging.
For p = 127 (the size of the ASCII alphabet minus the delete character),
some values of t(k,l) [the time needed to encrypt (or, by symmetry, decrypt) a file of size k kilobytes with a password of length l (key
space roughly 27^l)], measured on an Intel Pentium 1.6 GHz
workstation (Oracle 9i DBMS server, PL/SQL programming language),
are given in the matrix shown in Table 1.
Our results presented in Table 1 indicate that the encryption/decryption
time is linearly correlated with file size. Roughly, it takes about 60 seconds to encrypt a 51 KB file with a 16-byte password using
PL/SQL functions, and about 17 minutes for 1 MB. If a more powerful 2-4
processor workstation and C++ or macro assembler are used to rewrite the encryption/decryption functions, the encryption
time will be decreased further by several dozen times; for example, for a 100 MB file
the encryption/decryption time can reach 20-30 minutes, which is usable
for a practical implementation. Taking into consideration that 10-20
processor systems are a practical industrial server solution (expected to be
common in the near future), GISS encryption/decryption time can be reduced
to less than 5 minutes.
Table 1. Processing time t(k,l) for encryption/decryption by the New Algorithm as
compared with RC4 (rows: file size k in KB; columns: password length l in bytes)

New Algorithm (s)
Kb/L       48     40     32     24     16
7.6        26     22     17     14      9
51.5      179    149    119     90     60
96.6      335    279    223    169    112
305.0    1061    883    706    529    353
397.0    1379   1145    913    685    458

RC4 (s)
Kb/L       48     40     32
7.6         1      1      1
51.5        8      8      8
96.6       14     15     15
305.0      45     47     24
397.0      59     62     31

Difference (times)
Kb/L       48     40     32
7.6        26     22     17
51.5     22.4   18.6   14.9
96.6     23.9   18.6   14.9
305.0    23.6   18.8   14.9
397.0    23.4   18.5   14.9
Currently, optimization of the program code and of the encryption algorithm is under investigation by the authors and will be the subject of our future publications.
4 Conclusion
N-tier architectures and Web Services are making the application layer
more complex and fragmented. The solution for protection lies in applying a security framework to all subsystems and components of the n-tier
system. This framework has to comply with the industry security requirements of the major application development models.
GIS data management and Mapping Services are primary considerations
when developing GIS n-tier architectures. There are several reasons for
supporting n-tier architectures for spatial applications; the major ones include providing user access to data resources and GIS services through the
Web while at the same time providing better protection of data and services.
A framework of standard security mechanisms can be used to improve security at critical points of the spatial information flows within the GIS Application Server. Security solutions for distributed GIS systems can be approached in ways similar to e-commerce applications, but they can be specific
to spatial data security management as it relates to spatial data types, the large
size of binary files and presentation logic.
Often, file servers are used to store GIS data. A file system within a database instance provides safer and more secure storage for spatial files under the
centralized authentication and access control mechanism of a legacy DBMS.
By using additional encryption, an FSDB is able to guarantee that access
control is enforced in a consistent manner, regardless of which protocol or
tool is used to access the repository. Our encryption model would
provide a secure working environment for GIS clients to store and to transfer spatial data over the network. For this purpose we utilize existing and
new fast nonlinear encryption algorithms with flexible key sizes
based on the graph-theoretical approach.
References
[1]
[2]
[3]
[4]
[7] iWrapper software (2002) eSpatial, http://www.espatial.com/products/iwrapper.htm
[8] New name: The Oracle Content Management SDK (2003)
http://otn.oracle.com/products/ifs/content.html
[9] OpenGIS Web Map Server Interface Implementation Specification, Revision
1.0.0 (2000) OpenGIS Project Document 00-028
[10] Security and ArcIMS (2001) An ESRI White Paper
[11] Security and the Oracle Internet File System, Oracle Internet File System
(2000) Technical White Paper
[12] System Design Strategies, (2003) An ESRI White Paper
[13] Ustimenko V (2002) Graphs with special arcs and Cryptography, Acta
Applicandae Mathematicae, 74, pp 117-153
[14] Web Services Security: SOAP Message Security 1.0 (2004) OASIS, WS-Security, http://www.oasis-open.org/committees/documents.php
[15] WebLogic Security Framework: Working with Your Security Eco-System
(2003) BEA, White Paper
[16] WebSphere (2003) Web Services Handbook, IBM, Version 5