Tuesday, January 16, 2007

Digital Signatures as Passwords

The real plan for the public-key system is to use it in conjunction with the secret-key system. Rather than having a large private key that must be transported from computer to computer, the private key would instead be encrypted using a secret-key system. The user then simply remembers a simple password (like the PIN for his or her ATM card) that is used to decrypt the private key.

Encrypted private keys could then be stored on servers, in smart cards, or on your credit card. Access to a database, for example, would be permitted only by sending a certain code encrypted with your private key. The user authentication program receives the encoded document, decodes it with your public key, and grants access.
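The scheme described above, as an added example in Go (not code from the original article): an Ed25519 signing key is sealed under a key derived from a short password with PBKDF2-HMAC-SHA256 and AES-256-GCM, so the blob can live on a server or card while only the password unlocks it for a login. The blob layout, the 100,000-iteration count and the function names are assumptions of this example, and the login step itself is the standard library's ed25519.Sign on a fresh random code from the server, checked with ed25519.Verify against the stored public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// passwordAEAD derives an AES-256 key from the password with PBKDF2-HMAC-SHA256
// (RFC 8018, one 32-byte block, 100k iterations) and returns AES-GCM keyed with it.
func passwordAEAD(password string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	block, _ := aes.NewCipher(key) // 32-byte key, standard block size: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// SealPrivateKey wraps the signing key under the password so the blob can sit on a
// server or card. Assumed layout: salt(16) || nonce(12) || ciphertext+tag, fresh per seal.
func SealPrivateKey(priv ed25519.PrivateKey, password string) []byte {
	hdr := make([]byte, 28)
	rand.Read(hdr) // crypto/rand: never returns an error since Go 1.24
	nonce := append([]byte(nil), hdr[16:]...) // copy: Seal appends to hdr
	return passwordAEAD(password, hdr[:16]).Seal(hdr, nonce, priv, nil)
}

// OpenPrivateKey recovers the signing key for one login. A wrong password derives a
// different AES key, so the GCM tag check fails and no key is returned.
func OpenPrivateKey(blob []byte, password string) (ed25519.PrivateKey, error) {
	if len(blob) < 28+ed25519.PrivateKeySize+16 { // salt, nonce, key, tag
		return nil, errors.New("sealed key blob too short")
	}
	raw, err := passwordAEAD(password, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
	return ed25519.PrivateKey(raw), err
}
```

Only the sealed blob and the public key need to be stored; the password is never sent anywhere, and a wrong password yields no key to sign with rather than a key that signs wrongly.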

Kerberos

Kerberos is a server of secured user names and passwords. The power of Kerberos is that it provides one centralized security server for all data and resources on the network. Database access, login, resource control, and other security features are centralized on trusted Kerberos servers. Security companies are currently looking to merge Kerberos and Certificate Servers to provide a network-wide secure system. Invented at MIT, Kerberos was named after the three-headed monster that guards the gates of hell in Greek mythology, but in this case it guards the gates of a network.

Kerberos has a function similar to that of a Certificate Server: It serves as a guardian, ensuring that a user is identified and validated. Using tokens and various other technologies, a Kerberos system creates a secure distributed network. Combined with public-key transfer, Kerberos may prove ubiquitous in the deployment of Web security over the next few years.

Vendor-Specific Security

Individual vendors largely determine the security scheme that will be implemented to provide the link between the database and the published HTML page. Following are some of the security components provided by major vendors. Like client/server systems, solutions must be pieced together using multiple vendor products.

Oracle

Oracle Corp. (Redwood Shores, Calif.), while providing SSL and S-HTTP security, is planning on using Java as a basic component of its security model. The company created its Oracle Web Server to work most effectively with Oracle clients such as Oracle Power Browser and solutions created with the Developer/2000 development tools.

Oracle also modified the HTTP protocol to allow a stateful connection to be established between the client and the server. This connection defines a session in which the user is identified by a generated session ID.

These enhancements are present in the Secure Network Server (SNS) included in the Oracle Universal Database. The SNS incorporates support for the Kerberos security standard. Through a Kerberos system, a single login permits access to any Oracle database in an enterprise system. The Java security classes are used by the Oracle development tools to provide complete security integration with the client.

Sybase

Sybase Inc. (Emeryville, Calif.) provides a rather elegant way of protecting data access through the Web. Rather than construct its own custom Web framework, the logon security present in the Web server simply passes through to the database server for authentication, taking advantage of the native security present in the database.

Sybase provides a piece of middleware called Web.sql that is used to interface with the Netscape Web servers. Communication between the Netscape Suitespot servers and the database passes through the API for Web.sql.

Informix

Informix Corp. (Menlo Park, Calif.), like Sybase, currently relies on the logon security present in the Web server. Therefore, any access is specified through traditional ODBC-type login channels, passing the user and password information through the connectivity middleware. Specific drivers called Universal Web Connect are available to integrate Informix database security with both Netscape and Microsoft Web servers.

Microsoft

Microsoft Corp. (Redmond, Wash.) is one of the most active players in the Internet security field because of its pursuit of the twin markets of Intranet deployment and Internet commerce, both of which require extensive security. By taking an active role in the security standards debate, Microsoft hopes to shape policy to its advantage.

With Internet Information Server (IIS), Microsoft has included most of the key security technologies. For user authentication, Microsoft provides its tried-and-true challenge/response mechanism. Traditional login on the Web features the same security present at basic Windows NT login. Unfortunately, only the Microsoft Internet Explorer browser supports this login approach, and Netscape has made no announcements to integrate it into Navigator.

For database access, Microsoft has integrated IIS security with Microsoft SQL Server through the Internet Database Connector. User logins must occur through an HTML login form, but the information may be verified using a SQL Server stored procedure. Look for better integrated security with the release of SQL Server 7.0.

Microsoft is also integrating the Kerberos security architecture into Windows NT Server 5.0. By releasing the server, Microsoft hopes to integrate the Kerberos native to NT Server with public key security. Microsoft already released a Certificate Server API in an attempt to create a Certificate Server standard.

Netscape

Netscape Communications Corp. (Mountain View, Calif.) intends to market its suite of servers as a complete system for security on the Internet. Login occurs first through the browser and then, as in Novell Directory Services, all certification is unified in this model. Therefore, once login to the browser occurs, any resources that are permitted to the user are accessible.

Currently, user authentication occurs by passing information to the data source via middleware. Most companies, including Sybase, Oracle, and Informix, provide the necessary connectors for this process to occur.

Netscape's Certificate Server will be the cornerstone of this secure system. It can generate a key pair (public and private keys) for users and store the public certificate for automated retrieval. Netscape positions its Certificate Server along with SSL/S-HTTP as the primary means of providing security for Web access. The Certificate Server complies with the public standard X.509, SSL, PKCS, and LDAP.

Allaire

A popular piece of database connector middleware software is Cold Fusion by Allaire Corp. (Cambridge, Mass.). Cold Fusion can access any ODBC-standard database for publishing information to the Web. Cold Fusion does not have any built-in security foundation.

Cold Fusion handles user authentication by passing the username and password through the ODBC data source for authentication. Unfortunately, these pieces of private information are sent across the network in the clear. Therefore, for true security, make sure that this information transfer occurs only under an SSL-encrypted session, or only where security is not crucial.

Consider All the Angles

Making your data secure for broadcast over the Internet or Intranet is no easy task. The best way to evaluate your security needs is to weigh the disadvantages of unauthorized users seeing your data. The more privacy your data requires, the more security you should have in place. Security is often far easier to implement than to maintain. Make sure that the necessary processes in your organization keep your system current. Security is often neglected or bypassed by day-to-day users for convenience. By the time loss of data or security breaches have been discovered, much damage may have already been done. Database and Web server vendors are constantly upgrading their systems, so staying current on the particular architectures is a must. For general security information available on the Web, the best place to begin your search is with the National Computer Security Association
http://www.governmentsecurity.org/articles/DatabaseSecurityPart1.php