Scribd
Upload
37 views

Database System Security Workbook

Uploaded by

prudhviponnuru
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
37 views

Database System Security Workbook

Uploaded by

prudhviponnuru
Copyright
© © All Rights Reserved
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 139

K L UNIVERSITY | DATABASE & SYSTEMS SECURITY 21CS3260R

21CS3260R DATABASE & SYSTEMS SECURITY

STUDENT NAME
REG. NO
YEAR
SEMESTER
SECTION
FACULTY

LABORATORY WORKBOOK

4
21CS3260R DATABASE & SYSTEMS SECURITY

Table of Contents

1. Fundamentals of Database Security.................................6

2. Backing up, recovering and restoring database..............14

3. Triggers for Database Security 1....................................24

4. Triggers for Database Security 2....................................35

5. Digital Signature Generation..........................................47

6. Hashing in Oracle...........................................................54

7. Validate using Hashing...................................................64

8. Hashing Data in Transit..................................................76

9. Validation of hashes of Data in Transit...........................84

10. Encrypting Data in Transit............................................91

11. Validating Data after Encryption................................101

12. Hashing Data in Transit 2...........................................115

4
21CS3260R DATABASE & SYSTEMS SECURITY

Organization of the STUDENT LAB WORKBOOK

The laboratory framework includes a creative element but shifts the time-intensive
aspects outside of the Two-Hourclosed laboratory period. Within this structure, each
laboratory includes three parts: Prelab, In-lab, and Post-lab.
a. Pre-Lab
The Prelab exercise is a homework assignment that links the lecture with the
laboratory period - typically takes 2 hours to complete. The goal is to synthesize the
information they learn in lecture with material from their textbook to produce a
working piece of software. Prelab Students attending a two-hour closed laboratory
are expected to make a good-faith effort to complete the Prelab exercise before
coming to the lab. Their work need not be perfect, but their effort must be real
(roughly 80 percent correct).
b. In-Lab
The In-lab section takes place during the actual laboratory period. The First hour of
the laboratory period can be used to resolve any problems the students might have
experienced in completing the Prelab exercises. The intent is to give constructive
feedback so that students leave the lab with working Prelab software - a significant
accomplishment on their part. During the second hour, students complete the In-lab
exercise to reinforce the concepts learned in the Prelab. Students leave the lab
having received feedback on their Prelab and In-lab work.
c. Post-Lab
The last phase of each laboratory is a homework assignment that is done following
the laboratory period. In the Post-lab, students analyse the efficiency or utility of a
given system call. Each Post-lab exercise should take roughly 120 minutes to
complete.

4
21CS3260R DATABASE & SYSTEMS SECURITY

2023-24 EVEN SEMESTER LAB CONTINUOUS EVALUATION


Pre- In-Lab Post Faculty
Viva Voce Total
Lab Lab Signatur
LOGIC EXECUTION RESULT ANALYSIS (5M) (50M)
(5M) (10M) (10M) (10M) (5M) (5M) e

4
21CS3260R DATABASE & SYSTEMS SECURITY

Sl (50M Signatur
Date Experiment Name (5M) (5M)
No LOGIC EXECUTION RESULT ANALYSIS ) e
(10M) (10M) (10M) (5M)

10

11

12

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

1. Fundamentals of Database Security

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of roles and privileges in a database.
 To understand and implement the concept of data manipulation and authorization
in a database.

PRE-REQUISITE:
In lab, you do not have the admin access to the server and hence cannot perform the
required essential operations.

So, configure using the ‘Net Configuration Assistant’ and create an alias to connect to the
oracle instance. The steps to do so are mentioned below-

Go to the ‘Oracle’ folder in the start menu  Click on ‘Net Configuration Assistant’  Click
on ‘Other Choices’ when asked to login and click on the ‘Samyak’ user and login using the
password ‘klu@123’  Choose ‘Local Net Service Name Configuration’  Choose ‘Add’ 
Service Name: orcl Choose ‘TCP’  Host Name: desktop-t11csnm (or) 10.30.11.121(may
be subject to change. Ask the server admin for details if the aforementioned Host Names
don’t work) Choose ‘Yes, perform a test’  Net Service Name: dbs Click ‘No’.

NOTE – Here, ‘dbs’ is the alias name.

You can now login in to sqlplus with ‘connect KL17003XXXX/KL17003XXXX@dbs’.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Pre-Lab:

Q1.What is a role and user in


oracle.

Sol)

Q2. Write a query to create a


role.

Sol)

Q3. What is the default role a user gets when it is created.

Sol)

Q4.What privilege does CONNECT role provide.

Sol)

Q5.List different types of priviliges and explain each of

4
21CS3260R DATABASE & SYSTEMS SECURITY

them.

Sol)

Q6. Write a query to grant permissions to a role or a user.

Sol)

Q7.Write a query to grant password protected role to a user.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. Create a user with a default tablespace, temporary tablespace and with a 2M quota.

Sol)NOTE – You have to connect to system account first.

Q2. Alter the earlier created user and change his password as well as lock his account.

Sol) NOTE – You have to connect to system account first.

NOTE – The account is now locked. Unlock it using the alter command again.

Q3. Display the count of employees.

Sol) NOTE – We accessed the tables from system account.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. PayrollSpecialist - this group of employee needs to create a session and is responsible
for working with all of the Employee data. Create this role using SQL.

Sol) NOTE – You have to connect to system account first.

Q5. Provide system and object privileges to the role created earlier.

Sol) NOTE – You have to connect to system account first.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q6. Grant the earlier created role (with the added privileges) to the earlier created user.

Sol)NOTE – You have to connect to system account first.

Q7. Now you will test if the earlier created user can SELECT from the hr.EMPLOYEES table.
Display all the employees with the last name ‘Smith’.

Sol) Connect to the user account you created.

Q8. Remove the earlier granted privilege from the user.

Sol) NOTE – You have to connect to system account first.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Connect to any database as SYS user and grant him SYSDBA privilege.

Sol)

Q2. Write a query to retrieve all the columns of data from V$PWFILE_USERS view.

Sol)

Q3. Create a role named appaccess and grant the ability to read the application tables to
that role.

Sol)

Q4.Create a role create_session_role that will have only one privilege CREATE SESSION in
order to connect to an ORACLE database.

Sol)

Q5.Write a query that adds to existing roles

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q6.Create the user secadm and grant him password protected create_session_role

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

2. Backing up, recovering and restoring database

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of backups using Oracle.
 To understand and implement the concept of database recovery and restoring in
Oracle.

Pre-Lab:

Q1. What is a backup in SQL?

Sol)

Q2. What is archivelog mode?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. What is noarchivelog mode in SQL?

Sol)

Q4. What is the command to shutdown the database?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. Enable ARCHIVELOG mode and change flash recovery area size using SQL.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Backup the database

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Restore the database

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. Recover a deleted row in employee table using flashback query

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. What are the advantages and disadvantages of ARCHIVELOG mode?

Sol)

Q2. What are the advantages and disadvantages of NOARCHIVELOG mode?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Write a query to list details about all the database users

Sol)

Q4.Write a query to connect to the security administrator role to validate by a procedure,


that we have only permitted one account, secadm to execute the procedure. Execute it
now to acquire secadm_role

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5. Write a query to connect as secadm and run sys.p_check_secadm_access from


SQL*Plus on the Oracle Database?
Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

3. Triggers for Database Security 1

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of triggersfor database security.
 To understand and implement the concept of restricting access using triggers.

Pre-Lab:

Q1. What is a trigger in sql? What all events are triggers written to be executed in
response to?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Write the syntax of a trigger.

Sol)

Q3. What is the TO_CHAR function in sql? Write its syntax.

Sol)

Q4. What is SYSDATE in sql?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5. Which format specifier of the ‘TO_CHAR’ function is


used to convert a datetime value to Day?

Sol)

Q6. How to raise an error in sql? Write its syntax.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Flow of the program – (from Q1 to Q3)

Create table ‘emp_data_labtrig’.

Create table ‘emp_backup_labtrig’.

Create trigger ‘labtrig’ to work before deletion in ‘emp_data_labtrig’ table and


create backup in ‘emp_backup_labtrig’.

Fire the trigger and check backup table.

Q1. Create a table ‘emp_data_labtrig’ with the columns ‘eno’, ‘ename’, ‘job’, ‘hire_day’
and ‘salary’ and insert the following data:

‘eno’ is the primary key.

ENO ENAME JOB HIRE_DAY SALARY


23 Jay CEO 22 100000
34 May CTO 14 100500
45 Kay CFO 02 300000

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Create a table called ‘emp_backup_labtrig’ with the same columns as


‘emp_data_labtrig’. Then create a trigger ‘labtrig’ which will work before deletion in
‘emp_data_labtrig’ table and create a copy of the record to be deleted in the table
‘emp_backup_labtrig’.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Fire the trigger ‘labtrig’ and test whether it works by deleting the row where the
employee name is ‘Kay’ and check the ‘emp_backup_labtrig’ table and write the output.

(That means you have to delete the required row and display emp_backup_labtrig to see if
the deleted row has been copied into the table successfully.)

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

--------------------------------------------------------------------------------------------------------------------------

Flow of the program – (from Q4 to Q5)

Create table ‘rest_table’.

Create trigger ‘restrictions’ to restrict operations on database according to given


requirements.

Fire the trigger to test it.

Q4. Create a table ‘rest_table’ and create a trigger ‘restrictions’ that does not let a user
change the content of the table during working hours (8 am to 6 pm) and during a
Thursday or a Friday.

ENO ENAME JOB


23 Jay CEO

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5. Test the trigger by trying to delete the row where employee name is ‘Jay’ and write
the output.

Sol)

--------------------------------------------------------------------------------------------------------------------------

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Create a table ‘dummy’.

DEPTNO DNAME LOC


10 Hi York

Sol)

Q2. Create a trigger ‘restrict_dummy’ on update/delete that will turn the attempted
operation around and reject it.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Test the trigger ‘restrict_dummy’ by updating the record where LOC is York to New
and write the output.

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

4. Triggers for Database Security 2

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of triggersfor database security.
 To understand and implement the concept of auditing using triggers.

Pre-Lab:

Q1. What is auditing in Oracle?

Sol)

Q2. What are the different types of auditing present in Oracle?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. What is the importance of auditing?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Flow of the program – (from Q1 to Q3)

Create table ‘emp_data_labtrig2’.

Create table ‘emp_backup_labtrig2’.

Create trigger ‘labtrig2’ to work before updating in ‘emp_data_labtrig2’ table and


create backup in ‘emp_backup_labtrig2’.

Fire the trigger and check backup table.

Q1. Create a table ‘emp_data_labtrig2’ with the column ‘eno’, ‘ename’, ‘job’, ‘hire_day’
and ‘salary’ and insert the following data:

‘eno’ is the primary key.

ENO ENAME JOB HIRE_DAY SALARY


23 Jay CEO 22 100000
34 May CTO 14 100500
45 Kay CFO 02 300000

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Create a table called ‘emp_backup_labtrig2’ with the same columns as


‘emp_data_labtrig2’. This will be the audit table. Then create a trigger ‘labtrig2’ which will
work before updation in ‘emp_data_labtrig2’ table and create a copy of the record to be
updated in the table ‘emp_backup_labtrig2’.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Fire the trigger ‘labtrig2’ and test whether it works by updating the row where the
employee name is ‘Kay’ and check the ‘emp_backup_labtrig2’ table and write the output.

(That means you have to update the required row and display emp_backup_labtrig2 to see
if the updated row has been copied into the table successfully.)

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

--------------------------------------------------------------------------------------------------------------------------
Flow of the program – (from Q4 to Q6)

Create ‘dept’ table.

Create ‘deptaudit’ table.

Create trigger ‘auditDEPTAR’ that audits according to given requirements and stores the
output in ‘deptaudit’ table.

Test the trigger by inserting data and display the ‘deptaudit’ table.

Q4. Create dept table and deptaudit table.

Dept table -

DEPTNO DNAME LOC


10 ACCOUNTING NEW YORK
20 RESEARCH DALLAS
30 SALES CHICAGO
40 OPERATIONS BOSTON

Deptaudit table structure –

Name Null? Type


DEPTNO NUMBER
DNAME VARCHAR2(14)
LOC VARCHAR2(13)
CHANGE_TYPE VARCHAR2(1)
CHANGED_BY VARCHAR2(30)

4
21CS3260R DATABASE & SYSTEMS SECURITY

CHANGED_TIME DATE
Sol)

Q5. Create a trigger ‘auditDEPTAR’ that audits the operations performed on the ‘dept’
table.

The trigger should work after any insert, update or delete operation.

It must log those operations in a table called ‘deptaudit’. It should display ‘I’ for insert, ‘U’
for update and ‘D’ for delete.

It must also log the data (i.e. ‘deptno’, ‘dname’, ‘loc’) as well as who changed the data and
when it was changed.

The output is stored in the table ‘deptaudit’.

Check by inserting the data 50, TEST, TESTS in ‘dept’ table.

Sample Output-

DEPTNO DNAME LOC C CHANGED_BY CHANGED_T


--------------------- ----------- -------------------- -----------------
50 TEST TESTS I SYSTEM 29-DEC-2019

4
21CS3260R DATABASE & SYSTEMS SECURITY

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q6. Display the audit table after insertion of data and write the output.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Create a table ‘bank_transactions’ with the column ‘TID’, ‘TNO’, ‘NAME’, ‘CREATOR’
and insert the following data:

‘TID’ is the primary key

TID TNO NAME CREATOR


1 T1234 Peter HR
2 T9999 James HR
Sol)

Q2. Create a table called ‘bank_transactions_audit’ with the same columns as


‘bank_transactions’. This will be the audit table. Then create a trigger ‘labtrig22’ which
will work before updation in ‘bank_transactions’ table and create a copy of the record to
be updated in the table ‘bank_transactions_audit’.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Fire the trigger ‘labtrig22’ and test whether it works by updating the row where the
name is ‘James’ and check the ‘bank_transactions_audit’ table and write the output.

(That means you have to update the required row and display bank_transactions_audit to
see if the updated row has been copied into the table successfully.)

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

5. Digital Signature Generation

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of Java Cryptography.
 To understand and implement the concept of Digital Signature generation.

Pre-Lab:

Q1.What is Digital Signature and what is the need of Digital Signatures?

Sol)

Q2. What are the advantages of Digital Signature?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Draw the model diagram for generation of Digital Signature.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4.Why is the KeyPairGenerator class used in java cryptography and what are the steps to
create KeyPairGenerator Class?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. Generate the Digital Signature of the file sample.txt and store the output in
sample1.txt using java.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Grant create_session_role to appsec and protect it with a password.

Sol)

Q2. Grant create procedure, create table, create view system priviliges to appsec_role.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Grant appsec_role to appsec

Sol)

Q4. To run an application, we will create an application user, appusr. numerous people
will use an application, and the application will connect all of them to Oracle as our one
big application user. Write a query that they do not need individual person accounts and
passwords for this access

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

6. Hashing in Oracle

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of use of hashing for database security.
 To understand and implement the concept of hashing in Oracle.

Pre-Lab:

Q1. What is DBMS_CRYPTO?

Sol)

Q2. List the different package features in DBMS_CRYPTO.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Write a short note on DBMS_CRYPTO.HASH.

Sol)

Q4. What are the different cryptographic hash algorithms present in DBMS_CRYPTO?

Sol)

Q5. Why is ‘UTL_RAW.CAST_TO_RAW’ used?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Flow of the program –

Create table ‘app_users’.

Create sequence ‘app_users_seq’.

Connect as SYSDBA and grant execute on dbms_crypto package.

Create function ‘get_hash’ to hash given username and password using specified
algorithm.

Create procedure ‘add_user’ which executes ‘get_hash’ function and stores the
given username and hashed password in the table ‘app_users’.

Execute the procedure ‘add_user’ with required inputs.

Display table ‘app_users’ which has username and hashed password from
‘add_user’ procedure.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q1. Create a table ‘app_users’ with the following columns: id, username, password. ‘id’ is
the primary key and ‘username’ is unique.

Sol)

Q2. Create a sequence ‘app_users_seq’.

Sol)

Q3. Grant execute on dbms_crypto package to the user to be able to use that to hash.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. Create a function ‘get_hash’ (which uses dbms_crypto) in PL/SQL to hash the given
username and password using SH1 algorithm.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5. Create a procedure ‘add_user’ which executes the ‘get_hash’ function and stores the
given username and hashed password in the table ‘app_users’.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q6. Execute the function ‘add_user’ with inputs as ‘labtest’ (for username) and ‘labtest1’
(for password) and display the table ‘app_users’ from Q5.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Create a function ‘get_hash’ (which uses dbms_crypto) in PL/SQL to hash the given
username and password using MD4 algorithm.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Execute the function ‘add_user’ with inputs as ‘labtest2’ (for username) and
‘labtest12’ (for password) and display the table ‘app_users’.

Sol)

Q3. Create a function ‘get_hash’ (which uses dbms_crypto) in PL/SQL to hash the given
username and password using MD5 algorithm.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. Execute the function ‘add_user’ with inputs as ‘labtest3’ (for username) and
‘labtest123’ (for password) and display the table ‘app_users’.

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

7. Validate using Hashing

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of hashing in Oracle.
 To understand and implement the concept of validation using hashing in Oracle.

Pre-Lab:

Q1. Why do we need hashing algorithms for integrity checking?

Sol)

Q2. How can credentials be validated using hashing?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. What is SELECT INTO in PL/SQL?

Sol)

Q4. How do you execute a PL/SQL procedure?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Flow of the program –

Drop table ‘app_users’ and create again.

Drop sequence ‘app_users_seq’ and create again.

Connect as SYSDBA and grant execute on dbms_crypto package.

Create function ‘get_hash’ to hash given username and password using specified
algorithm.

Create procedure ‘add_user’ which executes ‘get_hash’ function and stores the
given username and hashed password in the table ‘app_users’.

Execute the procedure ‘add_user’ with required inputs.

Display table ‘app_users’ which has username and hashed password from
‘add_user’ procedure.

Create a procedure ‘valid_user’ that validates the given credentials using the
‘get_hash’ function and ‘app_users’ table.

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q1. Drop the table ‘app_users’ created in the previous lab and create a table ‘app_users’
with the following columns: id, username, password. ‘id’ is the primary key and
‘username’ is unique.

Sol)

Q2. Drop the sequence created in the previous lab and create a sequence ‘app_users_seq’.

Sol)

Q3. Similar to the previous lab, grant execute on dbms_crypto package to the user to be
able to use that to hash.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. Similar to the previous lab, create a function ‘get_hash’ in PL/SQL to hash the given
username and password usingSH1 algorithm.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5. Similar to the previous lab, create a procedure ‘add_user’ which executes the
‘get_hash’ function and stores the given username and hashed password in the table
‘app_users’.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q6. Execute the function ‘add_user’ with inputs as ‘labtest’ (for username) and ‘labtest1’
(for password) and display the table ‘app_users’ from Q5.

Sol)

Q7. Create a procedure ‘valid_user’ that will check if the username and password given as
input by user is valid or not by checking with the previously stored values in the
‘app_users’ table and validating.

Username 1 – labtest

Password 1 – labtest1

------------------------------

Username 2 – labtest1

Password 2 – labtest2

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. Write the differences between a procedure and a function in PL/SQL.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2. Create a procedure to protect access to the hrview_role

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Create a role named hrview_role. Through that role we will grant access to the data
needed by a variety of applications that we plan to build. At the outset, we only want
folks who are on our internal network to access this data, and only during our normal
office hours of 7 AM to 7 PM

Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

8. Hashing Data in Transit

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of hashing using Oracle.
 To understand and implement the concept of hashing data in transit in Oracle.

Pre-Lab:

Q1. Write a short note on MD5.

Sol)

Q2. Which package of java is to be imported to be able to use MD5?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Write the names of a few classes in java.security.

Sol)

Q4. Write some examples of hashing algorithms?

Sol)

Q5. How many bits does the hash value of MD5 have?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. You are a database security consultant for a company. The company has given you the
task of creating a registration page which takes username and password as inputs and
stores the hashed value of the password in a database table. You plan to store the hash
value of the password in the database. The hashing is done using MD5. You are to
implement this using Javascript.

First, create a html page with the username and password fields. Once the credentials are
given as input and submit button is pressed, the javascript program in the background will
hash the password and store it in the database along with the username.

Create a table called ‘dbusers’ to store the credentials.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. You are a database security consultant for a company. The company has given you the
task of creating apage which takes username, password and gender as inputs and stores
the hashed value of the password, gender in a database table. You plan to store the hash
values of the password, gender in the database. The hashing is done using MD5. You are
to implement this using Javascript.

First, create a html page with the username, password and gender fields. Once the details
are given as input and submit button is pressed, the javascript program in the background
will hash the password, gender and store it in the database along with the username and
original value of gender.

Create a table called ‘dbusers3’ to store the credentials.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

9. Validation of hashes of Data in Transit

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of hashing using Oracle.
 To understand and implement the concept of hashing data in transit in Oracle.
 To understand and implement the concept of validating data in transit in Oracle.

Pre-Lab:

Q1. What is hashing (in relation to security)?

Sol)

Q2. What is data in transit?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. What is ResultSet?

Sol)

Q4. What method of java can you use to check if two strings are equal?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. You are a database security consultant for a company. The company has given you the
task of creating a login page which takes username and password as inputs and hashes
the password and compares it with the previously stored hash value (from previous lab)in
the database table and validates it. The hashing is done using MD5. You are to implement
this using Javascript.

First, create a html page with the username and password fields. Once the credentials are
given as input and submit button is pressed, the javascript program in the background will
hash the password and compare it with the previously stored value in the database.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:
Q1.Toggle Between Roles

You can see the effects of running SET ROLE by observing your current session roles as you
toggle back and forth between create_session_role and secadm_role. As secadm user, do
this and observe the list of roles when you do each SELECT query:
i) SELECT * FROM sys.session_roles;
ii) SET ROLE create_session_role;
iii) SELECT * FROM sys.session_roles;
iv) EXECUTE sys.p_check_secadm_access;
v) SELECT * FROM sys.session_roles;

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

10. Encrypting Data in Transit

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of encryption using Oracle.
 To understand and implement the concept of encrypting data in transit in Oracle.

Pre-Lab:

Q1. Which API of java is used for cryptography?

Sol)

Q2. What are the different packages available in Java Cryptography API?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. You are a database security consultant. You want to store some confidential
information in your database. Do this using AES encryption.

First, create a html page with the username and secret message fields. Once the inputs are
given and submit button is pressed, the javascript program in the background will encrypt
the message using AES and store it in the database along with the username.

Create a table called ‘dbusers2’ to store the output.

AES Java Code – (use this to create a package)

------------------------------------------------------------------------
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class AdvancedEncryption


{
private byte[] key;

private static final String ALGORITHM = "AES";

public AdvancedEncryption(byte[] key)


{
this.key = key;
}

/**
* Encrypts the given plain text
*

4
21CS3260R DATABASE & SYSTEMS SECURITY

* @paramplainTextThe plain text to encrypt


*/
public byte[] encrypt(byte[] plainText) throws Exception
{
SecretKeySpecsecretKey = new SecretKeySpec(key, ALGORITHM);
Cipher cipher = Cipher.getInstance(ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, secretKey);

return cipher.doFinal(plainText);
}

/**
* Decrypts the given byte array
*
* @paramcipherTextThe data to decrypt
*/
public byte[] decrypt(byte[] cipherText) throws Exception
{
SecretKeySpecsecretKey = new SecretKeySpec(key, ALGORITHM);
Cipher cipher = Cipher.getInstance(ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, secretKey);

return cipher.doFinal(cipherText);
}
}
------------------------------------------------------------------------

Usage example:

byte[] encryptionKey = "MyKeyValue16char".getBytes(StandardCharsets.UTF_8);


byte[] plainText = "(MySecretMessage)".getBytes(StandardCharsets.UTF_8);

4
21CS3260R DATABASE & SYSTEMS SECURITY

AdvancedEncryptionStandardadvancedEncryptionStandard =
newAdvancedEncryptionStandard(encryptionKey);
byte[] cipherText = advancedEncryptionStandard.encrypt(plainText);
byte[] decryptedCipherText = advancedEncryptionStandard.decrypt(cipherText);
------------------------------------------------------------------------

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1.Create an Application Security User

Sol)

Q2.Our application security user needs to create procedures, functions, Java stored
procedures, tables, and views. When creating those items, appsec requires the CREATE
PROCEDURE, CREATE TABLE, and CREATE VIEW system privileges. We will grant those
privileges to a role named appsec_role, and grant that role to the appsec user.
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. Write a query to specify how much space appsec may use, a quota. We’ll start out
permitting two megabytes of space
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4.Write a query to Create a table in the appsec schema for logging errors and create a
trigger associated with that table.
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5.Create a trigger, to grant the privilege of non-default role


Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

11. Validating Data after Encryption

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of encrypting using Oracle.
 To understand and implement the concept of encrypting data in transit in Oracle.
 To understand and implement the concept of validating data after encryption in
Oracle.

Pre-Lab:

Q1. Name the cryptographic algorithms present in DBMS_CRYPTO.

Sol)

Q2. What is DBMS_CRYPTO.ENCRYPT used for?

Sol)

Q3. How many bits of data do the data and keys have in AES?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4. What is the key length of DES?

Sol)

Q5. Write a short note on Cipher Block Chaining and draw its diagram.

Sol)

Q6. What is PKCS#5?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q7. Write the syntax of DBMS_CRYPTO.ENCRYPT and DBMS_CRYPTO.DECRYPT for RAW


return type.

Hint - https://www.enterprisedb.com/edb-docs/d/edb-postgres-advanced-server/user-
guides/database-compatibility-for-oracle-developers-guide/9.4/
Database_Compatibility_for_Oracle_Developers_Guide.1.178.html

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. You are a database security consultant. You stored some confidential information
previously in your database using AES encryption.

First, create a html page with the username and secret message fields. Once the inputs are
given and submit button is pressed, the javascript program in the background will encrypt
the message using AES.Thencheck it with the data (stored in the previous lab) of the
secret message in the database table using a function. If both of them match then print
“Secret Verified Successfully”, else print “Invalid Secret”.

Create a function to check if both the values in the table are matching.

NOTE – There can only be two values in the table. One, the values entered in the previous
lab and two, the values entered in this lab.

AES Java Code –

------------------------------------------------------------------------
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class AdvancedEncryption


{
private byte[] key;

private static final String ALGORITHM = "AES";

public AdvancedEncryption(byte[] key)


{
this.key = key;
}

4
21CS3260R DATABASE & SYSTEMS SECURITY

/**
* Encrypts the given plain text
*
* @paramplainTextThe plain text to encrypt
*/
public byte[] encrypt(byte[] plainText) throws Exception
{
SecretKeySpecsecretKey = new SecretKeySpec(key, ALGORITHM);
Cipher cipher = Cipher.getInstance(ALGORITHM);
cipher.init(Cipher.ENCRYPT_MODE, secretKey);

return cipher.doFinal(plainText);
}

/**
* Decrypts the given byte array
*
* @paramcipherTextThe data to decrypt
*/
public byte[] decrypt(byte[] cipherText) throws Exception
{
SecretKeySpecsecretKey = new SecretKeySpec(key, ALGORITHM);
Cipher cipher = Cipher.getInstance(ALGORITHM);
cipher.init(Cipher.DECRYPT_MODE, secretKey);

return cipher.doFinal(cipherText);
}
}

Usage example:

4
21CS3260R DATABASE & SYSTEMS SECURITY

byte[] encryptionKey = "MyKeyValue16char".getBytes(StandardCharsets.UTF_8);


byte[] plainText = "(MySecretMessage)".getBytes(StandardCharsets.UTF_8);
AdvancedEncryptionStandardadvancedEncryptionStandard = new
AdvancedEncryptionStandard(
encryptionKey);
byte[] cipherText = advancedEncryptionStandard.encrypt(plainText);
byte[] decryptedCipherText = advancedEncryptionStandard.decrypt(cipherText);

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1.We want HR to execute the appsec security structures. We’d like to create a role to
which we might grant execute on a package, and then grant that role to whomever needs
it.
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q2.Write a query to grant access to HR Security Package, hr_sec_pkg, to a role that appusr
has, the hrview_role
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3.Connect to Oracle database as appsec user, and set your role to the non-default role,
appsec_role:
Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q4.Create the Application Security Error Log Table, t_appsec_errors


Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q5.Create Index for the Application Security Error Log Table, t_appsec_errors
Sol)

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING


SUBJECT CODE: 18CS3278
DATABASE & SYSTEM SECURITY WORKBOOK

12. Hashing Data in Transit 2

Date of the Session: ___/___/___ Time of the Session: _____to______

Learning Outcomes:
 To understand and implement the concept of hashing using Oracle.
 To understand and implement the concept of hashing data in transit in Oracle.

Pre-Lab:

Q1.What are temporal data types in Oracle?

Sol)

Q2. What is VArray?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

Q3. What is the difference between rename and alias?

Sol)

Q4. Can we store pictures in the database and if so, how it can be done?

Sol)

Q5.What is hash cluster?

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

In-Lab:

Q1. You are a database security consultant for a company. The company has given you the
task of creating a page which takes username, message, gender and place as inputs and
stores the hashed value of the message, gender, place in a database table. You plan to
store the hash values of the message, gender, place in the database. The hashing is done
using MD5. You are to implement this using Javascript.

First, create a html page with the username, message, genderand place fields. Once the
details are given as input and submit button is pressed, the javascript program in the
background will hash the message, gender, place and store it in the database along with
the username and original value of message, gender, place.

Create a table called ‘dbusers22’ to store the credentials.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

Post-Lab:

Q1. You are a database security consultant for a company. The company has given you the
task of creating a registration page which takes username, password, gender and place as
inputs and stores the hashed value of the password, gender, placein a database table. You
plan to store the hash values of the password, gender, place in the database. The hashing
is done using MD5. You are to implement this using Javascript.

First, create a html page with the username, password, genderand place fields. Once the
details are given as input and submit button is pressed, the javascript program in the
background will hash the password, gender, place and store it in the database along with
the username and original value of gender, place.

Create a table called ‘dbusers22’ to store the credentials.

Sol)

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

(For Evaluator’s use only)


Comment of the Evaluator (if Any)

Evaluator’s Observation

Marks Secured: __________ out of ___________

Full Name of the Evaluator:

Signature of the Evaluator Date of Evaluation:

4
21CS3260R DATABASE & SYSTEMS SECURITY

4
21CS3260R DATABASE & SYSTEMS SECURITY

ROUGH

4
21CS3260R DATABASE & SYSTEMS SECURITY

ROUGH

You might also like