
International Journal of Computational Intelligence and Information Security, March 2014 Vol. 5, No. 2 ISSN: 1837-7823

Implementing I&A in Multilayer Checkpoints for DB Security


Nooruldeen Nasih Qader
University of Sulaimani, Computer Science Department
nnq@yahoo.co.uk

Abstract
Multilayer Checkpoints for DB Security (MLC-DBS) is an application to protect sensitive data. Databases (DB) have various vulnerabilities, but people still have no choice other than to store their data in DB systems, so securing DB systems remains a live area of research, owing to the significant role of DBs in modern life and the progress of malicious techniques for cracking them. Although many methods of I&A exist, the traditional method (e.g., password) is still the most common method for I&A because it is easy and familiar. On the other hand, users practice insecure behaviors when using PWs. Thus, the PW is considered the weakest link in the authentication mechanism, but it can be efficient if selected intelligently and managed properly. Therefore, we should improve PW characteristics and combine the PW with other methods. A PW should be both easy to remember and difficult to guess. In practice, most users do not understand security issues. To obtain a secure system, information systems should help users implement these improvement techniques. MLC-DBS differs from multilevel security for DB; the first is general and the second is concerned only with the authorization layer. For most security systems, Identification and Authentication (I&A) are in the first layer of defense. In this paper I applied two methods in the I&A layer of MLC-DBS. The result shows that the I&A method used is flexible and can be configured according to the circumstances of the implementation. The strength of MLC-DBS is that it could be the best choice for securing some DBs (e.g., flash memory DB, small DB, NoSQL DB, serverless DB).

Keywords: database, security, Identification, Authentication, Multilevel, Layer, Encryption, Password.

1. Introduction
MLC-DBS is an application to protect sensitive data. DBs have various vulnerabilities, but people still have no choice other than to store their data in DB systems, so securing DB systems has become an important issue. DB security remains a live area of research owing to the significant role of DBs in modern life and the progress of malicious techniques for cracking them. Different approaches have been adopted to secure DBs. An MLC-DBS system may be the best under specific circumstances [9].

MLC-DBS differs from multilevel security for DB both in its logical viewpoint and in its mechanism. MLC-DBS applies different security layers to prevent an unauthorized user from accessing the DB, whereas multilevel security for DB addresses the natural expectation that users at different levels should be able to use the same DB, with each seeing only the data for which he has appropriate authorization, and users with different authorizations sharing some data [17]. Thus, multilevel security enforces a special arrangement between subjects and objects, and its work area is the authorization layer, while MLC-DBS uses general techniques of information security and enforces layers to stop an intruder [2, 13, 18].

The established MLC-DBS comprises the following layers: I&A, encryption, decryption, digital signature (i.e., digests) and data type validation (used to maintain DB integrity), audit trail, intrusion detection system, notification system, and DB backup. MLC-DBS also covers the creation and manipulation of the DB. Manipulation includes encryption and decryption of data, table names, and field names [9].

Although there are currently many forms of authentication, the most common method is the combination of user ID (identification) and password (authentication). A recent study shows that users practice insecure behaviors in their use of passwords (PW). Therefore, most systems force users to select a strong PW [4].
In this paper, we focus on the I&A layer, starting from some diagrams that illustrate the design of the MLC-DBS system, including the general MLC-DBS diagram and the authentication diagram. Here, I use two methods of authentication: the first I&A method is based on something that the user knows (i.e., PW); the second is based on something that the user has, where the Serial Number (SN) of the USB flash memory and the CPU are utilized (the SN of the BIOS, motherboard, and hard disk could also be used). Once the result of the authentication test procedure is "authenticated user", the user is granted access, which is extracted from the SN of the user's USB flash memory key.

The rest of this paper is organized as follows: I discuss Identification and Authentication (I&A) techniques and objectives. Then I suggest some techniques for improving PW characteristics and increasing PW entropy. I propose the design method and present the results in the context of MLC-DBS. Finally, I discuss conclusions and suggestions for future work.

2. IDENTIFICATION AND AUTHENTICATION (I&A)


I&A is the basic mechanism for authorization, confidentiality and auditing. For most security systems, I&A are in the first line of defense. They are technical measures that prevent unauthorized people (or unauthorized processes) from entering a computer system. I&A is a critical building block of computer security since it is the basis for most types of access control and for establishing user accountability (the means of identifying and tracing who has had access to the system, and to what data on the system, so they can be held accountable for their actions). Access control often requires that the system be able to identify and differentiate among users. For example, access control is often based on least privilege, which refers to granting users only those accesses required to perform their duties. User accountability requires the linking of activities on a computer system to specific individuals and, therefore, requires the system to identify users [2, 12].

Identification is the means by which a user provides a claimed identity to the system. Identification is the process by which a subject professes an identity and accountability is initiated. A user providing a username, a logon ID, a Personal Identification Number (PIN), or a smart card represents the identification process. Providing a process ID number also represents the identification process. Once a subject has identified itself, the identity is accountable for any further actions of that subject. Information Technology (IT) systems track activity by identities, not by the subjects themselves. A computer does not know one human from another, but it does know that your user account is different from all other user accounts.

Authentication is the means of establishing the validity of the provided identity. It is an attempt to prevent unauthorized use by requiring users to validate their authorization to access the system.
Authentication is the process of determining if a user or entity is who he claims to be. Authentication is the process of verifying or testing that the claimed identity is valid. It requires that the subject provide additional information that must exactly correspond to the identity indicated.

Identification is a fairly straightforward concept. A subject must provide an identity to a system to start the authentication, authorization, and accountability processes. Providing an identity can be typing in a username, swiping a smart card, waving a token device, speaking a phrase, or positioning your face, hand, or finger for a camera or scanning device. Without an identity, a system has no way to correlate an authentication factor with the subject. A subject's identity is typically considered to be public information.

Authentication verifies the identity of the subject by comparing one or more factors against the DB of valid identities (i.e., user accounts). The authentication factor used to verify identity is typically considered to be private information. The ability of the subject and a system to maintain the secrecy of the authentication factors for identities directly reflects the level of security of that system.

I&A are always applied together as a single two-step process. Providing an identity is step one and providing the authentication factor(s) is step two. Without both, a subject cannot gain access to a system; either element alone is not useful.

The primary objective of an authentication system is to prevent unauthorized users from gaining access to a private computer system. Much like with a normal door lock, authorized users are given a key to the system, thus keeping unauthorized users out. This does not mean, however, that unauthorized users are unable to gain access to the system. It has become quite common for authorized users to be lax in the protection of their access key.
That is, unauthorized users are able to access the system by using another person's key and appearing to be an authorized user. This is possible because the system does not authenticate the identity of the user, only who the key holder claims to be. Since the authentication system cannot verify the user's true identity, methods must be put in place to reduce the opportunity for an unauthorized user to appear as an authorized user and access the system. This is accomplished with one or more of the numerous authentication methods.

3. Authentication Methods
A computer system may employ different types of authentication methods; these methods can be used alone or in combination:
1. Something the individual knows (or information key, a secret): the user should provide specific information to access the system (e.g., a PW, pass phrases, questionnaires, PIN, or cryptographic key).
2. Something the individual possesses (or physical keys, a token): objects that a user must have to access the system (e.g., magnetic cards, an ATM card or a smart card).
3. Something the individual is (a biometric): relies on the user's physical attributes to grant or deny access (e.g., voice pattern, handwriting dynamics, or a fingerprint) [3, 7, 14].
4. Something you do, such as writing a signature, typing out a pass phrase (keyboard dynamics), or how you say a phrase. "Something you do" is often included in the "something you are" category.
5. Somewhere you are, such as a specific computer terminal, dialing up from a specific phone number identified by caller ID, or dialing up from a specific country identified by your IP address. "Somewhere you are" is often included in the "something you have" category.

Two-factor authentication occurs when two of the above-mentioned factors are used to provide authentication. For example, when cashing a check at the grocery store, the driver often has to provide his driver's license (something you have) and his phone number (something you know). Once the logon credentials of the offered identity and the authentication factor(s) are provided to the system, they are checked against the DB of identities on the system. If the identity is located and the correct authentication factor(s) are provided, then the subject will be authenticated [1, 15].

4. I&A Based on Something the User Knows


The most common form of I&A is a user ID coupled with a PW. This technique is based solely on something the user knows. In general, PW systems work by requiring the user to enter a user ID and PW (or pass phrase or PIN). The system compares the PW to a previously stored PW for that user ID. If there is a match, then the user is authenticated and granted access [5]. PWs have been successfully providing security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.

The security of a PW system depends on keeping the PW secret. Unfortunately, there are many ways that the secret may be divulged. The problems discussed below can be mitigated by improving PW security. However, there is no solution for the problem of electronic monitoring, except to use more advanced authentication (e.g., based on cryptographic techniques or tokens) [6]. The PW is considered to be the weakest form of protection. PWs are poor security mechanisms for several reasons, including the following:
1. Guessing or finding PW: If users select their own PW, they tend to make them easy to remember. That often makes them easy to guess. The names of people's children, pets, or favorite sports teams are common examples. On the other hand, assigned PWs may be difficult to remember, so users are more likely to write them down. Another method of learning a PW is to observe someone entering it. The observation can be done by someone in the same room or by someone some distance away using binoculars. Also, PWs can be stolen through many means, including recording and playback, and security DB theft. Short PWs can be discovered quickly in brute force attacks.
2. Giving PW away: Users may share their PW. They may give their PW to a co-worker in order to share files; also, PWs are easily written down and forgotten.
3. Electronic monitoring: PWs are often transmitted in clear text or with easily broken encryption protocols. When PWs are transmitted to a computer system, they can be electronically monitored. This can happen on the network used to transmit the PW or on the computer system itself. Simple encryption of a PW that will be used again does not solve this problem, because encrypting the same PW will create the same cipher text; the cipher text becomes the PW.
4. Accessing the PW file: PW DBs are often stored in publicly accessible online locations. If the PW file is not protected by strong access controls, the file can be downloaded. PW files are often protected with one-way encryption so that plain-text PWs are not available to system administrators or hackers (if they successfully bypass access controls). Even if the file is encrypted, brute force can be used to learn PWs if the file is downloaded (e.g., by encrypting English words and comparing them to the file).

5. I&A Based On Something the User Possesses


Physical keys are items that a user must have in their possession to access the system. Much like a key that is required to enter a locked room, a special key may be required to access a computer system or network. Along with the user name or PW, the user must present, or insert, their personal key to gain access. If the key and identification number do not match or are invalid, the user cannot gain access. The most commonly used physical keys are the magnetic card, the smart card and specialized calculators. These keys are widely used because they provide a higher level of security than a PW alone, are simple to use, and are relatively unobtrusive. The greatest problem with physical keys arises when they are lost or broken, making authorized access to the system impossible until the key is replaced. Although some techniques are based solely on something the user possesses, most of the techniques are combined with something the user knows. This combination can provide significantly stronger security than either something the user knows or possesses alone.

Token devices are a form of something you have. Tokens are PW-generating devices that subjects must carry with them. A token can be a static PW device, such as an ATM card. To use an ATM card, the subject must supply the token (the ATM card itself) and his PIN. Tokens can also be one-time or dynamic PW devices that look a bit like small calculators. The device displays a string of characters (a PW) for the subject to enter into the system. There are four types of token devices:
1. Static tokens,
2. Synchronous dynamic PW tokens,
3. Asynchronous dynamic PW tokens,
4. Challenge-response tokens.

A static token can be a swipe card, a smart card, a floppy disk, a USB RAM dongle, or even something as simple as a key to operate a physical lock. Static tokens offer a physical means to provide identity [16]. Other examples of static tokens are the Universal Serial Bus (USB) flash memory and the specification of the computer hardware (i.e., the SN of a hard disk, motherboard, BIOS, Central Processor Unit (CPU), etc.) [1, 15].

6. I&A BASED ON SOMETHING THE USER IS


Biometric authentication technologies use the unique characteristics (or attributes) of an individual to authenticate that person's identity. These include physiological attributes (such as fingerprints, hand geometry, or retina patterns) and behavioral attributes (such as voice patterns and hand-written signatures). Biometric authentication provides many advantages over other methods: the attributes are unique, they are difficult to duplicate or forge, and they are always in the possession of their authorized user. These characteristics make biometrics an excellent method for user authentication, although biometric technologies are still less mature than memory tokens or smart tokens. Imperfections in biometric authentication devices arise from technical difficulties in measuring and profiling physical attributes as well as from the somewhat variable nature of physical attributes. These may change depending on various conditions. For example, a person's speech pattern may change under stressful conditions or when suffering from a sore throat or cold. Due to their relatively high cost, biometric systems are typically used with other authentication means in environments requiring high security [3, 7, 14].

7. Improving PW Characteristics
The types of PW are: static, which always remain the same; dynamic, which change after a specified interval of time or use; and one-time or single-use PWs, which change every time they are used (a variant of dynamic PW). One-time PWs have high security, but there is a problem with the distribution and protection of the PW list. Although many methods of I&A exist, the traditional method (i.e., the combination of user ID and PW) is still the most common method for authentication. On the other hand, a recent study shows that users practice insecure behaviors when using PWs. Thus, the PW is considered the weakest link in the authentication mechanism, but it can be efficient if selected intelligently and managed properly. Therefore, in the following I propose improving PW characteristics, mainly by increasing PW entropy [4, 8, 10].

1. PW secrecy: the security of the PW system depends on keeping the PW secret; therefore avoid writing it down, and never tell it to anyone. In fact, if the PW is not easy to remember, people tend to write it down. This may seem reasonable; however, it is risky. Just as risky as writing a PW down is telling a PW to another person. Never allow a PW to be transmitted in clear text or with weak encryption over the network.

2. PW attributes: users can be instructed, or the system can force them, to select a PW:
   (1) with a certain minimum length,
   (2) with special characters,
   (3) that is unrelated to their user ID, and that does not reuse part of their name, logon name, e-mail address, employee number, social security number, phone number, extension, or other identifying name or code,
   (4) that does not use dictionary words or industry acronyms,
   (5) that uses nonstandard capitalization and spelling,
   (6) that switches letters and replaces letters with numbers.
   A generally accepted PW has at least eight characters, but according to the SANS Institute Password Policy a PW should contain at least fifteen alphanumeric characters, at least one of which is a number, symbol, or punctuation mark. In general, a user's PW should be both easy to remember and difficult to guess; that is, a PW should appear random yet be familiar and meaningful to the user. A good method for selecting a strong PW is to use the first or last letters from each word in a memorable phrase and then mix in some numbers or punctuation, for example, starting from the phrase "I will never forget to wash behind my ears" and producing "Iwnf2wbme!" as a PW. This often results in a relatively strong PW that is difficult to guess but easy to remember. Also, one may suggest that users encrypt their PW with a strong cryptographic algorithm and store it [4].

3. Storing user names and PW: in all PW schemes the system must maintain storage of user names and corresponding PWs to be used in the authentication process. This store should be secure. Secure means the PW should be stored in such a way that the application can compute and compare PWs presented to it as part of an authentication scheme, but the DB should not be usable or readable by anyone, not even by administrative users or by an adversary who manages to compromise the system.

4. PW generators: if users are not allowed to generate their own PW, they cannot pick easy-to-guess PWs. Some generators create only pronounceable non-words to help users remember them. However, users tend to write down hard-to-remember PWs.

5. Limiting attempts to log in: many systems can be configured to lock a user ID after a set number of failed login attempts. This helps to prevent guessing of PWs.

6. Changing PW: periodic changing of PWs can reduce the damage done by stolen PWs and can make brute-force attempts to break into systems more difficult. Too frequent changes, however, can be irritating to users.

7. Use PW verification tools and PW cracking tools against your own PW DB file. The owners of any accounts with a weak or discovered PW should be told to change their PW.

8. Disable user accounts that have short periods of inactivity, such as a week or a month, and delete the user accounts that are no longer used.

9. Train users in the necessity of maintaining security and the use of strong PWs. Warn them about writing down or sharing PWs. Offer tips to prevent shoulder surfing or keyboard logging from capturing PWs. Offer tips and recommendations on how to create strong PWs.

10. The strength of information system security varies from one system to another. Therefore, we should avoid using the same PW for multiple accounts. People have multiple accounts and they may reuse the same PW for them; if hackers gain access to one account, the other accounts are also cracked. For example, many users' email accounts have been cracked because the users reused the same PW for the email system and a Facebook account.

In reality, most users do not understand security problems. To obtain a secure system by using PWs, the system should help users implement (as much as possible) the previous list of improvement techniques.
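The following added example (not code from the paper or from MLC-DBS) puts items 2, 3 and 5 of the list above together: the attribute rules and the mnemonic method, a salted one-way store in which equal PWs do not produce equal records, and a lock after repeated failures. The function and class names, the sample word list, the PBKDF2 parameters and the limit of three failures are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8      # the "generally accepted" minimum on the page (SANS figure: 15)
MAX_FAILURES = 3    # assumed lock threshold for item 5
# Constructed sample word list; a real deployment would load a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football"}


def mnemonic_password(phrase, substitutions=None, suffix="!"):
    """First letter of each word, with sound-alike words swapped for digits."""
    substitutions = substitutions or {"to": "2", "for": "4"}
    letters = (substitutions.get(w.lower(), w[0]) for w in phrase.split())
    return "".join(letters) + suffix


def policy_violations(user_id, password, min_length=MIN_LENGTH):
    """Return the item-2 rules a candidate PW breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < min_length:
        problems.append("too short")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    id_parts = [p for p in re.split(r"[^a-z0-9]+", user_id.lower()) if len(p) >= 3]
    if any(part in lowered for part in id_parts):
        problems.append("contains user ID")
    if re.sub(r"[^a-z]", "", lowered) in COMMON_WORDS:
        problems.append("dictionary word")
    return problems


def derive_digest(password, salt):
    """Slow, salted, one-way digest: comparable by the application, not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PasswordStore:
    """In-memory stand-in for the PW file (hypothetical structure)."""

    def __init__(self):
        self._records = {}    # user ID -> (salt, digest); no PW is ever stored
        self._failures = {}   # user ID -> consecutive failed attempts

    def register(self, user_id, password):
        problems = policy_violations(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)  # per-user salt: equal PWs give different records
        self._records[user_id] = (salt, derive_digest(password, salt))

    def record_for(self, user_id):
        return self._records[user_id]

    def is_locked(self, user_id):
        return self._failures.get(user_id, 0) >= MAX_FAILURES

    def verify(self, user_id, password):
        if self.is_locked(user_id):
            return False
        # Unknown IDs still cost one derivation, so timing does not reveal them.
        salt, stored = self._records.get(user_id, (b"\x00" * 16, b""))
        ok = hmac.compare_digest(derive_digest(password, salt), stored)
        self._failures[user_id] = 0 if ok else self._failures.get(user_id, 0) + 1
        return ok


if __name__ == "__main__":
    pw = mnemonic_password("I will never forget to wash behind my ears")
    print(pw, policy_violations("Nooruldeen", pw))
    print("123456", policy_violations("Nooruldeen", "123456"))
```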

8. MLC-DBS Authentication Method


The diagram of the established authentication task is shown in Figure 1. The authentication steps are the following:
1. Check the visit count: this option gives the user a chance to evaluate the software (i.e., the trial version). On the first visit, when the user tries to open MLC-DBS for the first time, the system allows the user to log in without asking him to enter his PW. In other words, at the first visit the user should define his ID and PW, so on subsequent visits the user must enter the ID and PW correctly, otherwise he will not be allowed to access the DB. MLC-DBS encrypts and saves the ID and PW; the PW is correlated with the ID.
2. Check version: in the case of the full version, MLC-DBS checks the user PW, while in the case of the trial version, MLC-DBS checks the visit count (e.g., whether it is less than 50).
3. Check visit count: in the case of the trial version, MLC-DBS registers the number of the user's visits. If it is greater than a maximum predefined count (e.g., 50), the system does not allow the user to access the DB, but if the visit count is less than or equal to the maximum count, the user is permitted to access the system.
4. Check PW: once the user enters his ID and PW, MLC-DBS compares the input data with the pre-registered PW list (after decrypting its content) and matches the user ID. If the entered PW does not match the pre-registered PW, MLC-DBS does not grant access to the user; otherwise the system goes to the next step.
5. Check the SN of some selected computer hardware elements (e.g., motherboard, BIOS, CPU, and hard disk). The system reads the current computer hardware and compares this reading with the values pre-registered in one of the system's dedicated DBs. If they do not match, MLC-DBS terminates the user's attempt to access the DB.
6. Check USB flash memory: this is like the previous step, but the difference between them is in the mobility of the hardware. The flash memory is portable while the other checked hardware elements are fixed. In the proposed MLC-DBS, the flash key is used as a user ID identifier; besides the PW, it holds the user ID number.
7. Audit trail: records all the necessary information about the user's attempts to access the DB, whether access is permitted or not.
[Flow chart nodes: Start Authentication; Visit count > 1?; Trial?; Visit count > 50?; Valid hardware?; Entering PW & user ID; Encryption; Save to file; Is PW valid?; Audit trail; End]

Figure 1: Authentication flow chart
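The seven authentication steps of this section, written out as one decision function; this is an added example, not MLC-DBS code. The Installation class, the function names, the constructed serial numbers and the use of salted digests in place of the paper's encrypted records are assumptions, as is the reading that the first visit is admitted at step 1 and that a trial version still goes on to the PW check.

```python
import hashlib
import hmac
import os
import time

MAX_TRIAL_VISITS = 50  # the page's example maximum for the trial version


def pw_digest(password, salt):
    # Slow salted one-way digest (assumption; the paper stores encrypted PWs).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Installation:
    """State captured at install time (hypothetical structure)."""

    def __init__(self, full_version, hardware_sns, usb_keys):
        self.key = os.urandom(16)
        self.full_version = full_version
        self.hardware = {self.tag(sn) for sn in hardware_sns}
        self.usb_keys = {self.tag(sn): uid for sn, uid in usb_keys.items()}
        self.credentials = {}   # user ID -> (salt, PW digest)
        self.visit_count = 0
        self.audit_trail = []

    def tag(self, serial):
        # Keyed digest of a serial number, so the raw SN is not kept on disk.
        return hmac.new(self.key, serial.encode("utf-8"), hashlib.sha256).digest()


def run_checkpoints(inst, user_id, password, detected_hw, detected_usb):
    # Step 1: on the first visit the user defines the ID and PW and is let in.
    if inst.visit_count == 1 and not inst.credentials:
        salt = os.urandom(16)
        inst.credentials[user_id] = (salt, pw_digest(password, salt))
        return True, "first visit: credentials registered"
    # Steps 2-3: a trial version stops after MAX_TRIAL_VISITS visits.
    if not inst.full_version and inst.visit_count > MAX_TRIAL_VISITS:
        return False, "trial visit limit reached"
    # Step 4: compare the entered PW with the record for this user ID.
    salt, stored = inst.credentials.get(user_id, (b"\x00" * 16, b""))
    if not hmac.compare_digest(pw_digest(password, salt), stored):
        return False, "PW mismatch"
    # Step 5: every SN registered at install time must be present now.
    if not inst.hardware <= {inst.tag(sn) for sn in detected_hw}:
        return False, "hardware SN mismatch"
    # Step 6: the USB key must be registered and bound to this user ID.
    if inst.usb_keys.get(inst.tag(detected_usb or "")) != user_id:
        return False, "USB key mismatch"
    return True, "authenticated user"


def authenticate(inst, user_id, password, detected_hw, detected_usb):
    """Run all checkpoints for one visit and return (granted, reason)."""
    inst.visit_count += 1
    granted, reason = run_checkpoints(inst, user_id, password,
                                      detected_hw, detected_usb)
    # Step 7: record every attempt, granted or not; the PW is never logged.
    inst.audit_trail.append({
        "time": time.time(),
        "visit": inst.visit_count,
        "user_id": user_id,
        "granted": granted,
        "reason": reason,
    })
    return granted, reason


if __name__ == "__main__":
    # Constructed serial numbers, for illustration only.
    hw = ["HD-SN-0001", "CPU-SN-0002"]
    inst = Installation(False, hw, {"USB-SN-0003": "Nooruldeen"})
    for attempt in ("Iwnf2wbme!", "Iwnf2wbme!", "wrong"):
        print(authenticate(inst, "Nooruldeen", attempt, hw, "USB-SN-0003"))
```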

9. Implementation of I&A in MLC-DBS


I&A are important security steps. The following subsections describe the two I&A methods that were implemented.

9.1 I&A Based on Something the User Knows
The common form of this method is the PW; it is considered a strong method if the PW is kept secret. In other words, the security of this method depends exclusively on keeping the PW secret. For this reason, several techniques are used, including saving the PW encrypted, limiting the time for writing the PW (e.g., up to 15 seconds), forcing the user to select a PW length of not less than six characters, mixing digits, numbers, symbols, lower case, and upper case in the PW, and displaying the PW contents as a string of the character '*' so that it cannot be divulged by direct observation. MLC-DBS provides the required capability to select a PW and to change this PW periodically.

The I&A process passes through the following steps: at the first visit, MLC-DBS is opened without a PW; the system just asks the user to name a PW through the following message dialogue: "Enter your PW, so that at your next visit, you will be able to launch this system". If the user does not enter his PW he cannot access MLC-DBS. Once the user enters his ID and PW, MLC-DBS enciphers these entries and saves them, so at the next visit to MLC-DBS by the same user, the system compares the provided user ID and PW with those registered in one of the system's files. If they match, the user is granted access, otherwise not. This process involves three tasks, namely generating a cryptographic key (to encrypt the user ID and PW), saving the user ID and PW, and checking them, as follows:

A. Generate Cryptographic Key
A symmetric cryptosystem is used to encrypt and decrypt the PW. The security of a symmetric cryptosystem depends on the cryptographic key, which should be treated as private, so some techniques are used to create it automatically, increase its complexity and make it difficult to guess, as shown in Algorithm 1. The advantage of cryptographic key generation is that it removes the need to memorize, write down or enter a long PW, because the key is generated automatically when MLC-DBS is started up; in addition, it is easy to use and cannot be stolen, so it is a strong way of selecting a cryptographic key [11, 13].

B. Saving User ID and PW
The user must define his PW and user ID at his first visit to MLC-DBS; the user can also change this PW at any time later. The user ID and PW are stored after encryption.

C. Checking User ID and PW
If the comparison between the provided user ID and PW and the pre-stored ones indicates a match, the user is granted access; otherwise he cannot access the system. The pre-registered user ID and PW are encrypted. Therefore the PW checking operation involves decryption of both the PW and the user ID.
Algorithm 1: Encryption key generation
Input: user name, creation time
Output: EncKey
    // get user name from operating system
    set UserN = user name
    // determine creation time of application file
    set CrY = year of the creation time
    set CrM = month of the creation time
    set CrD = day of the creation time
    set CrH = hour of the creation time
    set EncKey = concatenate UserN, CrY, CrM, CrD and CrH
End

9.2 I&A Based on Something that User Possesses
This operation is carried out by specifying some attributes of the computer's hardware as the system signature (i.e., the SN of the BIOS, motherboard, hard disk, CPU and USB flash memory). Each of these elements has a unique SN, and MLC-DBS checks one or more of these hardware elements. In the designed MLC-DBS the SN of more than one hardware element is utilized, because some of these elements may not have an SN, so at least one of the chosen hardware elements should have an SN. The main advantage of using a hardware signature for authentication is that it restricts the operation of MLC-DBS to specific machines whose elements are owned by the user. The major disadvantage of hardware authentication is the complicated procedure that must be followed if any one of the checked hardware elements is replaced or its characteristics are changed (e.g., disks formatted); in such cases a new installation of the MLC-DBS application must be generated, because the new or reformatted parts have a new signature value. MLC-DBS could be designed to run on a specific computer, i.e., by selecting the hardware of a specific computer for checking. It could also be designed to run on any computer, i.e., by selecting a portable device for the hardware check, such as USB flash memory or a mobile phone. The MLC-DBS security technique interacts with the selected hardware.

10. Results
The implemented MLC-DBS is demonstrated by figures captured during the testing phase. Here, I illustrate the implementation by capturing debug windows to show what is going on when MLC-DBS is running; most of these debug windows do not appear during the real-time application of MLC-DBS and are included just for demonstration. The following subsections clarify the application of the established I&A in MLC-DBS.

10.1 Generate Cryptographic Key
Two methods of I&A are used in MLC-DBS: the first method depends on something that the user knows, and the second depends on something that the user possesses. But before the stage of I&A, MLC-DBS must generate a cryptographic key to encrypt/decrypt the user ID and PW. Cryptographic key generation is shown by this example: if the creation date and time of the file "MLC-DBS.exe" is "25/5/2006, 10:14:01", respectively, and the system user name is "Nooruldeen", the generated cryptographic key will be "1F4C68CA=ur%n1Owueijpv", as shown in Figure 2.

10.2 I&A Based on Something the User Knows
MLC-DBS uses a PW scheme as a method of I&A based on something the user knows. Here, the way of using the PW is illustrated, and some of the techniques used to improve PW security are presented. On the login screen a user ID must be entered in the user text box; the user then has 15 seconds to write the correct PW, otherwise MLC-DBS terminates its execution. The time limitation restricts illegal attempts from conducting a long sequence of trial PWs. This constraint on the login time is one of the steps to improve PW security. The limitation is indicated visually in MLC-DBS in two ways: first, by a number showing the time remaining from the 15 seconds, and second, by a progress bar at the bottom of the screen window. The time limitation makes the attacker anxious, because he tries to steal secret information and he has a limited time. Once MLC-DBS is shut down due to a delay in entering the correct PW, the user can run it again. The time limitation technique could be supported in the following ways: (1) the number of failed trials could be limited to 3 attempts during the day (for example); (2) all the information associated with each attempt to run MLC-DBS is recorded in audit trails, which can give good information about the nature of the attack.

Figure 2: Encryption key

If the user ID is "Nooruldeen" and the PW is "123456", they are encrypted and saved in the file "Readme.mls" as "IAcO?W" and "E??", respectively. With MLC-DBS, the administrator can change the user ID and PW by using the form shown in Figure 3. MLC-DBS uses numerous features to improve PW security, such as PW length, encryption, and the ability to change the PW.

Figure 3: Change PW
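The login controls of Section 10.2 (15-second entry window, a daily cap of 3 failed trials, an audit record per attempt) can be sketched as follows. This is an added example, not MLC-DBS code: the class and function names are hypothetical, a salted PBKDF2 verifier is swapped in for the paper's encrypted PW file, and counting a timeout as a failed trial is an assumption.

```python
import hashlib, hmac, os, time

LOGIN_WINDOW_S = 15        # seconds allowed for PW entry (value from the paper)
MAX_FAILURES_PER_DAY = 3   # daily limit on failed trials (the paper's example)

def hash_pw(pw, salt):
    # Assumption: a salted PBKDF2 verifier replaces the paper's encrypted PW file.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class LoginGate:
    def __init__(self, user_id, pw, clock=time.time):
        self.user_id = user_id.encode()
        self.salt = os.urandom(16)
        self.verifier = hash_pw(pw, self.salt)
        self.clock = clock      # injectable so the timer can be tested
        self.opened = None      # when the login screen was shown
        self.failures = {}      # day number -> failed trials that day
        self.audit = []         # audit trail: one record per attempt

    def start(self):
        """Login screen shown: the 15-second countdown begins."""
        self.opened = self.clock()

    def attempt(self, user_id, pw):
        now = self.clock()
        day = int(now // 86400)
        if self.failures.get(day, 0) >= MAX_FAILURES_PER_DAY:
            outcome = "locked"
        elif self.opened is None or now - self.opened > LOGIN_WINDOW_S:
            outcome = "timeout"
        else:
            # Evaluate both comparisons so timing does not reveal which field failed.
            ok_id = hmac.compare_digest(user_id.encode(), self.user_id)
            ok_pw = hmac.compare_digest(hash_pw(pw, self.salt), self.verifier)
            outcome = "ok" if (ok_id and ok_pw) else "bad_credentials"
        if outcome in ("timeout", "bad_credentials"):
            # Assumption: a timed-out session counts as a failed trial.
            self.failures[day] = self.failures.get(day, 0) + 1
        # The PW itself is never written to the audit trail.
        self.audit.append({"time": now, "user": user_id, "outcome": outcome})
        return outcome
```

Because the failure counter is keyed by day, restarting the program after a timeout does not reset the budget as long as the counter is persisted alongside the audit trail.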

10.3 I&A Based on Something the User Possesses

MLC-DBS uses computer hardware signatures to accomplish the I&A task. By checking the hard disk, USB flash memory, CPU, and BIOS, the established MLC-DBS is logically attached to that hardware. Figure 4 illustrates the message associated with the process of checking the hard disk SN; the listed code shows the steps of comparing the pre-registered hard disk SN with the hard disk SN found on the computer at start-up. The check between the two is necessary to decide whether MLC-DBS is running on the computer it was installed on. The computer SN is therefore treated as the system's signature. The pre-registered SN is captured during the installation phase of MLC-DBS, then encrypted and stored as part of the system package.


Figure 4: MLC-DBS Hard disk SN capture

Figure 5 shows a capture of the message that clarifies the process of checking for the legal flash memory. The steps involved in checking the flash memory are similar to those for checking the hard disk. Figure 5 also illustrates part of the code used to match the SN of the flash disk, detected when MLC-DBS starts, against the pre-defined number. Figure 6 shows the message printed when the two SNs do not match.

Figure 5: Capture of legal USB flash memory

Figure 6: Capture of illegal USB flash memory
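The install-time registration and start-up comparison of Section 10.3 can be sketched as below. This is an added example, not the MLC-DBS code shown in the figures: the function names, the key, and the serial numbers are constructed, the serials are passed in rather than read from hardware, and a keyed HMAC tag is swapped in for the paper's encrypted SN.

```python
import hashlib, hmac

COMPONENTS = ("hard_disk", "usb_flash", "cpu", "bios")  # devices named in the paper

# Constructed sample values, not real serial numbers.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SERIALS = {"hard_disk": "WD-1234ABCD", "usb_flash": "AA00112233",
                  "cpu": "BFEBFBFF000306A9", "bios": "PF0XYZ12"}

def _norm(sn):
    # Serial numbers are often reported with padding or mixed case.
    return sn.strip().upper().encode()

def _tag(key, component, sn):
    # Binding the component name into the MAC stops one device's tag
    # from being accepted in another device's slot.
    msg = component.encode() + b"\x00" + _norm(sn)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def enroll(key, serials):
    """Installation phase: store a keyed tag per component, not the raw SN."""
    return {c: _tag(key, c, serials[c]) for c in COMPONENTS}

def verify(key, record, detected):
    """Start-up check: return the components that are missing or do not match."""
    failed = []
    for c in COMPONENTS:
        sn = detected.get(c)
        # Fail closed: an absent device (e.g. no USB flash inserted) is a mismatch.
        if sn is None or not hmac.compare_digest(_tag(key, c, sn), record[c]):
            failed.append(c)
    return failed
```

A non-empty result corresponds to the "illegal" message of Figure 6 and is the natural point to write an audit-trail record before stopping.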

12. Conclusion and Future Research


Although many methods of I&A exist, the traditional method (PW) is still the most common method for I&A due to its ease and familiarity. On the other hand, users practice insecure behaviors when using PWs. Thus, the PW is considered the weakest link in the authentication mechanism, but it could be efficient if selected intelligently and managed properly. Therefore, we should improve PW characteristics, increase PW entropy, and combine the PW with other methods. However, a PW should be both easy to remember and difficult to guess; a PW should appear random, but be familiar and meaningful to the user. In this paper I presented two methods of authentication: the first I&A method is based on something the user knows (i.e., PW); the second is based on something the user has, where the SNs of the USB flash memory and CPU are utilized (the SNs of the BIOS, motherboard, and hard disk could also be used). For future work, I will present MLC-DBS with other layers such as encryption, decryption, digital signature, audit trail, intrusion detection system, notification system, and DB backup. MLC-DBS also involves the creation and manipulation of the DB. Manipulation includes encryption and decryption of data, table names, and field names.
