Lecture 14

Uploaded by

bscs23091
Lecture 14

Database Systems
Zubaira Naz
Information Technology University (ITU)
Agenda
• Application Design and Development
– Application Programs and User Interfaces
– Web Fundamentals
– Encryption
Application Design and Development
Application Programs and User Interfaces

• An application program acts as the intermediary
between users and the database
– Applications split into
• front-end
• middle layer
• backend
• Front-end: user interface
– Forms
– Graphical user interfaces
– Many interfaces are Web-based
Application Architecture Evolution
• Three distinct eras of application architecture
– mainframe (1960’s and 70’s)
– personal computer era (1980’s)
– Web era (1990’s onwards)
Web Interface
• Web browsers have become standard user
interface to databases
– Enable large numbers of users to access databases from
anywhere
– Avoid the need for downloading/installing specialized
code, while providing a good graphical user interface
• Javascript, and other scripting languages run in browser, but
are downloaded transparently
– Examples: banks, airline and rental car reservations,
university course registration and grading, and so on.
The World Wide Web
• The Web is a distributed information system based
on hypertext.
• Most Web documents are hypertext documents
formatted via the HyperText Markup Language
(HTML)
• HTML documents contain
– text along with font specifications, and other formatting
instructions
– hypertext links to other documents, which can be
associated with regions of the text.
– forms, enabling users to enter data which can then be
sent back to the Web server
Uniform Resource Locators
• In the Web, functionality of pointers is provided by
Uniform Resource Locators (URLs).
• URL example:
http://www.acm.org/sigmod
– The first part indicates how the document is to be accessed
• “http” indicates that the document is to be accessed using the Hyper
Text Transfer Protocol.
– The second part gives the unique name of a machine on the
Internet.
– The rest of the URL identifies the document within the machine.
• The local identification can be:
• The path name of a file on the machine, or
• An identifier (path name) of a program, plus arguments to be passed
to the program
– E.g., http://www.google.com/search?q=silberschatz
HTML and HTTP
• HTML provides formatting, hypertext link, and
image display features
– including tables, stylesheets (to alter default
formatting), etc.
• HTML also provides input features
– Select from a set of options
• Pop-up menus, radio buttons, check lists
– Enter values
• Text boxes
– Filled in input sent back to the server, to be acted
upon by an executable at the server
• HyperText Transfer Protocol (HTTP) used for
communication with the Web server
Sample HTML Source Text
<html>
<body>
<table border>
<tr> <th>ID</th> <th>Name</th> <th>Department</th> </tr>
<tr> <td>00128</td> <td>Zhang</td> <td>Comp. Sci.</td> </tr>
….
</table>
<form action="PersonQuery" method=get>
Search for:
<select name="persontype">
<option value="student" selected>Student </option>
<option value="instructor"> Instructor </option>
</select> <br>
Name: <input type=text size=20 name="name">
<input type=submit value="submit">
</form>
</body> </html>
Display of Sample HTML Source
Web Servers
• A Web server can easily serve as a front end to a variety of
information services.
• The document name in a URL may identify an executable
program that, when run, generates an HTML document.
– When an HTTP server receives a request for such a document, it
executes the program, and sends back the HTML document that is
generated.
– The Web client can pass extra arguments with the name of the
document.
• To install a new service on the Web, one simply needs to create
and install an executable that provides that service.
– The Web browser provides a graphical user interface to the
information service.
• Common Gateway Interface (CGI): a standard interface between
web and application server
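The server-side program behind the sample form's action="PersonQuery", as an added example that is not part of the original slides. It assumes an in-memory SQLite database with constructed rows, and the function names make_db and person_query are hypothetical; the form fields persontype and name and the table columns come from the sample HTML above.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

def make_db():
    """Constructed sample data using the columns of the slide's HTML table."""
    db = sqlite3.connect(":memory:")
    for table in ("student", "instructor"):
        db.execute(f"CREATE TABLE {table} (id TEXT PRIMARY KEY, name TEXT, dept TEXT)")
    db.execute("INSERT INTO student VALUES (?, ?, ?)", ("00128", "Zhang", "Comp. Sci."))
    db.execute("INSERT INTO instructor VALUES (?, ?, ?)", ("10211", "O'Brien", "Physics"))
    return db

# persontype selects a table, and table names cannot be bound as parameters,
# so each of the form's two option values maps to fixed SQL text.
QUERIES = {
    "student": "SELECT id, name, dept FROM student WHERE name = ?",
    "instructor": "SELECT id, name, dept FROM instructor WHERE name = ?",
}

def person_query(db, url):
    """Handle a GET request produced by the form; return (status, HTML document)."""
    args = parse_qs(urlsplit(url).query)      # the "extra arguments" in the URL
    persontype = args.get("persontype", [""])[0]
    name = args.get("name", [""])[0]
    sql = QUERIES.get(persontype)
    if sql is None:                           # value outside the <select> options
        return 400, "<html><body>Unknown person type</body></html>"
    rows = db.execute(sql, (name,)).fetchall()  # name is bound, never spliced into SQL
    body = "".join(
        "<tr>" + "".join(f"<td>{html.escape(col)}</td>" for col in row) + "</tr>"
        for row in rows                       # stored values are escaped before output
    )
    return 200, ("<html><body><table border>"
                 "<tr><th>ID</th><th>Name</th><th>Department</th></tr>"
                 f"{body}</table></body></html>")
```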
Three-Layer Web Architecture
Two-Layer Web Architecture
• Multiple levels of indirection have overheads
– Alternative: two-layer architecture
HTTP and Sessions
• The HTTP protocol is connectionless
– That is, once the server replies to a request, the server closes the
connection with the client, and forgets all about the request
– In contrast, Unix logins, and JDBC/ODBC connections stay
connected until the client disconnects
• retaining user authentication and other information
– Motivation: reduces load on server
• operating systems have tight limits on number of open connections on
a machine
• Information services need session information
– E.g., user authentication should be done only once per session
• Solution: use a cookie
Sessions and Cookies
• A cookie is a small piece of text containing
identifying information
– Sent by server to browser
• Sent on first interaction, to identify session
– Sent by browser to the server that created the cookie on
further interactions
• part of the HTTP protocol
– Server saves information about cookies it issued, and can
use it when serving a request
• E.g., authentication information, and user preferences
• Cookies can be stored permanently or for a limited
time
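A server-side session store built on the cookie mechanism described above, as an added example that is not part of the original slides. The cookie name sid, the 30-minute lifetime and the function names are assumptions; the cookie carries only a random identifier, and the server keeps the authentication information it refers to.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # assumed lifetime in seconds (cookie stored "for a limited time")
SESSIONS = {}        # server-side information about the cookies it has issued

def login(user, now=None):
    """Called once authentication has succeeded; returns the Set-Cookie value."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)       # unguessable identifier, holds no user data
    SESSIONS[sid] = {"user": user, "expires": now + SESSION_TTL}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True      # not readable by scripts in the page
    cookie["sid"]["secure"] = True        # only returned over HTTPS
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["max-age"] = SESSION_TTL
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

def current_user(cookie_header, now=None):
    """Map the Cookie header of a later request to its session user, or None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("sid")
    session = SESSIONS.get(morsel.value) if morsel else None
    if session is None:                   # no cookie, or an identifier never issued
        return None
    if now >= session["expires"]:         # expiry is enforced by the server as well
        del SESSIONS[morsel.value]
        return None
    return session["user"]

def logout(cookie_header):
    """Forget the session so the cookie value stops being accepted."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "sid" in jar:
        SESSIONS.pop(jar["sid"].value, None)
```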
Encryption
• Data may be encrypted when database authorization
provisions do not offer sufficient protection.
• Properties of good encryption technique:
– Relatively simple for authorized users to encrypt and decrypt data.
– Encryption scheme depends not on the secrecy of the algorithm but
on the secrecy of a parameter of the algorithm called the encryption
key.
– Extremely difficult for an intruder to determine the encryption key.
• Symmetric-key encryption: same key used for encryption
and for decryption
• Public-key encryption (a.k.a. asymmetric-key
encryption): use different keys for encryption and decryption
– encryption key can be public, decryption key secret
Encryption (Cont.)
• Data Encryption Standard (DES) substitutes characters and rearranges
their order on the basis of an encryption key which is provided to
authorized users via a secure mechanism. Scheme is no more secure
than the key transmission mechanism since the key has to be shared.
• Advanced Encryption Standard (AES) is a new standard replacing DES,
and is based on the Rijndael algorithm, but is also dependent on shared
secret keys.
• Public-key encryption is based on each user having two keys:
– public key – publicly published key used to encrypt data, but cannot be used
to decrypt data
– private key – key known only to individual user, and used to decrypt data.
Need not be transmitted to the site doing encryption.
Encryption scheme is such that it is impossible or extremely hard to
decrypt data given only the public key.
Encryption in Databases
• Databases widely support encryption
• Different levels of encryption:
– disk block
• every disk block encrypted using key available in database-system
software.
• Even if attacker gets access to database data, decryption cannot be done
without access to the key.
– Entire relations, or specific attributes of relations
• non-sensitive relations, or non-sensitive attributes of relations need not
be encrypted
• however, attributes involved in primary/foreign key constraints cannot
be encrypted.
• Storage of encryption or decryption keys
– typically, single master key used to protect multiple
encryption/decryption keys stored in database
• Alternative: encryption/decryption is done in application,
before sending values to the database
Encryption and Authentication
• Password based authentication is widely used, but is susceptible to
sniffing on a network.
• Challenge-response systems avoid transmission of passwords
– DB sends a (randomly generated) challenge string to user.
– User encrypts string and returns result.
– DB verifies identity by decrypting result
– Can use public-key encryption system by DB sending a message
encrypted using user’s public key, and user decrypting and sending the
message back.
• Digital signatures are used to verify authenticity of data
– E.g., use private key (in reverse) to encrypt data, and anyone can verify
authenticity by using public key (in reverse) to decrypt data. Only holder
of private key could have created the encrypted data.
– Digital signatures also help ensure nonrepudiation: sender
cannot later claim to have not created the data
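A challenge-response exchange showing both sides, as an added example that is not part of the original slides. It swaps the slide's "encrypt the string" step for a keyed hash (HMAC-SHA-256) over the challenge with a shared secret, so the server recomputes and compares instead of decrypting; the function names, the 30-second window and the user alice are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30                                  # assumed validity window, seconds
SHARED_KEYS = {"alice": secrets.token_bytes(32)}    # constructed; provisioned out of band
PENDING = {}                                        # user -> (challenge, expiry)

def issue_challenge(user, now=None):
    """Server side: send a fresh random challenge string to the user."""
    now = time.time() if now is None else now
    challenge = secrets.token_bytes(32)
    PENDING[user] = (challenge, now + CHALLENGE_TTL)
    return challenge

def respond(key, user, challenge):
    """Client side: prove knowledge of the key without transmitting it."""
    message = user.encode() + b"\x00" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(user, response, now=None):
    """Server side: accept a response once, for the latest unexpired challenge."""
    now = time.time() if now is None else now
    challenge, expires = PENDING.pop(user, (None, 0.0))   # single use, blocks replay
    key = SHARED_KEYS.get(user)
    if challenge is None or key is None or now > expires:
        return False
    expected = respond(key, user, challenge)
    return hmac.compare_digest(expected, response)        # constant-time comparison
```

A sniffed response is useless later because each challenge is random and consumed on first use.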
Class Assignment Questions
1. List some benefits and drawbacks of connectionless protocols
over protocols that maintain connections.
2. List three ways in which caching can be used to speed up web
server performance.
3. Explain the terms CRUD and REST.
4. What are two advantages of encrypting data stored in the
database?
5. Explain what a challenge-response system for authentication is.
Why is it more secure than a traditional password-based system?
