PUBLIC KEY AUTHENTICATION
Public key authentication uses what's known as asymmetric cryptography, where a user has a pair of two mutually dependent keys. What's encrypted with one of these keys can only be decrypted with the other. Typically, a user makes one of these keys public, but keeps the other key completely private (never giving it out to anyone). For authentication, the user encrypts a small piece of data with their private key and the receiver verifies it using the user's public key. This is the same type of authentication used with the secure shell (SSH) command. The drawback of this method is that if a hacker breaks into your local computer and takes your private key, they could gain access to the database. Your database is only as secure as the private keys.
MULTIFACTOR AUTHENTICATION
Multifactor authentication relies on two or more forms of authentication. For example, one factor might be something you have, such as a smart card, as well as something you know, like a PIN. To gain access you must have both forms. One of the most common methods is a secure hardware token that displays a new six-digit number every 30 seconds. The sequence of codes is synced to the database using accurate clocks that are resynchronized each time they're used. The user types in their password and the PIN from the token to gain access to the database. If either the password or the PIN is incorrect, access is denied.
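The time-based token described above is the TOTP scheme (RFC 6238): an HMAC over a counter derived from the clock, truncated to six digits, with the server accepting a small window of neighbouring time steps to absorb clock drift and recording the accepted step so the same code cannot be replayed. The following is an added example, not code from the book; the secret is the RFC 6238 test-vector secret and the verify routine's window and replay rules are the example's own choices.

```python
import hmac
import hashlib
import struct
import time

TIME_STEP_SECONDS = 30   # the token rolls over to a new code every 30 seconds
DIGITS = 6               # six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer and reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the wall clock."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1):
    """Server-side check. Accepts codes from `window` steps either side of the
    current step to tolerate clock drift between token and server, and skips
    any step at or below the last accepted one so a captured code is rejected
    on replay. Returns (accepted, new_last_counter); storing the returned
    counter is what resynchronizes token and server after each use."""
    current = unix_time // TIME_STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA-1 test secret.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("code for this 30-second step:", totp(secret, now))
    ok, last = verify_totp(secret, totp(secret, now), now)
    print("first use accepted:", ok)
    print("replay accepted:", verify_totp(secret, totp(secret, now), now, last)[0])
```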
As an additional security measure, you can restrict database access to a range of IP addresses. The problem with this method is that the IP address assignments can change frequently for remote users, and IP addresses can be “faked” using sophisticated software. These types of filters are usually placed within firewalls that are in front of your database. Most cloud hosting services allow these rules to be updated via a web page.
KERBEROS PROTOCOL AUTHENTICATION
If you need to communicate in a secure way with other computers over an insecure network, the Kerberos system should be considered. Kerberos uses cryptography and trusted third-party services to authenticate a user's request. Once a trust network has been set up, your database must forward the information to a server to validate the user's credentials. This allows a central authority to control the access policy for each session.
SIMPLE AUTHENTICATION AND SECURITY LAYER
Simple Authentication and Security Layer (SASL) is a standardized framework for authentication in communication protocols. SASL defines a series of challenges and responses that can be used by any NoSQL database to authenticate incoming network requests. SASL decouples the intent of validating a network request from the underlying mechanism for validating the request. Many NoSQL systems simply define a SASL layer to indicate that at this layer a valid request has entered the database.