71-84

8/10/2019 71-84

Security for GIS N-tier Architecture

Michael Govorov, Youry Khmelevsky, Vasiliy Ustimenko, and Alexei Khorev

1 GIS Unit, Department of Geography, the University of the South Pacific, PO Box 1168, Suva, Fiji Islands, [email protected]
2 Computing Science Department, the University College of the Cariboo, 900 McGill Road, Kamloops, BC, Canada, [email protected]
3 Department of Mathematics and Computer Science, The University of the South Pacific, PO Box 1168, Suva, Fiji Islands, [email protected]
4 Institute of Computational Technologies, SBRAS, 6 Ac. Lavrentjev Ave., Novosibirsk, 630090, Russia, [email protected]

Abstract

Security is an important topic in Information Systems and their applications, especially within the Internet environment. Security for geospatial data is a relatively unexplored topic in Geographical Information Systems (GIS). This paper analyzes the security solutions for Geographical Information Storage Systems (GISS) within n-tier GIS architecture. The first section outlines the application of the main categories of database security to the management of spatial data. These categories are then analyzed from the point of view of application within GIS. A File System within Database (FSDB) with traditional and new encryption algorithms is proposed as a new GISS solution. A FSDB provides safer and more secure storage for spatial files and supports a centralized authentication and access control mechanism in a legacy DBMS. Cryptographic solutions, a topic of central importance to many aspects of network security, are discussed in detail. This part of the paper describes the implementation of several traditional and new symmetric, fast and nonlinear encryption algorithms with fixed and flexible key sizes.


1 N-tier Distributive GIS Architecture

Two major recent tendencies in the development of GIS technology are relevant to security:

1. The first is the adoption of IT technology such as n-tier software architecture. Existing GIS solutions started the transition to a Web-distributed, open n-tier architecture a few years ago. But in most existing GIS applications the map server still provides only cartographic rendering and simple spatial data analysis on the client and back-end tiers. Current Web Map Servers are a simplification of a fully functional application server in the middle of the 3-tier industry-standard architecture.

2. The second tendency is the GISS transition from file-based spatial data warehouses to fully functional spatial database solutions that employ a DBMS as the storage system, in a single-server or distributed environment. The advantages of such a transition are well known to the IT industry. In the global geo-network, large amounts of data are still stored in spatial warehouses as flat files (e.g. .shp, .tab, .dxf, .img), which have single-user access, large file sizes and no transaction-based processing.

Fig. 1. The Feasible GIS n-tier Architecture

The purpose of this article is to analyze the security solutions for spatial data management within GIS n-tier architecture. This section outlines the feasible GIS n-tier architecture and the role of GISS in storing GIS spatial data. The feasible GIS n-tier architecture is shown in Fig. 1.

GIS functionality, data, and metadata can be assigned to various tiers (sometimes called layers) along a network and can be found on the server side, in one or more intermediate middleware layers, on the back-end or on the client side. All three tiers can be independently configured to meet the users' requirements and scaled to meet future requirements.

The feasible architecture includes a client tier in which user services reside. The client tier is represented by a Web browser or wireless device (thin client), and by either a Web browser with Java applets or ActiveX components or a Java application (thick client) [9].

The middle tier is divided into two or more subsystems (layers) with different functions and security features, including SSL encryption, authentication, user validation, a single sign-on server, and digital signatures. GIS Web services perform specific GIS functions and spatial queries, and can be integrated as part of the middle-tier application server [1]. Spatial components have capabilities for accessing and bundling maps and data into the appropriate format before sending the data back to a client. These components support different functionalities: generate image maps and stream vector spatial data for the client; return attribute data for spatial and tabular queries; execute geocoding and routing functions; extract and return spatial data in the appropriate format; search a spatial metadata repository for documents related to spatial data and services; and run spatial and cartographic generalization techniques.

The Data Management Layer (GISS) controls database storage and retrieval. Data access logic describes transactions with a database. Data access is normally performed as a function of the business logic. Since much spatial data is still stored in file format, the management of this data may be significantly improved by storing it within a database system.

The critical security communication channels of information flows within a classical Application Server are between: a Web browser and a Web server; the Web server and the business logic layer (thin and medium client configurations); and the business logic layer and the back-end tier. Attention should also be focused on secure communication between all other distributed components of the middle tier. The first question is how to secure the flowing information; the second, how to maintain access control. Because of the connectionless nature of the Web, security issues relate not only to initial access but to re-access as well. For the thick client, these two problems reduce to how to secure communication between the thick client and the business logic layer.


2 Security Controls within n-tier GIS Architecture

One of the primary reasons for deploying an n-tier system within the Internet environment is security improvement: application logic in the middle tier can provide a layer of isolation for sensitive data maintained in the spatial database. For GIS applications, the middle tier of an n-tier system can focus on pre-presentation processing and cartographic presentation of spatial data to the user, allowing the back-end tier to focus on management and heavy processing of spatial data. However, n-tier architectures increase the complexity of practical security deployment compared with the 2-tier client/server architecture.

For GIS n-tier architecture a general security framework should address the same requirements as for legacy n-tier systems, which include authentication, authorization, identification, integrity, confidentiality, auditing, non-repudiation, credential mapping, and availability [4, 15].

There are some specifics of spatial data management which concern protecting the confidentiality and integrity of data while in transit over the Internet and when it is stored on internal servers and in databases. This section outlines the general security framework for GIS Web-based n-tier architecture. In the next sections, solutions for confidentiality protection of spatial data in storage are discussed.

A firewall is basically the first line of defense within GIS Web-based n-tier architecture. One device or application can use more than one basic firewall mechanism, such as stateful packet filtering, circuit-level gateway, proxy server and application gateway. Many configurations are possible for the placement of firewalls, and several layers of firewalls can be added for security [10]. The ideal solution is to provide buffers of protection between the Internet, the GIS Application Server and the spatial database [12].

Most of the existing Web Map Servers use low-level authentication, which supports minimal security and is based on a password. Cryptographic authentication in the form of digital certificates must be used for stronger authentication. Authentication protection can be implemented within the Web server, the JSP, servlet or ASP connector, the business logic layer and the back-end tier.

The next line of defense in the GIS Application Server is proper access control to business logic components and back-end resources. Authorization services determine what resources and files a user or application has access to. There are at least three main access control models which can be used: mandatory, discretionary and role-and-policy-based authorization schemes [5].


If the subsystems of the n-tier architecture have different security infrastructures, they may need to convey authorization information dynamically by propagating it along with an identity. The GIS Application Server can dynamically update users and roles by leveraging an external, centralized security database or service via an LDAP server.

Access control within the spatial database usually goes as far as determining whether a specific user may access a specific table or file, but not whether the user may access specific data within that table or file. Such a situation is of interest for accessing a certain level of multi-detail representation of spatial features from a multi-scale spatial database. If there is a need to enforce entity-level access control for data within tables, one has to rely on database views, or program the access logic into stored procedures or applications. If the access logic is programmed into applications, then these applications must be rewritten whenever security policies change.
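As an added illustration of the view-based option just described (example code added here, not from the paper or from any GIS product): a small sqlite3 script in which each role reads a multi-scale feature table only through a view that filters by detail level, so the entity-level rule lives in the database and a policy change means redefining a view rather than rewriting the application. The table, the three roles and the feature rows are constructed for the example.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data: one row per feature per level of detail
# (1 = coarsest generalization, 3 = full survey detail). Not real GIS data.
SAMPLE_FEATURES = [
    ("road",   1, "LINESTRING(0 0, 10 10)"),
    ("road",   2, "LINESTRING(0 0, 5 4, 10 10)"),
    ("road",   3, "LINESTRING(0 0, 2 1, 5 4, 8 7, 10 10)"),
    ("parcel", 1, "POLYGON((0 0, 4 0, 4 4, 0 4, 0 0))"),
    ("parcel", 3, "POLYGON((0 0, 4 0, 4 3.9, 3.9 4, 0 4, 0 0))"),
    ("river",  2, "LINESTRING(1 9, 3 7, 6 6)"),
]

# Role -> view mapping. The roles are an assumption of this example; the
# policy (which detail level each role may see) is stated once, in the views.
ROLE_VIEW = {
    "public":   "feature_public",    # coarse level only
    "planner":  "feature_planner",   # up to medium detail
    "surveyor": "feature_full",      # everything
}


def build_db() -> sqlite3.Connection:
    """Create the feature table and one view per role in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE feature ("
        " id INTEGER PRIMARY KEY, kind TEXT NOT NULL,"
        " detail_level INTEGER NOT NULL, geom_wkt TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO feature(kind, detail_level, geom_wkt) VALUES (?, ?, ?)",
        SAMPLE_FEATURES,
    )
    # Entity-level access control: the WHERE clause of the view is the rule.
    # Changing policy later means redefining the view, not touching clients.
    conn.execute("CREATE VIEW feature_public  AS SELECT * FROM feature WHERE detail_level <= 1")
    conn.execute("CREATE VIEW feature_planner AS SELECT * FROM feature WHERE detail_level <= 2")
    conn.execute("CREATE VIEW feature_full    AS SELECT * FROM feature")
    return conn


def visible_features(conn: sqlite3.Connection, role: str) -> List[Tuple[int, str, int]]:
    """Rows a role may see, read only through its view. Unknown roles are
    denied rather than silently mapped to the base table."""
    view = ROLE_VIEW.get(role)
    if view is None:
        raise PermissionError(f"no view defined for role {role!r}")
    # The view name comes from the fixed dict above, never from the caller,
    # so interpolating it into the statement is safe here.
    return conn.execute(
        f"SELECT id, kind, detail_level FROM {view} ORDER BY id"
    ).fetchall()


def max_detail_for(conn: sqlite3.Connection, role: str) -> int:
    """Finest level of detail reachable through the role's view."""
    return max(level for _, _, level in visible_features(conn, role))


if __name__ == "__main__":
    db = build_db()
    for role in ROLE_VIEW:
        rows = visible_features(db, role)
        print(f"{role:9s} sees {len(rows)} rows, max detail {max_detail_for(db, role)}")
```

In a real deployment the database account used by each role would be granted SELECT on its view only and no privilege on the base table, so the filter cannot be bypassed by a client that knows the table name.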

Another important feature of GIS n-tier architecture security is protection of the confidentiality of GIS data and services in exchanges between clients, middle tier and back-end tier, and in spatial storage. Encryption is the standard mechanism for these purposes and can be used within GIS n-tier architecture for different protection purposes.

The first purpose of such protection is encryption of a user's identity for authentication and authorization services. In the typical case this relies on the transport layer for security via the SSL protocol, which also provides data integrity and strong authentication of both clients and servers. Second, encryption can be used for the protection of spatial data in transit; the next section of the article gives an overview of this security aspect. Third, cryptography can be used to encrypt sensitive data stored on the DSS, including caches.

3 Web Services' Security of Spatial Message Protection

A GIS Web service is a software component that can provide spatial data and geographic information system functionality via the Internet to GIS and custom Web applications. GIS Web services perform real-time processing on the computers where they are located and return the results to the local application over the Internet. The protocols which form the basis of the Web service architecture include SOAP, WSDL, and UDDI. The current SOAP security model relies on the transport layer for security and on recently emerged security specifications that provide message-level security working end-to-end through intermediaries [14].


XML-based security schemes for Web services include XML Digital Signature, XML Encryption, XML Key Management Specification, Extensible Access Control Markup Language (XACML), Security Assertion Markup Language (SAML), Web Services Security, and ebXML Message Service. XML Signature (XMLSIG), in conjunction with security tokens, supports multiple signers for a single XML document, proving the origin of data and protecting against tampering during transit and storage. The XML Encryption (XMLENC) specification supports the ability to encrypt all or portions of an XML document to provide confidentiality. SAML specifies the XML format for asserting authentication, authorization, and attributes for an entity. XACML, from the OASIS group, specifies how authorization information can be represented in XML format.

OpenGIS specifications include Web Map Service, Web Feature Service, Web Coverage Service, and Catalog Service/Web profile. The SOAP message security approaches can be applied for protection of GIS Web services. Thus GIS applications which use XML (GML, ArcXML) for Web services can use XML digital signatures to verify the origin of messages. An important advantage of encrypting spatial data (for large data streaming) with the emerging XMLENC is the encryption of part(s) of an XML document while leaving other parts open.

3.1 Internet File System (IFS) and Encryption Security Solutions for Spatial Warehouses

Volumes of spatial information stored in files are growing at explosive rates. According to some sources, the volume of such file storage doubles every year [7]. At the same time, many new formats are used to store spatial and non-spatial data within files. GIS users and distributed applications demand to store, manage and retrieve information in a safe and secure manner. GIS users and applications should have a universal secure access mechanism to the spatial files database.

An RDBMS is, or should be, a core system in any organization; it has powerful mechanisms to store different types of information with different access rights and sophisticated security mechanisms. Every year new products emerge on the market which raise the possibility of utilizing a legacy RDBMS for unusual purposes. But the idea behind these products is similar: to have only one universal system for information storage, processing and retrieval within an organization.


3.1.1 File System within RDBMS Instance as Storage for GIS Data Files

File System within Database (FSDB), a relatively new idea, can help solve the above-mentioned problem effectively as follows.

FSDB raises the possibility for any file to be created, reviewed, corrected, approved, and finally published into the DBMS with appropriate access restrictions for user groups or individual users. The files can be versioned, checked in and checked out, and synchronized with local copies [11]. At the same time the FSDB can be replicated by the standard replication procedures of any sophisticated modern DBMS. The protocol servers that are included, for example, with Oracle IFS allow the FSDB to provide support for all common industry-standard protocols through the Internet or application server and within the enterprise network [11].

A FSDB can provide a multi-level security model to ensure the privacy and integrity of documents in a number of different ways, such as: leveraging the security provided by the DBMS; user authentication; access rights definition; access control at the file, version and folder level; support for Internet security standards; and anti-virus protection [11].

A FSDB secures GIS files by storing them in a DBMS. The FSDB uses an authentication mechanism to gain access to the DBMS or FSDB repository, regardless of the protocol or tool being used to access a file. The newest versions of FSDB have more sophisticated authentication mechanisms, such as SSO servers, Internet Directory and LDAP servers.

Oracle IFS was used to test protection of spatial data files while in storage and during ongoing processing [8]. Users can use their desktop GIS and any other applications while the spatial data is stored and managed by the database, thereby leveraging the reliability, scalability and availability that come with the database, and at the same time having the familiarity and ease of a standard file system.

Oracle IFS stores spatial data files in the form of Large Objects (LOBs) inside the database, which lets GIS users store very large files. LOBs are designed for fast access and optimized storage of large binary content.

Fig. 2 shows the authentication and authorization processes between an external desktop GIS application and IFS storage.

Obviously, FSDB, while providing great possibilities for security and management of spatial data files, also prompts several concerns:

Will the transition of spatial data files from a standard OS file system (e.g. NTFS or UFS) to FSDB affect the performance of input, retrieval and updating of spatial data?

Will the size of spatial storage be increased?


Fig. 2. IFS Security Model

Performance results (time differences) for input, retrieval and updating of GIS data files in desktop GIS software such as MapInfo and ArcView from Oracle IFS 9i are shown in Fig. 3. Different sizes of vector GIS files were used for the study. The large pool size, buffer, cache size and process components of IFS and Oracle 9i Application Server were optimized to achieve the best performance of IFS.

Fig. 3. IFS NTFS Time Differences (in seconds)

Negative results are obtained for processing of small-size files using the Oracle Buffer Cache. All other results give a difference of about 1-2 seconds for processing data files with sizes up to 100 MB using IFS storage compared to the native OS file system.

The study of the changes in spatial data file sizes, comparing the amount of space they take up on NTFS and IFS drives, shows that the Oracle IFS tablespace is increased in size by about 12% only. That difference can be reduced by changing the database storage parameters for IFS.

The results of the IFS performance investigation show that this approach is acceptable for data processing within GISS. Within this approach to spatial file storage, the following authentication and authorization levels can be used to secure spatial data files: OS level (share permissions and folder permissions) and IFS level. Permissions remain the same regardless of the protocol (e.g. HTTP, FTP, SMB) being used to access the content stored in the IFS repository.

3.2 Conventional Encryption for GIS Data Protection in Storage

It is noteworthy that the IFS within the DBMS is capable enough to provide sufficient security for spatial files. If necessary, encryption can be employed to provide additional security for confidential and sensitive GIS information. Oracle Advanced Security of the Oracle 9iAS supports industry-standard encryption algorithms, including RSA's RC4, DES and 3DES, and can be used for spatial data encryption [6]. Custom external encryption algorithms can be integrated into that security schema as well.

Data encryption can significantly degrade system performance and application response time. For performance testing, the Oracle 9i DBMS_OBFUSCATION_TOOLKIT was investigated (see Fig. 4). Different key lengths give different time results: for example, the difference in time between 16- and 24-byte keys is about 10-20%, but the time difference between 24- and 32-byte keys is only about 5%. The average speed of 3DES encryption is about 2.5 sec per megabyte, or about 1 hour to encrypt or decrypt 1 GB of spatial data on a workstation (1.6 GHz Intel processor under Windows OS). Using special multiprocessor UNIX servers, encryption/decryption time can be reduced to 10-20 minutes, or at best to several minutes, which is applicable to a real environment where decryption/encryption of spatial data should be performed once per session. For keeping encrypted GIS data files in IFS, the standard Oracle encryption and newly developed encryption algorithms were analyzed and investigated for performance.

To provide encryption or decryption of sensitive application data, decryption procedures can be activated by database triggers for authenticated users (during login). On logoff, the user will again fire the trigger, which should execute the procedure to encrypt all the modified files, or to replace the decrypted files in the IFS LOB objects by the already encrypted files from the temporary storage of encrypted files. If the connection to the database is lost by accident, changes to files should be committed or rolled back by the DBMS and the modified data encrypted back into the permanent LOB objects. Decryption and encryption of spatial data files will slow down user interaction with the system. These delays would occur on two occasions: when the user logs in and logs out, or when there is a session failure.

3.2.1 New Encryption Algorithm for GIS Data Protection in Storage

Special approaches were developed to use encryption for large files in Oracle. To encrypt LOB data objects, the procedure splits the data into smaller binary chunks, then encrypts them and appends them back to the LOB object. Once the encrypted spatial data files have been allocated into LOB segments, they can be decrypted by chunks and written back to the BLOB object. For read-only spatial data files, an additional LOB object, once encrypted, should always be kept. This saves time in the encryption procedure during logoff: the decrypted spatial data files are simply replaced by the read-only encrypted spatial data files in the main permanent storage during logoff.

The algorithm for encryption of binary and text files proposed by V. Ustymenko [13] is more robust compared to DES and 3DES and has strong resistance to attacks in which the adversary has the image data and the ciphertext. This algorithm can be applied to encrypt spatial raster and vector data types, which are commonly used in GIS.

The encryption algorithm is based on a combinatorial algorithm of walking on a graph of high girth. The general idea was to treat vertices of a graph as messages and arcs of a certain length as encryption tools. The encryption algorithm has linear complexity and uses a nonlinear function for encryption, thus it resists different types of attacks by an adversary. The quality of such an encryption, in the case of graphs of high girth, is good when judged by comparing the probability of guessing the message (vertex) at random with the probability of breaking the key, i.e. guessing the encoding arc. In fact the quality is good for graphs which are close to the Erdős bound defined by the Even Cycle Theorem [2, 3]. In the case of algebraically defined graphs with special colorings of vertices there is a uniform way to match arcs with strings in some alphabet. Among them can be found "linguistic graphs" whose vertices (messages) and arcs (encoding tools) can both be naturally identified with vectors over GF(q), with the neighbors of a vertex defined by a system of linear equations. The encryption algorithm is a private-key cryptosystem, which uses a password to encrypt the plaintext and produces a ciphertext.
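The following Python block is an added example, not the authors' algorithm from [13], whose exact graph and walk rules are not given on this page. It implements a toy of the idea described in this section (vertices over GF(p) as messages, a password-driven walk as the encryption tool) on a small bipartite point/line graph with a quadratic incidence relation chosen for the example, and applies it chunk by chunk to a byte buffer with the logon/logoff handling of sections 3.2 and 3.2.1 (keep the already encrypted copy of a read-only file, re-encrypt only modified data). The prime P = 257, the chunk size, the incidence relation, the handling of odd-length keys and the 2-byte element encoding are all this example's assumptions. The toy graph has small girth, so unlike the high-girth graphs the paper relies on it offers no real security, and it carries no integrity check; it illustrates the mechanics only.

```python
from typing import List, Sequence

# Assumptions of this toy, not parameters from the paper:
P = 257       # prime; GF(257) contains every byte value 0..255 as an element
CHUNK = 1024  # plaintext bytes per LOB chunk


def _key_symbols(password: str) -> List[int]:
    """Password characters as GF(P) elements: l symbols give about P**l
    distinct walks (the paper's 2^(7l) for its 127-letter alphabet). The walk
    must end on a point, so an odd-length key gets one extra symbol (toy rule)."""
    syms = [ord(c) % P for c in password]
    if len(syms) % 2:
        syms.append(len(syms) % P)
    return syms


def _point_to_line(x: Sequence[int], y1: int) -> List[int]:
    """The unique line [y1..yn] incident to point (x1..xn) under the toy
    incidence y_i = x_i + x_1 * y_(i-1): one neighbour per choice of y1, so
    every vertex has exactly P neighbours and the relation is nonlinear."""
    y = [y1 % P]
    for i in range(1, len(x)):
        y.append((x[i] + x[0] * y[i - 1]) % P)
    return y


def _line_to_point(y: Sequence[int], x1: int) -> List[int]:
    """Inverse relation: the unique point with first coordinate x1 on line y."""
    x = [x1 % P]
    for i in range(1, len(y)):
        x.append((y[i] - x[0] * y[i - 1]) % P)
    return x


def encrypt_block(msg: Sequence[int], password: str) -> List[int]:
    """Start at the plaintext point; the k-th key symbol chooses the k-th arc
    by shifting the free first coordinate. Each arc costs O(len(msg)), so the
    walk is linear in the message length."""
    v = [m % P for m in msg]
    if not v:
        return v
    for i, k in enumerate(_key_symbols(password)):
        step = _point_to_line if i % 2 == 0 else _line_to_point
        v = step(v, v[0] + k)
    return v


def decrypt_block(ct: Sequence[int], password: str) -> List[int]:
    """Retrace the walk: the same arcs in reverse order with the shifts undone."""
    v = list(ct)
    if not v:
        return v
    for i, k in enumerate(reversed(_key_symbols(password))):
        step = _point_to_line if i % 2 == 0 else _line_to_point
        v = step(v, v[0] - k)
    return v


def encrypt_lob(data: bytes, password: str, chunk: int = CHUNK) -> bytes:
    """Section 3.2.1 pattern: split the LOB into chunks, encrypt each and
    append it to the output. Each GF(P) element is stored as two bytes, so
    this toy doubles the stored size (a cost a real scheme would avoid)."""
    out = bytearray()
    for off in range(0, len(data), chunk):
        for v in encrypt_block(data[off:off + chunk], password):
            out += v.to_bytes(2, "big")
    return bytes(out)


def decrypt_lob(blob: bytes, password: str, chunk: int = CHUNK) -> bytes:
    """Decrypt chunk by chunk with the chunk size used on encryption. There is
    no integrity check: a wrong password yields garbage, detected only if some
    element falls outside the byte range."""
    elems = [int.from_bytes(blob[i:i + 2], "big") for i in range(0, len(blob), 2)]
    out = bytearray()
    for off in range(0, len(elems), chunk):
        for v in decrypt_block(elems[off:off + chunk], password):
            if v > 255:
                raise ValueError("corrupted blob or wrong password")
            out.append(v)
    return bytes(out)


def session_logon(stored_ct: bytes, password: str) -> bytes:
    """Logon trigger of section 3.2: decrypt the stored LOB for the session."""
    return decrypt_lob(stored_ct, password)


def session_logoff(stored_ct: bytes, working: bytes, modified: bool, password: str) -> bytes:
    """Logoff trigger: an unmodified (read-only) file keeps its already
    encrypted copy, saving the re-encryption; modified data is encrypted back."""
    return encrypt_lob(working, password) if modified else stored_ct


if __name__ == "__main__":
    payload = bytes(range(256)) * 5 + b"constructed sample, not a real GIS file"
    ct = encrypt_lob(payload, "s3cret-pw")
    assert session_logon(ct, "s3cret-pw") == payload
    assert session_logoff(ct, payload, False, "s3cret-pw") is ct
    print(f"{len(payload)} plaintext bytes -> {len(ct)} stored bytes, round trip OK")
```

The parity rule in `encrypt_block` is what makes decryption a mirror image: a point-to-line arc is undone by the point-to-line relation read from the other end, which is why the same two helper functions serve both directions. Timing the round trip for increasing payload sizes reproduces the linear growth the paper reports in Table 1.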


The developed prototype model allows testing the resistance of the algorithm to attacks of different types. The initial results from such tests are encouraging.

For the case p = 127 (the size of the ASCII alphabet minus the delete character), some values of t(k,l), the time needed to encrypt (or, by symmetry, decrypt) a file of size k kilobytes with a password of length l (key space roughly 2^(7l)), processed on an Intel Pentium 1.6 GHz workstation (Oracle 9i DBMS Server, PL/SQL programming language), are given in the matrix shown in Table 1.

Our results presented in Table 1 indicate that the encryption/decryption time is linearly correlated with the file size. Roughly, it takes about 60 seconds to encrypt a 51 KB file with a 16-byte password using PL/SQL functions, and about 17 minutes for 1 MB. If a more powerful 2-4 processor workstation and C++ or Macro Assembler are used to rewrite the encryption/decryption functions, encryption time will be further decreased by several dozen times; e.g. for a 100 MB file it can reach 20-30 minutes encryption/decryption time, which can be used for practical implementation. Taking into consideration that 10-20 processor systems are a practical industrial server solution (expected to be common in the near future), GISS encryption/decryption time can be reduced to less than 5 minutes.

Table 1. Processing time t(k,l) for encryption/decryption by the New Algorithm as compared with RC4

           New Algorithm (s)                 RC4 (s)          Difference (times)
KB \ L      48    40    32    24    16     48    40    32     48     40     32
7.6         26    22    17    14     9      1     1     1     26     22     17
51.5       179   149   119    90    60      8     8     8     22.4   18.6   14.9
96.6       335   279   223   169   112     14    15    15     23.9   18.6   14.9
305.0     1061   883   706   529   353     45    47    24     23.6   18.8   14.9
397.0     1379  1145   913   685   458     59    62    31     23.4   18.5   14.9

Currently, program code and encryption algorithm optimization are under investigation by the authors and will be the subject of our future publications.


4 Conclusion

N-tier architectures and Web Services are making the application layer more complex and fragmented. The solution for protection lies in applying the security framework to all subsystems and components of the n-tier system. This framework has to comply with the industry security requirements of the major application development models.

GIS data management and Mapping Services are primary considerations when developing GIS n-tier architectures. There are several reasons for supporting n-tier architectures for spatial applications. Major reasons include providing user access to data resources and GIS services through the Web while at the same time providing better data and service protection. A framework of standard security mechanisms can be used to improve security at the critical points of spatial information flows within the GIS Application Server. Security solutions for GIS distributed systems can be approached in ways similar to e-commerce applications, but can be specific to spatial data security management as it relates to spatial data types, the large size of binary files and presentation logic.

Often, file servers are used to store GIS data. A file system within a database instance provides safer and more secure storage for spatial files with a centralized authentication and access control mechanism in the legacy DBMS. By using additional encryption, a FSDB is able to guarantee that access control is enforced in a consistent manner, regardless of which protocol or tool is being used to access the repository. Our encryption model would provide a secure working environment for GIS clients to store and to transfer spatial data over the network. For this purpose we utilize existing and new fast nonlinear encryption algorithms with flexible key sizes based on the graph-theoretical approach.

References

[1] ArcIMS 4 Architecture and Functionality (2002) An ESRI White Paper
[2] Biggs NL (1988) Graphs with large girth, Ars Combinatoria 25, pp 73-80
[3] Bollobas (1976) Extremal Graph Theory, Academic Press
[4] Computer Networking: A Top-Down Approach Featuring the Internet (2001) Addison Wesley Longman, Online Course
[5] De S, Eastman CM, Farkas C (2002) Secure Access Control in a Multi-user Geodatabase, 22nd Annual ESRI International User Conference
[6] Heimann J (2003) Oracle 9i Application Server, Release 2, Security
