Encryption-based multilevel model for DBMS Ahmed I. Sallam, El-Sayed El-Rabaie, Osama S. Faragallah* Department of Computer Science & Engineering, Faculty of Electronic Engineering, Menouf 32952, Egypt article info Article history: Received 7 September 2011 Received in revised form 31 December 2011 Accepted 13 February 2012 Keywords: Database security Relational database Multilevel security SeaView model JajodiaeSandhu model SmitheWinslett model MLR model Belief-consistent model Multilevel database performance abstract In this paper, we propose an encryption-based multilevel model for database management systems. The proposed model is a combination of the Multilevel Relational (MLR) model and an encryption system. This encryption system encrypts each data in the tuple with different field-key according to a security class of the data element. Each field is decrypted individually by the field-key of which security class is higher than or equal to that of the encrypted field-key. The proposed model is characterized by three achievements: (1) utilizing an encryption system as an additional security layer over the multilevel security layer for the database, (2) reducing the multilevel database size, and (3) improving the response time of the data retrieval from the multilevel database. Also this paper summarizes our efforts in implementing a working multilevel secure database prototype. This prototype is used as a research tool for studying principles and mechanisms of the encryption-based multilevel model and multilevel secure database (MLS/DBMS) models (SeaView, JajodiaeSandhu, SmitheWinslett, MLR, and Belief-Consistent Model). This prototype is implemented to be used to perform a series of experiments to measure the performance cost for applying encryption in multilevel database security. ª 2012 Elsevier Ltd. All rights reserved. 1. Introduction In multilevel database systems, data items and subjects have been assigned to classification levels, such as TS (Top Secret), S (Secret), C (classified), U (Unclassified). The classification levels are ordered as TS > S > C > U. Access by subjects is restricted by mandatory access controls expressed as “no read up, no write down to follow the well-known Bell and LaPadula model. Subject can read the object that has the same classification level or lower and can write on the objects at the same level only” (Bertino and Sandhu, 2005; Imran and Hyder, 2009). Many models for extending the standard relational model to deal with multilevel relations have been proposed. The SeaView (Pranjic et al., 2002) model was the first formal MLS secure relational database designed to provide manda- tory security protection. The SeaView model extended the concept of a database relation to include the security labels. A relation that is extended with security classifications is called a multilevel relation. The JajodiaeSandhu (Cuppens and Gabillon, 1999) model was derived from the SeaView model. It was shown by Jajodia and Sandhu that the SeaView model can result in the proliferation of tuples on updates and the JajodiaeSandhu model addresses this shortcoming. The SmitheWinslett (Rjaibi and Bird, 2004) model was the first model to extensively address the semantics of an MLS data- base. The MLR (Lee et al., 2004; Sandhu and Chen, 1998) model is substantially based on the JajodiaeSandhu model, and also integrates the belief-based semantics of the SmitheWinslett model. It was shown that all of the aforementioned models can present users with some information that is difficult to interpret. Consequently, the Belief-Consistent MLS (BCMLS) (Pranjic et al., 2003; Jukic et al., 1999; Jukic and Vrbsky, 1997) model addresses these concerns by including the * Corresponding author. E-mail address: osam_sal@yahoo.com (O.S. Faragallah). Available online at www.sciencedirect.com journal homepage: www.elsevier.com/locate/cose computers & security 31 (2012) 437 e446 0167-4048/$ e see front matter ª 2012 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2012.02.008