
Service-Oriented Encrypted Data Bank for Online Examination Systems

Archie P. Amparo

Chapter 1 Introduction to the Study

This chapter covers six (6) parts: (1) Background of the Study, (2) Objectives of the Study, (3) Conceptual Framework of the Study, (4) Significance of the Study, (5) Scope and Limitation and (6) Definition of Terms. Part one, Background of the Study, states the rationale behind the selection of the problem. Part two, Objectives of the Study, gives the general and specific goals of the study. Part three, Conceptual Framework, describes and illustrates the concepts upon which this study is anchored. Part four, Significance of the Study, discusses the benefits that might be drawn from the output of the study. Part five, Scope and Limitation, clarifies the scope and coverage of the study. Part six, Definition of Terms, enumerates the conceptual and operational meanings of essential terms used in the study.

Background of the Study

Online examination systems are common nowadays and are widely implemented by both educational and certification institutions. Online examination systems are usually implemented using client-server technologies, using both web and non-web approaches. Since these implementations are deployed in a networked environment, such as a local area network (LAN), wide area network (WAN), virtual private network (VPN), intranet or the internet, the possibility of exposure to network threats is inevitable, not to mention internal attacks from within the network itself. To counter these threats, security administrators install and configure firewalls to protect the network from possible attacks. This is ideal; however, not all institutions have the proper infrastructure and the right people to handle this job. Another possible threat is the common practice of programmers and database administrators of leaving the database security at its default or installation settings and using simple passwords. The growing trend of using common naming conventions in naming database tables and fields, which is a common practice for most if not all model-view-controller (MVC) based development platforms, i.e. the use of "users" in naming tables that store usernames and passwords, could give hackers a hint where to look for usernames and passwords when attacking these systems. Another threat to these systems is the failure of programmers to practice SQL query sanitation, which could leave the system open to SQL injection.

Installation of a firewall does not solve this problem, since the most common target is the database, and it is accessible via normally open ports. With the growing trend of common naming conventions for database tables and fields, hackers can easily target these systems. At the same time, most programmers do not use sanitized SQL query statements, thus increasing the likelihood of an SQL injection attack.

Another common practice nowadays, not just in examination systems, is that data stored in databases are in plain text, with the exception of passwords, which are usually stored as hashes. Ideally one might suggest the use of hashes to store sensitive information, but it must be noted that hashes are irreversible in nature and thus cannot be used to store arbitrary data. In the case of examination managers or institutions, compromised data leads to data leakage, which could lead to bad business and lost credibility. This is also one important reason why most of them are reluctant to put their database in centralized locations like data centers unless they are the ones managing or hosting it. In most cases, not all examination managers are the systems or network administrators of their respective organization. This could create issues related to IT policies like back-up and disaster recovery strategies. The proposed system is aimed at solving these issues by providing a service to handle the encryption of the data before it is stored in the database. The proposed system also acts as middleware, eliminating direct connections to the database and thus eliminating the possibility of SQL injection and database-related attacks.

Objectives of the Study

This study is aimed at developing a service-oriented encrypted databank framework that can be used and implemented with online examination systems to secure the storage of confidential and sensitive information. Specifically, the study is aimed at accomplishing the following:

1. To create an encryption algorithm suitable for storing question and answer information in a database.

2. To design a service-oriented framework that can be accessed as a web service across different platforms, including mobile, desktop and web clients.

3. To develop a common language syntax and semantics to facilitate the communication between the client and the examination server.

Conceptual Framework

The figure below describes the conceptual framework for the proposed Service-Oriented Encrypted Data Bank for Online Examination Systems.

[Figure: Conceptual framework of the Service-Oriented Encrypted Data Bank for Online Examination Systems.
Back-end Client: Input - Login Credentials, Exam Data (Plain Text); Process - Encryption Module; Output/Generate - Encrypted Exam Data, stored in the Database.
SOA Client: Input - Login Credentials, Exam Query Parameters; Process - Decryption Module (Output: Decrypted Exam Data) followed by SOA Module; Output/Generate - Decrypted Exam Data (JSON/XML).]

The conceptual framework of this study is based on the proposed system. A proposed system consists of the input, the processing and the output. In this study, the input refers to the login credentials, the examination data and the examination query parameters. The process converts the input into the output. The process in this study refers to the encryption module, the decryption module and the SOA module. The output, which is the expected result of the process, includes the encrypted exam data, the decrypted exam data in text format and the decrypted data in SOA client readable format.
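The encrypt-before-store and middleware ideas from the Background and the framework above, as an added example that is not the study's own implementation: a small Python data-bank service that encrypts each exam item before it reaches the database, binds every client-supplied value as a query parameter rather than SQL text, and returns decrypted items as JSON. The HMAC-based stream construction, the table layout and the sample exam items are assumptions made for this example; the study's own algorithm is not specified here.

```python
import hashlib, hmac, json, secrets, sqlite3

KEY = secrets.token_bytes(32)  # service-held key; clients never see it (constructed)

def _keystream(key, nonce, n):
    """n pseudorandom bytes from HMAC(key, nonce || counter); a stand-in for
    the study's unspecified algorithm, not a standard cipher mode."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC, so tampering is detected)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("exam record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class DataBankService:
    """Middleware: clients submit exam data or query parameters, never SQL."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE exam_items (exam_id TEXT, item_no INTEGER, payload BLOB)")

    def store_item(self, exam_id, item_no, item):
        # Back-end client path: the item is encrypted before it reaches the database.
        blob = encrypt(KEY, json.dumps(item).encode())
        # Parameterised statement: exam_id is bound as data and cannot alter the SQL.
        self.db.execute("INSERT INTO exam_items VALUES (?, ?, ?)", (exam_id, item_no, blob))

    def fetch_exam(self, exam_id):
        # SOA client path: decrypt the matching rows and hand back JSON.
        rows = self.db.execute("SELECT item_no, payload FROM exam_items "
                               "WHERE exam_id = ? ORDER BY item_no", (exam_id,))
        return json.dumps([json.loads(decrypt(KEY, p)) for _, p in rows])

    def stored_payloads(self):
        # What a database-level attacker sees: ciphertext blobs only.
        return [r[0] for r in self.db.execute("SELECT payload FROM exam_items")]
```

A query parameter containing quote characters simply matches no exam, and the stored blobs contain neither the questions nor the answers in readable form.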

Significance of the Study

This study will be significant in the following context: This study will be beneficial to all educational and certification institutions that will use the proposed framework, for the finished product can be used to provide another level of protection and security to their existing system. The protection that will be provided by the end product will give the teachers, examination managers and the upper management a comforting level of assurance that the likelihood of information theft, which could lead to examination leakage, will be minimized if not totally eliminated. System administrators will also benefit from this study. The system can provide another layer of security which could improve the security measures provided by the existing infrastructure. The system being able to hide the database implementation from client programs reduces the risk of SQL injection attacks. The implementing institution will have the greater benefit, as they become aware that the security measures provided by the system reduce, if not eliminate, the risk of information theft. And since the information stored in the databank is now encrypted, it also increases the level of trust between the instructors, examination managers and the IT personnel.

Scope and Limitation

This study is aimed at developing a framework to provide another layer of security for an examination databank that can be used by online examination systems. The focus of this study is to develop a web-based framework that can be accessed via multiple platforms, including desktop, web and mobile clients. The study also includes the creation of an algorithm and of the communication language syntax and semantics as stated in the objectives. This study will not cover the development of another layer within the database application or server, such as a data encryption layer. Instead, that layer will be provided as a middleware between the database application or server and the client, i.e. the examination system.

Definition of Terms

To facilitate a clearer understanding of the study, the following key concepts were defined:

Algorithm - The American Heritage Dictionary defines an algorithm as "a step-by-step problem-solving procedure, especially an established, recursive computational procedure for solving a problem in a finite number of steps." In the context of encryption, an algorithm is the mathematical formula used to scramble and unscramble data. It typically has two elements: data (for example, an email message that you want to encrypt or decrypt) and a key.

Client - is an application or system that accesses a service made available by a server.

Client-server - is a computing model that acts as a distributed application which partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients.[1] Often clients and servers communicate over a computer network on separate hardware, but both client and server may reside in the same system.

Database - is an organized collection of data, today typically in digital form. The data are typically organized to model relevant aspects of reality (for example, the availability of rooms in hotels), in a way that supports processes requiring this information (for example, finding a hotel with vacancies).

Database Server - is a computer program that provides database services to other computer programs or computers, as defined by the client-server model. The term may also refer to a computer dedicated to running such a program. Database management systems frequently provide database server functionality, and some DBMSs (e.g., MySQL) rely exclusively on the client-server model for database access.

Decryption - the reverse transformation of ciphertext back to plaintext. Also known as deciphering.

Encryption - a reversible transformation of data from plaintext to ciphertext. Also known as enciphering.

Field - is often used interchangeably with column, although many consider it more correct to use field (or field value) to refer specifically to the single item that exists at the intersection between one row and one column.

Firewall - can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set.

Hacker - refers to someone with an advanced understanding of computers and computer networks. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge.

Internet - is a global system of interconnected computer networks that use the standard Internet protocol suite (often called TCP/IP, although not all applications use TCP) to serve billions of users worldwide.

Intranet - is a computer network that uses Internet Protocol technology to share information, operational systems, or computing services within an organization.

JSON - JSON, or JavaScript Object Notation, is a text-based open standard designed for human-readable data interchange. It is derived from the JavaScript scripting language for representing simple data structures and associative arrays, called objects. Despite its relationship to JavaScript, it is language-independent, with parsers available for many languages.

LAN - LAN, or local area network, is a computer network that interconnects computers in a limited area such as a home, school, computer laboratory, or office building using network media.

Model-View-Controller (MVC) - is a type of computer user interface that separates the representation of information from the user's interaction with it. The model consists of application data and business rules, and the controller mediates input, converting it to commands for the model or view. A view can be any output representation of data, such as a chart or a diagram. Multiple views of the same data are possible, such as a pie chart for management and a tabular view for accountants.

Online Examination System - is a computer program used to create, administer and take online examinations.

Semantics - reveals the meaning of syntactically valid strings in a language.

Server - is a computer program running to serve the requests of other programs, the "clients". Thus, the "server" performs some computational task on behalf of "clients".

Service Oriented Architecture - is a set of principles and methodologies for designing and developing software in the form of interoperable services. These services are well-defined business functionalities that are built as software components (discrete pieces of code and/or data structures) that can be reused for different purposes.

SQL - SQL, or Structured Query Language, is a special-purpose programming language designed for managing data in relational database management systems (RDBMS).

SQL Injection - is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).

Syntax - refers to the ways symbols may be combined to create well-formed sentences (or programs) in the language.

Table - is a set of data elements (values) that is organized using a model of vertical columns (which are identified by their name) and horizontal rows, the cell being the unit where a row and column intersect.

VPN - VPN, or virtual private network, is a technology for using the Internet or another intermediate network to connect computers to isolated remote computer networks that would otherwise be inaccessible.

WAN - WAN, or wide area network, is a telecommunication network that covers a broad area (i.e., any network that links across metropolitan, regional, or national boundaries).

XML - XML, or Extensible Mark-up Language, is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
