24 (IJCNS) International Journal of Computer and Network Security,
Vol. 1, No. 3, December 2009
Use of CASE-technology and provision of SQL-data
security for special transportation management
Lyazat Naizabayeva1,
1
Kazakh-British Technical University,
59 Tole-bi street, Almaty, 050000, Republic of Kazakhstan
naizabayeva@mail.ru
Abstract: Logical model of valuable cargo special
transportation management was developed, Computer-Aided
Software/System engineering (CASE) – “Entity-Relationship”
flowcharting technology – applied, physical database – created
in the MS SQL Server, SQL-data security – provided by built-in
Database management system (DBMS).
Keywords: Сomputer-Aided Software/System engineering,
AllFusion Erwin Data Modeler, create certificate, symmetric and
asymmetric key.
1. Introduction
Some types of goods make manufacturers’ head bang. How
to deliver perishable goods in time? How to transport OOG?
How to protect hazardous goods while transportation? How
to transport animals? If a transportation company,
responsible for delivery of such goods, fails to render such
services at a qualitative and professional level, the goods
owner will incur material losses. Perhaps, such an owner
will be able to cover losses due to poor services, but what
should be done with irretrievably damaged goods and
wasted time? This is why special goods shall be transported
at a highly professional level.
Special transportation is special delivery of special goods to
satisfy needs of highly defense and state essential
requirements.
The following shall be referred to special transportation:
delivery of hazardous goods, OOG, goods that require
special temperature conditions, highly valuable and fragile
goods, escorted transportation. Much attention should be
focused on delivery of general cargo to a destination point,
delivery of out-of-gauge (OOG), liquid, bulk, perishable,
LCL goods; goods storage at consolidated warehouses. To
transport hazardous goods, such as explosives, poisons,
chemicals, it is necessary to agree the route, transportation
conditions, and most likely, escort the goods and control its
temperature conditions, loading and unloading. It takes
additional time to obtain all approvals, so, it is required that
all employees, involved in goods transportation strictly
observe both delivery schedule and transportation route.
This document is dedicated to arrangement of software
system automation to control and provide security of special
vehicles movement information system, namely securities
delivery control.
2. Information system design
Today, in conditions of programming automation intensive
development, the problem of adequate reflection of a real
subject field against information model abstraction is very
acute today. If a project is incorrect, the system, designed
based thereon, will not satisfy users’ needs and will require
costly modifications or complete redesign [1]. Hence,
database logical design is required: design of a general
information model based on some users’ data models and
being independent of currently used DBMS and other
physical parameters.
Database design shall be a strategy as to determining
company’s information requirements during a long period of
time.
Database design, based on a relation model, has the
following advantages to other ones:
• Independence of a logical structure of physical
parameters and user’s opinion.
• Database structure flexibility – structural solutions do
not restrain future possibilities to meet different
requirements.
2.1 Use of Computer-Aided Software/System
engineering (CASE) technology
CASE technology is usually considered to be an information
system design method plus tools, which allow
• Visually simulating the subject field
• Analyzing its model at each stage of information system
design and support
• Developing users’ applications
The main objective of CASE systems and tools is to separate
software engineering from its coding and further
engineering stages (testing, filing, etc.), as well as to
computerize the entire software engineering process.
Engineering of advanced information systems requires
application of specials methods and tools. It is no wondering
that in recent years system analysts and designers are
considerably interested in CASE technologies and tools,
which allow integrating and automating all stages of
software engineering.
In this paper, logical database was designed by CASE tool
AllFusion Erwin Data Modeler (Erwin) [3], “Entity-
Relationship” was developed (Fig. 1).
This diagram shows project intuitive interface and may be
used by users for idea sharing.
 (IJCNS) International Journal of Computer and Network Security, 25
ERwin is a key solution for database for design and support
of data bases, data marks and data storage, as well as
company’s data resource model. ERwin models visualize
data structure to simplify data organization and
management, complicated data integration and database
design and development techniques. Thereby, data based
development is simplified and speeded up, and its quality
and reliability are improved significantly. ERwin
automatically generates tables and thousands of code lines,
stored procedures and flip-flops for advanced vendors’ data
bases. Complete-Compare technology, used in the system,
allows iteratively designing so that the model is always
synchronized with the data base. ERwin may be also used
for design and servicing of the entire database life cycle.
Figure 1. “Entity-Relationship” diagram for the specialized
transportation system database in ERwin
2.2 Conceptual data bank creation for special
transportation management in the SQL Server
The next step was the verification of any operational use of
organization’s data related to the data processing, and the
exclusion of all useless and repetitive data. In the process of
database design, to solve tasks of data doubling minimization
and facilitation of data processing and updating procedures, the
relations were normalized. The tables of designed database are
in 3rd normal form (3NF) accordingly to Dr.E.F.Codd [2].
The physical design phase consists of associating of database
logical structure and physical environment of storage with
purpose to ensure the most efficient data allocation that is the
mapping of the database logical structure in the storage
Vol. 1, No. 3, December 2009
structure. The following issues are in consideration: the stored
data allocation in the memory space and the selection of efficient
methods of access to different components of the “physical”
database. Solutions made within this phase make critical impact
on the system performance.
SQL Server has advantages over other DBMS, namely:
simplified installation, development and use, as well as
scalability, creation of data banks and system integration
with other server software.
Another factor, determining the choice of DBMS MS SQL
Server in this work is speed.
In relation DBMS, speed is time, required to running query
and return of query processing results to the user.
SQL Server is more than just simple query running tool, it
provides much more opportunities. All leading DBMS
providers prefer SQL. Relation database and software they
work with may be carried over from one DBMS to another
with minimum costs for modifications and staff training.
Software tools in DBMS in PC, such as query software,
report program and application generators, integrate with
relation data bases of different types. Thus, SQL provides
independence from certain DBMS and this is why it is in a high
demand.
The database has been designed for our system using the MS
SQL Server tools, and is based on eight tables:
Account contains data of the company by the business account,
Courier contains information of the route,
DT_Declaration – information of the orders,
DT_DeclareEvents – event codes in the course of order
processing, which may be as follows: order generation, sorting
out for the route, transfer to the courier, order rejection, shift of
the order by date, adjustments to details, closed-out, open, false
call, prohibited order, changed route;
DT_DeclareStatus contains information of possible statuses of
the order. The order status may be as follows: new, sorted out,
en route, shifted by date, adjusted, accepted, open, false call,
rejected, prohibited.
DT_DeclareEventScheme defines the flow chart related to order
processing. There is the order status BeforeStatus, which was
prior to an operation. After the operation with the order is
accomplished (the operation is determined by the Event Code),
the order status is changed to AfterStatus.
DT_Associative contains data of the company by the relevant
associative words. The associative words are used to automate
data entry – the logistician enters an associative word and fills
in all fields on a one-time basis, which contain data of the
company (company name, business account, telephone, contact
person, working time, lunch time, comments).
All information is stored in this table. When the associative
word is entered next time, the system finds it in the table and
automatically displays all data of the company.
The database table relation diagram [2] has been developed. The
diagram is shown on Figure 3.
One of the most important elements of the database design is the
development of the database protection. The protection has two
aspects: protection against failures and protection against
unauthorized access. The file back-up strategy is developed to
ensure the failure protection. To ensure the protection against
unauthorized access, each user will obtain the access only in
compliance with his/her access rights.
When developing distributed information systems of
transportation management as to the client-server
interrelation, the following criteria were focused on:
26
• Personal database carry-over to the server for its further
use as a corporate database;
• Query run for the corporate database in the server, on
the user’s PC;
• Development of the user’s application for remote access
to the corporate database from the user’s PC;
• Server administration from the user’s PC;
• And, finally, the most important section for special
information security: tabular data encryption.
Figure 2. The diagram of a database of a specialized -
transport in MS SQL Server
2.3 Use of data encryption methods in MS SQL Server
It is well known that one of the most important database
components is database security. Data security has two
aspects: protection against errors and unauthorized access
[4]. To protect from errors, a data back-up is developed. To
protect against unauthorized access, each user is provided
with access in compliance with his/her access rights only.
Starting with version 2005, MS SQL Server provides
opportunity of data encryption; this project demonstrates three
out of four data encryption methods by certificated, asymmetric
keys, symmetric keys, and standard encryption by passwords.
(IJCNS) International Journal of Computer and Network Security,
Vol. 1, No. 3, December 2009
2.3.1 Creation of certificates and use of cryptographic
functions
Certificate is present in the database in the form of an object,
SQL Server Management Studio provides current certificates,
symmetric and asymmetric keys (Fig. 3) in container of
Databases \data_base_name\ Security\ Certificates:
Figure 3. Review of all certificates.
Developed database DBI provides a table dbo.SecretTable
with only one column Secret of nvarchar type; you can input
a text, encrypted by a certificate. At first, a certificate is
created, using a CREATE CERTIFICATE COMMAND. A standard
option of this command is as follows:
USE DBI;
CREATE CERTIFICATE SelfSignedCertl
ENCRYPTION BY PASSWORD = 'P@sswOrd '
WITH SUBJECT = Проверка шифрования',
START_DATE = '03/10/2006';
Please note that to create a certificate you do not need any
certification center – all required tools are already built in the
SQL Server. However, you can download a certificate into the
database, which was generated by an external certification
center and stored in a file (a private key shall be in a separate
file), for instance:
USE DBI;
CREATE CERTIFICATE ExternalCertl
FROM FILE - 'C:\Certificates\Certl.cer'
WITH PRIVATE KEY (FILE – 'C:\Certificates\CertlKey.pvk',
DECRYPTION BY PASSWORD = 'P@sswOrd);
GO
Moreover, existing certificate may be extracted from setup
.NET, signed by this certificate or from signed used file.
DECRYPTION BY PASSWORD Parameter will request to provide
password, used for this certificate protection.
ENCRYPTION BY PASSWORD parameter will identify the password
required for data decryption and secured by the certificate (the
latter is not required for data encryption). If this parameter is
not used, existing certificate will be automatically secured by
the database master key. This key cannot be created
automatically. To get opportunity to use this key, it should be
created in advance:
USE DB1;
 (IJCNS) International Journal of Computer and Network Security, 27
CREATE MASTER KEY ENCRYPTION BY PASSWORD =
'P@sswOrd';
In addition to the password, database master key is also secured
by the service master key. This key is automatically generated
in SQL Server when being installed. When using the database
master key, a great care must be taken: if you reinstall the
server (hence, the service master key will be changed), in this
case, encrypted data may be lost. To prevent it, it is necessary to
back up the database master key or export the service master key
to a file, using a backup service master key command.
Obligatory parameter subject of a create certificate command
will identify a purpose of the certificate issue (its value will be
put into the relevant certificate cell in compliance with X.509vl
standard). Upon creation of a certificate, the latter may be used
for data encryption. A special function EncryptByCert is used
for purpose:
INSERT INTO SecretTable
values(EncryptByCert(Cert_ID('SelfSignedCertl'),N
'Секретные данные'));
If any user runs query for table SecretTable, he/she may be
astonished by the obtained results (Fig. 4).
Figure 4. Query result for table SecretTable
Please note that function EncryptByCert accepts not only the
certificate itself, but its identifier as an initial parameter.
Required identifier may be easily obtained, using Cert_ID
function.
Encrypted data may be decrypted by using a DecryptByCert
function. The only problem in using this function is that it
returns decrypted information with data of varbinary type, so it
is recommended to convert this data type to nvarchar:
SELECT (Convert(Nvarchar(100),
DecryptByCert(Cert_ID('SelfSignedCertl'), Secret,
N'P@sswOrd'))) FROM SecretTable;
Initial parameter, accepted by a DecryptByCert function is a
certificate identifier, returned with the same function cert_ID;
second parameter is a string value (or a variable, or a column
description, as in our case); the third parameter is a password,
securing the certificate, being generated.
2.3.2 Creation of asymmetric keys
Let’s review the following encryption method by asymmetric
keys.
An asymmetric key differs from the certificate by absence of
additional fields with information on who, for what purpose, for
what period, etc. this key was provided. Current asymmetric
keys are in a container Asymmetric Keys, placed in the same
place where the container Certificates is. The asymmetric key is
used almost in the same way. First of all, it is necessary to create
an asymmetric key:
Vol. 1, No. 3, December 2009
CREATE ASYMMETRIC KEY AsymKeyl WITH ALGORITHM =
RSA_512 ENCRYPTION BY PASSWORD = 'P@sswOrd';
Please note that when creating an asymmetric key, it is
necessary to provide such key length in addition to the
password. You have three options: 512, 1024 and 2048 bits.
Afterwards, you may encrypt and decrypt data by this key:
INSERT INTO SecretTable values (EncryptByAsymKey
(AsyrnKey_ID ('AsymKeyl') , N 'Секретные данные')) ;
SELECT (Convert(Nvarchar(100),
DecryptByAsymKey (AsyraKey_ID ('AsymKeyl'),Secret,
N'P@sswOrd') )) FROM SecretTable;
Figure 5. Query result for encrypt data by asymmetric key
2.3.3 Creation of symmetric keys
Let’s review the following encryption method by symmetric
keys.
Faster algorithms are used for symmetric keys creation.
Symmetric key themselves are also created as database objects
and may be secured by a certificate, other symmetric key,
asymmetric key or just a password. You can find them in a
Symmetric Keys container.
When using symmetric keys, data encryption process is
faster than when asymmetric algorithms are used, so
working with large databases, it is recommended to use
exactly symmetric keys. There are some differences in using
symmetric keys. Firstly, when creating a symmetric key, you
may secure it not only by a password, but also by other
symmetric key, asymmetric key or certificate. Secondly,
when creating a symmetric key, you may identify one of
eight encryption algorithms, supported by SQL Server [n].
Symmetric key creation procedure itself may be as follows:
CREATE SYMMETRIC KEY SymKeyl WITH ALGORITHM =
AES_128 ENCRYPTION BY PASSWORD = 'P@sswOrd';
Prior to any key use (for data encryption or decryption), it is
necessary to open it. If you open it once during the user’s
working session, it is more than enough:
OPEN SYMMETRIC KEY SymKeyl DECRYPTION BY
PASSWORD = 'P@sswOrd';
Afterwards, we use it as usually. Just function names differ:
INSERT INTO SecretTable
values(EncryptByKey(Key__GUID('SymKeyl'), N'Секретные
данные')); GO
Please note that while data decryption, it is unnecessary to
provide symmetric key name and password to the
DecryptByKey function. Key data, opened by an OPEN
SYMMETRIC KEY command will be provided automatically:
SELECT (Convert(Nvarchar(100), DecryptByKey(Secret))) FROM
SecretTable;
28
Figure 6. Encrypted data query run results
SQL Server also allows encrypting data so easily, using a
password. For this purpose, an EncryptByPassPhrase
function is used. In case of a standard option, this function
requires only password and data to be encrypted.
INSERT INTO SecretTable
values(EncryptByPassphrase(' P@sswOrd', N'Секретные
данные') ) ; GO
Data shall be decrypted by a DecryptByPassphrase
function:
SELECT(Convert(Nvarchar(100),
DecryptByPassphrase('P@sswOrd', Secret))) FROM
SecretTable;
Figure 7. Data decryption results
It is worth noticing that it is unnecessary to limit oneself by
built-in SQL Server tools only. This server also allows using
queries to setup .NET in the Transact-SQL code. So, for
purposes of data encryption, classes from
System.Security.Cryptography namespace in .NET
Framework or own setups may be used [6].
3. CONCLUSION
As a result of developed information model for special goods
transportation safety and efficient management in the course of
the optimization process, the following tasks shall be solved:
city traffic analysis, identification of an efficient route for
securities delivery in a city, considering city traffic, option
efficiency assessment; reliable information system protection
was provided; considered efficient operation of specialized
vehicles.
(IJCNS) International Journal of Computer and Network Security,
Vol. 1, No. 3, December 2009
Information model, adapted for the goods transportation
standards, was developed, implemented and is used now for
courier services [5]. It allows automating staff work and render
more qualitative services to customers.
References
[1] A.J. Brast, S. Forte. Development of Microsoft-Based
Applications. Master Class./ Translated from
English.-Moscow: Russian Redaktsiya Publishing
House, 2007.
[2] T. Connoli, K. Begg. Databases. Designing, realization
and support. Theory and practice. 3rd edition,
“Williams” publishing house, Moscow, 2003.
[3] S.V. Maklakov Creation of information systems with
an AllFusing Modeling Suite. – M.: Dialogue - MIFI,
2003.
[4] R.N. Mikheyev MS SQL Server for administrators.-
SPb.: BKhB-Petersburg, 2006.
[5] L.Naizabayeva. “Information System Modeling to
Control Transport Operations Process”. In
Proceedings of the International MultiConference of
Engineers and Computer Scientists (IMECS), Hong
Kong, рр. 1813-1816, 2009
[6] A. Troelsen, PRO C# 2005 and The .NET 2.0
Platform, Third Edition, après, Sankt- Petergburg -
Kiev, 2007.
Author Profile
Lyazat Naizabayeva majors in math,
Kazakh State University after S.M.Kirov
(1986); was awarded degree of Ph.D.
(candidate) Physical and mathematical
sciences (High Academic Attestation
Committee of USSR, 1992); Academic title
Associate-professor of Informatics, Computer
Systems and Management (High Attestation
Committee of Republic of Kazakhstan, 2003 ).
Now, she is an Assistant - Professor in Kazakh-British University.