Subject Re: Re: [firebird-support] Database Security
Author Jim McKay
Hello Geoff Worboys:

======= At 2004-01-06, 14:47:00 Geoff Worboys wrote: =======

>>>Some people have requested that FB provide the ability to
>>>encrypt the database. But even if it did this you cannot
>>>protect the database from authorised users.
>> here here!
>>> You could obscure the decryption key inside the executable,
>> Usually, it's stored elsewhere... hardware or certificate/ASN
>> schemes for most part.
>> AFAIC, this is doable. It's also important:
>I am not clear what you mean here.
> Are you suggesting that
>such schemes could somehow assist in the original question
>(protecting against users accessing metdata)?

You mentioned to him that "some people" want native
db encryption, but "even if it did this you cannot
protect the database from authorised users."

Unless I mis-read you, I was left w/impression you suggest
that encrypted DB keys were easily accessable as matter of fact.

That's definately not the case.

I responded to that.

>>From the earlier "here here!" I am guessing you are simply
>clarifying the fact that my security by obscurity suggestion
>is not a good idea.

Well... no, I don't think it's very good idea.
But I wouldn't post just to tell you your idea sucked. <g>

For whatever reason, notion that someone may take to
heart idea that DB encryption is inherently insecure moved
be to speak. :)

>I was not trying to suggest that it was a properly secure
>implementation. In some limited circumstances security by
>obscurity can be enough to prevent uneducated users from
>tampering, just dont use it to hide your credit card details
>on the net ;-)

Again, I'm only speaking to notion of encrypting database in general.

There are 3rd party add ons that handle the task (although, probably
too pricey to make sense for FB users), and quite a few good papers
on the subject.

I probably should say DB encryption happens to be of major importance
for me. Most of our work these days is medical. The fastest, slickest,
fullest featured DB on the planet I couldn't use if there was no
encryption. I understand this is not primary concern for many.

For what it's worth, I've used StreamSecII encryption suite
quite a bit... mostly for middle tier RPC SSL/TLS implementation.
Excellent library. I'm pretty sure it could be used to build viable
DB encryption... secure keys and all. Not a trivial task, however.

>Geoff Worboys
>Telesis Computing
>Yahoo! Groups Links
>To visit your group on the web, go to:
>To unsubscribe from this group, send an email to:
>Your use of Yahoo! Groups is subject to:
>Incoming mail is certified Virus Free.
>Checked by AVG Anti-Virus (
>Version: 7.0.209 / Virus Database: 261.5.6 - Release Date: 1/2/2004
= = = = = = = = = = = = = = = = = = = =

Best regards.
Jim McKay
2004-01-05 20:02:46

Outgoing mail is certified Virus Free.
Checked by AVG Anti-Virus (
Version: 7.0.209 / Virus Database: 261.5.6 - Release Date: 1/2/2004