Subject Firebird security, what is the way? - Was: Firebird security, another way
Author Salvatore Besso
Hello Geoff and all,

I'm absolutely not an expert on this matter, but I would give an example. Ex
Turbopower FlashFiler client/server database can make encrypted tables on
demand. You, the developer, decide what encryption method to use (SHA, DES,
triple DES and many more well-known and strong methods, I don't remember all of
them but you are also allowed to use another ex TP encryption product for this
purpose - LockBox - that makes use of these strong encryption methods) and above
all, you, the developer, decide the encryption key before compiling FlashFiler
code, so it is reasonable that only you know the key that you have chosen. Add
to this scenario an application protected with one of the possible software
protection systems, possibly bound to that particular machine and maybe you'll
have a system that will not be so easy to crack since the application copied in
full onto another machine won't work at all and the database file taken by
itself will be unreadable outside of that machine since only you know the key
with which the database source code has been encrypted and having the
possibility to recompile the database source code is hopeless for a cracker
since he doesn't know the key that might be very hard and time consuming to
guess, depending on the encryption system chosen.

What I mean to say with that is not a criticism of Firebird, absolutely not (I'm
using Firebird and not FF :-), what I mean and I think is that in a future
version of Firebird (maybe 2 or 3) it would not be that difficult to implement such
a native mechanism, but giving the user the possibility to choose the encryption
key; otherwise, using a common key for all makes all security efforts vanish. On the
other hand, using this method will force the developer to always distribute his
own compiled version of Firebird, but I don't think it would be a big problem.

I say this because sometimes it's not that important to protect the metadata,
but rather the data contained in the database.

What do you think about it? If I remember correctly there was a poll on Firebird some
time ago and the protection/encryption of the database was one of the most
requested enhancements.

Merry Christmas
Salvatore