Subject Re: [firebird-support] how to protect DATA
Author Alexandre Benson Smith
jesus martinez wrote:
> hello!
> i am developing a win32 application that uses
> FB-embedded version v2.0.1
> that application is a program that only let users
> to make "complex" SELECTs to the database
> (there are no inserts, updates or deletes)
> the data of the database is currently being stored
> using "SYSDBA/masterkey".

not so important, since if the database could be copied to another
machine, it could be opened with a valid user/password on that machine.

> since this application will be delivered to different
> clients, people who is storing data (confidential) are
> afraid of being stolen. (i mean, anyone can open the
> database and extract the information)

Yes, if someone could get the physical file, he/she would be allowed to
see the data.

> unaffortunately i didnt find how to encrypt FB record,
> it cant be done, rigth ?

You should do it on your own. FB has no internal encrypt method.

But if you would encrypt the data then the encrypt/decrypt key would be
hard coded on your app ? how easy would be to someone reverse engineer
your app to know the key ? If the key would be provided on at app
start-up time, it would give more security, but be aware that you will
loose the ability to search for inequality operators (<>, >, <) since
once encrypted only equality means something. Perhaps you could use an
UDF to decrypt the data, but your searches would be natural (no index used)

> so, how can i protect the records ?


> after storing the data, do i have to delete sysdba
> username ?

It offers no practical security

> do i have to set tables to be only accesible by
> another user ?

Offers no practical security, since a malicious guy could recompile FB
without the security check for grants

> may i change the user who has access to the records
> after storing then with sysdba ?

The same as above

> will the new configuration remain using embedded
> version of FB ?

Does not understand what you mean here

> to create the database i exec this script:
> CREATE DATABASE 'C:\test.fdb'
> USER 'SYSDBA' PASSWORD 'masterkey'
> PAGE_SIZE = 4096
> connect 'C:\test.fdb'
> USER 'SYSDBA' PASSWORD 'masterkey';
> );
> then i store houndred of records.
> is this ok ? or i have to create the database
> using another dba ?

Does not change the scenario.

> i want that record not to be accessible to anybody
> instead of somebody that has the correct password
> (i mean, also if he copies the db file into another
> computer)

Only if you encrypt your data in someway.

> thanks in advance,
> j.-

see you !

Alexandre Benson Smith
THOR Software e Comercial Ltda
Santo Andre - Sao Paulo - Brazil