| Subject | RE: [firebird-support] Re: how to protect DATA |
|---|---|
| Author | Dean Harding |
| Post date | 2007-07-13T05:58:46Z |
Actually, one problem with this solution would be that they could just over
write the service executable you provide with one of their own choosing and
gain access to the database that way. But you could counter that by saying,
for example, if the service doesnt respond to your client applications
commands as you expect it to (which is what would happen if they overwrote
it) you could just kill it from the client app. That would give them only a
limited amount of time to do their work before the client detects a problem
and kills it...
Dean.
From: firebird-support@yahoogroups.com
[mailto:firebird-support@yahoogroups.com] On Behalf Of Dean Harding
Sent: Friday, 13 July 2007 3:43 PM
To: firebird-support@yahoogroups.com
Subject: RE: [firebird-support] Re: how to protect DATA
How much control do you have over the clients machine? Can you, for
example, create a new user on it (perhaps during the installation process)?
Can you run a service?
If so, one possibility is to have the FB-accessing code run as a service
under a different user account and then use the encryption built into NTFS
to encrypt the database file.
Basically, the steps would be, during installation:
1. Create a new user account with a random password.
2. Create a service that runs under this account, set it to Manual
start.
3. Copy the database file under the new users profile path and set it
to encrypted.
4. You can discard the random password once installation is complete.
Now the client program can simply start the service when it starts up, and
talk to the database via that service. It can stop the service when it shuts
down. Its then up to you to ensure the communication mechanism is secure,
but if you simply provide a read-only interface from that point, you
should be OK.
A couple of problems that I can this of:
· It requires an NTFS partition. 99% of people will have one these
days, but you may run into the odd person who does not.
· If the user changes the password of the services user account,
the database will be inaccessible (although this could be seen as a feature
J).
· You have to be careful with the access rights you grant on the
service object: youll want to allow limited user accounts to start and stop
the service, but you cannot allow anyone to change the services
configuration.
When you want to give them a new database, you can simply generate a new
random password for the user, copy the file, update the service to start
with the new password, and discard the password.
Dean.
From: firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com>
[mailto:firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com> ] On Behalf Of jesus martinez
Sent: Friday, 13 July 2007 3:18 PM
To: firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com>
Subject: Re: [firebird-support] Re: how to protect DATA
Anderson, thanks for your reply.
i cant do this, because i have to make searches
inside the records
select .... where containing ....
about the other suggestion about using TrueCrypt,
written disadvanges are so clear that it is not
an option.
thanks in advance to both,
j.-
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya!
http://www.yahoo.com.ar/respuestas
[Non-text portions of this message have been removed]
[Non-text portions of this message have been removed]
write the service executable you provide with one of their own choosing and
gain access to the database that way. But you could counter that by saying,
for example, if the service doesnt respond to your client applications
commands as you expect it to (which is what would happen if they overwrote
it) you could just kill it from the client app. That would give them only a
limited amount of time to do their work before the client detects a problem
and kills it...
Dean.
From: firebird-support@yahoogroups.com
[mailto:firebird-support@yahoogroups.com] On Behalf Of Dean Harding
Sent: Friday, 13 July 2007 3:43 PM
To: firebird-support@yahoogroups.com
Subject: RE: [firebird-support] Re: how to protect DATA
How much control do you have over the clients machine? Can you, for
example, create a new user on it (perhaps during the installation process)?
Can you run a service?
If so, one possibility is to have the FB-accessing code run as a service
under a different user account and then use the encryption built into NTFS
to encrypt the database file.
Basically, the steps would be, during installation:
1. Create a new user account with a random password.
2. Create a service that runs under this account, set it to Manual
start.
3. Copy the database file under the new users profile path and set it
to encrypted.
4. You can discard the random password once installation is complete.
Now the client program can simply start the service when it starts up, and
talk to the database via that service. It can stop the service when it shuts
down. Its then up to you to ensure the communication mechanism is secure,
but if you simply provide a read-only interface from that point, you
should be OK.
A couple of problems that I can this of:
· It requires an NTFS partition. 99% of people will have one these
days, but you may run into the odd person who does not.
· If the user changes the password of the services user account,
the database will be inaccessible (although this could be seen as a feature
J).
· You have to be careful with the access rights you grant on the
service object: youll want to allow limited user accounts to start and stop
the service, but you cannot allow anyone to change the services
configuration.
When you want to give them a new database, you can simply generate a new
random password for the user, copy the file, update the service to start
with the new password, and discard the password.
Dean.
From: firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com>
[mailto:firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com> ] On Behalf Of jesus martinez
Sent: Friday, 13 July 2007 3:18 PM
To: firebird-support@yahoogroups.com
<mailto:firebird-support%40yahoogroups.com>
Subject: Re: [firebird-support] Re: how to protect DATA
Anderson, thanks for your reply.
i cant do this, because i have to make searches
inside the records
select .... where containing ....
about the other suggestion about using TrueCrypt,
written disadvanges are so clear that it is not
an option.
thanks in advance to both,
j.-
> Hi,__________________________________________________
>
> 1) Encrypt the data on the client side then store
> into FB.
> 2) Read the encrypted data from FB, decrypt on the
> client and display.
>
> Does it make sense? (that's what I do when need some
> info to be encripted)
>
>
> Regards,
> Anderson
>
> [Non-text portions of this message have been
> removed]
>
>
Preguntá. Respondé. Descubrí.
Todo lo que querías saber, y lo que ni imaginabas,
está en Yahoo! Respuestas (Beta).
¡Probalo ya!
http://www.yahoo.com.ar/respuestas
[Non-text portions of this message have been removed]
[Non-text portions of this message have been removed]