Subject Re: Undocumented internal encrypt/decrypt in FB
Author mspencewasunavailable
--- In firebird-support@yahoogroups.com, Geoff Worboys <geoff@...>
wrote:
>
> > ...
> > I could do many things, depending on the level of difficulty
> > I want to achieve. I would have choice. Right now, I don't
> > have anything - Firebird developers decided that since
> > PERFECT security is not possible, it makes no sense to
> > attempt ANY security.
>
> Please read some of my previous comments on this list and the
> article on the subject referenced several times.
>
> To paraphrase myself:
>
> Firebird is an open-source project. Any attempt to put data
> obfuscation code into open source means that the result is no
> longer obscure. It becomes fast and easy to break any
> "security" achieved, indeed someone will probably build such
> a solution and make it available for download.
>
> If you want any chance of security by obscurity you must do it
> outside the open source - the Firebird developers cannot do it
> for you.
>
> --
> Geoff Worboys
> Telesis Computing

Exactly right. Which is why I originally asked about the
possibility of having a hook of some sort to a .dll that *wouldn't*
be open source. Then all of this would be up to the user.

Securing the code and keys and such would then not be Firebird's
problem, and could be as simple as encryption with an embedded key
or as outlandish as a forwarded call to some bit of custom
USB-plug-based hardware (something you have) with code in ROM (so it
couldn't be hacked) and a keypad so you could enter a key directly
(something you know). The point is, the user could choose.

The routines that this .dll would provide would need to be worked
out, but securing it would *not* be Firebird's problem.

Michael D. Spence
Mockingbird Data Systems, Inc.