Subject Re: [firebird-support] Re: Undocumented internal encrypt/decrypt in FB
Author Geoff Worboys
Hi Andreas,

> I'm using a solution for years that's combining copy
> protection and encryption. So I use a solution of my
> dongle distributor [1] that is limited to windows only
> system and server installation of FB:

Assuming you have an answer for Adam's question (there must
be some way to prevent unauthorised software from gaining
inappropriate access to your server) this is an example of
good obfuscation...

while ever it is ONLY your application using it.


To break this I would have to fiddle around for quite a
while with lengthy direct access to the server computer (such as
the access that your client has). Depending on the value of
the data it may not be worth the effort for one installation.

But be certain it is breakable, and generically breakable.
That is, if I break it once then the break will work for all
installations. So if your solution became the common solution
and everyone used some pre-patched version of fbserver, then
the break would only have to be created the one time and could
then be re-used on every system. And if your patch code (or even
just the detail of how it was done) was open source then
creating the break would probably be trivial.


I am not aware of there being anything wrong with the HASP
system but I would be concerned about possible generic breaks
(or if existing breaks were already available on the internet).
For example, by replacing the USB driver with one designed to
pull out the desired data.

However, such an attack (even if already available for download)
is likely to be much more difficult to use to obtain useful
results than an attack on the Firebird server itself - because
there I have the original source code and an idea where I need
to patch in order to obtain what I want.


So my advice: This sounds pretty good, but don't be tempted to
share it too widely or you may lose what you currently have:
obscurity.

--
Geoff Worboys
Telesis Computing