Subject | Re: [firebird-support] Field level encryption with UDF?
---|---
Author | Milan Babuskov
Post date | 2009-05-05T16:19:21Z
Myles Wakeham wrote:
> Has anyone used UDFs to do field level string encryption like this?

I would not follow that road if I were you. By registering a UDF in the
database, your security remains on the same "level" and Firebird does
not have GRANTs for UDFs, so anyone can try to use it, and perhaps
brute-force the key used for encryption. All that is needed is that the
attacker knows one CC number and has some time.

If you really want to keep it in the database, then constraining access
via views or stored procedures should suffice (REVOKE on table, GRANT on
VIEW or procedure).

I'd use the database for storage of encrypted data and decrypt it in the
application code - the same point where I'd ask the user for the decryption key.
Even if someone hijacks the database, he'd have a hard time decrypting
the data, because he would have to determine which algorithm was used in the
first place. This would also mean that data is not traveling in plain
text form between client and Firebird server.

> I don't need anything incredibly sophisticated, but rather than
> attempting to build my own, I was wondering if there are any out there
> that others have used that I could adopt for this application?

Depending on your programming language, I'm sure there are many
libraries available. For example, for C++, Crypto++ comes to mind:
http://www.cryptopp.com/
which supports a lot of algorithms.

--
Milan Babuskov
http://www.flamerobin.org
http://www.guacosoft.com
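The "encrypt in the application, store only ciphertext in the database" design recommended above, written out as an added example (not code from the thread, and in Go rather than the C++/Crypto++ the reply mentions, because the Go standard library ships AES-GCM and the example then runs without extra libraries). The `EncryptCard`/`DecryptCard` functions, the `rowAD` convention, the 32-byte key and the in-memory `vault` map standing in for the Firebird table are all assumptions of this example. The key is what the application would obtain from the user at decrypt time; deriving it from a passphrase with a KDF is assumed to happen elsewhere and is not shown. Note that the protection here rests on the key, not on an attacker having to guess the algorithm: AES-GCM also authenticates, and binding each ciphertext to its row id means a value copied into another row, or altered in the table, is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// rowAD builds the associated data that ties a ciphertext to one table row.
// Hypothetical convention for this example; the thread defines no such scheme.
func rowAD(rowID int64) []byte {
	return []byte(fmt.Sprintf("cards.id=%d", rowID))
}

// newAEAD wraps a 32-byte key as AES-256-GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCard returns nonce || ciphertext || tag; this blob is all the database stores.
func EncryptCard(key []byte, rowID int64, pan string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nonce, []byte(pan), rowAD(rowID))
	return append(nonce, sealed...), nil
}

// DecryptCard runs in the application after the user has supplied the key.
// It fails closed if the key is wrong, the row id does not match, or the bytes were altered.
func DecryptCard(key []byte, rowID int64, stored []byte) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(stored) < n+aead.Overhead() {
		return "", errors.New("stored value too short to be a valid record")
	}
	pan, err := aead.Open(nil, stored[:n], stored[n:], rowAD(rowID))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong row, or tampered ciphertext")
	}
	return string(pan), nil
}

func main() {
	key := make([]byte, 32) // assumed: in practice derived from the user's passphrase with a KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault := map[int64][]byte{} // stand-in for the Firebird table; it only ever holds ciphertext
	stored, err := EncryptCard(key, 42, "4111111111111111") // constructed test card number
	if err != nil {
		panic(err)
	}
	vault[42] = stored
	fmt.Println("stored in DB:", hex.EncodeToString(vault[42]))
	pan, err := DecryptCard(key, 42, vault[42])
	fmt.Println("decrypted in app:", pan, err)
	_, err = DecryptCard(key, 43, vault[42]) // same bytes, wrong row: rejected
	fmt.Println("copied to another row:", err)
}
```

Because the database only ever sees the output of `EncryptCard`, the REVOKE/GRANT hardening from the reply still applies unchanged on the Firebird side; what changes is that a dump of the table, or traffic between client and server, carries no plaintext card numbers and no key.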