Elmar... My current concept for making a Firebird Embedded Edition somewhat secure without a password (and as you say, using password means little if people already know a database;s internal structure) is to offer two levels of encryption. The first would be using DotNetZip to compress and encrypt the Firebird database file into a zip file with a pass word. The next level of encryption would be to take the zip file and encrypt it again using standard file encryption technologies (ie: AES) Each set of compression\encryption processes would use a different internally generated key every time the process is initiated.
This may not be a perfect solution but I have it working to a point where the response time of these processes are acceptable on a Firebird database file of 1.5 gigs. However, it will be up to the user to set what they want through my application's security options, which will provide the option to do one or both security processes upon opening and closing the application or upon demand. My concept is distantly related to your own Encryption schemes in Firebird 3.0 where your security is supported by third-party plugins instead of using a singular security scheme built in to the database engine. Steve Naidamast Sr. Software Engineer blackfalconsoftw...@outlook.com [cid:8036d6f0-36cc-4285-90d6-ba5982a222e5] ________________________________ From: firebird-support@yahoogroups.com <firebird-support@yahoogroups.com> on behalf of Elmar Haneke el...@haneke.de [firebird-support] <firebird-support@yahoogroups.com> Sent: Friday, December 20, 2019 4:35 AM To: firebird-support@yahoogroups.com <firebird-support@yahoogroups.com> Subject: Re: [firebird-support] Re: Securing Firebird Embedded database > All other database engines that I have worked with provide password > protection, even SQLite, which is used primarily for desktop and device > applications. I'm not familiar which the technique SQLite uses. But either they are using the password to encrypt database or it is an fake protection and anyone can use an modified SQLite to access that database which is simply ignoring password. > I agree that the best way to protect any such database file is either through > internalized encryption, which I believe is now offered with Firebird 3.xx or > complete file encryption. However, would it not be easy enough for the > Firebird Development Group to simply implement the security constructs for > the embedded edition as it is for its server-side siblings given that all > such editions are primarily the same? Even the "server side security" is meaningless once the illegitimate user does have direct access to database file. Your idea sounds like the "security by obscurity" approach used in some closed-source systems as e.g. MS-Access - ask google how to remove that password protection. That approach is worth nothing in an open source context. Elmar [Non-text portions of this message have been removed] ------------------------------------ ------------------------------------ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Visit http://www.firebirdsql.org and click the Documentation item on the main (top) menu. Try FAQ and other links from the left-side menu there. Also search the knowledgebases at http://www.ibphoenix.com/resources/documents/ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ------------------------------------ Yahoo Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/firebird-support/ <*> Your email settings: Individual Email | Traditional <*> To change settings online go to: http://groups.yahoo.com/group/firebird-support/join (Yahoo! ID required) <*> To change settings via email: firebird-support-dig...@yahoogroups.com firebird-support-fullfeatu...@yahoogroups.com <*> To unsubscribe from this group, send an email to: firebird-support-unsubscr...@yahoogroups.com <*> Your use of Yahoo Groups is subject to: https://info.yahoo.com/legal/us/yahoo/utos/terms/
