Re: [Firebird-devel] User password for encryption

2016-04-25 Thread Dimitry Sibiryakov
25.04.2016 17:03, Alex Peshkoff wrote:
> Unlike other methods, the key in this case is not touched by open source code,
> making the possibility of stealing it much smaller.

   It doesn't matter if the engine will decrypt the whole database for you after
changing a couple of bytes in the header.
   The key is pointless; the database is the real target.

-- 
   WBR, SD.

--
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel


Re: [Firebird-devel] User password for encryption

2016-04-25 Thread Alex Peshkoff
On 04/25/2016 03:51 PM, Emil Totev wrote:
>> From: Alex Peshkoff 
>> Subject: Re: [Firebird-devel] User password for encryption
>> To: firebird-devel@lists.sourceforge.net
>> Message-ID: <571e0924.3010...@mail.ru>
>> Content-Type: text/plain; charset=windows-1252; format=flowed
>>
>> On 04/25/2016 11:28 AM, Emil Totev wrote:
>>> How difficult would it be to get the user password to the encryption /
>>> key holder plugin, especially for an embedded connection?
>> I will start from the most simple part - embedded connection. As far as
>> I understand, you ask about the password which is used to login to the server
>> (isc_dpb_password). Unfortunately the question makes no sense - for an embedded
>> connection the password is not needed at all and no authentication plugin is
>> used (even when a password is present in the DPB it's just ignored). On the
>> other hand it's not too hard to add to the firebird engine code passing the
>> isc_dpb_password value to the key holder plugin (as one of the keys, for
>> example). But that hardly makes much sense to my mind.
> Then, how would you pass a key to the engine in the embedded case?

If the key is to be passed from the application, the best way is to use a callback.
Unlike other methods, the key in this case is not touched by open source code,
making the possibility of stealing it much smaller.




Re: [Firebird-devel] User password for encryption

2016-04-25 Thread Emil Totev
> From: Alex Peshkoff 
> Subject: Re: [Firebird-devel] User password for encryption
> To: firebird-devel@lists.sourceforge.net
> Message-ID: <571e0924.3010...@mail.ru>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 04/25/2016 11:28 AM, Emil Totev wrote:
>> How difficult would it be to get the user password to the encryption /
>> key holder plugin, especially for an embedded connection?
>
> I will start from the most simple part - embedded connection. As far as
> I understand, you ask about the password which is used to login to the server
> (isc_dpb_password). Unfortunately the question makes no sense - for an embedded
> connection the password is not needed at all and no authentication plugin is
> used (even when a password is present in the DPB it's just ignored). On the
> other hand it's not too hard to add to the firebird engine code passing the
> isc_dpb_password value to the key holder plugin (as one of the keys, for
> example). But that hardly makes much sense to my mind.

Then, how would you pass a key to the engine in the embedded case?

> What about the remote case - passing the password in the current state of code is
> close to impossible. The password NEVER travels over the wire (except for
> legacy authentication). Certainly one can write a plugin which will send the
> password from client to server, but that's definitely a very bad idea from a
> security POV. Certainly a trick similar to embedded can help (and the
> password will be sent over an already encrypted line in that case), but I'm
> afraid that's a bit not what you were asking about.

OK. I fully agree. Let's forget about remote and stick to embedded.

>> If possible
>> at all, would this require new authentication plugin or key holder
>> plugin or both?
>
> A new key holder plugin and some changes in its interfaces.
>
>> Applications using embedded connections would benefit most from
>> database encryption, and using the password (which can be supplied,
>> but is not used for authentication) for this seems to be an easy way
>> to seamlessly integrate it.
>
> I don't think so. Sending a key (the password will be the key in this case,
> yes?) in the DPB is the best way to help a malicious user steal it.
>

There is no "sending" in the embedded case. Most current software has
the ability to collect a password from the user and pass it to the
provider. Why not use this to add database encryption almost
transparently? Do you see any problems with it?

Regards
Emil



Re: [Firebird-devel] User password for encryption

2016-04-25 Thread Alex Peshkoff
On 04/25/2016 11:28 AM, Emil Totev wrote:
> How difficult would it be to get the user password to the encryption /
> key holder plugin, especially for an embedded connection?

I will start from the most simple part - embedded connection. As far as 
I understand, you ask about the password which is used to login to the server 
(isc_dpb_password). Unfortunately the question makes no sense - for an embedded 
connection the password is not needed at all and no authentication plugin is 
used (even when a password is present in the DPB it's just ignored). On the 
other hand it's not too hard to add to the firebird engine code passing the 
isc_dpb_password value to the key holder plugin (as one of the keys, for 
example). But that hardly makes much sense to my mind.

What about the remote case - passing the password in the current state of code is 
close to impossible. The password NEVER travels over the wire (except for 
legacy authentication). Certainly one can write a plugin which will send the 
password from client to server, but that's definitely a very bad idea from a 
security POV. Certainly a trick similar to embedded can help (and the 
password will be sent over an already encrypted line in that case), but I'm 
afraid that's a bit not what you were asking about.

> If possible
> at all, would this require new authentication plugin or key holder
> plugin or both?

A new key holder plugin and some changes in its interfaces.

> Applications using embedded connections would benefit most from
> database encryption, and using the password (which can be supplied,
> but is not used for authentication) for this seems to be an easy way
> to seamlessly integrate it.

I don't think so. Sending a key (the password will be the key in this case, 
yes?) in the DPB is the best way to help a malicious user steal it.




[Firebird-devel] User password for encryption

2016-04-25 Thread Emil Totev
How difficult would it be to get the user password to the encryption /
key holder plugin, especially for an embedded connection? If possible
at all, would this require new authentication plugin or key holder
plugin or both?

Applications using embedded connections would benefit most from
database encryption, and using the password (which can be supplied,
but is not used for authentication) for this seems to be an easy way
to seamlessly integrate it.

Emil
