Re: [firebird-support] Re: Securing Firebird Embedded database

2020-01-08 Thread Elmar Haneke el...@haneke.de [firebird-support]

Am 20.12.19 um 22:59 schrieb Steve Naidamast
blackfalconsoftw...@outlook.com [firebird-support]:
> The first would be using DotNetZip to compress and encrypt the Firebird 
> database file into a zip file with a password.  The next level of encryption 
> would be to take the zip file and encrypt it again using standard file 
> encryption technologies (ie: AES)  Each set of compression\encryption 
> processes would use a different internally generated key every time the 
> process is initiated.

This is acceptable for transporting a database file; it does not really
work while your application is using the database.

> This may not be a perfect solution but I have it working to a point where the 
> response time of these processes are acceptable on a Firebird database file 
> of 1.5 gigs.  However, it will be up to the user to set what they want 
> through my application's security options, which will provide the option to 
> do one or both security processes upon opening and closing the application or 
> upon demand.


Really pack 1.5GB on start/close?

The user can still copy the FDB file while it is unpacked...


> My concept is distantly related to your own Encryption schemes in Firebird 
> 3.0 where your security is supported by third-party plugins instead of using 
> a singular security scheme built in to the database engine.


"third-party" does mean that this code is not part of the Firebird
package. It should be possible to write a plugin of your own.


Elmar




Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-21 Thread Mark Rotteveel m...@lawinegevaar.nl [firebird-support]
On 20/12/2019 16:43, Steve Naidamast blackfalconsoftw...@outlook.com 
[firebird-support] wrote:
> I am curious regarding your suggestion to use Firebird Server instead of the 
> embedded edition.
> 
> Is there a way to silently install the Firebird Server without any user 
> intervention during my application's installation?

See 
https://github.com/FirebirdSQL/firebird/blob/B3_0_Release/builds/install/arch-specific/win32/installation_scripted.txt



Mark
-- 
Mark Rotteveel


Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-20 Thread Steve Naidamast blackfalconsoftw...@outlook.com [firebird-support]
Elmar...

My current concept for making a Firebird Embedded Edition somewhat secure 
without a password (and as you say, using password means little if people 
already know a database's internal structure) is to offer two levels of 
encryption.  The first would be using DotNetZip to compress and encrypt the 
Firebird database file into a zip file with a password.  The next level of 
encryption would be to take the zip file and encrypt it again using standard 
file encryption technologies (ie: AES)  Each set of compression\encryption 
processes would use a different internally generated key every time the process 
is initiated.

This may not be a perfect solution but I have it working to a point where the 
response time of these processes are acceptable on a Firebird database file of 
1.5 gigs.  However, it will be up to the user to set what they want through my 
application's security options, which will provide the option to do one or both 
security processes upon opening and closing the application or upon demand.

My concept is distantly related to your own Encryption schemes in Firebird 3.0 
where your security is supported by third-party plugins instead of using a 
singular security scheme built in to the database engine.

Steve Naidamast
  Sr. Software Engineer
  blackfalconsoftw...@outlook.com


From: firebird-support@yahoogroups.com  on 
behalf of Elmar Haneke el...@haneke.de [firebird-support] 

Sent: Friday, December 20, 2019 4:35 AM
To: firebird-support@yahoogroups.com 
Subject: Re: [firebird-support] Re: Securing Firebird Embedded database



> All other database engines that I have worked with provide password 
> protection, even SQLite, which is used primarily for desktop and device 
> applications.

I'm not familiar with the technique SQLite uses.

But either they are using the password to encrypt the database or it is a
fake protection and anyone can use a modified SQLite to access that
database which is simply ignoring the password.

> I agree that the best way to protect any such database file is either through 
> internalized encryption, which I believe is now offered with Firebird 3.xx or 
> complete file encryption. However, would it not be easy enough for the 
> Firebird Development Group to simply implement the security constructs for 
> the embedded edition as it is for its server-side siblings given that all 
> such editions are primarily the same?

Even the "server side security" is meaningless once the illegitimate
user does have direct access to the database file.

Your idea sounds like the "security by obscurity" approach used in some
closed-source systems as e.g. MS-Access - ask google how to remove that
password protection. That approach is worth nothing in an open source
context.

Elmar












++

Visit http://www.firebirdsql.org and click the Documentation item
on the main (top) menu.  Try FAQ and other links from the left-side menu there.

Also search the knowledgebases at http://www.ibphoenix.com/resources/documents/ 

++


Yahoo Groups Links

<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/firebird-support/

<*> Your email settings:
Individual Email | Traditional

<*> To change settings online go to:
http://groups.yahoo.com/group/firebird-support/join
(Yahoo! ID required)

<*> To change settings via email:
firebird-support-dig...@yahoogroups.com 
firebird-support-fullfeatu...@yahoogroups.com

<*> To unsubscribe from this group, send an email to:
firebird-support-unsubscr...@yahoogroups.com

<*> Your use of Yahoo Groups is subject to:
https://info.yahoo.com/legal/us/yahoo/utos/terms/



Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-20 Thread Steve Naidamast blackfalconsoftw...@outlook.com [firebird-support]
Mark...

I am curious regarding your suggestion to use Firebird Server instead of the 
embedded edition.

Is there a way to silently install the Firebird Server without any user 
intervention during my application's installation?

Thank you...

Steve Naidamast
  Sr. Software Engineer
  blackfalconsoftw...@outlook.com


From: firebird-support@yahoogroups.com  on 
behalf of Mark Rotteveel m...@lawinegevaar.nl [firebird-support] 

Sent: Thursday, December 19, 2019 9:37 AM
To: firebird-support@yahoogroups.com 
Subject: Re: [firebird-support] Re: Securing Firebird Embedded database



On 2019-12-18 16:30, Steve Naidamast blackfalconsoftw...@outlook.com
[firebird-support] wrote:
> Is there any way to secure the FDB file from unauthorized access
> (other than compression and encryption, which I am starting to
> implement in my project) and if not, is there expected to be at least
> password protection for the Embedded edition in Firebird 4.0?

If you don't want a user to access a database, then use file system
permission to prevent the user from opening the database. Otherwise, you
should use Firebird server instead.

Firebird 4 Embedded works the same as Firebird 3 Embedded, so there
won't be password protection for Embedded in that version.

Mark





Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-20 Thread Elmar Haneke el...@haneke.de [firebird-support]

> All other database engines that I have worked with provide password 
> protection, even SQLite, which is used primarily for desktop and device 
> applications.

I'm not familiar with the technique SQLite uses.

But either they are using the password to encrypt the database or it is a
fake protection and anyone can use a modified SQLite to access that
database which is simply ignoring the password.

> I agree that the best way to protect any such database file is either through 
> internalized encryption, which I believe is now offered with Firebird 3.xx or 
> complete file encryption.  However, would it not be easy enough for the 
> Firebird Development Group to simply implement the security constructs for 
> the embedded edition as it is for its server-side siblings given that all 
> such editions are primarily the same?

Even the "server side security" is meaningless once the illegitimate
user does have direct access to the database file.

Your idea sounds like the "security by obscurity" approach used in some
closed-source systems as e.g. MS-Access - ask google how to remove that
password protection. That approach is worth nothing in an open source
context.


Elmar
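
Added example, not part of any message in this thread: the difference Elmar describes between a password that is only checked and a password that encrypts the data, shown on a constructed toy container. The layout, the function names and the SHA-256 keystream (standing in for a real cipher such as AES) are assumptions made for illustration; this is not Firebird's or SQLite's file format.

```python
import hashlib
import hmac
import os

MAGIC = b"TOYDB1"  # constructed toy container, not Firebird's on-disk format
ROWS = b"id=1;name=Alice;iban=XX00-CONSTRUCTED\n"  # constructed sample data

def derive(password: str, salt: bytes) -> bytes:
    """64 bytes from the password: 32 for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream standing in for AES (illustration only)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def write_gated(password: str, rows: bytes) -> bytes:
    """Password verifier in the header, rows stored in the clear."""
    salt = os.urandom(16)
    return MAGIC + salt + derive(password, salt)[:32] + rows

def write_encrypted(password: str, rows: bytes) -> bytes:
    """Rows encrypted and authenticated under keys derived from the password."""
    salt = os.urandom(16)
    k = derive(password, salt)
    body = xor_stream(k[:32], rows)
    return MAGIC + salt + hmac.new(k[32:], body, "sha256").digest() + body

def open_gated(blob: bytes, password: str) -> bytes:
    """The shipped engine: compares the verifier, then returns the rows."""
    salt, verifier = blob[6:22], blob[22:54]
    if not hmac.compare_digest(derive(password, salt)[:32], verifier):
        raise PermissionError("wrong password")
    return blob[54:]

def open_ignoring_check(blob: bytes) -> bytes:
    """A rebuilt engine that skips the comparison and reads past the header."""
    return blob[54:]

def open_encrypted(blob: bytes, password: str) -> bytes:
    """Verifies the MAC with the derived key, then decrypts the rows."""
    salt, tag, body = blob[6:22], blob[22:54], blob[54:]
    k = derive(password, salt)
    if not hmac.compare_digest(hmac.new(k[32:], body, "sha256").digest(), tag):
        raise PermissionError("wrong password or modified file")
    return xor_stream(k[:32], body)
```

The gated file gives up its rows to any reader that skips the comparison, while the encrypted file yields only ciphertext without the password; the remaining weakness is where that password or key is kept.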



Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-20 Thread Steve Naidamast blackfalconsoftw...@outlook.com [firebird-support]
Elmar...

Thank you for your reply regarding protecting a Firebird Embedded Database.

However, why is it assumed that a database file that is stored locally cannot 
be breached by unauthorized access?  Given the nature of sophisticated security 
breaches and hacking endeavors today, such data files can be breached by 
determined specialists even if they are not on site.

All other database engines that I have worked with provide password protection, 
even SQLite, which is used primarily for desktop and device applications.

I agree that the best way to protect any such database file is either through 
internalized encryption, which I believe is now offered with Firebird 3.xx or 
complete file encryption.  However, would it not be easy enough for the 
Firebird Development Group to simply implement the security constructs for the 
embedded edition as it is for its server-side siblings given that all such 
editions are primarily the same?

In any event, thank you once again for your quick reply...  

Steve Naidamast
  Sr. Software Engineer
  blackfalconsoftw...@outlook.com


From: firebird-support@yahoogroups.com  on 
behalf of Elmar Haneke el...@haneke.de [firebird-support] 

Sent: Thursday, December 19, 2019 4:15 AM
To: firebird-support@yahoogroups.com 
Subject: Re: [firebird-support] Re: Securing Firebird Embedded database



> Is there any way to secure the FDB file from unauthorized access (other than 
> compression and encryption, which I am starting to implement in my project) 
> and if not, is there expected to be at least password protection for the 
> Embedded edition in Firebird 4.0?

Password protection does assume the database file is stored out of reach of
illegitimate users. A legitimate server admin can always access the database.

Encryption is the only method to make illegitimate access to database
content more difficult - it's not really impossible if you have to store
encryption keys within your application.

Elmar







Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-19 Thread Mark Rotteveel m...@lawinegevaar.nl [firebird-support]
On 2019-12-18 16:30, Steve Naidamast blackfalconsoftw...@outlook.com 
[firebird-support] wrote:
> Is there any way to secure the FDB file from unauthorized access
> (other than compression and encryption, which I am starting to
> implement in my project) and if not, is there expected to be at least
> password protection for the Embedded edition in Firebird 4.0?

If you don't want a user to access a database, then use file system 
permission to prevent the user from opening the database. Otherwise, you 
should use Firebird server instead.

Firebird 4 Embedded works the same as Firebird 3 Embedded, so there 
won't be password protection for Embedded in that version.

Mark


Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-19 Thread Dimitry Sibiryakov s...@ibphoenix.com [firebird-support]
18.12.2019 16:30, Steve Naidamast blackfalconsoftw...@outlook.com 
[firebird-support] wrote:
> Is there any way to secure the FDB file from unauthorized access (other than 
> compression and encryption, which I am starting to implement in my project)

   No. Firebird is an open source project, the structure of database is well 
known and it is easy to read data from the file directly so password check in 
embedded server is meaningless.


-- 
   WBR, SD.









Re: [firebird-support] Re: Securing Firebird Embedded database

2019-12-19 Thread Elmar Haneke el...@haneke.de [firebird-support]

> Is there any way to secure the FDB file from unauthorized access (other than 
> compression and encryption, which I am starting to implement in my project) 
> and if not, is there expected to be at least password protection for the 
> Embedded edition in Firebird 4.0?


Password protection does assume the database file is stored out of reach of
illegitimate users. A legitimate server admin can always access the database.

Encryption is the only method to make illegitimate access to database
content more difficult - it's not really impossible if you have to store
encryption keys within your application.

Elmar