Connecting to encrypted databases

Connecting to encrypted databases

Jiří Činčura-2
Hi *,

thanks to IBPhoenix I have a plugin
(http://www.ibphoenix.com/products/software/encryptionplugin) to create
encrypted database and I have a working prototype for passing the key.
Now the question of the day. :)

How to pass the key? The two obvious options are in connection string
and callback on i.e. FbConnection. The callback seems to be an obvious
choice, because it's most versatile. But I'd like to hear some other
opinions as well.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Firebird-net-provider mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/firebird-net-provider
Re: Connecting to encrypted databases

Gerdus van Zyl
I think it makes more sense on the connection string. It already contains sensitive info (username,password) and needing to provide connection related info by another method would be counter intuitive.


On 12 July 2017 at 08:55, Jiří Činčura <[hidden email]> wrote:
Re: Connecting to encrypted databases

Jiří Činčura-2
> I think it makes more sense on the connection string. It already contains
> sensitive info (username,password) and needing to provide connection
> related info by another method would be counter intuitive.

Good point.

In my thinking I saw two problems, slightly different from what password
does. The key can be binary data and that's difficult to pass in string.
And the key might be stored on some HSM.

Not that it would rule out connection string completely, it just fits
less well, IMO.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

Re: Connecting to encrypted databases

Gerdus van Zyl
What about a callback on Connection that returns a Connection Info (ConnectionStringBuilder-like) object.
Could also add a connection constructor overload that accepts a Connection Info object.
Can then provide all connection data in one place with convenience of not converting from/to a string.


On 12 July 2017 at 10:44, Jiří Činčura <[hidden email]> wrote:
Re: Connecting to encrypted databases

Jiří Činčura-2
> What about a callback on Connection that returns a Connection Info
> (ConnectionStringBuilder-like) object.
> Could also add a connection constructor overload that accepts a
> Connection
> Info object.
> Can then provide all connection data in one place with convenience of not
> converting from/to a string.

Then the ConnectionStringBuilder can be used right away, no?

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/

Re: Connecting to encrypted databases

Daniel Rail
In reply to this post by Jiří Činčura-2
Hi,

At July 12, 2017, 5:44 AM, Jiří Činčura wrote:

>> I think it makes more sense on the connection string. It already contains
>> sensitive info (username,password) and needing to provide connection
>> related info by another method would be counter intuitive.

> Good point.

> In my thinking I saw two problems, slightly different from what password
> does. The key can be binary data and that's difficult to pass in string.
> And the key might be stored on some HSM.

> Not that it would rule out connection string completely, it just fits
> less well, IMO.


Binary data should be able to be represented with hexadecimal. And,
don't forget that whatever is chosen has to be easily implemented when
using Entity Framework.

We are looking at implementing our own encryption plugin, but still
undecided how the key will be passed, since our application uses a mix
of Delphi (IBDAC) and C# (EF6). Our initial thought is that it will have
to be on the server with the database, since we can't find proper
documentation on how to pass it from the client, even with the
database management tools, although it is part of Firebird's
architecture. It seems to be one area that third-party tools and
components haven't taken much time implementing, maybe because
there is no disk encryption plugin provided out-of-the-box with
Firebird, and not enough user interest.

Having said that, keep up the excellent work Jiri.

And, I'm hoping that I will have the time in the next few weeks to
create a VSIX installer for DDEX, because the registry entries are not
staying and I have to add them every time that I need to add EF6 classes
to represent tables. Once created, it will surely be contributed to
the project.

--
Best regards,
 Daniel Rail
 Senior Software Developer
 ACCRA Solutions Inc. (www.accra.ca)
 ACCRA Med Software Inc. (www.filopto.com)


Re: Connecting to encrypted databases

Gerdus van Zyl
In reply to this post by Jiří Činčura-2
Not exactly sure what you mean with right away. The reason to not use the existing ConnectionStringBuilder is that it is implicit that it can be converted to a string.
Which would not be true anymore, except if you add EncryptionKey to connection string parsing anyway.

On 12 July 2017 at 13:51, Jiří Činčura <[hidden email]> wrote:
Re: Connecting to encrypted databases

Jiří Činčura-2
> Which would not be true anymore, except if you add EncryptionKey to
> connection string parsing anyway.

Of course I would. The builder and connection string options are in
sync.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
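
Added example, not code from this thread or from the Firebird .NET provider: a C# sketch of the design the thread converges on. A connection-info object accepts the database encryption key either as a hex-encoded `EncryptionKey` option in the connection string (Daniel's point that binary data can be carried as hexadecimal) or from a callback (the HSM case), keeps the builder and the string parser in sync, and omits the key and password from its string form so that an object which is implicitly convertible to a string is not a leak path. Every type and member name here (`KeyedConnectionInfo`, `EncryptionKey`, `KeyCallback`, `ResolveKey`) is hypothetical, and the connection string and key bytes are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;

// Hypothetical connection-info type; not a FirebirdSql.Data.FirebirdClient class.
public sealed class KeyedConnectionInfo
{
    private readonly Dictionary<string, string> _options =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Hypothetical: when set, the key is fetched at connect time (for example
    // from an HSM or key vault) instead of travelling inside a string that
    // may be written to config files or logs.
    public Func<byte[]> KeyCallback { get; set; }

    public string this[string name]
    {
        get { return _options.TryGetValue(name, out string value) ? value : null; }
        set { _options[name] = value; }
    }

    // Parses "Name=Value;Name=Value" the way a connection string builder does;
    // "EncryptionKey" is an ordinary option, so builder and string stay in sync.
    public static KeyedConnectionInfo Parse(string connectionString)
    {
        var info = new KeyedConnectionInfo();
        foreach (string pair in connectionString.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0)
                throw new FormatException("Malformed connection string entry: " + pair);
            info[pair.Substring(0, eq).Trim()] = pair.Substring(eq + 1).Trim();
        }
        return info;
    }

    // The callback wins when present; otherwise the hex option is decoded.
    // Null means no key was supplied, i.e. the database is not encrypted.
    public byte[] ResolveKey()
    {
        if (KeyCallback != null)
            return KeyCallback();
        string hex = this["EncryptionKey"];
        return hex == null ? null : DecodeHex(hex);
    }

    // Strict decoder: an odd length or a non-hex digit is an error at the call
    // site, never a silently truncated key that fails the attach with an
    // opaque server-side message.
    public static byte[] DecodeHex(string hex)
    {
        if (hex.Length % 2 != 0)
            throw new FormatException("Hex key must have an even number of digits.");
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            if (!byte.TryParse(hex.Substring(2 * i, 2), NumberStyles.HexNumber,
                               CultureInfo.InvariantCulture, out bytes[i]))
                throw new FormatException("Non-hex character in key at offset " + (2 * i));
        }
        return bytes;
    }

    // The string form omits the key and the password, so logging or
    // serialising the object cannot leak either.
    public override string ToString()
    {
        var sb = new StringBuilder();
        foreach (KeyValuePair<string, string> kv in _options)
        {
            if (kv.Key.Equals("EncryptionKey", StringComparison.OrdinalIgnoreCase) ||
                kv.Key.Equals("Password", StringComparison.OrdinalIgnoreCase))
                continue;
            sb.Append(kv.Key).Append('=').Append(kv.Value).Append(';');
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample: a made-up connection string carrying a 16-byte hex key.
        var fromString = Parse(
            "DataSource=localhost;Database=/data/app.fdb;User=SYSDBA;Password=masterkey;" +
            "EncryptionKey=00112233445566778899aabbccddeeff");
        Console.WriteLine(BitConverter.ToString(fromString.ResolveKey()));
        Console.WriteLine(fromString);   // key and password are absent from this form

        // Same options, but the key comes from a callback standing in for an HSM.
        var fromCallback = Parse("DataSource=localhost;Database=/data/app.fdb;User=SYSDBA");
        fromCallback.KeyCallback = () => new byte[32]; // placeholder for a key-store fetch
        Console.WriteLine(fromCallback.ResolveKey().Length);
    }
}
```

Whichever option is chosen, the key has to rest somewhere: a hex key in the connection string ends up in configuration files and in anything that logs or persists that string, while the callback leaves it in the key store until the moment of attach. Keeping the option in the parser as well, as Jiří says the builder and the connection string are kept in sync, means an Entity Framework setup that only has a string to configure still works, at the cost of that string now being key material.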

Re: Connecting to encrypted databases

Jiří Činčura-2
In reply to this post by Daniel Rail
> Binary  data  should be able to be represented with hexadecimal.  And,

Good point.

> We are looking at implementing our own encryption plugin, but still
> undecided how the key will be passed, since our application uses a mix
> of Delphi(IBDAC) and C#(EF6). Our initial thought is that it will have
> to be on the server with the database, since we can't find proper
> documentation on how to pass it from the client, even with the
> database management tools, although it is part of Firebird's
> architecture. It seems to be one area that third-party tools and

Look at op_crypt_key_callback.

> And, I'm hoping that I will have the time in the next few weeks to
> create a VSIX installer for DDEX, because the registry entries are not
> staying and I have to add them everytime that I need to add EF6 classes
> to  represent  tables.  Once created, it will surely be contributed to
> the project.

Great.

--
Mgr. Jiří Činčura
https://www.tabsoverspaces.com/
