Encrypting Data in a DB

Discussion in 'OT Technology' started by Peyomp, Jul 21, 2006.

  1. Peyomp

    Peyomp New Member

    Joined:
    Jan 11, 2002
    Messages:
    14,017
    Likes Received:
    0
    Anyone ever had to encrypt data in a DB?

    Say you've got SQLite or MySQL, and you don't want the data sitting there in plaintext.

    You can:

    1) Encrypt the filesystem the DB file sits on.

    2) Encrypt the values before you store them.

    3) Encrypt the storage engine.

    Anyone ever done 1, 2 or 3?
     
  2. SLED

    SLED build an idiot proof device and someone else will

    Joined:
    Sep 20, 2001
    Messages:
    28,118
    Likes Received:
    0
    Location:
    AZ, like a bauce!
    I typically encrypt the actual data before storage, and store it in an encrypted binary field (pick your own encryption). I just find that if I'm storing encrypted data, then I'd also want it to be secure over the wire as well. Which throws out using a storage engine or filesystem solution. Both are decent options, however. If it suits your needs.

    EDIT: I guess you could use the other two methods in conjunction with a MySQL SSL connection on the client side to the server. :dunno:
     
  3. Peyomp

    Peyomp New Member

    Actually, SQLite has an encryption enhancement that's really easy to use for a one-time fee of $2000, which is peanuts on this budget. Plus I really like the idea of supporting SQLite dude. He RULES.
     
  4. Peyomp

    Peyomp New Member

    Here's a tough question:

    If you're distributing this with shrink-wrapped software and you wish to hide the contents of the DB from your user, then how do you create a scheme to do so that will hold up to a Russian teenager with a decompiler?

    Anyone?

    This is really hard.
     
  5. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    Nothing is 100% secure. Memory dump usually kills any idea of security.
     
  6. Peyomp

    Peyomp New Member

    I know if companies like Microsoft, Adobe, etc. who spend a lot of time trying to end piracy can't keep a teenager with a decompiler from subverting their copy protections, then I can't do better.

    Still, does anyone have a good source on what techniques are out there to make things as obscure as possible to subvert?
     
  7. deusexaethera

    deusexaethera OT Supporter

    Joined:
    Jan 27, 2005
    Messages:
    19,712
    Likes Received:
    0
    How about using the .NETfuscator? That only works if you're programming in .NET, but there's gotta be precompiler obfuscators available for other languages.

    One way might be to use GOTOs instead of function calls. :rofl:
     
  8. P07r0457

    P07r0457 New Member

    Well, as an example, goto was removed from .NET....
     
  9. Peyomp

    Peyomp New Member

    If you're coding in Perl, ActivePerl can bundle your CGI in an executable, which is nice if you want to hide your code. Obfuscation is just as subject to decompiling as unobfuscated, right? Writing bad code just isn't an option.

    I talked to the SQLite guy, Richard. He's cool. He said SQLite's encryption thing uses RC4, and that he'll add AES at some point and you get a free upgrade.
     
  10. hsmith

    hsmith OT Supporter

    Joined:
    Feb 24, 2002
    Messages:
    124,570
    Likes Received:
    658
    Location:
    Your mother.
    Well, it still uses them when it builds the DLLs :o
     
  11. hsmith

    hsmith OT Supporter

    fucking gotos are littered all over the god damned assemblies
     
  12. aphoric

    aphoric Even if god did exist, it would be necessary to ab

    Joined:
    Aug 29, 2003
    Messages:
    918
    Likes Received:
    0
    Location:
    Leaving Afghanistan
    Where I work we build an application that works with lots of different DBs. For our security management, we encrypt passwords and usernames and stuff like that and store them in the DB as text. Of course, there is some data bloat due to this, but it works everywhere with the same code. Depending on what level of encryption you want to do, it could be pretty simple to just do a digest of the data before putting it in and just pulling it apart when you read it out. Of course, if you are doing millions of transactions a day, this will be too much overhead, so a proprietary DB extension may be the answer.
     
  13. Peyomp

    Peyomp New Member

    The data must not sit on the disk in plaintext format.
     
  14. deusexaethera

    deusexaethera OT Supporter

    Try passing the text strings through ZLIB.DLL first. You'll save space and it will be impossible to read without knowing how to unzip a text string that isn't contained in a ZIP file. I may be able to supply you with some VB6 code that can pass ASCII text through ZLIB -- it's not terribly complicated, so it wouldn't be too hard to transcode into whatever language you want.
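
An added example, not part of the thread: a check for the requirement that data "must not sit on the disk in plaintext", run against a SQLite file. It labels each stored TEXT/BLOB value as plaintext, compressed-only (zlib output, which decompresses with no key), or opaque. The table, the rows and the names `classify`, `audit` and `build_demo_db` are constructed for illustration.

```python
import sqlite3
import zlib

def classify(value):
    """Label one stored str/bytes value by what it takes to read it."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    try:
        zlib.decompress(raw)              # succeeds without any key
        return "compressed-only"
    except zlib.error:
        pass
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"                   # not text, not zlib; may be ciphertext
    readable = sum(ch.isprintable() or ch.isspace() for ch in text)
    return "plaintext" if readable >= 0.9 * len(text) else "opaque"

def audit(conn):
    """Return (table, column, rowid, verdict) for every non-opaque value."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            query = f'SELECT rowid, "{col}" FROM "{table}" ORDER BY rowid'
            for rowid, value in conn.execute(query):
                if not isinstance(value, (str, bytes)):
                    continue              # skip NULLs and numeric keys
                verdict = classify(value)
                if verdict != "opaque":
                    findings.append((table, col, rowid, verdict))
    return findings

def build_demo_db():
    """Constructed sample data: one value stored three different ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body)")
    note = "plain customer note"
    rows = [(note,),                                  # stored as-is
            (zlib.compress(note.encode("utf-8")),),   # compressed, no key
            (bytes(range(128, 192)),)]                # stand-in for ciphertext
    conn.executemany("INSERT INTO notes (body) VALUES (?)", rows)
    return conn

if __name__ == "__main__":
    for finding in audit(build_demo_db()):
        print(finding)
```

An "opaque" verdict only means the value is neither readable text nor zlib output; it does not prove the value is encrypted.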
     
  15. Peyomp

    Peyomp New Member

    SQLite's encryption engine is a better solution for us. It simply encrypts via the storage engine using RC4 with the first half K of the key tossed. And it is only $2000 for a corporate license with no other royalty.
     
  16. deusexaethera

    deusexaethera OT Supporter

    My solution is free. :dunno:
     
  17. Peyomp

    Peyomp New Member

    How would I use that DLL from perl?

    Keeping in mind that my time is expensive, and that the time of others who seek to integrate with this system later is expensive, a $2000 database with an encrypted storage engine is very, very cheap. The worst thing would be for someone to roll their own solution and then make it a nightmare for someone else to connect to it or deal with it in the future.
     
  18. deusexaethera

    deusexaethera OT Supporter

    Point conceded.
     
  19. Peyomp

    Peyomp New Member

    I might have uh... actually run into a situation in my career where someone DID roll their own encrypted database, and it was impossible for me to query it without creating a custom client. Using off the shelf components is sooooo much better in this case. :)
     
  20. RaginBajin

    RaginBajin Have you punched a donkey today?

    Joined:
    Dec 24, 2001
    Messages:
    8,740
    Likes Received:
    0
    Location:
    NoVA
    Does all the data have to be encrypted or just pieces of it?

    The reason I ask is because where I work we charge customers for our service. Since we bill people, we have to encrypt their credit card #'s. One system I have seen uses a trigger to encrypt data coming into the table, and then has a stored procedure to decrypt data when it comes out.

    Another idea, depending on how your application works, is to just encrypt via stored procedure both in and out. That might involve changing any web services that you might have, but it isn't that bad to do. Plus, you can encrypt the stored procedure if you are using the bigger DBs, but probably can't do it in MySQL.
     
  21. Peyomp

    Peyomp New Member

    All of it will be encrypted. The SQLite thing is just ideal for us.
     
