Re: database password and encryption
From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 12/22/04
Date: Wed, 22 Dec 2004 19:44:19 +0100
I sent you a link because it describes exactly what you are trying to
achieve:
you want to give a piece of encrypted information (database) together with
information sufficient to derive encryption keys and decryption code itself
to the user and hope that would protect your data... That's exactly what
Cory Doctorow was talking about...
And btw, encryption is not about protection of information. It's about
REDUCING the problem of protecting big pieces of information to the problem
of protecting much smaller pieces of data (encryption keys or any entropy
used for deriving these encryption keys). Using 256 bit AES doesn't protect
anything as long as keys are not appropriately protected, and you simply
can't properly protect them when you need them to be used on end user
computers.
-Valery.
http://www.harper.no/valery
"Zachovich" <Zachovich@discussions.microsoft.com> wrote in message
news:FB0C50D8-C17E-4DE7-A591-14B6E9896FF5@microsoft.com...
> Excellent read! Thanks!
>
> But that's not what I asked and it doesn't answer my questions.
>
> I know the basic concepts about encryption.
>
> I know when and where to use it.
>
> I know when and where not to use it.
>
> I know when there is no point in using it.
>
> I take all that in consideration when I design applications.
>
> In this application, I need a relational database that is accessible by my
> application only. Yes, I realize, anything that is protected can be
> unprotected, but this application will not see a very wide audience, so I
> don't think it will see any very advanced software crackers.
>
> So, if I can get a relational database encrypted with 256 bit Rijndael...
> that would be fine...
>
> thanks
>
>
> "Valery Pryamikov" wrote:
>
>> Here is the link to a great answer to your question by Cory Doctorow:
>> http://craphound.com/msftdrm.txt
>>
>> -Valery.
>> http://www.harper.no/valery
>>
>> "Zachovich" <Zachovich@discussions.microsoft.com> wrote in message
>> news:E7779A22-2693-438D-A766-41983AD94DBE@microsoft.com...
>> > I am planning an application that uses a relational database. The
>> > database has to be secure.
>> >
>> > When a user installs my program on their PC I don't want them to have
>> > access to my database except through the program. That is a problem I
>> > ran into with MSDE. Since the database is not actually encrypted with a
>> > key based on the password, but in a way that the "administrator" can at
>> > all times access it, the owner of the PC (naturally the administrator)
>> > can easily open my database without any special tools or knowledge.
>> >
>> > When my program will install, it will automatically copy a new database
>> > file to the disk. Will there be any way I can prevent the owner from
>> > logging onto the SQL Server as the administrator and help himself? Can I
>> > lock the administrator out of my database? What I was anticipating is
>> > that each database will optionally have an additional password that you
>> > need in order to open it, regardless of which user you are logged on as.
>> > Currently the only way to do that would be to "hog" the MSDE
>> > installation by changing the <SA> password. But then I would be locking
>> > out any other programs wanting to use the MSDE.
>> >
>> > I would like to know some technical security details of the SQL Server
>> > 2005 Express. Will I be able to select the encryption algorithm a
>> > database uses? Will I be able to disable Windows authentication for my
>> > database? Where will the password to the database be stored? Will the
>> > password be stored as a hash or two-way encrypted? I read that the
>> > databases may be moved like any typical file (unlike MSDE), that almost
>> > makes me jump to the conclusion that all the security information
>> > (password, etc.) must reside in a single file, is that true?
>> >
>> > I appreciate any assistance applied to this issue.
>>
>>
>>
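
The key-protection point made in the reply above, as an added example that is not part of the original thread: it checks whether the files installed on the end user's machine are, by themselves, enough to decrypt the database. The HMAC-SHA256 keystream is a standard-library stand-in for 256-bit AES, and the file names, `client_install` and `recoverable_from_disk` are hypothetical.

```python
import hashlib, hmac, os

def derive_key(secret: bytes, salt: bytes) -> bytes:
    # 256-bit key derived from whatever entropy the application relies on
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=32)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib stand-in for AES-256 (assumption, demo only)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

ROWS = b"id=1;name=constructed sample row"  # constructed sample data

def client_install(secret_shipped: bool):
    """Return (files on the end user's disk, secret known to the vendor)."""
    secret, salt = os.urandom(32), os.urandom(16)
    files = {"app.db": seal(derive_key(secret, salt), ROWS), "app.salt": salt}
    if secret_shipped:
        files["app.exe:embedded_secret"] = secret  # key material inside the program
    return files, secret

def recoverable_from_disk(files: dict) -> bool:
    """True when the installed files alone are enough to decrypt app.db."""
    secret = files.get("app.exe:embedded_secret")
    if secret is None:
        return False  # a key input is not on this machine
    return unseal(derive_key(secret, files["app.salt"]), files["app.db"]) == ROWS

if __name__ == "__main__":
    for shipped in (True, False):
        files, _ = client_install(shipped)
        print(f"secret shipped={shipped}: readable from disk={recoverable_from_disk(files)}")
```

The cipher and key length are identical in both installs; the only thing that changes the result is where the key input lives.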