Re: Newbie Salt and Pass Phrase Question.
- From: Larry Lindstrom <nobody@xxxxxxxxxxx>
- Date: Wed, 28 Jun 2006 10:38:28 -0700
Paul Rubin wrote:
> Larry Lindstrom <nobody@xxxxxxxxxxx> writes:
>> How do I accommodate an organization that chooses to share member
>> data among its users, while encrypting the personal fields?
>
> You have a security problem, not especially a cryptography problem.
> If you describe your application more specifically, we may be able
> to help you more. For example, is it a server side application?

Thanks Paul, and everybody:
The database contains private (names, addresses, phone numbers, etc.)
info on club members. I'm not selecting on this personal data with
queries, so these fields will be encrypted. Fields that will be used
for SQL WHERE clauses will be kept in plain text. For this reason
certain items that might be considered personal, age, proficiency in
a particular activity, and perhaps postal zip codes, will be in clear
text.
Database engine:
The database is Firebird, a freeware open source project.
Firebird Windows package offers a choice of two DLLs. Client-
server, with the database living on a central server, or embedded
server, with the server living in a DLL on the client's computer.
The embedded server can also be used in client-server mode.
I've installed the server on Solaris, and plan on supporting
other Unix and Linux servers.
In the first version of this software, a base version sold by my
client, the embedded setup is transparent to the user, they don't
even know there is a database.
If the Firebird database file is copied to any computer running
Firebird embedded, there is nothing to prevent every field of every
table from being read.
Application:
My biggest problem right now is my ignorance of crypto and
security issues.
The second biggest problem confronting me is that security was
not on the table when I built my client's product. In exchange for
me delivering 60 thousand lines of C++ for very little cash I've
been given the right to sell this product outside of his business
sector. To do that I need to add features, and one feature is
security for the personal information in the database.
So now I'm sticking security on like a Band Aid, as opposed to
designing it into the fabric of this product.
My client, a tennis coach, tells me other coaches at the same
facility may attempt to poach clients from their co-workers. So some
situations may involve protection of data from others in the
organization.
I'm describing a complex web of security issues. Think of these
as items on a wish list. I don't need to solve all of them now. I
would like a product I can market pretty soon.
For example, I'd like to allow users to share data on a central
server while protecting it from unauthorised access. I hope I can
offer this, but if that goal requires a month of coding, it can
wait for version 1.1.
I do need to offer a reasonable level of protection to my users
and the people who are represented in the database, and I need to
cover my own behind legally when someone compromises the database's
security.
I'm not sure what you want to know, but I hope this is useful.
Again, and again, and again, I appreciate all of the advice I've
received.
Thanks
Larry.