
Thread: Secure DB

  1. #1
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8

    Question Unanswered: Secure DB

    I want to secure a database that is to be used on a client computer.

    I only want my application to be able to access it. Not even a "sa" or a computer administrator should be able to access it.

    As of now it's an MSDE database with stored procedures. Does Microsoft provide this feature?
    Maybe another DB-provider is an option?
    Or encrypt the content perhaps? (not my favourite choice)

    Best Regards.
    Erik

  2. #2
    Join Date
    Nov 2002
    Location
    Jersey
    Posts
    10,322
    Seriously?
    Brett
    8-)

    It's a Great Day for America everybody!

    I'm Good Once as I ever was

    The physical order of data in a database has no meaning.

  3. #3
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8
    Originally posted by Brett Kaiser
    Seriously?
    Yes Brett...

  4. #4
    Join Date
    Jul 2003
    Location
    The Dark Planet
    Posts
    1,401
    MOO :
    You can make a Database only as secure as the filesystem. There is no way you can prevent a computer administrator from copying the files of the DB.


    Seriously?
    That was a good one ... Brett.
    Last edited by Enigma; 11-26-03 at 23:25.
    Get yourself a copy of the The Holy Book

    order has no physical Brett in The meaning of a Kaiser . -database data

  5. #5
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8

    Misunderstanding?

    Sorry, maybe I've been unclear...
    If I get the solution that I want, I don't care if they copy the db-file itself, since they can't read it.

    Ok... Easier example: Picture a password protected .zip file. Only my app has the password to get the data inside it. Everyone can copy the zip file, but no one else can open and read the data from it except my app (since it's the only one that got the password). I want the same thing with the db.

    / Erik

  6. #6
    Join Date
    Jul 2003
    Location
    The Dark Planet
    Posts
    1,401

    Re: Misunderstanding?

    Originally posted by Overone
    Sorry, maybe I've been unclear...
    If I get the solution that I want, I don't care if they copy the db-file itself, since they can't read it.

    Ok... Easier example: Picture a password protected .zip file. Only my app has the password to get the data inside it. Everyone can copy the zip file, but no one else can open and read the data from it except my app (since it's the only one that got the password). I want the same thing with the db.

    / Erik
    Let's say ... I get the ldf and mdf files after stopping the services on SQL Server. I copy those onto another machine having SQL Server and attach the files. Now I can read whatever is in the db using dbo of the new SQL Server.

    Point made : Database files are not like password protected zip files (at least MOO)

  7. #7
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8

    Point made: obvious...

    Yes, exactly... I know that. That's one of the problems I want to avoid...

    So, to my original question...
    Can I somehow protect / lock my db?
    Or do I have to encrypt the content?
    Or do I have to change datasource / db-provider?

    This is to be a client application, and I don't want "anybody" to have access to the content of the db, except from using the application.

  8. #8
    Join Date
    Sep 2003
    Posts
    65
    If you don't want anyone to be able to read the contents.

    You need to use encryption on each piece of data.

    So, one-way hash where you can, and where you need to decrypt, use some other encryption.

    However, the administrator of the server where your web content is, can open your config files, find the db connection string, and the decrypt method, and grab all your data.

    So, if you're trying to hide this data from everyone, try and learn to trust the administrators ;-).

    If, however, the web content is hosted elsewhere, and you just don't trust the host of the database, encrypting everything is a possible solution.

    It isn't pretty, but put the decryption method in a dll file, and just send everything through it before use.
    -Ashleigh
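
Added example (not part of Ashleigh's post or of the thread): the "hash where you can, encrypt where you must decrypt" split described above, sketched with Node.js's built-in `crypto` module. The language, column names, sample values and passphrase are assumptions constructed for illustration; the thread's own application code is not shown.

```javascript
const crypto = require('crypto');

// One-way: store salt + scrypt digest; the value itself cannot be read back.
function hashField(value) {
  const salt = crypto.randomBytes(16);
  const digest = crypto.scryptSync(value, salt, 32);
  return `${salt.toString('hex')}:${digest.toString('hex')}`;
}

function verifyField(value, stored) {
  const [saltHex, digestHex] = stored.split(':');
  const expected = Buffer.from(digestHex, 'hex');
  const actual = crypto.scryptSync(value, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Reversible: AES-256-GCM with a fresh 12-byte nonce per value. The column
// name is bound as associated data, so a ciphertext copied into another
// column (or modified on disk) fails authentication instead of decrypting.
function encryptField(key, column, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(column, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(key, column, stored) {
  const raw = Buffer.from(stored, 'base64'); // layout: nonce(12) | tag(16) | ciphertext
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(column, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// The key is the whole secret: whoever can read it (from a config file or
// from the shipped application) can decrypt every field. Here it is derived
// from a passphrase supplied at run time; the salt is a constructed constant.
function deriveKey(passphrase) {
  return crypto.scryptSync(passphrase, 'constructed-app-salt', 32);
}

// Constructed sample row as it would be written to the database.
function sampleRow(key) {
  return {
    pin_hash: hashField('4711'),
    card_no: encryptField(key, 'card_no', '1234-5678-0000'),
  };
}
```

A copied database file then exposes only digests and ciphertext; the protection is exactly as strong as the handling of the key, which is the limitation the post goes on to describe.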

  9. #9
    Join Date
    Jul 2003
    Location
    The Dark Planet
    Posts
    1,401
    Though I think there are decryptors available for SQL Server encryption.

  10. #10
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8
    Thanx Ashleigh...

    I'm gonna look at some 3rd party encrypting software now... I'm also gonna take a look at some other db-provider. (Someone said that mySQL could provide a similar feature.)

    The reason I can't trust the administrator is that there won't be any administrators around. Just a simple client installation for "anyone" to use.
    So, it's not an everyday SQL-server that's managed by someone and just provides answers through i.e. webservices. The db will be on every client machine. And the only way I want people to get the information in the db is through my app.


    / Erik

  11. #11
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8
    enigma:
    SQL Server's own encryption is not the way to go. As you said there are numerous decryptors around.

    The reason for my original question was to avoid encryption in the first place, since it's a pain in the ass. I just thought that maybe someone has had the same "problem" that I got, and found an easy solution...

  12. #12
    Join Date
    Jul 2003
    Location
    The Dark Planet
    Posts
    1,401
    This might help you ...

    Here

    Though it's again an encryption algorithm only !!!

  13. #13
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8
    They have a tool called xp_crypt that I've looked at that supports both encrypt and decrypt of data, but still it's a bit "too much" work to implement...

  14. #14
    Join Date
    Sep 2003
    Posts
    65
    What are you using?

    I have a dll compiled from C# source code which encrypts and decrypts data.

    It is kinda long, so I won't paste it in here.

    It is very very easy to use though.
    You just send it a string and a key (8 character string, which is used to encrypt and decrypt the data, you make the key up yourself).

    If you want it (and anyone else) just mail me ashgreen@platypussoftware.com.au

    and I'll mail you the files

    -Ashleigh

  15. #15
    Join Date
    Nov 2003
    Location
    Right next to you...
    Posts
    8
    Thanx Ashleigh...

    Unfortunately it's written in VB...
    I think I'll have a better look at xp_crypt. It seems to be pretty fast as well...


    / Erik
