[Firebird-devel] ODP: Re: Several connections to encrypted database in SS mode

hi, i am really surprised why db file itself contain info about i am encrypted or not. this should be configured by databaseName.conf file. if this file not exists then server should try to work with database as it is unencrypted. plugin should process db config info throught interface

Re: [Firebird-devel] Struggling with authentication

fbclient.dll is a dependency that we try to avoid in pure drivers : Java , .Net , python , javascript , golang ... we need a clear spec for the protocol so it can be implemented in other languages like pascal ... On Wed, Nov 18, 2015 at 6:04 PM, Dimitry Sibiryakov wrote: >

Re: [Firebird-devel] Struggling with authentication

Because most java developers don't want native dependencies, as they are annoying when your application is deployed on systems with different architectures, it has a performance overhead, bugs in native dependencies can crash the jvm. I really want a overview of the messages exchanged and the

Re: [Firebird-devel] Several connections to encrypted database in SS mode

> > Again, I feel that they issue of client/server connection encryption and > database encryption are being co-mingled. > > > > Database encryption is about the engine's ability to access/work with a > database, there should be absolutely no client dependency. > > More than 80% of encryption

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 20:27, Leyne, Sean wrote: > > Are you saying that the only mode that database encryption will work, is the > one which satisfies only 80% of the installs? Nope. You've been told that *both* key management modes (purely server-side and via client callback) are supported. You asked why

Re: [Firebird-devel] Several connections to encrypted database in SS mode

> Sometimes it's highly desired not to let standard tools access encrypted > database - first of all for distributed databases. That is what user credentials/grants are for. That is not the role of database encryption. Sean

[Firebird-devel] [FB-Tracker] Created: (CORE-5022) Regression(?): UNION allows to select data of different types (null, date, double precision, string)

Regression(?): UNION allows to select data of different types (null, date, double precision, string) Key: CORE-5022 URL:

Re: [Firebird-devel] Several connections to encrypted database in SS mode

> 2 main usages of database encryption: > - protect distributed database from unauthorized access, Actually, no! Access control is not what database encryption is about. > - protect database from access if server became physically available to third > party (something like stolen). Physical

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 18:27, Leyne, Sean wrote: > this is solution should be described in the context of how the embedded > engine will support encryption. This thread was about SS/other engines. There is no such things in Firebird 3. Only one engine is used everywhere. -- WBR, SD.

[Firebird-devel] [FB-Tracker] Created: (CORE-5021) Extend the "update conflict" message

Extend the "update conflict" message Key: CORE-5021 URL: http://tracker.firebirdsql.org/browse/CORE-5021 Project: Firebird Core Issue Type: Improvement Components: Engine Reporter:

[Firebird-devel] Authentication, Encryption, Plugins, and All That

From a developmental perspective, I think it makes more sense to first develop an integrated authentication/encryption feature, then later, if warranted, generalize it as a plugin. Trying to design a plugin interface to subsystem that is not well understood awkward, difficult, and likely to

Re: [Firebird-devel] Struggling with authentication

On 11/18/2015 02:09 PM, Mark Rotteveel wrote: > I am still working with implementing the authentication for Firebird 3. > And I want some one to document and describe the exact exchange of > messages to me **without referring to the C++ code**, especially with > regard to multiple authentication

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/18/2015 05:45 PM, Adriano dos Santos Fernandes wrote: > On 18/11/2015 12:36, Alex Peshkoff wrote: >> On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote: >>> On 18/11/2015 11:40, Alex Peshkoff wrote: On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote: > On 17/11/2015

Re: [Firebird-devel] Struggling with authentication

18.11.2015 16:48, Mark Rotteveel wrote: > You don't seem to realise how hard it is to implement a protocol if you > only have hard to follow source code available in a language you are not > fluent in, and when some cases seem to work and others don't. I am > seriously considering to quit

Re: [Firebird-devel] ODP: Re: Database UUID

18.11.2015 19:06, Dimitry Sibiryakov wrote: > 18.11.2015 16:37, liviuslivius wrote: >> what is the purpose of this uuid? >> I disconnect all users and copy db file and i have now two db with same uuid. > > Yes. And then database encryption and replication subsystems (or any other > code that >

Re: [Firebird-devel] Struggling with authentication

On 11/18/2015 07:04 PM, Dimitry Sibiryakov wrote: > 18.11.2015 16:48, Mark Rotteveel wrote: >> You don't seem to realise how hard it is to implement a protocol if you >> only have hard to follow source code available in a language you are not >> fluent in, and when some cases seem to work and

[Firebird-devel] ODP: Re: Database UUID

Hi, what is the purpose of this uuid?I disconnect all users and copy db file and i have now two db with same uuid. regards,Karol Bieniaszewski Pozdrawiam Oryginalna wiadomość Od: Dmitry Yemanov Data: 18.11.2015 12:38 (GMT+01:00) Do: For

Re: [Firebird-devel] Struggling with authentication

On 18-11-2015 16:35, Alex Peshkoff wrote: > On 11/18/2015 02:09 PM, Mark Rotteveel wrote: >> I am still working with implementing the authentication for Firebird 3. >> And I want some one to document and describe the exact exchange of >> messages to me **without referring to the C++ code**,

Re: [Firebird-devel] Several connections to encrypted database in SS mode

> > Are you saying that the only mode that database encryption will work, is > the one which satisfies only 80% of the installs? > > Nope. You've been told that *both* key management modes (purely server- > side and via client callback) are supported. You asked why client needs to be > in the

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 18:55, Leyne, Sean wrote: > What is the sequence of operations for server-side key management? Crypt plugin either get the key somehow itself, or ask all configured key holder plugins for it. -- WBR, SD.

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/18/2015 08:27 PM, Leyne, Sean wrote: > >>> Again, I feel that they issue of client/server connection encryption and >> database encryption are being co-mingled. >>> Database encryption is about the engine's ability to access/work with a >> database, there should be absolutely no client

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/18/2015 08:45 PM, Leyne, Sean wrote: >> 2 main usages of database encryption: >> - protect distributed database from unauthorized access, > Actually, no! Access control is not what database encryption is about. Sean, may be "access" is bad word here. I've meant that _only_ special

Re: [Firebird-devel] Database UUID

On 11/18/2015 09:11 PM, Leyne, Sean wrote: >>> How should it be retrieved by the client? >> No way. If someone ask for it, new item can be added to >> isc_get_database_info(). > Should be added as virtual column of RDB$Database table I suppose Dmitry wanted to use uuid (except other) as an

Re: [Firebird-devel] Database UUID

> > How should it be retrieved by the client? > >No way. If someone ask for it, new item can be added to > isc_get_database_info(). Should be added as virtual column of RDB$Database table > > When/how should it be created for already existing ODS12 databases? > >At restore. Agree >

Re: [Firebird-devel] Database UUID

> >> Should nbackup preserve or reset it? > > > > Preserve because technically it is the same database. > > Here we disagree. It becomes a different database after fixup/restore, even > being a page-level copy of the original one. While I see your point about the database being different,

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 19:05, Alex Peshkoff wrote: > In remote case it will have to send secret key over > the wire to probably modified engine. No idea how can it be secure. Server security is not our thing. -- WBR, SD. --

Re: [Firebird-devel] Struggling with authentication

On 11/18/2015 07:59 PM, Mark Rotteveel wrote: > Because most java developers don't want native dependencies, as they are > annoying when your application is deployed on systems with different > architectures, it has a performance overhead, bugs in native dependencies can > crash the jvm. > I

Re: [Firebird-devel] Database UUID

18.11.2015 19:36, Alex Peshkoff wrote: > But Iagree, from all other aspects placing databases ID in RDB$Database > table is better. MON$DATABASE if you wish. > For example it's stored encrypted. What's the point? -- WBR, SD.

Re: [Firebird-devel] Database UUID

18.11.2015 21:17, Leyne, Sean wrote: > > Consider: I want to restore a copy of my production database to my testing > system and have the same UUID as Live because I have defined a number of > config/operational values based on the UUID. Consider: I have a replication set up with replica B

Re: [Firebird-devel] Database UUID

Hi, but why to store something into database? 1. This should be in config file for database e.g. my_fb.db my_fb.db.conf and in my_fb.db.conf UUID=something 2. in the same config file CRYPT_PLUGIN=my_crypt_plugin 3. if more then one database should use some crypt plugin then something

Re: [Firebird-devel] Database UUID

Dmitry, > > Consider: I want to restore a copy of my production database to my testing > system and have the same UUID as Live because I have defined a number of > config/operational values based on the UUID. > > Consider: I have a replication set up with replica B linked to source database > A

Re: [Firebird-devel] Database UUID

18.11.2015 13:59, Dimitry Sibiryakov wrote: > > Do I understand right that clumplets in header page are not a part of ODS, so > subj can > be added to them even now? What do you mean by "now"? v3 RC2? Dmitry --

Re: [Firebird-devel] Database UUID

18.11.2015 14:24, Dimitry Sibiryakov wrote: >> What do you mean by "now"? v3 RC2? > > Tomorrow. ;) Yes, in v3 RC2. Adding it is one part of the deal. How should it be retrieved by the client? When/how should it be created for already existing ODS12 databases? What if application relies on it

Re: [Firebird-devel] Database UUID

18.11.2015 13:45, Dimitry Sibiryakov wrote: > 18.11.2015 12:38, Dmitry Yemanov wrote: ... >> When/how should it be created for already existing ODS12 >> databases? > > At restore. May be - on "alter database encrypt". As you really need way to identify encryption key (not a database

Re: [Firebird-devel] Database UUID

18.11.2015 14:45, Dimitry Sibiryakov wrote: >> How should it be retrieved by the client? > > No way. Why do we need something that nobody can use? >> Should nbackup preserve or reset it? > > Preserve because technically it is the same database. Here we disagree. It becomes a

Re: [Firebird-devel] Database UUID

18.11.2015 13:17, Dmitry Yemanov wrote: > 18.11.2015 14:45, Dimitry Sibiryakov wrote: >>> >> How should it be retrieved by the client? >> > >> > No way. > Why do we need something that nobody can use? To use it at server side. At least the ID should be in gstat output. This way a user

Re: [Firebird-devel] Database UUID

18.11.2015 14:05, Alex Peshkoff wrote: >> Leave it to crypto-plugin. Key holder has a way to receive the >> information from it if >> >needed. >> > > No, I will not. Holder may need this info before crypto-plugin started. Why? At this point a key holder doesn't even know if a key will be

[Firebird-devel] Database UUID

Hello, All. Do I understand right that clumplets in header page are not a part of ODS, so subj can be added to them even now? -- WBR, SD. -- Firebird-Devel mailing list, web interface at

Re: [Firebird-devel] Is security3.fdb mandatory always?

2015.11.18. 10:16 keltezéssel, Gabor Boros írta: > Hi All, > > My whole databases.conf: > > MYDB = /home/DB/MYDB.FDB > { > SecurityDatabase = MYDB > } > > > MYDB initialized correctly(users created) and works like a charm but > only when security3.fdb exists. If rename to security3_fdb I got

Re: [Firebird-devel] Database UUID

18.11.2015 12:15, Dmitry Yemanov wrote: > What do you mean by "now"? v3 RC2? Tomorrow. ;) Yes, in v3 RC2. -- WBR, SD. -- Firebird-Devel mailing list, web interface at

Re: [Firebird-devel] Database UUID

18.11.2015 14:04, Dimitry Sibiryakov wrote: > 18.11.2015 13:00, Vlad Khorsun wrote: >> As you really need way to identify encryption key (not a database >> itself) i >> suggest you to ask for key name (key ID) stored at header page. And it >> already >> was discussed recently. > > This

Re: [Firebird-devel] Database UUID

On 11/18/2015 03:04 PM, Dimitry Sibiryakov wrote: > 18.11.2015 13:00, Vlad Khorsun wrote: >> As you really need way to identify encryption key (not a database >> itself) i >> suggest you to ask for key name (key ID) stored at header page. And it >> already >> was discussed recently. >

Re: [Firebird-devel] Database UUID

On 11/18/2015 03:36 PM, Vlad Khorsun wrote: > 18.11.2015 14:04, Dimitry Sibiryakov wrote: >> 18.11.2015 13:00, Vlad Khorsun wrote: >>> As you really need way to identify encryption key (not a database >>> itself) i >>> suggest you to ask for key name (key ID) stored at header page. And it

Re: [Firebird-devel] Database UUID

18.11.2015 12:38, Dmitry Yemanov wrote: > How should it be retrieved by the client? No way. If someone ask for it, new item can be added to isc_get_database_info(). > When/how should it be created for already existing ODS12 > databases? At restore. May be - on "alter database encrypt".

Re: [Firebird-devel] Database UUID

18.11.2015 13:00, Vlad Khorsun wrote: > As you really need way to identify encryption key (not a database itself) > i > suggest you to ask for key name (key ID) stored at header page. And it already > was discussed recently. This solution has one problem: where this key ID must come from?

Re: [Firebird-devel] Database UUID

18.11.2015 13:36, Vlad Khorsun wrote: > Key name could be generated by crypto-plugin (or key holder ?) when > database is about to be > encrypted. Engine then must store it at header page. When attachment to the > encrypted db is > established engine extract key name and pass it to the

Re: [Firebird-devel] class ValueListNode in Nodes.h => Performance issues

On 18/11/2015 06:10, Arno Brinkman wrote: > Hi Adriano, > >> Arno, can you please verify now? >> It should still reset the array, but much less than before. > Yes!, this makes a big difference, for my sample the speed difference > between FB2.5 and FB3.0 now dropped from 125x to 3x slower for

[Firebird-devel] Struggling with authentication

I am still working with implementing the authentication for Firebird 3. And I want some one to document and describe the exact exchange of messages to me **without referring to the C++ code**, especially with regard to multiple authentication plugins and acceptance or reject of the

Re: [Firebird-devel] Database UUID

18.11.2015 13:45, Alex Peshkoff wrote: >> Engine then must store it at header page. When attachment to the encrypted >> db is >> >established engine extract key name and pass it to the crypto-plugin (or >> >key holder ?) > May be better both? Leave it to crypto-plugin. Key holder has a way

Re: [Firebird-devel] Database UUID

On 11/18/2015 03:52 PM, Dimitry Sibiryakov wrote: > 18.11.2015 13:45, Alex Peshkoff wrote: >>> Engine then must store it at header page. When attachment to the encrypted >>> db is established engine extract key name and pass it to the crypto-plugin (or key holder ?) >> May be better

Re: [Firebird-devel] Database UUID

On 11/18/2015 03:44 PM, Dimitry Sibiryakov wrote: > 18.11.2015 13:36, Vlad Khorsun wrote: >> Key name could be generated by crypto-plugin (or key holder ?) when >> database is about to be >> encrypted. Engine then must store it at header page. When attachment to the >> encrypted db is >>

Re: [Firebird-devel] class ValueListNode in Nodes.h => Performance issues

Hi Adriano, > Arno, can you please verify now? > It should still reset the array, but much less than before. Yes!, this makes a big difference, for my sample the speed difference between FB2.5 and FB3.0 now dropped from 125x to 3x slower for "prepare time". I've been looking at the code to,

[Firebird-devel] Is security3.fdb mandatory always?

Hi All, My whole databases.conf: MYDB = /home/DB/MYDB.FDB { SecurityDatabase = MYDB } MYDB initialized correctly(users created) and works like a charm but only when security3.fdb exists. If rename to security3_fdb I got "Unable to complete..." error at remote connection. security3.fdb

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 18/11/2015 11:40, Alex Peshkoff wrote: > On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote: >> On 17/11/2015 14:48, Dimitry Sibiryakov wrote: >>> 17.11.2015 17:40, Leyne, Sean wrote: For me, the sequence of operations for accessing a database would be: - Client initiates

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/17/2015 07:48 PM, Dimitry Sibiryakov wrote: > 17.11.2015 17:40, Leyne, Sean wrote: >> For me, the sequence of operations for accessing a database would be: >> >> - Client initiates connection to remote server, requesting access to >> database XYZ.fdb (there is nothing new in the connection

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote: > On 17/11/2015 14:48, Dimitry Sibiryakov wrote: >> 17.11.2015 17:40, Leyne, Sean wrote: >>> For me, the sequence of operations for accessing a database would be: >>> >>> - Client initiates connection to remote server, requesting access

Re: [Firebird-devel] Database UUID

18.11.2015 14:21, Alex Peshkoff wrote: > If you do not want to use it in your plugin you are free to ignore it. > For other plugins it's OK to load the key at once if it's name is stored > in database in order to avoid callback to client in some funny place > like AST. Say, we have in

Re: [Firebird-devel] Database UUID

On 11/18/2015 04:10 PM, Dimitry Sibiryakov wrote: > 18.11.2015 14:05, Alex Peshkoff wrote: >>> Leave it to crypto-plugin. Key holder has a way to receive the >>> information from it if needed. >> No, I will not. Holder may need this info before crypto-plugin started. > Why? At

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 15:20, Adriano dos Santos Fernandes wrote: > What about the callback set in the dispatcher? Utilities that are not aware of crypt key don't ever set it. Besides, it is up to key holder plugin whether to call it. -- WBR, SD.

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote: > On 18/11/2015 11:40, Alex Peshkoff wrote: >> On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote: >>> On 17/11/2015 14:48, Dimitry Sibiryakov wrote: 17.11.2015 17:40, Leyne, Sean wrote: > For me, the sequence of

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 15:36, Alex Peshkoff wrote: > In second > case it should work, but it's not reasonable to store key on clients > cause it will be enough to have single client machine (together with > server) to solve access problem. Another way to provide a key should be > used. It is enough to

Re: [Firebird-devel] Several connections to encrypted database in SS mode

18.11.2015 14:44, Adriano dos Santos Fernandes wrote: > Applications developers will need to develop their own tools to work > with encrypted databases outside their applications? No, just use appropriate key holder to provide the key for every connect, including standard utilities. --

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 18/11/2015 11:57, Dimitry Sibiryakov wrote: > 18.11.2015 14:44, Adriano dos Santos Fernandes wrote: >> Applications developers will need to develop their own tools to work >> with encrypted databases outside their applications? >No, just use appropriate key holder to provide the key for

Re: [Firebird-devel] Several connections to encrypted database in SS mode

On 18/11/2015 12:36, Alex Peshkoff wrote: > On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote: >> On 18/11/2015 11:40, Alex Peshkoff wrote: >>> On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote: On 17/11/2015 14:48, Dimitry Sibiryakov wrote: > 17.11.2015 17:40, Leyne,

Re: [Firebird-devel] Database UUID

18.11.2015 23:20, Leyne, Sean wrote: > > as long as UUID and Crypt Database ID are understood to be separate values Here I completely agree. Dmitry -- Firebird-Devel mailing list, web interface at