hi,
i am really surprised why db file itself contain info about i am encrypted or
not. this should be configured by databaseName.conf file.
if this file not exists then server should try to work with database as it is
unencrypted.
plugin should process db config info throught interface
fbclient.dll is a dependency that we try to avoid in pure drivers : Java ,
.Net , python , javascript , golang ...
we need a clear spec for the protocol so it can be implemented in other
languages like pascal ...
On Wed, Nov 18, 2015 at 6:04 PM, Dimitry Sibiryakov
wrote:
>
Because most java developers don't want native dependencies, as they are
annoying when your application is deployed on systems with different
architectures, it has a performance overhead, bugs in native dependencies can
crash the jvm.
I really want a overview of the messages exchanged and the
> > Again, I feel that they issue of client/server connection encryption and
> database encryption are being co-mingled.
> >
> > Database encryption is about the engine's ability to access/work with a
> database, there should be absolutely no client dependency.
>
> More than 80% of encryption
18.11.2015 20:27, Leyne, Sean wrote:
>
> Are you saying that the only mode that database encryption will work, is the
> one which satisfies only 80% of the installs?
Nope. You've been told that *both* key management modes (purely
server-side and via client callback) are supported. You asked why
> Sometimes it's highly desired not to let standard tools access encrypted
> database - first of all for distributed databases.
That is what user credentials/grants are for.
That is not the role of database encryption.
Sean
Regression(?): UNION allows to select data of different types (null, date,
double precision, string)
Key: CORE-5022
URL:
> 2 main usages of database encryption:
> - protect distributed database from unauthorized access,
Actually, no! Access control is not what database encryption is about.
> - protect database from access if server became physically available to third
> party (something like stolen).
Physical
18.11.2015 18:27, Leyne, Sean wrote:
> this is solution should be described in the context of how the embedded
> engine will support encryption. This thread was about SS/other engines.
There is no such things in Firebird 3. Only one engine is used everywhere.
--
WBR, SD.
Extend the "update conflict" message
Key: CORE-5021
URL: http://tracker.firebirdsql.org/browse/CORE-5021
Project: Firebird Core
Issue Type: Improvement
Components: Engine
Reporter:
From a developmental perspective, I think it makes more sense to first
develop an integrated authentication/encryption feature, then later, if
warranted, generalize it as a plugin. Trying to design a plugin
interface to subsystem that is not well understood awkward, difficult,
and likely to
On 11/18/2015 02:09 PM, Mark Rotteveel wrote:
> I am still working with implementing the authentication for Firebird 3.
> And I want some one to document and describe the exact exchange of
> messages to me **without referring to the C++ code**, especially with
> regard to multiple authentication
On 11/18/2015 05:45 PM, Adriano dos Santos Fernandes wrote:
> On 18/11/2015 12:36, Alex Peshkoff wrote:
>> On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote:
>>> On 18/11/2015 11:40, Alex Peshkoff wrote:
On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote:
> On 17/11/2015
18.11.2015 16:48, Mark Rotteveel wrote:
> You don't seem to realise how hard it is to implement a protocol if you
> only have hard to follow source code available in a language you are not
> fluent in, and when some cases seem to work and others don't. I am
> seriously considering to quit
18.11.2015 19:06, Dimitry Sibiryakov wrote:
> 18.11.2015 16:37, liviuslivius wrote:
>> what is the purpose of this uuid?
>> I disconnect all users and copy db file and i have now two db with same uuid.
>
> Yes. And then database encryption and replication subsystems (or any other
> code that
>
On 11/18/2015 07:04 PM, Dimitry Sibiryakov wrote:
> 18.11.2015 16:48, Mark Rotteveel wrote:
>> You don't seem to realise how hard it is to implement a protocol if you
>> only have hard to follow source code available in a language you are not
>> fluent in, and when some cases seem to work and
Hi,
what is the purpose of this uuid?I disconnect all users and copy db file and i
have now two db with same uuid.
regards,Karol Bieniaszewski
Pozdrawiam
Oryginalna wiadomość
Od: Dmitry Yemanov
Data: 18.11.2015 12:38 (GMT+01:00)
Do: For
On 18-11-2015 16:35, Alex Peshkoff wrote:
> On 11/18/2015 02:09 PM, Mark Rotteveel wrote:
>> I am still working with implementing the authentication for Firebird 3.
>> And I want some one to document and describe the exact exchange of
>> messages to me **without referring to the C++ code**,
> > Are you saying that the only mode that database encryption will work, is
> the one which satisfies only 80% of the installs?
>
> Nope. You've been told that *both* key management modes (purely server-
> side and via client callback) are supported. You asked why client needs to be
> in the
18.11.2015 18:55, Leyne, Sean wrote:
> What is the sequence of operations for server-side key management?
Crypt plugin either get the key somehow itself, or ask all configured key
holder
plugins for it.
--
WBR, SD.
On 11/18/2015 08:27 PM, Leyne, Sean wrote:
>
>>> Again, I feel that they issue of client/server connection encryption and
>> database encryption are being co-mingled.
>>> Database encryption is about the engine's ability to access/work with a
>> database, there should be absolutely no client
On 11/18/2015 08:45 PM, Leyne, Sean wrote:
>> 2 main usages of database encryption:
>> - protect distributed database from unauthorized access,
> Actually, no! Access control is not what database encryption is about.
Sean, may be "access" is bad word here. I've meant that _only_ special
On 11/18/2015 09:11 PM, Leyne, Sean wrote:
>>> How should it be retrieved by the client?
>> No way. If someone ask for it, new item can be added to
>> isc_get_database_info().
> Should be added as virtual column of RDB$Database table
I suppose Dmitry wanted to use uuid (except other) as an
> > How should it be retrieved by the client?
>
>No way. If someone ask for it, new item can be added to
> isc_get_database_info().
Should be added as virtual column of RDB$Database table
> > When/how should it be created for already existing ODS12 databases?
>
>At restore.
Agree
>
> >> Should nbackup preserve or reset it?
> >
> > Preserve because technically it is the same database.
>
> Here we disagree. It becomes a different database after fixup/restore, even
> being a page-level copy of the original one.
While I see your point about the database being different,
18.11.2015 19:05, Alex Peshkoff wrote:
> In remote case it will have to send secret key over
> the wire to probably modified engine. No idea how can it be secure.
Server security is not our thing.
--
WBR, SD.
--
On 11/18/2015 07:59 PM, Mark Rotteveel wrote:
> Because most java developers don't want native dependencies, as they are
> annoying when your application is deployed on systems with different
> architectures, it has a performance overhead, bugs in native dependencies can
> crash the jvm.
> I
18.11.2015 19:36, Alex Peshkoff wrote:
> But Iagree, from all other aspects placing databases ID in RDB$Database
> table is better.
MON$DATABASE if you wish.
> For example it's stored encrypted.
What's the point?
--
WBR, SD.
18.11.2015 21:17, Leyne, Sean wrote:
>
> Consider: I want to restore a copy of my production database to my testing
> system and have the same UUID as Live because I have defined a number of
> config/operational values based on the UUID.
Consider: I have a replication set up with replica B
Hi,
but why to store something into database?
1.
This should be in config file for database
e.g.
my_fb.db
my_fb.db.conf
and in my_fb.db.conf
UUID=something
2. in the same config file
CRYPT_PLUGIN=my_crypt_plugin
3.
if more then one database should use some crypt plugin then
something
Dmitry,
> > Consider: I want to restore a copy of my production database to my testing
> system and have the same UUID as Live because I have defined a number of
> config/operational values based on the UUID.
>
> Consider: I have a replication set up with replica B linked to source database
> A
18.11.2015 13:59, Dimitry Sibiryakov wrote:
>
> Do I understand right that clumplets in header page are not a part of ODS, so
> subj can
> be added to them even now?
What do you mean by "now"? v3 RC2?
Dmitry
--
18.11.2015 14:24, Dimitry Sibiryakov wrote:
>> What do you mean by "now"? v3 RC2?
>
> Tomorrow. ;) Yes, in v3 RC2.
Adding it is one part of the deal. How should it be retrieved by the
client? When/how should it be created for already existing ODS12
databases? What if application relies on it
18.11.2015 13:45, Dimitry Sibiryakov wrote:
> 18.11.2015 12:38, Dmitry Yemanov wrote:
...
>> When/how should it be created for already existing ODS12
>> databases?
>
> At restore. May be - on "alter database encrypt".
As you really need way to identify encryption key (not a database
18.11.2015 14:45, Dimitry Sibiryakov wrote:
>> How should it be retrieved by the client?
>
> No way.
Why do we need something that nobody can use?
>> Should nbackup preserve or reset it?
>
> Preserve because technically it is the same database.
Here we disagree. It becomes a
18.11.2015 13:17, Dmitry Yemanov wrote:
> 18.11.2015 14:45, Dimitry Sibiryakov wrote:
>>> >> How should it be retrieved by the client?
>> >
>> > No way.
> Why do we need something that nobody can use?
To use it at server side.
At least the ID should be in gstat output. This way a user
18.11.2015 14:05, Alex Peshkoff wrote:
>> Leave it to crypto-plugin. Key holder has a way to receive the
>> information from it if
>> >needed.
>> >
> No, I will not. Holder may need this info before crypto-plugin started.
Why? At this point a key holder doesn't even know if a key will be
Hello, All.
Do I understand right that clumplets in header page are not a part of ODS,
so subj can
be added to them even now?
--
WBR, SD.
--
Firebird-Devel mailing list, web interface at
2015.11.18. 10:16 keltezéssel, Gabor Boros írta:
> Hi All,
>
> My whole databases.conf:
>
> MYDB = /home/DB/MYDB.FDB
> {
> SecurityDatabase = MYDB
> }
>
>
> MYDB initialized correctly(users created) and works like a charm but
> only when security3.fdb exists. If rename to security3_fdb I got
18.11.2015 12:15, Dmitry Yemanov wrote:
> What do you mean by "now"? v3 RC2?
Tomorrow. ;) Yes, in v3 RC2.
--
WBR, SD.
--
Firebird-Devel mailing list, web interface at
18.11.2015 14:04, Dimitry Sibiryakov wrote:
> 18.11.2015 13:00, Vlad Khorsun wrote:
>> As you really need way to identify encryption key (not a database
>> itself) i
>> suggest you to ask for key name (key ID) stored at header page. And it
>> already
>> was discussed recently.
>
> This
On 11/18/2015 03:04 PM, Dimitry Sibiryakov wrote:
> 18.11.2015 13:00, Vlad Khorsun wrote:
>> As you really need way to identify encryption key (not a database
>> itself) i
>> suggest you to ask for key name (key ID) stored at header page. And it
>> already
>> was discussed recently.
>
On 11/18/2015 03:36 PM, Vlad Khorsun wrote:
> 18.11.2015 14:04, Dimitry Sibiryakov wrote:
>> 18.11.2015 13:00, Vlad Khorsun wrote:
>>> As you really need way to identify encryption key (not a database
>>> itself) i
>>> suggest you to ask for key name (key ID) stored at header page. And it
18.11.2015 12:38, Dmitry Yemanov wrote:
> How should it be retrieved by the client?
No way. If someone ask for it, new item can be added to
isc_get_database_info().
> When/how should it be created for already existing ODS12
> databases?
At restore. May be - on "alter database encrypt".
18.11.2015 13:00, Vlad Khorsun wrote:
> As you really need way to identify encryption key (not a database itself)
> i
> suggest you to ask for key name (key ID) stored at header page. And it already
> was discussed recently.
This solution has one problem: where this key ID must come from?
18.11.2015 13:36, Vlad Khorsun wrote:
> Key name could be generated by crypto-plugin (or key holder ?) when
> database is about to be
> encrypted. Engine then must store it at header page. When attachment to the
> encrypted db is
> established engine extract key name and pass it to the
On 18/11/2015 06:10, Arno Brinkman wrote:
> Hi Adriano,
>
>> Arno, can you please verify now?
>> It should still reset the array, but much less than before.
> Yes!, this makes a big difference, for my sample the speed difference
> between FB2.5 and FB3.0 now dropped from 125x to 3x slower for
I am still working with implementing the authentication for Firebird 3.
And I want some one to document and describe the exact exchange of
messages to me **without referring to the C++ code**, especially with
regard to multiple authentication plugins and acceptance or reject of
the
18.11.2015 13:45, Alex Peshkoff wrote:
>> Engine then must store it at header page. When attachment to the encrypted
>> db is
>> >established engine extract key name and pass it to the crypto-plugin (or
>> >key holder ?)
> May be better both?
Leave it to crypto-plugin. Key holder has a way
On 11/18/2015 03:52 PM, Dimitry Sibiryakov wrote:
> 18.11.2015 13:45, Alex Peshkoff wrote:
>>> Engine then must store it at header page. When attachment to the encrypted
>>> db is
established engine extract key name and pass it to the crypto-plugin (or
key holder ?)
>> May be better
On 11/18/2015 03:44 PM, Dimitry Sibiryakov wrote:
> 18.11.2015 13:36, Vlad Khorsun wrote:
>> Key name could be generated by crypto-plugin (or key holder ?) when
>> database is about to be
>> encrypted. Engine then must store it at header page. When attachment to the
>> encrypted db is
>>
Hi Adriano,
> Arno, can you please verify now?
> It should still reset the array, but much less than before.
Yes!, this makes a big difference, for my sample the speed difference
between FB2.5 and FB3.0 now dropped from 125x to 3x slower for "prepare
time".
I've been looking at the code to,
Hi All,
My whole databases.conf:
MYDB = /home/DB/MYDB.FDB
{
SecurityDatabase = MYDB
}
MYDB initialized correctly(users created) and works like a charm but
only when security3.fdb exists. If rename to security3_fdb I got "Unable
to complete..." error at remote connection. security3.fdb
On 18/11/2015 11:40, Alex Peshkoff wrote:
> On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote:
>> On 17/11/2015 14:48, Dimitry Sibiryakov wrote:
>>> 17.11.2015 17:40, Leyne, Sean wrote:
For me, the sequence of operations for accessing a database would be:
- Client initiates
On 11/17/2015 07:48 PM, Dimitry Sibiryakov wrote:
> 17.11.2015 17:40, Leyne, Sean wrote:
>> For me, the sequence of operations for accessing a database would be:
>>
>> - Client initiates connection to remote server, requesting access to
>> database XYZ.fdb (there is nothing new in the connection
On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote:
> On 17/11/2015 14:48, Dimitry Sibiryakov wrote:
>> 17.11.2015 17:40, Leyne, Sean wrote:
>>> For me, the sequence of operations for accessing a database would be:
>>>
>>> - Client initiates connection to remote server, requesting access
18.11.2015 14:21, Alex Peshkoff wrote:
> If you do not want to use it in your plugin you are free to ignore it.
> For other plugins it's OK to load the key at once if it's name is stored
> in database in order to avoid callback to client in some funny place
> like AST.
Say, we have in
On 11/18/2015 04:10 PM, Dimitry Sibiryakov wrote:
> 18.11.2015 14:05, Alex Peshkoff wrote:
>>> Leave it to crypto-plugin. Key holder has a way to receive the
>>> information from it if
needed.
>> No, I will not. Holder may need this info before crypto-plugin started.
> Why? At
18.11.2015 15:20, Adriano dos Santos Fernandes wrote:
> What about the callback set in the dispatcher?
Utilities that are not aware of crypt key don't ever set it. Besides, it is
up to key
holder plugin whether to call it.
--
WBR, SD.
On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote:
> On 18/11/2015 11:40, Alex Peshkoff wrote:
>> On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote:
>>> On 17/11/2015 14:48, Dimitry Sibiryakov wrote:
17.11.2015 17:40, Leyne, Sean wrote:
> For me, the sequence of
18.11.2015 15:36, Alex Peshkoff wrote:
> In second
> case it should work, but it's not reasonable to store key on clients
> cause it will be enough to have single client machine (together with
> server) to solve access problem. Another way to provide a key should be
> used.
It is enough to
18.11.2015 14:44, Adriano dos Santos Fernandes wrote:
> Applications developers will need to develop their own tools to work
> with encrypted databases outside their applications?
No, just use appropriate key holder to provide the key for every connect,
including
standard utilities.
--
On 18/11/2015 11:57, Dimitry Sibiryakov wrote:
> 18.11.2015 14:44, Adriano dos Santos Fernandes wrote:
>> Applications developers will need to develop their own tools to work
>> with encrypted databases outside their applications?
>No, just use appropriate key holder to provide the key for
On 18/11/2015 12:36, Alex Peshkoff wrote:
> On 11/18/2015 04:44 PM, Adriano dos Santos Fernandes wrote:
>> On 18/11/2015 11:40, Alex Peshkoff wrote:
>>> On 11/17/2015 07:52 PM, Adriano dos Santos Fernandes wrote:
On 17/11/2015 14:48, Dimitry Sibiryakov wrote:
> 17.11.2015 17:40, Leyne,
18.11.2015 23:20, Leyne, Sean wrote:
>
> as long as UUID and Crypt Database ID are understood to be separate values
Here I completely agree.
Dmitry
--
Firebird-Devel mailing list, web interface at
65 matches
Mail list logo