Re: [sqlite] SQLite file security

[Kees Nuyt]

On Thu, 20 Nov 2008 12:47:26 +0530,
<[EMAIL PROTECTED]> wrote in General
Discussion of SQLite Database :

>I think the question by the original poster was about data security and
>not file security.  He probably does not mind if the file is copied, but
>the data should be decipherable only by his application.

The OP wrote:

>>> my issue is if any one finds my application is using 
>>> SQLite database they can [1] corrupt my database
>>> or they can [2] see the contents of my database using 
>>> a program(they can open my SQLite file).

So, he has two issues. The second issue was discussed a lot
already.

My point was about [1]: anyone with write access to the
databasefile can corrupt it, encrypted or not.

>-Shibu
-- 
  (  Kees Nuyt
  )
c[_]
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Timothy A. Sawyer]

I agree with that. However if I were writing such an application I would
worry about folks copying the database and possibly rendering the database
useless.

There are a few things that I would recommend.

To keep others from reading the database you will have to write some sort of
encryption routine into your application that uses a symmetric key - I would
recommend something that uses AES since this is the adopted standard,
however there are plenty of reasonable encryption routines available in the
public domain. Either the user has to type a password to unlock the key and
decrypt the database or you will have to store the key in a hash file that
is read when the application is open. I recommend that you get a copy of
"Applied Cryptography" by Bruce Schneier for more information on this
subject.

This will not prevent anyone from opening the encrypted database, however,
so you have to take care that your NTFS file permissions grant access to
only those authorized to access the database. Otherwise you would subject
the database to denial of service attacks by means of editing the encrypted
database and possibly corrupting it.

Bear in mind that no security controls are foolproof. If someone really
wants access, they are going to get it. All you are trying to do is make it
costly for potential attackers to access your data to a point where they
consider that the cost outweighs the value.

Timothy A. Sawyer, CISSP
Managing Director
MBD Solutions
Phone: (603) 546-7132
Web: http://www.mybowlingdiary.com
Email: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, November 20, 2008 2:17 AM
To: sqlite-users@sqlite.org
Subject: Re: [sqlite] SQLite file security

I think the question by the original poster was about data security and
not file security.  He probably does not mind if the file is copied, but
the data should be decipherable only by his application.

-Shibu

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kees Nuyt
Sent: Thursday, November 20, 2008 2:17 AM
To: General Discussion of SQLite Database
Subject: Re: [sqlite] SQLite file security

On Wed, 19 Nov 2008 12:31:22 +0530, "Satish"
<[EMAIL PROTECTED]> wrote in General Discussion of SQLite
Database <sqlite-users@sqlite.org>:

>Hi!
>
>  
>
>I am basically a windows application developer. I am developing an
>application for desktop which uses a database. I choose SQLite as my
>database and my issue is if any one finds my application is using
SQLite
>database they can corrupt my database or they can see the contents of
my
>database using a program(they can open my SQLite file).

The SQLite database is a normal file. The only thing that
can protect it is the security the Windows filesystem
offers. With NTFS, you have fine grained control over file
access.

>  Now my question is how I can provide security to my database for
>example no one can access my database except my application .how can I
>provide security
>
>Plz provide me best solution to provide security to my database without
any
>Data loss.

Use ACL. Run the application in an account that has access
to the file, Refuse access to all other accounts.

>Regards,
>
>Satish.G
-- 
  (  Kees Nuyt
  )
c[_]
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


DISCLAIMER:
This message contains privileged and confidential information and is
intended only for an individual named. If you are not the intended
recipient, you should not disseminate, distribute, store, print, copy or
deliver this message. Please notify the sender immediately by e-mail if you
have received this e-mail by mistake and delete this e-mail from your
system. E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive late
or incomplete or contain viruses. The sender, therefore,  does not accept
liability for any errors or omissions in the contents of this message which
arise as a result of e-mail transmission. If verification is required,
please request a hard-copy version.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Shibu.Narayanan]

I think the question by the original poster was about data security and
not file security.  He probably does not mind if the file is copied, but
the data should be decipherable only by his application.

-Shibu

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kees Nuyt
Sent: Thursday, November 20, 2008 2:17 AM
To: General Discussion of SQLite Database
Subject: Re: [sqlite] SQLite file security

On Wed, 19 Nov 2008 12:31:22 +0530, "Satish"
<[EMAIL PROTECTED]> wrote in General Discussion of SQLite
Database <sqlite-users@sqlite.org>:

>Hi!
>
>  
>
>I am basically a windows application developer. I am developing an
>application for desktop which uses a database. I choose SQLite as my
>database and my issue is if any one finds my application is using
SQLite
>database they can corrupt my database or they can see the contents of
my
>database using a program(they can open my SQLite file).

The SQLite database is a normal file. The only thing that
can protect it is the security the Windows filesystem
offers. With NTFS, you have fine grained control over file
access.

>  Now my question is how I can provide security to my database for
>example no one can access my database except my application .how can I
>provide security
>
>Plz provide me best solution to provide security to my database without
any
>Data loss.

Use ACL. Run the application in an account that has access
to the file, Refuse access to all other accounts.

>Regards,
>
>Satish.G
-- 
  (  Kees Nuyt
  )
c[_]
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


DISCLAIMER:
This message contains privileged and confidential information and is intended 
only for an individual named. If you are not the intended recipient, you should 
not disseminate, distribute, store, print, copy or deliver this message. Please 
notify the sender immediately by e-mail if you have received this e-mail by 
mistake and delete this e-mail from your system. E-mail transmission cannot be 
guaranteed to be secure or error-free as information could be intercepted, 
corrupted, lost, destroyed, arrive late or incomplete or contain viruses. The 
sender, therefore,  does not accept liability for any errors or omissions in 
the contents of this message which arise as a result of e-mail transmission. If 
verification is required, please request a hard-copy version.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Kees Nuyt]

On Wed, 19 Nov 2008 12:31:22 +0530, "Satish"
<[EMAIL PROTECTED]> wrote in General Discussion of SQLite
Database :

>Hi!
>
>  
>
>I am basically a windows application developer. I am developing an
>application for desktop which uses a database. I choose SQLite as my
>database and my issue is if any one finds my application is using SQLite
>database they can corrupt my database or they can see the contents of my
>database using a program(they can open my SQLite file).

The SQLite database is a normal file. The only thing that
can protect it is the security the Windows filesystem
offers. With NTFS, you have fine grained control over file
access.

>  Now my question is how I can provide security to my database for
>example no one can access my database except my application .how can I
>provide security
>
>Plz provide me best solution to provide security to my database without any
>Data loss.

Use ACL. Run the application in an account that has access
to the file, Refuse access to all other accounts.

>Regards,
>
>Satish.G
-- 
  (  Kees Nuyt
  )
c[_]
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[MikeW]

Satish <[EMAIL PROTECTED]> writes:

> 
> Hi!
> 
> I am basically a windows application developer. I am developing an
> application for desktop which uses a database. I choose SQLite as my
> database and my issue is if any one finds my application is using SQLite
> database they can corrupt my database or they can see the contents of my
> database using a program(they can open my SQLite file).
> 
>   Now my question is how I can provide security to my database for
> example no one can access my database except my application .how can I
> provide security
> 
> Plz provide me best solution to provide security to my database without any
> Data loss.
> 
> Regards,
> 
> Satish.G

A possibility would be to store the file on disc in encrypted/scrambled form.
When your app starts, it loads the DB file into memory and descrambles it,
then uses SQLite on an in-memory DB.
When it closes after any DB changes it rescrambles it and writes back to disc.

Obviously anyone analysing your app would eventually be able to work out
the process ... the devil is in the detail !!

Cheers,
MikeW

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Marcus Grimm]

Hi,

beside the other replys:

If you design a new database application:

You may simply change the sqlite fileformat header and
recompile your sqlite library. Look into the code, it
is mentioned there how to do this.

This will avoid that other standard sqlite application will
be able to read your table without recompiling their sqlite
library.

The more secure way of course would be to purchase the
encrypted option from hwaci.

kind regards

Marcus

Satish wrote:
> Hi!
> 
>   
> 
> I am basically a windows application developer. I am developing an
> application for desktop which uses a database. I choose SQLite as my
> database and my issue is if any one finds my application is using SQLite
> database they can corrupt my database or they can see the contents of my
> database using a program(they can open my SQLite file).
> 
>   
> 
>   Now my question is how I can provide security to my database for
> example no one can access my database except my application .how can I
> provide security
> 
> Plz provide me best solution to provide security to my database without any
> Data loss.
> 
>  
> 
> Regards,
> 
> Satish.G
> 
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
> 
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Roger Binns]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Satish wrote:
> Plz provide me best solution to provide security to my database without any
> Data loss.

You would have to store the database on another machine over the network
that you control.  The application would have to send you a request for
each record and you would need to check if the access is ok and return
the data.  There is still nothing stopping something malicious on the
client machine then copying that returned data elsewhere.

What you are trying to do is the same as DRM.  If an application has to
be able to actually use the data then it has to have it in clear text
form.  No matter how many layers of obfuscation and encryption you use,
it will eventually have to be in a usable form.  Another malicious
process will then also be able to access it.

Roger
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkjzB8ACgkQmOOfHg372QTSzQCg0Yje04N5TZSbVn+yARkSV3NG
R4EAoL25fiKZKC9QC4FelNnrFXC2d+AX
=TnlB
-END PGP SIGNATURE-
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] SQLite file security

[Michael Knigge]

>   Now my question is how I can provide security to my database for
> example no one can access my database except my application .how can I
> provide security

o encrypt data by yourself

o buy the properitary encryption add-on from hwaci.com

o code your appl with .NET and use the ADO-Provider (supports 
encryption, see http://sqlite.phxsoftware.com/)


Bye,
Michael
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

[sqlite] SQLite file security

[Satish]

Hi!

  

I am basically a windows application developer. I am developing an
application for desktop which uses a database. I choose SQLite as my
database and my issue is if any one finds my application is using SQLite
database they can corrupt my database or they can see the contents of my
database using a program(they can open my SQLite file).

  

  Now my question is how I can provide security to my database for
example no one can access my database except my application .how can I
provide security

Plz provide me best solution to provide security to my database without any
Data loss.

 

Regards,

Satish.G

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users