Re: [sqlite] SQLite file security
On Thu, 20 Nov 2008 12:47:26 +0530, <[EMAIL PROTECTED]> wrote in General Discussion of SQLite Database: >I think the question by the original poster was about data security and >not file security. He probably does not mind if the file is copied, but >the data should be decipherable only by his application. The OP wrote: >>> my issue is if any one finds my application is using >>> SQLite database they can [1] corrupt my database >>> or they can [2] see the contents of my database using >>> a program(they can open my SQLite file). So, he has two issues. The second issue was discussed a lot already. My point was about [1]: anyone with write access to the databasefile can corrupt it, encrypted or not. >-Shibu -- ( Kees Nuyt ) c[_] ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
I agree with that. However if I were writing such an application I would worry about folks copying the database and possibly rendering the database useless. There are a few things that I would recommend. To keep others from reading the database you will have to write some sort of encryption routine into your application that uses a symmetric key - I would recommend something that uses AES since this is the adopted standard, however there are plenty of reasonable encryption routines available in the public domain. Either the user has to type a password to unlock the key and decrypt the database or you will have to store the key in a hash file that is read when the application is open. I recommend that you get a copy of "Applied Cryptography" by Bruce Schneier for more information on this subject. This will not prevent anyone from opening the encrypted database, however, so you have to take care that your NTFS file permissions grant access to only those authorized to access the database. Otherwise you would subject the database to denial of service attacks by means of editing the encrypted database and possibly corrupting it. Bear in mind that no security controls are foolproof. If someone really wants access, they are going to get it. All you are trying to do is make it costly for potential attackers to access your data to a point where they consider that the cost outweighs the value. Timothy A. Sawyer, CISSP Managing Director MBD Solutions Phone: (603) 546-7132 Web: http://www.mybowlingdiary.com Email: [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, November 20, 2008 2:17 AM To: sqlite-users@sqlite.org Subject: Re: [sqlite] SQLite file security I think the question by the original poster was about data security and not file security. He probably does not mind if the file is copied, but the data should be decipherable only by his application. -Shibu -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kees Nuyt Sent: Thursday, November 20, 2008 2:17 AM To: General Discussion of SQLite Database Subject: Re: [sqlite] SQLite file security On Wed, 19 Nov 2008 12:31:22 +0530, "Satish" <[EMAIL PROTECTED]> wrote in General Discussion of SQLite Database <sqlite-users@sqlite.org>: >Hi! > > > >I am basically a windows application developer. I am developing an >application for desktop which uses a database. I choose SQLite as my >database and my issue is if any one finds my application is using SQLite >database they can corrupt my database or they can see the contents of my >database using a program(they can open my SQLite file). The SQLite database is a normal file. The only thing that can protect it is the security the Windows filesystem offers. With NTFS, you have fine grained control over file access. > Now my question is how I can provide security to my database for >example no one can access my database except my application .how can I >provide security > >Plz provide me best solution to provide security to my database without any >Data loss. Use ACL. Run the application in an account that has access to the file, Refuse access to all other accounts. >Regards, > >Satish.G -- ( Kees Nuyt ) c[_] ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users DISCLAIMER: This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
I think the question by the original poster was about data security and not file security. He probably does not mind if the file is copied, but the data should be decipherable only by his application. -Shibu -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kees Nuyt Sent: Thursday, November 20, 2008 2:17 AM To: General Discussion of SQLite Database Subject: Re: [sqlite] SQLite file security On Wed, 19 Nov 2008 12:31:22 +0530, "Satish" <[EMAIL PROTECTED]> wrote in General Discussion of SQLite Database <sqlite-users@sqlite.org>: >Hi! > > > >I am basically a windows application developer. I am developing an >application for desktop which uses a database. I choose SQLite as my >database and my issue is if any one finds my application is using SQLite >database they can corrupt my database or they can see the contents of my >database using a program(they can open my SQLite file). The SQLite database is a normal file. The only thing that can protect it is the security the Windows filesystem offers. With NTFS, you have fine grained control over file access. > Now my question is how I can provide security to my database for >example no one can access my database except my application .how can I >provide security > >Plz provide me best solution to provide security to my database without any >Data loss. Use ACL. Run the application in an account that has access to the file, Refuse access to all other accounts. >Regards, > >Satish.G -- ( Kees Nuyt ) c[_] ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users DISCLAIMER: This message contains privileged and confidential information and is intended only for an individual named. If you are not the intended recipient, you should not disseminate, distribute, store, print, copy or deliver this message. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version. ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
On Wed, 19 Nov 2008 12:31:22 +0530, "Satish" <[EMAIL PROTECTED]> wrote in General Discussion of SQLite Database: >Hi! > > > >I am basically a windows application developer. I am developing an >application for desktop which uses a database. I choose SQLite as my >database and my issue is if any one finds my application is using SQLite >database they can corrupt my database or they can see the contents of my >database using a program(they can open my SQLite file). The SQLite database is a normal file. The only thing that can protect it is the security the Windows filesystem offers. With NTFS, you have fine grained control over file access. > Now my question is how I can provide security to my database for >example no one can access my database except my application .how can I >provide security > >Plz provide me best solution to provide security to my database without any >Data loss. Use ACL. Run the application in an account that has access to the file, Refuse access to all other accounts. >Regards, > >Satish.G -- ( Kees Nuyt ) c[_] ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
Satish <[EMAIL PROTECTED]> writes: > > Hi! > > I am basically a windows application developer. I am developing an > application for desktop which uses a database. I choose SQLite as my > database and my issue is if any one finds my application is using SQLite > database they can corrupt my database or they can see the contents of my > database using a program(they can open my SQLite file). > > Now my question is how I can provide security to my database for > example no one can access my database except my application .how can I > provide security > > Plz provide me best solution to provide security to my database without any > Data loss. > > Regards, > > Satish.G A possibility would be to store the file on disc in encrypted/scrambled form. When your app starts, it loads the DB file into memory and descrambles it, then uses SQLite on an in-memory DB. When it closes after any DB changes it rescrambles it and writes back to disc. Obviously anyone analysing your app would eventually be able to work out the process ... the devil is in the detail !! Cheers, MikeW ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
Hi, beside the other replys: If you design a new database application: You may simply change the sqlite fileformat header and recompile your sqlite library. Look into the code, it is mentioned there how to do this. This will avoid that other standard sqlite application will be able to read your table without recompiling their sqlite library. The more secure way of course would be to purchase the encrypted option from hwaci. kind regards Marcus Satish wrote: > Hi! > > > > I am basically a windows application developer. I am developing an > application for desktop which uses a database. I choose SQLite as my > database and my issue is if any one finds my application is using SQLite > database they can corrupt my database or they can see the contents of my > database using a program(they can open my SQLite file). > > > > Now my question is how I can provide security to my database for > example no one can access my database except my application .how can I > provide security > > Plz provide me best solution to provide security to my database without any > Data loss. > > > > Regards, > > Satish.G > > ___ > sqlite-users mailing list > sqlite-users@sqlite.org > http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users > ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Satish wrote: > Plz provide me best solution to provide security to my database without any > Data loss. You would have to store the database on another machine over the network that you control. The application would have to send you a request for each record and you would need to check if the access is ok and return the data. There is still nothing stopping something malicious on the client machine then copying that returned data elsewhere. What you are trying to do is the same as DRM. If an application has to be able to actually use the data then it has to have it in clear text form. No matter how many layers of obfuscation and encryption you use, it will eventually have to be in a usable form. Another malicious process will then also be able to access it. Roger -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkkjzB8ACgkQmOOfHg372QTSzQCg0Yje04N5TZSbVn+yARkSV3NG R4EAoL25fiKZKC9QC4FelNnrFXC2d+AX =TnlB -END PGP SIGNATURE- ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file security
> Now my question is how I can provide security to my database for > example no one can access my database except my application .how can I > provide security o encrypt data by yourself o buy the properitary encryption add-on from hwaci.com o code your appl with .NET and use the ADO-Provider (supports encryption, see http://sqlite.phxsoftware.com/) Bye, Michael ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
[sqlite] SQLite file security
Hi! I am basically a windows application developer. I am developing an application for desktop which uses a database. I choose SQLite as my database and my issue is if any one finds my application is using SQLite database they can corrupt my database or they can see the contents of my database using a program(they can open my SQLite file). Now my question is how I can provide security to my database for example no one can access my database except my application .how can I provide security Plz provide me best solution to provide security to my database without any Data loss. Regards, Satish.G ___ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users