tags:

views:

1339

answers:

4
+12  Q: 

How can I protect MySQL username and password from decompiling?

sadly Java Classes can be decompiled pretty well, how can I protect my database if I have to use the login data in the code?

+11  A: 

Put the password into a file that the application will read. NEVER embed passwords in a source file. Period.

Ruby has a little-known module called DBI::DBRC for such usage. I have no doubt that Java has an equivalent. Anyway, it is not difficult to write one.

Keltia  2009-01-14 13:07:38
While that makes it slightly easier to change the passwords later on, it doesn't solve the basic security issue.
Brian Knoblauch  2009-01-14 13:21:00
Yes it does. See also the answer from William Brendel.
Keltia  2009-01-14 13:23:31
The method Keltia and I pointed out is the accepted way of dealing with this problem. Decoupling your login credentials from your compiled code is one of the most basic software security practices. Putting the login credentials in a separate file is an effective way to achieve this.
William Brendel  2009-01-14 13:27:45
Furthermore, the fact that your configuration information is in a plaintext file should be canceled by operating system restrictions. For example, in UNIX, the plaintext file should be owned by the user running the program and have permissions 0600, so only the owner can read it.
William Brendel  2009-01-14 13:30:18
OK, so the file can only be read by the user running the program. Great. That solves nothing. :-) I, the user who we're trying to keep the password secret from, can read it just as easily as the app...
Brian Knoblauch  2009-01-14 14:24:06
@Brian: You're trying to give *untrusted* users *trusted* access to a system, and you want it to be secure? That's just not possible. In that case, you really need to rethink your architecture. This is why copy protection doesn't work (it must give untrusted parties the ability to decrypt content).
William Brendel  2009-01-14 14:29:15
+23  A: 

Never hard-code passwords into your code. This was brought up recently in the Top 25 Most Dangerous Programming Mistakes:

Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.

You should store configuration information, including passwords, in a separate file that the application reads when it starts. That is the only real way to prevent the password from leaking as a result of decompilation (never compile it into the binary to begin with).

For more information about this common mistake, you can read the CWE-259 article. The article contains a more thorough definition, examples, and lots of other information about the problem.

In Java, one of the easiest ways to do this is to use the Preferences class. It is designed to store all sorts of program settings, some of which could include a username and password.

import java.util.prefs.Preferences;

public class DemoApplication {
  Preferences preferences = 
      Preferences.userNodeForPackage(DemoApplication.class);

  public void setCredentials(String username, String password) {
    preferences.put("db_username", username);
    preferences.put("db_password", password);
  }

  public String getUsername() {
    return preferences.get("db_username", null);
  }

  public String getPassword() {
    return preferences.get("db_password", null);
  }

  // your code here
}

In the above code, you could call the setCredentials method after showing a dialog askign for the username and password. When you need to connect to the database, you can just use the getUsername and getPassword methods to retrieve the stored values. The login credentials will not be hard-coded into your binaries, so decompilation will not pose a security risk.

Important Note: The preference files are just plain text XML files. Make sure you take appropriate steps to prevent unauthorized users from viewing the raw files (UNIX permissions, Windows permissions, et cetera). In Linux, at least, this isn't a problem, because calling Preferences.userNodeForPackage will create the XML file in the current user's home directory, which is non-readable by other users anyway. In Windows, the situation might be different.

More Important Notes: There has been a lot of discussion in the comments of this answer and others about what the correct architecture is for this situation. The original question doesn't really mention the context in which the application is being used, so I will talk about the two situations I can think of. The first is the case in which the person using the program already knows (and is authorized to know) the database credentials. The second is the case in which you, the developer, are trying to keep the database credentials secret from the person using the program.

First Case: User is authorized to know the database login credentials

In this case, the solution I mentioned above will work. The Java Preference class will stored the username and password in plain text, but the preferences file will only be readable by the authorized user. The user can simply open the preferences XML file and read the login credentials, but that is not a security risk because the user knew the credentials to begin with.

Second Case: Trying to hide login credentials from the user

This is the more complicated case: the user should not know the login credentials but still needs access to the database. In this case, the user running the application has direct access to the database, which means the program needs to know the login credentials ahead of time. The solution I mentioned above is not appropriate for this case. You can store the database login credentials in a preferences file, but he user will be able to read that file, since they will be the owner. In fact, there is really no good way to use this case in a secure way.

Correct Case: Using a multi-tier architecture

The correct way to do it is to have a middle layer, in between your database server and your client application, that authenticates individual users and allows a limited set of operations to be performed. Each user would have their own login credentials, but not for the database server. The credentials would allow access to the middle layer (the business logic tier) and would be different for each user.

Every user would have their own username and password, which could be stored locally in a preferences file without any security risk. This is called a three-tier architecture (the tiers being your database server, business logic server, and client application). It is more complex, but it really is the most secure way to do this sort of thing.

The basic order of operations is:

  1. Client authenticates with business logic tier using the user's personal username/password. The username and password are known to the user and are not related to the database login credentials in any way.
  2. If authentication succeeds, the client makes a request to the business logic tier asking for some information from the database. For example, an inventory of products. Note that the client's request is not a SQL query; it is a remote procedure call such as getInventoryList.
  3. The business logic tier connects to the database and retrieves the requested information. The business logic tier is in charge of forming a secure SQL query based on the user's request. Any parameters to the SQL query should be sanitized to prevent SQL injection attacks.
  4. The business logic tier sends the inventory list back to the client application.
  5. The client displays the inventory list to the user.

Note that in the entire process, the client application never connects directly to the database. The business logic tier receives a request from an authenticated user, processes the client's request for an inventory list, and only then executes a SQL query.

William Brendel  2009-01-14 13:08:42
How exactly does this keep someone from getting the username/password? Can't you just read it from the file then?
Joe Philllips  2009-01-14 13:55:16
As I said in my answer, if your file permissions are set properly, only the user running the program has read access to that preferences file. In UNIX environments, this is done automatically. Windows might require additional steps (I'm really not sure, since I don't use Windows much).
William Brendel  2009-01-14 13:58:19
I think the idea is that the user running the app isn't the one you are trying to keep it from. If that's the case, then you'd have to encrypt it.
Michael Haren  2009-01-14 13:58:33
Yes, Michael is correct. Essentially the idea is that you already know the username/password, so there is no need to hide it from yourself. It will be hidden from other users, however, through file permissions.
William Brendel  2009-01-14 13:59:46
@Michael - encryption won't help in keeping the password from the user running the app. It just pushes the problem onto trying to protect the key, and in any case the user will need some API somewhere to use the password.
frankodwyer  2009-01-14 14:01:22
If you are deploying (example) a DB editing application to a user and you don't want them to know the database username and password, then you've architected the solution wrong, and the client software should be communicating with a server (via e.g., a web service) that does the DB stuff.
JeeBee  2009-01-14 14:31:15
@JeeBee: Exactly correct. In my answer I assumed the user knows the credentials, and the problem is finding a way to store that information outside of the compiled code. Attempts to give *untrusted* users *trusted* access to any system will always fail. Nice comment, JeeBee.
William Brendel  2009-01-14 14:36:12
I added more information to my original answer. It covers the basics of using a three-tier architecture, which is probably best for what the original poster wanted.
William Brendel  2009-01-14 15:12:14
That's a lovely comprehensive answer indeed now.
JeeBee  2009-01-14 19:33:13
+1  A: 

Are you writing a web application? If so, use JNDI to configure it externally to the application. An overview is available here:

JNDI provides a uniform way for an application to find and access remote services over the network. The remote service may be any enterprise service, including a messaging service or an application-specific service, but, of course, a JDBC application is interested mainly in a database service. Once a DataSource object is created and registered with a JNDI naming service, an application can use the JNDI API to access that DataSource object, which can then be used to connect to the data source it represents.

Tim Howland  2009-01-14 13:28:15
A: 

MD5 is a hash algorithm, not an encryption algorithm, in short u cant get back wat u hashed, u can only compare. It should ideally be used when storing the user authentication information and not db username and password. db username and pwd should be encrypted and kept in a config file, to do the least.

renegadeMind  2009-01-14 13:29:32

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL