I really want to know how to secure a Firebird database from being opened by any user except through the application itself. If I distribute a desktop application with a single-file Firebird database (not embedded), how do I protect the database from being copied to another machine running Firebird with a known sysdba password?

I have searched for questions related to this subject, and only found this: http://stackoverflow.com/questions/685420/finding-a-legacy-firebird-interbase-database-password

If the answer in that post was true, how to use a desktop application with a Firebird database and forbid any user to open it using another machine? Or should I use another database like MySQL or PostgreSQL?

PS: I use Delphi 2006 to develop the GUI.

+2  A: 

> how to use desktop application with firebird database and forbid any user to open it using another machine

If you mean that the user has both the encrypted data and the key, you are doing DRM. The definitive answer is: you can't. You can slow down the user by hiding the key with different methods, but you can't stop them.

abababa22
A: 

You don't.

This is more or less the same problem as Pidgin has in http://developer.pidgin.im/wiki/PlainTextPasswords, except that's protecting it from some users and not others, rather than your application and not any end users.

Ben Alpert
+2  A: 

You are missing the point when thinking about the password to the Firebird database - the server is open source, so there's no way to do what you want. The user can simply recompile the server with password checking commented out.

Basically there are only two things you could do:

  • Write your own modifications to the Firebird server, so that it writes a database file that is incompatible with all other servers. It doesn't matter then that people can transfer the database to another machine, as the standard server executables won't be able to access the data in the database.

  • Write only encrypted data to the file, so that it doesn't matter that access to the database is possible.

Both are of course not fool-proof either, as a determined cracker can simply use your own application to get at the data. Having permission to attach a debugger to the running process can be enough to halt execution of your application at any point in time and to examine the (decrypted) data in RAM. See also the SO question "How can I increase memory security in Delphi?", especially this answer, for more information on this topic.

BTW: this is something that can be done whatever database engine you choose, to answer the last part of your question.

mghie