
Author Topic: Security Question  (Read 104276 times)

goodname

  • Sr. Member
  • ****
  • Posts: 297
Re: Security Question
« Reply #30 on: July 29, 2012, 06:54:48 pm »
So Elmug the password 573E45698F6B00C43C7B35A98B8BD852 found by the client binary application cannot be decrypted as it was created using a public key. The application must be sending 73E45698F6B00C43C7B35A98B8BD852 in its connection string and the decryption is done by a server and forwarded to the database. This is as good as having no encryption at all.

Perhaps you mean the application decrypts 573E45698F6B00C43C7B35A98B8BD852 to the valid password before sending. This means the client binary application has access to a valid private key that can be cracked/reverse-engineered.

I do not see a third possibility.

This is starting to go in circles. The basic logic is that an application needs valid password, encryption keys, ... to login, communicate, ... This information can come from a user or be found by the binary application. The more difficult it is for a cracker/reverse-engineer to discover this valid data the more secure the program is.

If you cannot see this basic requirement Elmug then I give up.

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #31 on: July 29, 2012, 07:42:21 pm »
So Elmug the password 573E45698F6B00C43C7B35A98B8BD852 found by the client binary application cannot be decrypted as it was created using a public key. The application must be sending 73E45698F6B00C43C7B35A98B8BD852 in its connection string and the decryption is done by a server and forwarded to the database. This is as good as having no encryption at all.

Perhaps you mean the application decrypts 573E45698F6B00C43C7B35A98B8BD852 to the valid password before sending. This means the client binary application has access to a valid private key that can be cracked/reverse-engineered.

I do not see a third possibility.

This is starting to go in circles. The basic logic is that an application needs valid password, encryption keys, ... to login, communicate, ... This information can come from a user or be found by the binary application. The more difficult it is for a cracker/reverse-engineer to discover this valid data the more secure the program is.

If you cannot see this basic requirement Elmug then I give up.

Goodname,

You shouldn't put the password in the application. Use a database to store data and passwords.

Applications open databases. Databases store passwords and data. Let the database handle the security issue.

Once you have the data, then applications do whatever is needed to data.

If you want to do it differently, up to you.

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Security Question
« Reply #32 on: July 29, 2012, 07:59:23 pm »
And how do you secure the password to the database?
Want quicker answers to your questions? Read http://wiki.lazarus.freepascal.org/Lazarus_Faq#What_is_the_correct_way_to_ask_questions_in_the_forum.3F

Open source including papertiger OCR/PDF scanning:
https://bitbucket.org/reiniero

Lazarus trunk+FPC trunk x86, Windows x64 unless otherwise specified

goodname

  • Sr. Member
  • ****
  • Posts: 297
Re: Security Question
« Reply #33 on: July 29, 2012, 08:06:21 pm »
This reminds me of an old computer joke.
Me: I just got this great new dvd player for my computer.
Friend: Great, let's try it.
Me: Have to install the driver, but having problems doing that.
Friend: What is the problem?
Me: The driver is on a dvd disk and I can't read it until I install the driver.

I know that all systems come with basic read capability but the conflicting logic makes me laugh.

EDIT: In this case it would be.
The password is in the database and I can't open the database until I get the password.
« Last Edit: July 30, 2012, 02:44:14 pm by goodname »

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #34 on: July 29, 2012, 08:07:43 pm »
And how do you secure the password to the database?

Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.
 
« Last Edit: July 29, 2012, 08:29:46 pm by Elmug »

taazz

  • Hero Member
  • *****
  • Posts: 5368
Re: Security Question
« Reply #35 on: July 29, 2012, 10:07:38 pm »
And how do you secure the password to the database?

Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.

all those businesses do not share the database with their users it is kept in their offices and provide only controlled access to it, any employee with appropriate rights can easily use those passwords to scam any customer.

how do you protect a password for a database that is shared with all your customers and is required to connect and access that database. the database does not contain any user name password data and it is a single user database.
Good judgement is the result of experience … Experience is the result of bad judgement.

OS : Windows 7 64 bit
Laz: Lazarus 1.4.4 FPC 2.6.4 i386-win32-win32/win64

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #36 on: July 30, 2012, 03:05:28 am »
And how do you secure the password to the database?

Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.

all those businesses do not share the database with their users it is kept in their offices and provide only controlled access to it, any employee with appropriate rights can easily use those passwords to scam any customer.

how do you protect a password for a database that is shared with all your customers and is required to connect and access that database. the database does not contain any user name password data and it is a single user database.

I am not familiar with businesses that use a single-user database that uses no passwords nor user names, and yet is used by various employees.

Sounds like an improper practice, to me. So, I don't know how they protect that, sorry.

Databases that I developed for large corporations all had user name, and each user a password.


taazz

  • Hero Member
  • *****
  • Posts: 5368
Re: Security Question
« Reply #37 on: July 30, 2012, 05:14:11 am »
And how do you secure the password to the database?

Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.

all those businesses do not share the database with their users it is kept in their offices and provide only controlled access to it, any employee with appropriate rights can easily use those passwords to scam any customer.

how do you protect a password for a database that is shared with all your customers and is required to connect and access that database. the database does not contain any user name password data and it is a single user database.

I am not familiar with businesses that use a single-user database that uses no passwords nor user names, and yet is used by various employees.

Sounds like an improper practice, to me. So, I don't know how they protect that, sorry.

Databases that I developed for large corporations all had user name, and each user a password.

You are putting words in my mouth, sorry, re-read my previous post. Think of it this way
DB1 :user name = xxx; password = yyyyy

this should be unique per client?
each client should provide its own password?

the point is that this database is protected from direct access from the client and must be accessed only through my application.
It is a single user database i.e. no multiple user access, only 1 user at a time.

Please provide specific methods to protect that database without saving the UN and password of the db in application.

Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Security Question
« Reply #38 on: July 30, 2012, 07:04:19 am »
Nice one, goodname ;)

If Elmug doesn't want to understand that changing from (secret to be protected is handled by application) to (secret to be protected is handled by database+application along with a password to the database handled by the application)[1] means you're basically replacing the secret with the database password as an attack target and adding the database[2] as a target as well.... I'll leave it.

[1] and that's not considering the fact that there are probably multiple users defined in this db
[2] e.g. using db protocol vulnerabilities, privilege escalation attacks, access to the db via the OS, attacks to the db data files via the OS, attacks on administrative accounts, e.g. using brute force attacks etc.

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #39 on: July 30, 2012, 09:36:32 am »
And how do you secure the password to the database?

Same way business does it in the internet: Ebay, Yahoo, Google, Amazon, Banks, Government, Academy, etc., and me too.

all those businesses do not share the database with their users it is kept in their offices and provide only controlled access to it, any employee with appropriate rights can easily use those passwords to scam any customer.

how do you protect a password for a database that is shared with all your customers and is required to connect and access that database. the database does not contain any user name password data and it is a single user database.

I am not familiar with businesses that use a single-user database that uses no passwords nor user names, and yet is used by various employees.

Sounds like an improper practice, to me. So, I don't know how they protect that, sorry.

Databases that I developed for large corporations all had user name, and each user a password.

You are putting words in my mouth, sorry, re-read my previous post. Think of it this way
DB1 :user name = xxx; password = yyyyy

this should be unique per client?
each client should provide its own password?

the point is that this database is protected from direct access from the client and must be accessed only through my application.
It is a single user database i.e. no multiple user access, only 1 user at a time.

Please provide specific methods to protect that database without saving the UN and password of the db in application.

Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords

Hi Taazz,

I am not intending to put words in anyone's mouth. I answered on my own, I believe.

You have:
Think of it this way
DB1 :user name = xxx; password = yyyyy

this should be unique per client?
each client should provide its own password?


I can not speak for others, but I have already stated about databases for business I have done, that each user has his own name and password. Of course, "his" is meant to imply "unique".

Also, this:
the point is that this database is protected from direct access from the client and must be accessed only through my application.
It is a single user database i.e. no multiple user access, only 1 user at a time.


I believe that I also stated that I do not do for businesses databases that are single-user, accessible only through a specific application, and that I would not know how those who do would protect that setup, which I also said, I believe is an improper practice (to allow a single user control of business data, in this case). There may be cases, though, that I have not seen, not attended to, though.
...............................

As to this:
Please provide specific methods to protect that database without saving the UN and password of the db in application.

Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords


Databases that are centralized, intended for business or critical use, have their mechanisms for storing name and user passwords, and ALSO control user's privileges (access rights) both on the individual or group basis. Applications for access NEVER have the password in the code. Earlier in the thread, I have also stated that passwords are gathered by the application by prompt, or by filling UserName and Password boxes. This gathering of UserName and password are sent immediately to the database (which is a database server) and it is itself THE APPLICATION that provides or denies access. If the client application is written, say in Lazarus, a Try block would be a natural way to do the gathering and sending of the UserName and password, and the Finally clause would delete the password from the variable. It should be clear that the application NEVER stores UserName nor his/her password.

Besides, it would be an oxymoron, because since those applications are meant to be used by multiple users, it would imply to store every user and every password in the application, and each new user would require a recompiling of the application. Therefore, it is not even considered. I've never even heard of that being a possibility. But that's me. I have not been everywhere, of course.

I hope this is sufficient detail, as you request.
.......................................

And this also:
Please keep in mind that this database must be decrypted before accessing any data in it including any application user or passwords

I have not yet used databases that encrypt the data, but all that I have done, and know about and consider robust, do encrypt the passwords in their system tables. The security of the system tables, as well as the database itself (with all its data, of course) belongs to the system administrator, or to the database administrator. That level of security, of course, does not belong to any client application.

Encryption of user data, should be realized, is complex to implement, since one first question would be: would data be encrypted at the individual end-user level (the ideal), or at a global level (not much needed if the system is well taken care of, as said, by reliable personnel, using well established policy). And, now, if the database is centralized, it should also be realized that precisely it is centralized TO SHARE data allowed, via reports, and ad-hoc SQL query, making that pretty much if not impossible, very very difficult. Therefore, at high monetary cost, perhaps some databases use encryption of data. Cost, let's not forget, would include support.
.........................

I repeat, again, that I would never intend to put words in anyone's mouth, nor mean to antagonize on this issue. These practices I mention, are not mine to defend, actually. They are well established business practices that I have myself found to be the correct ones.

If the argument be that nothing is guaranteed absolutely secure or safe, I agree.

But using driving a vehicle as a comparison, I still advocate that driving follow established safety practices.
« Last Edit: July 30, 2012, 09:50:29 am by Elmug »

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #40 on: July 30, 2012, 10:02:17 am »
BigChimp, you have this:

If Elmug doesn't want to understand that changing from (secret to be protected is handled by application) to (secret to be protected is handled by database+application along with a password to the database handled by the application)[1] means you're basically replacing the secret with the database password as an attack target and adding the database[2] as a target as well.... I'll leave it.

I can not understand what you stated as such, since I know for a fact that databases that have UserName and password management are THEMSELVES the APPLICATION that handles the encrypting/decrypting needed for that facility, not the client application. In such schemes, a client application knows NOTHING about passwords, other than gather it temporarily and send it to the database.

Databases that do not handle UserName, nor passwords, I already stated are not good choices for business or critical data use.

If you would be kind enough to specify what you think I do not wish to understand, please let me know, and I would certainly make an effort to.

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Security Question
« Reply #41 on: July 30, 2012, 10:36:44 am »
Elmug,

The OP was talking about how to secure encryption keys etc. Presumably these keys are used for communication (sending/receiving data) or storing/retrieving files:
Quote
Yesterday, using a disassembler, I got all cryptographic keys that were declared as const in my program.
This is really dangerous.

Does anyone know how to protect my cryptographic keys from a disassembler?

The database can be used to store the encryption keys/secrets, to be retrieved by the application (for e.g. securing network communication). Now additional targets for attack are both the database password and the database security itself.

An alternative is that the OP wanted to only store/retrieve encrypted data and would be happy with a database. He could then use a database (that has encryption facilities) but the same additional targets are present.

Does this make sense?

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #42 on: July 30, 2012, 11:21:38 am »
Elmug,

The OP was talking about how to secure encryption keys etc. Presumably these keys are used for communication (sending/receiving data) or storing/retrieving files:
Quote
Yesterday, using a disassembler, I got all cryptographic keys that were declared as const in my program.
This is really dangerous.

Does anyone know how to protect my cryptographic keys from a disassembler?

The database can be used to store the encryption keys/secrets, to be retrieved by the application (for e.g. securing network communication). Now additional targets for attack are both the database password and the database security itself.

An alternative is that the OP wanted to only store/retrieve encrypted data and would be happy with a database. He could then use a database (that has encryption facilities) but the same additional targets are present.

Does this make sense?

I stated that the application should not contain passwords. So that's not a target. If anything is stored in a database, of course the database can be the target, not an ADDITIONAL target.

And since robust databases do have security mechanisms built in, I still say that's the best place to store data.

Some databases are more robust as to security than others. I have no issue with that.

My point has been, since the beginning, that applications ought not know anything about UserName, nor password.

If the information of concern is small, and a database is not wished to be used, still the same principle can apply:

Let the application handle the encoding and decoding algorithm, that stores an encoded header and encodes the data, say in a file, both based on a run-time supplied password.

That header and any data in the file would be unique for different passwords supplied to the encoding algorithm at encoding time.

If anyone snoops at the encrypted file, he/she can see the encrypted header, and the encrypted data. But to decrypt the data, the original unencrypted password is needed, and THAT is neither in the application, nor in the file. It has to be provided to the deciphering part of the application at decryption time.

Of course, the more complex the encrypting algorithm, the more difficult to crack, even if the algorithm be public knowledge.

Decrypting algorithm is basically the opposite of the encrypting one, and again if known, without the password it would be quite difficult to crack.

Again, using a robust database that handles the security issue, for safekeeping of data, I still consider the most advisable option.

« Last Edit: July 30, 2012, 11:27:40 am by Elmug »
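
The file scheme described in reply #42 (header and data both depend on a password supplied at run time, and the password is in neither the program nor the file), sketched in Python as an added example that is not part of the thread. The file layout, the names `seal` and `open_sealed` and the iteration count are assumptions, and the HMAC-SHA256 counter-mode keystream is a stand-in for a vetted cipher such as AES, which the standard library does not provide.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"PWF1"        # constructed file magic for this example
ITERATIONS = 200_000   # PBKDF2 work factor (assumed value)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
HDR_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _derive_keys(password, salt):
    """Stretch the run-time password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real stream/block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(password, plaintext):
    """Return MAGIC | salt | nonce | tag | ciphertext. No key material is stored."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + salt + nonce
    # The tag is the password-dependent part of the header: it authenticates
    # header and data, and only verifies under the original password.
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + tag + ct


def open_sealed(password, blob):
    """Verify the tag first, then decrypt; fail closed on any mismatch."""
    if len(blob) < HDR_LEN + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a sealed file")
    header = blob[:HDR_LEN]
    tag = blob[HDR_LEN:HDR_LEN + TAG_LEN]
    ct = blob[HDR_LEN + TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified file")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))
```

The derived keys still exist in process memory while the file is being opened, which is the interception point BigChimp raises in the next reply.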

BigChimp

  • Hero Member
  • *****
  • Posts: 5740
  • Add to the wiki - it's free ;)
    • FPCUp, PaperTiger scanning and other open source projects
Re: Security Question
« Reply #43 on: July 30, 2012, 11:28:21 am »
Elmug, you're not covering anything new here. Really, you aren't. Read through earlier posts to see why not.
Edit: also, IIRC, the OP never mentioned he used a database. Adding a database to store your secrets does increase your attack surface.
Your other solution on storing stuff is fine but we already discussed how application disassembly can be used in an attack to intercept decryption keys (see an earlier post from me on that).
As you say: there are different levels of security; it's a matter of making sure you don't secure some part of it too much while leaving open another avenue of attack.

I'd suggest you have a look at threat/vulnerability analysis if you're interested.

Over and out.
« Last Edit: July 30, 2012, 11:36:27 am by BigChimp »

Elmug

  • Hero Member
  • *****
  • Posts: 849
Re: Security Question
« Reply #44 on: July 30, 2012, 11:35:48 am »
Elmug, you're not covering anything new here. Really, you aren't. Read through earlier posts to see why not.

I'd also suggest you have a look at threat/vulnerability analysis if you're interested.

Over and out.

BigChimp,

Actually, I never intended to cover all possible objections to what I stated; and at this time, I don't need to read what you in a general way suggest. I wouldn't even know where to start, since I can not read minds. But thanks, anyway for maybe believing that I can.

If all that I stated is useless, that's OK too.


 
