Security in DB application

I need suggestions concerning securing a database application.
My application connects to a PostGreSQL database that resides on a server on the web. Besides the username+password that I use , I need suggestions about how to make it more secure.
PostgreSQL uses a pg_hba.conf file where I can specify which IP is allowed to connect to the database. But since many clients use ADSL with dynamic IP, I cannot use that conf file to restrict the computers that are allowed to connect.
I am thinking of using a different database (mysql) for authentication, but it's not quite clear to me yet. Perhaps one of you has something similar with this situation and perhaps you don't mind sharing a few ideas with me.
LVL 11
Who is Participating?
aikimarkConnect With a Mentor Commented:
* Your source code is the weak point.  Obfuscation seems to be your best protection option against persistent crackers and hackers.  You can go to a LOT of effort to invent your own obfuscator, but your efforts will not be a wise expenditure of your time versus the relatively inexpensive obfuscator cost.  I know you are not 'looking' for a solution that involves commercial software, but it is my best recommendation.

* Since your client application has no way of knowing if there is a man-in-the-middle attack taking place, you will need to use a more sophisticated authentication than you have currently implemented.

* I would say that if you want better security, you should use a separate server side program that communicates with your client application via https, agrees to a session id and password combination for the current IP address and adds that id/pwd combination to the database along with an expiration time.  In this scenario, your program never transmits a plain text password.

* To tighten the security further, have your application program make certain post-login database (or other server side program) calls that can act as a second level authentication.  What you want to do is require a cracker/hacker to delve into many parts of your code other than the login section.

* Release program updates often.  With each update, include a different GUID that is part of the authentication process.
Here is an approach that is commonly used in banking applications. Among the systems that do it are Front Arena from SunGard and Opics from Misys.
All of your users have an account on the database, with an associated password. The passwords are all the same, and the users do not know what the password is.
The users do all have passwords, of course, just ones that are different  from the one associated with the database account.
Only your application knows what the magic password is, it lives on the server side, and it changes as often as you like. When a user connects, your application uses that user's account and the magic password to log on.Then the application goes to an application-level user table, and checks the user-supplied password against what is stored in that table, and admits the user or not accordingly. You will of course encrypt the passwords in that table.
This has the benefit that if a user should somehow get access to a PostgreSQL prompt, they won't be able to log in because they don't know the password. Which is good because a user of a database application is generally allowed to do anything in the database that the application can do, which is a lot, and you don't want your users to be let loose to execute free-form update statements.
Using this approach also means you don't have to use a different database for authentication.
calinutzAuthor Commented:
Just a question...
If the application logs on to the same database in order to build the magic password from the encrypted table... then it connects to the database. Right? And if someone with bad intentions knows how to use a delphi decompiler it will have all the info needed to connect directly to the database. So i do not know if this is a good approach. I thought about it myself but still didn't think it's a great ideea.

My idea would be to use a second database (expl.mySQL) with no sensitive data in it, except for a single table containing usernames and passwords (both ecrypted) and second username and pass (also ecrypted). The application will connect to this DB (expl.mySQL), use credentials inputed by the user, encrypt them and search for a match in the table. If match found, use the second user and pass from that table to connect to the main DB.
I really think this is a better approach, although I am sure there must be a much better one out there... this is why I am here asking.

Following my idea... if anyone gets his hands on my sourcecode he can connect to the mysql (non-sensitive) DB and view an ecrypted table. And still the encryption code is my weakness at this point since if the cracker gets his hands on the sourcecode... then he will have access to the encryption/decryption code.... So I  am stuck here... waiting for bright ideas.

And please do not explain to me that any application can be decompiled, or recommend me application exe packers (they all have unpackers)
Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

* Do your own evaluation of the Themida obfuscator from Oreans.
* login via https
* the server sends the application a piece of data (long integer or string) which is combined with the user-typed password to create a hash value that is sent in to the server.  The server replicates the process from the hashed values of passwords stored on the server.
calinutzAuthor Commented:
I do not own Themida and I am looking for a non commercial solution.
How can I login to PostGreSQL via https?!?! I use components to connect to the database (PostgresDAC). My application is a client server one , not a web application.
The third idea is not very clear to me... could you elaborate? Think database client-server application...
calinutzAuthor Commented:
I kind of know the ideeas you told me, but they all seemed to me as weak solutions before, and that is the reason I posted my question here hoping to get a different answer, a different point of view. However, since you are the only one that answered me I must give you the points and of course thank you for your time.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.