Security in DB application

Posted on 2008-10-27
Last Modified: 2010-04-21
I need suggestions concerning securing a database application.
My application connects to a PostGreSQL database that resides on a server on the web. Besides the username+password that I use , I need suggestions about how to make it more secure.
PostgreSQL uses a pg_hba.conf file where I can specify which IP is allowed to connect to the database. But since many clients use ADSL with dynamic IP, I cannot use that conf file to restrict the computers that are allowed to connect.
I am thinking of using a different database (mysql) for authentication, but it's not quite clear to me yet. Perhaps one of you has something similar with this situation and perhaps you don't mind sharing a few ideas with me.
Question by:calinutz
  • 3
  • 2

Expert Comment

ID: 22813525
Here is an approach that is commonly used in banking applications. Among the systems that do it are Front Arena from SunGard and Opics from Misys.
All of your users have an account on the database, with an associated password. The passwords are all the same, and the users do not know what the password is.
The users do all have passwords, of course, just ones that are different  from the one associated with the database account.
Only your application knows what the magic password is, it lives on the server side, and it changes as often as you like. When a user connects, your application uses that user's account and the magic password to log on.Then the application goes to an application-level user table, and checks the user-supplied password against what is stored in that table, and admits the user or not accordingly. You will of course encrypt the passwords in that table.
This has the benefit that if a user should somehow get access to a PostgreSQL prompt, they won't be able to log in because they don't know the password. Which is good because a user of a database application is generally allowed to do anything in the database that the application can do, which is a lot, and you don't want your users to be let loose to execute free-form update statements.
Using this approach also means you don't have to use a different database for authentication.
LVL 11

Author Comment

ID: 22829409
Just a question...
If the application logs on to the same database in order to build the magic password from the encrypted table... then it connects to the database. Right? And if someone with bad intentions knows how to use a delphi decompiler it will have all the info needed to connect directly to the database. So i do not know if this is a good approach. I thought about it myself but still didn't think it's a great ideea.

My idea would be to use a second database (expl.mySQL) with no sensitive data in it, except for a single table containing usernames and passwords (both ecrypted) and second username and pass (also ecrypted). The application will connect to this DB (expl.mySQL), use credentials inputed by the user, encrypt them and search for a match in the table. If match found, use the second user and pass from that table to connect to the main DB.
I really think this is a better approach, although I am sure there must be a much better one out there... this is why I am here asking.

Following my idea... if anyone gets his hands on my sourcecode he can connect to the mysql (non-sensitive) DB and view an ecrypted table. And still the encryption code is my weakness at this point since if the cracker gets his hands on the sourcecode... then he will have access to the encryption/decryption code.... So I  am stuck here... waiting for bright ideas.

And please do not explain to me that any application can be decompiled, or recommend me application exe packers (they all have unpackers)
LVL 45

Expert Comment

ID: 22855637
* Do your own evaluation of the Themida obfuscator from Oreans.
* login via https
* the server sends the application a piece of data (long integer or string) which is combined with the user-typed password to create a hash value that is sent in to the server.  The server replicates the process from the hashed values of passwords stored on the server.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 11

Author Comment

ID: 22916936
I do not own Themida and I am looking for a non commercial solution.
How can I login to PostGreSQL via https?!?! I use components to connect to the database (PostgresDAC). My application is a client server one , not a web application.
The third idea is not very clear to me... could you elaborate? Think database client-server application...
LVL 45

Accepted Solution

aikimark earned 300 total points
ID: 22917363
* Your source code is the weak point.  Obfuscation seems to be your best protection option against persistent crackers and hackers.  You can go to a LOT of effort to invent your own obfuscator, but your efforts will not be a wise expenditure of your time versus the relatively inexpensive obfuscator cost.  I know you are not 'looking' for a solution that involves commercial software, but it is my best recommendation.

* Since your client application has no way of knowing if there is a man-in-the-middle attack taking place, you will need to use a more sophisticated authentication than you have currently implemented.

* I would say that if you want better security, you should use a separate server side program that communicates with your client application via https, agrees to a session id and password combination for the current IP address and adds that id/pwd combination to the database along with an expiration time.  In this scenario, your program never transmits a plain text password.

* To tighten the security further, have your application program make certain post-login database (or other server side program) calls that can act as a second level authentication.  What you want to do is require a cracker/hacker to delve into many parts of your code other than the login section.

* Release program updates often.  With each update, include a different GUID that is part of the authentication process.
LVL 11

Author Closing Comment

ID: 31510284
I kind of know the ideeas you told me, but they all seemed to me as weak solutions before, and that is the reason I posted my question here hoping to get a different answer, a different point of view. However, since you are the only one that answered me I must give you the points and of course thank you for your time.

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hello everybody This Article will show you how to validate number with TEdit control, What's the TEdit control? TEdit is a standard Windows edit control on a form, it allows to user to write, read and copy/paste single line of text. Usua…
In my programming career I have only very rarely run into situations where operator overloading would be of any use in my work.  Normally those situations involved math with either overly large numbers (hundreds of thousands of digits or accuracy re…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question