Solved

Security in DB application

Posted on 2008-10-27
6
212 Views
Last Modified: 2010-04-21
I need suggestions concerning securing a database application.
My application connects to a PostGreSQL database that resides on a server on the web. Besides the username+password that I use , I need suggestions about how to make it more secure.
PostgreSQL uses a pg_hba.conf file where I can specify which IP is allowed to connect to the database. But since many clients use ADSL with dynamic IP, I cannot use that conf file to restrict the computers that are allowed to connect.
I am thinking of using a different database (mysql) for authentication, but it's not quite clear to me yet. Perhaps one of you has something similar with this situation and perhaps you don't mind sharing a few ideas with me.
Thanks
0
Comment
Question by:calinutz
  • 3
  • 2
6 Comments
 
LVL 5

Expert Comment

by:PaulKeating
ID: 22813525
Here is an approach that is commonly used in banking applications. Among the systems that do it are Front Arena from SunGard and Opics from Misys.
All of your users have an account on the database, with an associated password. The passwords are all the same, and the users do not know what the password is.
The users do all have passwords, of course, just ones that are different  from the one associated with the database account.
Only your application knows what the magic password is, it lives on the server side, and it changes as often as you like. When a user connects, your application uses that user's account and the magic password to log on.Then the application goes to an application-level user table, and checks the user-supplied password against what is stored in that table, and admits the user or not accordingly. You will of course encrypt the passwords in that table.
This has the benefit that if a user should somehow get access to a PostgreSQL prompt, they won't be able to log in because they don't know the password. Which is good because a user of a database application is generally allowed to do anything in the database that the application can do, which is a lot, and you don't want your users to be let loose to execute free-form update statements.
Using this approach also means you don't have to use a different database for authentication.
 
0
 
LVL 11

Author Comment

by:calinutz
ID: 22829409
Just a question...
If the application logs on to the same database in order to build the magic password from the encrypted table... then it connects to the database. Right? And if someone with bad intentions knows how to use a delphi decompiler it will have all the info needed to connect directly to the database. So i do not know if this is a good approach. I thought about it myself but still didn't think it's a great ideea.

My idea would be to use a second database (expl.mySQL) with no sensitive data in it, except for a single table containing usernames and passwords (both ecrypted) and second username and pass (also ecrypted). The application will connect to this DB (expl.mySQL), use credentials inputed by the user, encrypt them and search for a match in the table. If match found, use the second user and pass from that table to connect to the main DB.
I really think this is a better approach, although I am sure there must be a much better one out there... this is why I am here asking.

Following my idea... if anyone gets his hands on my sourcecode he can connect to the mysql (non-sensitive) DB and view an ecrypted table. And still the encryption code is my weakness at this point since if the cracker gets his hands on the sourcecode... then he will have access to the encryption/decryption code.... So I  am stuck here... waiting for bright ideas.


And please do not explain to me that any application can be decompiled, or recommend me application exe packers (they all have unpackers)
0
 
LVL 45

Expert Comment

by:aikimark
ID: 22855637
* Do your own evaluation of the Themida obfuscator from Oreans.
* login via https
* the server sends the application a piece of data (long integer or string) which is combined with the user-typed password to create a hash value that is sent in to the server.  The server replicates the process from the hashed values of passwords stored on the server.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 11

Author Comment

by:calinutz
ID: 22916936
I do not own Themida and I am looking for a non commercial solution.
How can I login to PostGreSQL via https?!?! I use components to connect to the database (PostgresDAC). My application is a client server one , not a web application.
The third idea is not very clear to me... could you elaborate? Think database client-server application...
0
 
LVL 45

Accepted Solution

by:
aikimark earned 300 total points
ID: 22917363
* Your source code is the weak point.  Obfuscation seems to be your best protection option against persistent crackers and hackers.  You can go to a LOT of effort to invent your own obfuscator, but your efforts will not be a wise expenditure of your time versus the relatively inexpensive obfuscator cost.  I know you are not 'looking' for a solution that involves commercial software, but it is my best recommendation.

* Since your client application has no way of knowing if there is a man-in-the-middle attack taking place, you will need to use a more sophisticated authentication than you have currently implemented.

* I would say that if you want better security, you should use a separate server side program that communicates with your client application via https, agrees to a session id and password combination for the current IP address and adds that id/pwd combination to the database along with an expiration time.  In this scenario, your program never transmits a plain text password.

* To tighten the security further, have your application program make certain post-login database (or other server side program) calls that can act as a second level authentication.  What you want to do is require a cracker/hacker to delve into many parts of your code other than the login section.

* Release program updates often.  With each update, include a different GUID that is part of the authentication process.
0
 
LVL 11

Author Closing Comment

by:calinutz
ID: 31510284
I kind of know the ideeas you told me, but they all seemed to me as weak solutions before, and that is the reason I posted my question here hoping to get a different answer, a different point of view. However, since you are the only one that answered me I must give you the points and of course thank you for your time.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Introduction The parallel port is a very commonly known port, it was widely used to connect a printer to the PC, if you look at the back of your computer, for those who don't have newer computers, there will be a port with 25 pins and a small print…
Have you ever had your Delphi form/application just hanging while waiting for data to load? This is the article to read if you want to learn some things about adding threads for data loading in the background. First, I'll setup a general applica…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now