
Best method to secure connection to firebird over internet

I have a client-server application which uses a Firebird 2.5 server over the internet. I have run into the problem of giving secure access to FB databases, and as a first approach I tried to solve this problem by integrating a tunnel solution into the application (the STunnel software, more exactly). BUT this approach suffers in many respects:

- it adds more resource consumption (CPU, memory, threads) on both the client and server side,
- software deployment becomes a serious problem, because the STunnel software is written as a WinNT service, not a DLL or a component (a WinNT service needs administrator privileges to install), and my client application needs to run without installation!

SO, I decided to take the bull by the horns (or the bird by the feathers, as we are talking about Firebird). I downloaded the Firebird 2.5 source code and injected secure tunneling code directly into its low-level communication layer (the INET socket layer). NOW, encryption/decryption is done directly by the Firebird engine for each TCP/IP packet.

What do you think about this approach vs external tunneling?

moualek adlene asked Oct 22 '12 08:10


1 Answer

I would recommend wrapping the data exchange in an SSL/TLS stream, on both sides. This is a proven standard, while custom implementations with static keys can be insecure.

For instance, CTR mode with a constant IV can reveal a lot of information, since it only encrypts an incremented vector and XORs it with the data, so XORing two encrypted packets will show the XORed version of the unencrypted packets.

Nickolay Olshevsky answered Oct 19 '22 13:10
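The constant-IV CTR behaviour described in the answer above, as an added example that is not part of the original question or answer and is not Firebird code. Assumptions: HMAC-SHA256 stands in for AES as the block function so the script needs only the standard library (the keystream-reuse property is the same), the two packets and the key are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample packets, not real Firebird wire traffic.
P1 = b"SELECT NAME FROM CUSTOMERS WHERE ID = 1042"
P2 = b"SELECT CARD FROM PAYMENTS  WHERE ID = 1042"

def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR keystream: PRF(key, iv || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: CTR is the same XOR in both directions."""
    return xor(data, ctr_keystream(key, iv, len(data)))

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()

    # Constant IV: both packets are XORed with the same keystream.
    static_iv = bytes(16)
    c1, c2 = ctr_crypt(key, static_iv, P1), ctr_crypt(key, static_iv, P2)
    leak_static = xor(c1, c2) == xor(P1, P2)
    # Zero bytes in c1 XOR c2 mark positions where the plaintexts are equal.
    equal_positions = xor(c1, c2).count(0)

    # Per-packet nonce (here a sequence number): the keystreams differ.
    d1 = ctr_crypt(key, (1).to_bytes(16, "big"), P1)
    d2 = ctr_crypt(key, (2).to_bytes(16, "big"), P2)
    leak_fresh = xor(d1, d2) == xor(P1, P2)
    return leak_static, equal_positions, leak_fresh

if __name__ == "__main__":
    print(demo())
```

A unique nonce per packet only removes the keystream reuse; the SSL/TLS stream the answer recommends also authenticates the peer and protects the data against modification.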