Discussion:
SQLite - how to protect the data
mxs
2007-02-24 03:14:26 UTC
Permalink
Hi guys,

I am quite new here and quite new to SQLite. I am shocked how small and fast
this database is. So far I've been using MS Access for my little projects
and I cannot wait to replace it with SQLite.

Now, I have a question which I will have to deal with. One of the
application I work on contains data which have very high value. In another
words the whole value of the app is the database, rather than the front end.
If somebody makes a clone of the front end I don't care, but if somebody
copies the database and uses the data for his own front end that would be a
disaster. It is not a privacy issue, but rather the amount of effort put
into filling the database up. I used to use a kind of crypto ActiveX when
Access was used. It worked although slowed already not fastest database down
which showed during search and filter operations.

If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.

I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto


Thanks for any suggestions.

Cheers

Marek
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9130596
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Olaf Beckman Lapré
2007-02-24 06:21:07 UTC
Permalink
Hi,

Why not just encrypt the file system or part of the disk where the database
is situated? I use TrueCrypt, a free open-source program, for this and it
works great and it's very fast. Unless you're doing hundreds of transactions
per second, you'll hardly notice the performance loss (with AES/Whirlpool).
You can then also encrypt USB memory sticks when you take the database with
you.

Regards, Olaf

----- Original Message -----
From: "mxs" <tc3-bJEeYj9oJeDQT0dZR+***@public.gmane.org>
To: <sqlite-users-CzDROfG0BjIdnm+***@public.gmane.org>
Sent: Saturday, February 24, 2007 04:14
Subject: [sqlite] SQLite - how to protect the data
Post by mxs
Hi guys,
I am quite new here and quite new to SQLite. I am shocked how small and fast
this database is. So far I've been using MS Access for my little projects
and I cannot wait to replace it with SQLite.
Now, I have a question which I will have to deal with. One of the
application I work on contains data which have very high value. In another
words the whole value of the app is the database, rather than the front end.
If somebody makes a clone of the front end I don't care, but if somebody
copies the database and uses the data for his own front end that would be a
disaster. It is not a privacy issue, but rather the amount of effort put
into filling the database up. I used to use a kind of crypto ActiveX when
Access was used. It worked although slowed already not fastest database down
which showed during search and filter operations.
If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Thanks for any suggestions.
Cheers
Marek
--
http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9130596
Sent from the SQLite mailing list archive at Nabble.com.
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Adriano
2007-02-24 09:04:13 UTC
Permalink
I'm in the same boat too.
I've just found http://www.sqlcrypt.com/
not tryed yet

i need something that can works either on pc or on windoes mobile devices
thanks
Adriano

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-24 18:25:48 UTC
Permalink
Adriano,

this one looks good and the price is not out of the world although not cheap
either.

So this is basically a modified sqlite database which has an additional
function .encrypt and .decrypt. I haven't used many open source products
before so I am not sure how it works as far taking basically a free product
add two (could be more than that I know) functions and charge 150 bucks for
it. If it's not based on the free SQLite and is totally different database
engine then be it, but to me it looks like it rather is (but I haven't
looked too deep).

Obviously this looks like the easiest solution by far. At least to me for
now. Disadvantage is that it is not open source so if the company goes and
there's a bug, there goes your investment ....

Regards

Marek
Post by Adriano
I'm in the same boat too.
I've just found http://www.sqlcrypt.com/
not tryed yet
i need something that can works either on pc or on windoes mobile devices
thanks
Adriano
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9136419
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-24 18:16:55 UTC
Permalink
Hi Olaf,

so I took a quick look and it looks interesting, certainly very affordable.
One caveat could be that it doesn't seem to work under OS X which will be
important to me. Also all I coud find was how to encrypt stuff through their
GUI, but nothing about available API. When I distribute the app the database
must be already in encrypted mode and my frontend will take care of decrypt
through the API. At least that's what I kind of envision. But maybe I missed
something.

Thanks

Marek
Post by Olaf Beckman Lapré
Hi,
Why not just encrypt the file system or part of the disk where the database
is situated? I use TrueCrypt, a free open-source program, for this and it
works great and it's very fast. Unless you're doing hundreds of transactions
per second, you'll hardly notice the performance loss (with
AES/Whirlpool).
You can then also encrypt USB memory sticks when you take the database with
you.
Regards, Olaf
----- Original Message -----
Sent: Saturday, February 24, 2007 04:14
Subject: [sqlite] SQLite - how to protect the data
Post by mxs
Hi guys,
I am quite new here and quite new to SQLite. I am shocked how small and fast
this database is. So far I've been using MS Access for my little projects
and I cannot wait to replace it with SQLite.
Now, I have a question which I will have to deal with. One of the
application I work on contains data which have very high value. In another
words the whole value of the app is the database, rather than the front end.
If somebody makes a clone of the front end I don't care, but if somebody
copies the database and uses the data for his own front end that would be a
disaster. It is not a privacy issue, but rather the amount of effort put
into filling the database up. I used to use a kind of crypto ActiveX when
Access was used. It worked although slowed already not fastest database down
which showed during search and filter operations.
If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Thanks for any suggestions.
Cheers
Marek
--
http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9130596
Sent from the SQLite mailing list archive at Nabble.com.
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9136345
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Ulrich Telle
2007-02-24 12:21:20 UTC
Permalink
Post by Adriano
I'm in the same boat too.
I've just found http://www.sqlcrypt.com/
not tryed yet
i need something that can works either on pc or on windoes mobile
devices
Since I was in need of encrypting my SQLite database, too, and could not
afford a commercial solution I created my own SQLite encryption
extension, based on experiences I gained developing encryption support
for my wxWidgets component wxPdfDocument.

My SQLite encryption extension is written in C++ and should be
compilable on any platform for which SQLite is available. The API is
compatible with the commercial encryption solution offered by D.R. Hipp,
(but not the encrypted database files, since I do not know the
encryption algorithm used by D.R. Hipp). My algorithm is based on
128-Bit-AES. The source code of the extension is distributed with the
latest release (1.7.2) of wxSQLite3, my SQLite wrapper for wxWidgets:

http://sourceforge.net/project/showfiles.php?group_id=51305&package_id=45182&release_id=343361

Regards,

Ulrich

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-24 18:05:16 UTC
Permalink
Hi Ulrich,

I'll be honest with you I had to google around to find out what is wxWidgets
(obviously I've seen it before, but never dipped in). Pls understand I've
been messing around for years with VB (not even the .NET version) and it
served me quite well. But I decided to move on to something rather free of
Microsoft. So I decided I'd like to try Python and SQLite and convert one of
my projects. This would also let me make my product available to other OS
platforms which was one of the original reasons I decided to look elsewhere.

So it sounds like I have a lot of work (interisting one though) ahead of me
and your solution sounds very much ready and usable as soon as I am
confident of my steps in Python etc.

Thanks for your tip.


Regards

Marek
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9136243
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Martin Jenkins
2007-02-24 18:22:03 UTC
Permalink
Post by mxs
I had to google around to find out what is wxWidgets
...
I decided I'd like to try Python and SQLite
Check out wxPython too.

Martin

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Rich Shepard
2007-02-24 18:42:43 UTC
Permalink
Post by Martin Jenkins
Post by mxs
I decided I'd like to try Python and SQLite
Check out wxPython too.
Python->wxPython->pysqlite2->sqlite3

Works for me.

Rich
--
Richard B. Shepard, Ph.D. | The Environmental Permitting
Applied Ecosystem Services, Inc. | Accelerator(TM)
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Ulrich Telle
2007-02-24 19:31:17 UTC
Permalink
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different platforms. But it wasn't my intent to point you in the direction of wxWidgets.

My encryption solution for SQLite is not bound to wxWidgets in any way. You may as well use it completely independent of wxWidgets (or my component wxSQLite3).

You may just take the source code of my encryption extension from the file release of wxSQLite3, combine it with the sources of SQLite itself, compile with just any C++ compiler to get a SQLite library or DLL supporting database encryption. Please read the readme file of wxSQLite3 for further information.

My extension implements two functions of the SQLite API, namely sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which are not implemented in the normal SQLite distribution. To use encryption sqlite3_key has to be called immediately after the call to sqlite3_open. That's all.

Regards,

Ulrich

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-25 02:18:06 UTC
Permalink
Thanks Ulrich, but I think that goes beyond the scope of my knowledge and
tools I have available to me.

I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality. I cannot believe
that there is not more need for it between SQLite users. You make it sound
like it shouldn't be a problem for someone who knows C++. But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.

Thanks for your suggestion anyways.

If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?

Thanks again

Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different
platforms. But it wasn't my intent to point you in the direction of
wxWidgets.
My encryption solution for SQLite is not bound to wxWidgets in any way.
You may as well use it completely independent of wxWidgets (or my
component wxSQLite3).
You may just take the source code of my encryption extension from the file
release of wxSQLite3, combine it with the sources of SQLite itself,
compile with just any C++ compiler to get a SQLite library or DLL
supporting database encryption. Please read the readme file of wxSQLite3
for further information.
My extension implements two functions of the SQLite API, namely
sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which
are not implemented in the normal SQLite distribution. To use encryption
sqlite3_key has to be called immediately after the call to sqlite3_open.
That's all.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9140086
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Roger Binns
2007-02-25 02:44:59 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by mxs
I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality.
DRH already did! You get a perpetual license. It is also well
integrated into the SQLite code, and can be assumed to have the same
high level of testing and quality as the rest of the SQLite code. And
you know it will correctly work with future releases of SQLite no matter
how the internals change. When you consider the expertise to get
security right (see how the non-security people got WEP wrong in
802.11), the effort required for a complete test suite, and maintenance
for all future versions of SQLite, it is a bargain compared to doing the
work yourself.
Post by mxs
But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.
I assume enough people asked for it.
Post by mxs
If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?
http://www.google.com/search?q=tkinter+vs+wxpython

I recommend seeing how various things you will want to do later are
supported by the toolkit such as internationalization, printing,
clipboard, drag and drop etc.

Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF4PgrmOOfHg372QQRAifEAJ9j/tCcXKh8Sfk2WjUeVzdPFIyCjwCgpI/R
rQisMusTExO5mUkNtIJtlSo=
=3IP9
-----END PGP SIGNATURE-----

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Ulrich Telle
2007-02-25 06:26:21 UTC
Permalink
Hi Marek,
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge
and tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and
released version of SQLite with encrypt and decrypt functionality.
Well, there is a prebuilt DLL with encryption support for Windows bundled with wxSQLite3.
Post by mxs
You make it sound like it shouldn't be a problem for someone who knows
C++. But I am expecting a catch somewhere, otherwise why would there be
commercial versions of SQLite which has this functonality.
The catch is that for non-commercial solutions you don't have a guarantee *how* secure your encrypted database will be. The weak point of encryption is how the encryption key is generated and whether it's hard to crack or not.

I have no proof how secure my solution is but the encryption key is generated in much the same way as it is for Adobe PDF. So I guess what's good enough for PDF should be good enough for SQLite. But I won't give you a guarantee.
Post by mxs
If you don't mind one more off topic question. You seem to have
experience with wxWidgets. In tandem with wxPython is that a better
tool to use than just Python and Tkinter. Which route is the easier
one for a beginner in this language?
Although I know wxWidgets quite well I can't give a qualified answer to your question since I'm using C++ almost exclusively. But I heard wxPython to be very usable.

Regards,

Ulrich

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Roger Binns
2007-02-25 10:38:56 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Ulrich Telle
I have no proof how secure my solution is but the encryption key is generated in much the same way as it is for Adobe PDF. So I guess what's good enough for PDF should be good enough for SQLite. But I won't give you a guarantee.
The problem isn't so much how you generate keys, but how you use them.
Google shows over a million hits for 'pdf encryption crack'.

Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF4WdAmOOfHg372QQRAl9bAKDlXi1WgyjznQffY01E7KURVHD1RwCfTfB4
0R6z/ZBmqFR2HG9EsKsOcAk=
=4lgD
-----END PGP SIGNATURE-----

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Ulrich Telle
2007-02-25 13:01:35 UTC
Permalink
Hi Roger,
Post by Roger Binns
The problem isn't so much how you generate keys, but how you use them.
Google shows over a million hits for 'pdf encryption crack'.
You're certainly right. But there is a difference between the PDF encryption and the SQLite encryption I implemented.

PDF encryption is designed in such a way that it's easily possible to decrypt a document if only access permissions are set but no password(s). For this purpose every PDF document contains two values (the U value and the O value) corresponding to the user password resp. owner password. But if a password is set it takes quite a while to crack it, although it's certainly not uncrackable.

My implementation for SQLite does not store such information into the database. So it should be a bit harder to crack the encryption.

Nevertheless there is a weak point in my current implementation, namely the SQLite magic file header. Since this header has 16 bytes and has a (usually known) value it could be used to reconstruct the encryption key. I don't think it's trivial to do it, but I didn't investigate how much effort it would be to crack the encryption key using this information. And probably I'll change my implementation in the next version to not give away such a clue.

But, hey, my implementation is for free. If someone has really tight security constraints he or she should buy and use a commercial solution.

Regards,

Ulrich
--
Ulrich Telle
E-Mail privat: mailto:Ulrich.Telle-***@public.gmane.org
E-Mail Studium: mailto:Ulrich.Telle-***@public.gmane.org
Homepage: http://www.stud.fernuni-hagen.de/q1471341
Fax: +49-(0)12120-203070


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-25 14:39:16 UTC
Permalink
Thanks Ulrich.

Regards

Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge
and tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and
released version of SQLite with encrypt and decrypt functionality.
Well, there is a prebuilt DLL with encryption support for Windows bundled with wxSQLite3.
Post by mxs
You make it sound like it shouldn't be a problem for someone who knows
C++. But I am expecting a catch somewhere, otherwise why would there be
commercial versions of SQLite which has this functonality.
The catch is that for non-commercial solutions you don't have a guarantee
*how* secure your encrypted database will be. The weak point of encryption
is how the encryption key is generated and whether it's hard to crack or
not.
I have no proof how secure my solution is but the encryption key is
generated in much the same way as it is for Adobe PDF. So I guess what's
good enough for PDF should be good enough for SQLite. But I won't give you
a guarantee.
Post by mxs
If you don't mind one more off topic question. You seem to have
experience with wxWidgets. In tandem with wxPython is that a better
tool to use than just Python and Tkinter. Which route is the easier
one for a beginner in this language?
Although I know wxWidgets quite well I can't give a qualified answer to
your question since I'm using C++ almost exclusively. But I heard wxPython
to be very usable.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9144207
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
John Stanton
2007-02-25 17:13:00 UTC
Permalink
One way or another you have to apply sweat or treasure to protect your
data asset. Just how valuable is it?
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge and
tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality. I cannot believe
that there is not more need for it between SQLite users. You make it sound
like it shouldn't be a problem for someone who knows C++. But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.
Thanks for your suggestion anyways.
If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?
Thanks again
Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different
platforms. But it wasn't my intent to point you in the direction of
wxWidgets.
My encryption solution for SQLite is not bound to wxWidgets in any way.
You may as well use it completely independent of wxWidgets (or my
component wxSQLite3).
You may just take the source code of my encryption extension from the file
release of wxSQLite3, combine it with the sources of SQLite itself,
compile with just any C++ compiler to get a SQLite library or DLL
supporting database encryption. Please read the readme file of wxSQLite3
for further information.
My extension implements two functions of the SQLite API, namely
sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which
are not implemented in the normal SQLite distribution. To use encryption
sqlite3_key has to be called immediately after the call to sqlite3_open.
That's all.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Teg
2007-02-25 19:30:55 UTC
Permalink
Hello All,

You also have to accept that, if it's on the user's PC and they REALLY
want that data, they can get it. They don't even need to crack the
encryption. They just need to figure out what key the program's using
to unlock the DB. There's absolutely no way to protect data that's
stored on someone else's PC. Just look at DVD's, HD DVD and Blu-Ray
disks. Millions spent on security, cracked within months of release.


C

Sunday, February 25, 2007, 12:13:00 PM, you wrote:

JS> One way or another you have to apply sweat or treasure to protect your
JS> data asset. Just how valuable is it?
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge and
tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality. I cannot believe
that there is not more need for it between SQLite users. You make it sound
like it shouldn't be a problem for someone who knows C++. But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.
Thanks for your suggestion anyways.
If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?
Thanks again
Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different
platforms. But it wasn't my intent to point you in the direction of
wxWidgets.
My encryption solution for SQLite is not bound to wxWidgets in any way.
You may as well use it completely independent of wxWidgets (or my
component wxSQLite3).
You may just take the source code of my encryption extension from the file
release of wxSQLite3, combine it with the sources of SQLite itself,
compile with just any C++ compiler to get a SQLite library or DLL
supporting database encryption. Please read the readme file of wxSQLite3
for further information.
My extension implements two functions of the SQLite API, namely
sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which
are not implemented in the normal SQLite distribution. To use encryption
sqlite3_key has to be called immediately after the call to sqlite3_open.
That's all.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
JS> -----------------------------------------------------------------------------
JS> To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
JS> -----------------------------------------------------------------------------
--
Best regards,
Teg mailto:Teg-***@public.gmane.org


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-26 03:37:29 UTC
Permalink
I get that, but I will draw an analogy for you. My dad cannot rip a
commercial movie DVD and because he doesn't know how he even doesn't try. So
if someone doesn't know how to crack it I'd say that most people will not
even bother, very few might and some of those could succeed. But I can live
with that and I will.

Regards

Marek
Post by Teg
Hello All,
You also have to accept that, if it's on the user's PC and they REALLY
want that data, they can get it. They don't even need to crack the
encryption. They just need to figure out what key the program's using
to unlock the DB. There's absolutely no way to protect data that's
stored on someone else's PC. Just look at DVD's, HD DVD and Blu-Ray
disks. Millions spent on security, cracked within months of release.
C
JS> One way or another you have to apply sweat or treasure to protect your
JS> data asset. Just how valuable is it?
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge and
tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality. I cannot believe
that there is not more need for it between SQLite users. You make it sound
like it shouldn't be a problem for someone who knows C++. But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.
Thanks for your suggestion anyways.
If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?
Thanks again
Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different
platforms. But it wasn't my intent to point you in the direction of
wxWidgets.
My encryption solution for SQLite is not bound to wxWidgets in any way.
You may as well use it completely independent of wxWidgets (or my
component wxSQLite3).
You may just take the source code of my encryption extension from the file
release of wxSQLite3, combine it with the sources of SQLite itself,
compile with just any C++ compiler to get a SQLite library or DLL
supporting database encryption. Please read the readme file of wxSQLite3
for further information.
My extension implements two functions of the SQLite API, namely
sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which
are not implemented in the normal SQLite distribution. To use encryption
sqlite3_key has to be called immediately after the call to sqlite3_open.
That's all.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
JS>
-----------------------------------------------------------------------------
JS>
-----------------------------------------------------------------------------
--
Best regards,
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9153088
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-26 03:31:39 UTC
Permalink
I don't have any market value in mind, but I do know that the data in the
database took a lot of time to put together (and I mean a lot). It was very
lengthy process of one individual. So it does have a high value, although
not one you can put a monetary value on, not at least for now.

Regards

Marek
Post by John Stanton
One way or another you have to apply sweat or treasure to protect your
data asset. Just how valuable is it?
Post by mxs
Thanks Ulrich, but I think that goes beyond the scope of my knowledge and
tools I have available to me.
I wish somebody (who has C++ knowledge) has done it already and released
version of SQLite with encrypt and decrypt functionality. I cannot believe
that there is not more need for it between SQLite users. You make it sound
like it shouldn't be a problem for someone who knows C++. But I am expecting
a catch somewhere, otherwise why would there be commercial versions of
SQLite which has this functonality.
Thanks for your suggestion anyways.
If you don't mind one more off topic question. You seem to have experience
with wxWidgets. In tandem with wxPython is that a better tool to use than
just Python and Tkinter. Which route is the easier one for a beginner in
this language?
Thanks again
Marek
Post by Ulrich Telle
Hi Marek,
Post by mxs
I'll be honest with you I had to google around to find out what is
wxWidgets (obviously I've seen it before, but never dipped in). Pls
understand I've been messing around for years with VB (not even the
.NET version) and it served me quite well. But I decided to move on
to something rather free of Microsoft.
Well, wxWidgets _is_ free of Microsoft and is available for many different
platforms. But it wasn't my intent to point you in the direction of
wxWidgets.
My encryption solution for SQLite is not bound to wxWidgets in any way.
You may as well use it completely independent of wxWidgets (or my
component wxSQLite3).
You may just take the source code of my encryption extension from the file
release of wxSQLite3, combine it with the sources of SQLite itself,
compile with just any C++ compiler to get a SQLite library or DLL
supporting database encryption. Please read the readme file of wxSQLite3
for further information.
My extension implements two functions of the SQLite API, namely
sqlite3_key and sqlite3_rekey (see sqlite3.h header file of SQLite), which
are not implemented in the normal SQLite distribution. To use encryption
sqlite3_key has to be called immediately after the call to sqlite3_open.
That's all.
Regards,
Ulrich
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9153025
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
John Stanton
2007-02-24 14:52:12 UTC
Permalink
You could use encryption like DES etc in your application. Since sqlite
is open source you could build encryption into the DB. Since an Sqlite
database is one file you can encrypt that file in the file system.

If those are too difficult, make a deal with Dr Hipp for his encrypted
Sqlite.
Post by mxs
Hi guys,
I am quite new here and quite new to SQLite. I am shocked how small and fast
this database is. So far I've been using MS Access for my little projects
and I cannot wait to replace it with SQLite.
Now, I have a question which I will have to deal with. One of the
application I work on contains data which have very high value. In another
words the whole value of the app is the database, rather than the front end.
If somebody makes a clone of the front end I don't care, but if somebody
copies the database and uses the data for his own front end that would be a
disaster. It is not a privacy issue, but rather the amount of effort put
into filling the database up. I used to use a kind of crypto ActiveX when
Access was used. It worked although slowed already not fastest database down
which showed during search and filter operations.
If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Thanks for any suggestions.
Cheers
Marek
-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-24 17:54:36 UTC
Permalink
Hi John,

thanks for the suggestion, but that is rather more than I can swallow right
now. I will have to keep looking for more complete solution which I can just
benefit from.

Regards

Marek
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9136154
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Adriano
2007-02-25 17:56:55 UTC
Permalink
Post by mxs
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Somebody is using that Sqlite Author solution ?
May i used that solution on all the platform ?
I need it for windows, mac os, windos ce devices ?
I do not understand how to encrypt / decrypt database ... with that
solution ... i've to create a unencrypt database and than ?

Thanks
Adriano

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Florian Weimer
2007-02-24 19:19:51 UTC
Permalink
Post by mxs
If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.
You need to turn your application into some kind of web-based service
which is actively monitored for misuse.

Anybody who's got a copy of the application can reverse-engineer it
and reimplement the decryption routines. There is no way around that.

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-25 02:23:32 UTC
Permalink
I realize that, but this is about making it difficult for the average Joe not
to stop professional hackers who I assume can steal anything they want.

Web based approach will not happen in my case and I am not sure you could
guarantee its safety there either. It might be safer with close monitoring,
but never 100% safe.

Thanks

Marek
Post by Florian Weimer
Post by mxs
If anybody knows hot to ensure that the data is not readable without the
front end I would appreciate it.
You need to turn your application into some kind of web-based service
which is actively monitored for misuse.
Anybody who's got a copy of the application can reverse-engineer it
and reimplement the decryption routines. There is no way around that.
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9140122
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Nuno Lucas
2007-02-25 05:28:47 UTC
Permalink
Post by mxs
I realize that, but this is about making it difficult for the average Joe not
to stop professional hackers who I assume can steal anything they want.
Look for SQLITE_FILE_HEADER in the code (it's in the btree.c file). By
redefining it, only your application will be able to open a sqlite
database created by it.

The database will not be encrypted, and you will not be able to open
sqlite databases made by other applications, but will be enough for
the average Joe.

You will have to check every time there is a file format change to not
destroy your databases, though.


Regards,
~Nuno Lucas

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Roger Binns
2007-02-25 02:05:12 UTC
Permalink
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by mxs
One of the
application I work on contains data which have very high value.
[...]
Post by mxs
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Your statements are contradictory! It has very high value, but you
aren't prepared to spend a one time fee of $2,000 to protect that high
value?

Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF4O7YmOOfHg372QQRApofAJwORp2fWwlyG0ZJNenVFW0KSQNWEQCfUsYt
0+Y3UTKEWz3/xgv8XxNfqQc=
=tLdz
-----END PGP SIGNATURE-----

-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
mxs
2007-02-25 02:20:13 UTC
Permalink
Well, it might sound contradictory, but it's not. I don't know how well the
product will sell and I am not prepare to drop down my own cash to do it.
Not at least at the begining.

Regards

Marek
Post by Roger Binns
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by mxs
One of the
application I work on contains data which have very high value.
[...]
Post by mxs
I found a link talking about encryption, but this is not exactly affordable
for my type of project.
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto
Your statements are contradictory! It has very high value, but you
aren't prepared to spend a one time fee of $2,000 to protect that high
value?
Roger
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF4O7YmOOfHg372QQRApofAJwORp2fWwlyG0ZJNenVFW0KSQNWEQCfUsYt
0+Y3UTKEWz3/xgv8XxNfqQc=
=tLdz
-----END PGP SIGNATURE-----
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--
View this message in context: http://www.nabble.com/SQLite---how-to-protect-the-data-tf3282484.html#a9140103
Sent from the SQLite mailing list archive at Nabble.com.


-----------------------------------------------------------------------------
To unsubscribe, send email to sqlite-users-unsubscribe-CzDROfG0BjIdnm+***@public.gmane.org
-----------------------------------------------------------------------------
Continue reading on narkive:
Loading...