Database Security and Blowfish Encryption
 


The_Antisony

26th September, 2012 at 18:20:01

I'm working on a little utility program which stores a whole mess of personal information which could be pretty darn damning if it ever found its way into the hands of an identity thief. I've been working on a personal information security system (PISS. lol) that requires a user create a username and password the first time the application is loaded. The username and password are recorded to the database, then the database file is encrypted via Blowfish.

Every time the database is accessed or queried, it'll require that the database file be decrypted. I'm not particularly worried about database security AFTER the user correctly logs in, but how do I verify username and password without decrypting the database file and leaving it completely accessible to would-be identity thieves BEFORE login verification? Kinda defeats the point of requiring a login when anybody has direct access to the unencrypted database file while the login screen is up.

I've thought about making a separate login credentials file where only the actual strings for username and password are encrypted, but the only way I can think of connecting it to what could be one of several database files is by including some kind of comparative file hash. If the computer hangs or freezes sometime after modifying the database but before creating a new hash, not even the correct login information will allow access to the database. No bueno.

Does anybody else have any other options, observations, or input? There's likely something I haven't considered, I'm sure of it.

 
ChrisD> Employer: Say, wanna see a magic trick?
ChrisD> Employee: Uhh… sure, boss.
ChrisD> Employer: Your job! It just disappeared! Pack your things and leave! Pretty good trick, huh?

UrbanMonk

26th September, 2012 at 18:32:05

Firstly you should Blowfish encrypt the database using the user's username+password+secret key, where the secret key is something you hardcode into the program.

Next you should store a separate hash of the username+password+salt and then verify the user's info before using it to decrypt the database.
I suggest you double hash it since there are databases online of hash tables.

This is how most similar programs operate.

 
n/a
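One way to put the reply above into practice, as an added example that is not part of the original thread: a salted verifier is stored in the clear at the front of the database file, and a correct login yields the cipher key without the file ever being decrypted to check it. It uses PBKDF2 from Python's standard library in place of the suggested double hash (a substitution made here); the function names, the 48-byte header layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; raise it as far as login delay allows
SALT_LEN = 16

def _derive(username, password, salt, app_secret):
    """Stretch the credentials into (verifier, key), 32 bytes each."""
    # Length-prefix the username so ("ab", "c") and ("a", "bc") differ.
    name = username.encode("utf-8")
    material = len(name).to_bytes(4, "big") + name + password.encode("utf-8")
    # app_secret plays the role of the hardcoded "secret key" from the reply.
    out = hashlib.pbkdf2_hmac("sha512", material, salt + app_secret,
                              ITERATIONS, dklen=64)
    return out[:32], out[32:]

def create_header(username, password, app_secret):
    """First run: return (header, key). The header is stored unencrypted."""
    salt = os.urandom(SALT_LEN)
    verifier, key = _derive(username, password, salt, app_secret)
    return salt + verifier, key

def unlock(header, username, password, app_secret):
    """Return the cipher key if the credentials match the header, else None."""
    salt, stored = header[:SALT_LEN], header[SALT_LEN:SALT_LEN + 32]
    verifier, key = _derive(username, password, salt, app_secret)
    # Constant-time comparison; the database body is not touched on failure.
    if not hmac.compare_digest(verifier, stored):
        return None
    return key

if __name__ == "__main__":
    secret = b"constructed-app-secret"  # constructed sample value
    header, key = create_header("alice", "correct horse", secret)
    print("good login:", unlock(header, "alice", "correct horse", secret) == key)
    print("bad login: ", unlock(header, "alice", "guess", secret))
```

Because the header depends only on the credentials and the salt, not on the database contents, it never has to be rewritten when records change, so a crash in the middle of a save cannot lock the user out.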
   
