Hello there!
I want to know if there is some way to override the connection class to implement any kind of crypto desired (including custom crypto).
I say... I need a code (vb.net please) to intercept any incoming reads and any outgoing writes to implement crypto methods easily.
The benefits are enormous as we will not have to change the queries.
Thank you!
|
|
If you do that, how will the database be able to tell what queries you are sending? Or how will it be able to send the answers back encrypted in the way you want?
|
Thanks for your attention!
Look... The queries will not change...
When I query: "SELECT Name, Address FROM Clients WHERE Name = 'John Doe'" on the code... the server just does the thing... responding with something that is crypted without knowing that... and that IS ok...
What I need is to avoid custom code customization like this:
myQuery = "SELECT Name, Address FROM Clients WHERE Name = '" & Crypt("John Doe") & "'"
I need to develop something smart enough to intercept this message and replace only the crypted fields (I will have to inform what field are customizing the connection-or whatever class, or by informing a pattern like... all text fields... or all fields with fieldnames beginning with "abc"... whatever) with the right values to be possible the server catch the query...
I don't need to rely on storage procedures or triggers or any database engine... I need code side solution for this... I am a developer... not a DBA... and... I don't need those crypto/decrypto methods on the hands of anybody else... nor saved on the Database trigger code... it will be not safe...
On the end I need something on the DataAdapter, or on the Connection classes to intercept this message and translate it before sending the command for the database engine...
And... on the other hand... the response will be the same....
As the server sends me something like this...
Name | Address
--------------------------------------
~4wi2.s |!´$dn8#$0z0e[´_=2^/\!%
I need those fields automatically re-rendered to something readable without having to code, because the class translates it for me...
Name | Address
--------------------------------------
John Doe | 2540 Developers Street
Avoiding the hard code:
For each Record replace Record.value with Decipher(Record.value)... etc...
Ok?
Please... give something to begin...
Thanks...
|
The basic idea of encrypting connections is described in here: Encrypting Connections to SQL Server[^].
Beyond that, I believe you could use stored procedures that take encrypted text as parameter and return, not result sets, but encrypted text. In both ends you could then decrypt the data. But I really don't see the point in doing that:
- performance degrades
- complexity increases
- possible interpretation problems
- not likely to result any better security than those mechanisms that are supported by SQL Server
The need to optimize rises from a bad design.
My articles[ ^]
|
I see...
But I'm not interested on attaching my code on any SQL Server Engine on particular... please understand...
And... no way to write this kind of code on DBA personnel public areas... nor on the client-administrated database servers...
And about those points you mentioned...
- performance degrades
It depends on the value of the data you are storing... in some cases it justifies this degradation...
- complexity increases
I have the custom crypto product already developed, and, I see no complexity on simplifying the code involved on the ciphering methods... again... this fact by itself (simplifying custom ciphering code) justifies the work...
- possible interpretation problems
Problems are here to resolve... but first we need them to pop-up... And that's why I need to rewrite those connection, dataadapter and command classes...
- not likely to result any better security than those mechanisms that are supported by SQL Server
You don't think it? Interesting! Because on my humble opinion those classic crypto methods are a kind of "boxed"... That's why I have written my custom cyphering classes...
But please... Give me something to work on that classes... freely... not depending on a specific database engine... Because I am ready to try to rewrite those classes for each engine, one by one...
But I need to know more about rewriting those classes...
Thank You!
|
I'm having a hard time to understand what you're after.
If you want to communicate securely with the database server, almost all of the database systems support that (as I posted the link regarding SQL Server).
If you want to store the data encrypted, some of the database systems support also that (for example both SQL Server and Oracle). The idea is that if you have sufficient privileges, you'll see the actual data regardless what tool you use.
If you want to encrypt the data so that it cannot be seen anywhere but in your program, you'll encrypt the data before you send it to the database. The simplest way could be using classes that are inherited from the actual Parameter classes (like SqlParameter). Whenever the value is set in your program, you encrypt it and when the value is retrieved, you decrypt it. This would however have a downside not seeing the data correctly in the database (using for example Enterprise Manager etc) even if you have sufficient privileges.
But if I understood you correctly, inheriting parameter and adding logic to it could be a starting point. However, I don't think you can do this so that it's usable for all databases since every database has different classes (SQL Server has SqlConnection, SqlParameter etc, Oracle has OracleConnection, OracleParameter etc, ODBC has OdbcConnection, OdbcParameter and so on).
|
Dear Mika Wendelius,
Thank you again for your attention! You are a kind of a person!
Let me explain myself better... as I posted to our friend, Mr.Dave Kreskowiak:
"I just like big tasks... as I sense that the basic flexibility for those classes needs to be on discussion... And I am ready to begin working on it...
Databases Engines are for help, not to orient the code... As I think that way...
And, for that... I just trying to have some flexibility on those classes"
And I think that is what "discussion forums" about... it is not all about ourselves, our careers, jobs... it is to discuss the very basics, and it is what I am doing... questioning... trying... improving... and looking for the benefits over that...
Now... commenting your nice words....
"... almost all database systems supports that..."
Yes! But all relies on server certificates... that costs a lot for me... then I need to send those tcp-ip packs already crypted... without relying on third party security services, orders, certificates, wills, etc...
"If you want to encrypt.... if you have sufficient privileges"
See... that's the point!!! I command the database I am responsible for BY CODE... not on the contrary... understand now? please...
"If you want to encrypt the data... inherited the actual Parameter classes. Whenever the value is set in your program, you encrypt it and when the value is retrieved, you decrypt it..."
Again... that is the point... I need those classes to do the hard work for me... not on the contrary... please... understand...
"I don't think you can do this so that it's usable for all databases since every database has different classes..."
Lets begin coding... MySQL first... MS SQL next on the line... etc...
Please see the post I send to Mr. Colin Angus Mackay...
=========== begin copied post =========
Thanks for your attention!
Look... The queries will not change...
When I query: "SELECT Name, Address FROM Clients WHERE Name = 'John Doe'" on the code... the server just does the thing... responding with something that is crypted without knowing that... and that IS ok...
What I need is to avoid custom code customization like this:
myQuery = "SELECT Name, Address FROM Clients WHERE Name = '" & Crypt("John Doe") & "'"
I need to develop something smart enough to intercept this message and replace only the crypted fields (I will have to inform what field are customizing the connection-or whatever class, or by informing a pattern like... all text fields... or all fields with fieldnames beginning with "abc"... whatever) with the right values to be possible the server catch the query...
I don't need to rely on storage procedures or triggers or any database engine... I need code side solution for this... I am a developer... not a DBA... and... I don't need those crypto/decrypto methods on the hands of anybody else... nor saved on the Database trigger code... it will be not safe...
On the end I need something on the DataAdapter, or on the Connection classes to intercept this message and translate it before sending the command for the database engine...
And... on the other hand... the response will be the same....
As the server sends me something like this...
Name | Address
--------------------------------------
~4wi2.s |!´$dn8#$0z0e[´_=2^/\!%
I need those fields automatically re-rendered to something readable without having to code, because the class translates it for me...
Name | Address
--------------------------------------
John Doe | 2540 Developers Street
Avoiding the hard code:
For each Record replace Record.value with Decipher(Record.value)... etc...
Ok?
Please... give something to begin...
Thanks...
=========== end copied post ===========
Thanks for your support!
But... yet... I need those classes codes to overwrite them... in VB.net...
Is there any source for it?
|
By the way... I think that your inheriting Parameter classes will do the job very nicely... without a long time development... just a few customizations on the class creation... some few methods to test if the field needs pre/post processing and we are done!...
Thanks for the tip, I think it will fit.
Thank YOU!
|
I was just testing the implementation and I had forgotten that SqlParameter is sealed. So your class could be something like (need to implement all the properties and methods so this is just a seed):

    Public Class MyParameter
        ' SqlParameter is sealed, so wrap an instance instead of inheriting from it.
        Private actualParameter As New System.Data.SqlClient.SqlParameter()

        ' Encrypt and Decrypt are your own routines (not shown here).
        Public Property Value() As Object
            Get
                ' Only strings are stored encrypted; other types pass through.
                If (TypeOf actualParameter.Value Is String) Then
                    Return Decrypt(actualParameter.Value)
                Else
                    Return actualParameter.Value
                End If
            End Get
            Set(ByVal value As Object)
                ' Test the incoming value, not the one stored previously.
                If (TypeOf value Is String) Then
                    actualParameter.Value = Encrypt(value)
                Else
                    actualParameter.Value = value
                End If
            End Set
        End Property
        ...
    End Class
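Added example, not part of the thread and not any poster's code: the `Encrypt`/`Decrypt` pair that the wrapper above calls has to be deterministic, or `WHERE Name = @name` never matches a stored row. `FieldCipher`, `DeriveIv` and `Protect` are hypothetical names, and standard AES with an HMAC-derived IV stands in for the custom cipher mentioned in the thread; `Protect` takes `IDbDataParameter`, so it accepts any provider's parameter class.

```vbnet
Imports System
Imports System.Data
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

' Added example: FieldCipher and its members are hypothetical names.
Public NotInheritable Class FieldCipher
    Private ReadOnly encKey As Byte(), macKey As Byte()   ' two independent 32-byte keys
    Public Sub New(encKey As Byte(), macKey As Byte())
        Me.encKey = encKey : Me.macKey = macKey
    End Sub
    ' IV = first 16 bytes of HMAC-SHA256(plaintext): equal plaintexts give
    ' equal ciphertexts, so an equality predicate on the column still matches.
    Private Function DeriveIv(data As Byte()) As Byte()
        Using h As New HMACSHA256(macKey)
            Return h.ComputeHash(data).Take(16).ToArray()
        End Using
    End Function
    Public Function Encrypt(plain As String) As String
        Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
        Dim iv As Byte() = DeriveIv(data)
        Using alg As Aes = Aes.Create()          ' AES-CBC with PKCS7 (defaults)
            alg.Key = encKey : alg.IV = iv
            Using enc As ICryptoTransform = alg.CreateEncryptor()
                Dim ct As Byte() = enc.TransformFinalBlock(data, 0, data.Length)
                Return Convert.ToBase64String(iv.Concat(ct).ToArray())
            End Using
        End Using
    End Function
    Public Function Decrypt(stored As String) As String
        Dim raw As Byte() = Convert.FromBase64String(stored)
        Dim iv As Byte() = raw.Take(16).ToArray()
        Using alg As Aes = Aes.Create()
            alg.Key = encKey : alg.IV = iv
            Using dec As ICryptoTransform = alg.CreateDecryptor()
                Dim data As Byte() = dec.TransformFinalBlock(raw, 16, raw.Length - 16)
                ' The stored IV doubles as a MAC over the plaintext: reject altered values.
                If Not DeriveIv(data).SequenceEqual(iv) Then Throw New CryptographicException("field failed integrity check")
                Return Encoding.UTF8.GetString(data)
            End Using
        End Using
    End Function
    ' Provider-neutral: SqlParameter, OracleParameter and OdbcParameter all implement IDbDataParameter.
    Public Sub Protect(p As IDbDataParameter)
        Dim s As String = TryCast(p.Value, String)
        If s IsNot Nothing Then p.Value = Encrypt(s)
    End Sub
End Class
```

Because equal plaintexts produce equal ciphertexts, anyone who can read the table can tell which rows share a value, and range or `LIKE` predicates do not work on protected columns.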
|
Yes... it is sealed...
Is there any way get the vb.net version of this class, to help me beginning the task?
|
Yes! It will be handy! Thank you, again!
|
You're welcome.
|
That won't work unless you rewrite the connection manager in SQL Server too. Good Luck with that!
|
Yes... it will be a hard work... as a payback I promise to publish something here after obtain some success on this enterprise...
Where I begin researching those class, methods, events, etc... in VB.net...
Thanks...
|
<Shakes head slowly>I hope you realize that this is a very LARGE undertaking for very little benefit</Shakes head slowly> You're not going to get a much more secure SQL Server connection without taking a large performance hit in the process. Good luck...
|
I understand and respect your point...
But again... you give me nothing... Please give me something (on VB.net) to begin my try...
Thank you!
|
Actually, he gave you something very valuable. It is just that you are so intent on your current target that you fail to see that best way to win over all is to aim at a different set of targets.
|
What! Besides all the criticism I don't see any code of yours answering my demand, or any tip of yours for that. Sorry.
|
E.Nando wrote: I don't see any code of yours answering my demand
I don't respond to demands. Demanding something when you are not in a position to do so is very rude.
My boss may demand something of me because he has the power and authority to do that. On the other hand, I'm giving up my free time to suggest that you may want to look at an alternative way of doing something and you get pissed off with me because it does not fit the route you want to take.
If someone says that they want to go from Glasgow to London I will suggest taking the M74, M6 then M1. If they insist on going by Inverness, Aberdeen, Newcastle, Birmingham, and Bristol en route for no good reason then I'm really at a loss as to give them an easy route. I can suggest the M8, M80, M9, A9, A96, A90, M90, A1, M1, M62, M60, M56, M6, M5, M32, and M4 but that is a heck of a long explanation when the reality is that they don't actually need to go via all these places, they just want to get to London.
As far as I can see, you are attempting to make a mountain out of a molehill. In my experience there is no good reason to do this.
|
Again, you are missing the point! My Gosh!
AS I NEVER MENTIONED DEMAND AS YOU INTERPRETED...
Don't make me laugh!
But again... thanks to give me nothing!
And... Enough! While you are playing "smart guy" I got my "demands" discussed and responsed... professionally... without emotional crisis...
|
Suit yourself. I still think Mika's original suggestion[^] was the correct one.
E.Nando wrote: AS I NEVER MENTIONED DEMAND AS YOU INTERPRETED
Well, now you are just shouting... And it was you that used the word "demand". I don't know how else to interpret demand. Someone with power or in authority can demand stuff (my boss, a police officer, a politician, a pissed off customer). Someone with neither cannot.
E.Nando wrote: thanks to give me nothing!
You know what... I'm on this forum because I've made mistakes in the past, coming up with weird convoluted solutions to problems. All I am trying to do is to prevent other people making the mistakes I made. If you don't want the benefit of my advice (even if it is simply to say "that's the wrong road") then fair enough. Ignore me, don't enter in to an argument with me.
E.Nando wrote: While you are playing "smart guy"
If that is the impression I gave then I am sorry. I still make mistakes and I am still trying to help people and put up signs to say "Wrong Way" if I discover the road does not lead in the right direction. Even if I do not know the right way, alerting people to the wrong way is better than nothing.
E.Nando wrote: without emotional crisis
I'm not the one who is emotional. I'm taking a dispassionate view. I'm explaining my case and why I responded the way that I did. I always try to give good advice as far as I can. As far as I can see that is what I have done here. I advised that the route you have chosen is not a wise choice. I can say that because I took a similar route a number of years ago and it caused me lots of problems. I have learned not to do that again.
|
E.Nando wrote: AS I NEVER MENTIONED DEMAND AS YOU INTERPRETED...
Allow me to quote you:
What! Besides all the criticism I don't see any code of yours answering my demand, or any tip of yours for that. Sorry.
E.Nando wrote: But again... thanks to give me nothing!
Then ask a question that is answerable. What you want doesn't exist because nobody has an SDK SQL Server that allows you to replace the Connection Manager. I'll say it again -> good luck with that.
|
So... I must check and try other approach... thanks.
I think I got a pretty much valuable tip to begin coding..
Anyways... thank you and good luck for you too, on your declared redemption thing.
|
I just like big tasks... as I sense that the basic flexibility for those classes needs to be on discussion... And I am ready to begin working on it...
Databases Engines are for help, not to orient the code... As I think that way...
And, for that... I will try to have some flexibility on those classes...
Please give me something...
Thank You!