Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Database may get decrypted after changing couple of bytes in database header w/o 'agreement' from crypt plugin. [CORE5213] #5494

Closed
firebird-issue-importer opened this issue Apr 25, 2016 · 12 comments

Comments

@firebird-issue-importer

Submitted by: @aafemt

For databases distributed in encrypted form it's necessary to avoid any ability to be decrypted by client including one mentioned in this issue.

Commits: 5fbbae6 88748bd

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Modified by: @AlexPeshkoff

reporter: Alexander Peshkov [ alexpeshkoff ] => Dimitry Sibiryakov [ aafemt ]

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Commented by: @aafemt

ALTER DATABASE DECRYPT is better to be disabled completely. It won't help much, just close one of the ways to get decrypted database without modifying engine. Encryption of a database should be a one way ticket.

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Commented by: Ann Harrison (awharrison)

Surely the Alter Database Decrypt requires the encryption key ...

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Commented by: @aafemt

Yes, but in the case of superserver received key in secondary connection is neither checked nor used.

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 25, 2016

Modified by: @aafemt

security: Developers [ 10012 ]

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 28, 2016

Commented by: @AlexPeshkoff

Ann, certainly (like any other operation on encrypted database) it's decryption requires the key. But as I see the problem here is that currently a key can be used by db crypt manager silently for any purpose - decrypt blocks needed for normal DB operation or decrypt hole database block by block. I.e. before decryption of whole database crypt manager should ask crypt plugin - is it OK to decrypt the database?

Disabling ALTER DATABASE DECRYPT is not an option IMHO - someone may need this operation (for example) in order to later encrypt it with new, better one plugin.

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 28, 2016

Commented by: @aafemt

IMHO, decrypting of a database is a task for standalone utility, operating on file level. "Encrypted" flag must stay on header till the end of whole process. Better yet, decryption should go into a new file to preserve original database on error.
Engine must throw error if encounter an encrypted page in unencrypted database, not silently load last known plugin.

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Apr 28, 2016

Commented by: @asfernandes

> Yes, but in the case of superserver received key in secondary connection is neither checked nor used.

Why?

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Jun 10, 2016

Commented by: @AlexPeshkoff

Protected encrypted checksum of valuable fields with hash stored in DB header. Check hash to be valid on database open.
In 3.0 check it only for databases having crypt process active to avoid problems when upgrading minor FB version.

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented Jun 10, 2016

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0.1 [ 10730 ]

Fix Version: 4.0 Alpha 1 [ 10731 ]

@firebird-issue-importer
Copy link
Author

firebird-issue-importer commented May 25, 2017

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: No test => Cannot be tested

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants