Alle 11:17, venerdì 5 marzo 2004, Matt Clark ha scritto:
> Yes, but only if the password has to entered manually [1] at boot time.
> And it gives zero protection against someone who gains root access to the
> server.
This is a problem for italian users because the italian law clearly states
that only the people delegated to perform maintenance on the personal data
can have access to them. SysAdmin are clearly escluded. So, we do have to
protect the data even from the "prying eyes" of our SysAdmin... :-(
> So you _also_ have to encrypt the sensitive data before giving it to the
> DB, using a key that is not stored on the DB server.
Right.
> Of course that means your app servers have to have _those_ passwords/
> keys entered manually at boot time, or else someone who roots them can
> read your sensitive data quite trivially.
Right.
> And to do any better than that you need one of those very snazzy cards
> from nCipher or whoever, that allow you to process encrypted data in a
> hardware sandbox so even your application doesn't see it, or at least
> only allow signed code to manipulate the data.
Actually, we are considering the adoption of USB cryptographic keys for this
task. Having the passwords stored in a USB EPROM should be safer and easier
to use than a set of hard-to-remember/hard-to-crack alphanumeric passwords
(each at least 8 characters long, accordingly with our law).
IMHO, this crypto topic should be seriously taken into account by the
developers of all of the major Open Source Database Engines (PostgreSQL,
MySQL and Firebird). Given that a large part of the data stored into these DB
are somehow "personal" or even "sensitive", the lack of built-in
cryptographic protection could push our beloved GPL RDBMS out of the market.
See you
-----------------------------------------
Alessandro Bottoni and Silvana Di Martino
alessandrobottoni@interfree.it
silvanadimartino@tin.it