Encrypting only specific tables / fields of an SQLite database - java

Is it possible?
I read about SQLCipher, but it seems to encrypt the whole database.
Is there a way to configure it to encrypt only specific parts of it?
A table or a field will do just fine.

In the end I didn't need to use SQLite or any other techniques for encryption, because I found out I don't have to store the app client's secret at all, just the ID which is public.

You could use expand the DBHelper and run certain queries through a simple encryption util like the one noted in this answer.
Or rip out the CrypoHelper from android-passwordsafe written by Steven Osborn.

Related

Best Practice on Parse Server Security

I am actually trying to write a small App where I intend to store the Names and Surnames of users in a Parse Server data base. I would need , for a define user , to read and get the Name and Surname of other users at some point.
I have read that anyone can decompile my APK and extract the App id and the Master Key . For me these values are stored in strings.xml , but I can't understand how I can store them elsewhere , as they are needed to connect to the server.
Is there a way to protect the decompiling in order to preserve the MasterKey? Or should I enforce ACL for those columns (Name and Surname added in the User class) and like read the Name and Surname of other users using Cloud Coud when I need it?
What would be the best practice to do that please?
DO NOT USE MASTER KEY IN A CLIENT APP
If your master key is compromised then your whole parse instance will be compromised. Instead, use class and object ACL to protect your data. If you need special queries that require master key, do it in server-side or cloud code.
Read this doc carefully: https://docs.parseplatform.org/android/guide/#security
There are some universal solution for "protect things inside APK".
Google APK reinforcement.

How to Convert SQL table into Redis Data

Hi I am new to redis and want some help over here. I am using java and sql server 2008 and redis server. To interact with redis I am using jedis api for java. I know that redis is used to store key value based things. Every key has values.
Problem Background:
I have a table names "user" which stores data like id, name, email, age, country. This is schema of sql table. Now this table have some rows(means some data as well). Now here my primary key is id and its just for DB use Its of no use for me in application.
Now in sql I can insert new row, can update a row, can search for any user, can delete a user.
I want to store this tables data into redis. Then I want to perform similar operations on redis as well, like search, insert, delete. But if I have a good design on "Storing this info in DB and Redis" then these operations will be carried out simply. Remember I can have multiple tables as well. So should store data in redis on basis of table.
My Problem
Any design or info you can advise me that how I can convert DB data to Redis and perform all operations. I am asking this because I know Facebook is also using redis to store data. Then how they are storing data.
Any help would be very appreciative.
This is a very hard question to answer as there are multiple ways you could do.
The best way in my opinion would be use hashes. This is basically a nested a nested key-value type. So your key would match to the hash so you can store username, password, etc.
One problem is indexing, you would need to have an ID stored in the key. For example each user would have to have a key like: USER:21414
The second thing unless you want to look at commands like KEYS or SCAN you are going to have to maintain your own list of users to iterate, only if you need to do that. For this you will need to look at lists or sorted sets.
To be honest there is no true answer to this question, SQL style data does not map to key-value's in any real way. You usually have to do a lot more work yourself.
I would suggest reading as much as you can and would start here http://redis.io/commands and here http://redis.io/documentation.
I have no experience using Jedis so I can't help on that side. If you want an example I have an open-source social networking site which uses Redis as it's sole data store. You can take a look at the code to get some ideas https://github.com/pjuu/pjuu/blob/master/pjuu/auth/backend.py. It uses Python but Redis is such an easy thing to use everywhere there will not be that much to difference.
Edit: My site above no longer solely uses Redis. An older branch will need to be checked such as 0.4 or 0.3 :)

Web-App using Hibernate that queries a SQL Server 2005 encrypted column

we are devolping a web-application using Spring 3.1.2 and Hibernate 4.1.7 with a database SQL Server 2005.
On a table we've got a column encrypted and we need to perform some queries like, for example, this one:
OPEN SYMMETRIC KEY PasswordFieldSymmetricKey
DECRYPTION BY PASSWORD = 'myPassword'
SELECT id,
plain,
cipher,
CONVERT(varchar(50),
DecryptByKey(cipher)) AS 'Decrypted'
FROM TS_OWN.cryptest;
GO
CLOSE SYMMETRIC KEY PasswordFieldSymmetricKey
As a solution, someone proposed to create a view that manages the decryption but we need that no one must see the decrypted data, and of course DBA for example could query that view.
At the same time we don't want to perform the decryption on java side, due to some heavy aggregation logic that is expected to be performed by database engine due to performance reasons.
A possible solution is to create a view that performs decryption, aggregations and then encrypts the result one more time, performing decryption of the aggregated values on Java side.
Does someone know alternatives?
Thank you all,
Luca
From a server-side perspective, the most transperent solution is to use Jasypt. This library comes with several Hibernate UserTypes for encrypting text/password fields.
As mentioned in the reference documentation, there are limitations:
But encryption sets a limitation on your Hibernate usage: security
standards establish that two different encryption operations on the
same data should not return the same value (due to the use of a random
salt). Because of this, none of the fields that are set to be
encrypted when persisted can be a part of a WHERE clause in your
search queries for the entity they belong to.
While your HQL/SQL queries will hide the decrypting complexity, you won't get the same performance as with a specific database decryption function.
Using database decryption functions performs better, but then all your queries will be embedded in views and that's going to change dramatically the way you use Hibernate.
You could map entities to views instead, but you'll have to pay attention to DML statements (some DBs offer updatable views, others give you materialized views or you might use INSTEAD OF triggers).
One possible solution for OPEN/CLOSE SYMETRIC is to use your own #Decrypt annotation and add an aspect to insert those right after the transaction starts and right before it ends. This will work because the sql session/connection is bound to the current transaction/thread.

performance improvement of queries against encrypted table without changing the application code

I have tagged this problem with both Oracle and Java because both Oracle and Java solutions would be accepted for this problem.
I am new to Oracle security and have been presented with the below problem to solve. I have done some research on the internet but I have had no luck so far. At first, I thought Oracle TDE might be helpful for my problem but here: Can Oracle TDE protect data from the DBA? it seems TDE doesn't protect data against DBA and this is an issue which is not to be tolerated.
Here is the problem:
I have a table containing millions of records. I have a Java application which queries this table using equality or range criteria against a column in the table which is the primary key column of the table. The primary key column contains sensitive data and thus has been encrypted already. As the result, querying data using normal (i.e. decrypted) values from the application cannot use the primary key's unique index access path. I need to improve the queries' performance without any changes on the application code (application config can be modified if necessary but not the code). It would be OK to do any changes that are necessary on the database side as long as that column remains encrypted.
Oracle people please: What solution(s) do you suggest to this problem? How can I create an index on decrypted column values and somehow force Oracle to utilize this index? How can I use partitioning such as hash-partitioning? How about views? Any, Any solution?
Java people please: I myself have this very vague idea which is to create a separate application in between (i.e between the database and the application) which acts as a proxy that receives the queries from the application and replaces the decrypted values with encrypted values and sends it for the database, it then receives the response and return the results back to the application. The proxy should behave like a database so that it should be possible for the application to connect to it by changing the connection string in the configuration file only. Would this work? How?
Thanks for all your help in advance!
which queries this table using equality or range criteria against a column in the table which is the primary key column of the table
To find a specific value it's simple enough - you can store the data encrypted any way you like - even as a hash and still retrieve a specific value using an index. But as per my comment elsewhere, you can't do range queries without either:
decrypting each and every row in the table
or
using an algorithm that can be cracked in a few seconds.
Using a linked list (or a related table) to define order instead of an algorithm with intrinsic ordering would force a brute force check on a much larger set of values - but it's nowhere near as secure as a properly encrypted value.
It doesn't matter if you use Oracle, Java or pencil and paper. Might be possible using quantum computing - but if you can't afford to ensure the security of your application / pay for good advice from an expert cryptographer, then you certainly won't be able to afford that.
How can I create an index on decrypted column values and somehow force Oracle to utilize this index?
Maybe you could create a function based index in which you index the decrypted value.
create index ix1 on tablename (decryptfunction(pk1));

Secure database storage in Android

I'm implementing the in-app-billing system for my app and (as the documentation advices) I'd like to add some encryption system to the database.
I've tested SQLCipher, I liked it but since it need to override all the classes at android.database.sqlite.* your app loses the connection to that part of the SDK, losing possible important future updates and depending on the developer (or yourself since is opensource).
Other solution I've considered is to add a extra column in the sensible tables storing there a value (unique for each device), and then ignore the data that don't contain that key. But this method is clearly more weak.
How can I improve the security without using SQLCipher? Thanks
If your sensible table contains columns that are sensible and some that aren't, and if you don't use the sensible columns in a where clause, the you can easly encrypt/decrypt just that sensible fields on write/read operations without a significant performance cost.
If you need to use sensible columns in your where clause in a table with just a few records, you can read all the records, decrypt and choose.
If none of the above aplies, then I have no other suggestion beside SQLCipher.

Categories

Resources