Encoding "Table Name" and "Filed Name"


on 17.06.2011 06:42:19 by Vikram A


Hello there,

I request you to give your comments on the following,

1. We have planned to cipher our table name and field name [the necessary data will be ciphered with predefined functions with 'key']
2. These cipher functions will be our own code
3. Using these functions we can manage the applications

We are expecting the following advantages through this,

Unauthorized use either by the

1. DB administrator
2. ex-developer Or
3. Any body

My question is, DO i face any negative project management problems by doing this? Please share your experience on this aspect and commend our idea.

Thank you
Vikram A

Re: Encoding "Table Name" and "Filed Name"

on 17.06.2011 08:20:24 by Johan De Meersman

----- Original Message -----
> From: "Vikram A"
>
> My question is, DO i face any negative project management problems by
> doing this? Please share your experience on this aspect and commend
> our idea.

Seems... a bit pointless, no? If someone has access to the database, they can still see the data. If someone has access to the code, they can still figure out the naming scheme. If, for some reason, you have to do manual lookups (think debugging, custom reporting, ...) you're making your own life hard.

If you don't want people to see your data, manage your accounts. If people leave, delete their accounts. Make sure your code prevents SQL injections (use bind variables and so on). Firewall off your server from everything but the application server. Et cetera ad nauseam.

There's plenty of security recommendations, but I've never heard of anyone encrypting their table and field names. It sounds like something upper management would come up with :-)


--
Bier met grenadyn
Is als mosterd by den wyn
Sy die't drinkt, is eene kwezel
Hy die't drinkt, is ras een ezel

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org
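
Added example (not part of the original thread, and not any poster's code): it illustrates the two points in the reply above, that encoded table and field names do not hide data from an account with database access, and that bind variables keep user input out of the SQL text. SQLite stands in for MySQL so it runs offline; the `encoded()` helper, the key and the sample row are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

KEY = b"constructed-demo-key"  # assumption: stands in for the poster's secret key

def encoded(name: str) -> str:
    """Hypothetical keyed name encoding (HMAC-SHA256, truncated)."""
    return "x_" + hmac.new(KEY, name.encode(), hashlib.sha256).hexdigest()[:12]

def build_db() -> sqlite3.Connection:
    """Create one table whose table and column names are encoded."""
    db = sqlite3.connect(":memory:")
    table, name_col, card_col = encoded("customers"), encoded("name"), encoded("card_no")
    db.execute(f'CREATE TABLE "{table}" ("{name_col}" TEXT, "{card_col}" TEXT)')
    db.execute(f'INSERT INTO "{table}" VALUES (?, ?)', ("Alice", "4111-CONSTRUCTED"))
    return db

def read_without_key(db: sqlite3.Connection) -> dict:
    """What any account with read access gets from the catalog, no key needed."""
    found = {}
    tables = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        cols = [row[1] for row in db.execute(f'PRAGMA table_info("{table}")')]
        found[table] = (cols, db.execute(f'SELECT * FROM "{table}"').fetchall())
    return found

def find_customer(db: sqlite3.Connection, customer: str) -> list:
    """Application lookup: user input goes in as a bind variable, never as SQL text."""
    table, name_col = encoded("customers"), encoded("name")
    sql = f'SELECT * FROM "{table}" WHERE "{name_col}" = ?'
    return db.execute(sql, (customer,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for table, (cols, rows) in read_without_key(db).items():
        print(table, cols, rows)             # values are readable despite opaque names
    print(find_customer(db, "Alice"))        # one row
    print(find_customer(db, "' OR '1'='1"))  # no rows: input is treated as a value
```

The opaque names only cost the maintainers readability; what limits exposure is which accounts can connect and what they are granted.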

Re: Encoding "Table Name" and "Filed Name"

on 17.06.2011 08:53:56 by Vikram A


Sir,

I agree, it's impossible to do manual look ups. But our aim is to avoid the use of DB without code. Also we have ensured, 'secret data is encrypted using some functions with key'.

I shall follow both encode i.e, 1) field and table name, 2) data level? Or only data level is enough by having accounts as you suggested?

Thank you.
Vikram

Re: Encoding "Table Name" and "Filed Name"

on 17.06.2011 09:35:07 by Johan De Meersman


----- Original Message -----
> From: "Vikram A"
>
> I agree, it's impossible to do manual look ups. But our aim is to
> avoid the use of DB without code. Also we have ensured, 'secret
> data is encrypted using some functions with key'.
>
> I shall follow both encode i.e, 1) field and table name, 2) data
> level? Or only data level is enough by having accounts as you
> suggested?

Data level encodes are usually considered good enough, although there's nothing to stop you from encrypting the field names if you feel so inclined. I predict you *will* need to make manual queries sooner or later, though :-p


RE: Encoding "Table Name" and "Filed Name"

on 17.06.2011 16:11:11 by Jerry Schwartz

>-----Original Message-----
>From: Vikram A [mailto:vikkiatbipl@yahoo.in]
>Sent: Friday, June 17, 2011 2:54 AM
>To: Johan De Meersman
>Cc: MY SQL Mailing list
>Subject: Re: Encoding "Table Name" and "Filed Name"
>
>Sir,
>
>I agree, it's impossible to do manual look ups. But our aim is to avoid the
>use of DB without code. Also we have ensured, 'secret data is encrypted using
>some functions with key'.
>
[JS] A lot depends upon your ultimate goal. Do you need to keep anyone from
seeing the data, or do you need to prevent sabotage?

Even if your DB manager can't tell what the "real" table names are, he could
still sabotage your system simply by deleting the entire database.

>I shall follow both encode i.e, 1) field and table name, 2) data level? Or
>only data level is enough by having accounts as you suggested?
>
[JS] Encrypting at the data level will prevent anyone from seeing the real
data values, but even that requires more than just encryption. Ideally, you
would have two people work on the encryption algorithms separately and you
must make sure that they cannot communicate with each other -- ever!

You will need those two people (or companies) forever if you ever want to
change the application.

There are books on this.

You always have to trust somebody, and that somebody is always the weak link.
Somebody must be using the application, and that someone is a bigger risk than
your DB manager.

Regards,

Jerry Schwartz
Global Information Incorporated
195 Farmington Ave.
Farmington, CT 06032

860.674.8796 / FAX: 860.674.8341
E-mail: jerry@gii.co.jp
Web site: www.the-infoshop.com





Re: Encoding "Table Name" and "Filed Name"

on 18.06.2011 09:09:47 by Vikram A


Mr. Jerry/and all,

I am dropping this idea of making schema encryption. As it leads to lots of confusion as Mr. John said. I am following the data level encryption.

Thank you for the comments.

Vikram