Securing a database

Bryan Olson fakeaddress at nowhere.org
Fri Jan 23 06:41:39 EST 2009


kt83313 at gmail.com wrote:
> Anyways, if we can make it real hard for them to analyze also, I think
> we are in the good - esp since the clients are not extremely rich
> enough to go for professional analyzers --

Sounds like you have the "digital rights management" (DRM) problem. As 
Diez pointed out, there is no robust software solution. Nevertheless, 
many clever people have worked each side, so there's now something of a 
body of practice and experience.

> What is the skype method? The code is not huge - less than 20K LOC so,
> code encryption looks somewhat OK - would you be able to direct me to
> any hints on this?

I don't think Skype has much to offer here. They're not focused on 
selling DRM technology; they sell communication services. Third parties 
can write applications on top of those services, which can be protected 
by Skype's DRM. (If I'm wrong on that, someone please correct me.)

Diez noted Skype's use of a layered approach, but there's nothing
special about the notion of layered code encryption in DRM software. 
It's been used multiple times, broken multiple times, and patented 
multiple times.

> One other option that I was thinking of was to automatically generate
> the password for the database - re-encrypt every 1 hr - and store the
> password inside the code itself. Is that possible in Python? i.e.
> changing the code itself.

Possible it is. Effective it is almost certainly not, at least not 
without a whopping bunch of other techniques going vastly beyond that 
description.

Look up DRM technology companies, such as CloakWare, Macrovision, and 
Cryptography Research.

If you have a modest number of customers, hardware solutions and/or 
strict contractual commitments might offer practical solutions.


-- 
--Bryan


