Securing a database

Bryan Olson fakeaddress at nowhere.org
Fri Jan 23 12:41:39 CET 2009


kt83313 at gmail.com wrote:
> Anyways, if we can make it real hard for them to analyze also, I think
> we are in the good - esp since the clients are not extremely rich
> enough to go for professional analyzers --

Sounds like you have the "digital rights management" (DRM) problem. As 
Diez pointed out, there is no robust software solution. Nevertheless, 
many clever people have worked each side, so there's now something of a 
body of practice and experience.

> What is the skype method? The code is not huge - less than 20K LOC so,
> code encryption looks somewhat OK - would you be able to direct me to
> any hints on this?

I don't think Skype has much to offer here. They're not focused on 
selling DRM technology; they sell communication services. Third parties 
can write applications on top of those services, which can be protected 
by Skype's DRM. (If I'm wrong on that, someone please correct me.)

Diez's noted Skype's use of a layered approach, but there's nothing 
special about the notion of layered code encryption in DRM software. 
It's been used multiple times, broken multiple times, and patented 
multiple times.

> One another option that I was thinking was to automatically generate
> the password for the database - re-encrypt every 1 hr - and store the
> password inside the code itself. Is that possible in Python? i.e.
> changing the code itself.

Possible it is. Effective it is almost certainly not, at least not 
without a whopping bunch of other techniques going vastly beyond that 
description.

Look up DRM technology companies, such as CloakWare, Macrovision, and 
Cryptography Research.

If you have a modest number of customers, hardware solutions and/or 
strict contractual commitments might offer practical solutions.


-- 
--Bryan



More information about the Python-list mailing list