Ask the Expert

Encryption and database security

In my application, I have an MS Access MDB file which stores all the user data.

Presently, I am using SHA-256 to store passwords in the table and further protecting the MDB file itself with an MD5 hash to check the integrity of the file. This MD5 hash value is checked each time the application starts.

I have three questions:

(1) What is better, storing hashed or encrypted values in the database?

(2) When my application starts, a decrypted or encrypted password is stored in public variables, depending upon the situation. To secure the data, I immediately change the value of these variables to "" as soon as the job of these variables is over. Is this the way the hashed or encrypted values are destroyed in memory?

(3) Please suggest some good links discussing security of databases.



In response to your first question, it depends on what problem you are trying to solve.

Hashes are fancy checksums. They are hard to fake, by accident or on purpose. However, if you are worried about someone unauthorized modifying the database, they could in theory change the data and the hash. You need to examine how hard that would be. If you stored the data and hashes in a distributed fashion, it might be harder for someone to change the database undetectably.

Hashes of that sort work best in a situation like a library of hashes of important files -- like the system files of your Windows system -- so you could check them by some process.

If instead, you want to stop unauthorized reading of the database, then encryption is the only answer.

The answer to your second question is typically, yes, the buffer containing the passphrases or keys or other sensitive data gets cleared as soon as it is used.

I don't know what language you're programming in, but it sounds like it's something like a scripting language. In such a case, you need to be sure that when you put "" into the variable that the variable is actually cleared, not merely deallocated. I'll bet you it's not.

And finally, here are a few resources on database security:


For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: Top 10 database security headaches
Best Web Links: Database security
Infosec Know IT All Daily Trivia: Database security
Featured Topic: Database security
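The point about an attacker changing both the data and the hash, shown as an added example that is not part of the original column or the reader's application. It models the MDB file as an in-memory byte string (constructed sample data) and contrasts the unkeyed MD5 check the question describes with an HMAC whose key is held outside the file; the data, field names and helper functions are all assumptions made for the illustration:

```python
"""Added example: an unkeyed hash stored next to a file only detects accidental
corruption, because whoever can rewrite the file can recompute the hash.  A
keyed MAC (HMAC) with the key kept outside the file is what detects deliberate
modification.  Sample "database" contents below are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the MDB file contents (not a real Access file).
ORIGINAL_DB = b"user=alice;role=user;pwhash=9f86d081884c7d659a2feaa0c55ad015"


def unkeyed_digest(data: bytes) -> str:
    # Mirrors the check in the question: a plain MD5 over the whole file.
    # MD5 is used only because the question uses it; the weakness shown here
    # has nothing to do with MD5 itself and applies to SHA-256 just the same.
    return hashlib.md5(data).hexdigest()


def keyed_tag(key: bytes, data: bytes) -> str:
    # HMAC-SHA256 over the file; cannot be recomputed without `key`.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_unkeyed(data: bytes, stored_digest: str) -> bool:
    return hmac.compare_digest(unkeyed_digest(data), stored_digest)


def verify_keyed(key: bytes, data: bytes, stored_tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), stored_tag)


def attacker_rewrites_file(data: bytes) -> bytes:
    # Someone with write access to the MDB edits a record (constructed change).
    return data.replace(b"role=user", b"role=admin")


def demo_results() -> dict:
    """Run both schemes against the same tampering and report what each detects."""
    results = {}

    # Scheme 1: unkeyed hash stored beside the file (the question's setup).
    stored_md5 = unkeyed_digest(ORIGINAL_DB)
    results["original_unkeyed_ok"] = verify_unkeyed(ORIGINAL_DB, stored_md5)
    tampered = attacker_rewrites_file(ORIGINAL_DB)
    # The attacker simply recomputes and stores a fresh hash as well.
    refreshed_md5 = unkeyed_digest(tampered)
    results["tampered_unkeyed_accepted"] = verify_unkeyed(tampered, refreshed_md5)

    # Scheme 2: HMAC with a key the attacker does not have (e.g. held by the
    # application, not inside the MDB).  Key generated here for the demo.
    key = secrets.token_bytes(32)
    stored_tag = keyed_tag(key, ORIGINAL_DB)
    results["original_keyed_ok"] = verify_keyed(key, ORIGINAL_DB, stored_tag)
    # Without the key the attacker can only leave the old tag in place (or
    # guess); either way verification fails.
    results["tampered_keyed_accepted"] = verify_keyed(key, tampered, stored_tag)

    return results


if __name__ == "__main__":
    for name, ok in demo_results().items():
        print(f"{name}: {ok}")
```

The HMAC only helps if the key really is out of the attacker's reach: a key embedded next to the MDB, or hard-coded in a client binary the same user can read, gives back the original problem. Where the database must be readable by the same user who might tamper with it, the answer's suggestion of keeping hashes somewhere the user cannot write (a separate store, or a signature checked by another process) is the practical version of this.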
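The second point, that assigning "" to a variable rebinds it rather than clearing the memory, shown as an added example in Python (the reader's language is not stated; this is not code from the original column). It demonstrates that a rebound string leaves every other reference to the old value intact, and that a mutable buffer overwritten in place is the only thing that can actually be wiped; the variable names and sample password are constructed for the illustration:

```python
"""Added example: `secret = ""` does not erase a secret.  In Python (and most
managed or scripting languages) strings are immutable, so the assignment just
points the name at a new empty object; the old bytes stay wherever they were
until the garbage collector gets to them, and even then they are not zeroed.
A mutable buffer can be overwritten in place so that every reference sees zeros.
"""


def rebind_leaves_copy() -> str:
    """Rebinding the name to "" leaves other references to the secret untouched."""
    password = "hunter2"          # constructed sample secret
    alias = password              # any other reference: a list, a log buffer,
                                  # a function argument, a closure ...
    password = ""                 # what the question does: rebind, not wipe
    return alias                  # still "hunter2"


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place so all references see zeros."""
    buf[:] = bytes(len(buf))      # same object, contents replaced with NULs


def wipe_in_place_demo() -> bool:
    """Hold the secret in a bytearray and wipe it; the alias sees the wipe too."""
    password = bytearray(b"hunter2")
    alias = password
    wipe(password)
    return bytes(alias) == b"\x00" * 7


def leaked_copy_survives_wipe() -> bytes:
    """Caveat: any str/bytes copy made from the buffer before the wipe cannot be
    wiped, because those objects are immutable.  Avoid ever converting."""
    password = bytearray(b"hunter2")
    copy = bytes(password)        # e.g. passed to an API that wants bytes
    wipe(password)
    return copy                   # still b"hunter2"


if __name__ == "__main__":
    print("after rebinding, alias holds:", rebind_leaves_copy())
    print("bytearray wiped in place:", wipe_in_place_demo())
    print("immutable copy after wipe:", leaked_copy_survives_wipe())
```

Keep the secret in one mutable buffer from the moment it is read until it is wiped, and pass the buffer (or a memoryview of it) rather than converting it. Even then the interpreter, the runtime's allocator and the OS (swap, core dumps) can hold further copies, so in-place wiping shortens the window rather than guaranteeing the value is gone.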


This was first published in February 2003
