HINTS
for using FileMaker™ Pro with BlowFish and Security
Hints in General
Most breaches of security are NOT the result of using a weak encryption algorithm! Most security failures are the result of not using secure practices! The following are some basic secure practices that should be used when designing, creating, coding and using secure databases and/or software applications. These hints can be used when working with FileMaker Pro and the BlowFish plug-in, or any other database and encryption system.
1. NEVER use ONE password or KEY to encrypt an entire database or its records! One of the EASIEST "cracks" in encryption is to find two fields or text strings that were encrypted with the same KEY! "CRACKING 101" includes the practice of exclusive-ORing them together to eliminate the common encryption! After that...it's easy to throw a dictionary or "most commonly occurring letters" at the result to guess the original text!
If you're encrypting records in a database, use as part of the "encryption key" a field (or fields) unique to each record! Like a record number...or serial number.
Apply a complex mathematical formula to the unique field, convert the result to text and add it to your encryption key for that record. That way NO TWO RECORDS will have the same encryption key! (VERY important!!!)
2. When designing a database or any secure software NEVER name any FIELD, RECORD, VARIABLE or PARAMETER "Password" or "Key" or "ID" or use ANY of those names in defining code, data or comments! Use non-descriptive names like "U472" or "F3" or ANYTHING but a security term or any word that would occur in a dictionary that is in any way related to security! (This is ONE time NOT to clearly document your code or database!)
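Hint 1 in code, as an added example that is not part of the original page or the BlowFish plug-in: a toy XOR stream cipher (HMAC-SHA256 in counter mode, standing in for the real cipher) shows that two fields encrypted under one shared key XOR down to the XOR of their plaintexts, while per-record keys do not. The master secret, record numbers, sample records and the choice of HMAC as the "formula" applied to the record number are all assumptions.

```python
import hashlib
import hmac

# Constructed sample secret for the demo (assumption, not a real key).
MASTER = b"constructed-master-secret-for-demo"

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode (demo stand-in, not Blowfish)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream; the same call decrypts."""
    return xor(plaintext, keystream(key, len(plaintext)))

def record_key(master: bytes, record_no: int) -> bytes:
    """Per-record key: the record number run through HMAC under the master secret."""
    return hmac.new(master, b"record:%d" % record_no, hashlib.sha256).digest()

def demo():
    # Constructed sample records of equal length.
    p1 = b"ACCT 4471 balance 1200.00"
    p2 = b"ACCT 9020 balance 0088.15"
    # One shared key: the keystream cancels and only plaintext XOR plaintext is left.
    shared = xor(encrypt(MASTER, p1), encrypt(MASTER, p2))
    # Per-record keys: the two keystreams differ, so nothing cancels.
    per_record = xor(encrypt(record_key(MASTER, 1), p1),
                     encrypt(record_key(MASTER, 2), p2))
    return shared == xor(p1, p2), per_record == xor(p1, p2)

if __name__ == "__main__":
    leaks_shared, leaks_per_record = demo()
    print("shared key leaks plaintext XOR:", leaks_shared)
    print("per-record keys leak plaintext XOR:", leaks_per_record)
```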
3. NEVER store a complete "KEY" in any variable or field! Break up your keys into numerous storage locations. Use "partial" pieces of long strings with functions like "LEFT" (which takes a number of characters from the left side of a text string), "MID" (which extracts a string of characters from the middle of a string of text) and "RIGHT" (which extracts a certain number of characters from the right hand end of a string).
Use these functions to select "sub strings" from several sources and combine them in odd ways to create your keys. ALSO...add in some mathematical calculations that are converted to text! These are VERY difficult to spot and figure out in "code dumps"!
Another great way to hide your keys is to use portions of text strings that are already part of the software or database like "Dialog Box Text" or user interface text field prompts. Use the above substring functions to add portions of these text strings to your keys. That way anyone who "dissects" your code or database with a "hex editor" won't see obvious strings of text that could be your KEY(s)!
4. NEVER use keys or passwords shorter than 12 characters! The LONGER the BETTER! If your data is REALLY sensitive, use the FULL 56 Unicode character key length in BlowFish!!!! REQUIRE all keys and passwords to contain characters from at least THREE of the four following groups:
- LOWER case characters
- UPPER case characters
- NUMBERS
- PUNCTUATION and SYMBOLS (!@#$%?<>, etc.)

Maintain a company wide policy of NEVER allowing PASSWORDS or KEYS to be WRITTEN DOWN on ANYTHING for ANY REASON!
5. After EVERY use of a key in your database or software IMMEDIATELY set the ENCRYPTION or DECRYPTION key to something useless! That will prevent the "HALT THE CODE" type of attacks which can leave your key in the encryption algorithm!
6. At the END of running your software or database, and BEFORE exiting...OVERWRITE any display fields or variables that were used for keys, passwords or decrypted text with LONG strings of random text to hide any lingering data on disks or in computer memory! THEN exit your program! (And ONLY then!)

General Security Guidelines for REALLY Sensitive Data
7. Security for CRITICALLY sensitive information MUST include the THREE basic components of STRONG security systems:
- Someone You ARE
- Something You HAVE
- Something You KNOW
1. Someone You ARE - Physical Security - First...you must be someone who is allowed access to the system! All computers, servers and networks MUST be located in physically secure rooms or buildings! They must be located behind locked, secure doors that typically require magnetic-striped (or electronic chip-carrying "smart") ID cards that are limited to only those personnel that MUST have access to the secure data/systems. (AND...don't forget that many of today's office buildings have ceilings that are merely "fiber board" panels that hang overhead in a grid! These can easily be lifted out to allow a person to climb OVER office walls and partitions!) And NEVER put a book, box or something in the computer center DOOR to keep the door lock from closing because you are just running out to get lunch, coffee, a quick candy bar, whatever...and will "be right back". That's an INFAMOUS way for visitors who just happen to be standing around in the hall to gain quick access!
2. Something You HAVE - Physical Keys or ID Cards - Security must require a PHYSICAL "key", ID card or "USB dongle" or a "One Time" key generator "FOB" that must be provided to access the system. These can again be "smart-cards" with electronic chips, "fingerprint readers" hooked to the secure access point, "key-generation fobs" etc. Any attempt to access secure data should REQUIRE the insertion/use of this physical ID "key" that only permitted personnel are allowed to possess!
3. Something You KNOW - KNOWLEDGE of a PASSWORD or KEY - In addition to gaining physical access and requiring the person requesting secure data to have in his/her possession an ID "key" card or fingerprint, the person requesting access MUST have personal knowledge of a "password" or additional "key" phrase to enter into the access point computer. The combination of this "Software Key" AND the PHYSICAL ID (USB Drive, key card or fingerprint) must ALL be used in combination for calculating the encryption/decryption key for access to be granted and the data decrypted!
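One way to calculate the key from both factors, as an added example that is not part of the original page or the BlowFish plug-in: the passphrase is stretched with PBKDF2 and then mixed with a secret read from the physical token, so neither factor alone yields the key. The function names, salt, token secret, iteration count and the short key-check value are assumptions.

```python
import hashlib
import hmac

# Constructed sample values for the demo (assumptions, not real secrets).
SALT = b"per-database-salt-0001"
TOKEN_SECRET = b"secret-read-from-usb-token-0001"
PASSPHRASE = "Blue-Harbor-47-tide!"

def access_key(passphrase: str, token_secret: bytes, salt: bytes) -> bytes:
    """Derive the data key from something you KNOW plus something you HAVE."""
    if len(token_secret) < 16:
        raise ValueError("token secret too short to count as a second factor")
    # Slow, salted stretch of the passphrase (the KNOW factor).
    stretched = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                    salt, 200_000)
    # Mix in the secret held on the card or USB token (the HAVE factor).
    # The 32-byte result fits within Blowfish's 56-byte key limit.
    return hmac.new(token_secret, stretched, hashlib.sha256).digest()

def key_check(key: bytes) -> bytes:
    """Short check value stored with the data; it is not the key itself."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]

def unlock(passphrase: str, token_secret: bytes, salt: bytes,
           expected_check: bytes):
    """Return the key only when BOTH factors reproduce the stored check value."""
    key = access_key(passphrase, token_secret, salt)
    if hmac.compare_digest(key_check(key), expected_check):
        return key
    return None

if __name__ == "__main__":
    stored = key_check(access_key(PASSPHRASE, TOKEN_SECRET, SALT))
    print("both factors:", unlock(PASSPHRASE, TOKEN_SECRET, SALT, stored) is not None)
    print("wrong token: ", unlock(PASSPHRASE, b"some-other-token-secret", SALT, stored) is not None)
```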
...and finally...VERY IMPORTANT POINTS TO REMEMBER:
No security is "UNCRACKABLE"!!!
ANYTHING that can be "DONE"...can be "UNDONE"! (Or..."gotten around"!)

The MOST important thing to remember in security...is to make it so difficult and time consuming to decode your data...that it's just not WORTH it for anyone to try! Make sure the data decoded is not worth the effort it takes to DECIPHER it! The more valuable the data...the more TIME and EFFORT it must take to decode it or to defeat your security!
And make SURE...if someone gets ONE password or key...that the SAME password won't unlock the REST of your DATA!!!!!!
DON'T USE THE SAME KEY TWICE!!!!!!