Background Image

BLOG

?

Shortcut

PrevPrev Article

NextNext Article

Larger Font Smaller Font Up Down Go comment Print Attachment

 

Written by Youngjin Hwang on 05/11/2021

 

Nowadays, browsing the internet with PCs or our smartphones has become an essential part of our daily life. As a result, it is possible to peek into the data being transmitted over the Internet with malicious intent. In other words, being able to peek at the data being transmitted by someone is called sniffing.

 

A classic example of a sniffing attack would be intercepting the account’s id and password and causing physical damage by using the personal information of others.

Third Party (1).png

 

To protect our database user data, CUBRID 11.0 has enhanced security by providing packet encryption (and TDE (Transparent Data Encryption) based data encryption, but that will be cover in another blog later). When packet encryption is applied, the packet is encrypted and transmitted for the data to be transmitted, making the data uninterpretable even if someone sniffs it.

 

CUBRID PACKET ENCRYPTION

 

CUBRID uses SSL/TLS protocol to encrypt data transmitted between the client and server. SSL encrypts data sent and received using a symmetric key, in another word, the client and server share the same session key to decrypt.

 

Whenever a client connects to the server, an asymmetric encryption algorithm is used to exchange information required to generate a newly created session key in an encrypted form. For this purpose, the server's public key and private key are required.

 

The public key used by the server is included in the certificate ‘cas_ssl_cert.crt’, and the private key is included in ‘cas_ssl_cert.key’. The certificate and private key are located in the $CUBRID/conf directory. This certificate was created using OpenSSL's command tool and is a ‘self-signed’ certificate.

 

This certificate, ‘self-signed’ certificate, was created with the OpenSSL command tool utility and can be replaced with another certificate issued by a public CA (Certificate Authorities, for example, IdenTrust or DigiCert) if desired. Or existing certificate/private key can be replaced by generating a new one using the OpenSSL command utility.

 

Below is an example of creating a private key and certificate using the OpenSSL command tool.

 

# create 2048 bit size RSA private key
$ openssl genrsa -out my_cert.key 2048
 
# create CSR (Certificate Signing Request)
$ openssl req -new -key my_cert.key -out my_cert.csr
 
# create a certificate valid for 1 year.
$ openssl x509 -req -days 365 -in my_cert.csr -signkey my_cert.key -out my_cert.crt 
cs

And replace my_cert.key and my_cert.crt with $CUBRID/conf/cas_ssl_cert.key and $CUBRID/conf/cas_ssl_cert.crt respectively.

 

(The self-signed certificate example written above is a certificate that is valid for one year and must be renewed every year. If you do not want to renew every year, since the self-signed certificate does not need to be renewed every year if you increase the validity period, you can change the validity period of the self-signed certificate. You can increase it or use it instead of a certificate issued by an accredited certification authority.)

 

CUBRID PACKET ENCRYPTION METHOD

  • Supported drivers:

CUBRID provides various drivers, but the drivers that support packet encryption connections are JDBC and CCI drivers.

 

  • Server setting:

CUBRID can set the encryption mode and non-encryption mode on a per broker basis. The default is the non-encryption mode, and you can set the encryption mode by changing the SSL parameter value of cubrid_broker.conf in the configuration file to ON as shown in the figure below.

 

d4f93c1d44ebe1e58fb70a424ec5a31d.png

 

The client (AP application) can make an encrypted connection using the useSSL property of db-url. Clients can connect to SSL by simply adding the useSSL property as shown in the example below.

 

JDBC driver : "jdbc:cubrid:localhost:33000:demodb:::?charset=utf-8&useSSL=true","UserId",""
CCI driver  : cci:cubrid:localhost:33000:demodb:::?useSSL=true
cs

 

  • CUBRID Manager:

KakaoTalk_20210507_132316654.jpg

 

If the broker is used without setting the useSSL property while operating in encryption mode, the following error will be displayed. This means that the client you are trying to connect to and the broker encryption mode must match (both in encrypted mode or both in non-encrypted mode).

 

The requested SSL mode is not permitted, the CAS server is running in a different mode (check useSSL property).

 

BEFORE/AFTER APPLYING PACKET ENCRYPTION

  • Before: 

The picture below is when packet encryption connection is not applied. If you look at the TCP stream, you can see the query and results used.

9b1e1f8b15af7557e68deb1e122bea53.jpgbdea1082d3f90bcbeed9da948e547259.png

 

  • After: 

The picture below is a screenshot after applying the packet encryption connection. In this case,  displayed query and result values are encrypted and cannot be interpreted.

5af1197dde53b26acd39e38927c75025.png

 

ba1a01af7df16a90c9fcffbec65c8d8e.png

 


  1. CUBRID's Development Culture: The Development Process and Improvements Behind

    Written by Hyung-Gyu, Ryoo on 07/16/2021   Foreword Hello, I am Hyung-Gyu Ryoo, I am working in CUBRID as a research engineer in the R&D department. In this post, I would like to introduce the development process of the open source project CUBRID and the efforts we have made to improve the process.   It has been almost two and a half years since I joined CUBRID.  During this period, as many great fellow developers have joined the CUBRID community, the R&D department of CUBRID has grown from one small team to three developments teams along with a QA team.   After I participated in the first major version release (CUBRID 11), I was able to look back to the release process and improve the development process with my fellow developers.     The Development Process of the Open Source Data...
    Read More
  2. TDE (Transparent Data Encryption) in CUBRID 11

    Written by Jiwon Kim on 07/07/2021 👍Increase the level of database security by utilizing various security features of CUBRID. CUBRID 11 has enhanced security by providing the Transparent Data Encryption (henceforth, TDE) feature. So, what is TDE? TDE means transparently encrypting data from the user’s point of view. This allows users to encrypt data stored on disk with little to no application change. When a hacker hacks into an organization, the number one thing they want to steal is the important data in the database. Alternatively, there may be a situation where an employee with malicious intention inside the company logs into the database and moves all data to a storage media such as a USB.  The easiest way to protect data in these situations is to encrypt the database. TDE, a technolog...
    Read More
  3. Preventing Sniffing by CUBRID- Packet Encryption

      Written by Youngjin Hwang on 05/11/2021   Nowadays, browsing the internet with PCs or our smartphones has become an essential part of our daily life. As a result, it is possible to peek into the data being transmitted over the Internet with malicious intent. In other words, being able to peek at the data being transmitted by someone is called sniffing.   A classic example of a sniffing attack would be intercepting the account’s id and password and causing physical damage by using the personal information of others.   To protect our database user data, CUBRID 11.0 has enhanced security by providing packet encryption (and TDE (Transparent Data Encryption) based data encryption, but that will be cover in another blog later). When packet encryption is applied, the packet is encrypted and tran...
    Read More
  4. Contributing to Open Source Community/Project

      Written by Charis Chau on 06/23/2020      What is an open source project? To answer this, let us start with a burger! Imagine an open source project is a burger selling in a restaurant. Every day, the chef makes thousands of burgers that have the same quality by following the same recipe from the restaurant. One day, customer A comes to the burger place to try the burger, and he/she loves it! Therefore, customer A decides to ask the chef whether he/she can get the recipe. Here, if the restaurant is open source, they will be happy to share the recipe to customer A, vice versa.     After customer A gets the receipt, he/she decide to make the burger at home by him/herself! However, customer A is a meat lover and does not like onion that much, so he/she decide to change the recipe by taking o...
    Read More
  5. CUBRID License Model

    Written by Charis Chau on 06/08/2020   Why Licenses Matter?   Open source licenses allow software to be freely used, modified, and shared. Choosing a DBMS with suitable licenses could save the development cost of your application or the Total Cost of Ownership (TCO) for your company. Choosing a DBMS without a proper license, you might find yourself situate in a legal grey area!     CUBRID Licenses   Unlike other open source DBMS vendors, CUBRID is solely under open source license instead of having a dual license in both commercial license and open source license. Which means that for you, it is not mandatory to purchase a license or annual subscription; company/organizational users can achieve the saving from Total Cost of Ownership (TCO).   Since CUBRID has been open source DBMS from 2008,...
    Read More
Board Pagination Prev 1 2 3 4 Next
/ 4

Join the CUBRID Project on