Written by Youngjin Hwang on 05/11/2021

 

Browsing the Internet from a PC or a smartphone is now part of daily life, and the data we send over it can be captured by anyone with access to the network path who wants to read it. Capturing and reading someone else's network traffic while it is in transit is called sniffing.

 

A classic example of a sniffing attack is intercepting an account's ID and password from unencrypted traffic and then using the stolen credentials, or the personal information behind them, to cause real damage.


 

To protect our users' database data in transit, CUBRID 11.0 adds packet encryption (it also adds TDE, Transparent Data Encryption, for data at rest, which will be covered in a later post). With packet encryption enabled, every packet exchanged between client and server is encrypted before it is sent, so the data cannot be interpreted even if someone sniffs it.

 

CUBRID PACKET ENCRYPTION

 

CUBRID uses the SSL/TLS protocol to encrypt the data transmitted between the client and the server. The application data itself is encrypted with a symmetric cipher: the client and the server share the same session key, and each side uses it to decrypt what the other sends.

 

Whenever a client connects, the TLS handshake uses public-key (asymmetric) cryptography to agree on a freshly generated session key without ever sending that key in the clear. For this the server needs a key pair: a public key, which it presents in its certificate, and the matching private key, which must never leave the server.

 

The server's public key is contained in the certificate 'cas_ssl_cert.crt', and the private key in 'cas_ssl_cert.key'. Both files live in the $CUBRID/conf directory. The certificate that comes with the installation was created with the OpenSSL command-line tool and is a self-signed certificate, meaning it is signed with its own private key rather than by a CA.

Because a key pair that comes with the installation is available to everyone who has the same installation, you should replace the default pair before a broker serves anything you care about. You can replace it with a certificate issued by a public CA (Certificate Authority, for example IdenTrust or DigiCert), or generate a fresh private key and self-signed certificate of your own with the OpenSSL command-line tool.

 

Below is an example of creating a private key and a self-signed certificate with the OpenSSL command-line tool.

 

# create a 2048-bit RSA private key (written unencrypted, as genrsa does unless a cipher option such as -aes256 is given)
$ openssl genrsa -out my_cert.key 2048

# create a CSR (Certificate Signing Request); OpenSSL prompts for the subject fields (country, organization, CN, ...)
$ openssl req -new -key my_cert.key -out my_cert.csr

# self-sign the CSR with the same private key to produce a certificate valid for 1 year (365 days)
$ openssl x509 -req -days 365 -in my_cert.csr -signkey my_cert.key -out my_cert.crt

Then copy my_cert.key over $CUBRID/conf/cas_ssl_cert.key and my_cert.crt over $CUBRID/conf/cas_ssl_cert.crt, since those are the file names the broker reads. Keep the private key readable only by the account the broker runs as.

 

(The self-signed certificate created above is valid for one year and must be replaced before it expires. If you do not want to renew it every year, pass a larger value to -days when you create it: a self-signed certificate is not tied to any CA's renewal policy, so its validity period is entirely up to you. Alternatively, use a certificate issued by an accredited certification authority. Keep in mind that a self-signed certificate stops a passive sniffer from reading the traffic, but it gives the client no CA against which to check the server's identity; whether a substituted certificate would be noticed depends on how the client verifies the server, which this post does not cover.)

 

CUBRID PACKET ENCRYPTION METHOD

  • Supported drivers:

CUBRID ships several drivers, but the ones that support packet-encrypted connections are the JDBC and CCI drivers.

 

  • Server setting:

CUBRID lets you choose encryption mode or non-encryption mode per broker. The default is non-encryption mode; to turn encryption on for a broker, set the SSL parameter in that broker's section of cubrid_broker.conf to ON (SSL=ON).

 


 

The client application makes an encrypted connection through the useSSL property of the DB URL. Adding useSSL=true to the URL, as in the examples below, is all that is needed on the client side.

 

JDBC driver : "jdbc:cubrid:localhost:33000:demodb:::?charset=utf-8&useSSL=true", "UserId", ""   (the URL, user and password arguments to DriverManager.getConnection)
CCI driver  : cci:cubrid:localhost:33000:demodb:::?useSSL=true

 

  • CUBRID Manager:

(screenshot of the CUBRID Manager connection settings, not reproduced here)

 

If a client connects without the useSSL property to a broker running in encryption mode, the connection is rejected with the error below. The client's and the broker's encryption modes must match: both encrypted or both unencrypted.

 

The requested SSL mode is not permitted, the CAS server is running in a different mode (check useSSL property).
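As an added example (not part of the original post and not CUBRID's own tooling), the shell script below puts the certificate steps above and the broker setting together: it generates the key pair non-interactively, checks that the key and certificate belong together and when the certificate expires, installs them under the $CUBRID/conf file names from this post, and, once SSL=ON is set, confirms that the broker at the host and port from the connection URL is presenting that exact certificate by comparing SHA-256 fingerprints. The function names, the gen/install/check sub-commands and the default CN are this example's own; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not CUBRID's own script. Assumes the openssl CLI and the
# $CUBRID/conf/cas_ssl_cert.{key,crt} paths from the post; function names,
# sub-commands and the default CN "cubrid-broker" are this example's own.

# Create my_cert.key and my_cert.crt in $1, valid for $2 days, with CN=$3.
# -subj supplies the subject so the CSR step does not prompt; the key is
# written unencrypted, as genrsa does unless a cipher option is given.
make_self_signed() {
    dir=$1; days=$2; cn=$3
    openssl genrsa -out "$dir/my_cert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my_cert.key" -subj "/CN=$cn" -out "$dir/my_cert.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/my_cert.csr" \
        -signkey "$dir/my_cert.key" -out "$dir/my_cert.crt" 2>/dev/null
}

# Return 0 if the public key inside certificate $2 matches private key $1.
# Both commands emit the public key as PEM SubjectPublicKeyInfo, so the
# digests are equal only when the two files belong to the same pair.
keys_match() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if certificate $1 is still valid $2 seconds from now
# (-checkend exits 0 when the certificate does NOT expire inside the window).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the certificate a live TLS endpoint presents; for a CUBRID
# broker use the host and port from the connection URL (33000 in the post).
broker_fingerprint() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare what broker $1:$2 presents with certificate file $3. A mismatch
# means SSL is still off, the files were not replaced, or something in the
# path terminates TLS with a different certificate.
check_broker() {
    want=$(cert_fingerprint "$3")
    got=$(broker_fingerprint "$1" "$2")
    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: $1:$2 presents $want"
    else
        echo "MISMATCH: expected $want, got ${got:-<no TLS certificate>}" >&2
        return 1
    fi
}

# Install a checked pair (key $1, certificate $2) under the names the broker reads.
install_pair() {
    conf=${CUBRID:?CUBRID is not set}/conf
    keys_match "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    cp "$2" "$conf/cas_ssl_cert.crt"
    cp "$1" "$conf/cas_ssl_cert.key"
    chmod 600 "$conf/cas_ssl_cert.key"   # only the broker's account should read the key
}

# Usage:  sh cubrid_tls.sh gen <dir> [days] [cn]
#         sh cubrid_tls.sh install <dir>
#         sh cubrid_tls.sh check <host> <port>   (compares against $CUBRID/conf/cas_ssl_cert.crt)
case "${1:-}" in
    gen)     make_self_signed "$2" "${3:-365}" "${4:-cubrid-broker}" &&
             keys_match "$2/my_cert.key" "$2/my_cert.crt" &&
             echo "fingerprint: $(cert_fingerprint "$2/my_cert.crt")" ;;
    install) install_pair "$2/my_cert.key" "$2/my_cert.crt" ;;
    check)   check_broker "$2" "$3" "${CUBRID:?CUBRID is not set}/conf/cas_ssl_cert.crt" ;;
esac
```

Record the fingerprint printed by gen somewhere outside the server; check then tells you not only that the broker answers TLS on the URL's port after SSL=ON, but that it is your certificate and not the default pair or a certificate injected by something in between. The same fingerprint is what you would pin on the client side if your driver configuration allows it.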

 

BEFORE/AFTER APPLYING PACKET ENCRYPTION

  • Before: 

The picture below shows a connection without packet encryption. Following the TCP stream in the capture, the query text and the result rows are readable in clear.

(screenshot: TCP stream of an unencrypted connection showing the query and its results, not reproduced here)

  • After: 

The picture below is a capture taken after enabling packet encryption. The same query and its results are now encrypted and cannot be interpreted from the capture.

(screenshot: TCP stream of the encrypted connection, not reproduced here)

 
