Firebird Documentation Index → Firebird 3.0.6 Release Notes → Security → "Over the wire" Connection Encryption
CORE-672 ...
All network traffic in Firebird 3 may be optionally encrypted. As with authentication, plug-ins are used for encrypting and decrypting network traffic. The default plug-in is arc4 (Alleged RC4). It is eminently possible to write your own wire crypt plug-in to encrypt data travelling over the wire. Whatever plug-in you use, the Firebird 3 version of the fbclient library is required on the client side. Whether a given connection actually ends up encrypted is decided by the WireCrypt setting (Disabled, Enabled or Required) on both sides; set WireCrypt = Required on the server if unencrypted connections must be refused rather than merely discouraged. Note also that RC4 is a legacy cipher with known keystream biases (it has been prohibited in TLS since RFC 7465); arc4 is the baseline Firebird 3 ships with, and a custom plug-in is the route to a stronger cipher.
The challenge with a symmetric cipher is where to get its key. Firebird assumes that such a key, also called a secret session key, is produced by the authentication plug-in during connection establishment. SRP meets this requirement: the protocol itself yields a cryptographically strong shared session key on both sides without ever transmitting it.
If you want to use encryption with an authentication plug-in that does not provide a session key (Legacy_Auth, for example, produces none) and you agree to use some pre-defined key, say, one stored at the client side as a file and on the server in the security database for that specific client, then make that plug-in inform Firebird that it does have a session key. Bear in mind that such a pre-shared key is static across connections and only as secret as the file and database record holding it, whereas an SRP-derived key is fresh for every connection.
Specifications for the key's size, format, calculation and verification are not generalised; these details are specific to the wire encryption/decryption plug-in.
In particular, RC4 accepts a symmetric key of practically any length (1 to 256 bytes), while the key produced by SRP is 20 bytes long: a SHA-1 hash over SRP's session key and some other SRP-related inputs, such as the user name.
To export a key from your authentication plug-in, use the ServerBlock or the ClientBlock interface; one of them is always passed to the server or client part of an authentication plug-in. Both have a newKey method that returns a pointer to the CryptKey interface, which in turn has the methods setSymmetric and setAsymmetric for storing a symmetric or asymmetric key in the interface, i.e., exporting that key.
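The following is an added example, not code from the Firebird project, illustrating the keying model described above: an authentication step yields a shared secret, both ends derive the same 20-byte key from it, and a stateful RC4 stream (as in the arc4 plug-in) is keyed with it per direction. The SHA-1 derivation (`derive_wire_key`, hashing session key followed by user name) is an illustrative stand-in and not Firebird's exact construction, which the notes do not specify; the packets and keys are constructed sample data. It also shows the pre-shared-key alternative from the previous paragraphs, and the failure mode a practitioner should expect when the two sides end up with different keys: RC4 has no integrity check, so the server silently decrypts to garbage rather than rejecting the connection.

```python
import hashlib
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """RC4 key scheduling plus keystream generation. RC4 accepts any key from
    1 to 256 bytes, which is why an arc4-style plug-in can be fed either a
    20-byte SRP-derived key or a pre-shared key of some other length."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


class Rc4Channel:
    """One direction of the wire: a stateful stream, so consecutive packets
    continue the keystream instead of restarting it."""

    def __init__(self, key: bytes) -> None:
        self._ks = rc4_keystream(key)

    def process(self, data: bytes) -> bytes:
        return bytes(b ^ next(self._ks) for b in data)


def rc4_once(key: bytes, data: bytes) -> bytes:
    """Stateless helper, used to check the cipher against a published vector."""
    return Rc4Channel(key).process(data)


def derive_wire_key(srp_session_key: bytes, user_name: str) -> bytes:
    """Stand-in for the 20-byte key an SRP plug-in exports via setSymmetric.
    ASSUMPTION: the byte layout hashed here (session key || user name) is
    illustrative; the release notes do not give Firebird's exact input."""
    return hashlib.sha1(srp_session_key + user_name.encode("utf-8")).digest()


def exchange(client_key: bytes, server_key: bytes, packets: List[bytes]) -> List[bytes]:
    """Client encrypts each packet with its key, server decrypts with its own.
    Returns what the server sees. Mismatched keys produce noise, not an error."""
    client_out = Rc4Channel(client_key)
    server_in = Rc4Channel(server_key)
    return [server_in.process(client_out.process(p)) for p in packets]


# Constructed sample data, not captured from a real Firebird session.
PACKETS = [b"op_attach /var/db/employee.fdb", b"SELECT 1 FROM RDB$DATABASE"]
SRP_SESSION_KEY = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f9000112233")
PRESHARED_KEY = bytes(range(1, 33))  # 32-byte pre-defined key (hypothetical)


def srp_keyed_session() -> List[bytes]:
    """Both sides hold the same SRP session key and user name, so both derive
    the same 20-byte wire key and the server recovers the plaintext."""
    k_client = derive_wire_key(SRP_SESSION_KEY, "SYSDBA")
    k_server = derive_wire_key(SRP_SESSION_KEY, "SYSDBA")
    assert len(k_client) == 20 and k_client == k_server
    return exchange(k_client, k_server, PACKETS)


def mismatched_session() -> List[bytes]:
    """The sides disagree on the session key (one byte differs), so the
    derived wire keys differ and decryption yields garbage silently."""
    bad = bytes([SRP_SESSION_KEY[0] ^ 0x01]) + SRP_SESSION_KEY[1:]
    k_client = derive_wire_key(SRP_SESSION_KEY, "SYSDBA")
    k_server = derive_wire_key(bad, "SYSDBA")
    return exchange(k_client, k_server, PACKETS)


def preshared_session() -> List[bytes]:
    """The alternative described above: an auth plug-in with no negotiated
    secret hands Firebird a pre-defined key on both sides instead. RC4 does
    not care that it is 32 bytes rather than 20."""
    return exchange(PRESHARED_KEY, PRESHARED_KEY, PACKETS)


if __name__ == "__main__":
    print("rc4 vector:", rc4_once(b"Key", b"Plaintext").hex())
    print("srp-keyed :", srp_keyed_session())
    print("mismatched:", mismatched_session())
    print("preshared :", preshared_session())
```

The `mismatched_session` case is the one to remember when debugging a custom plug-in: because the wire cipher provides confidentiality only, a key-derivation disagreement between client and server shows up as a protocol error on corrupted packets, not as an authentication failure.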