Firebird Documentation IndexFirebird 3.0.2 Release NotesSecurity → "Over the wire" Connection Encryption
Firebird Home Firebird Home Prev: New Authentication Method in Firebird 3Firebird Documentation IndexUp: SecurityNext: Mapping of Users to Objects

"Over the wire" Connection Encryption

The Secret Session Key
Alex Peshkov

CORE-672 ...

All network traffic in Firebird 3 may be optionally encrypted. As with authentication, plug-ins are used for encrypting and decrypting network traffic.

The default plug-in is arc4 (Alleged RC4). It is eminently possible to write your own crypt plug-in to encrypt data travelling over the wire. Whatever you use for your plug-in, it is necessary to use the Firebird 3 version of the fbclient library.

The Secret Session Key

The challenge with use of a symmetric cypher is where to get a key for it. Firebird assumes that such a key, also called a secret session key, is produced by the authentication plug-in at the connection establishment phase. SRP meets this requirement just fine by producing a cryptographically strong session key.

Tip

If you want to use encryption with an authentication plug-in that does not provide the session key and agree to use some pre-defined key, say, one stored at the client side as a file and on the server in the security database for that specific client, then make that plug-in inform Firebird that it does have a session key.

Specifications for the Key

Specifications for the key's size, its format, how it is calculated and verified, etc., are not generalised. The key's format and other details are specific to the wire encryption/decryption plug-in.

In particular, RC4 uses a symmetric key which can have any length, while the key produced by SRP has a length of 20 bytes. That key is a SHA-1 hash on SRP's session key and some other SRP-related things, such as user name.

Exporting a Key from an Authentication Plug-in

To export a key from your authentication plug-in, use the ServerBlock or the ClientBlock interface. One of these is always passed to the server/client part of an authentication plug-in. Both have a “newKey” method that returns a pointer to the CryptKey interface. That interface in turn has the methods setSymmetric and setAsymmetric for storing the symmetric or asymmetric key in the interface, i.e., exporting that key.

Prev: New Authentication Method in Firebird 3Firebird Documentation IndexUp: SecurityNext: Mapping of Users to Objects
Firebird Documentation IndexFirebird 3.0.2 Release NotesSecurity → "Over the wire" Connection Encryption