4

Most conversations about ODBC are Microsoft centric, but the protocol is often used in heterogeneous environements, such as a Windows client connecting to a database on an *nix server. While my question is open ended, I'm most interested in the heterogeneous scenario.

In researching a specific use case, I was surprised to find almost no encryption specific controls in the drivers. There was a check-box to turn on encryption, but I could find no documentation about controlling the algorithms used or to specify/provide certificates. Red lights started flashing. "Does it use TLS 1.2, or an older version?" "Is there mutual authentication?" "Are the certificates validated or are self-signed certs trusted?" "What certs are used?" Yea, like that...

I found some information about how this operates in a Microsoft environment. Even this information was not entirely satisfying, but the documentation for the protocol itself or for specific drivers from the *nix world seems to be almost completely lacking.

Community
  • 1
JaimeCastells
  • 1,156
  • 1
  • 9
  • 16
  • I'm not sure this is a security question – schroeder Nov 10 '15 at 22:21
  • 5
    I'm surprised by this comment. Encryption of data in motion is certainly a security control and using weak encryption is a category of vulnerability. There may be other forums where this expertise is more common... – JaimeCastells Nov 11 '15 at 00:19
  • 1
    It's a protocol/API question, not a security question. – schroeder Nov 11 '15 at 00:20
  • 1
    Schroeder, I'm not sure I understand the distinction. Would this question (http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) be considered a security question or a protocol/API question? – mti2935 Nov 11 '15 at 18:14
  • 2
    I'm going to agree with Jaime. We should be aiming for a "big tent" here, where we're broad in what we consider security. There's certainly some protocol question here, but the heart of this question is security. – Steve Sether Nov 11 '15 at 21:31
  • 1
    Yup, agreement that this is a security question, considering it's how to use security in the context of some system. It would be a shame to make the OP go learn all about ODBC, then come back here and ask some specific question. Why not handle the entire thing in one go? – Andrew Philips Nov 11 '15 at 21:51

1 Answers1

7

It depends upon the ODBC driver. If the driver has internal crypto, you can activate it. However, it also depends upon the backend database. ODBC may be used to connect to databases other than SQL server. For example, a native Oracle ODBC driver written on top of Oracle's DB client can use oracle network security when connecting. Other ODBC drivers may not use or have native security.

EDIT for Clarification

ODBC - Open Database Connectivity - is an API (library) within a program, it is not a network protocol. There's the Driver Manager, which is what is linked into the program and then there are Drivers which connect to various databases that are dynamically loaded (often) or statically linked (infrequently) into the program.

The program can exist on the same machine as the database (and use interprocess communication) or remotely on another machine (and use network communication). As there is no universal network protocol for accessing every type of database, each driver has its own network protocol, if it's network capable. For example, in the case of ODBC/Oracle, there would be a specific ODBC Oracle Driver that slots under the ODBC call stack and converts ODBC calls into SQL*Net calls. Those calls may be secured (the point of your question) using Oracle's Advanced Security Option (its native network security).

Likely, you're using a different database. In that case, you'll need a different ODBC Driver that, hopefully, has a secure networking layer built into it.

Years ago, I worked for a startup that specialized in building secure ODBC drivers for Oracle, Sybase and Generic ODBC networking. For the generic ODBC driver, we wrote our own client/server network protocol that used Kerberos and DCE RPC for securing network communications and the server side would call into the database via another ODBC Driver Manager.

Andrew Philips
  • 1,411
  • 8
  • 10
  • So you are saying ODBC has no integral encryption and depends on functionality beyond the protocol, yes? – JaimeCastells Nov 11 '15 at 14:12
  • 2
    Yes, there's no universal network protocol for database access. ODBC is a library with a driver manager and drivers. See my EDIT for details. – Andrew Philips Nov 11 '15 at 18:07
  • 1
    ODBC isn't a protocol at all, it's really an API that surrounds many protocols so you can talk to databases in a standard way. The underlying protocol can be (whatever). ODBC just has to support some basic functionality to connect to the database. It doesn't, and AFAIK can't specificy an encryption layer. – Steve Sether Nov 11 '15 at 21:34
  • 1
    @SteveSether, doesn't my answer say just that? I'm curious if I missed something. – Andrew Philips Nov 11 '15 at 21:49
  • 2
    @AndrewPhilips Sorry, I was talking to Jamie. You didn't miss anything, just trying to clarify to Jaime who didn't seem to understand. – Steve Sether Nov 11 '15 at 22:12