Securing Stored Data
RDM has the ability to secure database content through support of database level encryption. The implementation of encryption in RDM allows for both authentication and obfuscation. The RDM engine, used in a wide variety of applications running on a wide variety of hardware, has been designed with an encryption functionality that is flexible but focused, providing robust security to meet the needs of embedded applications and devices without the computational and human resource overhead required by an enterprise engine.
Raima chose the AES encryption cypher for our data security solution for several reasons
- It is an industry standard and highly secure algorithm
- It allows for several key sizes (128, 192, and 256 bits) to give our customers the flexibility to choose between higher security and higher performance.
- As a symmetric-key block cipher the number of bits of input match the number of bits of encrypted data
- There is public test data available to validate an AES implementation
- It allows Raima to provide a level of obfuscation and authentication
Raima’s encryption implementation provides data obfuscation by encrypting all data that is written to disk (including log files). Even if an attacker were monitoring file I/O to determine what files are updated by an application, it is still hard to interpret the contents of those files without the correct encryption key. For performance and practicality, the database files are not encrypted as a whole, but they are encrypted in individual chunks instead. When you update a row in a table, the engine only updates the chunk of the file that has the particular encryption block where the row is stored. In addition, all database data transferred between an RDM runtime and a remote TFS is encrypted while on the network. The only time that data is clear is when it is residing in the runtime cache.
This level of security can eliminate an attacker from reverse engineering database files to discover the contents, but it does not eliminate the risk of an attacker using an application authorized to read/write the data in a database. This is where authentication plays a role in security.
To create an encrypted RDM database, an encryption passcode must be provided. This passcode is put through a one-way hash to create an encryption key. This encryption key is used to encrypt a randomly generated key which is used to encrypt all database content. Any application that wants to read an encrypted database must provide the correct passcode, including all of the RDM utility applications as well as any application provided by the developer.