Simple encryption:
Simple encryption:
Folks, I have not had cause to use encryption in any code for the last 4 or 5 years and I just wondered what everyone was using nowadays. Is there anything in the System.??? VCL ?
1. I need to be able to encrypt a string
2. I need to be able to encrypt a file
It needs to be simple code
Thanks
Folks, I have not had cause to use encryption in any code for the last 4 or 5 years and I just wondered what everyone was using nowadays. Is there anything in the System.??? VCL ?
1. I need to be able to encrypt a string
2. I need to be able to encrypt a file
It needs to be simple code
Thanks
Encryption isn't simple. You do need to understand the concepts behind the various possible encryption algos, and you do need to have a clear idea of what your goals are. You need to understand what you are defending against. You may need to appreciate the export rules of various states. If you neglect these issues you are likely to have a false sense of security.
ReplyDeleteDavid Heffernan Ok, I appreciate this, but I am going to be doing a low form of encryption just to stop prying eyes and tampering fingers. It's very unlikely that our user base will be the kind of people who sit down and attempt to hack what we have done. The distribution of our software is very limited for a start
ReplyDeleteIf it's just from non-technical prying eyes and fingers, I would not go for anything elaborate (and accompanying false sense of security David Heffernan mentionned), just encode in hexadecimal or base64.
ReplyDeleteAny "simple" encryption likely would not hold long from technical eyes anyway.
Eric Grange I think I might need a little bit more than that just in case
ReplyDeleteWhat about LockBox and LockBox3 ( old TurboPower components ). I think they are on GetIT as well. Is anyone using these?
ReplyDeleteTMS has some Encryption-Tools...
ReplyDeletetmssoftware.com - TMS Software
Thomas Feichtenschlager ... for which they want quite a bit of money !
ReplyDeleteTony Danby then you will have to worry about the "not simple" aspects (against who you want to defend, for how long, how you will protect the key, how many messages you will encrypt, where they will be stored, how the keys are generated, etc.).
ReplyDeleteBasically once you start defending against a script kiddy, you start defending against automatic decryption tools, which means you instantly leave the realm of "simple". And I am not talking about a hacker or a cryptanalyst, just a script kiddy that can use google and a download button.
Tony Danby Why not just implement something at random that you make up yourself. If you don't want to learn about encryption then there's not much point doing anything else.
ReplyDeleteEric Grange Yeah it's a moral and coding dilemma, when someone asks me to do "encryption" but gives me neither the time nor the money; then wants it "simple" ( from a coding intergration and modifacation POV ) so it can be included in other places. I understand the remit from that aspect, but am puzzled by it from other aspects, as you say ... how far do you take it.... I know the remit is just to get a "basic" layer of security, but what is basic ....
ReplyDeleteTony Danby
ReplyDeleteDon't know how much your time is worth. But I guess it would take me days or even weeks to create reliable encryption-tools. It is more likely that it would never be acceptable finished since it seems really complex and risky. So the price seems more than fair too me...
Thomas Feichtenschlager it does to me, but not too people managing this ....
ReplyDelete/sub
ReplyDeleteThomas Feichtenschlager actually the encryption library is the "simple" portion of any encryption... it's how you integrate it, how manage and generate keys, how you avoid reuse, etc. that is complex (and fraught with perils).
ReplyDeleteThe best encryption in the world is useless if the keys can be brute-forced or are mis-managed in any fashion for instance.
Just like in the real-world, the security of any building involves far more than strong locks: you need strong walls, strong windows, strong doors, not give a duplicate of keys to the janitor, etc. Anything cheap security is illusionary.
In a burglary a few years ago, they just kicked the door very hard, until the walls broke (strong door fell on the ground, still closed)
Eric Grange
ReplyDeleteTo be honest - I do know very, very less about encryption. Probably because up to now I never was forced to use it actively...
Just wanted to give Tony the link to the TMS tool I've seen. It's anyhow up to him/his customer to decide if it is useful and or worth the price.
Guys; I think, as I am trying to keep several "camps" happy here; I'll do the political thing and code for LockBox / LockBox3 using a Test harness application to start with.
ReplyDeleteDepending on the results of this we will either go ahead with full development in LockBox or I will recommend looking elsewhere such as the TMS components Thomas Feichtenschlager mentioned.
Also, I will take on board everything Eric Grange is saying, sage advice, thank you !
You don't encrypt strings. You encrypt byte sequences. You encrypt after you converted strings into bytes with the correct encoding. Decryption is the other way around: you decrypt bytes, then convert (using the right encoding) those bytes to strings.
ReplyDeleteJeroen Wiert Pluimers I am aware of this, but a lot of component libraries have a "EncryptString" routine to make life simpler and it's this simplicity I am striving for.
ReplyDeleteTony Danby if you can, ask who they want that encryption to defend against, and for how long. If you have no clear answer, then it's just going to end up as a hot potatoe sooner or later, so I would suggest to make those specs yourself have them signed or registered "officially" in one way or another. Try to spell it clearly that you are not responsible for the keys, that they should follow industry good practices for keys, etc. basically... CYA :)
ReplyDeleteEric Grange ;-) I think it's already getting to the "hot potato" stage and I havn't even coded anything yet ;-) Maybe I should sit back and wait for the "dust" to clear .....
ReplyDeleteTony Danby they oversimplify and cause for all the "hey, I'm surprised this fails" messages in the various forums (not limited to Delphi BTW).
ReplyDeleteDo it the right way now will save you a lot of trouble later.
You can also take a look at DCPCrypt library.
ReplyDeleteSébastien Paradis I thinks this is an old library that hasn't been updated in some time. I would think there would be problems if I tried to get it to work under Delphi 10.2 and then there would be the 64bit issues. Sorry, I should have mentioned I am using Delphi 10.2
ReplyDeleteHave you considered encoding your data in a Zip format that's password protected? You could also xor the result with a key to make it more confusing.
ReplyDeleteDavid Schwartz hmmmm one to consider, thanks. Although it doesn't solve the bit where i need to do a string?
ReplyDeleteDavid Schwartz google "zip password cracker" ;)
ReplyDeleteYou would be spending probably more time adding passworded zips, even if it's trivial, than it could take to crack...
Encryption algorithms don't change that often so you can still use DCPCrypt or one of the Turbo power tools for a solid one. Anything from Mormot will be up to date too.
ReplyDeleteUse TForge encryption library by serge on bitbucket.
ReplyDeleteUsed it sometime back for some simple aes encryption task and it worked smoothly.
Ugochukwu Mmaduekwe oh I'll take a look at that, thanks. Do you have a link?
ReplyDeleteTony Danby, sure
ReplyDeletebitbucket.org - sergworks / TForge
Tony Danby, he sure has some good examples on his blog.
ReplyDeletesergworks.wordpress.com - The Programming Works
Ugochukwu Mmaduekwe thanks
ReplyDeletecityinthesky.co.uk - DCPcrypt - David A.W. Barton ― City in the Sky
ReplyDeleteSpring4D has some encryption classes IIRC
ReplyDeleteAlways wondered if they are usable. In general, i think that Spring4D quality is good (thanks Stefan) so I will not mind centralizing all those needs on a single framework/components.
ReplyDeleteIt's far easier to grab scrambled data after it has been decrypted than to waste time trying to break the encoding algorithm. It's also often easier to simply disassemble and reverse engineer the code. If someone is willing to go through this much effort, you've got some pretty valuable data there!
ReplyDeleteIf all you're trying to do is obscure some data and make it difficult to read, just put several layers of transforms in place that are scattered around the entire code base, and perhaps embedded in some dynamically-loaded data. LZ compression or something similar is just another means of scrambling things that's easy to unscramble. Who cares if there are password crackers out there?
Pseudo-random number generators are just that -- given a starting seed, most generate a predictable sequence of numbers. So use that to swap bytes in the target data block; no "cracker" is going to make any headway until the person trying to crack it figures out how to unscramble it first.
The question is, how many layers of scrambling and indirection do you want to use? Each one raises the bar on the effort needed to unscramble it completely. You don't need a bullet-proof encryption algo, just enough complexity that it becomes sufficiently challenging as to discourage all but the most determined crackers.
David Schwartz layers of simple "scrambling" usually only add opportunities for bugs... in the end your code will still have a call to a top-level decryption routine, and that's the only call the hacker needs to make.
ReplyDeleteUsing a PRNG, the key is the seed (btw AES is just a PRNG), but that's not enough: if the seed is too weak and does not have enough random, it can be brute-forced.
For instance in another post here I discussed how if you use the Delphi Random function in a card game, then knowing just 4-5 cards in the deck, like the hand you were dealt, is enough to know the hands of all other players... because the PRNG seed is too small at 32bits.
Another simple scenario if the key is a password is to just automate the password entry and hammer at it. That can work no matter how obtuse your "scrambling" is, and it does not involve disassembly or much expertise beyond simple autoit-like tools.
In the end, it really comes down to who you're defending against, and the value of what you're trying to protect.
This is a classic discussion of encryption. Follow the majority of the advice given here and sit back and enjoy the warm glow of the illusion of security. Oh, and then pay the price of maintaining the now obfuscated code which brings you no discernible benefit.
ReplyDeleteI was eecomended to use RC4 algorhytm for encryption so I do it for strings and files too.
ReplyDeleteR Gosp Encryption operates on arrays of bytes, not on text. You don't encrypt strings. You encode strings as byte arrays using a specific encoding, and then encode the byte array.
ReplyDeleteR Gosp RC4 is pretty unsecure, broken since years, and not to be used any more - see tools.ietf.org - RFC 7465 - Prohibiting RC4 Cipher Suites
ReplyDelete