Simple encryption:

Simple encryption:

Folks, I have not had cause to use encryption in any code for the last 4 or 5 years and I just wondered what everyone was using nowadays. Is there anything in the System.??? VCL ?

1. I need to be able to encrypt a string
2. I need to be able to encrypt a file

It needs to be simple code

Thanks

Comments

  1. Encryption isn't simple. You do need to understand the concepts behind the various possible encryption algos, and you do need to have a clear idea of what your goals are. You need to understand what you are defending against. You may need to appreciate the export rules of various states. If you neglect these issues you are likely to have a false sense of security.

    ReplyDelete
  2. David Heffernan Ok, I appreciate this, but I am going to be doing a low form of encryption just to stop prying eyes and tampering fingers. It's very unlikely that our user base will be the kind of people who sit down and attempt to hack what we have done. The distribution of our software is very limited for a start

    ReplyDelete
  3. If it's just from non-technical prying eyes and fingers, I would not go for anything elaborate (and accompanying false sense of security David Heffernan mentionned), just encode in hexadecimal or base64.
    Any "simple" encryption likely would not hold long from technical eyes anyway.

    ReplyDelete
  4. Eric Grange I think I might need a little bit more than that just in case

    ReplyDelete
  5. What about LockBox and LockBox3 ( old TurboPower components ). I think they are on GetIT as well. Is anyone using these?

    ReplyDelete
  6. Thomas Feichtenschlager ... for which they want quite a bit of money !

    ReplyDelete
  7. Tony Danby then you will have to worry about the "not simple" aspects (against who you want to defend, for how long, how you will protect the key, how many messages you will encrypt, where they will be stored, how the keys are generated, etc.).

    Basically once you start defending against a script kiddy, you start defending against automatic decryption tools, which means you instantly leave the realm of "simple". And I am not talking about a hacker or a cryptanalyst, just a script kiddy that can use google and a download button.

    ReplyDelete
  8. Tony Danby​ Why not just implement something at random that you make up yourself. If you don't want to learn about encryption then there's not much point doing anything else.

    ReplyDelete
  9. Eric Grange Yeah it's a moral and coding dilemma, when someone asks me to do "encryption" but gives me neither the time nor the money; then wants it "simple" ( from a coding intergration and modifacation POV ) so it can be included in other places. I understand the remit from that aspect, but am puzzled by it from other aspects, as you say ... how far do you take it.... I know the remit is just to get a "basic" layer of security, but what is basic ....

    ReplyDelete
  10. Tony Danby
    Don't know how much your time is worth. But I guess it would take me days or even weeks to create reliable encryption-tools. It is more likely that it would never be acceptable finished since it seems really complex and risky. So the price seems more than fair too me...

    ReplyDelete
  11. Thomas Feichtenschlager it does to me, but not too people managing this ....

    ReplyDelete
  12. Thomas Feichtenschlager actually the encryption library is the "simple" portion of any encryption... it's how you integrate it, how manage and generate keys, how you avoid reuse, etc. that is complex (and fraught with perils).

    The best encryption in the world is useless if the keys can be brute-forced or are mis-managed in any fashion for instance.

    Just like in the real-world, the security of any building involves far more than strong locks: you need strong walls, strong windows, strong doors, not give a duplicate of keys to the janitor, etc. Anything cheap security is illusionary.

    In a burglary a few years ago, they just kicked the door very hard, until the walls broke (strong door fell on the ground, still closed)

    ReplyDelete
  13. Eric Grange
    To be honest - I do know very, very less about encryption. Probably because up to now I never was forced to use it actively...
    Just wanted to give Tony the link to the TMS tool I've seen. It's anyhow up to him/his customer to decide if it is useful and or worth the price.

    ReplyDelete
  14. Guys; I think, as I am trying to keep several "camps" happy here; I'll do the political thing and code for LockBox / LockBox3 using a Test harness application to start with.

    Depending on the results of this we will either go ahead with full development in LockBox or I will recommend looking elsewhere such as the TMS components Thomas Feichtenschlager mentioned.

    Also, I will take on board everything Eric Grange is saying, sage advice, thank you !

    ReplyDelete
  15. You don't encrypt strings. You encrypt byte sequences. You encrypt after you converted strings into bytes with the correct encoding. Decryption is the other way around: you decrypt bytes, then convert (using the right encoding) those bytes to strings.

    ReplyDelete
  16. Jeroen Wiert Pluimers I am aware of this, but a lot of component libraries have a "EncryptString" routine to make life simpler and it's this simplicity I am striving for.

    ReplyDelete
  17. Tony Danby if you can, ask who they want that encryption to defend against, and for how long. If you have no clear answer, then it's just going to end up as a hot potatoe sooner or later, so I would suggest to make those specs yourself have them signed or registered "officially" in one way or another. Try to spell it clearly that you are not responsible for the keys, that they should follow industry good practices for keys, etc. basically... CYA :)

    ReplyDelete
  18. Eric Grange ;-) I think it's already getting to the "hot potato" stage and I havn't even coded anything yet ;-) Maybe I should sit back and wait for the "dust" to clear .....

    ReplyDelete
  19. Tony Danby they oversimplify and cause for all the "hey, I'm surprised this fails" messages in the various forums (not limited to Delphi BTW).

    Do it the right way now will save you a lot of trouble later.

    ReplyDelete
  20. You can also take a look at DCPCrypt library.

    ReplyDelete
  21. Sébastien Paradis I thinks this is an old library that hasn't been updated in some time. I would think there would be problems if I tried to get it to work under Delphi 10.2 and then there would be the 64bit issues. Sorry, I should have mentioned I am using Delphi 10.2

    ReplyDelete
  22. Have you considered encoding your data in a Zip format that's password protected? You could also xor the result with a key to make it more confusing.

    ReplyDelete
  23. David Schwartz​ hmmmm one to consider, thanks. Although it doesn't solve the bit where i need to do a string?

    ReplyDelete
  24. David Schwartz google "zip password cracker" ;)

    You would be spending probably more time adding passworded zips, even if it's trivial, than it could take to crack...

    ReplyDelete
  25. Encryption algorithms don't change that often so you can still use DCPCrypt or one of the Turbo power tools for a solid one. Anything from Mormot will be up to date too.

    ReplyDelete
  26. Use TForge encryption library by serge on bitbucket.
    Used it sometime back for some simple aes encryption task and it worked smoothly.

    ReplyDelete
  27. Ugochukwu Mmaduekwe oh I'll take a look at that, thanks. Do you have a link?

    ReplyDelete
  28. Spring4D has some encryption classes IIRC

    ReplyDelete
  29. Always wondered if they are usable. In general, i think that Spring4D quality is good (thanks Stefan) so I will not mind centralizing all those needs on a single framework/components.

    ReplyDelete
  30. It's far easier to grab scrambled data after it has been decrypted than to waste time trying to break the encoding algorithm. It's also often easier to simply disassemble and reverse engineer the code. If someone is willing to go through this much effort, you've got some pretty valuable data there!

    If all you're trying to do is obscure some data and make it difficult to read, just put several layers of transforms in place that are scattered around the entire code base, and perhaps embedded in some dynamically-loaded data. LZ compression or something similar is just another means of scrambling things that's easy to unscramble. Who cares if there are password crackers out there?

    Pseudo-random number generators are just that -- given a starting seed, most generate a predictable sequence of numbers. So use that to swap bytes in the target data block; no "cracker" is going to make any headway until the person trying to crack it figures out how to unscramble it first.

    The question is, how many layers of scrambling and indirection do you want to use? Each one raises the bar on the effort needed to unscramble it completely. You don't need a bullet-proof encryption algo, just enough complexity that it becomes sufficiently challenging as to discourage all but the most determined crackers.

    ReplyDelete
  31. David Schwartz layers of simple "scrambling" usually only add opportunities for bugs... in the end your code will still have a call to a top-level decryption routine, and that's the only call the hacker needs to make.

    Using a PRNG, the key is the seed (btw AES is just a PRNG), but that's not enough: if the seed is too weak and does not have enough random, it can be brute-forced.
    For instance in another post here I discussed how if you use the Delphi Random function in a card game, then knowing just 4-5 cards in the deck, like the hand you were dealt, is enough to know the hands of all other players... because the PRNG seed is too small at 32bits.

    Another simple scenario if the key is a password is to just automate the password entry and hammer at it. That can work no matter how obtuse your "scrambling" is, and it does not involve disassembly or much expertise beyond simple autoit-like tools.

    In the end, it really comes down to who you're defending against, and the value of what you're trying to protect.

    ReplyDelete
  32. This is a classic discussion of encryption. Follow the majority of the advice given here and sit back and enjoy the warm glow of the illusion of security. Oh, and then pay the price of maintaining the now obfuscated code which brings you no discernible benefit.

    ReplyDelete
  33. I was eecomended to use RC4 algorhytm for encryption so I do it for strings and files too.

    ReplyDelete
  34. R Gosp Encryption operates on arrays of bytes, not on text. You don't encrypt strings. You encode strings as byte arrays using a specific encoding, and then encode the byte array.

    ReplyDelete
  35. R Gosp RC4 is pretty unsecure, broken since years, and not to be used any more - see tools.ietf.org - RFC 7465 - Prohibiting RC4 Cipher Suites

    ReplyDelete

Post a Comment