Hello,
While trying to add salt to SQLite database encryption passwords, I came across this limitation: the SQLite engine only takes into account the first 16 characters of the encryption key and silently ignores any characters above this limit.
Consider the following code:
[code]Dim now As New Date
Dim filename_int As Int64 = now.TotalSeconds
Dim filename As String = Str(filename_int)

// we create a database using a long key (26 characters)
Dim initDB As New SQLiteDatabase
initDB.DatabaseFile = GetFolderItem("c:\temp\" + filename)
initDB.EncryptionKey = "abcdefghijklmnopqrstuvwxyz"
Dim createOutcome As Boolean = initDB.CreateDatabaseFile
initDB.Close
MsgBox Str(createOutcome) // true = create OK, false = create fail

// then we try to read the database using a shorter key (only the first 16 characters)
Dim readDB As New SQLiteDatabase
readDB.DatabaseFile = GetFolderItem("c:\temp\" + filename)
readDB.EncryptionKey = "abcdefghijklmnop"
Dim readOutcome As Boolean = readDB.Connect
MsgBox Str(readOutcome) // result is true (!!!) in 2017R2.1 & 2018R1 (windows)
[/code]
What happened in my case, where my 27-character salt was followed by the actual user password, is obvious: the first 16 characters of the salt were used as the encryption password and any user password would unlock the database!
Is this limitation intended, or is something not right with the SQLite engine?
Could others confirm this, and if so, is it a bug or a feature?
I think 16 characters are not enough at a time when all serious password-protection mechanisms recommend at least 20 characters.
Xojo team, could we please do something about it?
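An added illustration (not part of the thread, and not Xojo's or SQLite's code) that models the behaviour reported above as "only the first 16 characters count" and shows why a salt placed in front of the password makes the password irrelevant, alongside a hypothetical alternative that derives the key with PBKDF2 so the first 16 characters depend on both salt and password. The 16-character limit, the 27-character salt and the key derivation are assumptions of this example, not something the thread confirms about Xojo's implementation.

```python
import hashlib
import hmac

# Assumption taken from the post: the engine uses only the first 16 characters.
KEY_LIMIT = 16


def effective_key(key: str) -> str:
    """Model of the reported behaviour: everything past 16 characters is ignored."""
    return key[:KEY_LIMIT]


def naive_key(salt: str, password: str) -> str:
    """The scheme from the post: a long salt concatenated in front of the password.
    With a salt of 16+ characters, the password never reaches the engine."""
    return salt + password


def derived_key(salt: str, password: str, iterations: int = 100_000) -> str:
    """Hypothetical replacement (not the thread's code): PBKDF2 mixes salt and
    password into every output byte, so the 16-character prefix still depends on
    the password. The 8 derived bytes are hex-encoded to 16 printable characters,
    which carries 64 bits of entropy; 16 raw bytes would carry 128 bits, but raw
    bytes may not survive being passed around as a string."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt.encode("utf-8"), iterations, dklen=8)
    return dk.hex()


def opens_with(stored_key: str, attempted_key: str) -> bool:
    """Would the attempted key open a database created with stored_key,
    under the 16-character model? Constant-time compare of the effective keys."""
    return hmac.compare_digest(effective_key(stored_key), effective_key(attempted_key))


# Constructed 27-character salt, matching the length described in the post.
SALT = "abcdefghijklmnopqrstuvwxyz0"
```

Under the naive scheme `opens_with(naive_key(SALT, "correct"), naive_key(SALT, "wrong"))` is True, while with `derived_key` a wrong password no longer opens the database.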
So I overheard this from a SmartFriend™. 16 characters at 8 bits per character sounds suspiciously like 128-bit encryption, which is the default in SQLite.
Dave found the documentation I was looking for, especially the disturbing part that I was afraid of myself:
So, question answered: it's not a bug, it's a feature, and I will probably have to live with it.
I just think the maximum key length deserves a special mention in the Xojo documentation itself, since encryption is a sensitive issue.