I have this code from an old app which encrypts an SQLite database file.
I was under the impression that Xojo encrypted databases using SHA-512, but this old code seems to use MD5 - or is it encrypting via SHA-512 and then hashing it using MD5?
if db.connect() then
db.encrypt EncodeHex(MD5("123456789"))
Do I really need to hash via MD5 if my database is encrypted using SHA-512?
Could I not simply use the code below:
if db.connect() then
db.encrypt EncodeHex("123456789")
Does anyone know if it is legal to encrypt a database using SHA-512 in the UK???
You give it a password… not required to hash it when you supply it… whatever you give it is hashed as part of the encyrption process anyways… Just remember it is useless to encrypt a database (or anything else for that matter) by hard-coding the password.
I do know in the US it is illegal to export certain crypto alogrithms… But (and I will let XOJO confirm) or deny this… That any crypto that is built in to XOJO is legal, or you would not even be able to use it in the UK
Dave,
Regarding your point 1 - are you saying that it is pointless using the code below, as it is hardcoded into the app?
db.encrypt EncodeHex(MD5("123456789"))
Regarding point 2, all I want is to prevent someone from copying the database file, and then simply opening it and viewing the contents. If they decompile / crack my app, then yes - they will easily retrieve the key.
What I am saying is what you supply IS the PASSWORD. Pre-hashing the password makes it no more or less secure
The “encrypt” command hashes it for you, and does NOT store the value you provide, meaning the password cannot be reverse engineered (hacked perhaps, but not extracted from the database).
But the introduction of the password should be from an external source… Such as asking the user for it, but if you hardcode it in your program, a hacker will have access to your database in moments if they are so determined.
dim pw as string
pw=Ask_User_For_Password()
db.encrypt pw
the same for decrypt
If you just want to make it “not easy”… then go ahead and hard code a value [I’d make it a constant at least]
OK, let me see if I understand the concept you are explaining.
If I use your code example above:
I presume that Ask_User_For_Password() is a method, which displays a window asking the user to enter the key of his choice. The returned value is then used to encrypt the database file (after it has been created).
Therefore I use that on first run, which will encrypt the database file.
If I am correct so far - how does the user use the database on future runs (after the database has been initially been created and encrypted)?
Does the user need to enter the key each time he runs the app? Otherwise, surely the key will still be hard coded somewhere?
It depends on what’s happening. Do you want the user to control the encryption of the database or just have a password so they can log into the database? Big difference.
I was intending on hard coding the encryption key, but it now seem to make more sense in letting the user decide the key via the method above. That way I do not need to create a unique key for each customer, as each customer can decide their own key.
My only question now is how the user accesses the database after they have initially encrypted it??
They’d have to enter the key each time unless you’ve made a file somewhere that you can read with the key in it. That would work if you hard code encrypt that file.
I was going to password the app anyway, so if the user has to enter the encryption key upon each run of the app - I can kill 2 birds with 1 stone
If the user enters the same set of digits which they used to initially encrypt the database, would that actually connect to the database, or would I need to encrypt the entered digits again?
Cool - and this way I presume there is no encryption key / password stored anywhere in the app, as it is entered by the user every time? If so, this seems a lot more secure.
My final 2 questions then are:
What encryption does this use? Is it a variant of SHA, or a completely different type, as I need to ensure it is legal in the UK.
What is the only way in which someone could work out the key / password? Could they hack my app and find out, or would they only be able to find out by doing something with the actual database file?
Thank you for all your help - I have learnt a lot from this thread.