Xojo.Crypt RSA question

This is a new area for me so please bear with me.

My need is simple. The solution seems overly complex for the situation. I have a SQLite database and an application that requires the user to sign in with UserID and Password which are stored in a table. Obviously, if I just store the password in a field in the table, any SQL browser app can open the database and read the password.

So I have read through the docs on Xojo.Crypto and looked at the Example Projects. I understand how to encrypt and decrypt the password using the private and public keys. But where do I store the keys? Do I generate them and then put them as a constant in the program code? Even use the Example Project to generate the keys and then just copy them to my app?

In the UG Book on Framework, the first example:
dim value as string
value = Crypto.SHA256(Password)
seems simple enough except it doesn’t show how to DECRYPT it.

What is the best way to do this?


SHA256 is not encryption, it’s a hash, meaning it’s one-way only. It’s meant to compare two streams of bytes (like a password) to see if they are the same without storing anything else about the stream of bytes, which is what you want.

Typically the procedure is to store a hash (like SHA256), then compare the hash of an entered password to see if they are the same. There is no need to “decrypt” anything.

(Even this is insufficient as you should be using a scheme like PBKDF2, bcrypt, or scrypt instead of a straight hash.)

However, if you do this, anyone can open your database with some SQLite utility. Can you encrypt the database instead and have your user enter the key that way? SQLite encryption is part of the SQLiteDatabase class.

Kem; When the app is ready for final distribution then encrypting the entire database would be an option. But I this point I am in and out of the app every few minutes for testing and use a sql browser (Base) a lot.

All I really want to do is make the password unreadable in the database if opened by Base or similar.

I coded a little “encryption” routine myself which certainly isn’t secure but it would take a good amount of work to get around. I may just stick with it for the time being.


As Kem said… it you store the password IN the database… don’t store clear text… store a hashed version of it
When the user enters the “clear text” version, then hash IT, and compare to the value in the database

But if you are contemplating encrypting the entire database as also suggested, why not do it now?
You can embed the password in your test code so you don’t have to enter each time you do a test run…

also be aware… I believe an Xojo encrypted Sqlite database, may or MAY NOT be able to be decrypted by non-Xojo applications. It would depend on it they both used the same encryption scheme or not

Use the Crypto.PBKDF2 (Password-Based Key Derivation Function) method to derive a high-entropy encryption key (or salted hash) from a low-entropy string like the user’s password. Use the derived key to encrypt/decrypt.

This means you don’t have to store the key anywhere, instead ask the user for their password and re-generate it.

Also see: https://blog.xojo.com/2015/10/09/tips-dealing-with-the-problem-of-passwords/