DB File Encryption Password Expansion

Discussion of open issues, suggestions and bugs regarding LiteDAC (SQLite Data Access Components) for Delphi, C++Builder, Lazarus (and FPC)
friedrb
Posts: 3
Joined: Sun 22 Jun 2014 10:53

DB File Encryption Password Expansion

Post by friedrb » Sun 22 Jun 2014 11:29

Hi Guys,

I'm considering using AES-128 encryption for my database file. Is there a "Password Expansion" or "Key Derivation Function" (like PBKDF2) performed on the encryption key after it is passed to EncryptDatabase(NewEncryptionKey: string)?

If so, could you talk about which one was chosen, or at least what exactly happens to the key before it is sent to the AES algorithm? Since the TLiteConnection.EncryptionKey property in the component is a Unicode string, it makes me think that it expects values that look more like casual text passwords (like "11111"), and not the actual keys used for the cipher algorithm, which would be more like 128-bit random-looking binary data.

What I'm ultimately trying to understand is the amount of protection the system provides against attacks on the cryptography.

Thanks,
Bill.

AlexP
Devart Team
Posts: 5530
Joined: Tue 10 Aug 2010 11:35

Re: DB File Encryption Password Expansion

Post by AlexP » Mon 23 Jun 2014 10:03

Hello,

The EncryptionKey property is a string that is mapped to a pointer to an Ansi string, and this pointer is passed to the sqlite3_key method. Encryption implementation depends on the SQLite library used.

friedrb
Posts: 3
Joined: Sun 22 Jun 2014 10:53

Re: DB File Encryption Password Expansion

Post by friedrb » Mon 23 Jun 2014 14:16

Hi Alex,

I forgot to mention that I was intending to use the "Direct" connection with DevArt encryption to the SQLite database file. Can you shed some light on how the DevArt encryption deals with the string passed to sqlite3_key? (Such as, if the key is salted and/or expanded with a key derivation function, and how many rounds of hashing might be used.)

Thanks,
Bill.

AlexP
Devart Team
Posts: 5530
Joined: Tue 10 Aug 2010 11:35

Re: DB File Encryption Password Expansion

Post by AlexP » Tue 24 Jun 2014 09:47

Encryption is implemented in the TCREncryptor class. If you have a version with source code, you can see the implementation in the CREncryption module.

friedrb
Posts: 3
Joined: Sun 22 Jun 2014 10:53

Re: DB File Encryption Password Expansion

Post by friedrb » Tue 24 Jun 2014 19:40

Hi Alex,

I've only purchased the Standard Edition and don't have access to the source code. All I'm really looking for is a confirmation that something is being done to strengthen the password/pass-phrase (i.e. "key") before it is used to encrypt the database using Direct DevArt Database File Encryption.

For example, I've seen lots of recommendations in security forums that say the key should be salted and passed to a function like PBKDF2 before it is used in a block cipher. I just want a confirmation that something like this is happening.

Do you have a white paper, or some specs, a high level overview, or a note from the developers that describes the way the crypto is being used when direct mode encryption is chosen in the TLiteConnection component?

Thanks,
Bill.

AlexP
Devart Team
Posts: 5530
Joined: Tue 10 Aug 2010 11:35

Re: DB File Encryption Password Expansion

Post by AlexP » Thu 26 Jun 2014 08:14

No, these encryption features are not implemented in our products.
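
Since the thread ends with no key derivation on the component side, the stretching has to happen in the application before the string is assigned to EncryptionKey. The following is an added example, not code from this thread or from Devart: it derives a 128-bit key with salted PBKDF2-HMAC-SHA256 and hex-encodes it so the value stays pure ASCII through the Ansi string mapping mentioned above. The function names, the iteration count and the JSON parameter record are assumptions of the example, and how the component processes the resulting string internally is not documented here.

```python
import hashlib
import json
import secrets

# Assumed parameters for this example (not taken from the thread).
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 16  # 128 bits, matching the AES-128 the poster mentions


def new_kdf_params(iterations=ITERATIONS):
    """Create per-database KDF parameters. They are not secret, but they
    must be stored outside the encrypted file so it can be reopened."""
    return {"kdf": "pbkdf2-hmac-sha256", "iterations": iterations,
            "salt": secrets.token_hex(SALT_BYTES)}


def derive_key_string(passphrase, params):
    """Stretch a passphrase into a 128-bit key, returned as 32 hex chars."""
    if params["kdf"] != "pbkdf2-hmac-sha256":
        raise ValueError("unsupported KDF: %r" % (params["kdf"],))
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              bytes.fromhex(params["salt"]),
                              params["iterations"], dklen=KEY_BYTES)
    return key.hex()  # ASCII only, so no loss in a Unicode -> Ansi mapping


def dump_params(params):
    """Serialize the parameters for a sidecar file next to the database."""
    return json.dumps(params, sort_keys=True)


def load_params(text, min_iterations=100_000):
    """Parse a sidecar record and refuse weakened or malformed settings."""
    params = json.loads(text)
    if params.get("kdf") != "pbkdf2-hmac-sha256":
        raise ValueError("unexpected KDF in parameter record")
    if int(params["iterations"]) < min_iterations:
        raise ValueError("iteration count below the accepted minimum")
    if len(bytes.fromhex(params["salt"])) < SALT_BYTES:
        raise ValueError("salt too short")
    return params


if __name__ == "__main__":
    record = dump_params(new_kdf_params())      # write once, at creation
    key = derive_key_string("11111", load_params(record))
    print(record)
    print("string to assign as the encryption key:", key)
```

The salt makes the same passphrase produce a different key for every database, and the iteration count sets the cost of each guess; neither adds entropy to a passphrase as weak as "11111".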
