DB File Encryption Password Expansion

Posted: Sun 22 Jun 2014 11:29
by friedrb
Hi Guys,

I'm considering using AES-128 encryption for my database file. Is there a "Password Expansion" or "Key Derivation Function" (like PBKDF2) performed on the encryption key after it is passed to EncryptDatabase(NewEncryptionKey: string)?

If so, could you talk about which one was chosen, or at least what exactly happens to the key before it is sent to the AES algorithm? Since the TLiteConnection.EncryptionKey property in the component is a unicode string, it makes me think that it expects values that look more like casual text passwords (like "11111"), and not the actual keys used for the cipher algorithm, which would be more like 128bit random-looking binary data.

What I'm ultimately trying to understand is the amount of protection the system provides against attacks on the cryptography.

Thanks,
Bill.

Re: DB File Encryption Password Expansion

Posted: Mon 23 Jun 2014 10:03
by AlexP
Hello,

The EncryptionKey property is a string that is mapped to a pointer on an Ansi string, and this pointer is passed to the sqlite3_key method. Encryption implementation depends on the used SQLite library.

Re: DB File Encryption Password Expansion

Posted: Mon 23 Jun 2014 14:16
by friedrb
Hi Alex,

I forgot to mention that I was intending to use the "Direct" connection with DevArt encryption to the SQLite database file. Can you shed some light on how the DevArt encryption deals with the string passed to sqlite3_key? (Such as, if the key is salted and/or expanded with a key derivation function, and how many rounds of hashing might be used.)

Thanks,
Bill.

Re: DB File Encryption Password Expansion

Posted: Tue 24 Jun 2014 09:47
by AlexP
Encryption is implemented in the TCREncryptor class. If you have a version with source code, you can see the implementation in the CREncryption module.

Re: DB File Encryption Password Expansion

Posted: Tue 24 Jun 2014 19:40
by friedrb
Hi Alex,

I've only purchased the Standard Edition and don't have access to the source code. All I'm really looking for is a confirmation that something is being done to strengthen the password/pass-phrase (i.e. "key") before it is used to encrypt the database using Direct DevArt Database File Encryption.

For example, I've seen lots of recommendations in security forums that say the key should be salted and passed to a function like PBKDF2 before it is used in a block cipher. I just want a confirmation that something like this is happening.

Do you have a white paper, or some specs, a high level overview, or a note from the developers that describe the way the crypto is being used when direct mode encryption is chosen in the TLiteConnection component?

Thanks,
Bill.

Re: DB File Encryption Password Expansion

Posted: Thu 26 Jun 2014 08:14
by AlexP
No, these encryption features are not implemented in our products.