FoxPro Programming
Encrypting some table fields
Gravatar is a globally recognized avatar based on your email address. Encrypting some table fields
  Albert Gostick
  All
  Feb 6, 2018 @ 08:45am

Hi all,

Client would like to encrypt a few fields in a table and I have not used encryption over the years. I noticed that my wwUtils setup includes wwEncryption. Is this calls robust enough for encryption needs these days? If so, are there any articles written on how to use it (I see some examples in the header area of the class but some articles would also be nice outlining a strategy of how to use them as safely as possible).

Thanks, Albert

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Rick Strahl
  Albert Gostick
  Feb 7, 2018 @ 02:54pm

The encryption classes uses .NET for encryption and those routines are battle tested - I used them in just about any project without issues. The key is to make sure you properly create a good encryption key and store it/access it in such a way that it's secure.

Info can be found here:

For two way encryption use the Encrypt/Decrypt() methods, for one way hashing (for passwords typically) use the Hash methods.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Albert Gostick
  Albert Gostick
  Feb 8, 2018 @ 07:51am

I tried the class and looked at the help notes and have a couple follow up questions:

  • the encrypted string is larger than the original string - what would the calculation be to determine the new expected size of fields?

  • wikipedia seems to give a mixed message about TripleDES stating at one point it is relatively weak but at another point is it used by some major software vendors; is it a "general purpose" encryption where one does not need "top secret" 256 bit encryption (just your opinion, or anyone else's here)

  • does the encryption key length make any appreciable difference for the security of it?

  • regarding your comment about where to store the key, I can put my thinking cap on but maybe someone has already thought this through: should it be stored in a .h file bundled into the app or as a property of a class? I just don't know where hackers would look or what memory they would can to find a key.

  • reading your help notes, if no key is passed for encryption, you say it uses a default key from the .dll - I assume you mean something in the .net framework supplies the key and if this is so, does this key vary depending upon the version installed by the end user machine?

Thanks, Albert

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Rick Strahl
  Albert Gostick
  Feb 9, 2018 @ 02:58pm

the encrypted string is larger than the original string - what would the calculation be to determine the new expected size of fields?

Yup - I don't know just experiment and look at the sizes. The output size will be bigger because there's additional content in the key plus the key is encoded into binary so at minimum you're looking at 2x but most likely more like 3x.

wikipedia seems to give a mixed message about TripleDES stating at one point it is relatively weak but at another point is it used by some major software vendors; is it a "general purpose" encryption where one does not need "top secret" 256 bit encryption (just your opinion, or anyone else's here)

Microsoft uses TripleDES in ASP.NET so I think that's a pretty safe bet. For anything but national security level security I think you'll be fine 😃 If you're worried about security create longer keys and salt with as many context specific values as you can manage.

does the encryption key length make any appreciable difference for the security of it?

Definitely. Longer keys are harder to break. But more importantly make sure that you use a salt value that essentially makes the encryption key different for each and every record value you encrypt.

regarding your comment about where to store the key, I can put my thinking cap on but maybe someone has already thought this through: should it be stored in a .h file bundled into the app or as a property of a class? I just don't know where hackers would look or what memory they would can to find a key.

It depends on how secure you want to be. Any value embedded into the app is potentially hackable. I tend to obfuscate - store under an obtuse name and use binary values and split the value across multiple variables stored in a couple of different locations in the application.

reading your help notes, if no key is passed for encryption, you say it uses a default key from the .dll - I assume you mean something in the .net framework supplies the key and if this is so, does this key vary depending upon the version installed by the end user machine?

No the DLL includes a default hard coded key which is not very secure obviously as this is used by any application that uses this library. But for many types of applications that's just fine. Casual encryption hashing is a thing - usually you just want to protect from drive by pickups of keys and passwords (say for a server on a public ISP network).

There's no such thing as perfect security - only levels of partial security. In my experience, even the most basic security settings for most applications are effective in staving off attack as there so many lower hanging fruit available.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Albert Gostick
  Rick Strahl
  Feb 14, 2018 @ 02:45pm

Hi Rick,

FYI, String growth in length: tested on a bunch of fields

  • tends to grow 2-3 times for fields up to 12 chars, about 1.5x for fields up to 50 chars and 1.33 for fields over that
  • for documents, seems to grow at about 1.33x the original doc size

Encryption method: I will have to talk to them; their IT guy tends to want "256 everything" although I think it is overkill; I think the bigger issue is hiding the key

Keys: I had already thought of maybe storing the key (or parts of it) in multiple places in the app so your suggestion confirms this as a viable option

Question: when you say "store binary values", help me out: do you mean converting to ascii equivalents? or is there some function I have not used that does this?

Regarding method of encryption: I have not delved into your source but are you just wrapping calls to something in .net such that you could easily add in the option to do 256 bit encryption (if my customer insists on that)? or does it impact a bunch of classes or methods?

Thanks, Albert

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Rick Strahl
  Albert Gostick
  Feb 14, 2018 @ 06:26pm

TripleDES max size is 192 bits (3 keys at 56 bits) and that's what's the default.

.NET supports a number of different cypto providers:

  • TripleDES (what I use): Max key size: 192
  • AES (based Rijndeal): Max key size: 256
  • RijndaelManaged : Max key size: 256

Others can be added if necessary but it requires a bit of change to the existing underlying .NET wrapper classes that would break backwards compatibility. It's something that has to be changed in the framework.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Albert Gostick
  Rick Strahl
  Feb 15, 2018 @ 01:25pm

Ok. Reading a bit more on the crypto methods, it does seem overkill to go with the 256 bit ones. I will run it past them. I think they have "bigger fish to fry" in regards to their data than the level of encryption.

Question: when you talk about the key size, is this the size of the encrytion key passed in to the .EncryptString() function? i.e. should I be passing in a 56 bit or a 192 bit key? or is the .net function taking my key (of whatever length) and working that up into a 56 bit key stored with the data?

Albert

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Rick Strahl
  Albert Gostick
  Feb 15, 2018 @ 06:21pm

Question: when you talk about the key size, is this the size of the encryption key passed in to the .EncryptString() function? i.e. should I be passing in a 56 bit or a 192 bit key? or is the .net function taking my key (of whatever length) and working that up into a 56 bit key stored with the data?

Heck no 😃

This refers to the keys the algorithm generates to encode the values. You provide a key phrase and the algo turns that into a key of specified bit size.

Any of the inputs can be short, and they keys generated will always be longer. That said you should never have really small values and the key especially should be at least 10 characters long - more is better. But again - this assumes your data is compromised in the first place.

The real key is not getting your data compromised in the first place.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Albert Gostick
  Rick Strahl
  Feb 16, 2018 @ 07:00am

I thought of this after - they key would never be stored with the data - duh...oh well, write first, think later...

This company is trying to beef up their security 3 fold: trying to close every door to keep the bad guys out, then encrypting what is sensitive (which is needed to not only slow them down but you have to show due diligence if something does happen) and three, having a restore plan with good data (especially regarding to ransomware which now tries to get into your backups to delete them first - this seems to be the hardest one to accomplish).

On a related note, someone on the UT said that with a debugger (C++ they said) that someone can always figure out where you store your keys - I know we talked about obfuscating them, but are there any ways to hide the calls that fetch a key i.e. protected or hidden method - or are all these visible to a debugger?

Update: just checked UT and Hank Fey said that he has seen that 3DES is just as hard to break as AES256.

Thanks, Albert

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Rick Strahl
  Albert Gostick
  Feb 16, 2018 @ 01:04pm

That why I said encrypted data is only as secure as the key you use.

I'm not sure what we're talking about here. If we're talking about a Web application, accessing the code is less of a concern than in a desktop application. In a desktop application you can almost always access keys if you can decompile the code because at some point the key will have to be passed to the encryption code.

In .NET there's a SecureString class that keeps values encrypted end to end, but even that is not safe if you can access the code and debug into it because you can essentially evaluated even a secure string and get the underlying value out.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: Encrypting some table fields
  Albert Gostick
  Rick Strahl
  Feb 16, 2018 @ 02:01pm

It's a desktop code. Someone on UT suggested using ReFox to compile the application - and he said that even someone very determined could eventually get to the key - but that most hackers would not try that hard (unless it was valuable data - which it is not "that" valuable).

Albert

© 1996-2024