PDA

View Full Version : Security Library Usage



Tom Murphy
15-Apr-2019, 09:07 PM
Hi DAW

We're starting to look at using the security library to store passwords and other sensitive data. I have watched the video in the learning center and read the .pdf that comes with the library, is there anymore help available? And a layout of the class structure.

I just to want make sure thinking on this is correct, and looking for suggestions.

Passwords

For the passwords we should be looking at the passcode storage, this is one way encryption. And after setup, like setting the algorithm, there's 2 basic methods - one to store the password and one to verify. This sounds pretty easy but as mentioned in the .pdf needs a big field to store the data.

Sensitive Data

We need to store some sensitive data, this data needs to be encrypted for storage and decrypted for use. Which type of data encryption would be recommended, generic/keyed hashes? Is this 2 way encryption? I'm thinking it is, but don't see any public methods in the library to do the decryption.

The other alternative looks to be AES Encryption? Is this ok for storage, as the IV/Nonce need to be known.

Samuel Pizarro
15-Apr-2019, 09:13 PM
Hi Tom

It may worth watching this video from Learning center, if you haven't yet.

https://learning.dataaccess.com/courses/security-the-basics/

Regards

Joao Mauricio Rinardo
16-Apr-2019, 03:46 PM
Hi, Tom!

I'm not sure if there's a document containing the layout of class structure, but basically the classes you'll need to use are the ones shown in the course at the Learning Center.

Regarding password storage, you're correct. You'll use the cSecurePasscodeStorageMethod and configure it to use one of the supported password hashing algorithms (piPasscodeHashImplementation property).

To store a password, you call the StorageString method. To verify a password, you call the Verify method. The storage string contains a hash and this is bigger than the original password. I think the default size is 128 bytes for the hashed password, but according to the Libsodium documentation, the output may be smaller than that.

For the encryption, you should use one of the AES encryption algorithms supported by the library: AES CBC or AES GCM for authenticated encryption. Generic hashes can't be used for that because they generate hashes and those can't be reverted back to plain text.

For encryption, the key used for the encryption needs to be securely stored. It should be secret.

In the library, you can use the cSecureSymmetricKeyEncryptionMethod class and set the desired encryption algorithm in the piEncryptImplementation property.

I created a sample workspace to demonstrate the DataFlex Security Library (www.DataAccess.com.br/SamplesDFSecurityLib.zip (http://www.dataaccess.com.br/SamplesDFSecurityLib.zip)). The samples there are similar to the ones in the Learning Center.

Best Regards

Tom Murphy
16-Apr-2019, 08:41 PM
Hi Joćo

Thanks for getting back to me, that all makes sense. I'll check out the AES encryption algorithms.