DF20 library?

wila
26-Mar-2021, 01:51 PM
Hi,

As one might expect... I have a question.

Is an update of this security library in the works?

It would be nice if we could use this on DataFlex 2021 as well. :cool:

--
Wil

Michael Mullan
27-Mar-2021, 06:37 AM
There is a slightly modified one in PLATO, and I'm fairly sure there will be a proper release too.

/MM

Raphael Theiler
29-Mar-2021, 07:27 AM
It feels a bit more than "slightly modified".

Sture
29-Mar-2021, 07:35 AM
The one that will accompany the next version of Plato will be one step newer than currently is the case.

Like Michael, I expect a separate release of the security library.

I cannot attest to the degree of modifiedness since I have only ever used this one.

-Sture

wila
29-Mar-2021, 12:09 PM
OK, looked at the SecMod library in Plato.

It is a completely different library.
Might have a few small things that are the same or similar, but it does not come close to what I need for things like being able to use google authenticator for 2 factor authentication.

So, I'm sorry, but that's not the answer right now.
--
Wil

Michael Mullan
29-Mar-2021, 01:22 PM
So, what is this other security library of which you speak?

I thought SecMod was it, and the version in PLATO was very much similar to the released one. I guess I'm missing something?

Sture
29-Mar-2021, 01:28 PM
Hi Wil,

that's alright. One can always check back later :-). Authenticators are high on the list for after the final Plato release.

Michael, I am talking about the encryption library.

-Sture

wila
29-Mar-2021, 03:00 PM
So, what is this other security library of which you speak?

I thought SecMod was it, and the version in PLATO was very much similar to the released one. I guess I'm missing something?

???

SecMod appears to be the old cryptography package with a DataFlex example on how you can implement a -rather basic- RBAC (no offense intended, I think it can be useful for some applications).
I need to investigate more to say something more about it, so far I only briefly checked if it could replace the security library that we use.

The DataFlex Security Library is the forum you are in... https://support.dataaccess.com/Forums/showthread.php?63166-Welcome!
It is so vastly different that I am not even sure where to start.
It has a lot of low level primitives, it provides wrappers around things like CNG and libsodium.
It has several 2 factor implementations in there (TOTP/HOTP/FIDO U2F), it has web wrappers for a QR code control and takes care of most of the 2 factor workflow.

There is no comparison IMO beyond that they both deal with security.

--
Wil

wila
29-Mar-2021, 03:01 PM
Hi Wil,

that's alright. One can always check back later :-). Authenticators are high on the list for after the final Plato release.

Michael, I am talking about the encryption library.

-Sture

Thanks Sture.

I think Plato has a different purpose.
--
Wil

Michael Mullan
29-Mar-2021, 04:09 PM
Ah I see,

I think that SecMod may be a subset of the whole security library, with some examples baked in.

wila
29-Mar-2021, 04:31 PM
Ah I see,

I think that SecMod may be a subset of the whole security library, with some examples baked in.

It has an entirely different basis (DAW cryptographer2 classes versus CNG/LibSodium), but yes, that would be a way to look at it.

FWIW I see now that the cryptographer2 class is NOT just a new version of the old DAW cryptographer class, but it also doesn't appear to be based on CNG/LibSodium either. They are not very comparable except that they have a few matching cryptographic algorithms.

For the moment I prefer the CNG/LibSodium library.

--
Wil

wila
30-Mar-2021, 02:28 AM
SecMod appears to be the old cryptography package with a DataFlex example on how you can implement a -rather basic- RBAC (no offense intended, I think it can be useful for some applications).


Sigh... very poor phrasing on my end.

First off, it isn't the old cryptographer package, it is a new one with a similar name.

Second the part - rather basic - ... I should have just said "it is an example of how you can implement an RBAC security model", without the - rather basic part.

Is it basic?
That depends on how you look at it.

We don't have many public examples of this in DataFlex right now and now we have one.
It has some nice features that you can easily set with a few properties.
So from a DataFlex viewpoint... we have something much more advanced than we ever had, not basic at all.
I'm sure it took a lot of effort to get where it is at right now.

Looking at it from outside the DataFlex world, then yes, it is basic. Look at Active Directory or Azure RBAC (and a whole bunch of others).
There is no comparison.

Now why was I surprised by the answer --> look at SecMod in Plato

SecMod is an RBAC implementation with yet another package for the security part, it is a completely different thing.
Not everyone needs an RBAC, not every existing RBAC fits in this particular implementation.

I really really hope that the security library that this forum was for here has not gone the way of the dodo as it serves a completely different purpose.
To be frank I'm a bit surprised that it wasn't used as the basis for the SecMod library.
--
Wil

Michael Mullan
30-Mar-2021, 08:37 AM
Sorry for the misunderstanding Wil,

I used the SecMod from Plato, just as it was, without needing to dig too deep into what is under the hood. I wrote my own 2FA module, after I wrote the classes to communicate with the Gateway api (https://gatewayapi.com/) that Sture recommended from Denmark. I just used the Secmod bits for the barest level of security on my weblogin.

/MM

wila
30-Mar-2021, 08:45 AM
Michael,

No apology needed.

If anyone has to apologize it is me for not recognizing what the SecMod library is intended for.

As you have already discovered - way before me - it is a great start on adding a role based access control security module to your webapp.
It saves you a lot of time if you have to get there from the start.

--
Wil

Raphael Theiler
16-Apr-2021, 02:09 AM
Any news from DataAccess? Is a 20.0-version of the security library planned?
(To avoid any misunderstandings, I'm talking about this library: https://www.dataaccess.eu/resources/downloads/download-category/download-subcategory-842?dagapsg=90 )

josephmullins
17-Apr-2021, 11:54 PM
Hey Wila,

We had to make the security library work for 2020, so we did the following steps:

Upgrade the library in place (Had to edit `ProgramPath=./` inside the config.ws).
Download the correct old version of Libsodium (libsodium-1.0.16) from https://download.libsodium.org/libsodium/releases/old/
Compile it using Visual Studio X64 (not 32).
Copy the generated library (libsodium.dll) to the required location.
So far our testing has proven it to work correctly. Obviously a proper release from DAW is preferred, but if you would like a copy of this modified library please send a PM and I'm happy to share it.

Raphael Theiler
19-Apr-2021, 02:58 AM
We use CNG instead of libsodium. The hash function seems to be broken (returns empty hashes) if compiled with 64 bit.

Raphael Theiler
19-Apr-2021, 09:57 AM
Actually, I think it's just this one function call to an external function: WinAPI_BCryptDeriveKeyPBKDF2
I guess some of the parameters/types have changed and are now incompatible. The return code suggests invalid parameters and the hash is empty. The empty hash leads to all kinds of weird and funny problems (such as all passwords being valid, since the compare function crops the hash of the input to the same length as the stored string, etc).

If someone has any insights on how to fix this, I would appreciate it. I compared the WIN32 API with the code and it seems to be okay, except the one BigInt parameter which is split.

wila
20-Apr-2021, 04:43 AM
Joseph, Thanks for the reply.

If it is just compiling the binaries to 64 bit then I'd be fine with that, but thanks for the offer.

PS: Any reason on why you put the dll in a windows system folder instead of in the app's program folder?
Putting DLLs in Windows maintained folders is not recommended, as another application might put a different version of the DLL in there and that might then break your application.
--
Wil

wila
20-Apr-2021, 04:52 AM
Raphael,

This is why I would like an answer from DAW on this question.
We need to know if this project is maintained, or if the community has to come up with patches.

There are currently a few issues:
- The libsodium dll used is a few versions behind (not super great for a security library)
- There's no official DF20 support & the 64 bit libsodium binaries are missing
- Your example of "and now all passwords are valid" ... should never be possible. Which means that I consider that a bug and a need for additional code checking for a valid output from the external function call.
- There are going to be more 64 bit issues, either due to unicode or due to missing structure padding.

Now I personally don't need an answer right away. I am also fully aware that DAW has bigger fish to fry right at this moment, working hard on a patch release already. It would however be nice to know if it is still being considered or what the future of this library is.

IMO this is a very important library and many more developers are going to need the functionality offered by it over time, so it would be sad if it goes the way of the dodo.
--
Wil
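The failure mode Raphael and Wil describe above (an empty KDF result combined with a compare that crops to the stored length), modelled as an added Python example that is not part of this thread or of the DataFlex security library. It assumes hashlib's PBKDF2 as a stand-in for the CNG call, `derive_key_broken` as a simulation of the failing 64-bit call, and a constructed fixed salt; the hardened path shows the output check Wil asks for plus a full-length constant-time compare.

```python
import hashlib
import hmac

# Constructed constants for a reproducible demo; real systems use a random per-user salt.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ITERATIONS = 100_000
KEY_LEN = 32

def derive_key_ok(password: bytes) -> bytes:
    """Working PBKDF2-HMAC-SHA256; stands in for a correct BCryptDeriveKeyPBKDF2 call."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS, dklen=KEY_LEN)

def derive_key_broken(password: bytes) -> bytes:
    """Models the failing 64-bit call: the error status is ignored and an empty buffer comes back."""
    return b""

def verify_truncating(stored: bytes, candidate: bytes) -> bool:
    """The cropping compare from the thread, modelled as comparing only the shorter length.
    With an empty value on either side this is always True."""
    n = min(len(stored), len(candidate))
    return stored[:n] == candidate[:n]

def verify_hardened(stored: bytes, candidate: bytes) -> bool:
    """Refuse anything that is not a full-length key, then compare in constant time."""
    if len(stored) != KEY_LEN or len(candidate) != KEY_LEN:
        return False
    return hmac.compare_digest(stored, candidate)

def store_new_password(derive, password: bytes) -> bytes:
    """Registration path: never persist an empty or short KDF result."""
    key = derive(password)
    if len(key) != KEY_LEN:
        raise RuntimeError("key derivation failed: got %d bytes" % len(key))
    return key

def login(derive, verify, stored_hash: bytes, attempt: bytes) -> bool:
    """Login check using the given KDF and comparison function."""
    return verify(stored_hash, derive(attempt))
```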

Richard Hogg
20-Apr-2021, 06:32 AM
I agree with Wil that this is a very important library. Given that data security and the principle of security by design should now be embedded in software design rather than be an optional "nice to have" or an afterthought, I too would be sad if this library and the functionality it provides didn't become either a baked in part of DF or an easily integrated library. DAW have done fantastic hard work building DF into a great product. As DF is largely about accessing data, and given data is now a commodity eagerly sought by malicious players, developers need maximum opportunity to protect it.

josephmullins
20-Apr-2021, 11:02 AM
Hey Wila,

It was rather straightforward once I worked out what was going on :D

Good point on the System32, I have adjusted the post in case someone does that. System32 made it easier when testing a few projects.

Clive Richmond
20-Apr-2021, 09:25 PM
I agree with Wil that this is a very important library. Given that data security and the principle of security by design should now be embedded in software design rather than be an optional "nice to have" or an afterthought, I too would be sad if this library and the functionality it provides didn't become either a baked in part of DF or an easily integrated library. DAW have done fantastic hard work building DF into a great product. As DF is largely about accessing data, and given data is now a commodity eagerly sought by malicious players, developers need maximum opportunity to protect it.

+1

Raphael Theiler
30-Apr-2021, 04:25 AM
https://media.giphy.com/media/5x89XRx3sBZFC/source.gif

linda_
11-May-2021, 12:24 AM
is there an update?

Vincent Oorsprong
11-May-2021, 01:45 AM
Linda,

A library update is on the way. I can't tell you a release date though.

Raphael Theiler
11-May-2021, 07:02 AM
Good news :)

If you happen to find a fix for this one function call to the Win32 API ( -> WinAPI_BCryptDeriveKeyPBKDF2 ) let me know. At a first glance this seems to be the only functionality that we use that does not work.
I assume it's a problem with the Iterations parameter (which used to be a BigInt, split into two UIntegers).

Raphael Theiler
11-Jun-2021, 09:39 AM
The monthly follow up ;) Any news?

André de Vries
11-Jun-2021, 10:01 AM
Hi all,

Yes, there will be an update of the security library that will be suitable for DataFlex 2021 too.
It is near completion and then will need some final internal testing.

- André

Samuel Pizarro
11-Jun-2021, 12:36 PM
nice ...