Thread: Security Library Usage

  1. #1
    Join Date
    Feb 2009
    Location
    Perth, Western Australia
    Posts
    803

    Security Library Usage

    Hi DAW

    We're starting to look at using the security library to store passwords and other sensitive data. I have watched the video in the learning center and read the .pdf that comes with the library. Is there any more help available? And a layout of the class structure?

    I just want to make sure my thinking on this is correct, and I'm looking for suggestions.

    Passwords

    For the passwords we should be looking at the passcode storage, this is one way encryption. And after setup, like setting the algorithm, there's 2 basic methods - one to store the password and one to verify. This sounds pretty easy but as mentioned in the .pdf needs a big field to store the data.

    Sensitive Data

    We need to store some sensitive data, this data needs to be encrypted for storage and decrypted for use. Which type of data encryption would be recommended, generic/keyed hashes? Is this 2 way encryption? I'm thinking it is, but don't see any public methods in the library to do the decryption.

    The other alternative looks to be AES Encryption? Is this OK for storage, as the IV/nonce needs to be known?
    Cheers,

    Thomas Murphy
    Triumph Business Systems Pty Ltd
    www.triumph.com.au

  2. #2
    Join Date
    Feb 2009
    Location
    Brazil
    Posts
    2,383

    Re: Security Library Usage

    Hi Tom

    It may be worth watching this video from the Learning Center, if you haven't yet.

    https://learning.dataaccess.com/cour...ty-the-basics/

    Regards
    Samuel Pizarro

  3. #3
    Join Date
    Mar 2009
    Location
    São Paulo/Brazil
    Posts
    77

    Re: Security Library Usage

    Hi, Tom!

    I'm not sure if there's a document containing the layout of class structure, but basically the classes you'll need to use are the ones shown in the course at the Learning Center.

    Regarding password storage, you're correct. You'll use the cSecurePasscodeStorageMethod and configure it to use one of the supported password hashing algorithms (piPasscodeHashImplementation property).

    To store a password, you call the StorageString method. To verify a password, you call the Verify method. The storage string contains a hash and this is bigger than the original password. I think the default size is 128 bytes for the hashed password, but according to the Libsodium documentation, the output may be smaller than that.

    For the encryption, you should use one of the AES encryption algorithms supported by the library: AES CBC or AES GCM for authenticated encryption. Generic hashes can't be used for that because they generate hashes and those can't be reverted back to plain text.

    For encryption, the key used for the encryption needs to be securely stored. It should be secret.

    In the library, you can use the cSecureSymmetricKeyEncryptionMethod class and set the desired encryption algorithm in the piEncryptImplementation property.

    I created a sample workspace to demonstrate the DataFlex Security Library (www.DataAccess.com.br/SamplesDFSecurityLib.zip). The samples there are similar to the ones in the Learning Center.

    Best Regards
    João Maurício Rinardo
    Data Access Latin America

  4. #4
    Join Date
    Feb 2009
    Location
    Perth, Western Australia
    Posts
    803

    Re: Security Library Usage

    Hi João

    Thanks for getting back to me, that all makes sense. I'll check out the AES encryption algorithms.
    Cheers,

    Thomas Murphy
    Triumph Business Systems Pty Ltd
    www.triumph.com.au
