Has anyone ever attempted to change the default blowfish encryption to AES, i have seen the documentation and it states "You can only replace the default encryption implementation with another 8-byte block cipher implementation.' But if you have the source code, can that be easily changed to a 16 byte? Or is this a massive task and should be avoided lol.


https://www.elevatesoft.com/manual?action=viewtopic&id=dbisam4&product=rsdelphiwin32&version=10T&topic=Encryption

Graham,

<< Has anyone ever attempted to change the default blowfish encryption to AES, i have seen the documentation and it states "You can only replace the default encryption implementation with another 8-byte block cipher implementation.' But if you have the source code, can that be easily changed to a 16 byte? Or is this a massive task and should be avoided lol. >>

The constant that you need to change in order to change the crypto block size is this:

CRYPTO_BLOCK_SIZE

in the dbisamcn.pas unit.

However, in order to do this with existing table data, you'll have to recreate all of the tables and re-populate the data.  This is because the header/record sizes are padded out to the crypto block size.

I can see about adding an engine-level setting for the crypto block size, and that will at least eliminate the need for changing the crypto constant.

Tim Young
Elevate Software
www.elevatesoft.com

ok thanks Tim. If i change the constant to use 16 bytes, can i then use the dbisam events (TDBISAMEngine OnCryptoInit, OnEncryptBlock, OnDecryptBlock, and OnCryptoReset events. )  to change the encryption used or do i need to override all the source functions?

i have requirements to get a higher level of security from our local government, so i need AES basically. So if i can change to 16bytes then override the events im hoping that will work. I know this will probably kill our performance. Only other alternative i could think is building a REST server on top of the database but they could take 12months to do.

Any ideas on how this would work with reportBuilder as well? would that require a recompile as well?

They look like they may accept blowfish now, but they are after evidence on the use of it. I can create diagrams and send screenshots of the software for passwords and turning on etc... but there are other documents that may help if you have come across this before.


Suitable Evidence
·         Configuration files or screen shots (of the configuration page)
·         Message header which has the algorithm definition
·         Product data sheet/white papers (together with Product purchase/ownership documentation such as receipts, front page of a contract of product/support/service)
·         Federal Information Processing Standard Validation documents (US government computer security standard, e.g. FIPS 140-2)
·         Product Common Criteria Evaluation documents
·         Product Evaluation Assurance Level (EAL) documents

Graham,

<< ok thanks Tim. If i change the constant to use 16 bytes, can i then use the dbisam events (TDBISAMEngine OnCryptoInit, OnEncryptBlock, OnDecryptBlock, and OnCryptoReset events. )  to change the encryption used or do i need to override all the source functions?  >>

No, once you change the constant, the only thing you need to do is make sure that you recreate all database tables using the new crypto implementation, and then you'll be all set.

Tim Young
Elevate Software
www.elevatesoft.com

Graham,

<< i have requirements to get a higher level of security from our local government, so i need AES basically. So if i can change to 16bytes then override the events im hoping that will work. I know this will probably kill our performance. >>

You shouldn't see any difference in performance at all, at least with AES-128.  In fact, with a 16-byte block, the performance will probably increase (less function call overhead).

DBISAM and EDB are headed in the direction of AES, anyway, so you're just getting ahead of the curve.

<< Any ideas on how this would work with reportBuilder as well? would that require a recompile as well?
>>

No, not for just ReportBuilder classes that reference DBISAM code.  That's all still just a matter of recompiling *your* application with the new crypto code.

Tim Young
Elevate Software
www.elevatesoft.com

Graham,

<< They look like they may accept blowfish now, but they are after evidence on the use of it. I can create diagrams and send screenshots of the software for passwords and turning on etc... but there are other documents that may help if you have come across this before. >>

The only thing that we provide in the documentation is this:

https://www.elevatesoft.com/manual?action=viewtopic&id=dbisam4&product=rsdelphiwin32&version=10T&topic=Encryption

Apart from that, there's the actual source code (the Blowfish implementation is in dbisamcr.pas).

Tim Young
Elevate Software
www.elevatesoft.com

ok thanks tim for your help much appreciated. Didnt think you would bother applying AES to dbisam at this point, everything being put into EDB.