Platform: Using Delphi Rad Studio 2007 on Windows XP SP3 and Vista. Elevated DB (registered user)
Reference: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Requirement: FIPS 140.2 compliant encryption
========
My application obtains/creates sensitive data in plain text that it MUST save to file/DB using a *** FIPS 140.2 compliant encryption ***.

The URL above lists FIPS VALIDATED modules. I have looked at "affordable" third-party encryption toolkits (e.g., SecureBridge).  None is FIPS validated - allegedly due to high cost of obtaining such validation. (Also, [freeware] DCPCrypt and Lockbox are NOT FIPS validated since they have written their own implementations)

Windows CryptoAPI is FIPS approved and is available on all XP and XP+ Windows. Thus, using CryptoAPI is a logical choice.

***** Tim:
From my reading, BlowFish is NOT a FIPS approved encryption algorithm; AES and Triple DES and a few lesser known ones are. According to some write up on NIST/FIPS websites, if an application does not use FIPS validated encryption, the data is considered as secure as plain text.  Since many of Elevate customers do business with governments (USA and elsewhere), approved encryption is going to be more and more important. Needless to say, governments (USA and others) are the largest purchasers of IT products - so, it is good business to meet their requirements.

Comments ? Plans for Elevated DB ?

***** ALL:
[Before you tell me to roll my own...] I have downloaded JEDI WCrypt2 and have worked out SHA-1 hash (FIPS approved) and MD5 hash (not FIPS approved). However, I am not having any luck with Block-Cipher Encryption algorithms: AES (128 or 256 bit) or Triple DES. JEDI does not provide any implementation examples that I could find. There are good "how to" articles on web in C++ but I don't know enough C++ to make sense of them (see below).

Anyone willing to share or write Delphi code that implements AES-128, AES-256 and Triple DES using Windows CryptoAPI for a reasonable compensation ?

I hope one of you Delphi Gurus takes the challenge! You can write to me privately at: Mavi [dot] SupraVISTA [at] gmail.com.

Any help is greatly appreciated. Thanks in advance.

JayM

P.S. My version of JEDI WCrypt2 does not have headers/defines for AES. These are easy to find.
===

Well written how-to articles:  
====================
C++ ---> http://www.codeproject.com/KB/security/WinAES.aspx  
    
C++ --> http://etutorials.org/Programming/secure+programming/Chapter+5.+Symmetric+Encryption/5.27+Extracting+Raw+Key+Data+from+a+CryptoAPI+Key+Object/

A Delphi implementation -->  following may be provide a starting point for who want to try writing code.
See "» CryptoAPI2 Wrapper and demo" link to download Zip file on:
http://www.davinciunltd.com/code/delphi-cryptography/

Google for more....

Jay,

<< From my reading, BlowFish is NOT a FIPS approved encryption algorithm; >>

No, it isn't.  However, it is an algorithm that doesn't involve us paying
royalties or stepping on anyone's copyright, and it will work exactly the
same on any platform.

<< Comments ? Plans for Elevated DB ? >>

None at this time, no.  The problem with using the Windows facilities is the
issue of cross-platform compatibility.  What we'll most likely need to do is
add the ability to use a plug-in for the encryption.

--
Tim Young
Elevate Software
www.elevatesoft.com