Thread Encryption routines
Sat, Mar 6 2021 11:09 AM

Anthony

Are there any encryption routines included in EWB? They were mentioned as coming after Beta build 13, but I can't find any references since. I want to encrypt a string in Delphi and make it available via EWB.

Many thanks

Anthony
Sun, Mar 7 2021 5:07 PM

erickengelke

Anthony wrote:
>
>Are there any encryption routines included in EWB, they were mentioned as coming after Beta build 13 but can't find any references since. I want to encrypt a string in Delphi and make it available via EWB.
>

You need to be careful: EWB converts to JavaScript, and the user has full access to the JavaScript interpreter/debugger.

You need to share an encryption key with the server so as to be able to decrypt it.  If you statically compile the key into your program, then someone who discovers the key (through the debugger) can decrypt every message you ever send in the future.  So that's not good.

Better yet is to use something like LockBox, or a public key mechanism where knowing the client/public key does not give any clues as to what the encrypted message is.  With PK you cannot determine the message from the cryptotext; only someone with the private key can do that, and it is never shared with the client.

So AES Rijndael and similar routines won't cut it for your needs.  You are best off with something like Elliptic Curve Cryptography, as the older RSA methods have fallen on hard times.  There are ECC routines for Pascal; with some effort you can convert them. Some Pascal examples are in Delphi Encryption Compendium (google it).

Or you can include the JavaScript version of Salt libraries or NaCl and work from there... which is much simpler to do in about a day of effort. I know because I've done it long ago in the past.

Erick
EWB Programming Books and Component Library
http://www.erickengelke.com
Mon, Mar 8 2021 8:21 AM

Matthew Jones

I agree with that. Will add that public-private key encryption is very slow, so you generate a key for symmetric encryption and encrypt that with the public/private part.

But mainly I want to say that you should do it all on the server. The EWB side can use decoded text as the user can see it all anyway with little effort. I have in my code used simple obfuscation of data strings in transit, just to stop it being completely simple, but anyone who cares can get to it with any browser.

--

Matthew Jones
Tue, Mar 9 2021 7:11 AM

erickengelke

"Matthew Jones" wrote:

>I agree with that. Will add that public-private key encryption is very slow, so you generate a key for symmetric encryption and encrypt that with the public/private part.

Exactly.  The Lockbox in libsodium does exactly that, as do most systems which do some Public Key stuff, because symmetrical key algorithms like AES are generally much faster.  Libsodium is available for Delphi as well as JavaScript, so that's the fastest way to do all this.  I was using this for a few years.

Another typical concept is to have the server present a nonce to the client at connect time, which is a random number used to help in the encryption for the current session.  The nonce changes for each session, so cracking the password/nonce once does not give answers to future decryption.  It makes everything harder, especially for 'replay' attacks.

It's common to believe the client and server communicate with SSL, so everything is encrypted and safe.  But the browser and OS can see everything (except secure cookies), and can be tricked into giving up their secrets to other JavaScript or programs that can read the cache.

Good luck
Erick
EWB Programming Books and Component Library
http://www.erickengelke.com
Tue, Mar 9 2021 8:38 AM

Matthew Jones

erickengelke wrote:

> But the browser and OS, can see everything (except secure cookies),

Though the user can see it still. Indeed, it is the HTML/JavaScript that can't see the secure cookie; the browser is the thing that won't let it be seen by code. But the user can see it.

--

Matthew Jones
Tue, May 4 2021 5:29 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Anthony,

<< Are there any encryption routines included in EWB, they were mentioned as coming after Beta build 13 but can't find any references since. I want to encrypt a string in Delphi and make it available via EWB. >>

Sure, you can use the following TStream methods for encryption/decryption using AES within EWB 3 server applications:

https://www.elevatesoft.com/manual?action=viewmethod&id=ewb3&comp=TStream&method=Encrypt
https://www.elevatesoft.com/manual?action=viewmethod&id=ewb3&comp=TStream&method=Decrypt

Just be sure to not leak any passwords/keys used for the encryption/decryption by hard-coding them in the client applications.  Always keep any passwords/keys on the server side in files, etc.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, May 6 2021 3:38 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Anthony,

Here is what those routines would look like for server applications in EWB 3:

function EncryptString(const Value: String): String;
var
  TempSourceStream: TMemoryStream;
  TempDestStream: TMemoryStream;
begin
  TempSourceStream:=TMemoryStream.Create;
  try
     TempDestStream:=TMemoryStream.Create;
     try
        TempSourceStream.WriteBinaryChars(Value);
        TempSourceStream.Position:=0;
        TempSourceStream.Encrypt(PASSWORD,TempDestStream,etAES256);
        TempDestStream.Position:=0;
        Result:=TempDestStream.ReadBinaryChars(TempDestStream.Size);
     finally
        TempDestStream.Free;
     end;
  finally
     TempSourceStream.Free;
  end;
end;

function DecryptString(const Value: String): String;
var
  TempSourceStream: TMemoryStream;
  TempDestStream: TMemoryStream;
begin
  TempSourceStream:=TMemoryStream.Create;
  try
     TempDestStream:=TMemoryStream.Create;
     try
        TempSourceStream.WriteBinaryChars(Value);
        TempSourceStream.Position:=0;
        TempSourceStream.Decrypt(PASSWORD,TempDestStream,etAES256);
        TempDestStream.Position:=0;
        Result:=TempDestStream.ReadBinaryChars(TempDestStream.Size);
     finally
        TempDestStream.Free;
     end;
  finally
     TempSourceStream.Free;
  end;
end;

procedure TReqHandler1.ReqHandler1HandleRequest(Sender: TObject;
                                               Request: TWebServerRequest);
begin
  Request.SendContent(DecryptString(EncryptString('Hello World')));
end;

However, please note that the ReadBinaryChars/WriteBinaryChars methods were just added and won't be available until 3.01 B2 is released (should be by Friday).  The reason for their inclusion was that the UTF-8 equivalents were doing some unwanted encoding/decoding of the binary strings after encryption.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, May 6 2021 3:56 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Anthony,

Actually, the final form of the routines will look like this:

// PASSWORD is a server-side secret (e.g. loaded from a file on the server);
// it must never be compiled into the client application.

// Encrypts a UTF-8 string with AES-256 and returns the ciphertext as a
// hex string (ReadBinaryChars), so non-printable bytes are never exposed.
function EncryptString(const Value: String): String;
var
  TempSourceStream: TMemoryStream;
  TempDestStream: TMemoryStream;
begin
  TempSourceStream:=TMemoryStream.Create;
  try
     TempDestStream:=TMemoryStream.Create;
     try
        TempSourceStream.WriteUTF8Chars(Value);
        TempSourceStream.Position:=0;
        TempSourceStream.Encrypt(PASSWORD,TempDestStream,etAES256);
        TempDestStream.Position:=0;
        Result:=TempDestStream.ReadBinaryChars(TempDestStream.Size);
     finally
        TempDestStream.Free;
     end;
  finally
     TempSourceStream.Free;
  end;
end;

// Reverses EncryptString: takes the hex ciphertext string, decrypts it with
// the same server-side PASSWORD and returns the original UTF-8 text.
function DecryptString(const Value: String): String;
var
  TempSourceStream: TMemoryStream;
  TempDestStream: TMemoryStream;
begin
  TempSourceStream:=TMemoryStream.Create;
  try
     TempDestStream:=TMemoryStream.Create;
     try
        TempSourceStream.WriteBinaryChars(Value);
        TempSourceStream.Position:=0;
        TempSourceStream.Decrypt(PASSWORD,TempDestStream,etAES256);
        TempDestStream.Position:=0;
        Result:=TempDestStream.ReadUTF8Chars(TempDestStream.Size);
     finally
        TempDestStream.Free;
     end;
  finally
     TempSourceStream.Free;
  end;
end;

I changed the Read/WriteBinaryChars methods so that they deal with the data in hex string format in order to avoid issues with non-printable chars.  This will be in the manual.

I might also just add some EncryptStr/DecryptStr functions to short-cut a lot of this code.

Tim Young
Elevate Software
www.elevatesoft.com
Thu, May 6 2021 4:49 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Anthony,

Okay, I went ahead and added EncryptStr/DecryptStr functions for 3.02:

https://www.elevatesoft.com/manual?action=viewtopic&id=ewb3&topic=EncryptStr
https://www.elevatesoft.com/manual?action=viewtopic&id=ewb3&topic=DecryptStr

(I needed to increment the minor version number due to the inclusion of some new features such as these functions).

Tim Young
Elevate Software
www.elevatesoft.com
Sat, May 22 2021 8:48 AM

Anthony

Tim Young [Elevate Software] wrote:

>>Okay, I went ahead and added EncryptStr/DecryptStr functions for 3.02:

Hi Tim,

Excellent, thanks for the update and code. Has 3.02 been released yet? I don't see it in the downloads.