
Password Encryption

I need to encrypt a string and be able to store the
results in a database field.  Is anyone aware of
any encryption routines that I could use?

 

Re:Password Encryption


Quote
> Charles Trivisonno <charl...@eipnetwork.com> wrote in article

<31BC19E3.6...@eipnetwork.com>...

Quote
> I need to encrypt a string and be able to store the
> results in a database field.  Is anyone aware of
> any encryption routines that I could use?

www.cryptocard.com

download cryptov1.zip (delphi components)

Re:Password Encryption


In article <01bb5700.a1251880$a4008...@194.134.5.5.euro.net> "Ed Lagerburg" <lager...@euronet.nl> writes:

Quote
>> Charles Trivisonno <charl...@eipnetwork.com> wrote in article
><31BC19E3.6...@eipnetwork.com>...
>> I need to encrypt a string and be able to store the
>> results in a database field.  Is anyone aware of
>> any encryption routines that I could use?
>www.cryptocard.com
>download cryptov1.zip (delphi components)

Good recommendations.  I haven't tried these products personally but I can say
that *anything* you get from a commercial cryptography vendor is likely to be
much stronger and much safer than anything you could roll yourself.  Also it's
a component so you don't spend any time futzing with implementation; it's been
done for you.

A Paradox-format database that is password-protected is, in my experience,
pretty darn well secure against casual attack, although commercial products
can be had (accessdata.com) that will crack them.  You simply have to
determine what amount of security you need.

/mr/

Re:Password Encryption


Thus spake sund...@primenet.com (Sundial Services):

Quote
>In article <01bb5700.a1251880$a4008...@194.134.5.5.euro.net> "Ed Lagerburg" <lager...@euronet.nl> writes:
>>> Charles Trivisonno <charl...@eipnetwork.com> wrote in article
>><31BC19E3.6...@eipnetwork.com>...
>>> I need to encrypt a string....
>...I can say
>that *anything* you get from a commercial cryptography vendor is likely to be
>much stronger and much safer than anything you could roll yourself.  

I'd have to disagree with this. Most of the commercial cryptography that I've
seen is OK for keeping casual eyes out, but I would not trust for anything
beyond that. IMHO one of the best short articles on this is in the PGP
documentation, under the heading "Beware of Snake Oil."

Quote
>A Paradox-format database that is password-protected is, in my experience,
>pretty darn well secure against casual attack, although commercial products
>can be had (accessdata.com) that will crack them.  You simply have to
>determine what amount of security you need.

Absolutely. Any encryption scheme that is even half-way reliable is either
controlled by the U.S. Gov't or they're fighting to get control of it. There
are various reliable sources out there on the 'Net on this topic.

The commercial products also go to some work to hide how easy it is to
crack nearly every form of "commercial" cryptography.

Caveat Emptor has just become the greatest understatement of all time....

Re:Password Encryption


In article <1996Jun17.154009.44...@spillman.uucp>, jam...@spillman.com says...

Quote
>>>> I need to encrypt a string....
>>...I can say
>>that *anything* you get from a commercial cryptography vendor is likely to be
>>much stronger and much safer than anything you could roll yourself.  

>I'd have to disagree with this. Most of the commercial cryptography that I've
>seen is OK for keeping casual eyes out, but I would not trust for anything
>beyond that. IMHO one of the best short articles on this is in the PGP
>documentation, under the heading "Beware of Snake Oil."

Sorry, I have to step in here, since the 'commercial cryptography' which was
mentioned was the code that I wrote, but note the components are
implementations of trusted encryption algorithms (which I didn't write),
including the one at the heart of PGP, IDEA.  Others include DES (although the
security of DES is now questionable), RC4, RC5 from RSA (www.rsa.com), and IDEA
http://www.ascom.ch/Web/systec/security/idea.htm.

All the components come with complete source (and are FREE), and their
algorithms are freely available (some are even in the hlp file) so there is no
trust issue.

Quote
>Absolutely. Any encryption scheme that is even half-way reliable is either
>controlled by the U.S. Gov't or they're fighting to get control of it. There
>are various reliable sources out there on the 'Net on this topic.

Unless you are doing outright file encryption, not just password protecting,
you can get away with a lot.  Look up the new crypto api which MS is bundling
with their OS, it has RC4, RC2, MD5... check out MS www page for more info.  It
does impose limited key lengths for export, but still it's not an outright
{*word*241}hold by any means.

Quote
>The commercial products also go to some work to hide how easy it is to
>crack nearly every form of "commercial" cryptography.

Well I can't say that I haven't come across questionable products, but if you
are unsure ask what algorithm they are using, if it's not one of the trusted
ones, stay away (this is not to say that a new algorithm is not secure, but it
is likely that it hasn't been analysed as intensely).  Most encryption algorithms
(all those mentioned above) have been analysed to death, and if they were not
considered secure, you would bet they wouldn't be around.  There is a key
breaking 'machine' for DES, but its last cost was put at $1M, out of reach for
most (Yes the plans are available).  The other algorithms use much longer key
lengths, which greatly increase their security, see:

ftp://ftp.research.att.com/dist/mab/keylength.txt

The point that most algorithms are easy to break is not valid, what is, is that
most people do not take the care in choosing/storing keys.  Which compromises
the security, most vendors will hit you over the head with this, and in no way
try to hide it from you.

Bye.

PS, the components we have made available are free, we are not even in the
software cryptography business, these are just some tools I needed to talk to
various pieces of hardware.
--
Greg Carter, Electrical Engineer
CRYPTOCard Corporation
http://www.cryptocard.com/pascal.html

Re:Password Encryption


Quote
gr...@cryptocard.com (Greg Carter) wrote:
>In article <1996Jun17.154009.44...@spillman.uucp>, jam...@spillman.com says...
>>>>> I need to encrypt a string....
>All the components come with complete source(and are FREE), and their
>algorithms are freely available(some are even in the hlp file) so there is no
>trust issue.  

>>Absolutely. Any encryption scheme that is even half-way reliable is either
>>controlled by the U.S. Gov't or they're fighting to get control of it. There
>>are various reliable sources out there on the 'Net on this topic.
>PS, the components we have made available are free, we are not even in the
>software cryptography business, these are just some tools I needed to talk to
>various pieces of hardware.

There is industrial-strength cryptography that is not subject to US
export controls.  For more info on our "made in New Zealand"
RPK system, have a look at http://crypto.swdev.co.nz/.

The RPK technology has patent protection pending but is available
worldwide at reasonable cost.  You can find full technical details,
free (beta) software, source code, etc. at our Web site.  There's
even a "trial-run" Delphi 2.0 component there...

RPK is fast, highly secure, well-suited to both software and hardware
implementations, and available for global deployment.  We hope and
expect that before long it will form part of an important global
cryptographic standard.

Regards,
Bill Raike

Re:Password Encryption


Thus spake gr...@cryptocard.com (Greg Carter):

Quote
>In article <1996Jun17.154009.44...@spillman.uucp>, jam...@spillman.com says...
>>>>> I need to encrypt a string....
>>>...I can say
>>>that *anything* you get from a commercial cryptography vendor is likely to be
>>>much stronger and much safer than anything you could roll yourself.  

>>I'd have to disagree with this. Most of the commercial cryptography that I've
>>seen is OK for keeping casual eyes out, but I would not trust for anything
>>beyond that. IMHO one of the best short articles on this is in the PGP
>>documentation, under the heading "Beware of Snake Oil."
>Sorry, I have to step in here, since the 'commercial cryptography' which was
>mentioned was the code that I wrote,

This was not meant as an attack on your particular product or company. What I've
found is that people are unaware of the limitations of what is implicitly touted
as good cryptography.  Apparently your products are not in the same category.

My oversight here is not understanding what was meant by "cryptography vendor."
My ire comes from "crypto" software that is hand-rolled (or incorrectly
implemented) and touted as "secure" either explicitly or implicitly. The number
of good companies is increasing, but there is still enough {*word*99} floating around
that I am very cautious.

I've seen far too many home-brewed ideas touted as "protected by cryptography."
I've seen too many big-name companies (including micro$oft) give users the warm
and fuzzy feeling that their encrypted document is secure.  True, they don't
make any claims that it's good encryption, but they don't go out of their way to
make that fact clear to the end user, either.

I've had to deal with a couple of cases where a third party took a copy of the
files and caused problems. Fortunately one individual was deported and his
accomplices were jailed. In every case the end user was under the impression
that their files were secure.  

Quote
>Well I can't say that I haven't come across questionable products, but if you
>are unsure ask what algorithm they are using, if it's not one of the trusted
>ones, stay away

I even get antsy at this if the company is new, since I've run across flawed
implementations.

Quote
>The point that most algorithms are easy to break is not valid

We're talking about two classifications of "most algorithms."
