password storage/encryption

Posted on 2004-09-21
Last Modified: 2010-05-18
I'm creating a fairly simple database program for a friend, but since it will be storing info about a lot of people, I need to make sure the system is locked up (data protection act). There isn't really any risk of the data being stolen since the program will be run on a personal computer and its existence isn't going to be publicised.

So, will I be okay to simply store his password in the registry? If I have to encrypt it: How? I've tried to find algorithms for encrypting short pieces of text but everything seems to be for encrypting entire files with a key of about 16 bytes.

More importantly, I want to store all the data in ini's, purely because there's no string length limit for names and addresses and whatnot like there is with a record system. So, I will probably have to encrypt those files too; again does anyone have a fairly simple and secure way to do this?

Thanx in advance
Synthetics


Delphi's all I know btw, so anything in C is useless to me :S
Question by:Synthetics
 
LVL 7

Expert Comment

by:LRHGuy
ID: 12115199
Check this out:

http://sourceforge.net/projects/tplockbox/

If FREE with source. You can encrypt/decrypt strings, files, streams, whatever. Various methods available.
0
 
LVL 7

Expert Comment

by:LRHGuy
ID: 12115204
That should be "Is Free" and comes with source. (Oops!)
0
 
LVL 12

Expert Comment

by:esoftbg
ID: 12115861
0
 
LVL 17

Expert Comment

by:Wim ten Brink
ID: 12116012
About passwords, NEVER store them! Just calculate a hash value over it and store this hash value. In general, it is nearly impossible to calculate a password back from its hashed value.
About storing data in INI files, please reconsider this option. You could use XML instead, which would provide you a more structured storage model which is still just text-based. XML files can also be encrypted and decrypted more easily since you can load/save them to/from streams. Instead of using encryption you might use the ZLib units to just compress the file. For someone unaware of this, a compressed file and an encrypted file don't differ much. Just binary data.

For encryption/decryption, you could use the EncryptFile/DecryptFile API in the Windows unit. Would require W2K or XP with NTFS, though. And still allows people to view the file if they have proper access rights.

0
 
LVL 5

Expert Comment

by:Voodooman
ID: 12116152
Hi

You should really look at using a database - for simple apps it is not that hard (gets harder though!).

It will be much easier than all this.

I have used easytable from www.AidAim.com - I think they have a free version for simple apps.

Voodooman
0
 
LVL 13

Expert Comment

by:BlackTigerX
ID: 12116947
use MD5 (see download, full Delphi source provided with example)
and save the hash (instead of the passwords) to the .ini files

http://www.fichtner.net/delphi/md5.delphi.phtml
0
 
LVL 14

Expert Comment

by:DragonSlayer
ID: 12120782
Well, if it's just a simple programme, you can also create a username/password at the database level (for accessing the database), and let the database engine handle the login.

e.g., drop a TDatabase and set the LoginPrompt to True...
0
 
LVL 26

Expert Comment

by:EddieShipman
ID: 12127252
I agree with DragonSlayer, let the DB handle it. You can even use MSAccess (gasp!) for a simple app like this. I'm not sure if you can password protect a Paradox database, though.
0
 
LVL 5

Expert Comment

by:Voodooman
ID: 12128169

Hi

Access is the most powerful desktop database - no question.

Deploying it is more difficult - that's why I suggested EasyTable - no dll's or runtimes.

I am a commercial programmer and I am using Delphi because of the easy distribution and also the very good 3rd party database support.

I am certainly not using it for the speed of development - Visual Basic leaves Delphi for dead in speed of development.

Delphi however has far superior tools and capabilities but is not for beginners.

With Visual Basic the only database choices are Access, SQL Server and MSDE.  All very good but complex to deploy across different versions of Windows.

Good Luck

Voodooman

0
 
LVL 26

Expert Comment

by:EddieShipman
ID: 12132935
[quote]
I am certainly not using it for the speed of development - Visual Basic leaves Delphi for dead in speed of development.
[/quote]

Here is where you are horribly wrong, my friend.

Delphi can do ANYTHING that VB can in less than 1/4 the time.
0
 
LVL 5

Expert Comment

by:Voodooman
ID: 12141734

So Delphi can do anything that VB can do in less than a quarter of the time - not really...

I have never seen a Delphi App with 140 forms and 120,000 lines of code - I would perceive it to be very difficult to maintain - whereas in VB it is completely manageable.

I agree that Delphi is far superior in standard tools and available tools.

Also the finished look of a Delphi program is far superior to anything that VB can do - much more professional.

However in VB (because it is a scripted language) you can build code in the debugger with no need to re-compile after small changes.  In big Apps this works very well.

As an example:

In VB you can write 100's of lines of code without even running a line of it - then just click run and see what happens - I call this the hand grenade technique......

Also - you need to be a programmer to program in Delphi - the skill needed in Delphi is far higher.

VB does not require the same skill level - hence the large quantity of poor VB programs out there.

For the average programmer VB is faster and easier - of course Eddie I did not mean you personally - I was just referring to the average programmer out there - sat at his desk all day just to earn a crust - not Delphi Specialists.

Voodooman
0
 
LVL 17

Expert Comment

by:Wim ten Brink
ID: 12141788
Oh, no... Not the Delphi vs. Visual Basic discussion again...

First of all, speed. The Delphi compiler is still the fastest compiler ever. Faster than VB even. This is not a bold statement, it has been proven quite a few times already. But VB does seem to start up a bit faster.
About speed of development, this just depends on the experience of the developer himself. An experienced Delphi developer and an experienced VB programmer will perform about the same speed. Some things can be done faster in Delphi while others can be done faster in VB. That's all. They're both RAD development tools.
About complexity... Well, Delphi isn't an easy language because it's a strongly typed language but it's still a very good language for beginners. Like with Basic, the core instruction set of Delphi is very limited. Once you've learned the proper syntax, both VB and Delphi are just as easy to learn. However, the complexity might come from a previous programming background. In many cases, people who start to learn programming might have worked with some scripting language before. Most of these scripting languages look more like VB than Delphi. Often the = is used for assignments while Delphi uses := and the == is used for comparisons while Delphi uses = to compare values. Delphi also uses a few more symbols than VB. Not just the ( ) but also [ ] and { } and sometimes (* *) can be seen in code. Symbols make source code less like a natural language and thus harder to read.
But both VB and Delphi have their purposes. VB is very good for front-end applications, to display data to the user. C and C++ are better for back-end applications that don't display much but that have to process lots of data fast. Delphi is somewhere in-between these two, both usable as front-end as back-end.

Now, back to the question again. Storing data just in an INI file will work but INI files do have many limitations. One big limitation is the final size of the INI file. By default, Windows doesn't handle INI files well if they grow over 64 KB in size. Yes, that's a flaw in Windows but then again, INI files are not meant to store huge amounts of data. They are meant to store simple configuration data, like screen positions, database locations, filepaths and perhaps a bit more. But not data.
XML is just a better solution. However, if you want a better data-aware solution then use ADO without any back-end database! Yes, that's right! You can create an ADO recordset in memory, add fields to it, fill it with data and then save the recordset to file in either binary form or as XML file. Later, you can read that same file again in an ADO recordset, modify it and save the modifications again. No database required. All you need is ADO...
At http://www.workshop-alex.org/Sources/SM.zip you can find a sample of such an in-memory ADO recordset. It's a complex project though. It was used as a tool by me to create a collection of bugs that needed to be reported, and then sending these bugs to somewhere else, in a nicely formatted HTML email. The application would just show up as a trayicon application and if closed, it would just save all the bugs inside an XML-based file. Basically, it's a single-table application and I didn't want to use any database just to store a single table. This ADO solution works just as well with Delphi 7. A nice simple combination of Indy, Trayicons, ADO and XML. :-)

In this project I chose to save the recordset as a plain XML file but hey, if you change:
  ADODataSet.Recordset.Save(Datafile, adPersistXML);
into
  ADODataSet.Recordset.Save(Datafile, adPersistADTG);
Then you get a binary file. A lot harder to read for many people, just not yet fully encrypted. But it's technically possible to save to a stream instead but then you'd have to import the ADODB type library in your application since ADOInt from Borland has a few flaws.
Oh, btw... If you use ADO this way, you do get a limitation for string lengths again. However, you could define string fields as just very long strings. It won't cost more memory, though, since ADO just takes enough memory to store the string, not more. In my source, I used a string of 16 KB this way.
0
 

Accepted Solution

by:
Rijndael earned 200 total points
ID: 12149351
Here is a simple hash function that returns the hash of a string of HashSize (or HashSize*2) chars.

const HashSize=24;

{ Converts the HashSize raw bytes in Digest to an uppercase hex string
  (two characters per byte), so the result is printable and safe to
  keep in a TStringList or an INI file. }
function StrToHex(const Digest:String):String;
var i:Integer;
    SS: String[HashSize*2];
begin
  SS:='';
  for i:=1 to HashSize do
    SS:=SS+IntToHex(Ord(Digest[i]),2);
  Result:=SS;
end;


{ Returns a HashSize-byte digest of S, hex encoded (HashSize*2 chars).
  What the loops compute: Hash[i] ends up as
  ($48 + i + Sum(Ord(S[j])) + Length(S)*i) mod 256, so every output byte
  depends only on the sum of the character codes and the string length;
  strings made of the same characters in another order give the same digest. }
function HashStr(S:String):String;
var i,j:Integer;
    Hash:array[1..HashSize] of Byte;
begin
  {Initializing Hash array}
  for i:=1 to HashSize do
    Hash[i]:=($0048 + i) mod 256;

  Result:='';
  {Building Hash Table}
  for i:=1 to HashSize do
    begin
      for j:=1 to Length(S) do
        { parentheses are needed: "mod" binds tighter than "+", so without
          them only i was reduced mod 256 and the sum relied on Byte
          wrap-around, which is a range-check error under $R+ }
        Hash[i]:=(Hash[i]+Ord(S[j])+i{+j}) mod 256;
      { the inner loop has no begin/end, so one byte is appended per i }
      Result:=Result+Chr(Hash[i]);
    end;

  {Optional, if you save result in a StringList object kind
   the result may contain "\0" symbol}
  Result:=StrToHex(Result);
end;


Usage:

procedure TForm1.Button1Click(Sender: TObject);
begin
  Label1.Caption:=HashStr(Edit1.Text);
end;

0
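A worked comparison of the two approaches discussed in this thread (Wim ten Brink's advice to store a hash rather than the password, BlackTigerX's MD5 suggestion, and the HashStr function in the accepted answer), written here in Python as an added example; it is not code posted in the thread. The first function is a straight port of HashStr so its behaviour can be checked. The rest shows how the same password record would be built and verified today: a random per-user salt, an iterated hash (PBKDF2-HMAC-SHA256 from the standard library, standing in for a plain MD5 of the password), a constant-time comparison, and the record kept in an INI section as the original poster wanted. The section and key names ([Login], salt, iterations, hash) and the iteration count are assumptions made for the example.

```python
"""Added example (not from the thread): the thread's HashStr beside a salted,
iterated password hash stored in an INI section."""
import configparser
import hashlib
import hmac
import io
import os
from typing import Optional

HASH_SIZE = 24        # same constant as the accepted answer's HashStr
ITERATIONS = 100_000  # assumption for the example; tune to the target machine


def thread_hash(s: str) -> str:
    """Straight port of the accepted answer's HashStr (Delphi), hex output.

    Ported only so its behaviour can be examined: every output byte is
    (0x48 + i + sum(ord(c)) + len(s)*i) mod 256, so the digest depends on
    which characters occur and on the length, not on their order.
    """
    state = [(0x48 + i) % 256 for i in range(1, HASH_SIZE + 1)]
    out = []
    for i in range(1, HASH_SIZE + 1):
        for ch in s:
            state[i - 1] = (state[i - 1] + ord(ch) + i) % 256
        out.append(state[i - 1])
    return "".join(f"{b:02X}" for b in out)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the values to store: random salt, iteration count, PBKDF2 hash.

    The password itself is never stored (the point made in the thread);
    `salt` is a parameter only so the example can be made deterministic.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": str(ITERATIONS),
            "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    iterations = int(record["iterations"])
    expected = bytes.fromhex(record["hash"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


# Section/key names are assumptions for the example (the thread only says
# "save the hash to the .ini files"); they map onto one TIniFile section.
INI_SECTION = "Login"


def write_ini(record: dict) -> str:
    """Serialise the record as INI text (what would be written to disk)."""
    cfg = configparser.ConfigParser()
    cfg[INI_SECTION] = record
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def read_ini(text: str) -> dict:
    """Parse INI text back into a record dict."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return dict(cfg[INI_SECTION])


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print("HashStr('abc') == HashStr('cba'):",
          thread_hash("abc") == thread_hash("cba"))  # True: order is lost
    rec = make_record("correct horse battery")
    ini_text = write_ini(rec)
    print(ini_text)
    print("right password:", verify("correct horse battery", read_ini(ini_text)))
    print("wrong password:", verify("correct horse batter", read_ini(ini_text)))
```

The properties worth carrying back to Delphi are the ones the code checks rather than the library names: the stored value is recomputed, never decrypted; two users with the same password get different stored values because the salt differs; and the hash is compared with a constant-time function. The port of HashStr shows why a homemade digest is not a substitute for a real one: "abc" and "cba" produce the same output.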
 
LVL 5

Author Comment

by:Synthetics
ID: 12154282
ooh lots to think about, I'll try some of these out. I'm only a beginner with Delphi; I know what we were taught for A level computing, and I've fiddled with a few other things, but I know how to use the help file so I'll try what's been suggested out.

Thanx for the help :)
Synthetics
0
 
LVL 5

Author Comment

by:Synthetics
ID: 12426517
k, I can adapt those hashing functions for the password, but now I've gone with records for the info I'm storing. All the advice you've given has been top notch (aside from the little VB vs Delphi debate lol), but is it necessary to encrypt or hash those files? Obviously strings are still going to be visible within the record files but I and my "client" find it very unlikely that anyone's going to be examining the documents on his home PC for addresses of the people stored on it. To comply with the data protection act, what is required?

Thanx for all comments so far
Synthetics

(ps increased the points.. not really sure what's appropriate but almost doubled it for you)
0