encrypting dbf files

HunterEC
Posts: 723
Joined: Tue Sep 04, 2007 8:45 am

Re: encrypting dbf files

Post by HunterEC »

Enrico:

You pointed out in the right direction. It HAS TO BE at the RDD level so our dbf designs stay unchanged. In the meantime we shall email Przemek asking him to take a look at the memo field issue (non encrypting when the record GETS encrypted). I've been using the SIX driver since the old DOS days and has served me well. With FW's last version 13.09 I'm getting errors when trying to compile the SAMPSIX.PRG program. This were non-existent in 10.06.
User avatar
Roger Seiler
Posts: 223
Joined: Thu Dec 01, 2005 3:34 pm
Location: Nyack, New York, USA
Contact:

Re: encrypting dbf files

Post by Roger Seiler »

The advantages of the Blowfish encryption system (available in Harbour) are:

1. U.S. government regulations covering privacy and encryption rules (like HIPAA - the Health Insurance Portability and Accountability Act) have found Blowfish to be acceptable, along with a few other widely used and proven systems like DES (though it is being deprecated), RSA, RC5, IDEA and PGP. Other proprietary systems are UNACCEPTABLE under HIPAA unless certified by an independent encryption review agency. This is a key requirement for anyone providing any kind of software subject to the U.S. HIPAA law. The ability to comply with HIPAA rules are of huge importance for a broad range of software applications in the U.S.

2. Blowfish can be used for encrypting selected fields within a database instead of encrypting the entire database. By this method, memo fields and numeric fields can also be encrypted (with special functions used to specially format/unformat the data for encryption). Note that by using specific field encryption, each field gets its own unique hard coded password offering greater security than a single password for the entire database. By leaving fields unencrypted that are useful for statistical analysis of operations, the user can easily be provided with a system for creating adhoc reports on the fly in order to get timely insights into organizational performance. Also with this approach, it is easy to create a data browse offering multiple indexing capability to enable great flexibility in ways of viewing the data.

3. Blowfish is RDD independent. Whether using basic dbf, or some SQL implementation, or ADS, Blowfish can be used. Change the RDD, and no change is needed in the encryption-related coding.

Blowfish is a little quirky in that field data has to be presented to it in string lengths that are in some multiple of 8 bytes, so a dbf's field lengths may have to be changed a bit to work right, and special handling via special functions is needed to handle memo fields and numeric fields. The numeric data has to be converted to char before encryption and then after decryption, converted from char back to numeric. Memo data has to be divided into contiguous blocks of some multiple of 8 bytes, like 1024. In this way encrypted block1+block2+block3... get saved to the memo field. Decryption of the memo is just the reverse - the blocks are extracted, individually decrypted and then all of the memo's text put back together as one text string.

The one problem I've had with Blowfish so far, as I noted a few days ago, is that its implementation in Harbour requires a greatly excessive size for the encryption key - 4168 bytes, which causes extremely slow encryption/decryption performance. I've emailed Przemek (who provided the Blowfish C code to implement Blowfish in Harbour) to see if he could fix this, but so far have received no reply.
User avatar
reinaldocrespo
Posts: 918
Joined: Thu Nov 17, 2005 5:49 pm
Location: Fort Lauderdale, FL

Re: encrypting dbf files

Post by reinaldocrespo »

Roger;

In the same order as your list:

1. Ads encryption is 100% FIPS compliant and certified. Read on the help file.


2. Ads encryption does encrypt memo fields and numeric fields as well. It uses a single password for the complete DD and/or different passwords for each table.


3. ADS is RDD dependent. Change RDD and the encrypted table can't be opened. However, ADS does have clients for just about any web or desktop environment. They have also introduced a WebServices server with version 11 that works great for mobile devices and/or from any platform.

With ADS encryption there is no need to manipulate field sizes, change numerics to chars, or any other quirk.

I do realize that once you commit to ADS RDDs and implement many of their RDD enhancements, there is little chance you can go back but I suppose you could test and decide if it is for you. I find ADS to be the most secure way to keep working with ISAM while adding SQL.

Hope that helps,


Reinaldo.
User avatar
Roger Seiler
Posts: 223
Joined: Thu Dec 01, 2005 3:34 pm
Location: Nyack, New York, USA
Contact:

Re: encrypting dbf files

Post by Roger Seiler »

Thanks for the info, Reinaldo. Glad to learn that ADS is FIPS approved. I'll mention that to my customer and see if they will accept it, even though it's not on the approved list they gave me.

I know that ADS is a great system, if I can get my customer to pay for it.

All the best,

- Roger
jds
Posts: 106
Joined: Sat Dec 05, 2009 12:44 pm

Re: encrypting dbf files

Post by jds »

I can encrypt a dbf file with the SX_DBFENCRYPT function at the end of a xHarbour (Clipper) program so the dbf file can not been read or modified by an external program
but I don not realise the DECRIPTION at the beginning of a new session with the same xHarbour (Clipper) program
jds
Posts: 106
Joined: Sat Dec 05, 2009 12:44 pm

Re: encrypting dbf files

Post by jds »

I am trying to encrypt dbf files while quiting the program and it works with SX_dbfencrypt BUT when I quit/interrupt the program by clicking on the x in the right upper corner of the (start) window it does NOT work. Can anyone explain me how to remediate?
User avatar
James Bott
Posts: 4654
Joined: Fri Nov 18, 2005 4:52 pm
Location: San Diego, California, USA
Contact:

Re: encrypting dbf files

Post by James Bott »

Jds
I am trying to encrypt dbf files while quitting the program and it works with SX_dbfencrypt BUT when I quit/interrupt the program by clicking on the x in the right upper corner of the (start) window it does NOT work.
Try calling the encryption function from the generic exit function.

Code: Select all

Exit Function App_exit()
   // encrypt here
return nil
This function will be called no matter how the program is exited.

James
Patrizio
Posts: 90
Joined: Wed Nov 07, 2007 8:56 am
Location: Italy
Contact:

Re: encrypting dbf files

Post by Patrizio »

In our programs, we are taking a different solution for the encryption of database: we use the windows encryption from a administrator user that we only know the password because we access the DBF-encrypted from FiveWin and .NET and we can't use FW or xHarbour function to encrypt/decrypt.

When a user needs to use our program launch execute a launcher that execute the program as the administrator user (like "run as administrator..." in windows) in order to have rights to the database.

This is the code for run an application as other user, I'm study how create a windows user and crypt files directly from an application.

Code: Select all

#pragma BEGINDUMP
   #define WINVER 0x0500
   #define _WIN32_WINNT 0x0500
   #define _WIN32_IE 0x0501

   #include <hbapi.h>
   #include <Windows.h>
   #include <CommCtrl.h>
   #include <userenv.h>

   HB_FUNC( RUNAS )
   {
      STARTUPINFOW         sInfo;
      PROCESS_INFORMATION  pInfo;
      LPWSTR   szUser        = AnsiToWide(hb_parc(1));   /// User
      LPWSTR   szDomain      = AnsiToWide(hb_parc(2));   /// Domain (or blank)
      LPWSTR   szPassword    = AnsiToWide(hb_parc(3));   /// Password
      LPWSTR   szCommandLine = AnsiToWide(hb_parc(4));   /// Commandline
      LPWSTR   szCurDir      = AnsiToWide(hb_parc(5));   /// Directory 

      // Initialize the STARTUPINFO structure.
      memset(&sInfo, 0, sizeof(sInfo));
      sInfo.cb = sizeof( sInfo );

      /// WINADVAPI BOOL WINAPI CreateProcessWithLogonW(LPCWSTR,LPCWSTR,LPCWSTR,DWORD,LPCWSTR,LPWSTR,DWORD,LPVOID,LPCWSTR,LPSTARTUPINFOW,LPPROCESS_INFORMATION);
      if (!CreateProcessWithLogonW(szUser, szDomain, szPassword, LOGON_WITH_PROFILE, NULL, szCommandLine, 0, NULL, szCurDir, &sInfo, &pInfo))
      {
         hb_retnl( GetLastError() );
         return;
      }

      CloseHandle(pInfo.hProcess);
      CloseHandle(pInfo.hThread);
      hb_retnl( 0 );
   }

#pragma ENDDUMP
 
Post Reply