Re: [sqlite] Encryption

2016-11-15 Thread Richard Andersen
Monday, November 14, 2016, 4:23:49 PM, you wrote:

Thanks a million Ulrich for all the useful information, I think I got
what I need now to make things work the way I want! :)

Richard

> Richard,

>> Well what I've done is to create an encrypted database with
>> SQLite2009 and then use that in my C# project. I just add the password to
>> the connection string in my app and then it works right away.

> According to the information on the SQLite2009 website
> (http://sqlite2009pro.azurewebsites.net/) SQLite2009 supports 2 encryption 
> methods:

> ** Encryption Method is now compatible with wxSQLite3 (AES-128
> bits) and SQLite3 ADO.NET Provider (RSA-MS Crypt) **

> I don't know SQLite2009 from own experience, but I assume that it
> allows you to choose which enryption method to use, when creating a
> new database. To be compatible with the ADO.NET provider
> System.Data.SQLite (http://system.data.sqlite.org) you obviously
> have to choose the corresponding encryption method in SQLite2009.

>> As far as
>> I understand (I'm new to all this) you can also create a database from
>> within your app if it's based on system.data.sqlite.
>> I just can't edit the table columns or add new ones in SQLite2009 once
>> the database is saved or reopened, I can only edit the record data. I
>> just read that once created, you can't (or only very limited) edit the
>> columns of an SQLite database, you have to create a new database with
>> the desired structure and copy the data over.

> I have a bit the impression that you mixed up the terms 'database'
> and 'table'. A 'database' can contain several tables, and adding new
> tables or removing existing tables is simple (and should be
> supported by any SQLite administration tool). However, changing the
> structure of an existing table in SQLite is more complicated, since
> SQLite only supports a limited set of operations to modify a table
> definition. Therefore, if you want to add or remove columns from a
> table definition, you usually have to create a new table with a
> different name, copy the data from the previous table to the new
> one, remove the previous table, and rename the new table to the previous name.

>> I think that's what DB Browser for SQLite does since you actually can
>> reopen and edit the columns and their parameters etc. with it.

> Under the hood DB Browser for SQLite performs the above mentioned steps for 
> you.

>> It can also create encrypted databases but the encryption scheme it uses
>> is not supported by system.data.sqlite it seems.

> Correct. DB Browser for SQLite supports SQLCipher
> (https://www.zetetic.net/sqlcipher/), an AES-256 encryption scheme.

>> But all in all it works fine, I'm just a bit concerned with the RSA
>> encryption in system.data.lite as I've heard it's slow and easy to
>> crack, so I'd prefer something else.

> The RSA encryption offered by System.Data.SQLite should not be
> used, if security is a concern for you. You should prefer an AES encryption 
> scheme.

>> SQLITE Expert looks interesting but I wonder if it also uses the
>> built-in RSA encryption in system.data.sqlite?

> According to the description on the website
> (http://www.sqliteexpert.com/features.html) SQLiteExpert "Supports
> password protected databases (requires third party SQLite library -
> not included)." That is, you have to provide a SQLite3 DLL
> supporting the encryption scheme of your choice. For example,

> - SQLCipher (https://github.com/sqlcipher/sqlcipher), you have to build the 
> DLL yourself
> - wxSQLite3 (https://github.com/utelle/wxsqlite3/releases), Windows binaries 
> are provided

> Other SQLite3 management tools that support the wxSQLite3 encryption scheme 
> are

> - SQLite Maestro
> (https://www.sqlmaestro.com/en/products/sqlite/maestro/about/)
> - wxSQLitePlus (https://github.com/guanlisheng/wxsqliteplus)

>> > Richard Andersen wrote:
>> > In DB Browser for SQlite I can edit the table but I'm not sure if the
>> > SQLCipher encryption used here can be made to work with
>> > System.Data.SQlite, or how to do if it can. Does anyone know anything
>> > about this?

> In principle, it should be possible to replace the SQLite
> encryption implementation in System.Data.SQLite by the SQLCipher or
> wxSQLite3 implementation, although it might not be trivial. The
> latter should be easier to accomplish, since the wxSQLite3
> encryption implementation is self-contained, while SQLCipher
> requires the OpenSSL library as well.

> Regards,

> Ulrich
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-15 Thread Chris Locke
Ulrich- a fantastically detailed post.

On Mon, Nov 14, 2016 at 3:23 PM, Ulrich Telle  wrote:

> Richard,
>
> > Well what I've done is to create an encrypted database with
> > SQLite2009 and then use that in my C# project. I just add the password to
> > the connection string in my app and then it works right away.
>
> According to the information on the SQLite2009 website (
> http://sqlite2009pro.azurewebsites.net/) SQLite2009 supports 2 encryption
> methods:
>
> ** Encryption Method is now compatible with wxSQLite3 (AES-128 bits) and
> SQLite3 ADO.NET Provider (RSA-MS Crypt) **
>
> I don't know SQLite2009 from own experience, but I assume that it allows
> you to choose which enryption method to use, when creating a new database.
> To be compatible with the ADO.NET provider System.Data.SQLite (
> http://system.data.sqlite.org) you obviously have to choose the
> corresponding encryption method in SQLite2009.
>
> > As far as
> > I understand (I'm new to all this) you can also create a database from
> > within your app if it's based on system.data.sqlite.
> > I just can't edit the table columns or add new ones in SQLite2009 once
> > the database is saved or reopened, I can only edit the record data. I
> > just read that once created, you can't (or only very limited) edit the
> > columns of an SQLite database, you have to create a new database with
> > the desired structure and copy the data over.
>
> I have a bit the impression that you mixed up the terms 'database' and
> 'table'. A 'database' can contain several tables, and adding new tables or
> removing existing tables is simple (and should be supported by any SQLite
> administration tool). However, changing the structure of an existing table
> in SQLite is more complicated, since SQLite only supports a limited set of
> operations to modify a table definition. Therefore, if you want to add or
> remove columns from a table definition, you usually have to create a new
> table with a different name, copy the data from the previous table to the
> new one, remove the previous table, and rename the new table to the
> previous name.
>
> > I think that's what DB Browser for SQLite does since you actually can
> > reopen and edit the columns and their parameters etc. with it.
>
> Under the hood DB Browser for SQLite performs the above mentioned steps
> for you.
>
> > It can also create encrypted databases but the encryption scheme it uses
> > is not supported by system.data.sqlite it seems.
>
> Correct. DB Browser for SQLite supports SQLCipher (
> https://www.zetetic.net/sqlcipher/), an AES-256 encryption scheme.
>
> > But all in all it works fine, I'm just a bit concerned with the RSA
> > encryption in system.data.lite as I've heard it's slow and easy to
> > crack, so I'd prefer something else.
>
> The RSA encryption offered by System.Data.SQLite should not be used, if
> security is a concern for you. You should prefer an AES encryption scheme.
>
> > SQLITE Expert looks interesting but I wonder if it also uses the
> > built-in RSA encryption in system.data.sqlite?
>
> According to the description on the website (http://www.sqliteexpert.com/
> features.html) SQLiteExpert "Supports password protected databases
> (requires third party SQLite library - not included)." That is, you have to
> provide a SQLite3 DLL supporting the encryption scheme of your choice. For
> example,
>
> - SQLCipher (https://github.com/sqlcipher/sqlcipher), you have to build
> the DLL yourself
> - wxSQLite3 (https://github.com/utelle/wxsqlite3/releases), Windows
> binaries are provided
>
> Other SQLite3 management tools that support the wxSQLite3 encryption
> scheme are
>
> - SQLite Maestro (https://www.sqlmaestro.com/en/products/sqlite/maestro/
> about/)
> - wxSQLitePlus (https://github.com/guanlisheng/wxsqliteplus)
>
> > > Richard Andersen wrote:
> > > In DB Browser for SQlite I can edit the table but I'm not sure if the
> > > SQLCipher encryption used here can be made to work with
> > > System.Data.SQlite, or how to do if it can. Does anyone know anything
> > > about this?
>
> In principle, it should be possible to replace the SQLite encryption
> implementation in System.Data.SQLite by the SQLCipher or wxSQLite3
> implementation, although it might not be trivial. The latter should be
> easier to accomplish, since the wxSQLite3 encryption implementation is
> self-contained, while SQLCipher requires the OpenSSL library as well.
>
> Regards,
>
> Ulrich
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-14 Thread Ulrich Telle
> > On Nov 14, 2016, at 7:23 AM, Ulrich Telle wrote:
> > 
> > The RSA encryption offered by System.Data.SQLite should not be used,
> > if security is a concern for you. You should prefer an AES encryption 
> > scheme.
> 
> I’m surprised anything encrypts databases with RSA, as that algorithm
> is pretty unsuitable for file encryption.

Ouch ... sorry for not resolving the confusion ... I've been taken again by the 
*wrong* citation of RSA encryption.

In fact, System.Data.SQLite acquires an RSA provider, but doesn't use key 
exchange anywhere. Only the supported symmetric encryption algorithm is used. 
And that algorithm is *RC4*.

> It’s an asymmetric (public-key) cipher: you encrypt data with an RSA
> public key, which can then only be decrypted by the owner of the
> matching private key. (This is used by email encryption, for example.)
> Or you can sign data with the private key so that it can be verified
> by anyone who has the public key. Neither of these modes is useful for
> securing a file that you are going to use yourself. Moreover, RSA is
> extremely slow.

True. However, RC4 is fast, but also weak and should therefore be avoided.

> File encryption uses a symmetric-key cipher, of which AES is the most
> common up-to-date one. Both SQLite’s own encryption engine and the
> 3rd party SQLCipher use AES.

The wxSQLite3 encryption extension also uses AES, either AES-128 or AES-256.

Regards,

Ulrich
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-14 Thread Jens Alfke

> On Nov 14, 2016, at 7:23 AM, Ulrich Telle  wrote:
> 
> The RSA encryption offered by System.Data.SQLite should not be used, if 
> security is a concern for you. You should prefer an AES encryption scheme.

I’m surprised anything encrypts databases with RSA, as that algorithm is pretty 
unsuitable for file encryption. It’s an asymmetric (public-key) cipher: you 
encrypt data with an RSA public key, which can then only be decrypted by the 
owner of the matching private key. (This is used by email encryption, for 
example.) Or you can sign data with the private key so that it can be verified 
by anyone who has the public key. Neither of these modes is useful for securing 
a file that you are going to use yourself. Moreover, RSA is extremely slow.

File encryption uses a symmetric-key cipher, of which AES is the most common 
up-to-date one. Both SQLite’s own encryption engine and the 3rd party SQLCipher 
use AES.

—Jens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-14 Thread Ulrich Telle
Richard,

> Well what I've done is to create an encrypted database with
> SQLite2009 and then use that in my C# project. I just add the password to
> the connection string in my app and then it works right away.

According to the information on the SQLite2009 website 
(http://sqlite2009pro.azurewebsites.net/) SQLite2009 supports 2 encryption 
methods:

** Encryption Method is now compatible with wxSQLite3 (AES-128 bits) and 
SQLite3 ADO.NET Provider (RSA-MS Crypt) **

I don't know SQLite2009 from own experience, but I assume that it allows you to 
choose which enryption method to use, when creating a new database. To be 
compatible with the ADO.NET provider System.Data.SQLite 
(http://system.data.sqlite.org) you obviously have to choose the corresponding 
encryption method in SQLite2009.

> As far as
> I understand (I'm new to all this) you can also create a database from
> within your app if it's based on system.data.sqlite.
> I just can't edit the table columns or add new ones in SQLite2009 once
> the database is saved or reopened, I can only edit the record data. I
> just read that once created, you can't (or only very limited) edit the
> columns of an SQLite database, you have to create a new database with
> the desired structure and copy the data over.

I have a bit the impression that you mixed up the terms 'database' and 'table'. 
A 'database' can contain several tables, and adding new tables or removing 
existing tables is simple (and should be supported by any SQLite administration 
tool). However, changing the structure of an existing table in SQLite is more 
complicated, since SQLite only supports a limited set of operations to modify a 
table definition. Therefore, if you want to add or remove columns from a table 
definition, you usually have to create a new table with a different name, copy 
the data from the previous table to the new one, remove the previous table, and 
rename the new table to the previous name.

> I think that's what DB Browser for SQLite does since you actually can
> reopen and edit the columns and their parameters etc. with it.

Under the hood DB Browser for SQLite performs the above mentioned steps for you.

> It can also create encrypted databases but the encryption scheme it uses
> is not supported by system.data.sqlite it seems.

Correct. DB Browser for SQLite supports SQLCipher 
(https://www.zetetic.net/sqlcipher/), an AES-256 encryption scheme.

> But all in all it works fine, I'm just a bit concerned with the RSA
> encryption in system.data.lite as I've heard it's slow and easy to
> crack, so I'd prefer something else.

The RSA encryption offered by System.Data.SQLite should not be used, if 
security is a concern for you. You should prefer an AES encryption scheme.

> SQLITE Expert looks interesting but I wonder if it also uses the
> built-in RSA encryption in system.data.sqlite?

According to the description on the website 
(http://www.sqliteexpert.com/features.html) SQLiteExpert "Supports password 
protected databases (requires third party SQLite library - not included)." That 
is, you have to provide a SQLite3 DLL supporting the encryption scheme of your 
choice. For example,

- SQLCipher (https://github.com/sqlcipher/sqlcipher), you have to build the DLL 
yourself
- wxSQLite3 (https://github.com/utelle/wxsqlite3/releases), Windows binaries 
are provided

Other SQLite3 management tools that support the wxSQLite3 encryption scheme are

- SQLite Maestro (https://www.sqlmaestro.com/en/products/sqlite/maestro/about/)
- wxSQLitePlus (https://github.com/guanlisheng/wxsqliteplus)

> > Richard Andersen wrote:
> > In DB Browser for SQlite I can edit the table but I'm not sure if the
> > SQLCipher encryption used here can be made to work with
> > System.Data.SQlite, or how to do if it can. Does anyone know anything
> > about this?

In principle, it should be possible to replace the SQLite encryption 
implementation in System.Data.SQLite by the SQLCipher or wxSQLite3 
implementation, although it might not be trivial. The latter should be easier 
to accomplish, since the wxSQLite3 encryption implementation is self-contained, 
while SQLCipher requires the OpenSSL library as well.

Regards,

Ulrich
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-14 Thread Richard Andersen
Sunday, November 13, 2016, 2:16:40 PM, you wrote:

Thanks. Well what I've done is to create an encrypted database with
SQLite2009 and then use that in my C# project. I just add the password to
the connection string in my app and then it works right away. As far as
I understand (I'm new to all this) you can also create a database from
within your app if it's based on system.data.sqlite.

I just can't edit the table columns or add new ones in SQLite2009 once
the database is saved or reopened, I can only edit the record data. I
just read that once created, you can't (or only very limited) edit the
columns of an SQLite database, you have to create a new database with
the desired structure and copy the data over. I think that's what DB
Browser for SQLite does since you actually can reopen and edit the
columns and their parameters etc. with it. It can also create
encrypted databases but the encryption scheme it uses is not supported
by system.data.sqlite it seems.

But all in all it works fine, I'm just a bit concerned with the RSA
encryption in system.data.lite as I've heard it's slow and easy to
crack, so I'd prefer something else. I haven't notice any speed
problems so far though, I can insert 5500+ records each with 14
columns in a second or so.

SQLITE Expert looks interesting but I wonder if it also uses the
built-in RSA encryption in system.data.sqlite?

> I am not sure about sqlite2009, but you edit DBs that are encrypted using
> the encryption in system.data.sqlite.  I use SQLITE Expert. It allows you
> to replace the standard library which does not support encryption to one
> from the system.data.sqlite that does. It is the interop dll that you
> replace. Then after entering the password, the encryption and decryption
> becomes transparent to you.

> Richard Andersen wrote:
> In DB Browser for SQlite I can edit the table but I'm not sure if the
> SQLCipher encryption used here can be made to work with
> System.Data.SQlite, or how to do if it can. Does anyone know anything
> about this?
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-14 Thread Taosoft
Friday, November 11, 2016, 9:00:36 PM, you wrote:

Ok, thanks!

> Encryption in system.data.sqlite is legacy encryption, only used within
> itself, and not with other applications.

> On Fri, Nov 11, 2016 at 6:24 PM, Richard Andersen  wrote:

>>
>>
>> I'm using the ADO.NET version (System.Data.SQlite).
>>
>> I've created an RSA encrypted database using SQLite2009 and that is
>> working fine, but I can't find any tools for editing the table in
>> SQLite2009 once it's been created. Is it possible at all?
>>
>> In DB Browser for SQlite I can edit the table but I'm not sure if the
>> SQLCipher encryption used here can be made to work with
>> System.Data.SQlite, or how to do if it can. Does anyone know anything
>> about this?
>>
>> thanks,
>> Richard
>>
>> ___
>> sqlite-users mailing list
>> sqlite-users@mailinglists.sqlite.org
>> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>>
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2016-11-12 Thread Chris Locke
Encryption in system.data.sqlite is legacy encryption, only used within
itself, and not with other applications.

On Fri, Nov 11, 2016 at 6:24 PM, Richard Andersen  wrote:

>
>
> I'm using the ADO.NET version (System.Data.SQlite).
>
> I've created an RSA encrypted database using SQLite2009 and that is
> working fine, but I can't find any tools for editing the table in
> SQLite2009 once it's been created. Is it possible at all?
>
> In DB Browser for SQlite I can edit the table but I'm not sure if the
> SQLCipher encryption used here can be made to work with
> System.Data.SQlite, or how to do if it can. Does anyone know anything
> about this?
>
> thanks,
> Richard
>
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of SQLite database using jquery

2014-09-23 Thread Richard Hipp
On Mon, Sep 22, 2014 at 3:00 PM, Prava Kafle  wrote:

> Hi,
>
> I have been looking for a product that can encrypt Sqlite database using
> JavaScript  and came across Sqlite Encryption  extension.
> Can I use this with my application that uses jquery mobile and
> sqlitedatabase? Before purchasing the product, if I could get some
> information on it or a trial copy of it, I would really appreciate it.
>

I have been in private communication with your VP of Technology (Mr.
Spiller) and have worked this out with him last night.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Raheel Gupta
Yes, I did test SQLCipher and it slows down a bit.
Now, I would like to go with SEE if its available for the latest version.
SQLCipher is available for 3.8.0.2 while 3.8.1 is out.


On Thu, Dec 5, 2013 at 9:34 PM, Simon Slavin  wrote:

>
> On 5 Dec 2013, at 3:02pm, Raheel Gupta  wrote:
>
> > The only problem is that I dont have access to SEE by Dr. Richard. So how
> > should I test it ?
>
> Why should you test it ?  Have you tested the solutions you do have access
> to and found that they make your app too slow to use ?
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Simon Slavin

On 5 Dec 2013, at 3:02pm, Raheel Gupta  wrote:

> The only problem is that I dont have access to SEE by Dr. Richard. So how
> should I test it ?

Why should you test it ?  Have you tested the solutions you do have access to 
and found that they make your app too slow to use ?

Simon.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Raheel Gupta
Hi,

The only problem is that I dont have access to SEE by Dr. Richard. So how
should I test it ? Does he give test licenses ? Also I am assuming it will
always be supported by the latest version of SQLite right ?


On Thu, Dec 5, 2013 at 7:09 PM, Simon Slavin  wrote:

>
> On 5 Dec 2013, at 9:15am, Raheel Gupta  wrote:
>
> > Yes, I agree. But it should not make the inserts and read too slow as
> well.
>
> The key word here is 'too'.  If there's only 5% difference in speed
> between the two systems then it doesn't matter which one you use.
>
> So you have to write your application using one system, try it out on the
> kind of hardware you expect it to be used on, then figure out if one or
> both systems are 'too slow' for your specific use.
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Simon Slavin

On 5 Dec 2013, at 9:15am, Raheel Gupta  wrote:

> Yes, I agree. But it should not make the inserts and read too slow as well.

The key word here is 'too'.  If there's only 5% difference in speed between the 
two systems then it doesn't matter which one you use.

So you have to write your application using one system, try it out on the kind 
of hardware you expect it to be used on, then figure out if one or both systems 
are 'too slow' for your specific use.

Simon.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Raheel Gupta
Yes, I agree. But it should not make the inserts and read too slow as well.
I just want to support 256 Bit AES.


On Thu, Dec 5, 2013 at 1:50 PM, Klaas V  wrote:

> When you'use the word 'perfornance' you might be interested not jonly in
> speed, but in strength of protection, privacy of the employees, your
> company as a whole and above all your clients.
> One of the goals of encryption is to avoid e.g. the government(s and the
> spies they hired to peek into your own business and with this behavior
> those of - again - your clients, their clients, etcetera.
>
> There is more in the world than speed and size.
>
> On Wed, Dec 4, 2013 at 6:18 PM, Simon Slavin  wrote:
>
>
> On 4 Dec 2013, at 10:45am, Raheel Gupta  wrote:
>
>
> I wanted to know which is the best in performance ?
>
>
> Season's greetings and cheers.
> Klaas `Z4us` V
>
>
>
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-05 Thread Klaas V
When you'use the word 'perfornance' you might be interested not jonly in speed, 
but in strength of protection, privacy of the employees, your company as a 
whole and above all your clients.
One of the goals of encryption is to avoid e.g. the government(s and the spies 
they hired to peek into your own business and with this behavior those of - 
again - your clients, their clients, etcetera.

There is more in the world than speed and size.

On Wed, Dec 4, 2013 at 6:18 PM, Simon Slavin  wrote:

> 
> On 4 Dec 2013, at 10:45am, Raheel Gupta  wrote:
> 
>> I wanted to know which is the best in performance ?

> 

Season's greetings and cheers.
Klaas `Z4us` V


___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-04 Thread Raheel Gupta
>> The answer may depend on what storage system you were using

7200 RPM Sata Drives

>> whether you have small or big databases,

Big which may even reach TBs of data.

>> and whether you have just one user at a time or many users at once.
Multi user. I do use WAL mode.



On Wed, Dec 4, 2013 at 6:18 PM, Simon Slavin  wrote:

>
> On 4 Dec 2013, at 10:45am, Raheel Gupta  wrote:
>
> > I wanted to know which is the best in performance ?
>
> There would probably not be a simple definite answer that applied to all
> setups.  The answer may depend on what storage system you were using,
> whether you have small or big databases, and whether you have just one user
> at a time or many users at once.
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2013-12-04 Thread Simon Slavin

On 4 Dec 2013, at 10:45am, Raheel Gupta  wrote:

> I wanted to know which is the best in performance ?

There would probably not be a simple definite answer that applied to all 
setups.  The answer may depend on what storage system you were using, whether 
you have small or big databases, and whether you have just one user at a time 
or many users at once.

Simon.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-20 Thread Bishwa Shrestha

On 08/20/2012 11:08 AM, Bishwa Shrestha wrote:

Hi,

I am creating an sqlite3 interface to an existing data model. For that 
purpose sqlite3 tables are dynamically loaded. I'm using 
/sqlite3_column_count/ and /sqlite3_column_table_name/ to load data 
into relevant tables only.


Now, I am having problems with queries such as:

SELECT a.column1 FROM table1 AS a, table2 AS b;

however this works:
SELECT a.column1, b.column1 FROM table1 AS a, table2 AS b;

because /sqlite3_column_table_name /only returns columns in the result 
set.


Is there a way to get the table names that were referenced in the 
query itself?


Thanks in advance,
bishwa

Sorry,  wrong thread. I'll create a new one.

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-20 Thread Bishwa Shrestha

Hi,

I am creating an sqlite3 interface to an existing data model. For that 
purpose sqlite3 tables are dynamically loaded. I'm using 
/sqlite3_column_count/ and /sqlite3_column_table_name/ to load data into 
relevant tables only.


Now, I am having problems with queries such as:

SELECT a.column1 FROM table1 AS a, table2 AS b;

however this works:
SELECT a.column1, b.column1 FROM table1 AS a, table2 AS b;

because /sqlite3_column_table_name /only returns columns in the result set.

Is there a way to get the table names that were referenced in the query 
itself?


Thanks in advance,
bishwa
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread Richard Hipp
On Fri, Aug 17, 2012 at 1:20 PM, John Grasmeder
wrote:

> I agree, I am trying to find a way of getting the System.Data.SQLite.dll
> to use AES-128 in CCM mode which is the type used by Adobe AIR.
>

The only way to do that is to purchase an SEE license, giving you access to
the SEE source code, then recompile System.Data.SQLite.dll using the SEE
version of "sqlite3.c".


> Currently all I can find is that it uses "Encrypted databases are fully
> encrypted and support both binary and cleartext password types" from
> http://system.data.sqlite.org/index.html/doc/trunk/www/features.wiki.
>
> I have downloaded the fossil application, cloned the repository and
> opened a full source tree from sds.fossil but I am having no luck
> finding anything about the encryption used on SQLite databases. :(
>
>
>  John G.
>
> > -Original Message-
> > From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-
> > boun...@sqlite.org] On Behalf Of Richard Hipp
> > Sent: Friday, August 17, 2012 12:09 PM
> > To: General Discussion of SQLite Database
> > Subject: Re: [sqlite] Encryption using System.Data.SQLite.dll
> >
> > On Fri, Aug 17, 2012 at 11:58 AM, Carlos Milon Silva
> > wrote:
> >
> > > John,
> > >
> > > The internal Adobe Air SQLite is built to not accept extensions,
> > >
> >
> > Yes, but Adobe Air comes with the SQLite Encryption Extension (SEE)
> > built in.  There is nothing that needs to be extended with Adobe Air.
> >
> >
> >
> > > so, either the System.Data.SQLite.dll or the SQLite Encryption
> > > Extension from hwaci could only be used with a an external native
> > > extension application.
> > >
> >
> > --
> > D. Richard Hipp
> > d...@sqlite.org
> > ___
> > sqlite-users mailing list
> > sqlite-users@sqlite.org
> > http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread John Grasmeder
I agree, I am trying to find a way of getting the System.Data.SQLite.dll
to use AES-128 in CCM mode which is the type used by Adobe AIR.
Currently all I can find is that it uses "Encrypted databases are fully
encrypted and support both binary and cleartext password types" from
http://system.data.sqlite.org/index.html/doc/trunk/www/features.wiki.

I have downloaded the fossil application, cloned the repository and
opened a full source tree from sds.fossil but I am having no luck
finding anything about the encryption used on SQLite databases. :(


 John G.

> -Original Message-
> From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-
> boun...@sqlite.org] On Behalf Of Richard Hipp
> Sent: Friday, August 17, 2012 12:09 PM
> To: General Discussion of SQLite Database
> Subject: Re: [sqlite] Encryption using System.Data.SQLite.dll
> 
> On Fri, Aug 17, 2012 at 11:58 AM, Carlos Milon Silva
> wrote:
> 
> > John,
> >
> > The internal Adobe Air SQLite is built to not accept extensions,
> >
> 
> Yes, but Adobe Air comes with the SQLite Encryption Extension (SEE)
> built in.  There is nothing that needs to be extended with Adobe Air.
> 
> 
> 
> > so, either the System.Data.SQLite.dll or the SQLite Encryption
> > Extension from hwaci could only be used with a an external native
> > extension application.
> >
> 
> --
> D. Richard Hipp
> d...@sqlite.org
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread Richard Hipp
On Fri, Aug 17, 2012 at 11:58 AM, Carlos Milon Silva wrote:

> John,
>
> The internal Adobe Air SQLite is built to not accept extensions,
>

Yes, but Adobe Air comes with the SQLite Encryption Extension (SEE) built
in.  There is nothing that needs to be extended with Adobe Air.



> so, either the System.Data.SQLite.dll or the SQLite Encryption Extension
> from hwaci
> could only be used with a an external native extension application.
>

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread Carlos Milon Silva

John,

The internal Adobe Air SQLite is built to not accept extensions,
so, either the System.Data.SQLite.dll or the SQLite Encryption Extension 
from hwaci

could only be used with a an external native extension application.

Carlos.

Em 17/08/2012 09:48, John Grasmeder escreveu:

Carlos,

My statements must have misled you, Adobe Air already contains an
implementation of SQLite. I am currently using it with several 'tool'
applications along with my client application that my customer will use
which all process encrypted databases the same way. I am hoping not to
get into a discussion with the 'sqlite-users' list of the merits of who
is implementing database encryption correctly or incorrectly. It doesn't
look like I can change the methods used from the Adobe side of things so
I was hoping that the System.Data.SQLite.dll group allowed some way of
overriding the encryption used on the database file.

Joe Mistachkin has also replied with a reference to SQLite Encryption
Extension (http://www.hwaci.com/sw/sqlite/see.html) which I will look
into today and see if it can be added to my Dotnet code.



Thanks,

John G.

-Original Message-
From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-
boun...@sqlite.org] On Behalf Of Carlos Milon Silva
Sent: Thursday, August 16, 2012 06:01 PM
To: General Discussion of SQLite Database
Subject: Re: [sqlite] Encryption using System.Data.SQLite.dll

if you really need to use System.Data.SQLite.dll, from Adobe Air, then
you need to follow something like to:

http://blogs.adobe.com/globalization/invoking-icu-from-adobe-air-
applications-part-2-using-flash-builder-4-6/

and call System.Data.SQLite.dll as an external native extension

Carlos.





___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread Mike

On 8/17/12 9:48 AM, John Grasmeder wrote:

Joe Mistachkin has also replied with a reference to SQLite Encryption
Extension (http://www.hwaci.com/sw/sqlite/see.html) which I will look
into today and see if it can be added to my Dotnet code.



That $2000.00 license fee would be a killer for me!

Mike

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-17 Thread John Grasmeder
Carlos,

My statements must have misled you, Adobe Air already contains an
implementation of SQLite. I am currently using it with several 'tool'
applications along with my client application that my customer will use
which all process encrypted databases the same way. I am hoping not to
get into a discussion with the 'sqlite-users' list of the merits of who
is implementing database encryption correctly or incorrectly. It doesn't
look like I can change the methods used from the Adobe side of things so
I was hoping that the System.Data.SQLite.dll group allowed some way of
overriding the encryption used on the database file.

Joe Mistachkin has also replied with a reference to SQLite Encryption
Extension (http://www.hwaci.com/sw/sqlite/see.html) which I will look
into today and see if it can be added to my Dotnet code.



Thanks,

John G.
> -Original Message-
> From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-
> boun...@sqlite.org] On Behalf Of Carlos Milon Silva
> Sent: Thursday, August 16, 2012 06:01 PM
> To: General Discussion of SQLite Database
> Subject: Re: [sqlite] Encryption using System.Data.SQLite.dll
> 
> if you really need to use System.Data.SQLite.dll, from Adobe Air, then
> you need to follow something like to:
> 
> http://blogs.adobe.com/globalization/invoking-icu-from-adobe-air-
> applications-part-2-using-flash-builder-4-6/
> 
> and call System.Data.SQLite.dll as an external native extension
> 
> Carlos.
> 
> Em 16/08/2012 16:17, John Grasmeder escreveu:
> > Hello List,
> >
> >
> >
> > I am currently using System.Data.SQLite.dll version 1.0.79.0. I am
> > creating  a SQLite database file from data stored in MS-SQL which
> will
> > be pushed to client applications running an Adobe Air application on
> > Macs and Windows PCs.  Everything is progressing nicely but I am now
> > at the step where I need to 'Lock up' the SQLite database from
prying
> eyes.
> >
> >
> >
> >
> > How do I go about changing the encryption method/methods that are
> used
> > in the SQLite.SQLiteConnection class? Do I need to implement my own
> > version of SQLiteConnection and override some methods or is there
> some
> > other code I have not found as of date?
> >
> >
> >
> > Creating both Encrypted and non Encrypted databases on both sides
> > (client Adobe ActionScript/server don.net framework) and being able
> to
> > read them from the side that created them leads me to believe the
> > Encryption methods are not the same.
> >
> >
> >
> > If this knowledge is available on the sqlite.org web site could
> > someone please point me in the right direction.
> >
> >
> >
> > Thanks,
> >
> >
> >
> > John G.
> >
> > ___
> > sqlite-users mailing list
> > sqlite-users@sqlite.org
> > http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
> 
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-16 Thread Carlos Milon Silva

if you really need to use System.Data.SQLite.dll, from Adobe Air,
then you need to follow something like to:

http://blogs.adobe.com/globalization/invoking-icu-from-adobe-air-applications-part-2-using-flash-builder-4-6/

and call System.Data.SQLite.dll as an external native extension

Carlos.

Em 16/08/2012 16:17, John Grasmeder escreveu:

Hello List,

  


I am currently using System.Data.SQLite.dll version 1.0.79.0. I am
creating  a SQLite database file from data stored in MS-SQL which will
be pushed to client applications running an Adobe Air application on
Macs and Windows PCs.  Everything is progressing nicely but I am now at
the step where I need to 'Lock up' the SQLite database from prying eyes.


  


How do I go about changing the encryption method/methods that are used
in the SQLite.SQLiteConnection class? Do I need to implement my own
version of SQLiteConnection and override some methods or is there some
other code I have not found as of date?

  


Creating both Encrypted and non Encrypted databases on both sides
(client Adobe ActionScript/server don.net framework) and being able to
read them from the side that created them leads me to believe the
Encryption methods are not the same.

  


If this knowledge is available on the sqlite.org web site could someone
please point me in the right direction.

  


Thanks,

  


John G.

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption using System.Data.SQLite.dll

2012-08-16 Thread Joe Mistachkin

John Grasmeder wrote:
> 
> How do I go about changing the encryption method/methods that are used
> in the SQLite.SQLiteConnection class? Do I need to implement my own
> version of SQLiteConnection and override some methods or is there some
> other code I have not found as of date?
> 

The encryption functionality provided by System.Data.SQLite is written in
native code and contained in the interop assembly.

> 
> Creating both Encrypted and non Encrypted databases on both sides
> (client Adobe ActionScript/server don.net framework) and being able to
> read them from the side that created them leads me to believe the
> Encryption methods are not the same.
> 

Right, they are not the same.  The encryption in System.Data.SQLite uses
the Win32 CryptoAPI, which is not used by the standard, cross-platform
encryption module.

> 
> If this knowledge is available on the sqlite.org web site could someone
> please point me in the right direction.
> 

Information on the standard encryption module can be found here:

http://www.hwaci.com/sw/sqlite/see.html

--
Joe Mistachkin

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2010-07-25 Thread Mark Schonewille
Hi Simon,

Yes, I thought of that and was hoping I woudn't have to do it this  
way. Thanks.

--
Best regards,

Mark Schonewille

Economy-x-Talk Consulting and Software Engineering
Homepage: http://economy-x-talk.com
Twitter: http://twitter.com/xtalkprogrammer
KvK: 50277553

Download the Installer Maker plugin for Runtime Revolution at http://qurl.tk/ce

On 25 jul 2010, at 11:06, Simon Slavin wrote:
>
> The only solution left by those considerations would be to encrypt  
> each field separately.  It would be slow and it would expand the  
> filesize but there's no reason why it wouldn't work as long as  
> Revolution is strong enough to implement a good encryption routine.   
> You'll need to write your own front end to some of the SQLite  
> functions.
>
> Simon.


___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2010-07-25 Thread Simon Slavin

On 25 Jul 2010, at 10:00am, Mark Schonewille wrote:

> Thanks for your reply. Unfortunately, if I let Revolution encrypt the  
> entire database file, I have to save a decrypted file to disk before I  
> can access it with SQLite. I was hoping there were a trick to let  
> SQLite do the encryption without having to recompile the add-on  
> mentioned in me earlier post and without having to decrypt the entire  
> file before accessing it.

The only solution left by those considerations would be to encrypt each field 
separately.  It would be slow and it would expand the filesize but there's no 
reason why it wouldn't work as long as Revolution is strong enough to implement 
a good encryption routine.  You'll need to write your own front end to some of 
the SQLite functions.

Simon.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2010-07-25 Thread Mark Schonewille
Thanks for your reply. Unfortunately, if I let Revolution encrypt the  
entire database file, I have to save a decrypted file to disk before I  
can access it with SQLite. I was hoping there were a trick to let  
SQLite do the encryption without having to recompile the add-on  
mentioned in me earlier post and without having to decrypt the entire  
file before accessing it.

--
Best regards,

Mark Schonewille

Economy-x-Talk Consulting and Software Engineering
Homepage: http://economy-x-talk.com
Twitter: http://twitter.com/xtalkprogrammer
KvK: 50277553

Download the Installer Maker plugin for Runtime Revolution at http://qurl.tk/ce

On 25 jul 2010, at 03:10, Timothy A. Sawyer wrote:

> I would think that you can take any third party encryption routine  
> and use it to encrypt the entire database.
>
> I would be remiss if I didn't ask how you would store and retrieve  
> the encryption key, what algorithm you plan to use... All rhetorical  
> questions of course.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption

2010-07-24 Thread Timothy A. Sawyer
I would think that you can take any third party encryption routine and use it 
to encrypt the entire database.

I would be remiss if I didn't ask how you would store and retrieve the 
encryption key, what algorithm you plan to use... All rhetorical questions of 
course. 
--Original Message--
From: Mark Schonewille
Sender: sqlite-users-boun...@sqlite.org
To: General Discussion of SQLite Database
ReplyTo: General Discussion of SQLite Database
Subject: [sqlite] Encryption
Sent: Jul 24, 2010 05:55

Hello,

I creates a project with Runtime Revolution. I am using an add-on  
(called an external) that comes with RR. I don't have the source for  
the external and can't recompile it to include an encryption library.  
Does anyone know about a way to encrypt an SQLite database without  
having to re-compile the source?

--
Best regards,

Mark Schonewille

Economy-x-Talk Consulting and Software Engineering
Homepage: http://economy-x-talk.com
Twitter: http://twitter.com/xtalkprogrammer
KvK: 50277553

Download the Installer Maker plugin for Runtime Revolution at http://qurl.tk/ce

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


** Sent from my mobile device with the tiny keys **
Timothy A. Sawyer, CISSP
Managing Director
MBD Consulting, LLC
55 Madison Av., Suite 400 
Morristown, NJ 07960
Phone: (973) 285-3261 | Fax: (973) 538-0503
Web: http://www.mybowlingdiary.com
Email: tsaw...@mybowlingdiary.com
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of sqlite DB

2010-05-04 Thread Igor Tandetnik
Timothy A. Sawyer
 wrote: 
> The easiest way to encrypt a specific row is to put the data through
> some 
> sort of one way hash function before you write the data to the table.
> However since this is symmetric, anyone with the key can decrypt the
> data 
> easily.

A function is either one-way or it is symmetric - it can't possibly be both at 
the same time. You seem to be confusing hashing and encryption.

> Also, depending on the strength of the hash function, anyone
> with 
> the hashed data could decrypt the data using a brute force attack.

Brute force attack doesn't depend on the strength of the hash function.

> Use the 
> largest key strength possible without hindering performance.

Hash functions don't use keys.
-- 
Igor Tandetnik


___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of sqlite DB

2010-05-04 Thread Timothy A. Sawyer
This really depends on what you are trying to protect. Passwords are the
common data pieces that would be protected in this manner.

The easiest way to encrypt a specific row is to put the data through some
sort of one way hash function before you write the data to the table.
However since this is symmetric, anyone with the key can decrypt the data
easily. Also, depending on the strength of the hash function, anyone with
the hashed data could decrypt the data using a brute force attack. I believe
that Java and C both have basic hash functions. In terms of performance,
hashing is probably the most economical and widely accepted method. Use the
largest key strength possible without hindering performance. This will take
some trial and effort.

I would be remiss if I didn't mention that this is in no way a bullet proof
method of protecting data in a database. You have to first analyze the data
you are protecting, and determine the cost to you if someone were to
intercept the data. If the data is transmitted over the network in clear
text for example, anyone with a sniffer and a laptop can intercept and
change the data without you knowing about it. In that case, your hash
function has little or no effect. In the case of passwords, this is a most
dangerous method for password storage. You also have to consider the
security of the database itself. How is it accessed? Where is it stored? If
the data is widely accessible, then this is akin to closing the barn door
after the horse got out.


Timothy A. Sawyer, CISSP
Managing Director
MBD Solutions




-Original Message-
From: sqlite-users-boun...@sqlite.org
[mailto:sqlite-users-boun...@sqlite.org] On Behalf Of Kavita Raghunathan
Sent: Tuesday, May 04, 2010 12:19 PM
To: Discussion of SQLite Database
Subject: [sqlite] Encryption of sqlite DB

Hi,
What's the simplest way to encrypt only certain rows in an sqlite DB? If
there is no way to do this (for storing passwords etc), I would like to know
the best way to encrypt the whole sqlite DB. (Prefer only encrypting some
rows, but if this introduces complexity, I'm willing to encrypt the whole
database)
kavita
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of sqlite DB

2010-05-04 Thread Swithun Crowe
Hello

KR> What’s the simplest way to encrypt only certain rows in an sqlite DB? 
KR> If there is no way to do this (for storing passwords etc), I would 
KR> like to know the best way to encrypt the whole sqlite DB. (Prefer only 
KR> encrypting some rows, but if this introduces complexity, I’m willing 
KR> to encrypt the whole database)

There is an encryption extension which costs money, from the same people 
that brought you SQLite.

Or, assuming you mean you want to encrypt certain columns, you could do 
this from your application (C, PHP or whatever). If you have the clear 
text password as input, you can put it through an encryption function, and 
then use that as a parameter for a query, rather than the clear text. Or 
you could create a user defined function to call your encryption function, 
and then use this function in your SQL statements.

Swithun.___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of sqlite DB

2010-05-04 Thread P Kishor
On Tue, May 4, 2010 at 11:19 AM, Kavita Raghunathan
 wrote:
> Hi,
> What’s the simplest way to encrypt only certain rows in an sqlite DB? If 
> there is no way to do this (for storing passwords etc),

You certainly mean some or all columns in all the rows, don't you?
Well, no matter -- you can encrypt any column in any row using any one
way hashing algorithm. Good enough for routine password storage, etc.

> I would like to know the best way to encrypt the whole sqlite DB. (Prefer 
> only encrypting some rows, but if this introduces complexity, I’m willing to 
> encrypt the whole database)

The sqlite developer sells a proprietary encryption mechanism for a
very reasonable price. While the sqlite source code is in public
domain, the encryption-enabled source code is not in public domain.
So, if you buy it, you are supposed to NOT resell or redistribute it.
I have no experience with it, but from occasional hearsay, it is
supposed to be just as good as sqlite itself, so probably worth every
cent spent on it.

> kavita
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
Puneet Kishor http://www.punkish.org
Carbon Model http://carbonmodel.org
Charter Member, Open Source Geospatial Foundation http://www.osgeo.org
Science Commons Fellow, http://sciencecommons.org/about/whoweare/kishor
Nelson Institute, UW-Madison http://www.nelson.wisc.edu
---
Assertions are politics; backing up assertions with evidence is science
===
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption of sqlite DB

2010-05-04 Thread Stephan Wehner
On Tue, May 4, 2010 at 9:19 AM, Kavita Raghunathan
 wrote:
> Hi,
> What’s the simplest way to encrypt only certain rows in an sqlite DB? If 
> there is no way to do this (for storing passwords etc), I would like to know 
> the best way to encrypt the whole sqlite DB. (Prefer only encrypting some 
> rows, but if this introduces complexity, I’m willing to encrypt the whole 
> database)

Do you mean you want to encrypt only some columns ?

Stephan

> kavita
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
Stephan Wehner

-> http://stephan.sugarmotor.org (blog and homepage)
-> http://loggingit.com
-> http://www.thrackle.org
-> http://www.buckmaster.ca
-> http://www.trafficlife.com
-> http://stephansmap.org -- http://blog.stephansmap.org
-> http://twitter.com/stephanwehner / @stephanwehner
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] encryption

2010-04-12 Thread g...@greschenz.de
you can try
   http://greschenz.dyndns.org/downloads/sqlite_crypt.zip
bye, gg
 

Simon Slavin  hat am 12. April 2010 um 12:56 geschrieben:

>
> On 12 Apr 2010, at 5:59am, Steve Bywaters wrote:
>
> > I am currently using a proprietary ISAM database for an application.
> > These files are .TPS/Topspeed format files, for Clarion, which have built-in
> > encryption via a 'password'.
> >
> > Since sensitive setup and sales data is contained in these, I would want to
> > maintain that level of security.
> > Any way I can do that with a SQLite db?
> > Both for access (ODBC) and for content (should not be human-readable via
> > query).
>
> The main architect behind SQLite runs a company that maintains a non-free
> encryption add-on to SQLite.  You use all the SQLite commands just as you
> would with an unencrypted database, but you pass in a password when, or just
> after, you open the file.  Without the password you get nothing.  And reading
> the file from the disk just gets you gibberish.  For further details see
>
> 
>
> Simon.
> ___
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] encryption

2010-04-12 Thread Simon Slavin

On 12 Apr 2010, at 5:59am, Steve Bywaters wrote:

> I am currently using a proprietary ISAM database for an application.
> These files are .TPS/Topspeed format files, for Clarion, which have built-in 
> encryption via a 'password'.
> 
> Since sensitive setup and sales data is contained in these, I would want to 
> maintain that level of security.
> Any way I can do that with a SQLite db?
> Both for access (ODBC) and for content (should not be human-readable via 
> query).

The main architect behind SQLite runs a company that maintains a non-free 
encryption add-on to SQLite.  You use all the SQLite commands just as you would 
with an unencrypted database, but you pass in a password when, or just after, 
you open the file.  Without the password you get nothing.  And reading the file 
from the disk just gets you gibberish.  For further details see



Simon.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption and decryption functionality ?

2009-02-04 Thread D. Richard Hipp

On Feb 4, 2009, at 2:08 PM, Lothar Behrens wrote:

> Hi,
>
> I have got any information that sqlite supports encryption and
> decryption.
>
> Does it ?
>
> If these are extensions, where to get ?
>
>

http://www.hwaci.com/sw/sqlite/see.html

D. Richard Hipp
d...@hwaci.com



___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption?

2008-02-26 Thread Günter Greschenz
hi,

yes i know, my changed my webserver to lighttpd but i had no time to 
finish the complete the installation because i'm on a business trip 
right now :-(
but its still working if you know the right urls :-)
please try
http://greschenz.dyndns.org/index.php for 
the main page
http://greschenz.dyndns.org/index.php?title=SQLITE   for a usage sample
http://greschenz.dyndns.org/download.php?id=100  for the 
compression code
http://greschenz.dyndns.org/download.php?id=101  for the 
crypting code
yes, css is not running at the moment, it looks very ugly, i know ;-)

cu, gg

> Hi Günter,
> You mentioned on the sqlite newsgroups that you had some encryption
> modules for sqlite, but I can't get to your website to take a look at
> them. Would it be possible to make them available to me sometime; I'd
> really appreciate the help.
> Thanks,
> - Dom


___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Encryption?

2007-12-20 Thread Günter Greschenz

*) for crypting/compression you can have a look at
   http://www.greschenz.de
(look/search for "sqlite" of course :-)
i've written 2 (very small) sqlite-functions to support this...
if my server is down again, please inform me :-)

*) yes, i always use *.sdb (for SqliteDB, what else :-)

Jason Tudor wrote:

Is there any encryption functionality built into SQLite?  Also, can I use
extensions other than .db for SQLite database  filtes?

Thanks
Tudor

  


-
To unsubscribe, send email to [EMAIL PROTECTED]
-



RE: [sqlite] Encryption?

2007-12-19 Thread James Steward
On Wed, 2007-12-19 at 16:10 -0800, James Dennett wrote:
> > -Original Message-
> > From: Jason Tudor [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, December 19, 2007 4:06 PM
> > To: sqlite-users@sqlite.org
> > Subject: [sqlite] Encryption?
> > 
> > Is there any encryption functionality built into SQLite? 
> 
> Not in the public domain version.

>From the ministry of silly thoughts, maybe dm_crypt for Linux only ;-)
http://www.saout.de/misc/dm-crypt/

Can be used to encrypt/decrypt whole file systems on the fly!

JS.


-
To unsubscribe, send email to [EMAIL PROTECTED]
-



RE: [sqlite] Encryption?

2007-12-19 Thread James Dennett
> -Original Message-
> From: Jason Tudor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 19, 2007 4:06 PM
> To: sqlite-users@sqlite.org
> Subject: [sqlite] Encryption?
> 
> Is there any encryption functionality built into SQLite? 

Not in the public domain version.

> Also, can I use extensions other than .db for SQLite database files?

Certainly; SQLite doesn't care about the filename conventions.

-- James


-
To unsubscribe, send email to [EMAIL PROTECTED]
-



Re: [sqlite] Encryption

2006-05-11 Thread Preston & Chrystie

typo... sorry for the confusion, i'll be more careful in the future..

On 5/11/06, Edwin Hernán Barrios Núñez <[EMAIL PROTECTED]> wrote:

Hi ,

When i can download that sqlite version you take about, with
encryption extension.
I saw in your message that you use version 3.4.5 but  on sqlte.org the
last one is 3.3.5.

What is  the diference ? , where i can download encryption ( that it's
a need funcionality for sqlite )

Thanks !!!

On 5/10/06, Preston & Chrystie <[EMAIL PROTECTED]> wrote:
> I'm having trouble compiling the 3.4.5 version with encryption
> extensions.. I have done it a hundred times before, but i just
> switched to a new computer and don't know what stupid mistake i am
> making...
>
> (NOTE: *.c is everything in the zip file with the addition of
> crypto3.c and exclusion of tclsqlite.c)
>
> gcc -DSQLITE_HAS_CODEC=1 *.c -o sqlite3.4.5.exe
>
> the exe is built, but i can't open an encrypted database and .rekey
> command gives me the following:
>
> 'unknown command or invalid arguments:  "rekey". Enter ".help" for help'
>
>
> So what am i doing wrong?
>
> thanks,
> Preston
>



Re: [sqlite] Encryption

2006-05-11 Thread drh
"=?ISO-8859-1?Q?Edwin_Hern=E1n_Barrios_N=FA=F1ez?=" <[EMAIL PROTECTED]> wrote:
> Hi ,
> 
> When i can download that sqlite version you take about, with
> encryption extension.
> I saw in your message that you use version 3.4.5 but  on sqlte.org the
> last one is 3.3.5.
> 
> What is  the diference ? , where i can download encryption ( that it's
> a need funcionality for sqlite )
> 


The "3.4.5" was a typo.  There is no such version.  The latest
version of SQLite is 3.3.5.

The SQLite Encryption Extension is proprietary.  There is a license
fee to access the source code.  You cannot download it without first
paying the license fee.  See 

   http://www.hwaci.com/sw/sqlite/prosupport.html#crypto

for additional information.
--
D. Richard Hipp   <[EMAIL PROTECTED]>



Re: [sqlite] Encryption

2006-05-11 Thread Edwin Hernán Barrios Núñez

Hi ,

When i can download that sqlite version you take about, with
encryption extension.
I saw in your message that you use version 3.4.5 but  on sqlte.org the
last one is 3.3.5.

What is  the diference ? , where i can download encryption ( that it's
a need funcionality for sqlite )

Thanks !!!

On 5/10/06, Preston & Chrystie <[EMAIL PROTECTED]> wrote:

I'm having trouble compiling the 3.4.5 version with encryption
extensions.. I have done it a hundred times before, but i just
switched to a new computer and don't know what stupid mistake i am
making...

(NOTE: *.c is everything in the zip file with the addition of
crypto3.c and exclusion of tclsqlite.c)

gcc -DSQLITE_HAS_CODEC=1 *.c -o sqlite3.4.5.exe

the exe is built, but i can't open an encrypted database and .rekey
command gives me the following:

'unknown command or invalid arguments:  "rekey". Enter ".help" for help'


So what am i doing wrong?

thanks,
Preston



Re: [sqlite] Encryption

2006-05-11 Thread Ralph Wetzel

[EMAIL PROTECTED] schrieb:


Dennis Cote <[EMAIL PROTECTED]> wrote:
 


[EMAIL PROTECTED] wrote:
   


I'm having trouble compiling the 3.4.5 version with encryption
extensions.. 
   


Question answered by private email.

 
 


Version 3.4.5...

I wonder if this is a typo or the mythical "Cinnamon". Editing in the 
wiki and questions being answered by private email makes it all seem 
very hush hush. ;-)


   



A typo, I'm sure.  The questioner is an Encryption Extension
customer and is not connected with the "Cinnamon" project.

"Cinnamon" is the code name for the effort to add full text
search to SQLite.  I did not come up with the name - the main
project sponsor did.  If that sponsor wishes to identify themselves,
they are welcomed to do so, but as is the usual policy in this kinds
of things, I will not.
--
D. Richard Hipp   <[EMAIL PROTECTED]>


 


Have you been aware of this:

   www.cinnamon.de

;-)

Greetings, Ralph


Re: [sqlite] Encryption

2006-05-10 Thread drh
Dennis Cote <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> >
> >> I'm having trouble compiling the 3.4.5 version with encryption
> >> extensions.. 
> > Question answered by private email.
> >
> >   
> Version 3.4.5...
> 
> I wonder if this is a typo or the mythical "Cinnamon". Editing in the 
> wiki and questions being answered by private email makes it all seem 
> very hush hush. ;-)
> 

A typo, I'm sure.  The questioner is an Encryption Extension
customer and is not connected with the "Cinnamon" project.

"Cinnamon" is the code name for the effort to add full text
search to SQLite.  I did not come up with the name - the main
project sponsor did.  If that sponsor wishes to identify themselves,
they are welcomed to do so, but as is the usual policy in this kinds
of things, I will not.
--
D. Richard Hipp   <[EMAIL PROTECTED]>



Re: [sqlite] Encryption

2006-05-10 Thread Dennis Cote

[EMAIL PROTECTED] wrote:



I'm having trouble compiling the 3.4.5 version with encryption
extensions.. 

Question answered by private email.

  

Version 3.4.5...

I wonder if this is a typo or the mythical "Cinnamon". Editing in the 
wiki and questions being answered by private email makes it all seem 
very hush hush. ;-)


I guess we will just have to wait and see.

Dennis Cote



Re: [sqlite] Encryption

2006-05-10 Thread drh
"Preston & Chrystie" <[EMAIL PROTECTED]> wrote:
> I'm having trouble compiling the 3.4.5 version with encryption
> extensions.. I have done it a hundred times before, but i just
> switched to a new computer and don't know what stupid mistake i am
> making...
> 
> (NOTE: *.c is everything in the zip file with the addition of
> crypto3.c and exclusion of tclsqlite.c)
> 
> gcc -DSQLITE_HAS_CODEC=1 *.c -o sqlite3.4.5.exe
> 
> the exe is built, but i can't open an encrypted database and .rekey
> command gives me the following:
> 
> 'unknown command or invalid arguments:  "rekey". Enter ".help" for help'
> 
> 
> So what am i doing wrong?
> 

Question answered by private email.
--
D. Richard Hipp   <[EMAIL PROTECTED]>



RE: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-29 Thread Mrs. Brisby
On Fri, 2005-08-26 at 12:53 -0400, Griggs, Donald wrote:
> Regarding Mrs. Brisby's ending comment:
>"A better defense: use a different key each time. Encrypt the session key
> separately."
> 
> I may way off in asking this, but:
>   Since we're talking about the encyption of data at rest, and aren't in a
> client-server situation, how could sqlite make session keys work?   What
> would constitute a session?

The lifetime of the session is the time between encrypting the data and
decrypting it. It doesn't have to be on line.

PGP (for example) encrypts the message using symmetric ciphers (like RC4
or Blowfish) using a completely random key. It then encrypts the key
using the public-key algorithms desired (RSA, DSA) and writes the
encrypted key.

This works because the receiver decrypts the encrypted random key and
uses it to decode the rest of the message. It has some fantastic
benefits:

1. assymetric ciphers are slow, this is certainly much faster
2. if any information is leaked about the "real key", it's very little.
Often very few bits of the real key are needed.
3. Brute-force attacks on the message will yield the session key, but
brute-force attacks on the encrypted session key won't yield enough
information to reconstruct the key.


This is similar to how SSL works as well, although the exchange is done
"on line" - which is probably why you're confused about it.

This is almost certainly what people are talking about when they refer
to session keys.


With some ciphers (like RC4), the session key can be obtained through
other means. Because RC4's encryption/decryption routine permutes the
keyspace, encrypting _anything_ causes permutations to occur.

But because those permutations are wildly predictable (at first), many
people discard the beginning of the RC4 keystream.

I disagree with this. I suggest taking some random junk and encrypt it.
Throw away the result. This permutes the keystream faster, and it means
that no plaintext is encrypted twice accidentally.

The random junk isn't secret. You can store it at the head of your
ciphertext. This "random junk" is often called an initialization vector-
and is a common way to reuse keys with more safety.

This "IV" and "key" combination are often considered "the session key".



Re: [sqlite] Encryption and fixed header values (was Re: [sqlite]Why can i open a textfile?)

2005-08-29 Thread Mrs. Brisby
On Fri, 2005-08-26 at 16:21 +0200, F.W.A. van Leeuwen wrote:
> > 
> > The usual defense against this attack is to mix some random information
> > into the beginning of the plaintext.
> > 
> > A better defense: use a different key each time. Encrypt the session key
> > separately.
> > 
> 
> And /or start encrypting after the fixed header.

Agreed. Thanks for pointing this out.



RE: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-26 Thread Griggs, Donald
Regarding Mrs. Brisby's ending comment:
   "A better defense: use a different key each time. Encrypt the session key
separately."

I may way off in asking this, but:
  Since we're talking about the encyption of data at rest, and aren't in a
client-server situation, how could sqlite make session keys work?   What
would constitute a session?


Donald Griggs

Opinions are not necessarily those of Misys Healthcare Systems nor its board
of directors.





Re: [sqlite] Encryption and fixed header values (was Re: [sqlite]Why can i open a textfile?)

2005-08-26 Thread F.W.A. van Leeuwen
> 
> The usual defense against this attack is to mix some random information
> into the beginning of the plaintext.
> 
> A better defense: use a different key each time. Encrypt the session key
> separately.
> 

And /or start encrypting after the fixed header.

Best regards,
Frank.


Re: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-25 Thread Mrs. Brisby
On Wed, 2005-08-24 at 22:55 -0400, D. Richard Hipp wrote:
>   Weaknesses in RC4 have been found where
> the first few numbers coming out of the PRNG leak information about the
> key.  If an attacker can guess the first few bytes of plaintext, and
> hence guess the first few numbers from the PRNG, and can do this many
> many times (millions of times) then the attacker can eventually
> reconstruct
> the key.

I noticed this. You understate how much it helps. The first few cycles
of RC4 are so bad that key recovery is easy for modern general purpose
computers.

> The usual defense against this attack (and the one used by SQLite)
> is to discard the first 1000 bytes or so of information coming out
> of the PRNG.  No key information leaks into later bytes of the
> PRNG stream (at least as far as we know) so this secures the cypher
> from attack.

It doesn't need to leak information about the key. A combination
known-plaintext and known-ciphertext attack works very well against RC4.

http://groups.google.com/group/sci.crypt/browse_frm/thread/2716ac20a3fc9971/64eba041932a98ae?lnk=st&rnum=1&hl=en

Since the header is well known, convincing the program to encrypt the
database (by say, making a change to it) several times allows the user
to collect some known-plaintext and lots of ciphertext very quickly.

The usual defense against this attack is to mix some random information
into the beginning of the plaintext.

A better defense: use a different key each time. Encrypt the session key
separately.



Re: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-24 Thread D. Richard Hipp
On Wed, 2005-08-24 at 22:32 -0400, Mrs. Brisby wrote:
> > There are several attacks that can be used to derive the original key 
> > state, but they all require huge samples of data to analyze.
> 
> No they don't. That's the problem. They only need a large number of
> _uses_ of the key, not large amounts of data. Adding some random junk to
> the beginning of the plaintext would help some, but I don't think SQLite
> does this.
> 

RC4 is a pseudorandom number generator (PRNG) against which the
plaintext
is XORed to yield cyphertext.  Weaknesses in RC4 have been found where
the first few numbers coming out of the PRNG leak information about the
key.  If an attacker can guess the first few bytes of plaintext, and
hence guess the first few numbers from the PRNG, and can do this many
many times (millions of times) then the attacker can eventually
reconstruct
the key.

The usual defense against this attack (and the one used by SQLite)
is to discard the first 1000 bytes or so of information coming out
of the PRNG.  No key information leaks into later bytes of the
PRNG stream (at least as far as we know) so this secures the cypher
from attack.

-- 
D. Richard Hipp <[EMAIL PROTECTED]>



Re: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-24 Thread Mrs. Brisby
On Mon, 2005-08-22 at 16:39 -0500, Dennis Jenkins wrote:
> RC4 is basically an XOR against a huge one-time pad.

No it's not. The only thing like a one-time pad is a one-time pad.

What makes an OTP secure isn't the protocol, but where the bits come
from.

If they come from ANYWHERE but a truly random source then it is not
secure.

RC4/ARCFOUR isn't a random source of bits, so it isn't a one-time pad.


> That pad is creating using a "key scheduling algorithm".

No it's not. The key scheduling system moves S-boxes around. There are
exactly 256 S-boxes with RC4/ARCFOUR. If you really did perform an XOR
operation on those SBOXes you would have no security unless:
* your key was exactly 256 bytes
* your data stream was exactly 256 bytes

Nevertheless, it still wouldn't be much security because you probably
didn't chose a strong key to begin with.


> The key state for the random number generator is 256 bytes of data and two 
> 8-bit indicies.  

No it's not. The substitution array (S-boxes) is 256 bytes. It
essentially translates one byte into another byte, then performs a
permutation on the S-boxes. That permutation is fixed. The S-boxes are
moved around each step, thus increasing the run-length. Unfortunately,
its not enough- getting the initial key bytes of the stream makes it
much easier to reconstruct the rest of the swapping routine.

> There are several attacks that can be used to derive the original key 
> state, but they all require huge samples of data to analyze.

No they don't. That's the problem. They only need a large number of
_uses_ of the key, not large amounts of data. Adding some random junk to
the beginning of the plaintext would help some, but I don't think SQLite
does this.


> RC4 is not the strongest encryption available, but for most of us, it is good 
> enough.

... and it wouldn't matter anyway because the key exists in the software
that decrypts it. That's much easier to get to anyway.

> The best way to attack any system using sqlite w/ the crypto extension 
> is to hook the call to "sqlite3_key()" and just steal the rc4 key 
> directly.  Much easier than crunhcing numbers on a super computer.

At least on this, I agree.



Re: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-22 Thread D. Richard Hipp
On Mon, 2005-08-22 at 17:19 -0400, Mike Shaver wrote:
> On 8/22/05, Edwin Knoppert <[EMAIL PROTECTED]> wrote:
> > Hmm, but every known file format has an header.
> > Sqlite has a string, not really a header as it seems.
> > Maybe for v4 to implement a real header (if not yet)
> > A header doesn't need to be encrypted.
> > (A bit for testing if it's encrypted might have it use as well)
> 
> In fact, I was wondering about this very issue when I was working on
> my own encryption layer for Mozilla's storage use.  Does the reliable
> format of the first page (known sqlite header string, various other
> fields that are very likely to be zero or in some way related to the
> size of the DB file) not make known-plaintext attacks on the encrypted
> database much easier?  

The key schedule is perturbed by a randomly chosen nonce that is added
to each page.  The size of the nonce is selectable when the database
is created and defaults to 4 bytes.  This makes an encrypted database
about 0.4% larger than an unencrypted database (since the nonce has to
be stored, thus reducing the space available to store real data) but 
it also make known or chosen plaintext attacks considerably more
difficult.
-- 
D. Richard Hipp <[EMAIL PROTECTED]>



Re: [sqlite] Encryption and fixed header values (was Re: [sqlite] Why can i open a textfile?)

2005-08-22 Thread Dennis Jenkins

Mike Shaver wrote:


On 8/22/05, Edwin Knoppert <[EMAIL PROTECTED]> wrote:
 


Hmm, but every known file format has an header.
Sqlite has a string, not really a header as it seems.
Maybe for v4 to implement a real header (if not yet)
A header doesn't need to be encrypted.
(A bit for testing if it's encrypted might have it use as well)
   



In fact, I was wondering about this very issue when I was working on
my own encryption layer for Mozilla's storage use.  Does the reliable
format of the first page (known sqlite header string, various other
fields that are very likely to be zero or in some way related to the
size of the DB file) not make known-plaintext attacks on the encrypted
database much easier?  Given that the encryption is limited to a page
at a time due to the pager implementation (and placement of the hooks
in sqlite), it would seem that that would be fairly worrisome.

I can mitigate it a bit by having the page number affect the key
selection, but I'm still sort of nervous about it.

Mike
 


I hope that I don't spill too many beans here

My company has licensed the RC4 encryption add-on for sqlite. 

RC4 is basically an XOR against a huge one-time pad.  That pad is 
creating using a "key scheduling algorithm".  The key state for the 
random number generator is 256 bytes of data and two 8-bit indicies.  
There are several attacks that can be used to derive the original key 
state, but they all require huge samples of data to analyze.  RC4 is not 
the strongest encryption available, but for most of us, it is good enough.


The best way to attack any system using sqlite w/ the crypto extension 
is to hook the call to "sqlite3_key()" and just steal the rc4 key 
directly.  Much easier than crunhcing numbers on a super computer.


http://en.wikipedia.org/wiki/Rc4



Re: [sqlite] Encryption extension for SQLite

2004-12-24 Thread D. Richard Hipp
LWL wrote:
> I am by no means an expert cryptographer (in fact, I am just learning
> cryptography) so there may be security flaws in the design of the
> encryption layer. Please help me learn by giving me constructive
> criticism and suggestions to improve the code.
>
A quick glance suggests that there are indeed vulnerabilities,
that an attacker can easily recover plaintext from the database
without having to know the decryption key.  I'll look into this
more carefully after Christmas.
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565


Re: [sqlite] Encryption?

2004-09-23 Thread Will Leshner
Bryan Ashby wrote:
I have searched around and cannot find a definite answer -- We are working on a project that _requires_ a small, embedded and encrypted database. SQLite fits all of our needs except for the encryption part .. which I'm not totally sure about. I notice that in sqlite3.h there is a sqlite3_key() function, though it states it is not available to the public. Why is this? How can we add our own encryption (without breaking SQL searches, etc.!). I see how sqlite3_key() is used in the tcl stuff but I don't have any code for it :(




RE: [sqlite] Encryption?

2004-09-22 Thread Bob Dankert
http://www.hwaci.com/sw/sqlite/prosupport.html#crypto

I would also recommend going through the mailing list archives as I know
there have been a couple conversations per this topic in the last few
weeks.

Bob


-Original Message-
From: Bryan Ashby [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 22, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: [sqlite] Encryption?

I've searched and can't find a definite answer - does SQLite 3 support
encryption? If so, how? I knoticed a sqlite3_key() and sqlite3_rekey()
that say something about encryption but am unsure of how to use them.

Thanks,

Bryan



Re: [sqlite] Encryption in 2.8.13

2004-04-08 Thread Peter
Ulrik Petersen wrote:
I see that in 2.8.13, there are stubs for an encryption layer, but the 
encryption itself seems not to have been made publicly available.  Any 
chance of this becoming public in the next release?  
Form what I understand of the description on the SQlite site, encryption 
is available to customers who pay DRH for support. Sorta "value added 
services".
Regards
P.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: [sqlite] Encryption in 2.8.13

2004-04-08 Thread D. Richard Hipp
Ulrik Petersen wrote:
I see that in 2.8.13, there are stubs for an encryption layer, but the 
encryption itself seems not to have been made publicly available.  Any 
chance of this becoming public in the next release?  If not, is there 
any chance that the stubs could be documented so that one can write 
one's own encryption?

Encryption is a valued-added extension.  It is available in the US
for a small fee.  Outside the US, there are issues of export
license and so forth.  I've never worked through those problems
before so I'm not sure what all is involved.
I have decided not to make the encryption extension available
for free at this time.  Sorry.
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]