The encryption wasn't broken.  The vulnerability lay in the key management, and 
it was from there that the key was recovered.  No "encryption" was broken.  It 
was merely bypassed.

The same end could have been achieved by application of a rubber hose to the 
person having knowledge of the key in order to recover the key.  The US 
Government does not use rubber hoses -- they use waterboards and electric 
current applied judiciously to various parts of the anatomy, but the result is 
the same.  The encryption is not broken.  The key is recovered and the 
encryption is bypassed.

In the real old days the first "fix" I ever did (on a PC) was to Lotus 123 
version 1A (the one that required the original diskette to be in the drive 
before it would run).  The fix was as simple as finding the spot where the 
machine code executed "IF NOT VALID GOTO EXIT" and changing it to "IF FALSE GOTO 
EXIT".  This did not "break" the copy protection.  It did not change it at all. 
 The software merely no longer exited if the check failed.

Similarly, one gets all channels on satellite TV by finding the spot in the 
code where it executes:  IF USER AUTHORIZED GOTO VIEW-PROGRAM.  Changing the 
instruction to IF TRUE GOTO VIEW-PROGRAM makes all programs, even those that 
are blacked out or not subscribed, magically viewable.  This does not in any way 
"defeat" or "break" the authorization/encryption system.  It merely bypasses it.

> -----Original Message-----
> From: sqlite-users-bounces at mailinglists.sqlite.org [mailto:sqlite-users-
> bounces at mailinglists.sqlite.org] On Behalf Of Simon Slavin
> Sent: Sunday, 21 June, 2015 11:26
> To: General Discussion of SQLite Database
> Subject: [sqlite] A story of breaking the encryption of a SQLite database
> 
> For those of you who might be interested in a high-tech attempt at busting
> SQLCipher encryption:
> 
> <https://medium.com/@14domino/breaking-the-zyzzyva-encryption-f00360b695d1>
> 
> Please note that the breaking of the encryption was not done by examining
> the database itself.  SQLiteCipher is not part of SQLite, it's just one of
> a number of encryption systems available.  This article should not be
> taken as indicating that SQLite encryption, /per se/, is poor or easy to
> break.
> 
> Simon.