Information about this topic:
Forum: WinDev Forum
Posts in this topic: 8
First post: 3 years ago
Last post: 3 years ago
Participating authors: willy hermans, Alexandre Leclerc, Paulo Oliveira

Security level of crypt

Original post by willy hermans on 20.05.2015 09:21

Hello,

For me it is not very clear: what is the security level of the Crypt function?

Is it comparable with MD5?

Is an MD5 security available?

Thanks,

Willy Hermans.

Replies:

As far as I know, with the Crypt function the algorithm is RC5. For an MD5 checksum, you can get it in SQL or by using the HashString function:

http://doc.windev.com/en-US/?2034005&name=SQL_functions_Editor#SQL_MD5
http://doc.windev.com/en-US/?1000007111

by Paulo Oliveira - on 20.05.2015 09:40
Hi Willy,

Crypt encrypts a string with a password. This string can be decrypted with the same password. The security level depends on the algorithm you use. cryptSecure will give an RC5 on 128 bits. Read the help and check the Web for more information on the strength of it.

MD5 is not an encrypting algorithm. This is a hash. Once you create a hash you can't recover the original value. MD5 as a hash has its flaws too. But they can be circumvented by using a good "secret key". But better hashes can be made using SHA 256+ for example.

It really depends on what you want to do by encrypting or hashing. For passwords I would recommend a good hash (you do not keep the actual password but compare hashes). For data that must be read again you can use Crypt() before saving the data, or CryptStandard() - new in WD20. And on top of that, activate file protection with encryption and a password (some details here: http://doc.windev.com/en-US/?2512046).

Best regards,
Alexandre Leclerc

by Alexandre Leclerc - on 20.05.2015 12:29
Thanks.

In this case a hash is not the best choice because the data has to be recovered.

Medical info is sent via a service to a HFSQL file. The hospital (my client) is very very very ... worried about security. Sometimes it can look a little bit paranoid, but there is big business in medical data and there are strict laws in Belgium for sending medical data over the net. I can only agree with this.

The sent data is dropped into a local map. The service crypts it and places it crypted into the database in a server via the net. The database is already encrypted. So the extra encryption before putting the record in the file is for security during transport on the net.

The reason why I asked this is because the client asks me: "How secure is your service? Isn't it better to place the data into a map via a VPN connection?"

So I want to have an idea of the level of security.

Again ... many thanks and greetings,

Willy Hermans.

by willy hermans - on 20.05.2015 16:19
What are the minimum requirements to send this kind of data in Belgium over the net?

If possible by law, you can encrypt with cryptSecure, compressLZW, encodeBASE64 and use one long and strange password (numbers, letters and special chars).
To ensure that the data isn't changed, generate one hash of the file/string you need to send over the net, send it also, and check at the destination if the hash is correct against the data you receive.

In almost all routers used to connect to the internet you can define IPsec tunnels. If it's your case and your client's case, define the tunnel and send the data using it for extra security; no cost, and it's one of the most used ways to encrypt the comms in VPNs.

Instead of putting the data in one map why not sending it over https for instance?
You can do it using one awp page.

by Paulo Oliveira - on 20.05.2015 16:44
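
The integrity check suggested in the post above (send a hash along with the data and verify it on arrival), as an added example that is not part of the thread and is written in Python rather than WLanguage. It goes one step beyond the post by comparing a plain SHA-256 with a keyed hash (HMAC-SHA256); the key, the stand-in ciphertext and all function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the thread.
INTEGRITY_KEY = b"constructed-demo-key-kept-separate-from-the-encryption-password"
CIPHERTEXT = bytes(range(32))  # stands in for the already encrypted record


def pack(ciphertext: bytes, key: bytes) -> str:
    """Sender: Base64-encode the encrypted payload and attach both check values."""
    body = base64.b64encode(ciphertext).decode("ascii")
    return json.dumps({
        "body": body,
        # Plain hash: whoever can change the body can also recompute this value.
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
        # Keyed hash: can only be produced by a holder of the key.
        "hmac": hmac.new(key, body.encode(), hashlib.sha256).hexdigest(),
    })


def plain_hash_ok(message: str) -> bool:
    """Receiver check using only the unkeyed SHA-256 value."""
    env = json.loads(message)
    digest = hashlib.sha256(env["body"].encode()).hexdigest()
    return hmac.compare_digest(digest, env["sha256"])


def unpack(message: str, key: bytes) -> bytes:
    """Receiver: verify the keyed hash before decoding; raise on mismatch."""
    env = json.loads(message)
    expected = hmac.new(key, env["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["hmac"]):
        raise ValueError("integrity check failed")
    return base64.b64decode(env["body"])


def modify_in_transit(message: str) -> str:
    """Simulate a change on the path: new body, plain hash recomputed, key unknown."""
    env = json.loads(message)
    env["body"] = base64.b64encode(b"altered record").decode("ascii")
    env["sha256"] = hashlib.sha256(env["body"].encode()).hexdigest()
    return json.dumps(env)


if __name__ == "__main__":
    changed = modify_in_transit(pack(CIPHERTEXT, INTEGRITY_KEY))
    print("plain hash accepts altered message:", plain_hash_ok(changed))
```

The receiver should call `unpack()` and treat the `ValueError` as a rejected record; the unkeyed check is shown only for comparison.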
The site is hosted in PCSCloud. Maybe a VPS was better. The future will tell. So a VPN via IPSEC between the hospital and PCSCloud is not possible.

The law is not very clear and interpretation differs from person to person. Technology changes faster than laws. So the law can not be actual .....

Personally, I think that the service gives already a very secure result. The password is already long and very complex.

Now I have already an idea.

My resume:
The crypt function is already very strong when used with long complex password and with the secure option.

When that is not enough I've seen that there are additional possibilities.

The AWP/HTTPS option also looks interesting. But lack of time prevents me now from building a completely new solution. I have never built an AWP page. I will come back to this subject if needed.

Thanks
Willy Hermans

by willy hermans - on 20.05.2015 19:07
Hi Willy,

How do you exchange the data between your software and the remote server?

Is it a service you made using TCP sockets? Or is it a WebService? Or is it a direct connection to HFSQL Servers?

- If this is a service, the only thing you can do is increase encryption by using SocketCreateSSL() and SocketConnectSSL() to use SSL certificates, etc.

- If this is a WebService, you can easily add an SSL certificate (ask PCSoft, I guess, if this is not provided by default with your cloud account) and use the HTTPS connection instead when using your services. This will give a very easy layer of protection.

- If this is a direct connection to HFSQL do not forget that all data passes as plain text. But you can use the CryptMethod property in the connection to give some more security.

Best regards,
Alexandre Leclerc

by Alexandre Leclerc - on 20.05.2015 20:40
The service makes a direct connection with the HFSQL server.
The data, text files, are read in a map and crypted by the service.

The crypted text is added to the database. The database is also secured.

Greetings,
Willy.

by willy hermans - on 21.05.2015 06:46