Examples of encryption for database access

Mark Wieder ahsoftware at sonic.net
Thu Jun 28 15:30:03 EDT 2018


On 06/28/2018 09:17 AM, William Prothero via use-livecode wrote:

> I understand Mark’s comment about putting the key and IV vector in the .htaccess file. I will do this as soon as I figure out if I’ve destroyed my server by deleting all files in the /etc/httpd directory by mistake (I was trying to set an environment variable in that directory and ….. arg…l). However, if IV is a random vector, I don’t understand how the php code that accesses the mySQL db would decode the commands and data. The setup would be different for password verification because it doesn’t need to be decoded to be verified. However, for access to a mySQL server, it needs to be decoded on the server. My understanding was that the function of the IV was to increase the number of possible keys to make a dictionary attack less feasible. Also, my php docs say the IV should be 16 bits. I haven’t tried more, but I do get an error message complaining about IV not being 16 bits.

There's no requirement for the initialization vector to be private, just 
that it is unique among all messages using the same encryption key. It 
can be posted to the server along with the encrypted data. Thus you can 
use a new randomized iv for each post, and the php code on the server 
would take the posted iv and use it with the already-known encryption 
key to decrypt the data.

Ignore my comment about 16 bits. You're supplying an iv of 16 *bytes*, 
which is 128 bytes. That's standard for normal use. If you want to get 
serious about it, you could double the length.

-- 
  Mark Wieder
  ahsoftware at gmail.com
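
The scheme described in the reply above (a fresh random IV sent in the clear with each post, the key known only to the server), as an added example that is not part of the original message or any poster's code. It assumes AES-256-CBC, the POST field names `iv`, `data` and `mac`, and keys the server would load from its environment (constructed random keys stand in for them here); the HMAC over the IV and ciphertext goes beyond what the thread discusses and is included because CBC alone does not detect tampering. `encrypt_for_post` stands in for the client side.

```php
<?php
// Added example: per-message IV posted alongside the ciphertext.
// Assumed names: POST fields iv/data/mac; keys are 32 raw bytes each.

function encrypt_for_post(string $plaintext, string $encKey, string $macKey): array
{
    $iv = random_bytes(16); // new 16-byte IV for every message; it is not secret
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Encrypt-then-MAC: authenticate IV || ciphertext with a separate key
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return [
        'iv'   => base64_encode($iv),
        'data' => base64_encode($ct),
        'mac'  => base64_encode($mac),
    ];
}

function decrypt_from_post(array $post, string $encKey, string $macKey): string
{
    $iv  = base64_decode($post['iv'] ?? '', true);
    $ct  = base64_decode($post['data'] ?? '', true);
    $mac = base64_decode($post['mac'] ?? '', true);
    if ($iv === false || $ct === false || $mac === false || strlen($iv) !== 16) {
        throw new InvalidArgumentException('malformed request');
    }
    // Verify before decrypting; hash_equals compares in constant time
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('authentication failed');
    }
    // The posted IV plus the server-side key is all that decryption needs
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// Constructed demo keys; on a real server these would come from the environment.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
$first  = encrypt_for_post('constructed sample payload', $encKey, $macKey);
$second = encrypt_for_post('constructed sample payload', $encKey, $macKey);
var_dump($first['data'] !== $second['data']); // same plaintext, different IV
echo decrypt_from_post($first, $encKey, $macKey), "\n";
```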



