Examples of encryption for database access

prothero at earthlearningsolutions.org prothero at earthlearningsolutions.org
Thu Jun 28 22:32:07 EDT 2018


Here’s an interesting link re iv vectors. It says iv can be sent in plain view. Hmmm....
http://www.cryptofails.com/post/70059609995/crypto-noobs-1-initialization-vectors

But, I thought having the iv vector in plain view was also a security risk.
Perhaps I’m belaboring this and I apologize if I this discussion is getting tedious.

Bill

William Prothero
http://earthlearningsolutions.org

> On Jun 28, 2018, at 3:53 PM, Mark Wieder via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> Return-Path: <use-livecode-bounces at lists.runrev.com>
> Delivered-To: prothero at earthlearningsolutions.org
> Received: from ssd.earthlearningsolutions.org
>    by ssd.earthlearningsolutions.org with LMTP id iK5OBz9nNVvKBQgAqWmBzQ
>    for <prothero at earthlearningsolutions.org>; Thu, 28 Jun 2018 22:54:55 +0000
> Return-path: <use-livecode-bounces at lists.runrev.com>
> Envelope-to: prothero at earthlearningsolutions.org
> Delivery-date: Thu, 28 Jun 2018 22:54:55 +0000
> Received: from on-rev.com ([37.59.205.90]:45213 helo=var.runrev.com)
>    by ssd.earthlearningsolutions.org with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
>    (Exim 4.91)
>    (envelope-from <use-livecode-bounces at lists.runrev.com>)
>    id 1fYfoU-002Cli-VR
>    for prothero at earthlearningsolutions.org; Thu, 28 Jun 2018 22:54:55 +0000
> Received: from localhost ([127.0.0.1]:40505 helo=meg.on-rev.com)
>    by meg.on-rev.com with esmtp (Exim 4.85)
>    (envelope-from <use-livecode-bounces at lists.runrev.com>)
>    id 1fYfnh-0002Uo-3q; Fri, 29 Jun 2018 00:54:05 +0200
> Received: from c.mail.sonic.net ([64.142.111.80]:34500)
>    by meg.on-rev.com with esmtps (TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128)
>    (Exim 4.85) (envelope-from <ahsoftware at sonic.net>)
>    id 1fYfne-0002Tc-Fv
>    for use-livecode at lists.runrev.com; Fri, 29 Jun 2018 00:54:02 +0200
> Received: from [192.168.0.1] (50-1-85-235.dsl.dynamic.fusionbroadband.com
>    [50.1.85.235]) (authenticated bits=0)
>    by c.mail.sonic.net (8.15.1/8.15.1) with ESMTPSA id w5SMruW6005477
>    (version=TLSv1.2 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
>    for <use-livecode at lists.runrev.com>; Thu, 28 Jun 2018 15:53:57 -0700
> Subject: Re: Examples of encryption for database access
> To: Brian Milby via use-livecode <use-livecode at lists.runrev.com>
> References: <CWLP265MB038873410294EB2BBF14AEFA8F4B0 at CWLP265MB0388.GBRP265.PROD.OUTLOOK.COM>
>    <9F0C3B88-0189-4E92-8D43-C1B344D0F752 at major-k.de>
>    <CWLP265MB03888246E70C5FF9AD7D3CA38F4B0 at CWLP265MB0388.GBRP265.PROD.OUTLOOK.COM>
>    <677A939F-B639-4097-A466-70BA022218E2 at gmail.com>
>    <9fd89e75-5162-1468-e67e-3e0a28302944 at sonic.net>
>    <9C9C7F4B-B2C7-42DA-90AB-0926DB177628 at gmail.com>
>    <DC79E88A-761F-4CFC-B882-25E0AAE457C7 at gmail.com>
>    <b41a141b-5f10-ee17-ce6e-873684d605b1 at sonic.net>
>    <A67D8E80-F51E-4FDA-B2E4-B348DF0E714A at gmail.com>
>    <f9a11613-1c50-48a8-9106-0c779e0aa607 at Spark>
>    <4efe880c-d188-400b-31d9-564a0540ac8b at sonic.net>
>    <FF530CAA-ED67-4684-8414-6C37F6FC0EE9 at gmail.com>
>    <1bcf1dcd-f1ab-7bfd-8404-7df1c1b9c3df at sonic.net>
>    <05EC683C-5DD8-44EF-8352-6E052F1D3D27 at earthlearningsolutions.org>
>    <b1c23eff-7f5d-4028-abfd-bf912ded88fa at Spark>
> Message-ID: <281c22d4-20f8-88a3-c2bd-4a7aa85f3820 at sonic.net>
> Date: Thu, 28 Jun 2018 15:53:47 -0700
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
>    Thunderbird/52.8.0
> MIME-Version: 1.0
> In-Reply-To: <b1c23eff-7f5d-4028-abfd-bf912ded88fa at Spark>
> Content-Language: en-US
> X-Sonic-CAuth: UmFuZG9tSVYV61H8iJnDK8B78GdZlYqOiytilmPik8b3rpWaN3EnRBEaGwmBl44wO/6mwKUeRD6UgYKrQpGb7glziXUhBLNd
> X-Sonic-ID: C;bmxTIyZ76BGfs641UvMdPQ== M;TH6LIyZ76BGfs641UvMdPQ==
> X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
> X-BeenThere: use-livecode at lists.runrev.com
> X-Mailman-Version: 2.1.20
> Precedence: list
> List-Id: How to use LiveCode <use-livecode.lists.runrev.com>
> List-Unsubscribe: <http://lists.runrev.com/mailman/options/use-livecode>,
>    <mailto:use-livecode-request at lists.runrev.com?subject=unsubscribe>
> List-Archive: <http://lists.runrev.com/pipermail/use-livecode/>
> List-Post: <mailto:use-livecode at lists.runrev.com>
> List-Help: <mailto:use-livecode-request at lists.runrev.com?subject=help>
> List-Subscribe: <http://lists.runrev.com/mailman/listinfo/use-livecode>,
>    <mailto:use-livecode-request at lists.runrev.com?subject=subscribe>
> From: Mark Wieder via use-livecode <use-livecode at lists.runrev.com>
> Reply-To: How to use LiveCode <use-livecode at lists.runrev.com>
> Cc: Mark Wieder <ahsoftware at sonic.net>
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="us-ascii"; Format="flowed"
> Errors-To: use-livecode-bounces at lists.runrev.com
> Sender: "use-livecode" <use-livecode-bounces at lists.runrev.com>
> X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
> X-AntiAbuse: Primary Hostname - meg.on-rev.com
> X-AntiAbuse: Original Domain - earthlearningsolutions.org
> X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
> X-AntiAbuse: Sender Address Domain - lists.runrev.com
> X-Get-Message-Sender-Via: meg.on-rev.com: acl_c_authenticated_local_user: mailman/mailman
> 
>> On 06/28/2018 01:49 PM, Brian Milby via use-livecode wrote:
>> Random IV means that an attacker can not generate a dictionary in advance. Knowing it at the same time is not an issue since they cypher is not cracked. The other reason is that the IV seeds the AES encryption so that the first block does not give anything away. If the first encrypted block for the same data is always the same, the attacker can use that to test guesses if they can control what is being encrypted. Same issue if they can predict the IV. See the Wikipedia entry I linked to for a better discussion.
> 
> Encryption with an initialization vector isn't a reversible operation. It's not like XORing a value with another. Being able to *predict* an iv value, however, as opposed to just knowing the current value, is a security problem.
> 
>> IV is fixed at the block size of the cipher. So for AES it is 16 bytes.
> 
> Yes, I stand corrected. Silly me assumed that aes-256 would use a larger block size. AES uses only 128-bit blocks with different key sizes.
> 
> -- 
> Mark Wieder
> ahsoftware at gmail.com
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>> On 06/28/2018 01:49 PM, Brian Milby via use-livecode wrote:
>> Random IV means that an attacker can not generate a dictionary in advance. Knowing it at the same time is not an issue since they cypher is not cracked. The other reason is that the IV seeds the AES encryption so that the first block does not give anything away. If the first encrypted block for the same data is always the same, the attacker can use that to test guesses if they can control what is being encrypted. Same issue if they can predict the IV. See the Wikipedia entry I linked to for a better discussion.
> 
> Encryption with an initialization vector isn't a reversible operation. It's not like XORing a value with another. Being able to *predict* an iv value, however, as opposed to just knowing the current value, is a security problem.
> 
>> IV is fixed at the block size of the cipher. So for AES it is 16 bytes.
> 
> Yes, I stand corrected. Silly me assumed that aes-256 would use a larger block size. AES uses only 128-bit blocks with different key sizes.
> 
> -- 
> Mark Wieder
> ahsoftware at gmail.com
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode



More information about the Use-livecode mailing list