Liberty BASIC Community Forum
« strong encryption with DLL »

Welcome Guest. Please Login or Register.
Jan 23rd, 2018, 7:24pm


Rules|Home|Help|Search|Recent Posts|Notification


« Previous Topic | Next Topic »
Pages: 1  Notify Send Topic Print
 thread  Author  Topic: strong encryption with DLL  (Read 335 times)
hooshnik
Full Member
ImageImageImage


member is offline

Avatar




PM

Gender: Male
Posts: 105
xx strong encryption with DLL
« Thread started on: May 10th, 2017, 10:57am »

Does anybody know how I can use a DLL and get strong encryption with LB using something FOSS? I've looked at some stuff but I don't know if I have to write a wrapper or re-write it to work with LB.
User IP Logged

looking for file "include" support? Check out Aplomb Scribe http://libertybasic.conforums.com/index.cgi?action=display&board=open&num=1434746448
Chris Iverson
Administrator
ImageImageImageImageImage


member is offline

Avatar

20% Cooler


Homepage PM

Gender: Male
Posts: 2294
xx Re: strong encryption with DLL
« Reply #1 on: May 10th, 2017, 5:07pm »

What is it that you're going to be encrypting?

If it's something that's just going to be stored on one computer, I would use the CryptProtectData() and CryptUnprotectData() Win32 APIs.


If it's something you're going to be transferring, there's other things I would use, most likely other parts of the Win32 Crypto API.
User IP Logged

"Do you believe in destiny?" - Pyrrha Nikos, RWBY
"With what wish will your Soul Gem shine?" - Kyubey, Puella Magi Madoka Magica
hooshnik
Full Member
ImageImageImage


member is offline

Avatar




PM

Gender: Male
Posts: 105
xx Re: strong encryption with DLL
« Reply #2 on: May 10th, 2017, 6:44pm »

I would be encrypting customer data and needs to be moderately secure. It will be transfered but most likely by LAN only. Not planning on storing credit cards or SIN, etc.

I think your solution is good.

I wonder if it could be shoe-horned with sqlite or is that not cost-effective vs sqlite + SEE? Recently I have thought of not going the sqlite route however.
User IP Logged

looking for file "include" support? Check out Aplomb Scribe http://libertybasic.conforums.com/index.cgi?action=display&board=open&num=1434746448
Chris Iverson
Administrator
ImageImageImageImageImage


member is offline

Avatar

20% Cooler


Homepage PM

Gender: Male
Posts: 2294
xx Re: strong encryption with DLL
« Reply #3 on: May 10th, 2017, 9:05pm »

It could fairly easily be shoehorned, although you'd most likely have to decrypt the SQLite database while it's in use.

If it's going to be moving between different computers, I also have to ask, is this going to be on a corporate network, where the same account is used on the machines? Or is it going to be different accounts on different computers?

The reason I ask is because, depending on the settings you give it, CryptProtectData() encrypts the data using a user-local or machine-local key(or both), meaning the data can only be decrypted by the same user, or on the same computer, or both. I don't think it'll work with different users across different machines, although I will have to try it to be certain.

It's the easiest way to do it, but it also relies on the data remaining mostly in place.

The alternative is to use other parts of the Crypto API, or use an open-source library.

(Have to be careful if it's GPL-licensed code; because of the terms in the GPL license, I'm honestly not certain it would be allowed to use GPL-licensed libraries with LB, since you couldn't license the LB runtime engine under the GPL.

I'm trying to look more into it to be sure, since it'd be very important to know for those actually selling and openly distributing programs. Internal/personal use is fine, since the GPL only covers redistribution.)
« Last Edit: May 10th, 2017, 9:58pm by Chris Iverson » User IP Logged

"Do you believe in destiny?" - Pyrrha Nikos, RWBY
"With what wish will your Soul Gem shine?" - Kyubey, Puella Magi Madoka Magica
hooshnik
Full Member
ImageImageImage


member is offline

Avatar




PM

Gender: Male
Posts: 105
xx Re: strong encryption with DLL
« Reply #4 on: May 11th, 2017, 09:36am »

Oh crap the can of worms is opened grin

The reason why I say this is because some authors release under the GPL but then you can distribute it with a closed source language like .NET just because the author says it's ok (like winscp)?:

https://winscp.net/forum/viewtopic.php?t=13282

So I was going to use winscp for example because they don't seem to have a problem (distributing with closed source program from closed source compiler).

So what you are saying is normally I can't have a DLL from a GPL project by default with LB unless the author gives the green light? But if I did this using an FOSS basic I would be fine all the time because I'm not linking the code but using an external DLL?

Unfortunately my company doesn't give me access to a lawyer so I'm left to figure this stuff out on my own.
User IP Logged

looking for file "include" support? Check out Aplomb Scribe http://libertybasic.conforums.com/index.cgi?action=display&board=open&num=1434746448
Chris Iverson
Administrator
ImageImageImageImageImage


member is offline

Avatar

20% Cooler


Homepage PM

Gender: Male
Posts: 2294
xx Re: strong encryption with DLL
« Reply #5 on: May 11th, 2017, 11:51am »

WinSCP allows it in a combination of two methods:

1) The copyright holder(author) is explicitly allowing it, and
2) The code that actually interfaces between the GPL'd WinSCP libraries and the proprietary program(the WinSCP .NET bindings/library) is actually licensed under the Mozilla Public License, which is compatible with both.

The MPL's terms are different from the GPL in that, you are allowed to incorporate and use MPL code in a proprietary program, without releasing the proprietary source code. You ARE required to release the source for any modifications to MPL'd code.


So, yes, you would need to get permission from the copyright holder to use it in your program.


THIS FAQ question on the GNU website seems to say that you can follow the license with a non-free compiler system, as long as you don't actually distribute the runtime engine itself with your compiled code:

https://www.gnu.org/licenses/gpl-faq.html#WindowsRuntimeAndGPL

In other words, you'd have to provide your TKN file and the GPL libraries in one package, and LB's runtime engine in another package. This is my understanding so far. (Software licensing is hard. This is why I tend to stick with MIT/BSD license, or, if I want to ensure that modifications to my code/library get shared, the MPL.)
User IP Logged

"Do you believe in destiny?" - Pyrrha Nikos, RWBY
"With what wish will your Soul Gem shine?" - Kyubey, Puella Magi Madoka Magica
hooshnik
Full Member
ImageImageImage


member is offline

Avatar




PM

Gender: Male
Posts: 105
xx Re: strong encryption with DLL
« Reply #6 on: May 11th, 2017, 12:53pm »

Yikes!

I think that DLL will only work with .NET anyway? For LB I would have to use the command line:

https://winscp.net/forum/viewtopic.php?t=10852

It's under the GPL.

I found this (https://winscp.net/forum/viewtopic.php?t=15070):

Quote:
But winscp.exe is NOT A LIBRARY/MODULE, it's an APPLICATION. No linking, neither static nor dynamic happens.

It is the same as, as if you asked anyone, who calls a GPL command-line tool from a batch file/script, to GPL that batch file on the grounds that the batch file "links" the tool.


He goes on to say there is XML to parse the results (so you don't have to use a named pipe I guess) so it could be done if you consider he doesn't think using XML and batch files qualifies as linking. It's clunky but it can be done.
User IP Logged

looking for file "include" support? Check out Aplomb Scribe http://libertybasic.conforums.com/index.cgi?action=display&board=open&num=1434746448
Chris Iverson
Administrator
ImageImageImageImageImage


member is offline

Avatar

20% Cooler


Homepage PM

Gender: Male
Posts: 2294
xx Re: strong encryption with DLL
« Reply #7 on: May 11th, 2017, 1:46pm »

I believe his interpretation of the GPL is correct.

The GPL is explicitly stated to not cover program output, so STDOUT and any files it creates are not required to be GPL'd.

(This is what lets you create proprietary software with GPL compilers, and vis-versa)


As you're running a different program, not linking to it(dynamically or statically), you should be in the clear.
« Last Edit: May 11th, 2017, 1:49pm by Chris Iverson » User IP Logged

"Do you believe in destiny?" - Pyrrha Nikos, RWBY
"With what wish will your Soul Gem shine?" - Kyubey, Puella Magi Madoka Magica
CryptoMan
Senior Member
ImageImageImageImage


member is offline

Avatar




Homepage PM

Gender: Male
Posts: 317
xx Re: strong encryption with DLL
« Reply #8 on: May 13th, 2017, 02:48am »

I can provide our DES / 3DES functions as a DLL.

This part is trivial.

It is also not too difficult to use the Windows Crypto functions from LB.

Difficulty about crypto is not the algorithms called as a DLL or even by using LB written functions. The real difficulty is how you are going to protect the keys.

You can never protect the keys in a PC, Windows, Linux, Android, IOS, etc without special hardware or an external device like an HSM or Smartcard.

If you are happy with just a DLL, send me a DM and I can send our DLL. 3DES is as good as it gets.
User IP Logged

.....
Pages: 1  Notify Send Topic Print
« Previous Topic | Next Topic »

Rules|Home|Help|Search|Recent Posts|Notification

Donate $6.99 for 50,000 Ad-Free Pageviews!

| |

This forum powered for FREE by Conforums ©
Sign up for your own Free Message Board today!
Terms of Service | Privacy Policy | Conforums Support | Parental Controls