Using _crypt.vcx

Hello everyone. I am trying to encrypt the password field in my user
dbf so that no one can read the password if the dbf is opened outside
of the program. I wanted to use the _crypt class, but am not quite sure
how to go about implementing it. I am new to VFP and am not too
familiar with the function. I wanted to encrypt the password field in
the dbf, then have the user login, have the program encrypt his/her
password, and check the encrypted password with the encrypted password
stored in the dbf. Does anyone have a procedure as to how I would go
about doing this? I currently have a login form that checks passwords
against a dbf.

Carsten
Wed Aug 02 01:47:46 CDT 2006

wickedbusa,

take a look at the sample in Solutions.

MODIFY PROJECT (Home()+"\Samples\Solution\solution.pjx")
Start "MAIN.PRG"
Look in the section "Foundation Classes" -> "Add enctyption to applications"

--
Cheers
Carsten
_______________________________

"wickedbusa" <wickedbusa@gmail.com> schrieb im Newsbeitrag
news:1154471425.361124.207250@i3g2000cwc.googlegroups.com...
> Hello everyone. I am trying to encrypt the password field in my user
> dbf so that no one can read the password if the dbf is opened outside
> of the program. I wanted to use the _crypt class, but am not quite sure
> how to go about implementing it. I am new to VFP and am not too
> familiar with the function. I wanted to encrypt the password field in
> the dbf, then have the user login, have the program encrypt his/her
> password, and check the encrypted password with the encrypted password
> stored in the dbf. Does anyone have a procedure as to how I would go
> about doing this? I currently have a login form that checks passwords
> against a dbf.
>

Roger
Wed Aug 02 08:38:11 CDT 2006

wickedbusa wrote:
> Hello everyone. I am trying to encrypt the password field in my user
> dbf so that no one can read the password if the dbf is opened outside
> of the program. I wanted to use the _crypt class, but am not quite
> sure how to go about implementing it. I am new to VFP and am not too
> familiar with the function. I wanted to encrypt the password field in
> the dbf, then have the user login, have the program encrypt his/her
> password, and check the encrypted password with the encrypted password
> stored in the dbf. Does anyone have a procedure as to how I would go
> about doing this? I currently have a login form that checks passwords
> against a dbf.

It depends on how secure your encryption really needs to be.
Personally, I think that using Windows Crypto API is overkill
for user login password encryption, although I do use it for
other purposes.

Which version of VFP are you using?
From VFP8, check out the StrConv function which can encode/decode
a character expression to/from base64 binary and base64 hexbinary.
That should outfox ;-) all but dedicated hackers.

- Roger

wickedbusa
Wed Aug 02 16:31:17 CDT 2006

I'm using VFP 8. I took your advice and used the StrConv function.
Works great. Is there a way to encrypt an entire dbf using this
technique? I need to encrypt an entire dbf on close, then decrypt the
dbf while it is open in the app. If there is an easy way to do this
using this technique please let me know.

Thank you so much for your help.

Arvin
Roger Ansell wrote:
> wickedbusa wrote:
> > Hello everyone. I am trying to encrypt the password field in my user
> > dbf so that no one can read the password if the dbf is opened outside
> > of the program. I wanted to use the _crypt class, but am not quite
> > sure how to go about implementing it. I am new to VFP and am not too
> > familiar with the function. I wanted to encrypt the password field in
> > the dbf, then have the user login, have the program encrypt his/her
> > password, and check the encrypted password with the encrypted password
> > stored in the dbf. Does anyone have a procedure as to how I would go
> > about doing this? I currently have a login form that checks passwords
> > against a dbf.
>
> It depends on how secure your encryption really needs to be.
> Personally, I think that using Windows Crypto API is overkill
> for user login password encryption, although I do use it for
> other purposes.
>
> Which version of VFP are you using?
> From VFP8, check out the StrConv function which can encode/decode
> a character expression to/from base64 binary and base64 hexbinary.
> That should outfox ;-) all but dedicated hackers.
>
> - Roger

Roger
Thu Aug 03 08:22:45 CDT 2006

wickedbusa wrote:
> I'm using VFP 8. I took your advice and used the StrConv function.
> Works great. Is there a way to encrypt an entire dbf using this
> technique? I need to encrypt an entire dbf on close, then decrypt the
> dbf while it is open in the app. If there is an easy way to do this
> using this technique please let me know.

Encrypting an entire DBF requires a different approach. There are
external tools like NetLib and Cryptor which can do this but
it's not always necessary to encrypt and decrypt an entire table on
the fly. For example, you could just encrypt sensitive fields in a table.
You could then create textbox, editbox (etc) classes to decrypt
the encrypted fields for editing purposes and encrypt the data
prior to saving to the table.

OTOH, if total security is your primary concern, you should
consider the client/server approach - ie using a database server
such as MS SQL Server, Oracle or MySqL.

- Roger

Dan
Thu Aug 03 11:02:00 CDT 2006

In addition to Roger's comments, I'd add the standard multi-user warning.

If you "decrypt when in the app", how does the app know the 2nd user is
coming in? Does it go ahead and decrypt already-decrypted data (producing
garbage)?

Tread carefully.

Dan

wickedbusa wrote:
> I'm using VFP 8. I took your advice and used the StrConv function.
> Works great. Is there a way to encrypt an entire dbf using this
> technique? I need to encrypt an entire dbf on close, then decrypt the
> dbf while it is open in the app. If there is an easy way to do this
> using this technique please let me know.
>
> Thank you so much for your help.
>
> Arvin
> Roger Ansell wrote:
>> wickedbusa wrote:
>>> Hello everyone. I am trying to encrypt the password field in my user
>>> dbf so that no one can read the password if the dbf is opened
>>> outside of the program. I wanted to use the _crypt class, but am
>>> not quite sure how to go about implementing it. I am new to VFP and
>>> am not too familiar with the function. I wanted to encrypt the
>>> password field in the dbf, then have the user login, have the
>>> program encrypt his/her password, and check the encrypted password
>>> with the encrypted password stored in the dbf. Does anyone have a
>>> procedure as to how I would go about doing this? I currently have a
>>> login form that checks passwords against a dbf.
>>
>> It depends on how secure your encryption really needs to be.
>> Personally, I think that using Windows Crypto API is overkill
>> for user login password encryption, although I do use it for
>> other purposes.
>>
>> Which version of VFP are you using?
>> From VFP8, check out the StrConv function which can encode/decode
>> a character expression to/from base64 binary and base64 hexbinary.
>> That should outfox ;-) all but dedicated hackers.
>>
>> - Roger

wickedbusa
Thu Aug 03 12:48:45 CDT 2006

I haven't thought about that. I decided to just encrypt a couple of
sensitive fields; however, taking into consideration with what you just
mentioned, how would I go about setting up the app so multiple users
can use the app without the issue you mentioned?
Dan Freeman wrote:
> In addition to Roger's comments, I'd add the standard multi-user warning.
>
> If you "decrypt when in the app", how does the app know the 2nd user is
> coming in? Does it go ahead and decrypt already-decrypted data (producing
> garbage)?
>
> Tread carefully.
>
> Dan
>
> wickedbusa wrote:
> > I'm using VFP 8. I took your advice and used the StrConv function.
> > Works great. Is there a way to encrypt an entire dbf using this
> > technique? I need to encrypt an entire dbf on close, then decrypt the
> > dbf while it is open in the app. If there is an easy way to do this
> > using this technique please let me know.
> >
> > Thank you so much for your help.
> >
> > Arvin
> > Roger Ansell wrote:
> >> wickedbusa wrote:
> >>> Hello everyone. I am trying to encrypt the password field in my user
> >>> dbf so that no one can read the password if the dbf is opened
> >>> outside of the program. I wanted to use the _crypt class, but am
> >>> not quite sure how to go about implementing it. I am new to VFP and
> >>> am not too familiar with the function. I wanted to encrypt the
> >>> password field in the dbf, then have the user login, have the
> >>> program encrypt his/her password, and check the encrypted password
> >>> with the encrypted password stored in the dbf. Does anyone have a
> >>> procedure as to how I would go about doing this? I currently have a
> >>> login form that checks passwords against a dbf.
> >>
> >> It depends on how secure your encryption really needs to be.
> >> Personally, I think that using Windows Crypto API is overkill
> >> for user login password encryption, although I do use it for
> >> other purposes.
> >>
> >> Which version of VFP are you using?
> >> From VFP8, check out the StrConv function which can encode/decode
> >> a character expression to/from base64 binary and base64 hexbinary.
> >> That should outfox ;-) all but dedicated hackers.
> >>
> >> - Roger

Dan
Thu Aug 03 12:59:27 CDT 2006

Decrypt only when needed.

When our users log in, for instance, we don't decrypt passwords at all.
Rather we compare Encrypt(user-typed password) against the already encrypted
data on disk.

Dan

wickedbusa wrote:
> I haven't thought about that. I decided to just encrypt a couple of
> sensitive fields; however, taking into consideration with what you
> just mentioned, how would I go about setting up the app so multiple
> users can use the app without the issue you mentioned?
> Dan Freeman wrote:
>> In addition to Roger's comments, I'd add the standard multi-user
>> warning.
>>
>> If you "decrypt when in the app", how does the app know the 2nd user
>> is coming in? Does it go ahead and decrypt already-decrypted data
>> (producing garbage)?
>>
>> Tread carefully.
>>
>> Dan
>>
>> wickedbusa wrote:
>>> I'm using VFP 8. I took your advice and used the StrConv function.
>>> Works great. Is there a way to encrypt an entire dbf using this
>>> technique? I need to encrypt an entire dbf on close, then decrypt
>>> the dbf while it is open in the app. If there is an easy way to do
>>> this using this technique please let me know.
>>>
>>> Thank you so much for your help.
>>>
>>> Arvin
>>> Roger Ansell wrote:
>>>> wickedbusa wrote:
>>>>> Hello everyone. I am trying to encrypt the password field in my
>>>>> user dbf so that no one can read the password if the dbf is opened
>>>>> outside of the program. I wanted to use the _crypt class, but am
>>>>> not quite sure how to go about implementing it. I am new to VFP
>>>>> and am not too familiar with the function. I wanted to encrypt the
>>>>> password field in the dbf, then have the user login, have the
>>>>> program encrypt his/her password, and check the encrypted password
>>>>> with the encrypted password stored in the dbf. Does anyone have a
>>>>> procedure as to how I would go about doing this? I currently have
>>>>> a login form that checks passwords against a dbf.
>>>>
>>>> It depends on how secure your encryption really needs to be.
>>>> Personally, I think that using Windows Crypto API is overkill
>>>> for user login password encryption, although I do use it for
>>>> other purposes.
>>>>
>>>> Which version of VFP are you using?
>>>> From VFP8, check out the StrConv function which can encode/decode
>>>> a character expression to/from base64 binary and base64 hexbinary.
>>>> That should outfox ;-) all but dedicated hackers.
>>>>
>>>> - Roger

tim_witort
Mon Aug 07 10:24:45 CDT 2006


> wickedbusa wrote:
>> Hello everyone. I am trying to encrypt the password field in my user
>> dbf so that no one can read the password if the dbf is opened outside
>> of the program. I wanted to use the _crypt class, but am not quite
>> sure how to go about implementing it. I am new to VFP and am not too
>> familiar with the function. I wanted to encrypt the password field in
>> the dbf, then have the user login, have the program encrypt his/her
>> password, and check the encrypted password with the encrypted password
>> stored in the dbf. Does anyone have a procedure as to how I would go
>> about doing this? I currently have a login form that checks passwords
>> against a dbf.

I use a one-way encryption routine borrowed from UNIX and
rewritten in VFP. There is no way to decrypt anything that
is encrypted with this routine - even if you have the code
for the routine.

You store all of the users' passwords in their encrypted
form. Then, when a user logs in and enters their password,
you encrypt what they entered and compare the result to
the encrypted password stored in your user table. If they
match, the user entered the correct password and you
grant access.

Using this approach, the passwords are never saved or even
used in the database in their "clear text" (un-encrypted)
form and there is no way to figure out passwords by getting
into the user table.

This is all of limited effect since VFP databases are not
very secure, but it does keep unauthorized people from
running your application.

-- TRW
_______________________________________
t i m
a t
w i t o r t d o t c o m
_______________________________________