Any other encryption system besides Blowfish?

Post by Roger Seiler » Fri Dec 06, 2013 11:57 pm

Since I can't get a solution to the hugely excessive length of the Blowfish key (over 4000 bytes) that makes encryption/decryption painfully slow, can anyone recommend another widely recognized encryption system that works with FWH?
Roger Seiler
 
Posts: 223
Joined: Thu Dec 01, 2005 3:34 pm
Location: Nyack, New York, USA

Re: Any other encryption system besides Blowfish?

Post by reinaldocrespo » Sat Dec 07, 2013 9:46 pm

Roger;

ADS remote as well as the free local server RDDs allow you to encrypt a .dbf. Here is some text from the help file:
Advantage provides security for your data in a number of important ways. Some of these are associated with how Advantage transmits data across the network, and others are associated with access rights conferred by a data dictionary. But the most fundamental of data security features is provided at the table level. Specifically, individual tables can be encrypted with a password.

When a table is encrypted with a password, both the table and its memo file are encoded using the password. (If you are using a data dictionary and ADT tables, it is possible to also have the index encrypted.) The effect of this encoding is that the raw table and memo files appear scrambled to anyone who attempts to view their contents. Without encryption, it would be possible for someone with a file viewer, or even Windows Notepad (for small tables), to open the table and view its contents.

Once the table is encrypted, you must provide the password for the table each time the table is opened. For database tables, which can only be accessed through a data dictionary, the data dictionary supplies the password automatically. Note, however, that a data dictionary itself provides security, and when the data dictionary is configured correctly, you will not be able to access the data dictionary without supplying a user name and password. The data dictionary user name and password are separate from a table's password.

If you want to view an encrypted free table using the Advantage Data Architect, you will be prompted for the password when you open the table. Similarly, before an encrypted table can be accessed from a client application, that application must submit the password.

How you submit a table's password from a client application depends on the data access mechanism you are using. For example, if you are using the ACE API, you must make a call to AdsEnableEncryption (for Advantage tables) or AdsStmtSetTablePassword (for executing SQL statements against the table), passing the table name or handle and the password as the arguments to the function call. You need to make one of these calls once per Advantage table, prior to accessing it.


I will try to find time to post some samples on encrypting tables for the first time and then using a table that has been encrypted, but you can easily figure it out by reading from the help file. Search for ACE functions AdsEncryptTable(), AdsEnableEncryption(), AdsDecryptTable(), AdsDisableEncryption(). There are also stored procedures to do the same as the ACE API functions if you would rather use SQL syntax. The full ACE API is available to you when linking rddads.lib to your apps.

Hope that helps,


Reinaldo.
reinaldocrespo
 
Posts: 972
Joined: Thu Nov 17, 2005 5:49 pm
Location: Fort Lauderdale, FL

Re: Any other encryption system besides Blowfish?

Post by Rick Lipkin » Sun Dec 08, 2013 4:10 pm

Roger

I posted this code some time ago which has served me well.

Rick Lipkin

viewtopic.php?f=3&t=27189&p=152637#p152637
Rick Lipkin
 
Posts: 2629
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: Any other encryption system besides Blowfish?

Post by Roger Seiler » Mon Dec 09, 2013 4:15 pm

Reinaldo and Rick,

Thanks very much for your info. Those are very workable encryption systems, but unfortunately (as far as I can see) are not certified as acceptable under the U.S. govt. HIPAA rules (Health Insurance Portability and Accountability Act). An app that I'm developing right now has to be HIPAA compliant, which means it has to use one of the encryption systems that the govt. has found acceptable under HIPAA. The approved list of encryption systems includes DES (though it is being deprecated), Blowfish, RSA, RC5, PGP and IDEA. Other proprietary encryption systems are generally not allowed, unless certified by an independent encryption review agency (an expensive process). Thus FiveWin's built-in encryption system (except for Blowfish), the ADS encryption system, and encryption using the Clipper Tools model, appear to be unacceptable under HIPAA.

Because Blowfish is acceptable under the U.S. govt. HIPAA rules, and we have it in Harbour, that is why I keep asking to get the problem with its overly long encryption key resolved.

Re: Any other encryption system besides Blowfish?

Post by reinaldocrespo » Mon Dec 09, 2013 6:32 pm

I see we are running two different threads on the same subject, and I have already shown that ADS is FIPS compliant; however, here is more information on ADS encryption:

Advantage provides the capability to encrypt tables and associated data. Data encryption is just one part of the process of creating a secure system. The following are some of the steps that can be taken to secure a database:

· Restrict physical access: Prevent direct user access by keeping all data on a physically remote server and using Advantage Database Server to access the data.

· Use access controls: Use a data dictionary with user logins to restrict who can connect to the database.

· Permissions: Use database roles and assign user and group permissions to fine-tune levels of access that users can have.

· Require logins: Disable free connections on the Advantage Database Server to force all connections to authenticate through a data dictionary.

· Encrypt communications: Enable the encryption of communications between the client and server application with Transport Layer Security (TLS) available beginning in v10.1 or with the existing encryption available with both UDP and TCP/IP communications.

· If requirements call for it, enable FIPS mode to ensure that only encryption algorithms approved for the Federal Information Processing Standard (FIPS) 140-2 are used.

· Encrypt data: Enable table encryption at the data dictionary level or in individual free tables.



Keep in mind that encryption wouldn't even be necessary to secure your data as long as you don't keep the data on a shared folder. With ADS you keep your data on a server that is NOT being shared. There is absolutely no way to see the data unless you can connect using one of the ADS clients. The client makes TCP requests to the server and as long as the client has authenticated, the server answers back with the info being requested by the client. .dbf tables, indexes, and memo files are not visible or accessible to the operating system.


Reinaldo.

Re: Any other encryption system besides Blowfish?

Post by Roger Seiler » Mon Dec 09, 2013 7:51 pm

Reinaldo,

Thanks for the excellent info. I'll discuss it with my customer. Hopefully, they'll increase my project's budget to allow using ADS with all of its advantages.

All the best,

- Roger

Re: Any other encryption system besides Blowfish?

Post by Roger Seiler » Tue Jan 07, 2014 3:57 am

I got Blowfish to work fine. See separate thread, "How to work with Blowfish".

