Folks: I’ve been working on a sample stack to demonstrate encryption, best practices (as far as I can determine). The online lessons are not adequate for a robust solution to this vital security issue. I’ve posted a demo stack at: http://earthlearningsolutions.org/google-static-maps-demo/ This stack has benefited from feedback and ideas from folks on this list. Feedback is welcome.
This stack generates a random iv vector and uses AES-256 encryption to encode an array containing commands for interaction with a MySQL server. The server-side PHP script that decodes the data and encodes the returned response is included.

One thing I am still unsure about is the best way to generate a random string of characters that I use for the random IV (initialization vector) that is used for the encryption.

I’ve included some code below, which is used to encrypt and decrypt the data sent and returned from the server. The encode and decode scripts are put into the launcher, or stack that is created when a standalone or mobile version is built.

Here are the handlers. The encryption key will be more secure if it is obfuscated by putting it in as a property of a control or hidden in some way.

I am wondering if the generation of the random seed is optimum. Feedback welcome.

local theRandomSeed

function randomChrs n
   if theRandomSeed = "" then
      setRandomSeed
   end if
   put "" into tChars
   repeat with i=1 to n
      -- random(256) returns 1..256; subtract 1 to get a byte value 0..255
      put random(256) - 1 into nChar
      -- numToByte keeps the IV as binary data rather than text
      put numToByte(nChar) after tChars
   end repeat
   return tChars
end randomChrs

on setRandomSeed
   -- the seed is derived from the system clock only
   put (the milliseconds) into tMS
   put trunc(tMs/10000000) into tDiv
   put tMS mod tDiv into theRandomSeed
   set the randomseed to theRandomSeed
end setRandomSeed

function theRandomIV
   if theRandomSeed = "" then
      setRandomSeed
   end if
   put randomChrs(16) into tIVBytes
   return tIVBytes
end theRandomIV

--This handler encodes the data. First it generates a random
--initialization vector (iv), then encrypts the data and
--adds the iv to the encoded data.
--tArray is an array that controls the action of the php script.
function theEncoded tArray
   put theRandomIV() into tIV
   put base64Encode(tIV) into tB64IV
   put ArrayToJSON(tArray,"string","") into tJson
   put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
   put "AES-256-CTR" into tCipher
   encrypt tJson using tCipher with key tEncryptionKey and iV tIV
   put base64encode(it) into tDataToSend
   --comment out next statement if iv not included in data
   put tB64IV&tDataToSend into tDataToSend
   return tDataToSend
end theEncoded

--This decodes the data that is returned by the php on the
--remote server.
--The iv is expected as the first 24 bytes of the returned data.
function theDecoded tData
   put byte 1 to 24 of tData into tIVB64
   put base64decode(tIVB64) into tIV
   put the number of bytes in tData into n
   put byte 25 to n of tData into tRetB64Data
   put base64decode(tRetB64Data) into tRetData
   put "AES-256-CTR" into tCipher
   put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
   decrypt tRetData using tCipher with key tEncryptionKey and iV tIV
   put it into tReturn
   return tReturn
end theDecoded

-- End of handlers that should be in the main stack

_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
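
On the question of whether the seed generation is optimum, the following is an added example, not part of the original post and written in Python rather than LiveCode. It reproduces the seed arithmetic from setRandomSeed to bound its entropy, then shows the same wire layout (24 base64 characters of IV followed by base64 ciphertext) built with an IV from the operating system's CSPRNG and parsed with length checks. The AES step is left out, so the ciphertext is treated as opaque bytes; the function names and the clock value are assumptions made for the illustration.

```python
import base64
import binascii
import math
import os

IV_LEN = 16       # AES block size in bytes
IV_B64_LEN = 24   # base64 length of a 16-byte IV, the prefix theDecoded reads


def post_seed(ms: int) -> int:
    """Seed as the post's setRandomSeed computes it: tMS mod trunc(tMS/10000000)."""
    return ms % (ms // 10_000_000)


def seed_bits(ms: int) -> float:
    """Upper bound, in bits, on the seed's entropy: the seed is always < ms // 10^7."""
    return math.log2(ms // 10_000_000)


def new_iv() -> bytes:
    """16 bytes from the OS CSPRNG, independent of any clock or seed."""
    return os.urandom(IV_LEN)


def frame(iv: bytes, ciphertext: bytes) -> str:
    """base64(iv) followed by base64(ciphertext), the layout theEncoded sends."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be exactly 16 bytes")
    return (base64.b64encode(iv) + base64.b64encode(ciphertext)).decode("ascii")


def unframe(data: str) -> tuple[bytes, bytes]:
    """Split a received message into (iv, ciphertext), rejecting malformed input."""
    if len(data) <= IV_B64_LEN:
        raise ValueError("message too short to hold an IV and ciphertext")
    try:
        iv = base64.b64decode(data[:IV_B64_LEN], validate=True)
        ciphertext = base64.b64decode(data[IV_B64_LEN:], validate=True)
    except binascii.Error as exc:
        raise ValueError("message is not valid base64") from exc
    if len(iv) != IV_LEN:   # 24 unpadded base64 characters decode to 18 bytes
        raise ValueError("decoded IV is not 16 bytes")
    return iv, ciphertext


if __name__ == "__main__":
    ms = 1_700_000_123_456   # constructed clock value, milliseconds since 1970
    print("seed:", post_seed(ms), "entropy bound (bits):", round(seed_bits(ms), 1))
    message = frame(new_iv(), b"constructed ciphertext bytes")
    print(unframe(message)[1])
```

With a seed bounded at under 18 bits, the first IV of a session can take at most about 170,000 values, and in CTR mode a repeated IV under the same key repeats the keystream. In LiveCode the counterpart of `os.urandom(16)` is the built-in `randomBytes(16)` function.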