[sqlite] SQLite SEE with FIPS compliant Encryption?

2016-04-27 Thread Mike Nicolino
Hello Everyone,

We're using SQLite SEE to encrypt our databases and I was wondering if there is 
a version of SEE that is FIPS compliant/certificated?  Even a version that made 
use of the FIPS Windows APIs for encryption since our target platform is 
limited to Windows.  (I'm aware that the enterprise version of SQLCipher lists 
a FIPS version; I was hoping we could keep our current implementation which 
uses SEE however).

I'm considering a local modification to SEE to have it call the Windows APIs 
rather than doing its own encryption; has anyone tried such a thing before?

Thanks,
Mike Nicolino
Lead Engineer
Centrify Corporation



[sqlite] SQLite SEE with FIPS compliant Encryption?

2016-04-26 Thread Richard Hipp
On 4/26/16, Mike Nicolino wrote:
> Hello Everyone,
>
> We're using SQLite SEE to encrypt our databases and I was wondering if there
> is a version of SEE that is FIPS compliant/certificated?

If you will read FIPS 140-2, you will find that it has many
requirements that are outside the purview of SQLite and SEE (and
SQLCipher) - things such as tamper resistance and detection, key
management, process isolation, etc.  FIPS 140-2 is a system-level
specification.  But SEE is not a system.  SEE is a component part.
Hence, it makes no sense to talk about SQLite and/or SEE being FIPS
140-2 compliant/certified.

Asking for FIPS 140-2 compliance/certification for SQLite/SEE is like
asking for the IIHS crash test rating for your in-dash navigation
system.  In-dash navigation systems do not have crash test ratings.
Crash test ratings only apply to complete cars.

SEE uses AES which is an FIPS 140-2 compliant algorithm.  So SEE can
be used within FIPS 140-2 compliant/certified systems.

>
> I'm considering a local modification to SEE to have it call the Windows APIs
> rather than doing its own encryption; has anyone tried such a thing before?
>

The cccrypt version of SEE calls the built-in CCCrypt libraries on
Mac/iOS.  You can probably adapt that code to invoke whatever Windows
APIs you like.

Note that CCCrypt uses AES just like the default SEE module.  So they
are completely interoperable.  You can encrypt with one and decrypt
with the other.  If you manage your port to Windows correctly, you can
probably achieve portability there as well.

-- 
D. Richard Hipp
drh at sqlite.org