Part of the interface design to the SQLite Encryption Extension makes it possible for an application to accidentally supply weak keys. This only happens if the keying interface is misused. Though to be fair, the documentation could be clearer about how to avoid misusing the interface.
If an application does misuse the keying interface and supplies a weak key, then SEE offers no warning. The database appears to be fully encrypted. But an attacker will be able to easily guess the encryption key. I will publish patches to SEE in about two weeks that better document how to avoid misusing the keying interface and perhaps also to provide feedback (errors) in the case where the keying interface is misused in a way that results in weak keys. In the meantime, if you are an SEE licensee and are concerned that you might be using weak keys in your application, you can contact me privately (via email to drh at sqlite.org or by phone at +1.704.948.4565) to learn more about the problem and how you can mitigate the problem before it is disclosed. Note that the details of the problem will only be disclosed to other SEE licensees and not to the general public. -- D. Richard Hipp drh at sqlite.org
