I will be looking at this, thank you William.

On Mon, Jul 2, 2018 at 11:37 PM, William Prothero via use-livecode <use-livecode@lists.runrev.com> wrote:
> Folks:
> I’ve been working on a sample stack to demonstrate encryption best practices (as far as I can determine). The online lessons are not adequate for a robust solution to this vital security issue. I’ve posted a demo stack at:
> http://earthlearningsolutions.org/google-static-maps-demo/
> This stack has benefited from feedback and ideas from folks on this list. Feedback is welcome.
>
> This stack generates a random iv vector and uses AES-256 encryption to encode an array containing commands for interaction with a mySQL server. The server side php script that decodes the data and encodes the returned response is included.
>
> One thing I am still unsure about is the best way to generate a random string of characters that I use for the random IV (initialization vector) that is used for the encryption. I’ve included some code below, which is used to encrypt and decrypt the data sent and returned from the server. The encode and decode scripts are put into the launcher, or stack that is created when a standalone or mobile version is built.
>
> Here are the handlers. The encryption key will be more secure if it is obfuscated by putting it in as a property of a control or hidden in some way. I am wondering if the generation of the random seed is optimum.
>
> Feedback welcome.
>
> local theRandomSeed
>
> -- Returns n bytes drawn from LiveCode's random(), which is a seeded
> -- PRNG (see setRandomSeed below), not a cryptographic generator.
> function randomChrs n
>    if theRandomSeed = "" then
>       setRandomSeed
>    end if
>    put "" into tChars
>    repeat with i = 1 to n
>       -- random(256) returns 1..256; numToNativeChar needs 0..255
>       put random(256) - 1 into nChar
>       put numToNativeChar(nChar) after tChars
>    end repeat
>    return tChars
> end randomChrs
>
> -- Derives the seed from the clock.
> on setRandomSeed
>    put the milliseconds into tMS
>    put trunc(tMS / 10000000) into tDiv
>    put tMS mod tDiv into theRandomSeed
>    set the randomSeed to theRandomSeed
> end setRandomSeed
>
> -- 16 bytes = one AES block, the IV length AES-256-CTR expects.
> function theRandomIV
>    if theRandomSeed = "" then
>       setRandomSeed
>    end if
>    put randomChrs(16) into tIVBytes
>    return tIVBytes
> end theRandomIV
>
> -- This handler encodes the data. First it generates a random
> -- initialization vector (iv), then encrypts the data and
> -- prepends the base64 iv to the encoded data.
> -- tArray is an array that controls the action of the php script.
> function theEncoded tArray
>    put theRandomIV() into tIV
>    put base64Encode(tIV) into tB64IV
>    put ArrayToJSON(tArray, "string", "") into tJson
>    put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
>    put "AES-256-CTR" into tCipher
>    encrypt tJson using tCipher with key tEncryptionKey and IV tIV
>    put base64Encode(it) into tDataToSend
>    -- comment out next statement if iv not included in data
>    put tB64IV & tDataToSend into tDataToSend
>    return tDataToSend
> end theEncoded
>
> -- This decodes the data that is returned by the php on the
> -- remote server.
> -- The iv is expected as the first 24 bytes of the returned data
> -- (24 base64 characters = 16 raw bytes).
> function theDecoded tData
>    put byte 1 to 24 of tData into tIVB64
>    put base64Decode(tIVB64) into tIV
>    put the number of bytes in tData into n
>    put byte 25 to n of tData into tRetB64Data
>    put base64Decode(tRetB64Data) into tRetData
>    put "AES-256-CTR" into tCipher
>    put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
>    decrypt tRetData using tCipher with key tEncryptionKey and IV tIV
>    put it into tReturn
>    return tReturn
> end theDecoded
> -- End of handlers that should be in the main stack
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
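The wire format the quoted handlers agree on with the PHP side (24 base64 characters of IV, then the base64 AES-256-CTR ciphertext), written out as an added example in Go rather than LiveCode; it is not code from the post or from the demo stack. It draws the IV from the operating system's CSPRNG, which is what an IV generator should use rather than a clock-seeded PRNG, and rejects inputs too short to carry the prefix. The key is a constructed placeholder and the function names are my own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)
// Constructed placeholder AES-256 key: a real key comes from a CSPRNG, not a literal.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
const ivB64Len = 24 // base64 length of a 16-byte AES IV, as theDecoded assumes
// encodeMessage mirrors theEncoded: fresh IV from the OS CSPRNG (crypto/rand,
// never a seeded PRNG), AES-256-CTR, then base64(iv) followed by base64(ct).
func encodeMessage(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key) // errors on a key that is not 16/24/32 bytes
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return base64.StdEncoding.EncodeToString(iv) + base64.StdEncoding.EncodeToString(ct), nil
}
// decodeMessage mirrors theDecoded (IV prefix, then ciphertext) but rejects
// short or malformed input instead of feeding it to the cipher.
func decodeMessage(key []byte, data string) ([]byte, error) {
	if len(data) < ivB64Len {
		return nil, errors.New("data shorter than the 24-byte IV prefix")
	}
	iv, err := base64.StdEncoding.DecodeString(data[:ivB64Len])
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("malformed IV prefix")
	}
	ct, err := base64.StdEncoding.DecodeString(data[ivB64Len:])
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct) // CTR decrypt is the same XOR
	return pt, nil
}
func main() {} // keeps the file buildable on its own; callers use the two functions above
```

Two calls to encodeMessage with the same key must never yield the same IV prefix; that is the property the clock-based seed in the post is meant to provide and the OS CSPRNG guarantees.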