General philosophy of encryption / decryption (Windows)


#1

Hi

A brief explanation in order to understand the mode of operation of the sqlite encryption / decryption with sqlcipher?

Decrypt the entire database and works with a memory copy?

Decrypts metadata at the beginning and the rest of the information when it is needed?

How it works

Thanks in advance


#2

Hello @jocaro - the SQLCipher Design page should answer most of your questions. Let us know if you have any others after reading through that document.


#3

Hi !

Can you explain me please some terminology that is used in brief description of SQLCipher security features:

  1. What do you mean by the vaulted key (i’ve been googleing for explanation all day long, but i haven’t found anything).
  2. Can you explain what do you mean by the next feature:
  • When encrypted, the entire database file appears to contain random data.
  • What random data is contained after encrypting ?
  • What source of entropy do you use for random data and salt?

Thnx a lot


#4

Hi @Vdk

SQLCipher support accepting a password, which by default with be run through PBDKF2 using an iteration length of 64,000 (by default, but configurable) to compute the key used for encryption/decryption. Alternatively, if you have a source that has already performed some key derivation/generation process, where the key is generated and/or stored out of band from SQLCipher, you can provide a raw key, that is a blob literal, formatted as a 64 character hex string in which the standard key derivation process is skipped. A raw key will be converted into 32 bytes of key data.

When encrypted, the entire database file appears to contain random data.

When viewing the raw hex content of a plain-text SQLite database, you can see the literal schema and content of the database. Alternatively, when viewing the hex content content of a SQLCipher encrypted database, all content from the file appears random. An illustrated example can be found here:

What random data is contained after encrypting ?

The entire contents of the file appear random, as opposed to the structured view of the raw content.

What source of entropy do you use for random data and salt?

This depends on the crypto provider that SQLCipher was built with. By default, SQLCipher will attempt to build with OpenSSL in which we will use RAND_bytes. If compiled with CommonCrypto we utilize SecRandom, and finally fortuna_read for LibTomCrypt.


#5

Oh, didn’t realise LibTomCrypt was an option. It’s not something I personally use, but one of the main project guys for it pinged me earlier today mentioning they’ll likely cut a new release next month (after 7 years! :grin:). Just a heads up I guess. :wink:


#6

Hi @justinclift

Nice, thanks for sharing, we’ll keep that on our radar!