Where is Delphi crypto suite? Open letter to Embarcadero

Delphi really needs a cross-platform crypto library, as crypto is now everywhere. It seems Embarcadero has decided to fill the void by partly adopting the ancient TurboPower LockBox suite. But they are not adopting it completely, just letting someone else maintain it so they don't need to spend their own resources on it. On paper there is now a crypto library for Delphi, but in reality there is no stability, as there would be if the library were officially maintained and updated by Embarcadero.

I'm listing some of the issues with LockBox 3.5 here. It is interesting to note that I'm not an expert programmer myself, and if someone like me finds these kinds of issues, then how has this software existed and been used for so long, likely in thousands of applications that require real security?

1) The first thing is that there is basically no documentation about LockBox. Is it really only used by some old-timers who bought LockBox 1.0 some 25 years ago from TurboPower and got some documentation?

2) The real issue is that if you look at the code in the most current version, LockBox 3.5, you'll start scratching your head and asking "WTF!?". *There are plain text leaks all over the place, and it seems the practice of burning any sensitive data after use was completely unknown to the developers*.

A few examples:
{code}
procedure TLbRijndael.GenerateKey(const Passphrase: string);
begin
  TLMD.GenerateLMDKey(FKey, FKeySizeBytes, GetBytes(Passphrase));
end;
{code}
Above we see a typical example of how easy it is to leak your plain text password into memory, from where it eventually ends up in a memory dump or swap file. Note that the temporary plain text password bytes returned by the GetBytes function are never burned. The same happens when you call any LockBox hash function on a string, and in numerous other places.

But if you want to be completely sure that someone will find your plain text, then you can call EncryptString:
{code}
function TLbRijndael.EncryptString(const InString: string): string;
begin
  case CipherMode of
    cmECB : Result := GetString(TRDLBytes.RDLEncryptBytesEx(GetBytes(InString), FKey, FKeySizeBytes, True));
    cmCBC : Result := GetString(TRDLBytes.RDLEncryptBytesCBCEx(GetBytes(InString), FKey, FKeySizeBytes, True));
  end;
end;
{code}
Again notice GetBytes, which leaks plain text. But RDLEncryptBytesEx, which is used internally by the above function, creates several temp streams that are never burned.
{code}
class function TRDLBytes.RDLEncryptBytesEx(const InBytes: TBytes; const Key; KeySize: Integer; Encrypt: Boolean): TBytes;
var
  InStream  : TMemoryStream;
  OutStream : TMemoryStream;
  WorkStream : TMemoryStream;
begin
  InStream := TMemoryStream.Create;
  OutStream := TMemoryStream.Create;
  WorkStream := TMemoryStream.Create;
  InStream.Write(InBytes[0], Length(InBytes));
  InStream.Position := 0;

  if Encrypt then begin
    RDLEncryptStream(InStream, WorkStream, Key, KeySize, True);
    WorkStream.Position := 0;
    TLbBase64.LbEncodeBase64(WorkStream, OutStream);
  end else begin
    TLbBase64.LbDecodeBase64(InStream, WorkStream);
    WorkStream.Position := 0;
    RDLEncryptStream(WorkStream, OutStream, Key, KeySize, False);
  end;
  OutStream.Position := 0;
  SetLength(Result, OutStream.Size);
  OutStream.Read(Result[0], OutStream.Size);

  InStream.Free;
  OutStream.Free;
  WorkStream.Free;
end;
{code}
That code is painful to look at. What about efficiency? Error handling? Security? It seems we get bonus Base64 encoding as well (functions that operate on the TBytes type are apparently only meant for string encryption).

3) *Error handling in LockBox is non-existent; sensitive information is not burned on exception and usually also not burned after use.*

4) *Design of the suite is overly complex.*

5) For some reason copies of crypto cipher keys are kept in memory as a property of the class (and also not automatically burned on destroy), while best practice is to burn the key after initializing the cipher with key and IV.

It is a painful experience to look at this widely used crypto library with these issues. Yes, it is possible to write more secure code with LockBox by avoiding some high-level functions. But how is it possible that this situation has existed for such a long time with no one pointing it out? That tells us another thing: open source code is not always better because it is open, although many like to think that way. People just assume in good faith that it is all good, that it must be good.

My suggestion for Embarcadero is to include a crypto library with the Delphi VCL. Users need stability, and crypto is one area which especially requires stability. I don't want to worry about where I get crypto from, and if I do, does it really work? Does it work with the next Delphi release?

My recommendation is to *adopt DCPcrypt and drop LockBox*. DCPcrypt has very nice, sensible and clean architecture, and is not as complex. http://www.cityinthesky.co.uk/opensource/dcpcrypt/
-1
Ahto
7/24/2015 12:08:11 PM
embarcadero.delphi.non-tech

5 Replies
778 Views
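As an added example (not LockBox or Embarcadero code) of the burn-after-use pattern the post finds missing in GenerateKey and EncryptString: the passphrase bytes are held in a named local and zeroed in a finally block, so both the normal and the exception path clean up. BurnBytes, BurnString and DeriveKeyFromBytes are assumptions; the last is only a stand-in for the library's real key derivation so the program compiles on its own.

```pascal
program BurnSensitiveBytesDemo;
{$APPTYPE CONSOLE}

uses
  SysUtils;

{ Zero a byte array in place and release it. Assumed helper, not LockBox code. }
procedure BurnBytes(var B: TBytes);
begin
  if Length(B) > 0 then
    FillChar(B[0], Length(B), 0);
  SetLength(B, 0);
end;

{ Zero a string buffer. Strings are copy-on-write, so UniqueString first makes
  sure we overwrite our own copy rather than one shared with a caller. }
procedure BurnString(var S: string);
begin
  if S <> '' then
  begin
    UniqueString(S);
    FillChar(PChar(S)^, Length(S) * SizeOf(Char), 0);
  end;
  S := '';
end;

{ Stand-in for the library's key derivation (TLMD.GenerateLMDKey in LockBox).
  It only XOR-folds the bytes into the key and is NOT a real KDF; it raises on
  an empty source so the exception path below is exercised realistically. }
procedure DeriveKeyFromBytes(var Key; KeySize: Integer; const Src: TBytes);
var
  I: Integer;
begin
  if Length(Src) = 0 then
    raise Exception.Create('empty passphrase');
  FillChar(Key, KeySize, 0);
  for I := 0 to Length(Src) - 1 do
    PByteArray(@Key)^[I mod KeySize] := PByteArray(@Key)^[I mod KeySize] xor Src[I];
end;

{ The quoted GenerateKey passes GetBytes(Passphrase) directly as an argument, so
  the temporary lives in a compiler-managed hidden variable nothing can zero.
  A named local plus try/finally burns it whether or not derivation raises. }
procedure GenerateKeyBurned(var Key; KeySize: Integer; const Passphrase: string);
var
  PassBytes: TBytes;
begin
  PassBytes := TEncoding.UTF8.GetBytes(Passphrase);
  try
    DeriveKeyFromBytes(Key, KeySize, PassBytes);
  finally
    BurnBytes(PassBytes);
  end;
end;

var
  Key: array[0..15] of Byte;
  Pass: string;
begin
  Pass := 'correct horse battery staple';   { constructed sample passphrase }
  GenerateKeyBurned(Key, SizeOf(Key), Pass);
  BurnString(Pass);                { the caller's copy goes too, once unneeded }
  FillChar(Key, SizeOf(Key), 0);   { burn the key itself once the cipher has it }
end.
```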


I agree with you LockBox quality is not enough for any sensible application requiring true security.

> My recommendation is to *adopt DCPcrypt and drop LockBox*. DCPcrypt has very nice, sensible and clean architecture, and is not as complex. http://www.cityinthesky.co.uk/opensource/dcpcrypt/

No. My recommendation is to wrap Windows CryptoAPI (CNG, not the old one) under Windows, and wrap OpenSSL - or whatever can be a good replacement - on other platforms (don't use OpenSSL under Windows because you need to update it yourself...). If the wrap is well done, it could be cross-platform.

This way the application will always use the updated crypto libraries the platform offers and maintains, without any need for Embarcadero to have to maintain the libraries itself, or wait for some volunteer to update them.

Edited by: Luigi Sandon on Jul 24, 2015 6:35 PM
0
Luigi
7/24/2015 4:35:57 PM
I agree with you LockBox quality is not enough for any sensible application requiring true security. I've been pointing out the lack of proper security features for a long time, but no one listens to me...

> My recommendation is to *adopt DCPcrypt and drop LockBox*. DCPcrypt has very nice, sensible and clean architecture, and is not as complex. http://www.cityinthesky.co.uk/opensource/dcpcrypt/

No. My recommendation is to wrap Windows CryptoAPI (CNG, not the old one) under Windows, and wrap OpenSSL - or whatever can be a good replacement - on other platforms (don't use OpenSSL under Windows because you need to update it yourself...). If the wrap is well done, it could be cross-platform.

This way the application will always use the updated crypto libraries the platform offers and maintains, without any need for Embarcadero to have to maintain the libraries itself, or wait for some volunteer to update them.
0
Luigi
7/24/2015 4:37:32 PM
I agree with you LockBox quality is not enough for any sensible application requiring true security. I've been pointing out the lack of proper security features for a long time, but no one listens to me... <G> Probably the average Delphi developer doesn't really care about security.

> My recommendation is to *adopt DCPcrypt and drop LockBox*. DCPcrypt has very nice, sensible and clean architecture, and is not as complex. http://www.cityinthesky.co.uk/opensource/dcpcrypt/

No. My recommendation is to wrap Windows CryptoAPI (CNG, not the old one) under Windows, and wrap OpenSSL - or whatever can be a good replacement - on other platforms (don't use OpenSSL under Windows because you need to update it yourself...). If the wrap is well done, it could be cross-platform.

This way the application will always use the updated crypto libraries the platform offers and maintains, without any need for Embarcadero to have to maintain the libraries itself, or wait for some volunteers to update them as often as required.
0
Luigi
7/24/2015 4:40:55 PM
Luigi Sandon wrote:

> I agree with you LockBox quality is not enough for any sensible
> application requiring true security.
> 
> > My recommendation is to *adopt DCPcrypt and drop LockBox*. DCPcrypt
> > has very nice, sensible and clean architecture, and is not as
> > complex. http://www.cityinthesky.co.uk/opensource/dcpcrypt/
> 
> No. My recommendation is wrap Windows CryptoAPI (CNG, not the old
> one) under Windows, and wrap OpenSSL - or whatever can be a good
> replacement - on other platforms (don't use OpenSSL under Windows
> because you need to update it yourself...). If the wrap is well done,
> it could be cross-platform.
> 
> This way application will always use the updated crypto libraries the
> platform offers and maintains, without any need for Embarcadero to
> have to maintain the libraries itself, or wait for some volunteer to
> update them.
> 
> Edited by: Luigi Sandon on Jul 24, 2015 6:35 PM

Whatever goes under the hood, they need a library that will keep up
with practices and methods.  The ability to sign XML (needing C14N and
friends) is a common need.  Most/all of that stuff is available in
OpenSSL, but dandy/standardized wrappers for Delphi would be most useful.

That said, I'm holding at XE2 right now and maybe it is magically in
later versions already.

Dan
0
Dan
7/24/2015 5:05:45 PM
Emb will tell you that it is "impossible, really impossible, no one does it, exporting encryption algorithms!" - then they sell you the new encryption capabilities of Interbase....

That's why wrapping CNG - for which MS already took care of the paperwork for exporting - or OpenSSL and whatever OSX uses - which again are already available - makes sense so Embarcadero doesn't need to spend your subscription money to hire someone to fill the forms for exporting commercial cryptography.
0
Luigi
7/24/2015 6:47:06 PM