Apologies for the long post, but I hope that it will answer you question.
-----------------------------------------------------
ENCRYPTING DATA WITH AES
-----------------------------------------------------
There are many ways to encrypt data, using mathematical methods called 'ciphers'. As clever as the ciphers are, so are the code breakers, and eventually they come up with mathematics that render the cipher useless - ie., it becomes relatively easy to guess the password/passphrase used to encode the data.
At the moment, the 'AES-256' cipher is considered to be 'safe'. One particularly good thing about it, is that it is quite quick to encode data with, even for large amounts of data. One bad thing about it, is that it is what is called a 'symmetrical' encryption cipher, meaning that the same 'key' (a password or passphrase) is used to both encrypt and decrypt the data. In order to increase the security of the encryption, you can also use a 'salt' - a small, random sequence of characters - that will further 'scramble' the encrypted data. But that means that in order to decrypt it, you will need both the password and the salt at the other end.
To encrypt any data with AES-256 in LiveCode:
1) put the data to be encrypted into a variable, like 'tData'
2) put the password or passphrase into a variable, like tPassword
3) put 8 random characters into a variable, like tSalt
4) encrypt the data with:
Code: Select all
encrypt tData using "aes256" with password tPassword and salt tSalt
To decrypt the same data:
1) put the encrypted data into a variable - tData
2) put the password or passphrase into a variable - like tPassword
3) put the same salt characters into tSalt
4) decrypt the data with:
Code: Select all
decrypt tData using "aes256" with password tPassword and salt tSalt
-----------------------------------------------------
THE PASSWORD PROBLEM
-----------------------------------------------------
The problem with symmetrical encryption, however, is that the key must be known in order for you to encode and decode the message. This means, that if you want to use this to send/receive information in your programs, both the sender and receiver will have to know the key. If you hard-code the key into your program, a hacker can try to decompile your code and retrieve the key from it. The fact that you have to know or keep the password at hand, is just not safe.
So, the problem is: I *do* want to send my encrypted data using AES-256, as it is quite safe. But I don't want to have the sender or the receiver know the password beforehand, or have to keep it in the system - all of which cause major security holes.
-----------------------------------------------------
ENCRYPTING PASSWORDS WITH RSA
-----------------------------------------------------
Another method of encrypting data is using private and public keys. In this kind of encryption, the public key can be distributed publicly and seen by everyone, because you cannot guess the private key by the public key alone. The public key is used to encrypt data that you want to be seen only by the holder of the private key. The private key can then be used to decrypt the data - the public key cannot do that. The private key can also be used to 'sign' data, so that people with the public key can confirm that the data really came from the private key holder.
The problem with public-private key encryption is that, due to the mathematics involved, you can only encrypt a relatively small amount of data - an amount smaller than the size of your key. Although you could, in theory, 'break down' the data to be encrypted into encodable chunks, you would not do this for two reasons: this kind of encryption is slow, and doing this makes it much easier for hackers to guess your private key. So, you should only really encrypt a small amount of data with this kind of encryption - like, for instance, a password...
LiveCode uses RSA for public-private key encryption. You need to generate a public and private key pair, first. The LiveCode dictionary has instructions on how to do that using the command line. The instructions are easy to follow, but I would recommend that you create a key that is 4096 bits, not 512 - a key that small is considered insecure nowadays.
In order to encrypt a password/passphrase with RSA in LiveCode:
1) put the password/passphrase into a variable, like tPassword
2) put the public key into a variable, such as tPublicKey
3) encrypt the password with:
Code: Select all
encrypt tPassword using rsa with public key tPublicKey
In order to decrypt the password/passphrase using the private key:
1) put the encrypted password into a variable - tPassword
2) put the private key into a variable, like tPrivateKey
3) decrypt the password:
Code: Select all
decrypt tPassword using rsa with private key tPrivateKey
-----------------------------------------------------
PUTTING IT ALL TOGETHER
-----------------------------------------------------
Using both encryption methods together, we can now send any amount of data with security.
Let's say that Alice wants to send a document securely to Bob. She can do it like this:
1) Alice creates a random password - it really doesn't matter what it is - and a random salt.
2) Using the random password and salt, Alice encrypts her document using AES-256.
3) Alice has Bob's public key. Using RSA, she then encodes the *password* and *salt* with his public key.
4) Alice sends Bob the data containing: the RSA-encrypted password+salt and the AES-encrypted document.
In order for Bob to receive it, he does this:
1) Bob separates the RSA-encrypted data (encrypted password+salt) from the AES-encrypted one (document).
2) Bob decrypts the password and salt using his RSA private key.
3) Using the decrypted password and salt, Bob now decrypts the document using AES.
Note that neither Alice nor Bob need to even *know* what the password and salt are, and these values can be disposed of right after they are used. This ensures that there are new passwords and salts being used all the time, which makes it more difficult for hackers to break your security.
-----------------------------------------------------
FINAL CONCERNS
-----------------------------------------------------
All encryption functions produce BINARY data, which is not safe to transmit over the internet - the data may get 'misinterpreted' or corrupted by servers along the way. In order to make binary data safe to include in your 'net transmissions, you need to encode it first. LiveCode has 'base64Encode' and 'base64Decode' functions, which are great for that.
Data in base64 format is wrapped at 72 characters, which mean that your data may end up having several return characters. This may or may not cause issues, depending on your application - you may need to further encode your data to get rid of these returns - ie., by using the URLEncode and URLDecode functions.
I hope this helps.
