utelle / SQLite3MultipleCiphers

SQLite3 encryption extension with support for multiple ciphers
https://utelle.github.io/SQLite3MultipleCiphers/
MIT License

Support for hexadecimal passwords of System.Data.SQLite/RC4 #70

Closed professor-k closed 2 years ago

professor-k commented 2 years ago

System.Data.SQLite supported hexadecimal passwords, like this: data source=mydb.sqlite;hexpassword=6d696c6b. In case I'm playing in a sandbox, and those four bytes are 'milk' in ASCII encoding, I can also access such a database with data source=mydb.sqlite;password=milk, and respectively later with SQLite3MultipleCiphers PRAGMA cipher = rc4 and PRAGMA key = 'milk'.

It's reasonable to assume that under the hood there is just binary key used by the algorithm whatsoever, so it's just a matter of finding a way to pass it down.

The problem is that when it comes to real-world databases encrypted with random sets of 32 bytes, just straight decoding them into ASCII (or into the local code page, or something similar), the chances of getting a string valid from the point of view of SQLite are pretty slim. Furthermore, SQLite doesn't allow any operators left of a pragma's equals sign, so CASTs, CHARs and ||s are not an option, and there are no variables in SQLite that I know of. So I was not able to access such databases using SQLite3MultipleCiphers. Still, I tried passing the key using both special ways (SQLCipher and sqleet) too, but obviously it didn't work.

It would be really handy if it was possible to pass hex passwords in similar way for RC4.

utelle commented 2 years ago

> [...] It's reasonable to assume that under the hood there is just binary key used by the algorithm whatsoever, so it's just a matter of finding a way to pass it down.

Typically, a hash algorithm is used to derive the actual encryption key. For the cipher schemes sqleet (ChaCha20) and SQLCipher there exist methods to use a special key syntax to circumvent the key derivation. Those methods are supported by SQLite3MultipleCiphers as well to be compatible with the original implementations of the ciphers.

> It would be really handy if it was possible to pass hex passwords in similar way for RC4.

Currently, SQLite3MultipleCiphers allows specifying hex passwords via the URI parameter hexkey (see URI parameters). However, I have to admit that it would be convenient to be able to specify hex passwords via pragma as well.

I will add pragma support for hex passwords with the next release of SQLite3MultipleCiphers.
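Added example, not part of the thread or of the project's code: a Python helper that converts a System.Data.SQLite connection string into a SQLite3MultipleCiphers URI file name carrying the key in the hexkey URI parameter mentioned above. The function names are hypothetical, the sample strings in the comments are constructed, and for text passwords only the ASCII equivalence shown in the issue is assumed.

```python
import re
from urllib.parse import quote, urlencode

# A hex key is one or more complete bytes, i.e. an even number of hex digits.
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_connection_string(conn_str):
    """Split 'k1=v1;k2=v2' into a dict with lower-cased keys."""
    pairs = {}
    for part in conn_str.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed segment: {part!r}")
        pairs[key.strip().lower()] = value.strip()
    return pairs


def is_printable_ascii(hexkey):
    """True if every key byte is printable ASCII, e.g. 6d696c6b ('milk')."""
    return all(0x20 <= b < 0x7F for b in bytes.fromhex(hexkey))


def to_uri(conn_str, cipher="rc4"):
    """Build a URI file name such as file:mydb.sqlite?cipher=rc4&hexkey=6d696c6b."""
    opts = parse_connection_string(conn_str)
    path = opts.get("data source")
    if not path:
        raise ValueError("connection string has no data source")
    if "hexpassword" in opts:
        hexkey = opts["hexpassword"]
        if not HEX_RE.fullmatch(hexkey):
            raise ValueError("hexpassword must be an even number of hex digits")
    elif "password" in opts:
        # Assumption: only ASCII text passwords, the case shown in the issue.
        hexkey = opts["password"].encode("ascii").hex()
    else:
        raise ValueError("no password or hexpassword present")
    # Percent-encode '?', '#', spaces etc. so they cannot cut the file name short.
    query = urlencode({"cipher": cipher, "hexkey": hexkey.lower()})
    return "file:" + quote(path, safe="/") + "?" + query
```

The resulting string only takes effect when the database is opened with SQLite URI file name handling enabled.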

professor-k commented 2 years ago

Thank you. I thought I missed something. In particular, all the URI parameters went under the radar for me :)

utelle commented 2 years ago

Release 1.3.10 now includes this enhancement.

professor-k commented 2 years ago

Thank you, much appreciated! (and separate thank you for fix with 40 bytes)