
Does anyone know how to generate a key from a plain-text password? I mean a secure key derivation function with salt.

i.e.

```delphi
function KeyDerivationProc(APassword : String) : String;
begin
     // ...
end;
```

I'm using Delphi (2010). I thought about DCPcrypt2 and OpenPGPBlackbox, but I'm really lost here.

Any help would be greatly appreciated, thanks!

TheDude
  • There is no general answer here; it is specific to the implementation of the library used. You need to evaluate the library (i.e. play with the demo projects) to figure out how it is used. – Hendra Sep 25 '12 at 01:11
  • SecureBlackbox 10 (now in pre-release state) offers both Key derivation and BCrypt functions (and both have been added in version 10). – Eugene Mayevski 'Callback Sep 25 '12 at 19:15
  • @EugeneMayevski'EldoSCorp: Yep, I indeed finally went with SecureBlackbox 10 after all :) – TheDude Sep 26 '12 at 00:06

1 Answer

For PBKDF2, which is more or less the standard, you can only get the Chilkat libs it seems:

http://www.example-code.com/delphi/crypt2_pbkdf2.asp

So you might be better off looking at bcrypt, for which an implementation is on this spectacular site, and if you search for it, a few others as well.

Maarten Bodewes
  • DCPcrypt already has this inbuilt with the InitStr procedure: `procedure InitStr(const Key: string; HashType: TDCP_hashclass);` – Shambhala Sep 24 '12 at 22:43
  • @Shambhala good to know, because Googling for DCPcrypt and bcrypt gave me 0 usable results (which is not a good sign for a crypto library to be honest) – Maarten Bodewes Sep 24 '12 at 22:52
  • @WarrenP: Well, as you seem to be a high ranking stackoverflow Delphi expert, I'll happily take your word for it. And it was the lib that Gdhami was wanting to use anyway. – Maarten Bodewes Sep 24 '12 at 23:12
  • I'm indeed looking for something **exactly** like the Chilkat code (with salt & iteration count) but to be honest the use of ActiveX in Delphi is an *absolute no-no* for me. – TheDude Sep 25 '12 at 05:12
  • The TBCrypt code you mentioned seems to be what I'm after, but I'm worried about the code quality (no offense, but how secure is it? I'm no security expert, so I can't decide / know) – TheDude Sep 25 '12 at 05:13
  • @Shambhala and @WarrenP: Care to expand please? I read the `InitStr()` code, but I'm not sure how to set/change dynamic salt / iteration count. I'm not sure either how I can use DCPcrypt with bcrypt – TheDude Sep 25 '12 at 05:18
  • @Gdhami - The security issue is not that important here, because you can just compare the hashes with other implementations of BCrypt (e.g. PHP's crypt). You are probably concerned about the security of the algorithm, not of the implementation; if the library returns correct results you may use it. – martinstoeckli Sep 25 '12 at 08:56
  • Does this related question show you enough of how to do bcrypt? http://stackoverflow.com/questions/9710205/is-there-a-bcrypt-implementation-available-for-delphi – Warren P Sep 27 '12 at 03:00
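
Following the suggestion in the comments to compare a library's output with other implementations, here is an added example (not from the thread or from any of the libraries mentioned) of PBKDF2 with salt and iteration count, written in Python so it can serve as a reference when checking a Delphi implementation. The function names, the 16-byte salt, the 100,000 iteration default and the UTF-8 encoding are assumptions of this example; the two test vectors are from RFC 6070.

```python
import hashlib
import hmac
import os
import struct


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha1") -> bytes:
    """PBKDF2 (RFC 2898) written out block by block on top of HMAC."""
    if iterations < 1 or dklen < 1:
        raise ValueError("iterations and dklen must be positive")
    hlen = hashlib.new(hash_name).digest_size
    derived = b""
    block = 1
    while len(derived) < dklen:
        # U_1 = HMAC(password, salt || 32-bit big-endian block index)
        u = hmac.new(password, salt + struct.pack(">I", block), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            # U_n = HMAC(password, U_{n-1}); the block is the XOR of all U_n
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
        block += 1
    return derived[:dklen]


# PBKDF2-HMAC-SHA1 test vectors from RFC 6070: (P, S, c, dkLen, expected hex)
RFC6070 = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
]


def matches_rfc6070(kdf) -> bool:
    """True if kdf(password, salt, iterations, dklen) reproduces every vector."""
    return all(kdf(p, s, c, n).hex() == want for p, s, c, n, want in RFC6070)


def derive_key(password: str, salt: bytes = None, iterations: int = 100_000,
               dklen: int = 32):
    """Derive a key with a fresh random salt; store salt and count with the result."""
    if salt is None:
        salt = os.urandom(16)  # new salt per password
    # Encode explicitly: a Delphi 2010 string is UTF-16, so both sides must
    # agree on the byte encoding or the derived keys will differ.
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)
    return salt, iterations, key
```

Feeding the same password bytes, salt and iteration count to the Delphi library and comparing the hex output against `pbkdf2` (or the RFC 6070 vectors) shows whether that implementation is correct.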