1

I'm on a team creating an application used in a medical setting. We are looking to store local data encrypted using AES based on passwords that are stored in an SQLite database (hashed and salted). There doesn't seem to be very much information out there on doing this. Am I missing a trick?

Edit:

As I seem to be getting down voted here's some of what I know already.

I'm assuming that I'll need to use PBKDF2 key derivation (seen on SO here). Then I'll need to do something along the lines of this answer. My issue is that all of this is C code which doesn't utilise any of the OOP niceties of C++. I'm hoping that I'm missing some nice C++ wrapper for OpenSSL or some other 3rd party library that I can use to write clean, readable and OO code to solve the problem.

P.S. I'm not being paid for this application as it's a software engineering project at Uni and the recipient of the software is a charity.

Community
  • 1
  • 1
Prydie
  • 1,807
  • 1
  • 20
  • 30
  • I'm thinking the down votes comes from being a pretty vague question. A few things: So you encrypt data that is fine, how about the password for that encryption how is that input or (please no...)stored? – r_ahlskog Feb 15 '13 at 11:33
  • I stated in the original post (pre edit) that the password is stored in an SQLite database hashed using salted SHA256. There is a login interface when the application starts and they enter the password, which is validated using the SQLite database, and then gets attached to the user object and will be used to decrypt the data. – Prydie Feb 15 '13 at 12:01
  • Sorry for doubting you, I have just been tainted by working in an industry where I have nearly facepalmed my face off from listening to peoples approaches to encryption and key-storage. Ok, so the user enters it for every session, that is good. To me you seem to be on the right track for security. As for support libs that depends on what your target is, creating a C++ wrapper for a C lib is always an option. – r_ahlskog Feb 15 '13 at 12:34
  • I totally agree. I have a reasonable grounding in security (which is why this area of the project is my responsibility). It's the C++ (Windows target) development I'm a little hazy on. – Prydie Feb 15 '13 at 13:54

1 Answers1

2

Your question now seems to focus on a object oriented cryptographic library for C++. For that question I can recommend Botan. It does seem to focus on modern computing algorithms and includes PBKDF2.

Note that I cannot vouch for the security of this library, I haven't used or evaluated it personally.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263