AES encryption over HTTP
In addition to regular HTTPS flow encryption, which is not easy to set up due to the needed certificates, mORMot offers a proprietary encryption scheme. It is based on the SHA-256 and AES-256/CTR algorithms, so it is known to be secure.
You do not need to set up anything in the server or the client configuration,
just run the
classes with the corresponding parameters.
Note that this encryption uses a global key for the whole process, which
must match on both the Server and Client sides. It is best to hard-code this
shared key in your Client and Server Delphi applications, with some variants
depending on each end-user service. You can use
CompressShaAesSetKey() as defined in
set globally this Encryption Key, and an optional Initialization Vector. You
can even customize the AES chaining mode, if the default
mode is not what you expect.
When the aHttpServerSecurity parameter is set to
secSynShaAes for the
constructor, this proprietary encryption will be enabled on the server side:
MyServer := TSQLHttpServer.Create('888',[DataBase],'+',useHttpApiRegisteringURI,32,secSynShaAes);
On the client side, you can just set the
TSQLHttpClientGeneric.Compression property as expected:
MyClient.Compression := [hcSynShaAes];
Once those parameters have been set, a new proprietary encoding will be defined in the HTTP headers:
Then all HTTP body content will be compressed via our SynLZ algorithm, and encoded using the very secure AES-CTR/256 encryption.
Since it is a proprietary algorithm, it will work only for Delphi clients.
When accessed from a plain AJAX client, or a Delphi application with
TSQLHttpClientGeneric.Compression = , there won't be any
encryption at all, due to the way HTTP accepts its encoding.
For safety, you should therefore use it in conjunction with our per-URI Authentication.
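The fallback described above can be modelled as ordinary HTTP content-coding negotiation. The following is an added example, not mORMot code and not part of the original post: it lists which clients would receive a clear-text body, and whether they are also unauthenticated. The coding name x-proprietary-aes is a placeholder (the page does not show the real header value), and the function names and sample requests are constructed for illustration.

```python
# Model of HTTP content-coding negotiation (illustrative, not mORMot code).
# ENC_TOKEN is a placeholder: the real coding name is not shown on the page.
ENC_TOKEN = "x-proprietary-aes"

def parse_accept_encoding(header):
    """Parse an Accept-Encoding value into {coding: qvalue}."""
    codings = {}
    for item in (header or "").split(","):
        name, _, params = item.strip().partition(";")
        if not name:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat as not acceptable
        codings[name.strip().lower()] = q
    return codings

def negotiate(accept_encoding):
    """Coding a server applies when encryption is only offered as a coding."""
    q = parse_accept_encoding(accept_encoding).get(ENC_TOKEN, 0.0)
    return ENC_TOKEN if q > 0 else "identity"

def audit(requests):
    """Return (client, finding) for every response that leaves unencrypted.
    Each request is (client, accept_encoding, authenticated)."""
    findings = []
    for client, accept, authenticated in requests:
        if negotiate(accept) == "identity":
            finding = "plaintext" if authenticated else "plaintext, unauthenticated"
            findings.append((client, finding))
    return findings

# Constructed sample requests (not captured traffic).
SAMPLE = [
    ("delphi-client", "x-proprietary-aes", True),
    ("ajax-browser", "gzip, deflate", False),
    ("delphi-no-compression", "", True),
    ("coding-refused", "x-proprietary-aes;q=0, gzip", True),
]

if __name__ == "__main__":
    for client, finding in audit(SAMPLE):
        print(f"{client}: {finding}")
```

Only the first sample client gets an encrypted body; the other three are served in clear text, which is why the encoding alone cannot be relied on as an access control.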
Feedback is welcome on our forum, as usual!