Why OpenSSL? OpenSSL is the reference library for cryptography and secure TLS/HTTPS communication. It is part of most Linux/BSD systems, and covers a lot of use cases and algorithms. Even if it had some vulnerabilities in the past, it has been audited and validated for business use. Some algorithms […]
In the last weeks/months, we worked a lot with FPC.
Delphi is still our main IDE, due to its better debugging experience under Windows, but we target to have premium support of FPC, on all platforms, especially Linux.
The new Delphi Linux compiler is out of scope, since it is heavily priced,
its performance is not so good, and ARC broke memory management so would need a
deep review/rewrite of our source code, which we can't afford - since we have
FPC which is, from our
opinion, a much better compiler for Linux.
Of course, you can create clients for Delphi Linux and FMX, as usual, using the cross-platform client parts of mORMot. But for server side, this compiler is not supported, and will probably never be.
A common feature request for professional software is to prevent abuse of
For licensing or security reasons, you may be requested to "lock" the execution of programs, maybe tools or services.
Our Open-Souce mORMot framework can leverage
Asymmetric Cryptography to ensure that only allowed users could run some
executables, optionally with dedicated settings, on a given computer.
It offers the first brick on which you may build your own system upon.
From the User point of view, he/she will transmit
firstname.lastname@example.org file, then receives a corresponding
email@example.com file, which will unlock the application.
Pretty easy to understand - even if some complex asymmetric encryption is involved behind the scene.
JSON Web Token (
JWT) is an open standard (RFC 7519) that defines a compact
and self-contained way for securely transmitting information between parties as
a JSON object. This information can be verified and trusted because it is
digitally signed. JWTs can be signed using a secret (with the HMAC algorithm)
or a public/private key pair using RSA or ECDSA.
They can be used for:
- Authentication: including a
JWTto any HTTP request allows Single Sign On user validation across different domains;
- Secure Information Exchange: a small amount of data can be stored in the JWT payload, and is digitally signed to ensure its provenance and integrity.
See http://jwt.io for an introduction to JSON Web Tokens.
Our mORMot framework now implements
ES256(256-bit ECDSA) algorithms (with the addition of the
- Validates all claims (validation dates, audiences, JWT ID);
- Thread-safe and high performance (2 µs for a
HS256verification under x64), with optional in-memory cache if needed (e.g. for slower
- Stand-alone and cross-platform code (no external
dll, works with Delphi or FPC);
- Enhanced security and strong design - per instance, it is by design immune from https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries
- Full integration with the framework.
In order to follow best practice, our
.private key files are
always protected by a password. A random value with enough length and
entropy is always proposed by the
ECC tool when a key pair is
generated, and could be used directly.
It is always preferred to trust a computer to create true randomness (and
TAESPRNG was designed to be
the best possible seed, using hardware entropy if available), than using our
human brain, which could be defeated by dictionary-based password
Brute force cracking would be almost impossible, since
PBKDF2_HMAC_SHA256 Password-Based Key Derivation Function with
60,000 rounds is used, so rainbow tables (i.e. pre-computed passwords list)
will be inoperative, and each password trial would take more time than with a
regular Key Derivation Function.
The issue with strong passwords is that they are difficult to remember. If
you use not pure random passwords, but some easier to remember values with good
entropy, you may try some tools like https://xkpasswd.net/s which returns values like
But even then, you will be able to remember only a dozen of such passwords. In a typical public key infrastructure, you may create hundredths of keys, so remembering all passwords is no option for an average human being as (you and) me.
At the end, you end up with using a tool to store all your passwords (last
trend is to use an online service with browser integration), or - admit it -
store them in an
Excel document protected by a password. Most IT
people - and even security specialists - end with using such a mean of storage,
just because they need it.
The weaknesses of such solutions can be listed:
- How could we trust closed source software and third-party online services?
- Even open source like http://keepass.info/help/base/security.html may appear weak (no PBKDF, no AFSplit, managed C#, SHA as PRNG);
- The storage is as safe as the "master password" is safe;
- If the "master password" is compromised, all your passwords are published;
- You need to know the master password to add a new item to the store.
ECC tool is able to work in "cheat mode", storing all
.private key files generated passwords in an associated
.cheat local file, encrypted using a
As a result:
- Each key pair will have its own associated
.cheatfile, so you only unleash one key at a time;
.cheatfile content is meaningless without the
cheat.privatekey and its master password, so you can manage and store them together with your
- Only the
cheat.publickey is needed when creating a key pair, so you won't leak your master password, and even could generate keys in an automated way, on a distant server;
cheat.privatekey will be safely stored in a separated place, only needed when you need to recover a password;
- It uses strong File Encryption, with proven PBKDF, AFSplit, AES-PRNG, and ECDH/ECIES algorithms.
After weeks of implementation and testing, we introduce today a new feature of our mORMot Open-Source Framework.
Asymmetric encryption, also known as public-key cryptography, uses pairs of keys:
- Public keys that may be disseminated widely;
- Paired with private keys which are known only to the owner.
SynEcc unit features a full asymmetric encryption system, based on
cryptography (ECC), which may be used at application level (i.e. to
protect your application data, by signing or encrypting it), or at transmission
level (to enhance communication safety).
A full set of high-level features, including certificates and command line tool, offers a stand-alone but complete public-key infrastructure (PKI).