Improving an Encrypted Database's Security
A better way to handle the encryption key is to tie it to a user-entered password. Because the key must be 16 bytes in length, you'd need to add some magic that would pad or trim the supplied password accordingly. An even better solution is to use an encryption mechanism on a user-supplied password. There are two ways of doing so, both of which involve calling on an ActionScript library:
In theory, the ActionScript 3.0 core library includes the EncryptionKeyGenerator class. I say "in theory" because, at the time of this writing, three months after the release of Adobe AIR 1.5, the prebuilt ActionScript 3.0 core library (version .92.1), still doesn't include this class. Eventually, using the EncryptionKeyGenerator class will be the logical choice. Once it's properly supported, see the Adobe documentation for instructions on its usage.
In the interim, the ActionScript 3.0 crypto library will more than suffice. It defines a number of useful encryption-related functions, such as those for creating an MD5 hash of a string. (A hash is a relatively secure mathematical representation of something.) To use an MD5 hash (or, later, the core library) in an Ajax AIR project, you have to jump through a couple of hoops:
- Download the as3crypto.swc file.
- Rename the downloaded file as as3crypto.zip.
- Extract everything from the newly created zip file (that is, treat it as if it were always a zip file).
- From the extracted files, rename the library.swf file as as3crypto.swf.
Once you have the SWF file, you can add it to your HTML project and include it as follows:
<script type="application/x-shockwave-flash" src="lib/as3crypto.swf" />
From the cryptography library, we want to use the MD5 class's hash() function. That function takes a ByteArray object as an argument and returns a 16-bit ByteArray object. Start by creating the input ByteArray object, using the user-supplied password:
var key = new air.ByteArray(); key.writeUTFBytes('Actual User Password');
The length of the password doesn't matter in this case.
Now create an MD5 object:
var crypto = new window.runtime.com.hurlant.crypto.hash.MD5();
Next, invoke the hash() method of that object:
var newKey = crypto.hash(key);
Now this newKey ByteArray object is a secure, 16-bit piece of data that can be used with an encrypted database.