Encryption library for Delphi

Question

I'm looking for a free and up to date encryption library for Delphi 2010 that implements RSA and AES (Rijndael).

I want a free library because I plan to write and publish some sample code that will use it.

A Delphi 2010 version of TurboPower LockBox has been posted to the SongBeamer site, that implements both of these, but I'm concerned that it's getting a little old. For example, small RSA key sizes and no new security features for many years.

Update: Is the perception that LockBox is out of date or lacks important features incorrect? Is it still relevant for production development? (Particularly the RSA key sizes)

Answer 1

I have not tried it in D2010, but DCPcrypt supposedly works in D2009.

Answer 2

Looks like the D2010 work is done:

TurboPower LockBox . Data Encryption . Sep 04 2009 . Download

Status: Should be working fine.
This library has been extended so that it supports encryption of Ansi and UnicodeStrings.
09/04/2009
* Delphi 2010 packages
* should compile without hints and warnings

Answer 3

• As mentioned by Argalatyr, DCPCrypt works with Delphi 2009 but it doesn't do RSA;

• ChillKat does support RSA and AES for Delphi, but it's not free;

• Sergey Kirichenko made a free Rijndael implementation that you can download here: http://rcolonel.tripod.com/dwnload/rc_rnd.zip. The files are dated november 2000, so I don't know if it'll work directly in the newer Delphi's.

• There used to be a zipfile with Delphi code for download here: http://ace.ulyssis.student.kuleuven.ac.be/~triade/GInt/bin/RSA.zip, but the developer probably finished his study and the university removed his homepage. On this chinese webpage I could see the contents of the file (search for RSA.pas on the page and click the link).

I don't know exactly what you mean with "long in the tooth" (old?), but I'd just go for Lockbox, because it provides everything you need. Except for the 2009 update, the last official changes were made in 2003. But hey, if it works it works.

Answer 4

Hi Bruce i use this library since Delphi 5,

Delphi Encryption Compedium Part I v.5.2

• Complete Rewrite of the former DEC 3, Update to the DEC 5.1 (released back in 2006)
• Many Ciphers (Blowfish, Twofish, 3DES, Rijndael...)
• Many Hashs (MD2/4/5, SHA1-512, RipeMD128-320...)
• Checksum Functions (CRC32, CRC16...)
• Text conversion Functions (MIME Base 64, XX/UU Coding...)
• Secure Random Number Functions
• with Ciphers encryption in Modes (CTS/CBC/CFB/OFB/ECB...)
• Full and easy object oriented
• Highly optimized, fast core
• Supports ANSI and Unicode in D2009 (and below by using WideStrings)...

Is Freeeware and With Sorce Code, unfortunately does not implement RSA.

Answer 5

For sample code LockBox may be ok, but I would not use it in production any longer. Encryption does go "long in the tooth". Algorithms become old. Previously undiscoverd flaws, improved cryptoanalysis techniques, mathematical advancements, increasing processor power make once secure algorithms and key sizes no longer enough secure. 3DES, MD5, SHA-1 are already considered not enough. Attacks against AES have been recently published (http://eprint.iacr.org/2009/374). The minum recommended RSA key size is now 1024 bits, while 2048 and 3072 keys are recommended if data needs to be protected for years. Lockbox offers only keys of 1024 bits or less. The right block cipher mode has to be selected too. And LockBox TLbRijndael (AES) class by default uses ECB which has known flaws, and don't offer anything more than CBC. Due to the importance electronic security gained in these years, and the consequent researches both by good and bad guys, a seven years old library is really old - just recompiling it and adding support for UTF-16 strings is not enough. Be aware that false security is worse than no security at all. If a system administrator is told "we don't have any security in place" he will work to implement security himself (say IPSec, VPNs or the like). If he's told "yes, we have RSA and AES!" he will feel ok, even if your implementation of AES and RSA is outdated and no longer secure.

Answer 6

The RSA algorithm is not necessarily out of date, but the key size is important. It is still used regularly all over the place. An RSA key length of 3072 bits should be used if security is required beyond 2030. This is just a function of the improvements in computing power and not a weakness in the algorithm.

I was looking at the LockBox prior to SongBeamer starting to maintain it (Delphi 2007) I found the RSA unstable - just crashing or producing wrong results from time to time. It may have been fixed since then though. If you are going to use it, make sure it supports the key lengths you need, and then create some automated tests with known inputs and outputs. Make sure it runs stable. If it does, then use it by all means.

You can also use the Microsoft Crypto API to do your RSA encryption. I wrote a wrapper for Delphi 2007, but have not updated it for Unicode (I know, shame on me). Someone else might be able to update it to work with Unicode easily.

Another option would be to use the .NET Framework cryptography functions via COM interoperability or something.

Answer 7

It seems like there are lots of free Delphi AES implementations. Feel free to add your favourites here.

There don't seem to be as many free RSA implementations, and very few libraries that offer both.

It looks like LockBox is still a pretty reasonable option. Especially since I don't need encryption that will take literally years to crack.

I think using Microsoft's Crypto API directly might be the most practical option.

Answer 8

Daniele Teti has released a collection of DataSnap filters for Delphi 2010, which includes hash, cipher and compression. He mentions that he may also implement asymmetric ciphers in the future.

http://www.danieleteti.it/

This is open source, so please feel free to contribute.

Answer 9

TurboPower LockBox 3.1.0 is now released. It supports:

• Delphi 2007 and Delphi 2010
• Unicodestrings for Delphi 2010
• AES, DES, 3DES, Blowfish and Twofish ciphers
• A long list of block chaining modes
• MD5 and SHA1 hashes
• RSA encryption, decryption, signature and verification
• Variable length RSA keys - Almost no contraints on the range.
• D-Unit test code
• Automatic salting
• Proper mangement of IV's (in contrast to DCPcrypt)
• White Box, Free and Open Source
• 100% visible native source code (no DLL's)

http://sourceforge.net/projects/tplockbox/ and http://lockbox.seanbdurkin.id.au/