(Delphi DLL) Duplicate SQL Server ENCRYPTBYPASSPHRASE

See more Encryption Examples

Demonstrates how to duplicate SQL Server's ENCRYPTBYPASSPHRASE.

Chilkat for Delphi Downloads Chilkat non-ActiveX DLL for Delphi Chilkat ActiveX DLL for Delphi * The examples here use the non-ActiveX DLL.

uses
    Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
    Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, StringBuilder, Prng, BinData, Crypt2;

...

procedure TForm1.Button1Click(Sender: TObject);
var
password: PWideChar;
encryptedHex_v1: PWideChar;
encryptedHex_v2: PWideChar;
sbEncHex: HCkStringBuilder;
crypt: HCkCrypt2;
v1: Boolean;
ivLen: Integer;
hashAlg: PWideChar;
ivHex: PWideChar;
sbPassword: HCkStringBuilder;
pwd_hash: PWideChar;
sbKey: HCkStringBuilder;
bd: HCkBinData;
plainText: PWideChar;
encryptor: HCkCrypt2;
prng: HCkPrng;
plainTextLen: Integer;
bdData: HCkBinData;
sbEnc: HCkStringBuilder;

begin
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// For SQL Server 2008 - SQL Server 2016 we must use TripleDES with SHA1
// For SQL Server 2017 and later, use AES256 / SHA256.

password := 'tEst1234';
encryptedHex_v1 := '0x010000001E8E7DCDBD4061B951999E25D18445D2305474D2D71EEE98A241C755246F58AB';

// Here's an encrypted string using AES256/SHA256
encryptedHex_v2 := '0x02000000FFE880C0354780481E64EF25B6197A02E2A854A4BA9D8D9BDDFDAB27EB56537ABDA0B1D9C4D1050C91B313550DECF429';

sbEncHex := CkStringBuilder_Create();
CkStringBuilder_Append(sbEncHex,encryptedHex_v1);

// If present, we don't want the leading "0x"
if (CkStringBuilder_StartsWith(sbEncHex,'0x',False) = True) then
  begin
    CkStringBuilder_RemoveCharsAt(sbEncHex,0,2);
  end;

crypt := CkCrypt2_Create();
CkCrypt2_putEncodingMode(crypt,'hex');

// The encrypted hex string will begin with either 01000000 or 02000000
// version 1 is produced by SQL Server 2008 to SQL Server 2016, and we must use TripleDES with SHA1
// version 2 is for SQL Server 2017 and later, and uses AES256 / SHA256.
v1 := CkStringBuilder_StartsWith(sbEncHex,'01',False);

ivLen := 0;

if (v1 = True) then
  begin
    CkCrypt2_putCryptAlgorithm(crypt,'3des');
    CkCrypt2_putCipherMode(crypt,'cbc');
    CkCrypt2_putKeyLength(crypt,168);
    ivLen := 8;
    hashAlg := 'sha1';
  end
else
  begin
    CkCrypt2_putCryptAlgorithm(crypt,'aes');
    CkCrypt2_putCipherMode(crypt,'cbc');
    CkCrypt2_putKeyLength(crypt,256);
    ivLen := 16;
    hashAlg := 'sha256';
  end;

// Remove the SQL Server version info (i.e. the "01000000")
CkStringBuilder_RemoveCharsAt(sbEncHex,0,8);

// Get the IV part of the sbEncHex, and also remove it from the StringBuilder.
ivHex := CkStringBuilder__getRange(sbEncHex,0,ivLen * 2,True);
Memo1.Lines.Add('IV = ' + ivHex);
CkCrypt2_SetEncodedIV(crypt,ivHex,'hex');

sbPassword := CkStringBuilder_Create();
CkStringBuilder_Append(sbPassword,password);
pwd_hash := CkStringBuilder__getHash(sbPassword,hashAlg,'hex','utf-16');
sbKey := CkStringBuilder_Create();
CkStringBuilder_Append(sbKey,pwd_hash);
if (v1 = True) then
  begin
    // For v1, we only want the 1st 16 bytes of the 20 byte hash.
    // (remember, the hex encoding uses 2 chars per byte, so we remove the last 8 chars)
    CkStringBuilder_Shorten(sbKey,8);
  end;

Memo1.Lines.Add('crypt key: ' + CkStringBuilder__getAsString(sbKey));

CkCrypt2_SetEncodedKey(crypt,CkStringBuilder__getAsString(sbKey),'hex');

// Decrypt
bd := CkBinData_Create();
CkBinData_AppendEncoded(bd,CkStringBuilder__getAsString(sbEncHex),'hex');
CkCrypt2_DecryptBd(crypt,bd);

// The result is composed of a header of 8 bytes which we can discard.
// The remainder is the decrypted text.

// The header we are discarding is composed of:
// Bytes 0-3: Magic number equal to 0DF0ADBA
// Bytes 4-5: Number of integrity bytes, which is 0 unless an authenticator is used. We're assuming no authenticator is used.
// Bytes 6-7: Number of plain-text bytes. We really don't need this because the CBC padding takes care of it.

// Therefore, just return the data after the 1st 8 bytes.
// Assuming the encrypted string was utf-8 text...
CkBinData_RemoveChunk(bd,0,8);
plainText := CkBinData__getString(bd,'utf-8');
Memo1.Lines.Add('decrypted plain text: ' + plainText);

// The output:

// IV = 1E8E7DCDBD4061B9
// crypt key: 710B9C2E61ACCC9570D4112203BD9738
// decrypted plain text: Hello world.

// ------------------------------------------------------------------------------------------
// To encrypt, do the reverse...

// Let's do v1 with TripleDES with SHA1

encryptor := CkCrypt2_Create();
CkCrypt2_putEncodingMode(encryptor,'hex');

CkCrypt2_putCryptAlgorithm(encryptor,'3des');
CkCrypt2_putCipherMode(encryptor,'cbc');
CkCrypt2_putKeyLength(encryptor,168);

// Generate a random 8-byte IV
prng := CkPrng_Create();
ivHex := CkPrng__genRandom(prng,8,'hex');
CkCrypt2_SetEncodedIV(encryptor,ivHex,'hex');

// The binary password is generated the same as above.
// We'll use the same password (and same binary password)
CkCrypt2_SetEncodedKey(encryptor,CkStringBuilder__getAsString(sbKey),'hex');

plainTextLen := 8;
plainText := 'ABCD1234';

// Encrypt the header + the plain-text.
bdData := CkBinData_Create();
CkBinData_AppendEncoded(bdData,'0DF0ADBA','hex');
CkBinData_AppendEncoded(bdData,'0000','hex');
CkBinData_AppendInt2(bdData,plainTextLen,True);
Memo1.Lines.Add('header: ' + CkBinData__getEncoded(bdData,'hex'));
CkBinData_AppendString(bdData,plainText,'utf-8');
CkCrypt2_EncryptBd(encryptor,bdData);

// Compose the result..
sbEnc := CkStringBuilder_Create();
CkStringBuilder_Append(sbEnc,'0x01000000');
CkStringBuilder_Append(sbEnc,ivHex);
CkStringBuilder_Append(sbEnc,CkBinData__getEncoded(bdData,'hex'));

Memo1.Lines.Add('result: ' + CkStringBuilder__getAsString(sbEnc));

CkStringBuilder_Dispose(sbEncHex);
CkCrypt2_Dispose(crypt);
CkStringBuilder_Dispose(sbPassword);
CkStringBuilder_Dispose(sbKey);
CkBinData_Dispose(bd);
CkCrypt2_Dispose(encryptor);
CkPrng_Dispose(prng);
CkBinData_Dispose(bdData);
CkStringBuilder_Dispose(sbEnc);

end;