Where is the encryption performed? On the client?
Why are you encrypting the passwords? To avoid sending them in plaintext over the network? (If so, this is ineffective, since an attacker can intercept and replay an encrypted password as easily as a plaintext one.) To avoid storing plaintext passwords on disk? (If so, what you really want is a one-way hash function. Encrypted data can be decrypted.)
Admittedly I'm guessing here, so please let me know.
Regards,
--Dave
Geert Cobbaut wrote:
Hi Dave.
Thanks for your response.
My problem is that, for the moment, I don't know anything about encryption, but I'm now forced to use these matters without getting the time to look deeper into these matters.
I only wanted to check a user-password entered in our old Caché-programs against the same user-password generated with our new programs in ASP.NET. These Rijndael-encrypted passwords are now stored in the database generated with Visual Studio.NET using System.Security.Cryptography, where a key AND a vector are used to encrypt the password.
I thought using Caché $System.Encryption to check the passwords was a good try to check user-passwords in our old Caché-programs. If this is not possible, I have some other solutions in mind.
Regards Geert
"David Shambroom" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
In order to specify an encryption function based on a block cipher you need to define several things in addition to the encryption algorithm:
1. A block padding algorithm, if the input plaintext is not guaranteed to always be a multiple of the cipher block size (16 bytes for AES, the cipher previously known as Rijndael).
2. A cipher mode. Electronic code book (ECB) is the simplest, but has several weaknesses and is not recommended. Cipher block chained (CBC) is a popular alternative that requires an initialization vector in addition to the cipher key.
3. A key generation function, if the key is derived from a password, passphrase, or other human-readable token.
The method $System.Encryption.RijndaelBase64Encode embeds an InterSystems-specific data block in the ciphertext, uses ECB mode, null padding for key generation, performs Base 64 encoding in addition to encryption, and is suitable only for use with $System.Encryption.RijndaelBase64Decode.
All this explains why you are not getting the same ciphertext from two different functions. What are you trying to accomplish? Are you encrypting passwords for later recovery? Are you using the encryption function to generate a one-way hash? If you provide more details we can advise you.
Regards,
--Dave
Geert Cobbaut wrote:
Hi all,
We have an ASP.NET-application in which we use Rijndael-encrypted passwords.
We create the password in the ASP.NET-application and store it in a Caché-database-global. So far, no problem.
Now we want to use this password in our older Caché-applications, so I want to check the password in Caché. I found a method $System.Encryption.RijndaelBase64Encode with 'text' and 'key' as arguments, but I don't get the same cipher. This seems normal as the Rijndael-encryption also needs an extra argument 'vector' to encrypt a string. But I can't find this argument in the $System.Encryption-methods.
Does anybody know why the vector-argument is not in the Caché classmethod and how this argument can be passed?
Thanks in advance.
Regards,
Geert Cobbaut SERVICO bvba Belgium
-- W. David Shambroom, Ph.D. Security Architect 617.551.2143 InterSystems Corporation [EMAIL PROTECTED]
