Re: decrypt error junk

2023-11-02 Thread Tom Glod via use-livecode
Hi Mark, Thanks for your response.
I understand.
I will try to reproduce this in an empty stack and submit a report.
Thanks,
Tom


On Thu, Nov 2, 2023 at 2:20 AM Mark Waddingham via use-livecode <
use-livecode@lists.runrev.com> wrote:

> On 2023-11-02 02:06, Tom Glod via use-livecode wrote:
> > I have found a "wrong decryption key" that does not return a bad decrypt
> > error, but returns garbage into "the result".
> > Every other wrong key correctly gives the usual error.
> > The right key works to decrypt.
>
> What exact error do you get with a wrong key vs the not-so-wrong key?
>
> > The length of the encryption/decryption key is always 64 characters.
> > It is always alphanumeric, because it's a hash derivative, no weird
> > characters, always the correct length.
> > And the salt is the same for every key I tried.
> >
> > I can program around it, but it's unsettling.
> > I will report it, but in the meantime has anyone ever come across this
> > garbage in "the result" as a result of an incorrect decryption key?
>
> So I don't think this is a bug, but expected behavior.
>
> The encrypt/decrypt operations are very low-level - they 'simply' apply
> the specified algorithm to the data.
>
> Encryption/decryption is 'just' a mathematical function which uses the
> 'key bytes' and 'input data' to derive an output - in particular,
> decryption does not include any validation checks to ensure the provided
> decryption key is what was used to encrypt in the first place - that's
> something you have to do yourself.
>
> There's a huge variety of ways to do this - but perhaps the simplest is
> to add your favorite (simple) hash of the encryption key before the data
> being encrypted:
>
> 
>
> (pseudo encryption code - I don't know exactly what form of encrypt you
> are using!):
>
>     local tKey, tHash
>     put deriveMyEncryptionKey(tPassword) into tKey
>     put md5Digest(tKey) into tHash
>
>     encrypt tHash & tData using ... with password tKey
>
> (pseudo decryption code - I don't know exactly what form of encrypt you
> are using!):
>
>     decrypt tEncryptedData using ... with password tKey
>     put it into tData -- decrypt leaves its output in 'it'
>
>     if byte 1 to 16 of tData is not md5Digest(tKey) then
>       throw "incorrect password"
>     end if
>
> 
>
> Of course I'm now slightly intrigued as to what checks OpenSSL *can*
> actually do to be able to generate a 'bad decrypt' message - so by all
> means file a bug/send a test stack to support and we can at least advise
> on that (and potentially update the docs).
>
> Warmest Regards,
>
> Mark.
>
> --
> Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
> LiveCode: Build Amazing Things
>
> ___
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>


Re: decrypt error junk

2023-11-02 Thread Mark Waddingham via use-livecode

On 2023-11-02 02:06, Tom Glod via use-livecode wrote:
> I have found a "wrong decryption key" that does not return a bad decrypt
> error, but returns garbage into "the result".
> Every other wrong key correctly gives the usual error.
> The right key works to decrypt.

What exact error do you get with a wrong key vs the not-so-wrong key?

> The length of the encryption/decryption key is always 64 characters.
> It is always alphanumeric, because it's a hash derivative, no weird
> characters, always the correct length.
> And the salt is the same for every key I tried.
>
> I can program around it, but it's unsettling.
> I will report it, but in the meantime has anyone ever come across this
> garbage in "the result" as a result of an incorrect decryption key?

So I don't think this is a bug, but expected behavior.

The encrypt/decrypt operations are very low-level - they 'simply' apply
the specified algorithm to the data.

Encryption/decryption is 'just' a mathematical function which uses the
'key bytes' and 'input data' to derive an output - in particular,
decryption does not include any validation checks to ensure the provided
decryption key is what was used to encrypt in the first place - that's
something you have to do yourself.

There's a huge variety of ways to do this - but perhaps the simplest is
to add your favorite (simple) hash of the encryption key before the data
being encrypted:




(pseudo encryption code - I don't know exactly what form of encrypt you
are using!):

    local tKey, tHash
    put deriveMyEncryptionKey(tPassword) into tKey
    put md5Digest(tKey) into tHash

    encrypt tHash & tData using ... with password tKey

(pseudo decryption code - I don't know exactly what form of encrypt you
are using!):

    decrypt tEncryptedData using ... with password tKey
    put it into tData -- decrypt leaves its output in 'it'

    if byte 1 to 16 of tData is not md5Digest(tKey) then
      throw "incorrect password"
    end if



Of course I'm now slightly intrigued as to what checks OpenSSL *can*
actually do to be able to generate a 'bad decrypt' message - so by all
means file a bug/send a test stack to support and we can at least advise
on that (and potentially update the docs).

Warmest Regards,

Mark.

--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Build Amazing Things
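
Why a wrong key can occasionally return garbage instead of an error, and how the key-hash prefix from the pseudo-code above catches it, shown as an added example (not from the original thread, and not LiveCode or OpenSSL code). It assumes a CBC-mode block cipher with PKCS#7 padding, where a well-formed padding is the only thing a bare decrypt can check; the SHA-256 Feistel cipher is a constructed toy standing in for the real cipher, and every function name here is hypothetical.

```python
import hashlib

BS, IV = 16, bytes(16)  # block size; fixed IV keeps the demo deterministic
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):  # toy Feistel cipher; reversed rounds decrypt
    L, R = blk[:8], blk[8:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + R).digest()[:8]
        L, R = R, _xor(L, f)
    return R + L

def encrypt(key, data):
    pad = BS - len(data) % BS
    data += bytes([pad]) * pad  # PKCS#7 padding
    out, prev = b"", IV
    for i in range(0, len(data), BS):
        prev = _block(key, _xor(data[i:i + BS], prev), range(4))
        out += prev
    return out

def decrypt(key, blob):
    cs = [IV] + [blob[i:i + BS] for i in range(0, len(blob), BS)]
    out = b"".join(_xor(_block(key, c, range(3, -1, -1)), p)
                   for p, c in zip(cs, cs[1:]))
    pad = out[-1]  # the padding is all a bare CBC decrypt can validate
    if not 1 <= pad <= BS or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad decrypt")
    return out[:-pad]

def seal(key, data):  # key hash first, as in the pseudo-code above
    return encrypt(key, hashlib.md5(key).digest() + data)

def unseal(key, blob):
    plain = decrypt(key, blob)
    if plain[:16] != hashlib.md5(key).digest():
        raise ValueError("incorrect password")
    return plain[16:]

def survey(n=4096):
    right = hashlib.sha256(b"abc123").hexdigest().encode()  # 64-char key
    blob, seen = seal(right, b"constructed sample data"), {}
    for i in range(n):
        try:  # constructed wrong key, same 64-char shape as the right one
            unseal(hashlib.sha256(b"wrong%d" % i).hexdigest().encode(), blob)
        except ValueError as err:  # count each failure reason
            seen[str(err)] = seen.get(str(err), 0) + 1
    return seen
```

`survey()` returns how many wrong keys failed with "bad decrypt" and how many passed the padding check and were stopped only by the key hash; roughly one wrong key in 256 falls into the second group. The key hash detects a wrong key only; it does not authenticate the ciphertext against modification.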



decrypt error junk

2023-11-01 Thread Tom Glod via use-livecode
Hi Folks,

I'm having bizarre issues with LiveCode's decrypt command. Strap in, it's a
weird one.

I have found a "wrong decryption key" that does not return a bad decrypt
error, but returns garbage into "the result".
Every other wrong key correctly gives the usual error.
The right key works to decrypt.

But this one key gives a different result.

The length of the encryption/decryption key is always 64 characters.
It is always alphanumeric, because it's a hash derivative, no weird
characters, always the correct length.
And the salt is the same for every key I tried.

I can program around it, but it's unsettling.
I will report it, but in the meantime has anyone ever come across this
garbage in "the result" as a result of an incorrect decryption key?

The even more bizarre part is that my test password was "abc123" and the
key that does not work is "abc12"  ...although those become hash
derivatives that are 64 characters, so that has nothing to do with it.
It's ...just...so weird.

I spend nearly all my working time in LiveCode these days, so I will
find all the bugs.

Thanks,
Tom