
What type of Encryption is "Legacy Encryption"?


    What type of Encryption is "Legacy Encryption"?

    All the encrypted passwords on my database for the Username and Password field in my app are using the "Password use legacy encryption" function in Control Panel -> Web Security -> Web Security Configuration -> User Id and Password Options

    This legacy encryption description is:

    Select to use the legacy encryption used by Alpha Five versions before Alpha Anywhere for new passwords.

    What exactly was the encryption method used here!?

    Thanks :D

    #2
    Re: What type of Encryption is "Legacy Encryption"?

    Why do you need to know?
    See our Hybrid Option here;
    https://hybridapps.example-software.com/


    Apologies to anyone I haven't managed to upset yet.
    You are held in a queue and I will get to you soon.



      #3
      Re: What type of Encryption is "Legacy Encryption"?

      Originally posted by Ted Giles
      Why do you need to know?
      Because we need to encrypt passwords in exactly the same way using our new component which is outside of Alpha, so that everyone's encrypted passwords are the same in every instance in our software

      Every single encryption method used in Alpha is in the documentation EXCEPT the legacy encryption method, which after doing some blackbox testing appears to be a type of Blowfish implementation



        #4
        Re: What type of Encryption is "Legacy Encryption"?

        This may help. I have gone back to V9. If you have an earlier version you are converting then I suggest you contact Lenny at Alpha.
        Hope I understand what you are after.

        V12
        Included Encryption Algorithms
        The OpenSSL DLLs distributed with Alpha Five, and used by the INET::SSLContext object and the A5_Decrypt_Binary(), A5_Decrypt_String(), A5_Encrypt_Binary(), and A5_Encrypt_String() functions, support the following encryption algorithms.
        • Blowfish
        • CAST
        • DES
        • RC2
        • RC4
        Additionally, Blowfish has several modes available. Specifying "blowfish" or not specifying any algorithm at all will default to CBC. You can explicitly specify a mode by using the following algorithm names
        • blowfish-cbc
        • blowfish-ecb
        • blowfish-cfb
        • blowfish-ofb

        V9
        The INET::SSLContext object and the A5_Encrypt_String(), functions support the following encryption algorithms.
        • Blowfish - no patent
        • DES - patent expired 6/1/1993 http://www.rsasecurity.com/rsalabs/node.asp?id=2324
        • RC2 - no patent, RSA placed it in the public domain in 1998
        • RSA - no patent, placed into public domain by RSA on 9/6/2000 http://www.rsasecurity.com/rsalabs/node.asp?id=2322
        • RC4 - no patent, but a trademark of RSA
        • IDEA - patented by Ascom ( http://www.ascom.ch/en/home_ch.htm), expires 5/25/2010. Supposedly can be used freely for non-commercial use.
        • RC5 - patented by RSA
        • DSA - patented by RSA
        See our Hybrid Option here;
        https://hybridapps.example-software.com/


        Apologies to anyone I haven't managed to upset yet.
        You are held in a queue and I will get to you soon.



          #5
          Re: What type of Encryption is "Legacy Encryption"?

          I've got the encryption turned on for passwords in the web security settings but now am trying to figure out how I can decrypt those passwords. I thought I would just be able to take the key I put in the settings and use a5_decrypt_string(pw,key) but I am getting the following error when debugging:

          Error decrypting string. Is your pass phrase correct? OpenSSL Description: error:06065604:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

          I am not putting in an algorithm or initializer to use as I would assume since I didn't set these in the web security settings anywhere then the system should have used the default CBC mode and my a5_decrypt_string() would use the same default.

          Any idea what I am missing here? Is there an extra encoding on the string when a password is set to be encrypted in the web security settings?



            #6
            Re: What type of Encryption is "Legacy Encryption"?

            Rock/ Hard place.
            Instead of relying on other people's encryption, create your own.
            Example.
            Concatenate Username and Password. Add SALT. Encrypt.
            Salt is your common denominator.
            See our Hybrid Option here;
            https://hybridapps.example-software.com/


            Apologies to anyone I haven't managed to upset yet.
            You are held in a queue and I will get to you soon.



              #7
              Re: What type of Encryption is "Legacy Encryption"?

              I thought I would just be able to take the key I put in the settings and use a5_decrypt_string(pw,key) but I am getting the following error when debugging:
              unless i am misunderstanding you, you cannot decrypt a password as your example code says, you have to decrypt what was encrypted like
              password = a5_decrypt_string(encrypted_password_string, key)
              an example
              Code:
              dim password as c
              password = "gandhi!4629"
              dim txt as c
              txt = a5_encrypt_string(password,"ggandhi344")
              ?txt
              = "B9r6R1D8gZmQq1ygQfUMfA=="
              
              dim password2 as c
              password2 = a5_decrypt_string(txt, "ggandhi344")
              ?password2
              = "gandhi!4629"
              thanks for reading

              gandhi

              version 11 3381 - 4096
              mysql backend
              http://www.alphawebprogramming.blogspot.com
              [email protected]
              Skype:[email protected]
              1 914 924 5171



                #8
                Re: What type of Encryption is "Legacy Encryption"?

                Hey Govindan! How you doing?
                See our Hybrid Option here;
                https://hybridapps.example-software.com/


                Apologies to anyone I haven't managed to upset yet.
                You are held in a queue and I will get to you soon.



                  #9
                  Re: What type of Encryption is "Legacy Encryption"?

                  very well, ted,

                  how are you? good to see you here on the board. hope all is well.
                  thanks for reading

                  gandhi

                  version 11 3381 - 4096
                  mysql backend
                  http://www.alphawebprogramming.blogspot.com
                  [email protected]
                  Skype:[email protected]
                  1 914 924 5171



                    #10
                    Re: What type of Encryption is "Legacy Encryption"?

                    That’s my fault my message was misleading, in my case my “pw” variable is the encrypted password. The issue is when I grab the encrypted password out of the database and pass it into a5_decrypt_string() I get the error I mentioned (and to be clear I am using the key I set up in the web security settings).

                    In other parts of the system I do create encrypted passwords myself using the a5_encrypt_string() function but with a different key and I have no issues using the a5_decrypt_string() function to get the original values back. So my guess is there is something special with the way the web security encrypted passwords (maybe it doesn’t use the default algorithm and therefore I need to pass in the correct algorithm mode but I don’t know what this is)?

                    I don’t want to encrypt the passwords myself before sending them to the database, I’d rather just let the web security handle all the moving parts but if I need to do that I will (though I’m sure I’m just missing something dumb that’s stopping me from decrypting the passwords already in there).



                      #11
                      Re: What type of Encryption is "Legacy Encryption"?

                      Far as I know, that's internal encryption and not exposed... thank goodness. It's completely different than the a5_encrypt_string()... again... thank goodness. It'd be too insecure otherwise. I don't think you can decrypt a security password... you're not supposed to... or be able to.



                        #12
                        Re: What type of Encryption is "Legacy Encryption"?

                        I mean being able to decrypt that encryption doesn’t seem like a bad thing or out of the ordinary considering I’m providing the key (why have me provide a key if I’m not even going to be able to decrypt with it, might as well encrypt it with a secret key if they wanted to make sure it was completely secure, or at least that’d be my philosophy in this case).



                          #13
                          Re: What type of Encryption is "Legacy Encryption"?

                          Not sure why a user key is employed. It doesn't matter to me, really... I'm just glad the password can't be decrypted using Alpha functions. Here's another discussion... focus on the posts by Jerry Brightbill.

                          https://www.alphasoftware.com/alphaf...crypt+password



                            #14
                            Re: What type of Encryption is "Legacy Encryption"?

                            this is my understanding of the current methodology,
                            if you are able to decrypt a password, then the chances of that being hacked is a lot easier than when you are not able to.
                            if the encryption is one way street then when authenticating you need to encrypt the typed in response and compare to the stored in value to authenticate it. generating a longer uuid as a key makes this difficult if not impossible. the person has to generate a uuid if by chance they find out the key is uuid then supply a password that will match the user name with that encrypted password then only they will succeed. hackers will be able to do but will take longer time and repeated attempts by then you can black list them,
                            this is my feeling, how this works. i am sure others will have their own impression on this matter. if someone tries hard enough no system is safe, just difficult.
                            thanks for reading

                            gandhi

                            version 11 3381 - 4096
                            mysql backend
                            http://www.alphawebprogramming.blogspot.com
                            [email protected]
                            Skype:[email protected]
                            1 914 924 5171

                            Comment
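What post #14 describes (a one-way transform of the typed password, compared against the stored value) and one role a site-supplied key can play in such a scheme (the question raised in posts #12 and #15), as an added Python example. It is not Alpha's legacy scheme, which this thread never identifies; the construction (salted PBKDF2 followed by an HMAC keyed with the site key) and the names SITE_KEY, ITERATIONS, make_record and verify are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed values: stand-ins for a key typed into a settings page
# and for a work factor chosen by the operator.
SITE_KEY = b"constructed-site-key-for-demo"
ITERATIONS = 600_000


def _derive(password: str, salt: bytes, site_key: bytes) -> bytes:
    # Slow, salted, one-way step: the same password yields a different
    # value for every salt, and there is no inverse function.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    # Keyed step: whoever holds only the stored records, and not
    # site_key, cannot test password guesses against them.
    return hmac.new(site_key, stretched, hashlib.sha256).digest()


def make_record(password: str, site_key: bytes = SITE_KEY) -> str:
    # Store "salt$digest"; the password itself is never stored.
    salt = os.urandom(16)
    return salt.hex() + "$" + _derive(password, salt, site_key).hex()


def verify(password: str, record: str, site_key: bytes = SITE_KEY) -> bool:
    # Login check: redo the one-way transform on the typed password
    # and compare it with the stored digest in constant time.
    try:
        salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = _derive(password, salt, site_key)
    return hmac.compare_digest(candidate, stored)
```

The key here changes what a login attempt must reproduce; it does not make the stored value reversible, which is why a decrypt call has nothing to work with under a design of this kind.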


                              #15
                              Re: What type of Encryption is "Legacy Encryption"?

                              Yeah, I get the philosophy. I was just a little confused since I was the one providing the key, just assumed the only logical reason behind that was so I could decrypt.
