
Thread: What type of Encryption is "Legacy Encryption"?

  1. #1
    Member
    Real Name
    Barns McBarns
    Join Date
    May 2017
    Posts
    2

    Default What type of Encryption is "Legacy Encryption"?

    All the encrypted passwords on my database for the Username and Password field in my app are using the "Password use legacy encryption" function in Control Panel -> Web Security -> Web Security Configuration -> User Id and Password Options

    This legacy encryption description is:

    Select to use the legacy encryption used by Alpha Five versions before Alpha Anywhere for new passwords.

    What exactly was the encryption method used here!?

    Thanks :D

  2. #2
    "Certified" Alphaholic
    Real Name
    Ted Giles
    Join Date
    Aug 2000
    Location
    In the Wolds, Louth, Lincolnshire, UK
    Posts
    4,400

    Default Re: What type of Encryption is "Legacy Encryption"?

    Why do you need to know?
    Ted Giles
    Example Consulting - UK
    .

    http://ec12.example-software.com//
    See our site for Alpha Support, Conversion and Upgrade.

  3. #3
    Member
    Real Name
    Barns McBarns
    Join Date
    May 2017
    Posts
    2

    Default Re: What type of Encryption is "Legacy Encryption"?

    Quote: Originally posted by Ted Giles
    Why do you need to know?

    Because we need to encrypt passwords in exactly the same way using our new component, which is outside of Alpha, so that everyone's encrypted passwords are the same in every instance in our software

    Every single encryption method used in Alpha is in the documentation EXCEPT the legacy encryption method, which after doing some blackbox testing appears to be a type of Blowfish implementation

  4. #4
    "Certified" Alphaholic
    Real Name
    Ted Giles
    Join Date
    Aug 2000
    Location
    In the Wolds, Louth, Lincolnshire, UK
    Posts
    4,400

    Default Re: What type of Encryption is "Legacy Encryption"?

    This may help. I have gone back to V9. If you have an earlier version you are converting then I suggest you contact Lenny at Alpha.
    Hope I understand what you are after.

    V12
    Included Encryption Algorithms
    The OpenSSL DLLs distributed with Alpha Five, and used by the INET::SSLContext object and the A5_Decrypt_Binary(), A5_Decrypt_String(), A5_Encrypt_Binary(), and A5_Encrypt_String() functions, support the following encryption algorithms.
    • Blowfish
    • CAST
    • DES
    • RC2
    • RC4
    Additionally, Blowfish has several modes available. Specifying "blowfish" or not specifying any algorithm at all will default to CBC. You can explicitly specify a mode by using the following algorithm names
    • blowfish-cbc
    • blowfish-ecb
    • blowfish-cfb
    • blowfish-ofb

    V9
    The INET::SSLContext object and the A5_Encrypt_String(), functions support the following encryption algorithms.
    • Blowfish - no patent
    • DES - patent expired 6/1/1993 http://www.rsasecurity.com/rsalabs/node.asp?id=2324
    • RC2 - no patent, RSA placed it in the public domain in 1998
    • RSA - no patent, placed into public domain by RSA on 9/6/2000 http://www.rsasecurity.com/rsalabs/node.asp?id=2322
    • RC4 - no patent, but a trademark of RSA
    • IDEA - patented by Ascom ( http://www.ascom.ch/en/home_ch.htm), expires 5/25/2010. Supposedly can be used freely for non-commercial use.
    • RC5 - patented by RSA
    • DSA - patented by RSA
    Ted Giles

  5. #5
    Member
    Real Name
    Jmo
    Join Date
    May 2013
    Posts
    367

    Default Re: What type of Encryption is "Legacy Encryption"?

    I've got the encryption turned on for passwords in the web security settings but now am trying to figure out how I can decrypt those passwords. I thought I would just be able to take the key I put in the settings and use a5_decrypt_string(pw,key) but I am getting the following error when debugging:

    Error decrypting string. Is your pass phrase correct? OpenSSL Description: error:06065604:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

    I am not putting in an algorithm or initializer to use as I would assume since I didn't set these in the web security settings anywhere then the system should have used the default CBC mode and my a5_decrypt_string() would use the same default.

    Any idea what I am missing here? Is there an extra encoding on the string when a password is set to be encrypted in the web security settings?

  6. #6
    "Certified" Alphaholic
    Real Name
    Ted Giles
    Join Date
    Aug 2000
    Location
    In the Wolds, Louth, Lincolnshire, UK
    Posts
    4,400

    Default Re: What type of Encryption is "Legacy Encryption"?

    Rock/ Hard place.
    Instead of relying on other people's encryption, create your own.
    Example.
    Concatenate Username and Password. Add SALT. Encrypt.
    Salt is your common denominator.
    Ted Giles

  7. #7
    "Certified" Alphaholic
    Real Name
    Govindan Gandhi
    Join Date
    Aug 2008
    Location
    New York, NY
    Posts
    4,294

    Default Re: What type of Encryption is "Legacy Encryption"?

    I thought I would just be able to take the key I put in the settings and use a5_decrypt_string(pw,key) but I am getting the following error when debugging:
    unless i am misunderstanding you, you cannot decrypt a password as your example code says, you have to decrypt what was encrypted like
    password = a5_decrypt_string(encrypted_password_string, key)
    an example
    Code:
    dim password as c
    password = "gandhi!4629"
    dim txt as c
    txt = a5_encrypt_string(password,"ggandhi344")
    ?txt
    = "B9r6R1D8gZmQq1ygQfUMfA=="
    
    dim password2 as c
    password2 = a5_decrypt_string(txt, "ggandhi344")
    ?password2
    = "gandhi!4629"
    thanks for reading

    gandhi

    version 11 3381 - 4096
    mysql backend
    http://www.alphawebprogramming.blogspot.com
    ggandhi344@gmail.com
    Skype:ggandhi344@gmail.com
    1 914 924 5171

  8. #8
    "Certified" Alphaholic
    Real Name
    Ted Giles
    Join Date
    Aug 2000
    Location
    In the Wolds, Louth, Lincolnshire, UK
    Posts
    4,400

    Default Re: What type of Encryption is "Legacy Encryption"?

    Hey Govindan! How you doing?
    Ted Giles

  9. #9
    "Certified" Alphaholic
    Real Name
    Govindan Gandhi
    Join Date
    Aug 2008
    Location
    New York, NY
    Posts
    4,294

    Default Re: What type of Encryption is "Legacy Encryption"?

    very well, ted,

    how are you? good to see you here on the board. hope all is well.
    thanks for reading

    gandhi


  10. #10
    Member
    Real Name
    Jmo
    Join Date
    May 2013
    Posts
    367

    Default Re: What type of Encryption is "Legacy Encryption"?

    That’s my fault, my message was misleading; in my case my “pw” variable is the encrypted password. The issue is when I grab the encrypted password out of the database and pass it into a5_decrypt_string() I get the error I mentioned (and to be clear I am using the key I set up in the web security settings).

    In other parts of the system I do create encrypted passwords myself using the a5_encrypt_string() function but with a different key and I have no issues using the a5_decrypt_string() function to get the original values back. So my guess is there is something special with the way the web security encrypted passwords (maybe it doesn’t use the default algorithm and therefore I need to pass in the correct algorithm mode but I don’t know what this is)?

    I don’t want to encrypt the passwords myself before sending them to the database, I’d rather just let the web security handle all the moving parts but if I need to do that I will (though I’m sure I’m just missing something dumb that’s stopping me from decrypting the passwords already in there).

  11. #11
    "Certified" Alphaholic
    Real Name
    David Kates
    Join Date
    Apr 2008
    Location
    Unionville, ON
    Posts
    7,815

    Default Re: What type of Encryption is "Legacy Encryption"?

    Far as I know, that's internal encryption and not exposed... thank goodness. It's completely different than the a5_encrypt_string()... again... thank goodness. It'd be too insecure otherwise. I don't think you can decrypt a security password... you're not supposed to... or be able to.

  12. #12
    Member
    Real Name
    Jmo
    Join Date
    May 2013
    Posts
    367

    Default Re: What type of Encryption is "Legacy Encryption"?

    I mean being able to decrypt that encryption doesn’t seem like a bad thing or out of the ordinary considering I’m providing the key (why have me provide a key if I’m not even going to be able to decrypt with it, might as well encrypt it with a secret key if they wanted to make sure it was completely secure, or at least that’d be my philosophy in this case).

  13. #13
    "Certified" Alphaholic
    Real Name
    David Kates
    Join Date
    Apr 2008
    Location
    Unionville, ON
    Posts
    7,815

    Default Re: What type of Encryption is "Legacy Encryption"?

    Not sure why a user key is employed. It doesn't matter to me, really... I'm just glad the password can't be decrypted using Alpha functions. Here's another discussion... focus on the posts by Jerry Brightbill.

    https://www.alphasoftware.com/alphaf...crypt+password

  14. #14
    "Certified" Alphaholic
    Real Name
    Govindan Gandhi
    Join Date
    Aug 2008
    Location
    New York, NY
    Posts
    4,294

    Default Re: What type of Encryption is "Legacy Encryption"?

    this is my understanding of the current methodology,
    if you are able to decrypt a password, then the chances of that being hacked is a lot easier than when you are not able to.
    if the encryption is one way street then when authenticating you need to encrypt the typed in response and compare to the stored in value to authenticate it. generating a longer uuid as a key makes this difficult if not impossible. the person has to generate a uuid if by chance they find out the key is uuid then supply a password that will match the user name with that encrypted password then only they will succeed. hackers will be able to do but will take longer time and repeated attempts by then you can black list them,
    this is my feeling, how this works. i am sure others will have their own impression on this matter. if someone tries hard enough no system is safe, just difficult.
    thanks for reading

    gandhi

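
    The "one way street" check described in post #14 (transform the typed-in password again and compare it with the stored value), as an added example that is not part of the thread and not Alpha Anywhere's internal method. It uses a salted key-derivation function (PBKDF2-HMAC-SHA256) in place of encryption; the record layout, the scheme label and the iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"      # assumed scheme label, not an Alpha Anywhere format
ITERATIONS = 600_000        # assumed work factor; tune for your hardware


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algo$iterations$salt$hash' for storage; nothing here is reversible."""
    salt = os.urandom(16)   # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the typed password and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except ValueError:
        return False        # malformed or truncated record: fail closed
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    rec_a = make_record("correct horse battery staple")
    rec_b = make_record("correct horse battery staple")
    print(rec_a != rec_b)   # same password, different salts, different records
    print(verify("correct horse battery staple", rec_a))
    print(verify("wrong guess", rec_a))
```

    Because the salt is random per record, a second component outside Alpha can verify a login from the stored record alone, but it cannot reproduce an identical stored string for the same password.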

  15. #15
    Member
    Real Name
    Jmo
    Join Date
    May 2013
    Posts
    367

    Default Re: What type of Encryption is "Legacy Encryption"?

    Yeah I get the philosophy, I was just a little confused since I was the one providing the key, just assumed the only logical reason behind that was so I could decrypt.

  16. #16
    "Certified" Alphaholic
    Real Name
    Govindan Gandhi
    Join Date
    Aug 2008
    Location
    New York, NY
    Posts
    4,294

    Default Re: What type of Encryption is "Legacy Encryption"?

    that will be the logical conclusion, but as of version 12, Alpha Anywhere, that legacy style decrypting is not possible any more using any known key including the one that was used to encrypt the password.
    thanks for reading

    gandhi


  17. #17
    "Certified" Alphaholic
    Real Name
    Ted Giles
    Join Date
    Aug 2000
    Location
    In the Wolds, Louth, Lincolnshire, UK
    Posts
    4,400

    Default Re: What type of Encryption is "Legacy Encryption"?

    OK. Open the application in an earlier version of Alpha, remove the key and save it. Try again.
    May not work, but again it might.
    Ted Giles
