Decrypting AES-128-ECB string with no salt


Post by lightman » Thu Jul 10, 2014 5:35 am

Hello,

I've just started using LiveCode community edition and am trying to use the encrypt/decrypt commands to store and retrieve passwords locally for a legacy application on another platform.

The scenario is that I have a 32 character alphanumeric string representing the password stored in a text field -
ec16882f9fd3a59077fae786fc46a233, which is 'password' encrypted with 'secret' using AES-128-ECB.

My understanding is that I would use the decrypt command to convert this to plaintext.

I have two fields (tHexValue and tClearText) in the stack and a button with code in the onmouseup event:

decrypt field tHexValue using "aes128" with password "secret"
put it into tClearText

This fails and there's no obvious error.

To troubleshoot, I tried encrypting using the equivalent, but got a string I wasn't expecting.

encrypt field tClearText using "aes128" with password "secret"
put it into tHexValue

Result:
Salted__U¹)T–[Ÿ³%ÁFd"ºo¡©j/µ

My question is how do I convert the output into a 32 character alphanumeric string 'ec16882f9fd3a59077fae786fc46a233'?
I'm also not sure how to handle the lack of a salt value, as the documentation seems to indicate a random salt is used if one isn't specified in the command?
I'm probably missing something really obvious, but would appreciate any pointers or assistance.

Thank you.

Calvin.


Post by Simon » Thu Jul 10, 2014 6:51 am

Hi Calvin,
Welcome to the forum! :)

ec16882f9fd3a59077fae786fc46a233 looks like an md5 hash not an encrypted password.
As you've seen encryption does this U¹)T–[Ÿ³%ÁFd"ºo¡©j/µ and is the sort of thing I'd expect.
Check out md5 in the Dictionary there is a very useful note at the bottom (if I remember correctly).

Simon
I used to be a newbie but then I learned how to spell teh correctly and now I'm a noob!


Post by lightman » Thu Jul 10, 2014 7:29 am

Thanks for the welcome and for replying, Simon.

The string does look like an MD5 hash, but is actually the hex representation of the encrypted password.

You can check this here: aes[dot]online-domain-tools[dot]com

Based on the result, it might also be padded in blocks of 32 characters.

1234567890123456 = 8dcde5eafebe57bd0addef5c90a5fa6a
12345678901234567 = 8dcde5eafebe57bd0addef5c90a5fa6adb06daae0c3c9421d098ed2f8f292557

I'm guessing the legacy app has a 16 character limit on passwords, so all the strings stored in the field are 32 characters which is why it looks like a hash.

I suspect what I need to do is somehow convert the U¹)T–[Ÿ³%ÁFd"ºo¡©j/µ to hex?

Once again, thanks for taking the time to reply, and if you have any further insights, I'd be grateful for the input.


Post by Klaus » Thu Jul 10, 2014 12:37 pm

Hi Calvin,

being no encryption expert, just one caveat:
"encrypt ..." will return BINARY data and putting BINARY data into a TEXT (sic!) FIELD might cause data corruption!
Looks like this does happen here.

Store the data in a custom property and see if that works:
...
## Always use QUOTES around object names (= strings)!
encrypt field "tClearText" using "aes128" with password "secret"
put it into tHexValue
set the cEncryptedData of this stack to tHexValue
...
put the cEncryptedData of this stack into tHexValue
decrypt tHexValue using "aes128" with password "secret"
put it into tClearText
...

Best

Klaus


Post by FourthWorld » Thu Jul 10, 2014 2:44 pm

lightman wrote: I suspect what I need to do is somehow convert the U¹)T–[Ÿ³%ÁFd"ºo¡©j/µ to hex?
See the binaryDecode function in the Dictionary, e.g.:


function CleanHash s
   local tHex
   get binaryDecode("h*", sha1digest(s &"SomeRandomSalt"), tHex)
   return tHex
end CleanHash
Richard Gaskin


Post by lightman » Thu Jul 10, 2014 9:33 pm

Thank you all for the help. Got a prototype working. :)
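
The two formats compared in this thread, as an added Python example that is not code from any of the posters: it tells hex text holding bare 16-byte blocks (the legacy value) apart from binary output framed with the "Salted__" header, and for the latter splits off the 8-byte salt and derives the key. The key derivation (OpenSSL's legacy EVP_BytesToKey with MD5) is an assumption about what sits behind "with password"; the function names and the SALTED sample are constructed for illustration.

```python
import binascii
import hashlib

MAGIC = b"Salted__"  # 8-byte header seen in the thread's encrypt output
BLOCK = 16           # AES block size in bytes

def evp_bytes_to_key(password, salt, key_len=16, iv_len=16):
    """Assumed KDF: OpenSSL's legacy EVP_BytesToKey (MD5, one iteration)."""
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]

def describe(stored, password=b"secret"):
    """Report how a stored value is encoded and framed, without decrypting it."""
    try:
        raw, encoding = binascii.unhexlify(stored.strip()), "hex"
    except ValueError:  # binascii.Error is a ValueError: not hex text
        raw, encoding = stored, "binary"
    info = {"encoding": encoding, "kind": "raw-blocks", "salt": None, "key": None}
    body = raw
    if raw.startswith(MAGIC) and len(raw) >= 16:
        salt, body = raw[8:16], raw[16:]
        key, _iv = evp_bytes_to_key(password, salt)  # ECB ignores the IV
        info.update(kind="openssl-salted", salt=salt.hex(), key=key.hex())
    info["blocks"], leftover = divmod(len(body), BLOCK)
    info["aligned"] = leftover == 0
    info["hex"] = body.hex()
    return info

# Values quoted in the thread (hex text as stored by the legacy application).
LEGACY = b"ec16882f9fd3a59077fae786fc46a233"
LEGACY_17 = b"8dcde5eafebe57bd0addef5c90a5fa6adb06daae0c3c9421d098ed2f8f292557"
# Constructed sample: header + made-up salt + one dummy ciphertext block.
SALTED = MAGIC + bytes(range(8)) + bytes(16)

if __name__ == "__main__":
    for name, value in (("legacy", LEGACY), ("17 chars", LEGACY_17), ("salted", SALTED)):
        print(name, describe(value))
```

The legacy value decodes to exactly one block with no header, so it carries no salt from which a password-based decrypt could derive a key; the salted form gets a fresh random salt on every encryption, so its bytes never repeat for the same password.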
