On 2023-11-02 02:06, Tom Glod via use-livecode wrote:
> I have found a "wrong decryption key" that does not return a bad decrypt
> error, but returns garbage into "the result".
> Every other wrong key correctly gives the usual error.
> The right key works to decrypt.

What exact error do you get with a wrong key vs the not-so-wrong key?

> the length of the encryption/decryption key is always 64 characters
> it is always alphanumeric, because it's a hash derivative, no weird
> characters, always the correct length.
> and the salt is the same for every key I tried.
> I can program around it, but it's unsettling.
> I will report it, but in the meantime has anyone ever come across this
> garbage in "the result" as a result of an incorrect decryption key?

So I don't think this is a bug, but expected behavior.

The encrypt/decrypt operations are very low-level - they 'simply' apply the
specified algorithm to the data.

Encryption/decryption is 'just' a mathematical function which uses the
'key bytes' and 'input data' to derive an output - in particular, decryption
does not include any validation checks to ensure the provided decryption key
is what was used to encrypt in the first place - that's something you have to
do yourself.

There's a huge variety of ways to do this - but perhaps the simplest is to add
your favorite (simple) hash of the encryption key before the data being
encrypted:

----
(pseudo encryption code - I don't know exactly what form of encrypt you are using!):

   local tKey, tHash
   put deriveMyEncryptionKey(tPassword) into tKey
   put md5Digest(tKey) into tHash
   -- prefix the 16-byte hash of the key to the data before encrypting
   encrypt tHash & tData using ... with password tKey

(pseudo decryption code - I don't know exactly what form of encrypt you are using!):

   decrypt tEncryptedData using ... with password tKey
   put it into tData -- decrypt leaves its output in "it"
   -- the first 16 bytes must match the hash of the key that was supplied
   if byte 1 to 16 of tData is not md5Digest(tKey) then
      throw "incorrect password"
   end if
----

Of course I'm now slightly intrigued as to what checks OpenSSL *can* actually
do to be able to generate a 'bad decrypt' message - so by all means file a
bug/send a test stack to support and we can at least advise on that (and
potentially update the docs).

Warmest Regards,
Mark.
--
Mark Waddingham ~ m...@livecode.com ~ http://www.livecode.com/
LiveCode: Build Amazing Things
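
Added illustration (not part of the message above, and not LiveCode or OpenSSL code): a padded block-cipher decrypt can only validate the PKCS#7 padding, which is the check behind OpenSSL's 'bad decrypt', so roughly one wrong key in 256 passes it and yields garbage; the key-hash prefix described in the message catches that case. The SHA-256 Feistel cipher standing in for AES, the fixed IV, the constructed keys and all function names are assumptions of this sketch.

```python
import hashlib, hmac
from itertools import count

BLOCK = 16  # same block size as AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, rounds):
    # Stand-in 4-round Feistel block cipher built from SHA-256 (assumption, NOT AES)
    l, r = blk[:8], blk[8:]
    for n in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([n]) + r).digest()[:8])
    return r + l

def encrypt(key, data, iv=bytes(BLOCK)):  # fixed IV only to keep the demo deterministic
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7 padding
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _block(key, _xor(data[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def decrypt(key, ct, iv=bytes(BLOCK)):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    pad = out[-1]  # the only "validation" a padded block mode can do
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad decrypt")
    return out[:-pad]

def seal(key, data):  # key check from the message: hash of the key before the data
    return encrypt(key, hashlib.md5(key).digest() + data)

def open_checked(key, ct):
    plain = decrypt(key, ct)
    if not hmac.compare_digest(plain[:16], hashlib.md5(key).digest()):
        raise ValueError("incorrect password")
    return plain[16:]

def find_silent_wrong_key(ct):  # constructed 64-char hex keys, tried in order
    for n in count():
        wrong = hashlib.sha256(b"wrong-%d" % n).hexdigest().encode()
        try:
            return wrong, decrypt(wrong, ct)  # passed the padding check by chance
        except ValueError:
            continue
```

`find_silent_wrong_key` returns the first constructed wrong key whose decrypt raises no error, together with the garbage it produced; `open_checked` rejects that same key with "incorrect password".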