
Is VBscript's URL decoding an exact reciprocal of Lingo's encoding from postNetText?


Applied CD

Jun 12, 2007, 3:41:08 PM
I'm trying to send the output of an RC4 encryption routine to an ASP script on
a WinTel server via postNetText. The output of RC4 encryption is not URL safe,
however, Lingo's postNetText encodes the string (when sent as part of a
property list) and VBScript's request.form("myString") decodes the string
automatically - more or less. When I decrypt the string server side I get about
75% of the original string, or I get the entire string with letter shifts
scattered throughout. RC4 encryption is symmetrical, i.e. the encrypted output
may be sent back through the same code with the same key and results in the
decrypted string. My VBscript is symmetrical with its own output, the same is
true for my lingo script - it's only when I send the lingo output to the
vbscript that I get this odd result. I tried various combinations of URL
encoding the string explicitly before sending to postNetText, no luck. I'm
going to try base64 encoding the output but maybe there's another problem. I've
attached the encoding scripts for the curious.

<%
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
'::: :::
'::: This script performs 'RC4' Stream Encryption :::
'::: (Based on what is widely thought to be RSA's RC4 :::
'::: algorithm. It produces output streams that are identical :::
'::: to the commercial products) :::
'::: :::
'::: This script is Copyright © 1999 by Mike Shaffer :::
'::: ALL RIGHTS RESERVED WORLDWIDE :::
'::: :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

dim sbox(255)
dim key(255)

sub RC4Initialize(strPwd)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
'::: This routine called by EnDeCrypt function. Initializes the :::
'::: sbox and the key array) :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

dim tempSwap
dim a
dim b

intLength = len(strPwd)
for a = 0 To 255
key(a) = asc(mid(strpwd,(a mod intLength)+1,1))
sbox(a) = a
next

b = 0
for a = 0 To 255
b = (b + sbox(a) + key(a)) mod 256
tempSwap = sbox(a)
sbox(a) = sbox(b)
sbox(b) = tempSwap
next

end sub

function EnDeCrypt(plaintxt, psw)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
'::: This routine does all the work. Call it both to ENcrypt :::
'::: and to DEcrypt your data. :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

dim temp
dim a
dim i
dim j
dim k
dim cipherby
dim cipher

i = 0
j = 0

RC4Initialize psw

for a = 1 to len(plaintxt)
i = (i + 1) mod 256
j = (j + sbox(i)) mod 256
temp = sbox(i)
sbox(i) = sbox(j)
sbox(j) = temp

k = sbox((sbox(i) + sbox(j)) mod 256)

cipherby = asc(mid(plaintxt,a,1)) xor k
cipher = cipher & chr(cipherby)
next

EnDeCrypt = cipher

end function
%>

Lingo:

--------------------------------------------------------
-- RC4 Algorithm
--
-- Adapted from VB code written by Luke Bailey
-- Copyright 2002 PsychicParrot
-- ora...@psychicparrot.com
--
-- You are welcome to use this script as you wish, but keep these comments
-- intact please!
--
-- Cleaned up a little by Bob Gallo (b...@bobgallosolutions.com)
-- removed extraneous globals, standardized variable names
-- made the initialise function a subroutine of the encoder
-- (strictly speaking gSbox doesn't change if you use the same password
-- throughout, I preferred
-- to integrate the two routines even though it's a little more processing)
-- redesigned to simulate base zero arrays to make compatible with VBscript
--
-- call: encodedString = Security_RC4(clearTextString,strongPassword)

global gSbox

on Security_RC4Initialise(strpwd)
gSbox = []
kee = []
intlength = strpwd.length
repeat with a = 0 to 255
kee[a+1] = charToNum(strpwd.char[(a mod intlength+1)..(a mod intlength+1)])
gSbox[a+1] = a
end repeat
b = 0
repeat with a = 0 to 255
b = ((b+gSbox[a+1]+kee[a+1]) mod 256)
tempswap = gSbox[a+1]
gSbox[a+1] = gSbox[b+1]
gSbox[b+1] = tempswap
end repeat
end
--------------------------------------------------------
on Security_RC4(plaintxt,strpwd)
Security_RC4Initialise(strpwd)
cipher = ""
i = 0
j = 0
alert plaintxt.char[plaintxt.length-5..plaintxt.length]
repeat with a = 1 to plaintxt.length
i = ((i+1) mod 256)
j = ((j+gSbox[i+1]) mod 256)
temp = gSbox[i+1]
gSbox[i+1] = gSbox[j+1]
gSbox[j+1] = temp
k = gSbox[((gSbox[i+1]+gSbox[j+1]) mod 256)+1]
cipherby = bitXor(charToNum(plaintxt.char[a..a]),k)
cipher = cipher & numToChar(cipherby)
end repeat
return cipher
end

Applied CD

Jun 12, 2007, 6:23:36 PM
Woo hoo .. got it. Had to convert the entire outgoing string from ascii to hex
with $ delimiter rather than % (which gets encoded to %25) and added a function
server side to convert hex back to ascii again recognizing $ as the delimiter.
The two encryption routines are now completely symmetrical with themselves and
each other.

Base64 would probably be more efficient but for the amount of data I'm passing
this works fine. If anyone wants to fill me in on why the encoding in postNetText
doesn't exactly match the decoding by VBScript I'd love to know.

LOOPING_Richard

Jun 13, 2007, 11:01:39 AM

"Applied CD" <webfor...@macromedia.com> wrote in message
news:f4n6d8$1gf$1...@forums.macromedia.com...

Hi Applied,
base64 is not an encryption algorithm like RC4.
Base64 is an encoding technique, and in itself doesn't "hide" anything.
It's in the same league as "quoted printable" encoding.

Regards,

Richard
LOOPING Multimedia


Applied CD

Jun 13, 2007, 11:51:35 AM
Yeah, sorry I wasn't clear about that. Encoding (either ascii<->hex or base64)
doesn't replace the RC4 encryption, it's required to convert the output of RC4
encryption to a string that is URL safe.

Here's the scheme:

Client/Lingo: SQL string -> RC4 encryption with local key -> HEX encoding ->
postNetText ----> Server/VBS: HEX decoding -> RC4 decryption with local key ->
execute SQL string

I'm also modifying the scripts so that the server response can be RC4
encrypted if desired. Same process as above, just reversed.

- bob
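
The transport scheme described in the posts above (RC4 output turned into "$"-delimited hex before postNetText, decoded on the server before decryption), as an added Python example that is not code from the thread. The key, the sample SQL string, the function names and the Latin-1/Windows-1252 mismatch in `lossy_text_hop` are assumptions for illustration; the thread does not establish what actually altered the bytes in transit.

```python
# Added example (not from the thread): RC4 output carried as "$XX" hex pairs.
# Key, sample SQL string and function names are constructed for illustration.
HEX = "0123456789ABCDEFabcdef"

def rc4(data: bytes, key: bytes) -> bytes:
    """Same key schedule and keystream loop as the VBScript/Lingo routines."""
    sbox, j = list(range(256)), 0
    for i in range(256):
        j = (j + sbox[i] + key[i % len(key)]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return bytes(out)

def hex_encode(data: bytes) -> str:
    """Every byte becomes '$' plus two hex digits, so the result is plain ASCII."""
    return "".join("$%02X" % b for b in data)

def hex_decode(text: str) -> bytes:
    """Strict inverse of hex_encode; rejects anything that is not '$XX' pairs."""
    if not text:
        return b""
    pairs = text.split("$")
    if pairs[0] != "" or any(len(p) != 2 or p[0] not in HEX or p[1] not in HEX
                             for p in pairs[1:]):
        raise ValueError("expected '$'-delimited two-digit hex pairs")
    return bytes(int(p, 16) for p in pairs[1:])

def lossy_text_hop(data: bytes) -> bytes:
    """Assumed failure mode: sender treats bytes as Latin-1 text, receiver
    re-encodes as Windows-1252; unmappable characters come back as '?'."""
    return data.decode("latin-1").encode("cp1252", errors="replace")

if __name__ == "__main__":
    key, sql = b"constructed-key", b"SELECT name FROM items WHERE id = 7"
    ct = rc4(sql, key)
    print("raw hop intact:", lossy_text_hop(ct) == ct)
    wire = hex_encode(ct)
    received = lossy_text_hop(wire.encode("ascii")).decode("ascii")
    print("hex hop intact:", rc4(hex_decode(received), key) == sql)
```

Because the hex form contains only "$", digits and A-F, any hop that preserves ASCII leaves it untouched, whereas the raw ciphertext can contain any of the 256 byte values.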

