Code-Bytes

How to Decrypt RC4 Encrypted Parameters passed into Actuate Reports

Problem: So, you manage a site that has been sending sensitive information like DB Login and Password via HTTP Post or Get! Well, this is exactly what I ran into with a web application that was sending Database login and password information to Actuate Reports via HTTP Get!

 

Here is a visual example of the problem I encountered: www.some-site.com/runreport.asp?dbname=Marketing&dblogin=admin&dbpassword=admin123

 

Yes, stuff like this still happens. But how does one fix this without having to radically change the design of both the website and the Actuate reports that have come to rely on this design? Well, the solution I came up with was to encrypt the values using what is widely believed to be the RSA RC4 encryption algorithm, and it didn't break the bank!

Solution Requirements:

  • Encrypt and decrypt any parameters using an encryption and decryption algorithm that would pass muster if challenged by internal security audits. So we're looking for something that would be accepted as "strong".
  • Create versions of the encryption and decryption algorithms for both ASP pages and Actuate Reports using the Actuate Basic language.
  • Encryption and decryption keys should be stored in a secure place and never transmitted between systems.

Solution Design

  • Let's reuse a VBScript function that Mike Shaffer wrote back in 2000. It is some ASP code that solves the ASP problem of encrypting the values that will be sent to our Actuate Reports. His source code can be found at http://www.4guysfromrolla.com/webtech/010100-1.shtml
  • Create an Actuate function that follows Mike's RC4 implementation.

Code for some of the Actuate functions that needed to be written for this implementation. NOTE: ALL working source code can be downloaded via the link on the right of the page in the source file named RC4.BAS


Function Bin2Dec(ByVal Num As String) As Integer
Function Dec2Bin(ByVal n As Integer) As String
Function XorBin(ByVal Num1 As String, ByVal Num2 As String) As String
'**************************************************************
'*Because Actuate does not have a bitwise Xor (Function) one had
'*to be written here --JMM-- I thought a bit about calling out to a
'*Windows API (or writing this in my own DLL), but felt that hurt the
'*maintainability/portability of the reports going forward
Function XorBin(ByVal Num1 As String, ByVal Num2 As String) As String
    Dim Num1Array(15) 'hold a 16 bit num
    Dim Num2Array(15) 'hold a 16 bit num
    Dim counter as Integer
    Dim resultString as String
    resultString = ""
    Call Put16BitBinInArray(Num1, Num1Array)
    Call Put16BitBinInArray(Num2, Num2Array)
    For counter = 0 To 15
        'XOR Truth Table translation BIT by BIT can NOW be Done!!!!!
        If Num1Array(counter) = 0 And Num2Array(counter) = 0 Then resultString = resultString & "0"
        If Num1Array(counter) = 1 And Num2Array(counter) = 0 Then resultString = resultString & "1"
        If Num1Array(counter) = 0 And Num2Array(counter) = 1 Then resultString = resultString & "1"
        If Num1Array(counter) = 1 And Num2Array(counter) = 1 Then resultString = resultString & "0"
    Next
    XorBin = resultString
End Function

'**************************************************************
'* Converts Dec to String Representation of Binary value
'**************************************************************
Function Dec2Bin(ByVal n As Integer) As String
    'user created function - called from cmdcalculate_click()
    'declare Variables - Bin holds the Binary number, BinDig Holds the next (higher bit)
    Dim Bin As String
    Dim BinDig As String
    'test for Loop
    Do While n >= 1
        'get next bit (remainder)
        BinDig = Trim(Str(n Mod 2))
        'string next Bit with previous Bin Number
        Bin = BinDig + Bin
        'integer division (by 2 for Binary) to get result
        n = n \ 2
    'loop until done
    Loop
    'return binary number to calling sub Procedure
    Dec2Bin = CStr(Bin)
End Function
'**************************************************************

'**************************************************************
'* Converts String Binary to Decimal value
'**************************************************************
Function Bin2Dec(ByVal Num As String) As Integer
    Dim n As Integer
    Dim a As Integer
    Dim x As String
    n = Len(Num) - 1
    a = n
    Do While n > -1
        x = Mid(Num, ((a + 1) - n), 1)
        Bin2Dec = IIf((x = "1"), Bin2Dec + (2 ^ (n)), Bin2Dec)
        n = n - 1
    Loop
End Function
'**************************************************************
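
An added cross-check, not part of RC4.BAS or of the original page: a Python reference RC4 that routes every XOR through binary strings the way XorBin, Dec2Bin and Bin2Dec do, so its output can be compared with the published RC4 test vector (key "Key", plaintext "Plaintext"). It assumes the ASP and Actuate versions implement standard RC4; the names dec2bin, bin2dec, xor_bin, string_xor and rc4 are chosen here for illustration.

```python
# Added reference RC4 (not from RC4.BAS) for cross-checking a port.
# Assumption: the ASP and Actuate versions implement standard RC4.

def dec2bin(n: int) -> str:
    """Decimal to binary string; like the page's Dec2Bin, 0 yields ''."""
    bits = ""
    while n >= 1:
        bits = str(n % 2) + bits
        n //= 2
    return bits

def bin2dec(num: str) -> int:
    """Binary string to decimal, weighting each '1' by its position."""
    return sum(2 ** i for i, bit in enumerate(reversed(num)) if bit == "1")

def xor_bin(num1: str, num2: str) -> str:
    """Bit-by-bit XOR of two binary strings via the truth table."""
    width = max(len(num1), len(num2), 1)
    a, b = num1.zfill(width), num2.zfill(width)  # pad: dec2bin(0) is ''
    return "".join("0" if x == y else "1" for x, y in zip(a, b))

def string_xor(a: int, b: int) -> int:
    """XOR routed through binary strings, as the Actuate code must do."""
    return bin2dec(xor_bin(dec2bin(a), dec2bin(b)))

def rc4(key: bytes, data: bytes, xor=lambda a, b: a ^ b) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation, one byte per input byte
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(xor(byte, s[(s[i] + s[j]) % 256]))
    return bytes(out)

if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    ct = rc4(b"Key", b"Plaintext", xor=string_xor)
    print(ct.hex().upper())
    print(rc4(b"Key", ct))  # running RC4 again with the same key decrypts
```

Feeding the same key and plaintext to the ASP and Actuate functions and comparing their output with this one shows whether either port has drifted from the other.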