Converting AES Algorithm to work on strings

YukonJJR

Moderator: Split off from https://bytes.com/topic/access/insig...m-vba-vbscript


I am desperately searching for a routine to AES encrypt a password that is submitted in an access form as a string and then I will use DAO to write it to a linked SQL table. I have tried over and over to convert the example you gave but am totally lost and its nowhere close to working. I have been looking for a solution for over a year. Any help would be greatly appreciated.

Jun 8 '18 #1

NeoPa

I don't have code for AES but there is some for the RC4 algorithm that Rabbit also posted (RC4 Encryption Algorithm for VBA and VBScript).

Jun 9 '18 #2

Rabbit

Before you decide to encrypt a password, I would say that the standard practice with passwords is to store a hash.

Jun 10 '18 #3

YukonJJR

I am sorry, I am probably using the wrong terminology.

We currently have two databases that use SQL server as a backend. We have a web based front end that is very user 'Not Friendly'. We also have an Access front end that is connected to the same DB. The web based (.NET) stores passwords in the backend in the format, rnIsAJU2Gu80bH51pNrgovB+FiS8fdONtu6n5FBwMKc= (this represents the user password - default123).

We are not trying to create Fort Knox. I simply want to make sure the real passwords are not visible anywhere if someone should happen to gain access to the tables. Typically other IT staff.

We want to be able to create the same passwords that would be generated in the web base front end through the Access front end so we can use the same passwords for both applications. We have tons more information that we collect on the Access end and it is far easier to create new users there with the exception of creating an encrypted pw. Currently the users have two passwords. One for the web front end that is encrypted and one for the Access front end that is not. I want to get rid of the non-encrypted Access password on only have one for both. I am told the web front end uses AES encryption and we have enough knowhow to get the 'encryption key' out of the .NET code. (Im sure I didn't use the right terminology, HASH, Key, etc.).

I simply want to convert the desired password such as the default123 to the example given and be able to store it in the same fashion the web front end is already doing. I will also convert the password entered at login and compare it to the stored value to allow or disallow access to the system.

I hope this is a better explanation of what I am trying to do. I have a pretty good grasp on basic VBA and can usually decipher what is going on in the code but I wasn't able to convert your example to something I could use. I actually got it to take a variable and return an encrypted string at the end but I still have no idea where the (key or HASH or whatever it is call should go).

All help is greatly appreciated!!

Jun 11 '18 #4

Rabbit

Before you go the path of modifying the code to spit out a string, you should make sure you're both using the same version of the algorithm.

The code in the linked article is for the 256-bit version of AES in CBC or EBC mode. There is no salt/nonce/IV incorporated.

Security Disclaimer: Refrain from storing passwords, encrypted or not. It should be stored as a hash with a salt. If you must store a password in encrypted format, then you should use a salt.

Once you have confirmed that both of you are using the same version of the algorithm. Then to modify it to spit out a string, you will need to rewrite all references to files and file writing to work on string variables.

Also, it looks like the output from the web version is further encoded in Base-64. You will need to create your own version of that as that's not part of AES.

Jun 12 '18 #5