Unable to decrypt string over 7 characters long using 3DES wrapper


Keith Chisarik
It (3DES Wrapper) will encrypt them, but any attempt to decrypt a string greater than 7 characters generates the error "Invalid length for a Base-64 char array". I have reproduced on several machines running 1.6.6 using very simple code to decrypt and encrypt a string (no BO's, no custom anything).

For example "1111111" encrypts and decrypts fine, but "11111111" will encrypt but not decrypt.

Any insight appreciated as always.

The error occurs in tripledeswrapper.vb at the function Decrypt, in the first line of the function:

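Public Function Decrypt(ByVal text As String) As String
    ' Throws "Invalid length for a Base-64 char array" when text is not valid Base64
    Dim input() As Byte = Convert.FromBase64String(text)
    ' Decrypt with the wrapper's key and IV
    Dim output() As Byte = Transform(input, m_des.CreateDecryptor(m_key, m_iv))
    Return m_utf8.GetString(output)
End Function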

Keith Chisarik
Trent Taylor
Keith,

I am unsure of what your code may look like as I have tested this using your example and it all seems to work fine.  Also, this is a class that we use extensively in the framework and within our medical software as well, so I am pretty confident that it is sound.  But just in case, I created a sample that works and have attached it here.  You can tweak it and let me know if you are doing something else that will spawn the error.  But you might look at this sample and see if you are doing something outside of these specs.

Attachments
3DESSample.zip (158 views, 68.00 KB)
Keith Chisarik
Thanks Trent, that led me to the answer. I had written a quick program that encrypted the field data a few days ago, by bad luck the field was not long enough for all the new values since the encryption algorithm adds to the length, some were OK but some got truncated and since they were encrypted it didn't catch my eye and the error led me down the wrong path.

Now, all is good except I have browse dialogs that use the encrypted field to search, they are using the raw encrypted field data from the server, returning incorrect records. How can I make them use the decrypted values like I set in my BO field property?

I know the BD creates the query dynamically and I think that it can only use actual fields and not custom (or customized) ones (???) so I am not sure how to accomplish my goal, to allow the encrypted field (SSN) to be included in the BD as a search field (with advanced options).

Keith

Keith Chisarik
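
The length growth behind the truncation described above, as an added example that is not part of the original posts or of StrataFrame. It assumes 8-byte 3DES blocks with PKCS7 padding (the .NET default, consistent with the ciphertext lengths quoted in this thread) and a constructed column width of 15 characters; the function names are hypothetical.

```vb
Imports System

Module EncryptedColumnWidth
    ' 3DES works on 8-byte blocks. Assumption: PKCS7 padding, which always adds
    ' 1 to 8 bytes, so an 8-byte input grows to 16 bytes.
    Function CipherByteLength(plainByteCount As Integer) As Integer
        Return (plainByteCount \ 8 + 1) * 8
    End Function

    ' Base64 emits 4 characters for every 3 bytes, rounded up to a full group.
    Function Base64Length(byteCount As Integer) As Integer
        Return ((byteCount + 2) \ 3) * 4
    End Function

    ' True when the value stored in a column of the given width still decodes to
    ' the full ciphertext. A value cut to a length that is not a multiple of 4
    ' raises FormatException; one cut on a multiple of 4 decodes but is short.
    Function SurvivesColumn(cipherText As String, columnWidth As Integer) As Boolean
        Dim stored As String = If(cipherText.Length > columnWidth,
                                  cipherText.Substring(0, columnWidth), cipherText)
        Try
            Return Convert.FromBase64String(stored).Length =
                   Convert.FromBase64String(cipherText).Length
        Catch ex As FormatException
            Return False
        End Try
    End Function

    Sub Main()
        For Each n As Integer In {7, 8, 11}
            Console.WriteLine("{0} plaintext bytes -> {1} cipher bytes -> {2} Base64 chars",
                              n, CipherByteLength(n), Base64Length(CipherByteLength(n)))
        Next
        ' Ciphertexts quoted later in this thread; the width of 15 is constructed.
        Console.WriteLine(SurvivesColumn("Z8cKO1v0OfI=", 15))
        Console.WriteLine(SurvivesColumn("zScg4jyKGSbryxUfHJktAQ==", 15))
    End Sub
End Module
```

Size an encrypted column with Base64Length(CipherByteLength(n)) for the longest plaintext of n bytes it must hold.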

Greg McGuffey
Keith,

I'm not the best person to answer the question (I don't use the browse dialog), but sometimes even a bad answer can spark a thought and help you move forward.

I'd try using the Searching event to change the query. Since it is an SSN, hopefully, you will always be providing the full SSN and using an equality comparison. If so, I'd look through the where collection for SSN field and then encrypt the value provided by the user and use that value instead of the one they provided. That way you'll be comparing encrypted value to encrypted value.

No idea if it will work, but that's where I'd start...good luck!

Keith Chisarik
Hmm, I'll think on that Greg, thanks for the reply. I do know I have to be able to search for the last 4 digits of the SSN, in fact the customer requires that the SSN is always shown as ***-**-9999 except for very high level users.

Keith Chisarik
Keith Chisarik
This is the best forum ever!

Keith Chisarik
Greg McGuffey
Keith Chisarik (10/02/2008)
Hmm, I'll think on that Greg, thanks for the reply. I do know I have to be able to search for the last 4 digits of the SSN, in fact the customer requires that the SSN is always shown as ***-**-9999 except for very high level users.

That could be tough. I just checked and if you encrypt the last four, it won't be anything like the equivalent last four in the full SSN.

I.e. here is an example (SSN -> encrypted text)

555-55-5555 -> zScg4jyKGSbryxUfHJktAQ==
5555 -> Z8cKO1v0OfI=

One option might be to denormalize a bit and store the last four in another column...

Hopefully somebody a lot smarter than me will respond soon!
Trent Taylor
Let me know if you didn't get your question answered...I have been more busy than a one legged man in a butt whoopin' contest lately...there is some more Texas lingo for ya.  I have been trying to create a POS (Point of Sale) interface and getting some of these hardware companies to work with you to give you the information to write software for their devices has been a pain!  If anyone has any experience with writing an app towards a Verifone 1000SE device, then please feel free to share!!!  I think I just finally signed the last required NDA to get a development guide with all of the commands to send to the device...I have my fingers crossed!  I have been trying to write towards OPOS for all devices, but I have finally given up that pipe dream as I don't think I am going to be able to shoot par with OPOS as some of these devices won't support it...but I suppose that is life in the development world...OK, I will shut up now!
Keith Chisarik
Greg's idea for the full SSN would probably work, but I need partial SSN searches, if you have any thoughts on that I would appreciate it. There may just not be a way around this since the BD queries the table directly and not the BO property that is decrypted, but I would like to hear that from "the man" before looking for another less desirable solution.

Keith Chisarik
Trent Taylor
Querying on a partial SSN will not work because the encryption string would not be the same with 3 chars versus 9, etc.  However, you can encrypt the data prior to sending the query to the server through the Searching event.  In the Searching event you can encrypt the text and send the encrypted value back to the server instead of the clear text.  So in the Searching event you would just enumerate through the passed in event args which includes the raw Where clauses and if the SSN was supplied then encrypt the value.  The only thing that would be required in order for this to work is that they would have to enter the full SSN number.
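
The two suggestions in this thread (encrypt the search value before comparing, and keep the last four in a second column) shown together, as an added example that is not StrataFrame code or code from any poster. The key, IV and rows are constructed, FindIds is a hypothetical stand-in for the work a Searching handler would do, and the second column is stored encrypted the same way as the first.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Text

Module EncryptedSsnSearch
    ' Constructed demo key (24 bytes) and IV (8 bytes); real ones come from protected storage.
    Private ReadOnly DemoKey As Byte() = Encoding.ASCII.GetBytes("0123456789abcdefghijklmn")
    Private ReadOnly DemoIV As Byte() = Encoding.ASCII.GetBytes("12345678")

    ' Same shape as the wrapper in the thread: fixed key and IV, Base64 output.
    ' With a fixed IV, equal plaintexts always produce equal ciphertexts.
    Function Encrypt(text As String) As String
        Using des As TripleDES = TripleDES.Create()
            Dim input As Byte() = Encoding.UTF8.GetBytes(text)
            Using enc As ICryptoTransform = des.CreateEncryptor(DemoKey, DemoIV)
                Return Convert.ToBase64String(enc.TransformFinalBlock(input, 0, input.Length))
            End Using
        End Using
    End Function

    ' Encrypt the user's value first, then compare ciphertext to ciphertext.
    Function FindIds(rows As List(Of String()), column As Integer, userInput As String) As List(Of String)
        Dim needle As String = Encrypt(userInput)
        Dim hits As New List(Of String)
        For Each row As String() In rows
            If row(column) = needle Then hits.Add(row(0))
        Next
        Return hits
    End Function

    Sub Main()
        ' Constructed rows: id, encrypted full SSN, encrypted last four.
        Dim rows As New List(Of String())
        For Each ssn As String In {"555-55-5555", "123-45-6789", "987-65-6789"}
            rows.Add(New String() {CStr(rows.Count + 1), Encrypt(ssn), Encrypt(ssn.Substring(ssn.Length - 4))})
        Next
        Console.WriteLine(String.Join(",", FindIds(rows, 1, "123-45-6789").ToArray())) ' full SSN, full column
        Console.WriteLine(String.Join(",", FindIds(rows, 1, "6789").ToArray()))        ' last four, full column
        Console.WriteLine(String.Join(",", FindIds(rows, 2, "6789").ToArray()))        ' last four, last-four column
    End Sub
End Module
```

The last-four column can take only 10,000 distinct values and equal inputs give equal ciphertexts, so anyone who can read the table can group rows by last four even without the key.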