Solved

SSPI encryption/decryption problem

Posted on 2002-07-10
5
846 Views
Last Modified: 2012-06-21
I have a client/server system that uses the Windows SSPI interface to authenticate NT user accounts and allow encrypted data to be passed across the network (via NTLM / Kerberos). It all works fine but there is a problem with the encrypted data transfer.

If a encrypt a message on the client side and then decrypt it on the server everything is ok. If I encrypt the data on the client side, then encrypt another message on the server side and try to decrypt the original message, I get SEC_E_MESSAGE_ALTERED returned from both DecryptMessage calls. Obviously it doesn't like the fact that the message Encrypt / Decrypt sequence is not in order, but I need to send encrypted messages in both directions at any time.

I have tried removing the ISC_REQ_SEQUENCE_DETECT and ISC_REQ_REPLAY_DETECT flags in InitializeSecurityContext but this has no effect. I've also tried jst about everything else I can think of.

Happens under NT4 and Win2K.

Thanks,

Jamie
0
Comment
Question by:JamieR
  • 3
  • 2
5 Comments
 
LVL 49

Accepted Solution

by:
DanRollins earned 500 total points
ID: 7148349
What parameters are you using in EncryptMessage and DecryptMessage?  The MessageSeqNo might be critical.  Perhaps you need to get a second SecurityContext

Q245565 mentions a problem encountered by MsExchange in which two packets are processed in a single I/O operation, so when it tries to process the second block there is no data and it fails with that error.  Maybe you are hitting the same sort of thing.  Have you verified that there is good, decryptable data in the buffer when you call DecrpytMessage?

-- Dan  

0
 
LVL 1

Author Comment

by:JamieR
ID: 7151735
Actually I figured it out. Thanks for the help anyway.
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 7151778
I'd rather that you not sully my grading record with a C, and I'm certain that most Experts here feel the same.  Please refer to the grading guidelines:

   http://www.experts-exchange.com/jsp/cmtyQuestAnswer.jsp#3

It is your responsibility to provide feedback to the Expert.  For instance, you could say "Shall I delete this, or do you want to me stick you with a C?"  Then when the experts replies with "You can stick that C where the sun don't shine" then you'll know the way the wind is blowing.

On another matter:
When you grade a question it gets saved into the PAQ database.  When someone later searches with keywords such as SEC_E_MESSAGE_ALTERED or DecryptMessage, then this question will be listed.  They might then purchase this question (50 points) and be rather unsatisfied since there is no answer here (C-level or otherwise).  

So could you please post a brief synopsis of what you did to solve this problem?  Thanks!

-- Dan
0
 
LVL 1

Author Comment

by:JamieR
ID: 7152909
Dan,

We resolved the issue before I had the opportunity to read your response. I started to describe the solution, but decided not to post it since there were several obscure issues in our code (not the CryptoAPI) and it would have been of little benefit to anyone else. It's also not my property.

I thought your reply was intelligent and helpful. I assumed you'd be grateful for the easy 500 points, not offended!

Jamie
0
 
LVL 49

Expert Comment

by:DanRollins
ID: 7152986
>>I assumed you'd be grateful for the easy 500 points, not offended!

Then this is a pivotal moment for you as you learn how Experts feel about getting bad grades.  Looking at your grading histroy I see that you have even given D's to experts who help you!  Nobody likes to be told that they are a third-class expert and nobody want s C or a D tarnishing their record.  If you want to thank an expert, you can post a 500-point question "Points For..." (and please, give an A!) but don't accept a non-answer as a low-grade answer.

Please review the grading guidelines carefully and please follow them in the future.  Thanks!

-- Dan
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Often, when implementing a feature, you won't know how certain events should be handled at the point where they occur and you'd rather defer to the user of your function or class. For example, a XML parser will extract a tag from the source code, wh…
C++ Properties One feature missing from standard C++ that you will find in many other Object Oriented Programming languages is something called a Property (http://www.experts-exchange.com/Programming/Languages/CPP/A_3912-Object-Properties-in-C.ht…
The goal of the tutorial is to teach the user how to use functions in C++. The video will cover how to define functions, how to call functions and how to create functions prototypes. Microsoft Visual C++ 2010 Express will be used as a text editor an…
The goal of the video will be to teach the user the difference and consequence of passing data by value vs passing data by reference in C++. An example of passing data by value as well as an example of passing data by reference will be be given. Bot…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now