rc4 asp page not passing values into login page

hi,

i have a form on a page that sends the username and password values across the internet to the login page, what i need to do is encrypt and decrypt the values. The form sends the encrypt string to the login page, but it does not login??  an example link for the login page is pasted below;

https://secure.mysite.co.uk/login.asp?crypt=%C3%B9%BA%BB%86%CC%CC%9C%B3%1F%7C%17%05%3DW%9E%86%06%23%17%1F%AD%BFF%F8iM%17%23%96x%F7%F3+%2A%07v

i  have pasted the encrypt script and also the login script below, any ideas??  i think it is the form on the login page that is not picking it up the values from the address bar..  by the way, the login page works fine using the form within the login page, so that part is fine..
encrypt script
--------------------------------------------------
 
Dim sbox(255)
   Dim key(255)
 
 
   Sub RC4Initialize(strPwd)
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
   ':::  This routine called by EnDeCrypt function. Initializes the :::
   ':::  sbox and the key array)                                    :::
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 
      dim tempSwap
      dim a
      dim b
 
      intLength = len(strPwd)
      For a = 0 To 255
         key(a) = asc(mid(strpwd, (a mod intLength)+1, 1))
         sbox(a) = a
      next
 
      b = 0
      For a = 0 To 255
         b = (b + sbox(a) + key(a)) Mod 256
         tempSwap = sbox(a)
         sbox(a) = sbox(b)
         sbox(b) = tempSwap
      Next
   
   End Sub
   
   Function EnDeCrypt(plaintxt, psw)
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
   ':::  This routine does all the work. Call it both to ENcrypt    :::
   ':::  and to DEcrypt your data.                                  :::
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 
      dim temp
      dim a
      dim i
      dim j
      dim k
      dim cipherby
      dim cipher
 
      i = 0
      j = 0
 
      RC4Initialize psw
 
      For a = 1 To Len(plaintxt)
         i = (i + 1) Mod 256
         j = (j + sbox(i)) Mod 256
         temp = sbox(i)
         sbox(i) = sbox(j)
         sbox(j) = temp
   
         k = sbox((sbox(i) + sbox(j)) Mod 256)
 
         cipherby = Asc(Mid(plaintxt, a, 1)) Xor k
         cipher = cipher & Chr(cipherby)
      Next
 
      EnDeCrypt = cipher
 
   End Function
 
 
%>
 
Login script
----------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!--#include file="w3.asp" -->
<!--#include file="rc4.asp"-->
 
<html>
   <body>
      <form method="post" action="
https://secure.mysite.co.uk/login.asp">
         Enter username: <input type="text" name="username"><br>
         Enter password: <input type="text" name="password"><br><br>
         <input type="submit">
      </form>
   </body>
</html>

Open in new window

ckawebcreationAsked:
Who is Participating?
 
kevp75Commented:
p.s.   I use something called SkipJack encryption, along with a MD5 hash
0
 
kevp75Commented:
first things first

If Request.QueryString <> "" Then TT_LoginAction = TT_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
TT_valUsername = CStr(Request.Form("username"))


only requests a username, nowhere in your code to you reference the querystring "crypt"
0
 
ckawebcreationAuthor Commented:
hi kevp75,

the login page has always worked using the form on the actual login page, this is the first time the login details are being sent from a form on another page, i guess this changes things a bit, especially when the login details on the querystring are encrypted.  i am not too sure what the crypt= does??  
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
kevp75Commented:
crypt is the querystring in your original post URL
0
 
ckawebcreationAuthor Commented:
hi kev,

i realised that, lol! i am not sure where it is referenced in the encryption script?  i think that is the problem, the string is being sent and encrypted and the login page is calling the encryption script but nothing is happening because crypt means nothing to the encryption script, so how do I get the encryption script to read the querystring and decrypt it???
0
 
kevp75Commented:
strCrypt = Request.QueryString("crypt")
If strCrypt = "" Then
    strCrypt = Request.Form("password")
End If

and change:
TT_rsUser_cmd.Parameters.Append TT_rsUser_cmd.CreateParameter("param2", 200, 1, 30, Request.Form("password")) ' adVarChar


to:
TT_rsUser_cmd.Parameters.Append TT_rsUser_cmd.CreateParameter("param2", 200, 1, 30, strCrypt) ' adVarChar


I think?

It's tough to tell, without more info...  is crypt supposed to be a the password, the username, a combination of both?

0
 
ckawebcreationAuthor Commented:
Hi keV,

crypt is the username and password key value pair, the receiving page is a https would this make a difference??
0
 
kevp75Commented:
ok...   using the code you posted above, I come up with a string like this as the decrypted value of 'crypt'

ïoÆ$c7&¬[+-0íS=’u ¿ùôÏQ6·xSF'íRZº¬ëÙKÄà :ÒÆÍíUË`=?[ÙÎSÜÒ¿ú *ØwüÜÑ'5¤½Ú­³ûcîO²t©SÏ´

does that look like it's a username password combo to you?

I would recommend using something else...   no https doesn't matter as it encrypts the packets
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.