Solved

rc4 asp page not passing values into login page

Posted on 2009-05-06
Last Modified: 2012-05-06
hi,

i have a form on a page that sends the username and password values across the internet to the login page, what i need to do is encrypt and decrypt the values. The form sends the encrypted string to the login page, but it does not log in??  An example link for the login page is pasted below;

https://secure.mysite.co.uk/login.asp?crypt=%C3%B9%BA%BB%86%CC%CC%9C%B3%1F%7C%17%05%3DW%9E%86%06%23%17%1F%AD%BFF%F8iM%17%23%96x%F7%F3+%2A%07v

i have pasted the encrypt script and also the login script below, any ideas??  i think it is the form on the login page that is not picking up the values from the address bar..  by the way, the login page works fine using the form within the login page, so that part is fine..

encrypt script
--------------------------------------------------
<%
   ' Shared state: RC4Initialize fills these arrays, EnDeCrypt consumes them
   Dim sbox(255)
   Dim key(255)

   Sub RC4Initialize(strPwd)
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
   ':::  This routine called by EnDeCrypt function. Initializes the :::
   ':::  sbox and the key array                                     :::
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

      dim tempSwap
      dim a
      dim b

      ' Repeat the password across key() and set sbox() to 0..255
      intLength = len(strPwd)
      For a = 0 To 255
         key(a) = asc(mid(strpwd, (a mod intLength)+1, 1))
         sbox(a) = a
      next

      ' Key schedule: permute sbox() under control of key()
      b = 0
      For a = 0 To 255
         b = (b + sbox(a) + key(a)) Mod 256
         tempSwap = sbox(a)
         sbox(a) = sbox(b)
         sbox(b) = tempSwap
      Next

   End Sub

   Function EnDeCrypt(plaintxt, psw)
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
   ':::  This routine does all the work. Call it both to ENcrypt    :::
   ':::  and to DEcrypt your data.                                  :::
   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

      dim temp
      dim a
      dim i
      dim j
      dim k
      dim cipherby
      dim cipher

      i = 0
      j = 0

      RC4Initialize psw

      ' XOR each input character with the next keystream byte
      For a = 1 To Len(plaintxt)
         i = (i + 1) Mod 256
         j = (j + sbox(i)) Mod 256
         temp = sbox(i)
         sbox(i) = sbox(j)
         sbox(j) = temp

         k = sbox((sbox(i) + sbox(j)) Mod 256)

         cipherby = Asc(Mid(plaintxt, a, 1)) Xor k
         cipher = cipher & Chr(cipherby)
      Next

      EnDeCrypt = cipher

   End Function
%>
 

Login script
----------------------------------
<%@LANGUAGE="VBSCRIPT" CODEPAGE="1252"%>
<!--#include file="w3.asp" -->
<!--#include file="rc4.asp"-->

<html>
   <body>
      <form method="post" action="https://secure.mysite.co.uk/login.asp">
         Enter username: <input type="text" name="username"><br>
         Enter password: <input type="text" name="password"><br><br>
         <input type="submit">
      </form>
   </body>
</html>

Question by:ckawebcreation
9 Comments
 
LVL 25

Expert Comment

by:kevp75
ID: 24327159
first things first

If Request.QueryString <> "" Then TT_LoginAction = TT_LoginAction + "?" + Server.HTMLEncode(Request.QueryString)
TT_valUsername = CStr(Request.Form("username"))


only requests a username, nowhere in your code do you reference the querystring "crypt"
0
 

Author Comment

by:ckawebcreation
ID: 24334278
hi kevp75,

the login page has always worked using the form on the actual login page, this is the first time the login details are being sent from a form on another page, i guess this changes things a bit, especially when the login details on the querystring are encrypted.  i am not too sure what the crypt= does??  
0
 
LVL 25

Expert Comment

by:kevp75
ID: 24337967
crypt is the querystring in your original post URL
0
 

Author Comment

by:ckawebcreation
ID: 24338948
hi kev,

i realised that, lol! i am not sure where it is referenced in the encryption script?  i think that is the problem, the string is being sent and encrypted and the login page is calling the encryption script but nothing is happening because crypt means nothing to the encryption script, so how do I get the encryption script to read the querystring and decrypt it???
0
 
LVL 25

Expert Comment

by:kevp75
ID: 24339199
strCrypt = Request.QueryString("crypt")
If strCrypt = "" Then
    strCrypt = Request.Form("password")
End If

and change:
TT_rsUser_cmd.Parameters.Append TT_rsUser_cmd.CreateParameter("param2", 200, 1, 30, Request.Form("password")) ' adVarChar


to:
TT_rsUser_cmd.Parameters.Append TT_rsUser_cmd.CreateParameter("param2", 200, 1, 30, strCrypt) ' adVarChar


I think?

It's tough to tell, without more info...  is crypt supposed to be the password, the username, a combination of both?

0
 

Author Comment

by:ckawebcreation
ID: 24373438
Hi keV,

crypt is the username and password key value pair, the receiving page is https, would this make a difference??
0
 
LVL 25

Expert Comment

by:kevp75
ID: 24374022
ok...   using the code you posted above, I come up with a string like this as the decrypted value of 'crypt'

ïoÆ$c7&¬[+-0íS=’u ¿ùôÏQ6·xSF'íRZº¬ëÙKÄà :ÒÆÍíUË`=?[ÙÎSÜÒ¿ú *ØwüÜÑ'5¤½Ú­³ûcîO²t©SÏ´

does that look like it's a username password combo to you?

I would recommend using something else...   no, https doesn't matter as it encrypts the packets
0
 
LVL 25

Accepted Solution

by:
kevp75 earned 500 total points
ID: 24374044
p.s.   I use something called SkipJack encryption, along with a MD5 hash
0
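
The round trip this thread is after, as an added example in Python (not code from the thread or from any poster): the thread's RC4 routine ported to bytes, the token hex-encoded so that `crypt=` is plain ASCII, and the login side decoding, decrypting and splitting it into username and password. The hex encoding, the `username=...&password=...` layout, the function names and the sample key are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

def rc4(data: bytes, key: bytes) -> bytes:
    """Port of the thread's RC4Initialize/EnDeCrypt, working on bytes."""
    sbox, b = list(range(256)), 0
    for a in range(256):                      # key schedule
        b = (b + sbox[a] + key[a % len(key)]) % 256
        sbox[a], sbox[b] = sbox[b], sbox[a]
    i = j = 0
    out = bytearray()
    for byte in data:                         # XOR input with the keystream
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return bytes(out)

def build_login_url(base: str, username: str, password: str, key: bytes) -> str:
    """Sending page: encrypt the key/value pair, hex-encode it, put it in crypt=."""
    plain = urlencode({"username": username, "password": password}).encode("utf-8")
    return base + "?" + urlencode({"crypt": rc4(plain, key).hex()})

def read_login(url: str, key: bytes):
    """Login page: return (username, password), or None if crypt= is unusable."""
    tokens = parse_qs(urlsplit(url).query).get("crypt", [])
    if len(tokens) != 1:
        return None
    try:
        plain = rc4(bytes.fromhex(tokens[0]), key).decode("utf-8")
        fields = parse_qs(plain, strict_parsing=True)
    except ValueError:                        # bad hex, bad UTF-8, or not key=value
        return None
    if set(fields) != {"username", "password"}:
        return None
    if any(len(v) != 1 for v in fields.values()):
        return None
    return fields["username"][0], fields["password"][0]

# Constructed sample values, not taken from the page.
KEY = b"example-shared-key"
URL = build_login_url("https://secure.mysite.co.uk/login.asp",
                      "alice", "p@ss&word=1", KEY)

if __name__ == "__main__":
    print(URL)
    print(read_login(URL, KEY))                # round trip with the shared key
    print(read_login(URL, b"some-other-key"))  # wrong key is rejected
    print(read_login(URL[:-1], KEY))           # truncated token is rejected
```

RC4 under a fixed key produces the same keystream for every login and gives no integrity protection, and a query string is written to server logs and browser history, so this shows the transport and parsing step only.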


Question has a verified solution.
