7 Replies Latest reply on Feb 3, 2015 1:29 PM by nmreynoso

# AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

Hi There,

I confess to be a total novice when it comes to VB. My issue is that a long time ago, someone wrote an Access file that queries our product cart database for encrypted credit cards and then exported the query (containing the decrypted card numbers) to Excel, which was then imported into our FileMaker database.

So now that we currently use 360Works Plastic and are on our way to becoming fully PCI compliant, this exposure must be dealt with. I have tried using the Troi, ScriptMaster and BaseElements versions of AES decryption, but I always fail. If I am understanding correctly, this is probably because there is no way to manage an IV? I am a novice as to encryption as well, so I am including the VB code below in hopes that someone can give me some assistance in replicating this, if there is a way.

```vb
' Module-level state shared by the two routines. These declarations are missing
' from the original posting and are needed if Option Explicit is on.
Dim sbox(255)   ' RC4 state array S
Dim key(255)    ' key bytes, repeated to fill all 256 slots
Dim intLength   ' number of characters in the key

Sub RC4Initialize(strPwd)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
':::  This routine called by EnDeCrypt function. Initializes the :::
':::  sbox and the key array)                                    :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
' This is the RC4 key-scheduling algorithm (KSA).

    Dim tempSwap
    Dim a
    Dim b

    intLength = Len(strPwd)
    For a = 0 To 255
        key(a) = Asc(Mid(strPwd, (a Mod intLength) + 1, 1))  ' key byte, key repeated cyclically
        sbox(a) = a                                          ' identity permutation
    Next

    b = 0
    For a = 0 To 255
        b = (b + sbox(a) + key(a)) Mod 256
        tempSwap = sbox(a)
        sbox(a) = sbox(b)
        sbox(b) = tempSwap
    Next

End Sub

Function EnDeCrypt(plaintxt, psw)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
':::  This routine does all the work. Call it both to ENcrypt    :::
':::  and to DEcrypt your data.                                  :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
' RC4 keystream generation (PRGA) XORed byte by byte with the input.
' The input is the raw ciphertext bytes held in a VB string (no Base64 or hex).

    Dim temp
    Dim a
    Dim i
    Dim j
    Dim k
    Dim cipherby
    Dim cipher
    Dim plaintxt1

    i = 0
    j = 0

    RC4Initialize psw

    'restore special character: Chr(1) & "DD" is the stored stand-in for a NUL byte
    plaintxt1 = Replace(plaintxt, Chr(1) & "DD", Chr(0))

    For a = 1 To Len(plaintxt1)
        i = (i + 1) Mod 256
        j = (j + sbox(i)) Mod 256
        temp = sbox(i)
        sbox(i) = sbox(j)
        sbox(j) = temp

        k = sbox((sbox(i) + sbox(j)) Mod 256)   ' next keystream byte

        cipherby = Asc(Mid(plaintxt1, a, 1)) Xor k
        cipher = cipher & Chr(cipherby)
    Next

    EnDeCrypt = cipher
    ' escape quotes for SQL and replace the special character (NUL) so the
    ' result can be stored in a text column
    EnDeCrypt = Replace(EnDeCrypt, "'", "''")
    EnDeCrypt = Replace(EnDeCrypt, Chr(0), Chr(1) & "DD")
End Function
```

The EnDeCrypt function is called from a SQL query within Access, thus creating a view:

```sql
IIf(Not IsNull([cardnumber]),EnDeCrypt([cardnumber],'THISISTHEAESKEY'),'') AS car
```

NOTE: We did consider using our product cart's Authorize.net plug-in so that we didn't have to worry at all about compliance, but so many of our customer orders are for highly customized products and change so often that it is not worth even running a simple authorization. My goal is to be able to query the encrypted card number and then decrypt it into a variable that I will pass to create the payment profile in Authorize.net, then store only the encrypted card number for a short period of time and then purge it, leaving only the first and last four digits of the card number and the expiration date.

FYI, we are using Filemaker 13 Clients and Servers and the most recent version of 360Works Plastic.  Any assistance you can provide is appreciated!

-Nancy

###### 1. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

If you can post an example (not real data!) of the AES key, the specific algorithm being used, and some sample encrypted data, I'd be happy to take a look at doing it in 360Works ScriptMaster.

###### 2. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

Hi There jbarnum!

Sorry it took me so long to respond, but I am glad I looked for more info. The key was not in the .asp file I was told it would be in, and also this is not AES encryption. So now I have a key, and the algorithm is RC4 or ARCFOUR, not AES, as you might have suspected (but not me), but at least I am learning.

Here is the info:

KEY: BVPQENQFHQDMOCHPW824632215130

ENCRYPTED DATA: T[‰[@6/µº l†Ó Q

ACTUAL TEXT: 5248877045311950 (Don't worry, not a real credit card number)

I hope this will help!

###### 3. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

I need to convert the key and the encrypted data into bytes before I can do anything with them.

Is the key in Base64 format, or something else?

The data itself is in a strange format. Could you tell me how that is encoded?

###### 4. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

Let me see if I can find a reference to how the key is formatted in the .asp files. As for the data, it is strange, but as an example I have that Access macro that runs this EnDeCrypt (see below) and I am successfully able to get a decryption, so if we could do the same thing in FileMaker we should be able to get the same result.

This VB code is supposedly used a lot as a method of encrypting/decrypting with RC4, but I can't find anything online that really explains what it is doing in a way I understand. Someone online said that they were MD5 hashing the key as an extra layer of PCI compliance. Maybe the Wikipedia explanation will make more sense to you: RC4 - Wikipedia, the free encyclopedia

```vb
' Module-level state shared by the two routines. These declarations are missing
' from the original posting and are needed if Option Explicit is on.
Dim sbox(255)   ' RC4 state array S
Dim key(255)    ' key bytes, repeated to fill all 256 slots
Dim intLength   ' number of characters in the key

Sub RC4Initialize(strPwd)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
':::  This routine called by EnDeCrypt function. Initializes the :::
':::  sbox and the key array)                                    :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
' This is the RC4 key-scheduling algorithm (KSA).

    Dim tempSwap
    Dim a
    Dim b

    intLength = Len(strPwd)
    For a = 0 To 255
        key(a) = Asc(Mid(strPwd, (a Mod intLength) + 1, 1))  ' key byte, key repeated cyclically
        sbox(a) = a                                          ' identity permutation
    Next

    b = 0
    For a = 0 To 255
        b = (b + sbox(a) + key(a)) Mod 256
        tempSwap = sbox(a)
        sbox(a) = sbox(b)
        sbox(b) = tempSwap
    Next

End Sub

Function EnDeCrypt(plaintxt, psw)
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
':::  This routine does all the work. Call it both to ENcrypt    :::
':::  and to DEcrypt your data.                                  :::
':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
' RC4 keystream generation (PRGA) XORed byte by byte with the input.
' The input is the raw ciphertext bytes held in a VB string (no Base64 or hex).

    Dim temp
    Dim a
    Dim i
    Dim j
    Dim k
    Dim cipherby
    Dim cipher
    Dim plaintxt1

    i = 0
    j = 0

    RC4Initialize psw

    'restore special character: Chr(1) & "DD" is the stored stand-in for a NUL byte
    plaintxt1 = Replace(plaintxt, Chr(1) & "DD", Chr(0))

    For a = 1 To Len(plaintxt1)
        i = (i + 1) Mod 256
        j = (j + sbox(i)) Mod 256
        temp = sbox(i)
        sbox(i) = sbox(j)
        sbox(j) = temp

        k = sbox((sbox(i) + sbox(j)) Mod 256)   ' next keystream byte

        cipherby = Asc(Mid(plaintxt1, a, 1)) Xor k
        cipher = cipher & Chr(cipherby)
    Next

    EnDeCrypt = cipher
    ' escape quotes for SQL and replace the special character (NUL) so the
    ' result can be stored in a text column
    EnDeCrypt = Replace(EnDeCrypt, "'", "''")
    EnDeCrypt = Replace(EnDeCrypt, Chr(0), Chr(1) & "DD")
End Function
```

###### 5. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

This is the code behind the key.  It is also out on the internet so nothing really unique.  Hope this helps:

```vb
' Gen Key Functions
' (VBScript from the cart's .asp files. Randomize seeds from the system timer
' and Rnd is not a cryptographic random number generator.)
Function gen_pass(GEN_NUM)

    Dim gen_array(26)   ' 27 slots; only 0 to 25 are used
    Dim output, num     ' not declared in the original posting
    ' ------- Setup array of characters to chose from ------

    gen_array(0) = "A"
    gen_array(1) = "B"
    gen_array(2) = "C"
    gen_array(3) = "D"
    gen_array(4) = "E"
    gen_array(5) = "F"
    gen_array(6) = "G"
    gen_array(7) = "H"
    gen_array(8) = "I"
    gen_array(9) = "J"
    gen_array(10) = "K"
    gen_array(11) = "L"
    gen_array(12) = "M"
    gen_array(13) = "N"
    gen_array(14) = "O"
    gen_array(15) = "P"
    gen_array(16) = "Q"
    gen_array(17) = "R"
    gen_array(18) = "S"
    gen_array(19) = "T"
    gen_array(20) = "U"
    gen_array(21) = "V"
    gen_array(22) = "W"
    gen_array(23) = "X"
    gen_array(24) = "Y"
    gen_array(25) = "Z"

    Randomize
    ' ------- Generate the string until the length of max_num is met ------
    Do While Len(output) < GEN_NUM
        num = gen_array(Int((25 - 0 + 1) * Rnd + 0))   ' random index 0..25
        output = output + num
    Loop

    ' ------- Let function result = output ------

    gen_pass = output
End Function

Function gen2_pass(GEN_NUM)

    Dim gen2_array(10)  ' 11 slots; only 0 to 9 are used
    Dim output, num     ' not declared in the original posting
    ' ------- Setup array of characters to chose from ------

    gen2_array(0) = "0"
    gen2_array(1) = "1"
    gen2_array(2) = "2"
    gen2_array(3) = "3"
    gen2_array(4) = "4"
    gen2_array(5) = "5"
    gen2_array(6) = "6"
    gen2_array(7) = "7"
    gen2_array(8) = "8"
    gen2_array(9) = "9"

    Randomize
    ' ------- Generate the string until the length of max_num is met ------
    Do While Len(output) < GEN_NUM
        num = gen2_array(Int((9 - 0 + 1) * Rnd + 0))   ' random index 0..9
        output = output + num
    Loop
    ' ------- Let function result = output ------

    gen2_pass = output
End Function
```

###### 6. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

The VB script is not using any standard methodology, it's all proprietary. Unfortunately, that means that there is a lot of work involved in reproducing the VB script. I'm sorry, I thought this would be a quick thing, but I'm not going to be able to help with this.

###### 7. Re: AES 256 CBC Decryption (PCI Compliance: Credit Cards on Product Cart)

I do thank you for trying jbarnum.
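Added example, not code from this thread or from 360Works: a Python port of the RC4Initialize/EnDeCrypt routines posted in the original question and again in reply 4. Read next to those routines, the VB code is plain RC4 (the KSA and PRGA as described in the Wikipedia article linked in reply 4; no IV, and no MD5 of the key anywhere in the posted code) wrapped in two text-handling steps: Chr(1)&"DD" stands in for a NUL byte in the stored value, and single quotes are doubled for SQL. The port checks itself against the published RC4 test vectors and then round-trips the sample key and fake card number from reply 2. It assumes the stored ciphertext can be retrieved as exactly the bytes the VB code produced; the key string `BVPQENQFHQDMOCHPW824632215130` and card `5248877045311950` are the thread's own test values.

```python
# Added example: byte-compatible Python port of the VBA RC4Initialize/EnDeCrypt
# routines from the thread (not the poster's or 360Works' code).

NUL_ESCAPE = b"\x01DD"   # the VB code's stand-in for a NUL byte in stored text


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm, identical to RC4Initialize: the key repeats modulo its length."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA and XOR, identical to the For loop in EnDeCrypt; one call both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def vb_endecrypt(text: bytes, psw: bytes) -> bytes:
    """
    Full equivalent of the VBA EnDeCrypt function, wrappers included:
      1. before RC4, Chr(1)&"DD" in the input is turned back into a NUL byte;
      2. after RC4, single quotes are doubled (SQL string-literal escaping) and NUL
         bytes become Chr(1)&"DD" so the result survives in a text column.
    """
    data = text.replace(NUL_ESCAPE, b"\x00")
    raw = rc4_crypt(psw, data)
    return raw.replace(b"'", b"''").replace(b"\x00", NUL_ESCAPE)


def sql_unescape_quotes(value: bytes) -> bytes:
    """Undo the quote doubling; this is what the database does when the INSERT is parsed."""
    return value.replace(b"''", b"'")


def decrypt_stored(stored: bytes, psw: bytes) -> str:
    """Decrypt one stored card-number value the way the Access query does, returning text."""
    return vb_endecrypt(stored, psw).decode("ascii")


def roundtrip(card: bytes, psw: bytes) -> bytes:
    """Encrypt as the cart would, simulate SQL unescaping on insert, then decrypt like the Access view."""
    stored = sql_unescape_quotes(vb_endecrypt(card, psw))
    return vb_endecrypt(stored, psw)


# Published RC4 test vectors (key, plaintext, ciphertext hex) from the linked Wikipedia article.
# If these pass, the core of the VB routine is standard RC4 and any RC4 library will do.
KNOWN_VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def self_check() -> bool:
    """True when rc4_crypt matches the published vectors and the VB wrapper round-trips."""
    vectors_ok = all(rc4_crypt(k, p).hex() == c for k, p, c in KNOWN_VECTORS)
    # Sample values from reply 2 of the thread (the card number there is stated to be fake).
    psw = b"BVPQENQFHQDMOCHPW824632215130"
    card = b"5248877045311950"
    return vectors_ok and roundtrip(card, psw) == card


if __name__ == "__main__":
    print("self-check:", "OK" if self_check() else "FAILED")
```

Two practical caveats for anyone reproducing this in ScriptMaster or any other RC4 implementation. First, the "strange format" of the ciphertext is just raw bytes: the VB code keeps them inside a VB string, so every hop through Excel or FileMaker must preserve the bytes unchanged (no Unicode re-encoding), and the key is the literal bytes of the key string, not Base64. Second, the wrapper is lossy by design: if the ciphertext happens to contain the three bytes `01 44 44`, the "restore special character" step turns them into a NUL before decryption and that record will not decrypt correctly, so a one-time migration should log any card that fails a Luhn or length check rather than assume the port is wrong. Since RC4 under a single static key provides no integrity and is not an acceptable way to keep storing card data, the port is only useful for the purge the original post describes.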