7 Replies. Latest reply on Feb 3, 2015 1:29 PM by nmreynoso

    AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)

    nmreynoso

      Hi There,

       

      I confess to be a total novice when it comes to VB.  My issue is that a long time ago, someone wrote an Access file that queries our product cart database for encrypted credit cards and then exported the query (containing the decrypted card numbers) to Excel, which was then imported into our FileMaker database.

       

      So now that we currently use 360Works Plastic and are on our way to becoming fully PCI compliant, this exposure must be dealt with.  I have tried using the TROI, ScriptMaster and BaseElements versions of AES decryption, but I always fail.  If I am understanding correctly, this is probably because there is no way to manage an IV?  I am a novice as to encryption as well, so I am including the VB code below in hopes that someone can give me some assistance in replicating this, if there is a way.

       

      ' Module-level state shared by RC4Initialize and EnDeCrypt.
      ' The original listing left these undeclared; they must be at module scope.
      Dim sbox(255)    ' RC4 state array S
      Dim key(255)     ' key bytes, repeated to fill 256 entries
      Dim intLength    ' length of the key string

      Sub RC4Initialize(strPwd)
         ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
         ':::  This routine is called by EnDeCrypt. It initializes the    :::
         ':::  sbox and the key array (standard RC4 key scheduling).     :::
         ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

            Dim tempSwap
            Dim a
            Dim b

            ' The key is used byte for byte (ASCII value of each character),
            ' repeated cyclically; there is no hashing or other derivation.
            intLength = Len(strPwd)
            For a = 0 To 255
               key(a) = Asc(Mid(strPwd, (a Mod intLength) + 1, 1))
               sbox(a) = a
            Next

            b = 0
            For a = 0 To 255
               b = (b + sbox(a) + key(a)) Mod 256
               tempSwap = sbox(a)
               sbox(a) = sbox(b)
               sbox(b) = tempSwap
            Next

         End Sub

         Function EnDeCrypt(plaintxt, psw)
         ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
         ':::  This routine does all the work. Call it both to ENcrypt    :::
         ':::  and to DEcrypt your data (RC4 is its own inverse).         :::
         ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

            Dim temp
            Dim a
            Dim i
            Dim j
            Dim k
            Dim cipherby
            Dim cipher
            Dim plaintxt1

            i = 0
            j = 0
            cipher = ""

            RC4Initialize psw

            ' Restore the NUL byte that was escaped for storage as Chr(1) & "DD".
            plaintxt1 = Replace(plaintxt, Chr(1) & "DD", Chr(0))

            ' Standard RC4 keystream generation, XORed byte by byte into the
            ' input; the output is built as a code-page string via Chr().
            For a = 1 To Len(plaintxt1)
               i = (i + 1) Mod 256
               j = (j + sbox(i)) Mod 256
               temp = sbox(i)
               sbox(i) = sbox(j)
               sbox(j) = temp

               k = sbox((sbox(i) + sbox(j)) Mod 256)

               cipherby = Asc(Mid(plaintxt1, a, 1)) Xor k
               cipher = cipher & Chr(cipherby)
            Next

            EnDeCrypt = cipher
            ' Double apostrophes for use in a SQL literal and escape NUL so the
            ' value survives as text. This runs after decryption too, so any
            ' apostrophe in decrypted text comes back doubled.
            EnDeCrypt = Replace(EnDeCrypt, "'", "''")
            EnDeCrypt = Replace(EnDeCrypt, Chr(0), Chr(1) & "DD")
         End Function

       

      EnDeCrypt is called from a SQL query within Access, thus creating a view:

      IIf(Not IsNull([cardnumber]),EnDeCrypt([cardnumber],'THISISTHEAESKEY'),'') AS car

       

      NOTE: We did consider using our product cart's Authorize.net plug-in so that we didn't have to worry at all about compliance, but so many of our customer orders are for highly customized products and get changed so often that it is not worth even running a simple authorization.  My goal is to be able to query the encrypted card number and then decrypt it into a variable that I will pass to create the payment profile in Authorize.net, then store only the encrypted card number for a short period of time, then purge it, leaving only the first and last four digits of the card number and the expiration date.

       

      FYI, we are using FileMaker 13 clients and servers and the most recent version of 360Works Plastic.  Any assistance you can provide is appreciated!

       

      -Nancy

        • 1. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
          jbarnum

          If you can post an example (not real data!) of the AES key, the specific algorithm being used, and some sample encrypted data, I'd be happy to take a look at doing it in 360Works ScriptMaster.

          • 2. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
            nmreynoso

            Hi There jbarnum!

             

            Sorry it took me so long to respond, but I am glad I looked for more info.  The key was not in the .asp file I was told it would be in, and also this is not AES encryption.  So now I have a key, and the algorithm is RC4 (ARCFOUR), not AES, as you might have suspected (but not me), but at least I am learning.

             

            Here is the info:

             

            KEY: BVPQENQFHQDMOCHPW824632215130

            ENCRYPTED DATA: T[‰[@6/µº l†Ó Q

            ACTUAL TEXT: 5248877045311950 (Don't worry, not a real credit card number)

             

            I hope this will help!

            • 3. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
              jbarnum

              I need to convert the key and the encrypted data into bytes before I can do anything with them.

              Is the key in Base64 format, or something else?

              The data itself is in a strange format. Could you tell me how that is encoded?

              • 4. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
                nmreynoso

                Let me see if I can find a reference to how the key is formatted in the .asp files.  As for the data, it is strange, but as an example I have that Access macro that runs this EnDeCrypt (see below), and I am successfully able to get a decryption, so if we could do the same thing in FileMaker we should be able to get the same result.

                 

                This VB is supposedly used a lot as a method of en/decrypting with RC4, but I can't find anything online that really explains what it is doing in a way I understand.  Someone online said that they were MD5 hashing the key as an extra layer of PCI compliance.  Maybe the Wikipedia explanation will make more sense to you:  RC4 - Wikipedia, the free encyclopedia

                 

                ' Module-level state shared by RC4Initialize and EnDeCrypt.
                ' The original listing left these undeclared; they must be at module scope.
                Dim sbox(255)    ' RC4 state array S
                Dim key(255)     ' key bytes, repeated to fill 256 entries
                Dim intLength    ' length of the key string

                Sub RC4Initialize(strPwd)
                   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                   ':::  This routine is called by EnDeCrypt. It initializes the    :::
                   ':::  sbox and the key array (standard RC4 key scheduling).     :::
                   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                      Dim tempSwap
                      Dim a
                      Dim b

                      ' The key is used byte for byte (ASCII value of each character),
                      ' repeated cyclically; there is no hashing or other derivation.
                      intLength = Len(strPwd)
                      For a = 0 To 255
                         key(a) = Asc(Mid(strPwd, (a Mod intLength) + 1, 1))
                         sbox(a) = a
                      Next

                      b = 0
                      For a = 0 To 255
                         b = (b + sbox(a) + key(a)) Mod 256
                         tempSwap = sbox(a)
                         sbox(a) = sbox(b)
                         sbox(b) = tempSwap
                      Next

                   End Sub

                   Function EnDeCrypt(plaintxt, psw)
                   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
                   ':::  This routine does all the work. Call it both to ENcrypt    :::
                   ':::  and to DEcrypt your data (RC4 is its own inverse).         :::
                   ':::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

                      Dim temp
                      Dim a
                      Dim i
                      Dim j
                      Dim k
                      Dim cipherby
                      Dim cipher
                      Dim plaintxt1

                      i = 0
                      j = 0
                      cipher = ""

                      RC4Initialize psw

                      ' Restore the NUL byte that was escaped for storage as Chr(1) & "DD".
                      plaintxt1 = Replace(plaintxt, Chr(1) & "DD", Chr(0))

                      ' Standard RC4 keystream generation, XORed byte by byte into the
                      ' input; the output is built as a code-page string via Chr().
                      For a = 1 To Len(plaintxt1)
                         i = (i + 1) Mod 256
                         j = (j + sbox(i)) Mod 256
                         temp = sbox(i)
                         sbox(i) = sbox(j)
                         sbox(j) = temp

                         k = sbox((sbox(i) + sbox(j)) Mod 256)

                         cipherby = Asc(Mid(plaintxt1, a, 1)) Xor k
                         cipher = cipher & Chr(cipherby)
                      Next

                      EnDeCrypt = cipher
                      ' Double apostrophes for use in a SQL literal and escape NUL so the
                      ' value survives as text. This runs after decryption too, so any
                      ' apostrophe in decrypted text comes back doubled.
                      EnDeCrypt = Replace(EnDeCrypt, "'", "''")
                      EnDeCrypt = Replace(EnDeCrypt, Chr(0), Chr(1) & "DD")
                   End Function

                • 5. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
                  nmreynoso

                  This is the code behind the key.  It is also out on the internet, so nothing really unique.  Hope this helps:

                   

                  ' Gen Key Functions
                  ' Both generators draw from VB's Rnd, a general-purpose PRNG that
                  ' Randomize seeds from the system timer; it is not a cryptographic
                  ' random source. gen_pass gives A-Z, gen2_pass gives 0-9.
                  Function gen_pass(GEN_NUM)

                  Dim gen_array(26)
                  Dim output
                  Dim num
                  ' ------- Setup array of characters to choose from ------

                  gen_array(0) = "A"
                  gen_array(1) = "B"
                  gen_array(2) = "C"
                  gen_array(3) = "D"
                  gen_array(4) = "E"
                  gen_array(5) = "F"
                  gen_array(6) = "G"
                  gen_array(7) = "H"
                  gen_array(8) = "I"
                  gen_array(9) = "J"
                  gen_array(10) = "K"
                  gen_array(11) = "L"
                  gen_array(12) = "M"
                  gen_array(13) = "N"
                  gen_array(14) = "O"
                  gen_array(15) = "P"
                  gen_array(16) = "Q"
                  gen_array(17) = "R"
                  gen_array(18) = "S"
                  gen_array(19) = "T"
                  gen_array(20) = "U"
                  gen_array(21) = "V"
                  gen_array(22) = "W"
                  gen_array(23) = "X"
                  gen_array(24) = "Y"
                  gen_array(25) = "Z"

                  output = ""
                  Randomize
                  ' ------- Generate the string until the length GEN_NUM is met ------
                  Do While Len(output) < GEN_NUM
                    num = gen_array(Int((25 - 0 + 1) * Rnd + 0))   ' index 0..25
                    output = output & num
                  Loop

                  ' ------- Let function result = output ------

                  gen_pass = output
                  End Function

                  Function gen2_pass(GEN_NUM)

                  Dim gen2_array(10)
                  Dim output
                  Dim num
                  ' ------- Setup array of characters to choose from ------

                  gen2_array(0) = "0"
                  gen2_array(1) = "1"
                  gen2_array(2) = "2"
                  gen2_array(3) = "3"
                  gen2_array(4) = "4"
                  gen2_array(5) = "5"
                  gen2_array(6) = "6"
                  gen2_array(7) = "7"
                  gen2_array(8) = "8"
                  gen2_array(9) = "9"

                  output = ""
                  Randomize
                  ' ------- Generate the string until the length GEN_NUM is met ------
                  Do While Len(output) < GEN_NUM
                    num = gen2_array(Int((9 - 0 + 1) * Rnd + 0))   ' index 0..9
                    output = output & num
                  Loop
                  ' ------- Let function result = output ------

                  gen2_pass = output
                  End Function

                  • 6. Re: AES 256 CBC Decryption (PCI Compliance  Credit Cards on Product Cart)
                    jbarnum

                    The VB script is not using any standard methodology; it's all proprietary. Unfortunately, that means that there is a lot of work involved in reproducing the VB script. I'm sorry, I thought this would be a quick thing, but I'm not going to be able to help with this.
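The RC4 routine posted in the original post and again in reply 4, and the key generator from reply 5, reimplemented in Python 3 as an added example. This is not code from the thread, from 360Works or from the product cart. Two things the posted VB shows on its own: the two loops in RC4Initialize and EnDeCrypt are the standard RC4 key-scheduling and keystream steps, and the key is consumed as the ASCII code of each character (so it is neither Base64 nor MD5-hashed, and the sample key's shape, 17 letters then 12 digits, is exactly gen_pass followed by gen2_pass). The non-standard parts are only the storage encoding at the end of EnDeCrypt: NUL escaped as Chr(1) & "DD" and apostrophes doubled for SQL. Assumptions labelled here and in the code: the stored value is the raw RC4 output seen through Windows code page 1252 (the characters in the pasted sample, ‰ µ º † Ó, are all cp1252 high-half characters, but the sample lost its unprintable bytes in transit, so it is not decrypted here), and the database collapses the doubled apostrophes when the row is read. Names such as `encrypt_for_storage` and `read_back_from_sql` are this example's own.

```python
"""RC4 plus the storage escaping of the posted VB EnDeCrypt, in Python 3.
Added example, not code from the thread or from 360Works.
Assumption: values are stored as Windows-1252 text and SQL collapses '' to '."""
import string

CODE_PAGE = "cp1252"          # assumption: ANSI code page of the Windows host
# Alphabet of the posted gen_pass/gen2_pass generators (A-Z, then 0-9).
GENERATOR_ALPHABET = frozenset(string.ascii_uppercase + string.digits)

# Values quoted in the thread (the PAN is the poster's non-real sample).
SAMPLE_KEY = "BVPQENQFHQDMOCHPW824632215130"
SAMPLE_PAN = "5248877045311950"


def looks_like_generated_key(key_str: str) -> bool:
    """True if every character could have come from gen_pass/gen2_pass.
    A Base64- or hex-looking string fails, a quick check that the right
    secret was copied out of the .asp file."""
    return bool(key_str) and set(key_str) <= GENERATOR_ALPHABET


def key_bytes(key_str: str) -> bytes:
    """RC4Initialize uses Asc() of each key character: the key bytes are the
    ASCII codes of the string as-is, with no decoding or hashing step."""
    if not looks_like_generated_key(key_str):
        raise ValueError("key contains characters outside A-Z0-9")
    return key_str.encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) then keystream generation (PRGA).
    The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA, as in RC4Initialize
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # PRGA, as in EnDeCrypt's loop
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bytes_to_text(raw: bytes) -> str:
    # Python's cp1252 codec rejects the five bytes (81 8D 8F 90 9D) the code
    # page leaves undefined; surrogateescape keeps them round-trippable.
    return raw.decode(CODE_PAGE, errors="surrogateescape")


def text_to_bytes(text: str) -> bytes:
    return text.encode(CODE_PAGE, errors="surrogateescape")


def vb_escape(raw: bytes) -> str:
    """Mirror the tail of EnDeCrypt: code-page string with '' for ' and
    Chr(1)&"DD" for NUL, ready to paste into a SQL literal."""
    return bytes_to_text(raw).replace("'", "''").replace("\x00", "\x01DD")


def vb_unescape(stored: str) -> bytes:
    """Undo the storage encoding of a value read back from the database
    (SQL already collapsed '' to ', so only the NUL escape remains)."""
    return text_to_bytes(stored.replace("\x01DD", "\x00"))


def encrypt_for_storage(key_str: str, plaintext: str) -> str:
    return vb_escape(rc4(key_bytes(key_str), text_to_bytes(plaintext)))


def decrypt_from_storage(key_str: str, stored: str) -> str:
    """Recover the plaintext without re-applying the escaping that EnDeCrypt
    also performs on the decrypt direction (harmless for digit-only PANs)."""
    return bytes_to_text(rc4(key_bytes(key_str), vb_unescape(stored)))


def read_back_from_sql(literal: str) -> str:
    """What the database hands back for a value inserted as a quoted
    literal: the doubled apostrophes are single again (assumption)."""
    return literal.replace("''", "'")


if __name__ == "__main__":
    stored = encrypt_for_storage(SAMPLE_KEY, SAMPLE_PAN)
    print(repr(stored))
    print(decrypt_from_storage(SAMPLE_KEY, read_back_from_sql(stored)))
```

Two caveats worth keeping in mind when porting this to FileMaker or ScriptMaster. First, the escaping in the posted VB is ambiguous: if RC4 output happens to contain the byte run 01 44 44, the decrypt path collapses it to a single NUL and the card number comes back corrupted, so a port should log rather than silently accept a decrypted value that is not all digits. Second, everything hinges on reading the stored text back through the same code page the ASP and Access side used to write it; a FileMaker import that transcodes the column to UTF-8 first will alter every byte above 0x7F and the decryption will fail even with the right key.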