EldoS | Feel safer!

Software components for data protection, secure storage and transfer

ElMessageEncryptor/Decryptor or ElXmlEncryptor/Decryptor

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
#11194
Posted: 09/29/2009 10:19:45
by David MICHEL (Standard support level)
Joined: 09/23/2009
Posts: 48

Hello,

I carry out the following operations :

For <TransactionKey> :
1. To decode in base64 of TransactionKey.
2. To decipher TransactionKey by using my private key RSA.

For <OrderData> :
3. To decode in base64 the statistical data.
4. To decipher the data with TransactionKey by using algorithm AES-256.
5. To decompress the result.

The various values is in a XML syntax :

Code
  <DataTransfer>
    <DataEncryptionInfo authenticate="true">
      <EncryptionPubKeyDigest Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" Version="E002">
        jq06ChCzE65e4aQ6mndJhZBoUxSGh/Sz00blDwgDx3s=
      </EncryptionPubKeyDigest>
      <TransactionKey>
        lQVQI2ngrZGGb92ItFN3Iyg60...
      </TransactionKey>
    </DataEncryptionInfo>
    <OrderData>
      mmYrJA2t0BhgMx8+z15G9IHpn6ocMIMpo8w//qx7xcXueTXY06cJth1QyEuzRLQLYWOyPxkvu...
    </OrderData>
  </DataTransfer>


Must one use the components ElMessageEncryptor/Decryptor or ElXmlEncryptor/Decryptor

In my code, I have an error on the level of the Decrypt function. I use ElMessageEncryptorDecryptor

Code
  //Select Public Key Certificate
  AssignFile(F, fileCertChif);
  Reset(F, 1);
  SetLength(Buf, FileSize(F));
  BlockRead(F, Buf[0], Length(Buf));
  System.CloseFile(F);
  Cert := TElX509Certificate.Create(nil);

  Cert.LoadFromBufferPEM(@Buf[0], Length(Buf), '');

  Sz := 0;
  Cert.SaveKeyToBuffer(nil, Sz);

  //Select private key file
  if (Sz = 0) then
  begin
    AssignFile(F, fileKeyChif);
    Reset(F, 1);
    SetLength(Buf, FileSize(F));
    BlockRead(F, Buf[0], Length(Buf));
    System.CloseFile(F);

    Cert.LoadKeyFromBufferPEM(@Buf[0], Length(Buf), Trim(UFonctions.LectureFichierDonnees(fichPass)));
  end;

  //Composant sur la fiche
  MemCertStore.Add(Cert);
  Cert.Free;

  fileDecodeB64 => Contains the value of the TransactionKey node decoded in base64.
  fileTransactCle => Contains the value of the OrderData node decoded in base64.

  //Read
  AssignFile(F, fileDecodeB64);
  Reset(F, 1);
  SetLength(InBuf, FileSize(F));
  BlockRead(F, InBuf[0], Length(InBuf));
  System.CloseFile(F);
  Sz := 0;

  //ERROR
  MsgDecrypt.Decrypt(@InBuf[0], Length(InBuf), nil, Sz);
  SetLength(OutBuf, Sz);
  
  //ERROR
  i := MsgDecrypt.Decrypt(@InBuf[0], Length(InBuf), @OutBuf[0], Sz);

  if i = 0 then
  begin
    //Write
    ShowMessage('Successfully decrypted');
    SetLength(OutBuf, Sz);
    AssignFile(F, fileTransactCle);
    Rewrite(F, 1);
    BlockWrite(F, OutBuf[0], Sz);
    System.CloseFile(F);
  end
  else
   ShowMessage('Decryption failed');


Sincerely yours,
David MICHEL.
#11196
Posted: 09/29/2009 10:49:57
by Ken Ivanov (EldoS Corp.)

TElMessageEncryptor/TElMessageDecryptor deal with PKCS#7-encrypted messages. Please use TElXMLEncryptor/TElXMLDecryptor for securing XML documents.
#11197
Posted: 09/29/2009 13:54:22
by Dmytro Bogatskyy (EldoS Corp.)

In fact ElXMLEncryptor/TElXMLDecryptor will not help here, as it is an EBICS standard.
To decrypt this kind of message you need:
1. Retrieve an appropriate RSA key based on EncryptionPubKeyDigest value.
2. Decrypt session key from TransactionKey element using TElRSAPublicKeyCrypto class.
3. Decrypt a data from OrderData element using TElAESSymmetricCrypto class (in CBC mode) and decrypted session key.
#11198
Posted: 09/30/2009 09:34:40
by David MICHEL (Standard support level)
Joined: 09/23/2009
Posts: 48

ok, Thank you.

I modified my code :

//Step 1 : Decrypt session key from TransactionKey element using TElRSAPublicKeyCrypto class.

Code
  DecryptRSA := TElRSAPublicKeyCrypto.Create();
  ClePrivate := TElRSAKeyMaterial.Create();
  try
    try

      //Load Private Key
      fsClePriv := TFileStream.Create(fichCleChif, fmOpenRead or fmShareDenyWrite);
      try
        ClePrivate.Passphrase := '123ABC';
        ClePrivate.LoadSecret(fsClePriv);
      finally
        FreeAndNil(fsClePriv);
      end;


      DecryptRSA.KeyMaterial := ClePrivate;
      DecryptRSA.InputEncoding := pkeBase64;
      DecryptRSA.OutputEncoding := pkeBinary;

      fichSource := 'D:\GestionEBICS\GestionEBICS\Temp\CleTransactCoderB64.b64';
      fichDest   := 'D:\GestionEBICS\GestionEBICS\Temp\CleTransact.txt';

      //Decrypt
      fsSource := TFileStream.Create(fichSource, fmOpenRead);
      try
        fsDest := TFileStream.Create(fichDest, fmCreate);
        try
          DecryptRSA.Decrypt(fsSource, fsDest);
        finally
          FreeAndNil(fsDest);
        end;
      finally
        FreeAndNil(fsSource);
      end;

    finally
      FreeAndNil(ClePrivate);
      FreeAndNil(DecryptRSA);
    end;

    MessageDlg('La cle de transaction a ete decrypter avec succes.', mtInformation, [mbOk], 0);

  except
    on E : Exception do
      MessageDlg(E.Message, mtError, [mbOk], 0);
  end;


//Step 2 : Decrypt a data from OrderData element using TElAESSymmetricCrypto class (in CBC mode) and decrypted session key.

Code
  DechiffreAES := TElAESSymmetricCrypto.Create(cmCBC);
  CleTransact  := TElSymmetricKeyMaterial.Create();
  try
    try

      //Load Session Key
      fsCleTransact := TFileStream.Create(fichDest, fmOpenRead or fmShareDenyWrite);
      try
        CleTransact.Load(fsCleTransact);
      finally
        FreeAndNil(fsCleTransact);
      end;

      DechiffreAES.KeyMaterial := CleTransact;
      DechiffreAES.Padding := cpNone;  //Padding PKCS#1

      fichSource := 'D:\GestionEBICS\GestionEBICS\Temp\DataChiff.enc';
      fichDest   := 'D:\GestionEBICS\GestionEBICS\Temp\Data.txt';

      //Decrypt Data with session key
      fsSource := TFileStream.Create(fichSource, fmOpenRead);
      try
        fsDest := TFileStream.Create(fichDest, fmCreate);
        try
          DechiffreAES.Decrypt(fsSource, fsDest);
        finally
          FreeAndNil(fsDest);
        end;
      finally
        FreeAndNil(fsSource);
      end;

    finally
      FreeAndNil(CleTransact);
      FreeAndNil(DechiffreAES);
    end;

    MessageDlg('Les donnees ont ete dechiffre avec succes.', mtInformation, [mbOk], 0);

  except
    on E : Exception do
      MessageDlg(E.Message, mtError, [mbOk], 0);
  end;


In step 2, I have the error :
Invalid Key Format

Code
CleTransact.Load(fsCleTransact);


For information, in the standard ebics, the key of session to a length of 128 bits.

The result of the session key is :
Code
&#235;&#196;(&#249;[&#253;QE
‚   j&#226;&#186;

Is what I forgot of the parameters ?


Sincerely yours,
David MICHEL.
#11199
Posted: 09/30/2009 12:32:07
by Dmytro Bogatskyy (EldoS Corp.)

Quote
In step 2, I have the error :
Invalid Key Format

The key and IV can be loaded if they were previously saved using Save method. It's not a standard format.
Set a session key to CleTransact.Key property directly.
#11207
Posted: 10/01/2009 09:11:07
by David MICHEL (Standard support level)
Joined: 09/23/2009
Posts: 48

How to use the method save ?

Apparently, it needs also parameter IV to decipher my data with AES 128 and session key.

However, I do not know value IV.


Sincerely yours,
David MICHEL.
#11210
Posted: 10/01/2009 10:50:16
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Apparently, it needs also parameter IV to decipher my data with AES 128 and session key.
However, I do not know value IV.

On page 263 of EBICS standard version 2.4.1 is written:
Quote

- AES-128 (key length 128 bit) in CBC mode
- ICV (Initial Chaining Value) = 0

So, I assume that it is a zero vector. You can set it in the following way:
Code
  var IV: ByteArray;
  SetLength(IV, 16);
  CleTransact.IV := IV;
#11218
Posted: 10/02/2009 02:57:57
by David MICHEL (Standard support level)
Joined: 09/23/2009
Posts: 48

Thank you very much. That goes very well. :-)


The only problem, it is the reading of a key of session which contains a CR/LF.

I have at the time of the deciphering, the message “Invalid symmetric cipher padding”.

Code
      fsCleTransact := TFileStream.Create(fichDest, fmOpenRead or fmShareDenyWrite);
      try

        SetLength(key,16);
        fsCleTransact.ReadBuffer(Pointer(Key)^,length(Key));
        CleTransact.Key := Key;  

        SetLength(IV,16);
        CleTransact.IV  := IV;

      finally
        FreeAndNil(fsCleTransact);
      end;      
      
      DechiffreAES.KeyMaterial := CleTransact;
      DechiffreAES.Padding     := cpNone;


Sincerely yours,
David MICHEL.
#11221
Posted: 10/02/2009 06:47:23
by Eugene Mayevski (EldoS Corp.)

Keys are binary values and should not be used as is. If you have some key that you want to represent as string, you need to encode it with Base16 (0-9,A-F) or Base64 encoding.


Sincerely yours
Eugene Mayevski
#11224
Posted: 10/02/2009 07:40:46
by David MICHEL (Standard support level)
Joined: 09/23/2009
Posts: 48

I should have specified that my key of session already was decoded in base64 and was deciphered with my private key RSA.

It is in the result of the key of session, or there are a CR/LF who must be badly interpreted in this code :

Code
  DechiffreAES := TElAESSymmetricCrypto.Create(cmCBC);
  CleTransact  := TElSymmetricKeyMaterial.Create();
  try
    try

      //Load Session Key
      fsCleTransact := TFileStream.Create(fichDest, fmOpenRead or fmShareDenyWrite);
      try

        SetLength(key,16);
        fsCleTransact.ReadBuffer(Pointer(Key)^,length(Key));
        CleTransact.Key := Key;  

        SetLength(IV,16);
        CleTransact.IV  := IV;

      finally
        FreeAndNil(fsCleTransact);
      end;

      DechiffreAES.KeyMaterial := CleTransact;
      DechiffreAES.Padding := cpNone;

      //Decrypt Data with session key
      fsSource := TFileStream.Create(fichSource, fmOpenRead);
      try
        fsDest := TFileStream.Create(fichDest, fmCreate);
        try
          DechiffreAES.Decrypt(fsSource, fsDest);
        finally
          FreeAndNil(fsDest);
        end;
      finally
        FreeAndNil(fsSource);
      end;

    finally
      FreeAndNil(CleTransact);
      FreeAndNil(DechiffreAES);
    end;

    MessageDlg('Les donnees ont ete dechiffre avec succes.', mtInformation, [mbOk], 0);

  except
    on E : Exception do
      MessageDlg(E.Message, mtError, [mbOk], 0);
  end;


...
But, after a new test, I did not have this problem any more...

Thank you for your assistance.




Sincerely yours,
David MICHEL.
Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.

Reply

Statistics

Topic viewed 2655 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!