EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SB_MESSAGE_ERROR_CONTENT_DECRYPTION_FAILED in some MIME message

Also by EldoS: Callback File System
Create virtual file systems and disks, expose and manage remote data as if they were files on the local disk.
#4801
Posted: 01/28/2008 10:46:50
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

I have an application that reads mail from a dedicated POP3 mailbox, decrypt the content of the message (using a private key stored in a iToken 32k USB token) and then verify the signature of the attached PDF file.

I'm experiencing some problem with a user. Specifically, when calling TElMessagePartHandlerSMIME(myobject).MessagePartHandler.Decode(false), I receive an exception with the text "Decrypt message error code: 8197"

Looking up that code in the source, I found out that it means SB_MESSAGE_ERROR_CONTENT_DECRYPTION_FAILED. Specifically, if an internal call to "DecryptContent" returns false, that error is raised.

Now:
- The mail sender sends a lot of other files (a few dozens a day). All are encrypted with the same public key (the one of the message recipient)
- The recipient is able to decrypt correctly most messages, only a few have problems.
- The error can be reproduced ON THE SAME MESSAGE several time, even if the user reboots the machine (to make sure it's not a token access error).

Now, I have no idea what's causing this error. I don't have access to the original message so I can't run any tests on it.

Anyone got an idea about what the problem could be ? How to fix it ?
#4802
Posted: 01/28/2008 11:09:20
by Eugene Mayevski (EldoS Corp.)

This error is returned when DecryptContent function fails. And it can fail in jsut two cases - (a) the output buffer size was calculated wrong and the buffer is too small and (b) for RC2 algorithm the key parameters couldn't be extracted.

Both of these errors should not happen under normal circumstances. The easiest way to solve the problem is try to encrypt the data that causes the error with the test certificate (the one included with SecureBlackbox, for example) and send us this data. We will investigate the issue deeper.


Sincerely yours
Eugene Mayevski
#4809
Posted: 01/29/2008 09:02:55
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Thank you for your answer.

I can't get the original data, I'm afraid. I'm still trying to collect more information about this.

However, the program works by downloading the mail locally, saving it in a local folder and reading it from there. When it starts, it will also check if there is some locally saved message that hasn't be processed.

Could it be that the original download was cut off in the middle of the transmission ? Assuming that the base64 encoded string was cut at multiple of 4 length, it will decode correctly, if incompletely.

Thank you again,
Stephane
#4810
Posted: 01/29/2008 09:33:01
by Eugene Mayevski (EldoS Corp.)

Unfortunately it's hard to say without having the actual data at hand :(. I doubt that it can be due to incomplete package.


Sincerely yours
Eugene Mayevski
#5068
Posted: 02/19/2008 09:36:20
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Hello,

Sorry to practice thread necromancy, but the customer came back to me concerning that issue. I have a few more details, but I have no idea what I should ask for next:

1/ The error happens quite frequently. That means about once a day which means roughly once every 50 messages.
2/ There is no apparent pattern to the problem: all senders are affected, a first message from a sender will go through, the next will fail and the next will work fine again.
3/ It's not a program state issue: restarting the program and feeding it the same data fails systematically (although other messages encrypted with the same public key will work fine).

Now for the fun part: getting more information:

- I've asked the customer for a sample. I'm not sure what I could do with it since I don't have the private key.
- Asking for the sender to resend the message with a different key (the demo one) is not an option since the problem is not systematic (i.e. I haven't been able to find a way to reproduce it consistently).
- Both the signing/encryption and decryption/validation are done with SBB.

How should I handle this ? I'm getting out of ideas.

Thank you,
Stephane
#5069
Posted: 02/19/2008 11:02:03
by Ken Ivanov (EldoS Corp.)

You asked your customer for the right things, thank you.

Actually, it would be great to have (a) both unencrypted and encrypted message and (b) the code that is used for message encryption and decryption. Having these information, we can investigate the issue and try to find the reason for it.

BTW, would you be so kind to clarify your words:
Quote
However, the program works by downloading the mail locally, saving it in a local folder and reading it from there. When it starts, it will also check if there is some locally saved message that hasn't be processed.

Did you mean that *the same "bad" message* is decrypted correctly if it is read from some other location?
#5070
Posted: 02/19/2008 11:26:47
by Eugene Mayevski (EldoS Corp.)

The easiest you can do is strip down your application to the small test case which creates and processes the mail. Then run it on thousands of random data pieces until you get some data on which it fails. IF it doesn't fail, then the problem is somewhere else, for example in the mail servers that corrupt the message.

As you can remember, we issued the license keys for SecureBlackbox. Initially we encoded them using Base64. But it appeared, that base64-encoded key is damaged by Outlook and the key becomes unusable. There's no indication of the damage (the one that the user could observe) though. I.e. the user just got a broken text. This happened frequently but not always. And it took us about a month to understand what the problem is. It can be that the user experiences the same problem somewhere on the way.


Sincerely yours
Eugene Mayevski
#5091
Posted: 02/20/2008 07:56:42
by Stephane Grobety (Priority Standard support level)
Joined: 04/18/2006
Posts: 170

Quote
Innokentiy Ivanov wrote:

Actually, it would be great to have (a) both unencrypted and encrypted message and (b) the code that is used for message encryption and decryption. Having these information, we can investigate the issue and try to find the reason for it.


I'll see if I can get the cleartext as well. It's a bit hard because I don't have a direct commercial relation with the end user of the message sender so I can't promize anything. However, I'll try.

BTW, should I take that off this group ?

Quote
BTW, would you be so kind to clarify your words:
Quote
However, the program works by downloading the mail locally, saving it in a local folder and reading it from there. When it starts, it will also check if there is some locally saved message that hasn't be processed.

Did you mean that *the same "bad" message* is decrypted correctly if it is read from some other location?


Not quite. I mean that the sending app has an option to resend the same document. When that happens, the same cleartext is re-encrypted (with the same public key) and sent as a new email. When the user does this, it usually works.

When a "bad message" is received, it consistently fails to decrypt with the same error.

Quote
The easiest you can do is strip down your application to the small test case which creates and processes the mail. Then run it on thousands of random data pieces until you get some data on which it fails.


I'm afraid that's not a workable solution given the complexity of the different pieces involved (crypto tokens+S/MIME+SMTP/POP3+crypto token + PDF signing). That would require a significant amount of work.

Quote
IF it doesn't fail, then the problem is somewhere else, for example in the mail servers that corrupt the message.


Wouldn't that produce a different error message ?
#5094
Posted: 02/20/2008 08:17:54
by Eugene Mayevski (EldoS Corp.)

Quote
Stephane Grobety wrote:
I'll see if I can get the cleartext as well. It's a bit hard because I don't have a direct commercial relation with the end user of the message sender so I can't promize anything. However, I'll try.


In fact, the data won't give any hint. We need to reproduce the situation, and the data is only a tiny piece of the picture.

Quote
Stephane Grobety wrote:
Wouldn't that produce a different error message ?


That would produce this particular message.


Sincerely yours
Eugene Mayevski
Also by EldoS: CallbackFilter
A component to monitor and control disk activity, track file and directory operations (create, read, write, rename etc.), alter file data, encrypt files, create virtual files.

Reply

Statistics

Topic viewed 2616 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!