I am able to encrypt a password using AES_ENCRYPT in VB.NET 2010 and MySQL, but when I try to retrieve the encrypted password into a textbox using AES_DECRYPT it shows null.
Can anyone please help me with the missing code?

My code is....

What I have tried:

encryption code:
sql.CommandText = "INSERT INTO users(uid,uname,urole,upwd,mob)VALUES('" & Me.lblUID.Text & "','" & Me.txtUser.Text & "','" & Me.cmbRole.SelectedValue & "', AES_ENCRYPT('" & pwd & "','" & ed & "'),'" & Me.txtPwd.Text & "')"


decryption code which I tried:
comm.CommandText = "SELECT uname,uid,urole FROM users WHERE uid= '" & Trim(Me.txtUID.Text) & "' AND upwd= '" & AES_DECRYPT(Me.txtPwd.Text) & "' "



DECRYPT FUNCTION:

Imports System.IO
Imports System.Security.Cryptography
Imports System.Text

' Decrypts a Base64 string produced by the matching .NET-side Encrypt routine.
' EncryptionKey was an undeclared name in the posted fragment; it is taken as a parameter here.
' Note: this .NET routine (AES-256-CBC, PBKDF2-derived key) is separate from MySQL's
' AES_ENCRYPT/AES_DECRYPT and does not read what AES_ENCRYPT stored in the table.
Public Function Decrypt(cipherText As String, EncryptionKey As String) As String
    Dim cipherBytes As Byte() = Convert.FromBase64String(cipherText)
    Using encryptor As Aes = Aes.Create()
        ' PBKDF2 with a fixed salt (the bytes spell "Ivan Medvedev"); key and IV both derive from EncryptionKey
        Dim pdb As New Rfc2898DeriveBytes(EncryptionKey, New Byte() {&H49, &H76, &H61, &H6E, &H20, &H4D, _
         &H65, &H64, &H76, &H65, &H64, &H65, _
         &H76})
        encryptor.Key = pdb.GetBytes(32)
        encryptor.IV = pdb.GetBytes(16)
        Using ms As New MemoryStream()
            Using cs As New CryptoStream(ms, encryptor.CreateDecryptor(), CryptoStreamMode.Write)
                cs.Write(cipherBytes, 0, cipherBytes.Length)
                cs.Close()
            End Using
            ' Plaintext was UTF-16 encoded before encryption
            cipherText = Encoding.Unicode.GetString(ms.ToArray())
        End Using
    End Using
    Return cipherText
End Function
Posted
Updated 19-Jun-17 8:50am
Comments
Dave Kreskowiak 19-Jun-17 12:09pm    
NEVER store a clear text or encrypted password in the database. Use a cryptographic hash of the salted password instead and store the resulting bytes. The hash cannot be reversed back into the password and is thus more secure.

Also, NEVER use string concatenation to build an SQL query. Always use parameterized queries to mitigate against SQL Injection Attacks. Your code, as it stands, can be easily broken just by putting a ' character in the user ID or password.

F-ES Sitecore 19-Jun-17 12:12pm    
Implementing encryption when your code is open to SQL injection attacks is a bit pointless. That aside, surely you need to search on the encrypted version of the text?

comm.CommandText = "SELECT uname,uid,urole FROM users WHERE uid= '" & Trim(Me.txtUID.Text) & "' AND upwd= '<THIS SHOULD BE THE AES ENCRYPTED PASSWORD>'"

However what you traditionally do is retrieve the password based just on the ID, then encrypt the password supplied and check the encrypted version matches the stored version.
Richard MacCutchan 19-Jun-17 12:44pm    
Actually passwords should never be encrypted.
F-ES Sitecore 20-Jun-17 4:14am    
Not in a real world app, no.
Richard MacCutchan 20-Jun-17 4:18am    
And you think these questions are not connected to real world apps? :)

The comments are all good: don't do SQL concatenation, and change how you do passwords, if possible.

However, to answer the immediate question, you encrypt the string using a key of whatever is in the variable ed but when you decrypt you do not provide the same key.

See MySQL :: MySQL 5.7 Reference Manual :: 12.13 Encryption and Compression Functions
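An added example in VB.NET with MySql.Data (not code from the question or the answers), assuming the `users` table from the question and a hypothetical module name: `FindUserByAesPassword` shows the immediate fix above, passing the same key that AES_ENCRYPT received as a bound parameter, and `HashPassword`/`VerifyPassword`/`VerifyLogin` show the salted-hash design the comments recommend, with an assumed `pwd_hash VARBINARY(48)` column in place of `upwd`.

```vbnet
Imports System.Linq
Imports System.Security.Cryptography
Imports MySql.Data.MySqlClient

Module LoginExample
    ' Immediate fix: AES_DECRYPT must get the SAME key AES_ENCRYPT was given (the
    ' value of `ed` at insert time), and every value is a bound parameter.
    Public Function FindUserByAesPassword(conn As MySqlConnection, uid As String, pwd As String, key As String) As String
        Using cmd As New MySqlCommand(
            "SELECT uname FROM users WHERE uid = @uid AND AES_DECRYPT(upwd, @key) = @pwd", conn)
            cmd.Parameters.AddWithValue("@uid", uid.Trim())
            cmd.Parameters.AddWithValue("@key", key)
            cmd.Parameters.AddWithValue("@pwd", pwd)
            Dim row = cmd.ExecuteScalar()   ' Nothing when key or password does not match
            Return If(row Is Nothing, Nothing, row.ToString())
        End Using
    End Function

    ' Better design, as the comments recommend: store salt + PBKDF2 hash, not the
    ' password. Assumed column: pwd_hash VARBINARY(48) = 16 salt + 32 hash bytes.
    Private Const Iterations As Integer = 100000

    Public Function HashPassword(pwd As String) As Byte()
        Dim salt(15) As Byte                     ' fresh random salt per user
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Using kdf As New Rfc2898DeriveBytes(pwd, salt, Iterations)
            Return salt.Concat(kdf.GetBytes(32)).ToArray()
        End Using
    End Function

    ' Compare in constant time so timing does not reveal how many bytes matched.
    Public Function VerifyPassword(pwd As String, stored As Byte()) As Boolean
        If stored Is Nothing OrElse stored.Length <= 16 Then Return False
        Dim salt = stored.Take(16).ToArray()
        Using kdf As New Rfc2898DeriveBytes(pwd, salt, Iterations)
            Dim actual = kdf.GetBytes(stored.Length - 16)
            Dim diff As Integer = 0
            For i = 0 To actual.Length - 1
                diff = diff Or (actual(i) Xor stored(16 + i))
            Next
            Return diff = 0
        End Using
    End Function

    ' Login: fetch the stored value by uid only, then verify on the client side.
    Public Function VerifyLogin(conn As MySqlConnection, uid As String, pwd As String) As Boolean
        Using cmd As New MySqlCommand("SELECT pwd_hash FROM users WHERE uid = @uid", conn)
            cmd.Parameters.AddWithValue("@uid", uid.Trim())
            Return VerifyPassword(pwd, TryCast(cmd.ExecuteScalar(), Byte()))
        End Using
    End Function
End Module
```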
Not directly a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)