Encryption and character sets

Encryption and character sets

Jussi Hirvi-2
I have a problem with a bank gateway, which is used for online
identification. The bank loads a page on our site (actually my
customer's site) with get params that contain the customer's name,
social security code, other data, and an encrypted message
authentication code (MAC).

We (on the customer's site) are supposed to calculate our own MAC and
then compare it with the MAC provided by the bank.

This works fine, but when the customer's name (and thus the message sent
by the bank) contains ä, ö, å or other non-ASCII characters, the two MACs
do not match anymore.

This MUST be somehow connected with the handling of charsets. But how?

The bank I am working with now says that they use ISO-8859-1, and for
example "Ä" is replaced with "%c4" in the get parameter.

I have trouble testing this - the charset does NOT seem to change my
encryption results, which baffles me.

I tried with this simplified test:

Content_Type: 'text/html; charset=iso-8859-1';
'Content encoding: ' + Content_Encoding + ', '  + Encode_URL('émigré');
'<br>';
var('i') = 'ä';
'ä, encrypted ' + encrypt_md5($i);
'<br>';

I tested with
1) enabling the content_type tag like above
- removing the bom from the file (in vim)
- setting fileencoding of the file to "latin1" (in vim)
- retyping the special characters in the file (in vim)
- when loading the page I could verify that charset is ISO-8859-1 and
the special chars are displayed as one-byte characters

2) commenting out the content_type tag
- setting bom, and setting fileencoding to utf8 (in vim)
- saving, closing, opening the file
- retyping the special characters in the file (in vim)
- when loading the page I could verify that charset is utf-8 and
the special chars are displayed as two-byte characters

However, the encrypted version of 'ä' stays the same in both cases, 1)
and 2). Why? I would have expected that the result would be different.

Regards,
Jussi

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: Encryption and character sets

Brad Lindsay
On January 27, 2015 at 8:02:29 AM, Jussi Hirvi ([hidden email]) wrote:
> However, the encrypted version of 'ä' stays the same in both cases, 1)
> and 2). Why? I would have expected that the result would be different.

To answer the second question, the reason the encrypted value stays the same is that you are encrypting the lasso string. The lasso string’s internal representation has nothing to do with the character set of the web page.

In Lasso 9, you can do something like this to see what I’m talking about:

encrypt_md5(bytes('ä')->exportString('ISO-8859-1'))
// => c98843981d859d8836e90a3191edc1a9

encrypt_md5('ä')
// => 8419b71c87a225a2c70b50486fbee545

You need to specify the encoding type for the string you are passing to encrypt_md5 (which is separate from the encoding type of the final page).


HTH,
Brad


Re: Encryption and character sets

Jolle Carlestam-2
In reply to this post by Jussi Hirvi-2
> On 27 Jan 2015 at 14:02, Jussi Hirvi <[hidden email]> wrote:
>
> I have a problem with a bank gateway

Oh, boy. When I glanced at my inbox email listing the above was all that fit the first row. And I read it as "I have problem with a bank getaway"...

I watch too many Hollywood movies...

HDB
Jolle


Re: Encryption and character sets

Jussi Hirvi-2
On 27.1.2015 17.43, Jolle Carlestam wrote:
> Oh, boy. When I glanced at my inbox email listing the above was all
> that fit the first row. And I read it as "I have problem with a bank
> getaway"...
>
> I watch too many Hollywood movies...

Maybe I will try the getaway if I cannot get this job done. Might be
easier.

- Jussi


Re: Encryption and character sets

Jussi Hirvi-2
In reply to this post by Brad Lindsay
On 27.1.2015 17.30, Brad Lindsay wrote:

> To answer the second question, the reason the encrypted value stays
> the same is that you are encrypting the lasso string. The lasso
> string’s internal representation has nothing to do with the character
> set of the web page.
>
> In Lasso 9, you can do something like this to see what I’m talking
> about:
>
> encrypt_md5(bytes('ä')->exportString('ISO-8859-1'))
> // => c98843981d859d8836e90a3191edc1a9
>
> encrypt_md5('ä') // => 8419b71c87a225a2c70b50486fbee545
>
> You need to specify the encoding type for the string you are passing
> to encrypt_md5 (which is separate from the encoding type of the final
> page).

Ok, I will try that! BTW, I am on Lasso 8, but the same tag exists there
too (bytes -> exportString).

- Jussi


Re: Encryption and character sets

Bil Corry-3
In reply to this post by Jussi Hirvi-2
Which version of Lasso?

- Bil


Re: Encryption and character sets

Jussi Hirvi-2
On 27.1.2015 18.22, Bil Corry wrote:
> Which version of Lasso?

8.6. I am now trying out Brad's idea. Finally I have something more
constructive to try than scratching my head.

- Jussi


Re: Encryption and character sets

Jussi Hirvi-2
No luck yet, though now I can actually change the charset of the string
that is encrypted - thanks, Brad.

Strange. I will keep experimenting.

- Jussi


Re: Encryption and character sets

Alex Betz-2
In reply to this post by Jussi Hirvi-2
Had a similar problem. Try the following (lasso 9):

local(to_be_encrypted = 'string you want to encrypt')

encrypt_MD5(#to_be_encrypted->asBytes('iso-8859-1'))


Good Luck

Alex


Re: Encryption and character sets

Jussi Hirvi-2
Cool. Probably the corresponding Lasso 8 way is
(bytes('string','charset')) - I will give it a try.

- Jussi

On 28.1.2015 13.45, Alex Betz wrote:

> Had a similar problem. Try the following (lasso 9):
>
> local(to_be_encrypted = 'string you want to encrypt')
>
> encrypt_MD5(#to_be_encrypted->asBytes('iso-8859-1'))
>
>
> Good Luck
>
> Alex

Re: Encryption and character sets

Jussi Hirvi-2
In reply to this post by Alex Betz-2
Thanks a million, Alex - the problem is now solved. This is what I use
(on Lasso 8):

     local('i') = bytes(#mac,'ISO-8859-1');
     string_uppercase(encrypt_md5(#i));

I am not sure why I could not get the same result with

     local('i') = bytes(#mac)->exportString('ISO-8859-1');

- Jussi


On 28.1.2015 13.45, Alex Betz wrote:
> Had a similar problem. Try the following (lasso 9):
>
> local(to_be_encrypted = 'string you want to encrypt')
>
> encrypt_MD5(#to_be_encrypted->asBytes('iso-8859-1'))
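
The mismatch discussed in this thread, reproduced outside Lasso as an added example (Python, not code from any poster): the receiver percent-decodes the query string correctly but the MAC only matches when the text is hashed as ISO-8859-1 bytes, and ASCII-only names hide the problem. The field names, their order, the "&" layout of the MAC input, the secret and the sample request are all constructed assumptions; the bank's real format is not given in the thread.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote

SECRET = "constructed-demo-secret"   # hypothetical shared secret
SIGNED_FIELDS = ("name", "id")       # hypothetical field names and order


def mac_input(params):
    """Text the MAC is computed over (this layout is an assumption)."""
    return "&".join([params[f] for f in SIGNED_FIELDS] + [SECRET])


def md5_mac(text, charset):
    """Uppercase hex MD5 of `text` encoded to bytes in `charset`."""
    return hashlib.md5(text.encode(charset)).hexdigest().upper()


def sample_query():
    """Constructed request, built the way the thread says the bank does it:
    ISO-8859-1 bytes, percent-encoded ("Ä" becomes %C4)."""
    params = {"name": "Älli Mäkinen", "id": "constructed-0001"}
    params["mac"] = md5_mac(mac_input(params), "iso-8859-1")
    return "&".join(f"{k}={quote(v, encoding='iso-8859-1')}"
                    for k, v in params.items())


def verify(query, hash_charset="iso-8859-1"):
    """Recompute the MAC over `hash_charset` bytes; constant-time compare."""
    # Percent-decoding must use the sender's charset, or %C4 is not "Ä".
    parsed = parse_qs(query, keep_blank_values=True,
                      encoding="iso-8859-1", errors="strict")
    params = {k: v[0] for k, v in parsed.items()}
    if any(f not in params for f in SIGNED_FIELDS + ("mac",)):
        return False
    expected = md5_mac(mac_input(params), hash_charset)
    # Compare as bytes: compare_digest rejects non-ASCII str arguments.
    return hmac.compare_digest(expected.encode("ascii"),
                               params["mac"].encode("iso-8859-1"))


if __name__ == "__main__":
    q = sample_query()
    print(q)
    print("hash over ISO-8859-1 bytes:", verify(q))
    print("hash over UTF-8 bytes:     ", verify(q, hash_charset="utf-8"))
```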

