Archived Forum Post

Question:

Detect invalid bad password CK Encrypt

May 26 '13 at 05:45

How do I check that the user's password or key is correct when decrypting an encrypted file with the Chilkat Encrypt component in vb.net?

Currently, if the user enters the wrong password, it just decrypts the file in a corrupted state, but it does not raise an error, so there is no way to check if they entered the correct password.

Help, needed please?


Answer

it's harder than I thought to find something on this... but I found at least 2 relevant forum questions

this one is kind of like the one I suggested (which seems to me to be the quickest way to get a pass/fail) http://stackoverflow.com/questions/11577341/java-aes-decryption-detect-incorrect-key

and this one looks pretty cool to me- use a hash to validate the decryption. but if you have large files, you have to decrypt the entire file to find out if it failed... http://stackoverflow.com/questions/3999126/net-cryptography-is-there-a-way-to-tell-that-something-has-been-decrypted-wro

but those both assume that your application is doing the encryption and can make such modifications at the time of encryption...


Answer

I believe this is the same as another question already answered on this forum

http://www.chilkatforum.com/questions/652/decrypt-always-returns-success-even-if-the-file-is-not-encrypted

The gist of which (as I understand) is that the component itself is not really capable of, or intended for, doing so. Which if you think about it kinda makes sense, if the component could so easily return a pass/fail for each attempt it would make a brute force attack just a little bit easier... right?

What I did not see in the answer for the above question was a possible solution, but I've thought about it myself and I can think of several ways to work around this. If you are decrypting an unknown file type you can check the beginning of the file against a list of header data from known filetypes. If your application is the one doing the encryption, you can pair each encryption with a small data file whose output is known and run each decryption against that first to verify the password. This gives you your pass/fail and you don't have to bother with the file if the password fails. You could probably do that in several ways, store the data file in a db, or even prepend the encrypted bytes to the encrypted file (if it moves around and a db is not accessible). If all your settings are the same for the CK component and the cleartext of your known data sample is always of the same length, then you would always produce the same number of bytes regardless of password used. So you can just separate that many bytes from the file and decrypt them independently.

That's just what comes to mind, I'm sure people have worked out lots of ways of addressing this, as it is a limitation (byproduct really) of the process and not the CK components. You could probably find all kinds of workarounds with a little googling :)

I hope that helps. Good Luck!
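
One way to get the pass/fail both answers above describe when your own application does the encryption, as an added example (not part of the original posts and not Chilkat's API): a fixed-size password check value and a keyed hash of the ciphertext are stored in front of the file and verified before any decryption runs. The names `seal` and `unseal`, the header layout and the PBKDF2 iteration count are assumptions; the ciphertext is treated as the opaque output of whatever encryption component is in use.

```python
import hashlib
import hmac
import os

SALT_LEN, TAG_LEN = 16, 32
ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

class WrongPassword(Exception):
    """The password does not match the one used when the file was sealed."""

class CorruptData(Exception):
    """The password matches but the ciphertext was changed or truncated."""

def _mac_key(password: str, salt: bytes) -> bytes:
    # Key used only for the two checks below, separate from the encryption key.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def seal(password: str, ciphertext: bytes) -> bytes:
    """Prepend salt, a password check value and a whole-file tag."""
    salt = os.urandom(SALT_LEN)
    key = _mac_key(password, salt)
    check = hmac.new(key, b"password-check", hashlib.sha256).digest()
    tag = hmac.new(key, b"file-tag" + ciphertext, hashlib.sha256).digest()
    return salt + check + tag + ciphertext

def unseal(password: str, blob: bytes) -> bytes:
    """Return the ciphertext for decryption, or raise before decryption runs."""
    if len(blob) < SALT_LEN + 2 * TAG_LEN:
        raise CorruptData("file is shorter than its header")
    salt = blob[:SALT_LEN]
    check = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    tag = blob[SALT_LEN + TAG_LEN:SALT_LEN + 2 * TAG_LEN]
    ciphertext = blob[SALT_LEN + 2 * TAG_LEN:]
    key = _mac_key(password, salt)
    # Fixed-size check: needs only the header, so a bad password fails fast.
    expected = hmac.new(key, b"password-check", hashlib.sha256).digest()
    if not hmac.compare_digest(check, expected):
        raise WrongPassword("password check value does not match")
    # Whole-file tag: detects any change to the ciphertext itself.
    expected = hmac.new(key, b"file-tag" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise CorruptData("ciphertext does not match its tag")
    return ciphertext

# Constructed sample standing in for the encryption component's output.
SAMPLE_CIPHERTEXT = bytes(range(48))
```

Hand the returned bytes to the decryption call only after `unseal` succeeds. Damage to the salt or check value in the header is reported as `WrongPassword`, since the two cases cannot be told apart from the header alone.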


Answer

hmm, sounds interesting. I will give the link a look.

The reason I ask is because I used to use a COM Component in the old days called RSP Encrypt, it could detect a CRC error, this same error would also apply if the user entered the wrong password. So all I did when I got an error of type CRC Error, I would tell the user that it was a CRC error and to check the password. And it did have to decrypt the entire file, before it knew it was a CRC error. That's not a problem.

Thanks for your help.