Kbase P130264: ABL Encrypted data can't be decrypted by SSH, and vice versa
Author: Progress Software Corporation - Progress
Access: Public
Published: 4/9/2008
Status: Unverified
FACT(s) (Environment):
All Supported Operating Systems
Progress 9.x
OpenEdge 10.x
SYMPTOM(s):
ABL Encrypted data can't be decrypted by SSH, and vice versa
The ABL ENCRYPT function is used to encrypt data before it is sent to SSH.
The ABL DECRYPT function is used to decrypt data received from SSH.
The AES_CBC_128 encryption algorithm (AES-128 in CBC mode, 16-byte blocks) is being used.
The length of the data being encrypted or decrypted is an exact multiple of the cipher block size.
The ABL DECRYPT function returns the error "DECRYPT Error" when decrypting a message encrypted by SSH.
CAUSE:
The ABL ENCRYPT function always applies PKCS padding (PKCS#5/#7: 1 to 16 bytes are appended so that the plaintext becomes a whole number of blocks). The cipher library that SSH uses has configurable padding, and SSH disables it: the SSH transport specification (RFC 4253) pads each packet itself so that its length is always a multiple of the cipher block size, so the cipher is run with no padding of its own.
Although both ABL and SSH use AES-128 in CBC mode, the padding they apply differs. When the plaintext is an exact multiple of the block size, ABL appends a full extra block of padding that SSH does not expect, and SSH-encrypted data carries no padding for ABL DECRYPT to verify; the padding check on the last decrypted block fails and DECRYPT reports "DECRYPT Error".
FIX:
As of OpenEdge 10.1C (the current release at the time of writing), the ABL ENCRYPT and DECRYPT functions provide no option to change or disable the padding they use.
It is possible to work around this in ABL code by checking the length of the string being encrypted. If the string is an exact multiple of the cipher block size (16 bytes for AES_CBC_128), then:
a) When sending: before passing the ENCRYPT output to SSH, remove the final ciphertext block, which contains only the encrypted padding. Because CBC encryption of each block depends only on the blocks before it, the remaining ciphertext is exactly what an unpadded AES-CBC encryption of the same data would produce.
b) When receiving: before passing the SSH data to DECRYPT, append an encrypted padding block. Appending 16 raw padding bytes is not enough; the block must be the PKCS padding block encrypted in the same CBC chain, that is, with the last received ciphertext block as the initialization vector (IV). Calling ENCRYPT on a single 16-byte padding block with that IV returns two blocks (ENCRYPT pads the padding block as well); keep only the first block and append it to the received ciphertext.
Both manipulations act on ciphertext only and do not require access to the plaintext.
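The following is an added, runnable model of the mismatch and of both halves of the workaround. It is Go code written for this article, not Progress's ABL or any SSH implementation: ablEncrypt/ablDecrypt stand in for ABL ENCRYPT/DECRYPT with AES_CBC_128 (PKCS padding always applied and verified), sshEncrypt/sshDecrypt stand in for the unpadded AES-CBC that SSH drives, and the key, IV and 32-byte message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// AES_CBC_128 works on 16-byte blocks.
const blockSize = aes.BlockSize

// Constructed sample inputs (not from the article). The message is exactly
// two blocks long, which is the case the article describes.
var (
	SampleKey = []byte("0123456789abcdef")                 // 16-byte AES-128 key
	SampleIV  = []byte("fedcba9876543210")                 // 16-byte IV
	SampleMsg = []byte("exactly-32-bytes-of-plaintext!!!") // 32 bytes
)

// pkcs7Pad appends PKCS#5/#7 padding. A block-aligned input gets a whole
// extra block of 0x10 bytes, which is the block SSH does not expect.
func pkcs7Pad(p []byte) []byte {
	n := blockSize - len(p)%blockSize
	out := append([]byte{}, p...)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad verifies and strips the padding; this check is what fails
// with "DECRYPT Error" when the last block was never padded.
func pkcs7Unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%blockSize != 0 {
		return nil, errors.New("DECRYPT Error: length not a block multiple")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("DECRYPT Error: bad padding length")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("DECRYPT Error: bad padding byte")
		}
	}
	return p[:len(p)-n], nil
}

// cbc runs AES-CBC on block-aligned data with no padding at all, which is
// how SSH drives its cipher (the SSH packet format pads the packet itself).
func cbc(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%blockSize != 0 {
		return nil, errors.New("input is not a multiple of the block size")
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

func sshEncrypt(key, iv, p []byte) ([]byte, error) { return cbc(key, iv, p, true) }
func sshDecrypt(key, iv, c []byte) ([]byte, error) { return cbc(key, iv, c, false) }

// ablEncrypt / ablDecrypt model ABL ENCRYPT / DECRYPT with AES_CBC_128:
// PKCS padding is always applied on the way in and verified on the way out.
func ablEncrypt(key, iv, p []byte) ([]byte, error) { return cbc(key, iv, pkcs7Pad(p), true) }
func ablDecrypt(key, iv, c []byte) ([]byte, error) {
	p, err := cbc(key, iv, c, false)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(p)
}

// stripPaddingBlock prepares ABL ciphertext for SSH. For a block-aligned
// plaintext the last ciphertext block is pure padding; CBC encryption of a
// block depends only on earlier blocks, so dropping it leaves exactly the
// unpadded ciphertext SSH would have produced.
func stripPaddingBlock(c []byte) []byte {
	if len(c) < blockSize {
		return nil
	}
	return c[:len(c)-blockSize]
}

// appendPaddingBlock prepares SSH ciphertext for ABL DECRYPT. The extra
// block must be the padding block encrypted under the chain, i.e. with the
// last ciphertext block as IV. ENCRYPT on one padding block returns two
// blocks (it pads the padding); only the first one is wanted.
func appendPaddingBlock(key, iv, c []byte) ([]byte, error) {
	if len(c)%blockSize != 0 {
		return nil, errors.New("SSH ciphertext is not block aligned")
	}
	chainIV := iv
	if len(c) > 0 {
		chainIV = c[len(c)-blockSize:]
	}
	padBlock := bytes.Repeat([]byte{byte(blockSize)}, blockSize)
	enc, err := ablEncrypt(key, chainIV, padBlock)
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, c...), enc[:blockSize]...), nil
}

func main() {
	abl, _ := ablEncrypt(SampleKey, SampleIV, SampleMsg)
	ssh, _ := sshEncrypt(SampleKey, SampleIV, SampleMsg)
	fmt.Printf("ABL ciphertext: %d bytes, SSH ciphertext: %d bytes\n", len(abl), len(ssh))

	// Receiving: raw SSH ciphertext fails the padding check...
	if _, err := ablDecrypt(SampleKey, SampleIV, ssh); err != nil {
		fmt.Println("ABL DECRYPT on SSH data:", err)
	}
	// ...until an encrypted padding block is chained onto it.
	fixed, _ := appendPaddingBlock(SampleKey, SampleIV, ssh)
	p, err := ablDecrypt(SampleKey, SampleIV, fixed)
	fmt.Printf("after appending padding block: %q (err=%v)\n", p, err)

	// Sending: drop the padding block and SSH sees plain CBC output.
	q, err := sshDecrypt(SampleKey, SampleIV, stripPaddingBlock(abl))
	fmt.Printf("SSH side decrypts stripped ABL data: %q (err=%v)\n", q, err)
}
```

Note that the repaired ciphertext produced by appendPaddingBlock is byte-for-byte identical to what ablEncrypt produces for the same message, which is why DECRYPT then accepts it; in real ABL code the same construction means calling ENCRYPT once on a 16-byte block of 0x10 bytes with the last received block as the IV and keeping the first 16 bytes of the result.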
If you would like to see the ABL Encrypt and Decrypt functions enhanced to implement different padding schemes, please log an Enhancement Request using the online Enhancement Request System available on the Progress website.