Obfuscation of url LINKS - Pitch in ?

aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Post by aware_support »

An example of using these functions for a URL is shown on pages 83-84 of the Users Guide (just search for "encrypt").

You encrypt the URL using the function as described in the User Guide. (you need to encrypt all your parameters and then assign the result to a special parameter called "e"). When Aware IM handles parameters of the URL encrypted in such a way it will automatically DECRYPT the parameters on the SERVER.
Aware IM Support Team
nlarson
Posts: 597
Joined: Thu Apr 14, 2011 7:56 pm

Post by nlarson »

Does this feature not work with test mode? When I encode a link which includes this '&testingMode=true' I get an invalid credentials error. Same link encoded in normal mode works fine.
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Userinfo not populated?

Post by hpl123 »

Hi support, all.

Trying to use the ENCRYPT function but having some issues with populating userinfo in the ENCRYPT function parameters and need some help.

This is the code I'm currently using in a process and the encryption works and the link is correct etc. when I'm manually typing in userinfo in the process action but not when trying to populate userinfo through the process action.

Here is the working action:
EncryptLink.Link=ENCRYPT_B64('domain=MyDomain&userName=user1&password=password1&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main')

Here is the not working action:
EncryptLink.Link=ENCRYPT_B64('domain=MyDomain&userName=LoggedInSystemUser.LoginName&password=LoggedInSystemUser.Password&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main')

I have also tried:
EncryptLink.Link=ENCRYPT_B64('domain=MyDomain&userName=<<LoggedInSystemUser.LoginName>>&password=<<LoggedInSystemUser.Password>>&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main')

The problem is that the tags aren't converted to the correct info. PS: The process is executed when a user is logged in.

Any tips appreciated, thanks.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

OK

Post by hpl123 »

I managed to figure it out through the other ENCRYPT_B64 posts in the forum. Search for ENCRYPT_B64 if you are facing issues like the ones I did.

The problem with @@BAS_PASSWORD@@ is not ideal though (ClearPassword attribute with the password stored in a non encrypted attribute). Support, having a way to decrypt the password attribute temporarily through rules etc. would be VERY MUCH APPRECIATED especially when working with encrypted links through the ENCRYPT_B64 function. Really hope this can be added, security is paramount and having this option is a must I think.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Base64?

Post by hpl123 »

ACDC wrote: Thanks for the clarification, I have tried to decrypt your encrypted url on a number of online Base64 decrypt sites and still don't have any success.

So this seems to confirm that there is additional encryption taking place on the server which therefore makes it more secure than plain base64 encrypt

Support, I have also tried decrypting a string on various decode sites but the "right" string is not displayed. Can you comment on if there is additional encryption used (not necessary to know the details, just if) so we can rest assured the encryption is more secure than standard base64?
Thanks
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Re: OK

Post by aware_support »

hpl123 wrote: I managed to figure it out through the other ENCRYPT_B64 posts in the forum. Search for ENCRYPT_B64 if you are facing issues like the ones I did.

The problem with @@BAS_PASSWORD@@ is not ideal though (ClearPassword attribute with the password stored in a non encrypted attribute). Support, having a way to decrypt the password attribute temporarily through rules etc. would be VERY MUCH APPRECIATED especially when working with encrypted links through the ENCRYPT_B64 function. Really hope this can be added, security is paramount and having this option is a must I think.
What was your solution and what does @@BAS_PASSWORD@@ have to do with it?
Aware IM Support Team
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Clarification

Post by hpl123 »

The problem was that tags weren't populated correctly with user information when tags were placed directly in the ENCRYPT_B64 parameter, i.e. this didn't work:
EncryptLink.Link=ENCRYPT_B64('domain=MyDomain&userName=<<LoggedInSystemUser.LoginName>>&password=<<LoggedInSystemUser.Password>>&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main')

The solution was to add another attribute which populated the parameter string tags through rules:
domain=MyDomain&userName=<<LoggedInSystemUser.LoginName>>&password=<<LoggedInSystemUser.Password>>&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main

The NewAttribute with the correct userinfo would then be used with the ENCRYPT_B64 function i.e.:
EncryptLink.Link=ENCRYPT_B64(NewAttribute)

The next problem is/was that AwareIM did not decrypt the password attribute, so when the password tag was populated "@@BAS_PASSWORD@@" was the result ('domain=MyDomain&userName=user1&password=@@BAS_PASSWORD@@&testingMode=true&firstCommand=startProcess,OpenSupportcenter,main'). The solution for the @@BAS_PASSWORD@@ problem was to work around this limitation with a plain text attribute "ClearPassword" which would hold the unencrypted password (the recommended solution was to use the "ClearPassword" attribute as the password attribute, i.e. the users type in their password in the "ClearPassword" attribute and then rules would populate the real "Password" attribute), and then the "ClearPassword" attribute would be used in the ENCRYPT_B64 string above. This is the not ideal solution I mentioned in my previous post, i.e. you have to have the password unencrypted to use a user's password in, for example, an ENCRYPT_B64 string, and this is where I suggested a way to decrypt the real password attribute temporarily through rules when needed for, for example, a function.

Thanks
Henrik (V8 Developer Ed. - Windows)
aware_support
Posts: 7523
Joined: Sun Apr 24, 2005 12:36 am

Post by aware_support »

You have to use your solutions for now...
Aware IM Support Team
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Password

Post by hpl123 »

Ok, thanks. Hope this can be prioritized/realized (@@BAS_PASSWORD@@ problem) in the future.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2579
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Password

Post by hpl123 »

hpl123 wrote: Ok, thanks. Hope this can be prioritized/realized (@@BAS_PASSWORD@@ problem) in the future.

I have read up on the base64 / XOR encryption used (see previous questions about which additional encryption was used) and this encryption is not very secure, and another solution for the @@BAS_PASSWORD@@ problem would be to further develop the encryption functions so they use a more secure encryption. This would mean we could use the ClearPassword solution described above but encrypt this attribute when not used, i.e. decrypt the ClearPassword when needed. This would of course be the better solution of the 2 suggestions I have posted in these latest posts.

Thanks
Henrik (V8 Developer Ed. - Windows)
yuri.rj
Posts: 223
Joined: Tue Jan 11, 2011 8:05 pm

Re: Obfuscation of url LINKS - Pitch in ?

Post by yuri.rj »

Dear Friends,

I don't know what your solution to this was, but I'll explain mine to help someone who needs it:
1) Add another attribute called B64_PassWord
2) Add attribute HasEncryptedB64Password
Using these flags and another form showing only the attribute B64_Password, I made every user UPDATE their password on next login.
Then, once they update this attribute, I ENCRYPT_B64 it (now I can DECRYPT_B64 it too) and set the same value to the Password attribute (the system does its own encryption here).
Now, the Password attribute is used to log in and B64_Password is used to obfuscate links.

Code below:


Process:  P_UPDATE_PASSWORD

If LoggedInRegularUser.HasEncryptedLogin<>'Yes' Then 
LoggedInRegularUser.B64_Password='' 
EDIT LoggedInRegularUser USING B64PasswordForm 

If LoggedInRegularUser.B64_Password IS DEFINED AND LoggedInRegularUser.HasEncryptedLogin<>'Yes' Then 
LoggedInRegularUser.Password=LoggedInRegularUser.B64_Password 
LoggedInRegularUser.B64_Password=ENCRYPT_B64(LoggedInRegularUser.B64_Password) 
LoggedInRegularUser.HasEncryptedLogin='Yes' 

If LoggedInRegularUser.B64_Password IS UNDEFINED Then 
REPORT ERROR 'You need to update your password' 
P_UPDATE_PASSWORD 
swiftinitpvtltd
Posts: 370
Joined: Sat Apr 28, 2018 3:33 am
Location: India

Re: Obfuscation of url LINKS - Pitch in ?

Post by swiftinitpvtltd »

This seems to be an issue from when I was 17 years old... :D but is there any solution now with new releases?

@@BAS_PASSWORD@@ I am getting this when I access password via API when I access systemsetting password.
tford
Posts: 4238
Joined: Sat Mar 10, 2007 6:44 pm

Re: Obfuscation of url LINKS - Pitch in ?

Post by tford »

Njal,

This won't work for every scenario, but I use this for emailing a link to parents to set up conferences. They click a link to log into a screen to choose conference times. High security not needed in this case for a variety of reasons. Here is the rule:

Parent.Login_link='http://awareim.domain.com:8080/AwareIM/ ... de=false')

With this BSV, the Password_Text attribute is actually a randomly generated attribute because the parent has not set up their own account. We set it up for them & they never see a login page or have to know their password.

Not foolproof of course, but works well for this scenario.
Tom - V8.8 build 3137 - MySql / PostGres
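
Added example, not from any poster and not Aware IM code: the workarounds in this thread keep a recoverable copy of the password so that it can be placed in the link. The sketch below shows an alternative design, a signed and expiring link token that names the user and carries no password; the token format, function names and key are assumptions for illustration and not an Aware IM feature.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. A real deployment uses a random server-side secret
# that is never sent to clients or stored in a user attribute.
SERVER_KEY = b"constructed-demo-key-not-for-production"

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_login_token(user, first_command, ttl_s, now=None):
    """Return 'payload.signature'. The payload holds no password."""
    now = time.time() if now is None else now
    claims = {"u": user, "cmd": first_command, "exp": int(now + ttl_s)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(sig)

def verify_login_token(token, now=None):
    """Return the claims if the signature is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison: any edit to the payload invalidates the token.
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:  # an old e-mailed link stops working
        return None
    return claims

if __name__ == "__main__":
    token = make_login_token("user1", "startProcess,OpenSupportcenter,main", 600)
    print(token)
    print(verify_login_token(token))
```

The payload is readable by anyone holding the link, which is acceptable here because it contains nothing secret; the server trusts it only because of the signature and the expiry.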