Password and crypting

Hello, I will save a password in a table. But how can I mask this password when anybody does a run on this table? What instructions does NAVISION have to do CRYPTING? Sorry for my English. Thank you for your HELP.

Didier

A quick and dirty solution would be to create a small ROT13 routine to scramble the information.


Rot13(String : Text[250]) : Text[250]
exit(CONVERTSTR(
       String,
       'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
       'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM'));

Then use this function in your code to encrypt and decrypt.

Soren Nielsen, moderator Integration/Developer NOLUG

OR you can use NF crypting:


crypt(String : Text[10]) : Text[10]

VAR userRec: Table 2000000002 User

userRec.VALIDATE(Password,String);
EXIT(userRec.password);

Compare only crypted passwords. Soren, you can’t hide your code, so any owner of a developer licence is able to decrypt your password.

Edited by - db on 2001 Jul 26 16:00:09

The issue I see here is that with Soren’s logic I can reverse it and un-encrypt whatever I have encrypted. I don’t think that there is any way to unencrypt the Navision Encryption (Anyone?) This could be useful for some sort of internal mailer routine where you wanted to keep some level of security…

Darren Bezzant Development Specialist dbezzant@csbsystems.com CSB Systems 1560 - 333 11th Avenue SW Calgary, Alberta T2R 1L9 Tel: (403) 233-2955 Fax: (403) 233-2957

Darren, you hit the point. The other we had the tour of Navision’s encrypt function in this forum. Hmm, I don’t know where my enhancement went, but here it is. It allows you to “seed” the encryption with a text string. Here goes:


Variables are:
String1	  Text250
String2	  Text250
SeedValue Integer		
idx	  Integer		

ROT13(String : Text[250];Seed : Code[20]) : Text[250]
String1 := 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
String2 := 'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM';
FOR idx := 1 TO STRLEN(Seed) DO
  SeedValue := SeedValue + Seed[idx];
SeedValue := SeedValue MOD STRLEN(String1);
FOR idx := 1 TO STRLEN(String1) DO BEGIN
  String1[idx] := String1[idx] + SeedValue;
  String2[idx] := String2[idx] + SeedValue;
END;
EXIT(CONVERTSTR(String,String1,String2));

Soren Nielsen, moderator Integration/Developer NOLUG

That’s correct, there’s no way to unencrypt the Navision password, which can only be a good thing from a security point of view. The best you can do is to check that the password entered by the user in the form is the same as the crypted one. My preferred solution to manage password encryption in Navision is as follows: one function crypts the password (EncryptPassword), the other one checks the password (VerifyPassword).

PROCEDURE EncryptPassword@1(UserName : Code[20];PasswordToEncrypt : Text[10]) EncryptedPassword : Text[10];
BEGIN
  User."User ID" := UserName;
  // VALIDATE runs the Password field's own logic, which stores the crypted form
  User.VALIDATE(Password, PasswordToEncrypt);
  EncryptedPassword := User.Password;
  EXIT(EncryptedPassword);
END;

PROCEDURE VerifyPassword@2(UserEnteredPassword : Text[10];UserName : Code[20];EncryptedPassword : Text[10]) PasswordOK : Boolean;
BEGIN
  User."User ID" := UserName;
  // Crypt the entered password the same way, then compare the crypted values
  User.VALIDATE(Password, UserEnteredPassword);
  IF User.Password = EncryptedPassword THEN
    EXIT(TRUE)
  ELSE
    EXIT(FALSE);
END;

quote:


Originally posted by DarrenBezzant: I don’t think that there is any way to unencrypt the Navision Encryption (Anyone?)


tarek_demiati@ureach.com Edited by - Tarek Demiati on 2001 Jul 27 07:35:28
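Added example, not code from any poster in this thread, and in Python rather than C/AL: a port of the seeded ROT13 routine above, showing that running it again with the same seed gives the password back, beside a one-way store-and-verify pair shaped like EncryptPassword/VerifyPassword. PBKDF2, the salt$digest storage format and the iteration count are assumptions standing in for Navision's own password transformation, which the thread does not describe.

```python
import hashlib
import hmac
import os

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTATED = "nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM"
ITERATIONS = 200_000  # assumed work factor for this example


def seeded_rot13(text: str, seed: str) -> str:
    """Port of the seeded ROT13 routine: both alphabets shifted by the seed sum."""
    # Any seed collapses to one of len(ALPHABET) == 52 shifts.
    shift = sum(ord(c) for c in seed) % len(ALPHABET)
    src = "".join(chr(ord(c) + shift) for c in ALPHABET)
    dst = "".join(chr(ord(c) + shift) for c in ROTATED)
    return text.translate(str.maketrans(src, dst))


def _derive(password: str, user_name: str, salt: bytes) -> bytes:
    # The user name is mixed in so a value copied to another user does not verify.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + user_name.encode("utf-8"), ITERATIONS)


def encrypt_password(user_name: str, password: str) -> str:
    """One-way: returns 'salt$digest'; the password cannot be read back from it."""
    salt = os.urandom(16)
    return salt.hex() + "$" + _derive(password, user_name, salt).hex()


def verify_password(entered: str, user_name: str, stored: str) -> bool:
    """Re-derive from the entered password and compare, never decrypt."""
    salt_hex, digest_hex = stored.split("$")
    candidate = _derive(entered, user_name, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    scrambled = seeded_rot13("Secret1", "NAVISION")
    print("scrambled:", repr(scrambled))
    print("same call again:", seeded_rot13(scrambled, "NAVISION"))
    stored = encrypt_password("DIDIER", "Secret1")
    print("stored:", stored)
    print("correct password:", verify_password("Secret1", "DIDIER", stored))
    print("wrong password:", verify_password("secret1", "DIDIER", stored))
```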

Tarek, sorry, but your code looks like rookie work


BEGIN
User.VALIDATE(Password, PasswordToEncrypt);
EXIT(User.Password);
END;

And next proc:


BEGIN
User.VALIDATE(Password, UserEnteredPassword);
EXIT(User.Password = EncryptedPassword);
END;

I don’t think that Navision crypting is insuperable. The question is whether it is worth it or not, and how much it will cost (time). Another security trick is limiting access to tables like this. So, in this way, defence covers crypting and access limitation. To crack such a combination is N times harder.

Well, making sure that my code will be readable by most programmers (my colleagues) is what matters the most for me. So it might be rookie in terms of optimization, certainly, but at least a junior programmer won’t get lost when maintaining the code, so it’s a trade-off … But then I am not in the video game industry trying to push a graphics card to its limits and save 3 CPU cycles here and there in my ASM code because I don’t have much raster time left. Programming tricks work well for video games since once the game is written and on the shop shelf, no one will ever look at your code again, which is not the case in our industry, where changes do occur. So do you want to show off your tricks and confuse non-hard-core programmers, or be disciplined and make it easy for everybody within your programming team? Also, from my experience I have found that big chunks of code which have been heavily optimized are pretty hard to maintain when changes occur. Concerning security I agree with you, anything is crackable, it’s just a question of time …

Cheers, Tarek


tarek_demiati@ureach.com Edited by - Tarek Demiati on 2001 Jul 27 09:01:12

Originally posted by Tarek Demiati: Well, making sure that my code will be readable by most programmers (my colleagues) is what matters the most for me. … bla bla bla …

No, Tarek, Dalius is right. All programmers will say you are wrong. Because it is not the count of code lines that makes code readable for your colleagues, but comments. A lot of comments. Program code must always be optimized (in all applications, not only in 3D games ;)). And sorry for the off-topic.

And thanks for all the input. Feel free to take up a new issue on good programming practice.

Soren Nielsen, moderator Integration/Developer NOLUG