Decrypt error

Hi,

To store (and use) our users' passwords in the database, we use the pair of functions ENCRYPT and DECRYPT.

To encrypt the password we use the following instruction:

UPDATE USR SET UsrPass = ENCRYPT('toto', 'TheVeryLongKey', 'AES256') WHERE ...

Lately we decided to change the encryption key, so to get all the user passwords of a database we execute the following select:

SELECT UsrID, CAST(DECRYPT(UsrPass, 'TheVeryLongKey', 'AES256') AS LONG NVARCHAR) AS UsrPass FROM USR ORDER BY UsrID

For most of our client databases we didn't have problems, but on two databases we have this error: ERROR : -851 08W63 Decryption error: Input must be a multiple of 16 bytes in length for AES

I don't understand why we have this error and how to "fix" it.

VolkerBarth
Contributor
0 Kudos

Aside: Do you need to store actual (albeit encrypted) passwords? Often it is more secure to never store them but only their (probably salted) hash. That's what SQL Anywhere does itself, too.

VolkerBarth
Contributor

FWIW: Is the according column a (LONG) BINARY? AFAIK, otherwise character set conversion could lead to issues.

0 Kudos

Yes the column is a long binary.

0 Kudos

It is the fastest way for us to secure this part, but I know it is not the optimal way to do it.

chinmaydixit
Explorer
0 Kudos

We had a similar situation where we had to change the encryption key. After much QA and discussions we decided to prompt the users with new passwords. We also lost the password history for each user but it was deemed that it is a one time effort for the users. There may be bad data in the databases due to whatever reasons.

VolkerBarth
Contributor
0 Kudos

There may be bad data in the databases due to whatever reasons.

Oops. That's undesirable.

I finally found the solution: the "usrpass" was not encrypted for only one user in those two databases!

Thank you all for your responses. I will have a little chit chat with some people on Monday :).

Fun fact: when I execute "SELECT UsrID, CAST(DECRYPT(UsrPass, 'TheVeryLongKey', 'AES256') AS LONG NVARCHAR) AS UsrPass FROM USR ORDER BY UsrID" in Interactive SQL I don't have the error message; it manages to give me a readable string.
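
The root cause found above (a row holding a value that was never encrypted) can be located before a key change by checking stored lengths. The following is an added example, not code from the thread's participants: it reuses the thread's table, column and old key, and 'TheNewLongKey' is a constructed placeholder.

```sql
-- Added example. USR, UsrID, UsrPass and 'TheVeryLongKey' come from the
-- thread; 'TheNewLongKey' is a constructed placeholder for the new key.

-- 1. Triage: the error text says DECRYPT input must be a multiple of
--    16 bytes for AES, so list every row whose stored length is not.
--    These rows were never encrypted (or were truncated or converted).
SELECT UsrID, BYTE_LENGTH(UsrPass) AS StoredBytes
FROM USR
WHERE UsrPass IS NOT NULL
  AND MOD(BYTE_LENGTH(UsrPass), 16) <> 0
ORDER BY UsrID;

-- 2. Rotate the key only on rows that pass the length check, so one bad
--    row cannot abort the statement with error -851. DECRYPT output is
--    passed straight to ENCRYPT; no character conversion takes place.
UPDATE USR
SET UsrPass = ENCRYPT(DECRYPT(UsrPass, 'TheVeryLongKey', 'AES256'),
                      'TheNewLongKey', 'AES256')
WHERE UsrPass IS NOT NULL
  AND MOD(BYTE_LENGTH(UsrPass), 16) = 0;

-- 3. Verify before committing: every rotated row must decrypt with the
--    new key, and the rows from step 1 must still be listed for repair.
SELECT COUNT(*) AS RotatedRows
FROM USR
WHERE UsrPass IS NOT NULL
  AND MOD(BYTE_LENGTH(UsrPass), 16) = 0
  AND DECRYPT(UsrPass, 'TheNewLongKey', 'AES256') IS NOT NULL;

-- COMMIT only after step 3 matches the expected row count;
-- otherwise ROLLBACK and investigate.
```

The length check is necessary but not sufficient: an unencrypted value that happens to be exactly 16, 32, ... bytes long passes the filter, so step 2 can still fail on it and should be run inside a transaction that can be rolled back.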