Triple DES decryption in classic ASP?

Question

How can I decrypt a string in classic-ASP/VBScript? The string comes from a php application that uses 3DES encryption.

Answer 1

I have a Javascript implementation of DES/TripleDES. It does CBC and ECB modes, and for padding supports PKCS7, Spaces, or Zeroes. It's integrated with a RFC2898-compliant PBKDF2, so it can generate encryption keys and IV's from passwords if you like. You can also set the crypto key and IV explicitly.

It is usable when calling directly from Javascript - any browser, or from Rhino, or WScript.exe, or maybe closer to your case, classic ASP using Javascript.

I've also packaged it as a COM component, so it is possible to call it from any COM-compliant environment, like VBScript running in classic ASP, or Perl, or VBA, etc.

It is an independent implementation, and is fully compliant with and interoperable with the .NET DESCryptoServiceProvider and TripleDESCryptoServiceProvider.

Get it here: http://cheeso.members.winisp.net/srcview.aspx?dir=DES

When calling it directly from Javascript, it looks like this:

var pbkdf2 = new PBKDF2(password, salt, iterations);
var key = pbkdf2.deriveBytes(8); // use 24 for 3DES
var iv = pbkdf2.deriveBytes(8);  // always 8 (==blocksize)
var des = new DES(key,iv);
var plaintext = "Hello. This is a test. of the emergency broadcasting system.";
var ciphertext = des.encrypt(plaintext);

When calling the COM component from VBScript, it looks like this:

Dim des
set des = CreateObject("Ionic.Com.DES")
des.Password = "This is my password"
des.Mode = "CBC"
des.TripleDES = True
des.Rfc2898Iterations = 1000
Dim result
result = des.EncryptString(plainText)
Dim decrypted
decrypted = des.DecryptBytes(result)
WScript.echo "decrypted       : " & decrypted

The encryption is pretty fast but the key generation is not.

---

Edit:

you can also use the Javascript DES stuff in a browser.
here's an example: http://jsbin.com/oguye3

Answer 2

There's a TripleDES JavaScript implementation here: http://www.tero.co.uk/des/. It works as JScript (Microsoft's Classic ASP version of JavaScript, basically ECMAScript 3), is checked against PHP, supports EBC and CBC, padding (zeroes, PKCS7(buggy) or spaces) and also does plain DES. You can use it in a Classic ASP VBScript page like this:

<%@ Language=VBScript %>
<script language="JScript" runat="server">
   PASTE DES JAVASCRIPT SOURCE HERE, or include by adding src="..." in previous line 
</script>
<%
key = "this is a 24 byte key !!"
message = "This is a test message."
' Use TripleDES (24-byte key) in ECB mode (0, Null iv) with 0 padding
encrypted = des(key, message, 1, 0, Null, 0)
decrypted = des(key, encrypted, 0, 0, Null, 0)
Response.Write "<PRE>"
Response.Write "Key: " & key & vbCrLf
Response.Write "Message(length=" & Len(message) & "): " & message & vbCrLf
Response.Write "Encrypted 3DES ECB: " & stringToHex(encrypted) & vbCrLf
Response.Write "Decrypted 3DES ECB: " & decrypted
Response.Write "</PRE>"
%>

Resulting in:

Key: this is a 24 byte key !!
Message(length=23): This is a test message.
Encrypted 3DES ECB: 0x83af8c3f5507e100b182f90f5f5d834b085ca8439b35eee4
Decrypted 3DES ECB: This is a test message.

If you use PKCS7 padding, note that there's a bug in the JavaScript: padding code. The initial if (padding == block should be enclosed in an if (encrypt) {...} test, and the last two lines of des() should be replaced with:

  result += tempresult;

  //when decrypting, remove padding for PKCS7 but leave space/zero padding (cannot be distinguished from real trailing spaces/zeroes)
  if (!encrypt) {
    if (padding == 1) {temp = result.charCodeAt(result.length-1); result = result.substring(0,result.length-temp);} //PKCS7 padding
  }

  //return the result as an array
  return result;

Answer 3

I would try using CAPICOM from Microsoft. There are examples included with the SDK that will get you rolling.

Old overview:

http://msdn.microsoft.com/en-us/library/ms995332.aspx

CAPICOM SDK:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=860ee43a-a843-462f-abb5-ff88ea5896f6

The example you'll want to check out is located here on my machine:

C:\Program Files (x86)\Microsoft CAPICOM 2.1.0.2 SDK\Samples\html\EncryptedData.htm