From: Steve on
I have been tasked with creating a feature in an existing VB6 app that
will interact with a client's web portal. The problem I am having is
that the web interface requires I send the data (this is simply
context info...no passwords) packed in a SHA1 hash. My hashing
function(s) must create the exact same value as theirs does so that
they can read the data. I have found several examples online for
using the CryptoAPI to do SHA1 hashing but I can not figure out how to
specify the "secret key".

Here is the C# code the client uses to create the hash:

byte[] sharedSecretBytes;
string stringToHash;

ASCIIEncoding encoding = new ASCIIEncoding();

this.Token = "56FCEFC9-579C-445E-9FD3-AFFD76C8619E";
sharedSecretBytes = encoding.GetBytes("SomeSecretKey");
stringToHash = this.Plan + this.Claim + this.Csr + this.Token +
this.Date;


HMACSHA1 hasher = new HMACSHA1(sharedSecretBytes);
byte[] bytesToHash = encoding.GetBytes(stringToHash);
hasher.ComputeHash(bytesToHash);
string computedHash = Convert.ToBase64String(hasher.Hash);
hasher.Clear();

if (computedHash != this.Hash.Replace(" ","+"))
{
    exceptions.Exceptions.Add(new InvalidFieldException("Invalid hash.", "Hash"));
}

Can anyone help me to create a VB6 version of this same thing?


Thanks,
Steve
From: Steve on
On May 10, 11:54 am, Steve <sredm...(a)rfcorp.com> wrote:
> I have been tasked with creating a feature in an existing VB6 app that
> will interact with a client's web portal.  The problem I am having is
> that the web interface requires I send the data (this is simply
> context info...no passwords) packed in a SHA1 hash.  My hashing
> function(s) must create the exact same value as theirs does so that
> they can read the data.  I have found several examples online for
> using the CryptoAPI to do SHA1 hashing but I can not figure out how to
> specify the "secret key"
>
> Here is the C# code the client uses to create the hash:
>
> byte[] sharedSecretBytes;
> string stringToHash;
>
> ASCIIEncoding encoding = new ASCIIEncoding();
>
> this.Token = "56FCEFC9-579C-445E-9FD3-AFFD76C8619E";
> sharedSecretBytes = encoding.GetBytes("SomeSecretKey");
> stringToHash = this.Plan + this.Claim + this.Csr + this.Token +
> this.Date;
>
> HMACSHA1 hasher = new HMACSHA1(sharedSecretBytes);
> byte[] bytesToHash = encoding.GetBytes(stringToHash);
> hasher.ComputeHash(bytesToHash);
> string computedHash = Convert.ToBase64String(hasher.Hash);
> hasher.Clear();
>
> if (computedHash != this.Hash.Replace(" ","+"))
> {
>     exceptions.Exceptions.Add(new InvalidFieldException("Invalid
> hash.", "Hash"));
>
> }
>
> Can anyone help me to create a VB6 version of this same thing.
>
> Thanks,
> Steve
Thought I might provide a bit more information on what I have actually
tried.

I have tried using the SHA1.bas file (found here http://vb.wikia.com/wiki/SHA-1.bas)
but as stated in the previous message, I can not figure out how to use
the "secret key". When reading the documentation on the website for
the module mentioned, it looks like I could call the SHA1 function.
Further it looks like the key would be passed in the args Key1 through
Key4 and the resulting hash would be returned in H1 through H4. If
these assumptions are true, how do I get the secret key (which is a
single string value) into the Key1 through Key4 longs? Then how do I
get the result (from H1 through H4) into a single string?

Thanks,
Steve
From: GS on
Steve laid this down on his screen :
> On May 10, 11:54 am, Steve <sredm...(a)rfcorp.com> wrote:
>> I have been tasked with creating a feature in an existing VB6 app that
>> will interact with a client's web portal.  The problem I am having is
>> that the web interface requires I send the data (this is simply
>> context info...no passwords) packed in a SHA1 hash.  My hashing
>> function(s) must create the exact same value as theirs does so that
>> they can read the data.  I have found several examples online for
>> using the CryptoAPI to do SHA1 hashing but I can not figure out how to
>> specify the "secret key"
>>
>> Here is the C# code the client uses to create the hash:
>>
>> byte[] sharedSecretBytes;
>> string stringToHash;
>>
>> ASCIIEncoding encoding = new ASCIIEncoding();
>>
>> this.Token = "56FCEFC9-579C-445E-9FD3-AFFD76C8619E";
>> sharedSecretBytes = encoding.GetBytes("SomeSecretKey");
>> stringToHash = this.Plan + this.Claim + this.Csr + this.Token +
>> this.Date;
>>
>> HMACSHA1 hasher = new HMACSHA1(sharedSecretBytes);
>> byte[] bytesToHash = encoding.GetBytes(stringToHash);
>> hasher.ComputeHash(bytesToHash);
>> string computedHash = Convert.ToBase64String(hasher.Hash);
>> hasher.Clear();
>>
>> if (computedHash != this.Hash.Replace(" ","+"))
>> {
>>     exceptions.Exceptions.Add(new InvalidFieldException("Invalid
>> hash.", "Hash"));
>>
>> }
>>
>> Can anyone help me to create a VB6 version of this same thing.
>>
>> Thanks,
>> Steve
> Thought I might provide a bit more information on what I have actually
> tried.
>
> I have tried using the SHA1.bas file (found here
> http://vb.wikia.com/wiki/SHA-1.bas) but as stated in the previous message, I
> can not figure out how to use the "secret key". When reading the
> documentation on the website for the module mentioned, it looks like I could
> call the SHA1 function. Further it looks like the key would be passed in the
> args Key1 through Key4 and the resulting hash would be returned in H1 through
> H4. If these assumptions are true, how do I get the secret key (which is a
> single string value) into the Key1 through Key4 longs? Then how do I
> get the result (from H1 through H4) into a single string.
>
> Thanks,
> Steve

Typically, a hash is a one-way deal. You also need a corresponding
algorithm designed to unhash, which isn't how hashes work<IMO>. The
article you refer to creates a hash based on the values you specify for
H1 to H5 and Key1 to Key4. These are just placeholders for values, and
can be whatever you want them to be. This is typically how passwords
are used, where a user types in their username and password and these
are used to create the hash. The hash is then compared to the stored
hash for that user. If they match, they're in!

The actual code returns a 5 part serial key containing 40 characters.
To validate this serial it must be rehashed at the other end using the
same input data, meaning both parties have to use the same hash
algorithm AND have exactly the same data so that a comparison can be
made. -OR- the receiving party must have an exact copy of the
"expected" hash stored somewhere in order to do the comparison without
having the original data.

If you're looking for a way to share (encrypt/decrypt) data using a
private key or private/public key pair then you want to use a different
function set in the CryptoAPI.dll. The DLL can generate key pairs for
you if going that route. In this case, the other people you pass files
to/from need your public key, or you need theirs. In this case, if
you are required to use their key then you're going to have to ask them
for it.

Try googling "CryptoAPI VB6" to get info on how to use it. Frankly, I
don't think you'll get much useful info from MSDN or any MSFT sites,
but there's other sources out there that will show up in the search.
Another keyword to try is "Cryptography Algorithms".

Garry


From: Steve on
On May 10, 1:29 pm, GS <G...(a)discussions.microsoft.com> wrote:
> Steve laid this down on his screen :
>
>
>
>
>
> > On May 10, 11:54 am, Steve <sredm...(a)rfcorp.com> wrote:
> >> I have been tasked with creating a feature in an existing VB6 app that
> >> will interact with a client's web portal.  The problem I am having is
> >> that the web interface requires I send the data (this is simply
> >> context info...no passwords) packed in a SHA1 hash.  My hashing
> >> function(s) must create the exact same value as theirs does so that
> >> they can read the data.  I have found several examples online for
> >> using the CryptoAPI to do SHA1 hashing but I can not figure out how to
> >> specify the "secret key"
>
> >> Here is the C# code the client uses to create the hash:
>
> >> byte[] sharedSecretBytes;
> >> string stringToHash;
>
> >> ASCIIEncoding encoding = new ASCIIEncoding();
>
> >> this.Token = "56FCEFC9-579C-445E-9FD3-AFFD76C8619E";
> >> sharedSecretBytes = encoding.GetBytes("SomeSecretKey");
> >> stringToHash = this.Plan + this.Claim + this.Csr + this.Token +
> >> this.Date;
>
> >> HMACSHA1 hasher = new HMACSHA1(sharedSecretBytes);
> >> byte[] bytesToHash = encoding.GetBytes(stringToHash);
> >> hasher.ComputeHash(bytesToHash);
> >> string computedHash = Convert.ToBase64String(hasher.Hash);
> >> hasher.Clear();
>
> >> if (computedHash != this.Hash.Replace(" ","+"))
> >> {
> >>     exceptions.Exceptions.Add(new InvalidFieldException("Invalid
> >> hash.", "Hash"));
>
> >> }
>
> >> Can anyone help me to create a VB6 version of this same thing.
>
> >> Thanks,
> >> Steve
> > Thought I might provide a bit more information on what I have actually
> > tried.
>
> > I have tried using the SHA1.bas file (found here
> > > http://vb.wikia.com/wiki/SHA-1.bas) but as stated in the previous message, I
> > > can not figure out how to use the "secret key".  When reading the
> > > documentation on the website for the module mentioned, it looks like I could
> > > call the SHA1 function. Further it looks like the key would be passed in the
> > > args Key1 through Key4 and the resulting hash would be returned in H1 through
> > > H4.  If these assumptions are true, how do I get the secret key (which is a
> > single string value) into the Key1 through Key4 longs?  Then how do I
> > get the result (from H1 through H4) into a single string.
>
> > Thanks,
> > Steve
>
> Typically, a hash is a one-way deal. You also need a corresponding
> algorithm designed to unhash, which isn't how hashes work<IMO>. The
> article you refer to creates a hash based on the values you specify for
> H1 to H5 and Key1 to Key4. These are just placeholders for values, and
> can be whatever you want them to be. This is typically how passwords
> are used, where a user types in their username and password and these
> are used to create the hash. The hash is then compared to the stored
> hash for that user. If they match, they're in!
>
> The actual code returns a 5 part serial key containing 40 characters.
> To validate this serial it must be rehashed at the other end using the
> same input data, meaning both parties have to use the same hash
> algorithm AND have exactly the same data so that a comparison can be
> made. -OR- the receiving party must have an exact copy of the
> "expected" hash stored somewhere in order to do the comparison without
> having the original data.
>
> If you're looking for a way to share (encrypt/decrypt) data using a
> private key or private/public key pair then you want to use a different
> function set in the CryptoAPI.dll. The DLL can generate key pairs for
> you if going that route. In this case, the other people you pass files
> to/from need your public key, or you need theirs. In this case, if
> you are required to use their key then you're going to have to ask them
> for it.
>
> Try googling "CryptoAPI VB6" to get info on how to use it. Frankly, I
> don't think you'll get much useful info from MSDN or any MSFT sites,
> but there's other sources out there that will show up in the search.
> Another keyword to try is "Cryptography Algorithms".
>
> Garry

I guess I am not making myself clear...let me try again.

I am not trying to encrypt anything; I am trying to hash some data
using the same algorithms as will be used on the other side. The data
and the hash are passed as plain text to the website. The site then
runs its hash calculation on the provided data and if the hash value
it comes up with matches the one I passed then it assumes the request
is from a valid user.

The problem I am having is with adding the "secret key" portion. In
the C# code (used by the website) the "secret key" is integrated into
the hash by the line:
HMACSHA1 hasher = new HMACSHA1(sharedSecretBytes);
Where "sharedSecretBytes" is a string variable defined earlier.

In order for my hash calculation to produce the same results I need to
include that same key in the same way that C# class initializer
does.

So again my question is, how do I represent the "secret key" + the
data elements into the K1 - K4 parameters...then how do I get a string
representation (which is what the website is looking for) of the
resulting hash (H1 - H5)?

Thanks,
Steve
From: Larry Serflaten on

"Steve" <sredmyer(a)rfcorp.com> wrote

So again my question is, how do I represent the "secret key" + the
data elements into the K1 - K4 parameters...then how do I get a string
representation (which is what the website is looking for) of the
resulting hash (H1 - H5)?
---

At first glance you seem to need to change some string into longs,
and some longs into a string.

Take a look at LSet. It's used in the SHA1 routine to change four
bytes into one long. Some might prefer CopyMemory, but as you
can see, LSet does the job. Instead of FourBytes and OneLong,
you'd need types like FourLongs and OneString (although Byte Array
would probably be a better option).

For example:

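Option Explicit

' Two user-defined types of identical size (16 bytes), so LSet can copy one onto the other
Private Type FourLongs
    L1 As Long
    L2 As Long
    L3 As Long
    L4 As Long
End Type

Private Type OneString
    S(0 To 15) As Byte
End Type

Private Sub Form_Load()
    Dim msg As String, tmp() As Byte
    Dim i&, OS As OneString, FL As FourLongs

    msg = "Is 16 correct???"
    tmp = StrConv(msg, vbFromUnicode)   ' Unicode string -> ANSI bytes, one per character
    For i = 0 To 15
        OS.S(i) = tmp(i)
    Next
    LSet FL = OS                        ' reinterpret the 16 bytes as four Longs
    With FL
        Debug.Print Hex(.L1), Hex(.L2), Hex(.L3), Hex(.L4)
        ' Longs are stored little-endian, so each group of four characters reads reversed
        Debug.Print "1 sI", "oc 6", "cerr", "???t"
    End With
End Sub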
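
Added reference example, not part of any post in this thread: the C# `HMACSHA1` call quoted above follows RFC 2104, where the secret key is XOR-mixed into two SHA-1 passes rather than passed as SHA-1 state words. It is written in Python (not VB6) so it can produce known-good values to compare a VB6 port against; the Plan, Claim, Csr and Date values are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac

BLOCK = 64  # SHA-1 input block size in bytes


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC built from plain SHA-1 calls, as a port would have to do it."""
    if len(key) > BLOCK:                 # over-long keys are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then zero-padded to one full block
    ipad = bytes(b ^ 0x36 for b in key)  # inner pad
    opad = bytes(b ^ 0x5C for b in key)  # outer pad
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def portal_hash(secret, plan, claim, csr, token, date) -> str:
    # Same steps as the C#: ASCII bytes of the key and of the concatenated
    # fields, HMAC-SHA1 over them, Base64 of the 20-byte result.
    key = secret.encode("ascii", errors="replace")
    data = (plan + claim + csr + token + date).encode("ascii", errors="replace")
    return base64.b64encode(hmac_sha1(key, data)).decode("ascii")


def verify(received, secret, plan, claim, csr, token, date) -> bool:
    # A '+' in Base64 turns into a space when the value travels in a URL
    # unescaped, which is why the C# does Replace(" ", "+") before comparing.
    expected = portal_hash(secret, plan, claim, csr, token, date)
    candidate = received.replace(" ", "+")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), candidate.encode("utf-8"))


# Key and token are the ones shown in the thread; the other fields are constructed.
SAMPLE = dict(
    secret="SomeSecretKey",
    plan="PLAN01",
    claim="CLM0001",
    csr="jdoe",
    token="56FCEFC9-579C-445E-9FD3-AFFD76C8619E",
    date="2010-05-10",
)

if __name__ == "__main__":
    h = portal_hash(**SAMPLE)
    print(h, verify(h, **SAMPLE))
```

A port can be checked first against the RFC 2202 test vector (key `Jefe`, data `what do ya want for nothing?`) before being pointed at the portal.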