Encrypted/Decrypted Password in Navision tables

ckndr47

Hello Everybody,

Just wanted to know somethin; can we use store enrcypted passwords in Navision table. Like i have a Employee form, now i want to store Employee password as encrypted. Is it possible? If yes then please guide me. Thanks in advance.

Regards,

kine

If you want to encrypt the password, you need to do that through C/AL code. How will you encrypt the password, it is on you... but you must be able to "compare" the password entered by the user with this encrypted password in the table. But there is no build-in functionality for that...

ckndr47

is thr any ocx or dll, that i can use in my codeunit.. if yes then please provide any reference...

Thanks and regards

ara3n

Here is an example of how to encrypt password.

You can use USER TABLE TO ENCRYPT

ScramblePassWord(NewPWD : Text[10]) ResPWD : Text[20]
UserRec."User ID" := ID;
UserRec.VALIDATE(Password,NewPWD);
ResPWd :=  UserRec.Password

In order to validate that the user has given you the right password during login you will do the same function and what ever it returns compare it to the field where the password is. BTW this way you cannot find decrypt the password. It's one way only.

Phenno

ara3n wrote:

In order to validate that the user has given you the right password during login you will do the same function and what ever it returns compare it to the field where the password is. BTW this way you cannot find decrypt the password. It's one way only.

Does anybody knows what standard is used for encrypting? md5? (haven't looked at raw data on table...)

ckndr47

I am still not clear
can you please tell me in a bit more detail?

Thanks and Regards,

kine

1 - ScramblePassWord(ID:Text[20];NewPWD : Text[10]) ResPWD : Text[20] 
2 - UserRec."User ID" := ID;
3 - UserRec.VALIDATE(Password,NewPWD);
4 - Exit(UserRec.Password);

1) It is new function with name ScamblePassword with two text parameters (user ID and the password) and return type text (is returning the encrypted password)
2) UserRec is Record of type User (Table 2000000002), the code is "inserting" the user ID and the password into this table (but the record is not inserted into the table...)
3) inserting the password into the field with validation will encrypt the password... (this process is done in Client logic, there is no C/AL code for that, but after the validate process, in the field Password is the value encrypted)
4) The encrypted password is returned as result of the function...

What else is not clear?

ajhvdb

This should be in the Tips forum. Very good. =D>

ckndr47

Thanks Rashed and Kamil,

Its working, so nice of you. I am 100% clear now.

Regards,

SteveO

I know this thread is quite old but in case someone reads it...

There is a security concern with this solution in that the user could enter an already encypted password and then gain access to your "secure" functionality (without knowing the actual password).

eg.
User ID = 'user123';
Password = test (encrpyted this would be ~ö3W²Ù)!b[);

on the form where you prompt the user for the password they could just enter ~ö3W²Ù)!b[ and Navision will say that the input password = password already stored in the database.

When you call validate on the Password field Navision will not encrypt anything that starts with a ~.

Try it out and see... and remember all users have inherent access to read the User table (so if a user can create a Report/Dataport/Form then they can access the encrypted version of the password, copy + paste)

This is why I would not recommend this approach. Instead would be to use a recognised hash algorithm such as SHA1 etc.

edit-- I suppose you could also just error if the user enters anything that starts with ~ as you could probably assume that they are trying this "attack".

kine

Thanks Steve for this remark. It is good to know that. Yes, testing the password for ~°is good solution for that.