topic Re: Blue Prism credentials database criptography in Product Forum

Blue Prism credentials database criptography

Vitor_HugoVicen — Mon, 02 May 2022 16:33:49 GMT

Hello everyone,

I was trying to understand how credentials criptography works in blue prism. I saw in BP community that blue prism uses AES 256 to encrypt data. I'm using default encryption scheme, so I though all data that I want to encrypt would be in the following format (just an example):

/2WIRTIxR/JzFhb7K5DXvcRekqbDh6MDnfp+eFExCUE=

But the encrypted password that I see in SQL Server interface is something like this (just an example):

/2WIRTIxR/JzFhb7K5DXvcRekqbDh6MDnfp+eFExCUE=:K5DXvcRekqbDhIxR/JzFhb7MDnfp+e

Notice the data is separated by " : ". And passwords are all in this format.
I made an extended research to find the reason, thought it was a SQL procedure in the background or other kind of encryption, but no answers.
My goal is to create a better method to update our bots credentials.

There's someone who can help me? 🙂

Re: Blue Prism credentials database criptography

TobiasArnold — Tue, 03 May 2022 13:50:03 GMT

Hi Vitor,

Due to the nature of AES256 you need a key and an IV (salt).
If I remember correctly the first part (left side of ':') is the IV and right part is the crypted password.
If you have the key you can decrypt the password with this .NET code (maybe in a VBO) https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=netframework-4.8

static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] Key, byte[] IV)
        {
            // Check arguments.
            if (cipherText == null || cipherText.Length <= 0)
                throw new ArgumentNullException("cipherText");
            if (Key == null || Key.Length <= 0)
                throw new ArgumentNullException("Key");
            if (IV == null || IV.Length <= 0)
                throw new ArgumentNullException("IV");

            // Declare the string used to hold
            // the decrypted text.
            string plaintext = null;

            // Create an Aes object
            // with the specified key and IV.
            using (Aes aesAlg = Aes.Create())
            {
                aesAlg.Key = Key;
                aesAlg.IV = IV;

                // Create a decryptor to perform the stream transform.
                ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

                // Create the streams used for decryption.
                using (MemoryStream msDecrypt = new MemoryStream(cipherText))
                {
                    using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
                    {
                        using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                        {

                            // Read the decrypted bytes from the decrypting stream
                            // and place them in a string.
                            plaintext = srDecrypt.ReadToEnd();
                        }
                    }
                }
            }

            return plaintext;
        }

Re: Blue Prism credentials database criptography

flavio.lara — Tue, 26 Sep 2023 22:22:53 GMT

Hello @Tobias Arnold and @Vitor.

Do you know hot to convert the secret key we have in BP (44 byte string) to a 32 byte string necessary to submit to AES 256 decrypt routine?

We have the encrypted text, the IV, the secret key, but the secret key is not accepted by the routine Tobias sent.

Thank you very much!

Flavio

Re: Blue Prism credentials database criptography

TobiasArnold — Wed, 27 Sep 2023 06:02:13 GMT

Hi Flavio,

I've checked the routine and it is still working. I call the decode method the following way

        {
            var key = Convert.FromBase64String("<Key>");
            var secret = "<IV>:<SecretText>";
            var parts = secret.Split(':');
            var IV = Convert.FromBase64String(parts[0]);
            var text = Convert.FromBase64String(parts[1]);

            var decodedText = DecryptStringFromBytes_Aes(text, key, IV);
        }

Re: Blue Prism credentials database criptography

flavio.lara — Wed, 27 Sep 2023 10:06:56 GMT

Thank you @Tobias Arnold!

It worked!!!!