Blue Prism credentials database cryptography

Vitor_HugoVicen
Level 3
Hello everyone,

I was trying to understand how credential cryptography works in Blue Prism. I saw in the BP community that Blue Prism uses AES 256 to encrypt data. I'm using the default encryption scheme, so I thought all data that I want to encrypt would be in the following format (just an example):

/2WIRTIxR/JzFhb7K5DXvcRekqbDh6MDnfp+eFExCUE=

But the encrypted password that I see in the SQL Server interface is something like this (just an example):

/2WIRTIxR/JzFhb7K5DXvcRekqbDh6MDnfp+eFExCUE=:K5DXvcRekqbDhIxR/JzFhb7MDnfp+e

Notice the data is separated by " : ", and all passwords are in this format.
I did extensive research to find the reason, thinking it was a SQL procedure in the background or another kind of encryption, but found no answers.
My goal is to create a better method to update our bots' credentials.

Is there someone who can help me? 🙂

Best Answer

TobiasArnold
Level 6
Hi Vitor,

Due to the nature of AES256 you need a key and an IV (salt).
If I remember correctly, the first part (left side of ':') is the IV and the right part is the encrypted password.
If you have the key, you can decrypt the password with this .NET code (maybe in a VBO): https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=netframework-4.8

using System;
using System.IO;
using System.Security.Cryptography;

static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] Key, byte[] IV)
{
    // Check arguments.
    if (cipherText == null || cipherText.Length <= 0)
        throw new ArgumentNullException("cipherText");
    if (Key == null || Key.Length <= 0)
        throw new ArgumentNullException("Key");
    if (IV == null || IV.Length <= 0)
        throw new ArgumentNullException("IV");

    // Declare the string used to hold
    // the decrypted text.
    string plaintext = null;

    // Create an Aes object
    // with the specified key and IV.
    using (Aes aesAlg = Aes.Create())
    {
        aesAlg.Key = Key;
        aesAlg.IV = IV;

        // Create a decryptor to perform the stream transform.
        ICryptoTransform decryptor = aesAlg.CreateDecryptor(aesAlg.Key, aesAlg.IV);

        // Create the streams used for decryption.
        using (MemoryStream msDecrypt = new MemoryStream(cipherText))
        {
            using (CryptoStream csDecrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read))
            {
                using (StreamReader srDecrypt = new StreamReader(csDecrypt))
                {
                    // Read the decrypted bytes from the decrypting stream
                    // and place them in a string.
                    plaintext = srDecrypt.ReadToEnd();
                }
            }
        }
    }

    return plaintext;
}

4 Replies

flavio.lara
Level 5

Hello @Tobias Arnold and @Vitor.

Do you know how to convert the secret key we have in BP (44-byte string) to the 32-byte string necessary to submit to the AES 256 decrypt routine?

We have the encrypted text, the IV, the secret key, but the secret key is not accepted by the routine Tobias sent.

Thank you very much!

Flavio

TobiasArnold
Level 6

Hi Flavio,

I've checked the routine and it is still working. I call the decode method the following way:

static void DecryptExample()
{
    var key = Convert.FromBase64String("<Key>");       // the Base64 key string decodes to the raw key bytes
    var secret = "<IV>:<SecretText>";                 // stored value: Base64 IV, ':', Base64 ciphertext
    var parts = secret.Split(':');
    var IV = Convert.FromBase64String(parts[0]);
    var text = Convert.FromBase64String(parts[1]);

    var decodedText = DecryptStringFromBytes_Aes(text, key, IV);
}
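The thread covers only the read side. As an added example (not code from the thread and not Blue Prism's own implementation), the C# program below shows the write side Vitor was after alongside the read side, under the assumption the thread arrives at: the stored value is Base64(IV), a ':' separator, then Base64(ciphertext), with AES-256 in CBC mode and PKCS7 padding (the .NET defaults). It also shows why Flavio's 44-character key string is a 32-byte key once Base64-decoded. The left-hand part is a fresh random initialization vector per record (Tobias calls it a salt; functionally it is a nonce that makes identical passwords encrypt to different ciphertexts), which is why that half differs on every row. The class and method names, the sample password and the key are mine, constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: AES-256-CBC round trip in the "base64(IV):base64(ciphertext)"
// layout assumed from the thread. Not Blue Prism's code; names are hypothetical.
public static class CredentialCrypto
{
    // Encrypts plaintext under a 32-byte key with a fresh random 16-byte IV and
    // returns the two Base64 parts joined by ':'.
    public static string Encrypt(string plaintext, byte[] key)
    {
        if (key == null || key.Length != 32)
            throw new ArgumentException("AES-256 requires a 32-byte key", nameof(key));

        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.CBC;          // .NET default, set explicitly for clarity
            aes.Padding = PaddingMode.PKCS7;    // .NET default, set explicitly for clarity
            aes.GenerateIV();                   // new random IV for every record

            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                return Convert.ToBase64String(aes.IV) + ":" + Convert.ToBase64String(ct);
            }
        }
    }

    // Splits the stored value into IV and ciphertext and reverses Encrypt.
    public static string Decrypt(string stored, byte[] key)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2)
            throw new FormatException("expected base64(IV):base64(ciphertext)");

        byte[] iv = Convert.FromBase64String(parts[0]);
        byte[] ct = Convert.FromBase64String(parts[1]);

        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = iv;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;

            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(ct, 0, ct.Length);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    public static void Main()
    {
        // Constructed demo key: 32 random bytes. Base64 of 32 bytes is always
        // 44 characters (11 groups of 4, the last one padded with '='), which is
        // the 44-character key string vs. 32-byte key question from the thread.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        string keyB64 = Convert.ToBase64String(key);
        Console.WriteLine($"key: {keyB64.Length} Base64 chars -> {Convert.FromBase64String(keyB64).Length} bytes");

        string stored = Encrypt("S3cret-password", key);   // constructed sample password
        Console.WriteLine("stored:    " + stored);
        Console.WriteLine("decrypted: " + Decrypt(stored, key));

        // Encrypting the same password again yields a different IV and ciphertext.
        Console.WriteLine("second encryption differs: " + (Encrypt("S3cret-password", key) != stored));
    }
}
```

Two practical notes. Decrypt rejects anything that does not split into exactly two parts, so a value without the ':' (the format Vitor expected to see) fails fast rather than producing garbage. This layout carries no authentication tag: a wrong key or an altered ciphertext is detected, at best, as a padding CryptographicException from TransformFinalBlock, so the format gives confidentiality only, not integrity.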

flavio.lara
Level 5

Thank you @Tobias Arnold!

It worked!!!!