
Show HN: Aes.vbs – AES-256-CBC Encrypt and Decrypt in VBScript for legacy apps - susam
https://github.com/susam/aes.vbs
======
amanzi
Nice work. I don't know much about the cryptography to comment on whether this
is a good implementation or not, but it's cool to see a VBScript link on
Hacker News! :-)

------
rickette
If you're gonna use AES-CBC then please use Encrypt-then-MAC.

Now you're performing encryption without an authentication tag (HMAC), also
known as
[https://moxie.org/blog/the-cryptographic-doom-principle/](https://moxie.org/blog/the-cryptographic-doom-principle/).

~~~
susam
That's a good point. Indeed, that's the right way to use AES-256-CBC. There is
an HMACSHA256 class available[1] which is quite straightforward to use, so I
did not think about providing a wrapper for it in my project. It can be used
like this:

    
    
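      ' COM-visible .NET HMAC-SHA256 object, reused across calls
      Set hmac = CreateObject("System.Security.Cryptography.HMACSHA256")

      ' key: Base64-encoded key string; msg: text, hashed as UTF-8 bytes.
      ' Returns the HMAC-SHA256 tag as a byte array.
      Function HMACSHA256(key, msg)
          hmac.Key = B64Decode(key)
          HMACSHA256 = hmac.ComputeHash_2(utf8.GetBytes_4(msg))
      End Function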
    

B64Decode and utf8 in the above examples are defined in the source code[2] of
the project.

I think it would be useful to provide convenient wrappers to compute and
validate the HMAC along with the ciphertext. Thank you for this feedback. I
might expose a wrapper for this later. In the meantime, if someone has the
time to do this before I do it, pull requests are welcome.

[1]: [https://docs.microsoft.com/en-us/dotnet/api/system.security....](https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.hmacsha256)

[2]: [https://github.com/susam/aes.vbs/blob/master/aes.vbs](https://github.com/susam/aes.vbs/blob/master/aes.vbs)

~~~
susam
Update: I have now updated[1] the Encrypt() and Decrypt() functions in
VBScript to compute and verify an authentication tag during encryption and
decryption, respectively.

The remainder of the project[2] (README and OpenSSL examples) has also been
updated accordingly.

[1]: [https://github.com/susam/aes.vbs/commit/328c38e272880b4da0e2...](https://github.com/susam/aes.vbs/commit/328c38e272880b4da0e26fdfdad1c77c735ff6ed)

[2]: [https://github.com/susam/aes.vbs](https://github.com/susam/aes.vbs)
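
The Encrypt-then-MAC check discussed in this sub-thread, as an added example that is not part of the thread and not the project's code: the tag covers the IV and the ciphertext and is verified in constant time before anything is handed to AES-CBC decryption. The `IV || ciphertext || tag` layout, the separate MAC key, and the names `seal`, `open_sealed` and `InvalidMessage` are assumptions made for illustration; the AES step itself is left out and the ciphertext is treated as opaque bytes.

```python
import hashlib
import hmac

IV_LEN = 16     # AES block size in bytes
TAG_LEN = 32    # HMAC-SHA256 output size in bytes


class InvalidMessage(Exception):
    """Raised for every rejection so callers cannot tell failures apart."""


def _tag(mac_key: bytes, body: bytes) -> bytes:
    return hmac.new(mac_key, body, hashlib.sha256).digest()


def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Return IV || ciphertext || tag, with the tag covering IV and ciphertext."""
    if len(iv) != IV_LEN or not ciphertext or len(ciphertext) % IV_LEN:
        raise ValueError("need a 16-byte IV and whole ciphertext blocks")
    body = iv + ciphertext
    return body + _tag(mac_key, body)


def open_sealed(mac_key: bytes, message: bytes):
    """Check the tag before anything else; return (iv, ciphertext) if valid."""
    # Shortest valid message: IV + one ciphertext block + tag
    if len(message) < IV_LEN + IV_LEN + TAG_LEN:
        raise InvalidMessage("invalid message")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    # compare_digest takes the same time wherever the first mismatch is
    if not hmac.compare_digest(tag, _tag(mac_key, body)):
        raise InvalidMessage("invalid message")
    return body[:IV_LEN], body[IV_LEN:]


if __name__ == "__main__":
    # Constructed sample values, not real keys or real AES output
    mac_key = bytes(range(32))
    iv = bytes(16)
    ciphertext = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
    message = seal(mac_key, iv, ciphertext)
    assert open_sealed(mac_key, message) == (iv, ciphertext)
    forged = bytearray(message)
    forged[IV_LEN] ^= 0x01          # flip one bit of the first ciphertext block
    try:
        open_sealed(mac_key, bytes(forged))
    except InvalidMessage:
        print("tampered message rejected before decryption")
```

Only the pair returned by `open_sealed` should ever reach the CBC decryptor, so padding errors from attacker-modified ciphertext are never observable.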

------
jsilence
Nice, but why is this on HN?

~~~
thejosh
Because why not?

~~~
jsilence
This is weird, I was asking on a totally different thread. Not sure what
happened.

