topic Re: How to decrypt password which is encrypted using proc pwencode. in SAS Data Management

How to decrypt password which is encrypted using proc pwencode.

venkatnaveen — Wed, 10 Sep 2014 18:32:43 GMT

Hi,

How to decrypt password which is encrypted using proc pwencode.

Re: How to decrypt password which is encrypted using proc pwencode.

SASKiwi — Wed, 10 Sep 2014 20:13:05 GMT

Here is no functionality in SAS for decrypting a password encrypted using proc pwencode. You can still use the encrypted password in your SAS programs without knowing what the original password is. The whole point of encrypting a password is to ensure that it cannot be easily decrypted.

It is the responsibility of the person encrypting the password to safely remember or store it somewhere secure such as in a password safe application.

I am curious to know why you want to decrypt - is it simply because the oroginal password has been forgotten?

Re: How to decrypt password which is encrypted using proc pwencode.

Patrick — Wed, 10 Sep 2014 22:04:49 GMT

Which "encryption" algorithm have you used? The password should tell you (SAS1, SAS2, or SAS3).

And same question like SASKiwi: Why do you want to decrypt?

Re: How to decrypt password which is encrypted using proc pwencode.

Ksharp — Thu, 11 Sep 2014 12:14:21 GMT

No way .

Re: How to decrypt password which is encrypted using proc pwencode.

Patrick — Fri, 12 Sep 2014 04:44:20 GMT

Proc Pwencode method SAS001 and SAS002 is only encoding. So for these 2 methods there is a way. SAS001 uses Base 64 so this is very simple. What SAS002 uses is not published but I would assume SAS TechSupport could help if really required and proven justified and legal.

SAS003 and SAS004 is real encryption so there I would also say "no way" as much as this can be said considering the SSL story.

Base SAS(R) 9.4 Procedures Guide, Third Edition

Re: How to decrypt password which is encrypted using proc pwencode.

bl_jyskebank_dk — Fri, 12 Sep 2014 05:45:40 GMT

Agreed!

Re: How to decrypt password which is encrypted using proc pwencode.

jakarman — Fri, 12 Sep 2014 08:39:41 GMT

Not agreed.... SAS002 is MD5 (somewhere) found. SAS003 is coming with SAS/secure must be AES.

Think about the following:

- You can pwencode passwords for external databases.
- External databases can not understand the SAS pwencoding (it is starting with sas isn't it)

- Conclude there is a password decrypt function for pwencode in the SAS environments.
This function is not published, but must be there. How can it work when it does not exist?

When you are in a SAS environment and see a pwencoded string there is no need for decrypting, just do a copy paste to any other location you want and it will work.

There are several other things to think about before claiming pwencode is secure. These two (used obscurity of a function) and being copy paste-able are already serious enough for distrust.

Re: How to decrypt password which is encrypted using proc pwencode.

Patrick — Fri, 12 Sep 2014 10:44:33 GMT

Isn't the question if "you" can reverse the password if given to you? Good luck with AES.

Re: How to decrypt password which is encrypted using proc pwencode.

jakarman — Fri, 12 Sep 2014 11:51:58 GMT

If the question is can the password be reverted? Is somebody capable doing that?

The answer is yes. Please give me the function that SAS has hidden and all passwords are capable to be reverted by me.

When I can get in the middle somewhere I could capture the uncrypted versions of passwords. The SAS code could be injected with some malicious software around that.

As there is a technical way to uncrypt it, it is a possible vulnerability.

For fun a similar story with MS-office. You can encrypt that file (AES).

Plan cryptography and encryption settings for Office 2013

Too many issue people losing password in business environments. There is a docrecrypt tool

Remove or reset file passwords in Office 2013 Using a public key with an escrow key for recovery.

Re: How to decrypt password which is encrypted using proc pwencode.

AndreasMenrath — Fri, 12 Sep 2014 12:54:07 GMT

decrypting SAS01 is very easy as it is a simple base 64 encoding.

decrypting SAS02 is not that easy, but if you know the trick it is quite easy and just takes a fraction of a second to do it. But this is not officially supported by SAS.

decrypting SAS03 and SAS04: SAS needs to have an internal algorithm to do it. It is just a matter of energy you want to invest to revert it.

Actually i would not rely on any of these methods to be considered secure.

Re: How to decrypt password which is encrypted using proc pwencode.

venkatnaveen — Tue, 16 Sep 2014 08:18:38 GMT

Thanks to all

Re: How to decrypt password which is encrypted using proc pwencode.

AndreasMenrath — Sat, 04 Oct 2014 12:50:12 GMT

Patrick schrieb:

Jaap Karman

Isn't the question if "you" can reverse the password if given to you? Good luck with AES.

Update to my former post:

i found a way to nicely ask the SAS software to decrypt a SAS01-SAS04 password for me. So i can decrypt any password in seconds.

So even even the SAS04 method is not secure. It may use AES internally, but the key for the encryption has to be always the same to reuse the encoded password across different SAS machines and that you can promote your metadata and SAS programs.

I quote from Concepts: PWENCODE Procedure :: Base SAS(R) 9.4 Procedures Guide, Third Edition:

"PROC PWENCODE is intended to prevent casual, non-malicious viewing of passwords. You should not depend on PROC PWENCODE for all your data security needs; a determined and knowledgeable attacker can decode the encoded passwords."

So the conclusion is: using pwencode might prevent 99% of all your users from decrypting the password as clear text. But if the last 1% of users could do any damage with the clear text password or could gain access to highly sensitive data you should never rely on PROC PWENCODE!

PROC PWENCODE passwords are not save!

Re: How to decrypt password which is encrypted using proc pwencode.

jakarman — Sat, 04 Oct 2014 20:55:50 GMT

Andreas, great you proved that is possible as that decrypt routine should be there (see the why in one of my previous posts)

Coding the pwencode in direct in source is an unsafe habit you can copy it and reuse that everywhere as it is code. The mental switch to make is that there is no need for decryption to do that. The only way to get that save is by storing that in safe well protected OS location.

Reviewing this discussing I do not see the argumentation why someone is asking this kind of questions.

I have seen this coming is a result of the regulations requiring a prudent IT organization and implementation. For that auditors are passing by with some list with questions. The common practiced approach is getting the auditor happy. By that may be ignoring the goal of that list.

Andreas, regulations and Germany that must be DIN ISO/IEC 27002:2008 (27005:2008?). Do you have the content details for those auditability traceability.

http://www.din.de/sixcms_upload/media/2896/Kompass%20der%20IT-Sicherheitsstandards.pdf

Re: How to decrypt password which is encrypted using proc pwencode.

AndreasMenrath — Mon, 06 Oct 2014 07:11:59 GMT

I am not sure what you mean. I never did an audit, so i don't know the regulations.

Still the key part about security depending on PROC PWENCODED passwords is:

do not think it is save and the password cannot be reverted.

Prefer operating system security (like Integrated Windows Authentication, File System user access rights, ...) or prompt the user for a password.

Re: How to decrypt password which is encrypted using proc pwencode.

jakarman — Mon, 06 Oct 2014 09:43:33 GMT

Andreas, That document I have linked to is an excellent compass for all laws and regulations(D). Most of those are international similar.

It is mentioning: Cobit, ITIL, IDW PS 330 (D prufing oder English auditing) and Kontrag(D) BaseslII SOX Euro-SOX BDSG(D dataprivacy) and cryptography (PKI). There is nice table for type of the company and the relevant standards (page 11-12).

It is ashtonishing IT suppliers exists that are not aware of this and offering solutions that are unnecessary conflicting with them.

Re: How to decrypt password which is encrypted using proc pwencode.

Venkat4 — Tue, 28 Jul 2015 17:38:27 GMT

Try Proc pwdecode

Re: How to decrypt password which is encrypted using proc pwencode.

SASKiwi — Wed, 29 Jul 2015 04:22:05 GMT

ERROR: Procedure PWDECODE not found.

Re: How to decrypt password which is encrypted using proc pwencode.

jakarman — Wed, 29 Jul 2015 05:51:31 GMT

SAS PWDECODE - SAS PWENCODE DECODE Looks a rainbow approach.
Still te question what SAS has implemented as decode routine to pass that decrypted to Oracle. With a trace it should be able to catch those at that level between SAS and the external client.

Re: How to decrypt password which is encrypted using proc pwencode.

LB — Thu, 19 Jan 2017 21:38:19 GMT

Can you share how you got SAS to do that?

Thanks

Re: How to decrypt password which is encrypted using proc pwencode.

RonAgresta — Wed, 30 Aug 2017 14:38:11 GMT

The PWENCODE procedure enables you to encode passwords. Encoding obfuscates the data. Unlike encryption, encoding is a reversible permutation of the data and uses no keys.

Encoded passwords can be used in place of plaintext passwords in SAS programs that access relational database management systems (RDBMSs) and various servers. Examples are SAS/CONNECT servers, SAS/SHARE servers, SAS Integrated Object Model (IOM) servers, SAS Metadata Servers, and more.

More on encoding and encryption can be found in the Encryption in SAS documentation.

Ron