
My company has an external pointing web server that allows our clients to complete questionnaires and submit the results to an internal database.

Each external user's form gets a unique GUID. For example [9C43207A-FD84-499A-82C3-247E7337335F]. For security purposes a token is generated with C# code using the form GUID, on the 64 bit web-server.

In order for an internal user to see the form, in our winforms application, a web browser has been embedded and the following URL is entered into a web browser address bar... [https://company_domain_name.com/formonline.aspx?token=TOKEN_GENERATED_BY_64_BIT_WEBSERVER].

The code below generates the token...

//**************************************************************
// Example Code 
//**************************************************************
System.Guid MY_GUID = 
    new System.Guid("9C43207A-FD84-499A-82C3-247E7337335F");

string txtID = MY_GUID.ToString();

System.Text.StringBuilder str = 
    new System.Text.StringBuilder();

str.Append(txtID);

//**************************************************************
// Other string values are appended to StringBuilder for 
// security reasons
//**************************************************************

string hashResult = txtID.GetHashCode().ToString();
str.Append(hashResult);
string finalResult = EncodeTo64(str.ToString());

//**************************************************************
// Method
//**************************************************************
private string EncodeTo64(string toEncode)
{
    byte[] toEncodeAsBytes = 
        System.Text.ASCIIEncoding.ASCII.GetBytes(toEncode);

    string returnValue = 
        System.Convert.ToBase64String(toEncodeAsBytes);

    return returnValue;
}

Unfortunately the web token generated on the internal user's 32bit client machine is completely different from the web server version and the web page fails to open.

Actual Examples below.

[GUID] [9C43207A-FD84-499A-82C3-247E7337335F]

[64bit Token] [QgT7FcAkB4EtZmQ4NC00OTlhLTgyYzMtMjQ3ZTczMzczMzVmI1RydWUjLTMyMDYzMzU4MQ==]

[32bit Token] [QgT7FcAkB4EtZmQ4NC00OTlhLTgyYzMtMjQ3ZTczMzczMzVmI0ZhbHNlIzEyNjcyNjM0NTI=]

Downgrading the web server from 64bit to 32bit is not an option.

Altering the code on the web server is also not an option, as it is a proprietary software system and I was very lucky that the developers gave me the code that they use to create the token.

Is it even possible to use the calculation to get the same 64bit result on a 32bit client?

Lord Future
    Sticking the output through a base64 decode shows the txtID is different: 1267263452 (32bit) vs -320633581 (64bit). It looks like you have integer overflow happening. – Eterm Jun 18 '14 at 12:45
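
The Base64 decode mentioned in the comment above, as an added example that is not part of the original post: it decodes the two tokens from the question and reports which '#'-separated fields differ. The field names `id`, `flag` and `hash` are assumptions made here, since the page does not name the extra values appended to the token.

```python
import base64

# Tokens copied from the question above (64-bit server vs 32-bit client).
TOKEN_64 = "QgT7FcAkB4EtZmQ4NC00OTlhLTgyYzMtMjQ3ZTczMzczMzVmI1RydWUjLTMyMDYzMzU4MQ=="
TOKEN_32 = "QgT7FcAkB4EtZmQ4NC00OTlhLTgyYzMtMjQ3ZTczMzczMzVmI0ZhbHNlIzEyNjcyNjM0NTI="

# Field names are assumptions made for this example; the page does not name
# the "other string values" that are appended between the ID and the hash.
FIELD_NAMES = ("id", "flag", "hash")


def parse_token(token):
    """Base64-decode a token and split it into its '#'-separated fields."""
    raw = base64.b64decode(token, validate=True)
    # Split from the right so a '#' byte inside the ID cannot shift fields.
    parts = raw.rsplit(b"#", len(FIELD_NAMES) - 1)
    if len(parts) != len(FIELD_NAMES):
        raise ValueError("unexpected token layout")
    # latin-1 maps every byte to one character, so non-ASCII bytes in the
    # leading part of the ID survive decoding unchanged.
    fields = dict(zip(FIELD_NAMES, (p.decode("latin-1") for p in parts)))
    int(fields["hash"])  # raises ValueError if the hash is not a decimal int
    return fields


def diff_tokens(token_a, token_b):
    """Return {field: (value_a, value_b)} for every field that differs."""
    a, b = parse_token(token_a), parse_token(token_b)
    return {k: (a[k], b[k]) for k in FIELD_NAMES if a[k] != b[k]}


if __name__ == "__main__":
    for name, (server, client) in diff_tokens(TOKEN_64, TOKEN_32).items():
        print(f"{name}: server={server!r} client={client!r}")
```

On the two tokens shown in the question, the True/False field differs as well as the hash value, so a client would have to reproduce both to match the server's token.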

0 Answers