Odwek getdocid in different format

[hakan_carlberg]

Hi
Stupid question..
We are upgrading from V8.5.0 to V9.5.0... and get a strange behaviour in a ODWek Java application...
well strange and strange, but we can not find any information about it..

In 8.5.0 getdocid = DocID: "v7126-24826-24827-22773-FFK1-52FAAA-0-5396-0-2727-85-79-46......"
in 9.5.0 getdocid =  DocID: "Z2HlzcTg08nUBm4lkDIm8y8uPzMI6sFGbg+sBrvgXJTNozxMiHgmTCCuUoTAjydetpyI7tZ4MOAjuPUhGMzR..."

Anybody got any idead ?

Regards
/H Carlberg

[Justin Derrick]

It's to obscure (not encrypt) the internal DocID information, which can be easily modified to retrieve different objects than the one that was intended.  There's mention of it in the v10.1 Webinar -- I think it's Base64 encoded.

-JD.

[hakan_carlberg]

Hi
Yeah, there was the text regarding it, I did read it but forgot it.
but.. it doesn't say it's retrofitted to 9.5 ?

Regards
/H Carlberg

[Ed_Arnold]

Hakan - you're making work for me.   

As part of the security enhancements added at 9.5.0.3, ODWEK no longer generates docids as clear text. The referenced information in the readme is only to instruct ODWEK to accept the unencrypted docids (via recreateHit) but has no affect on the generated docids (getDocId). All docids that ODWEK generates will be encrypted (as of 9.5.0.3).

Ed

[Justin Derrick]

Just to clarify, ODWEK is *obscuring* the clear text of the DocID by presenting it to the end user formatted as "base64", which anyone can encode / decode with a simple command.  It's *obscured*, not *encrypted*.

Here's an example... I enter the text, and the base64-encoded text is returned...  By pasting it in with the -d "decode" option, it turns it back into plain text.  Notice that I'm never prompted for a password / key:

Code: [Select]

$ openssl
OpenSSL> enc -base64
This is encoded text!
VGhpcyBpcyBlbmNvZGVkIHRleHQhCg==
OpenSSL> enc -d -base64
VGhpcyBpcyBlbmNvZGVkIHRleHQhCg==
This is encoded text!

-JD.

[hakan_carlberg]

Hi

Ok, thx for the info.

Regards
/H Carlberg

[Alessandro Perucchi]

Justin,

I have tested today a docid to read it by decoding it via base64... and it doesn't work.
Are you 100% of what you said?

I know for a fact, that the docid for security reasons they use the user ID for the user requesting the docid to "encrypt" the docid.
So if userA gets a docid, and gives it to userB, then userB cannot use the docid, since he is not userA.
For me this is like an encryption of the docid using the userA "key", and only userA can decrypt it, since he has his secret key.

Now what is the exact algorithm used, I have no idea. But from my simple test it doesn't seems to be base64, at least when I use base64 I receive an error saying that there are garbage characters.

If you have more juicy info, I am all hears :-D

[Justin Derrick]

Hey Alessandro,

I'm just going on what was mentioned in the webinar by Greg -- I haven't tried to reverse engineer it. 

-JD.