Sample code for 30+ languages & platforms
Objective-C

Duplicate SQL Server ENCRYPTBYPASSPHRASE

See more Encryption Examples

Demonstrates how to duplicate SQL Server's ENCRYPTBYPASSPHRASE.

Chilkat Objective-C Downloads

Objective-C
#import <NSString.h>
#import <CkoStringBuilder.h>
#import <CkoCrypt2.h>
#import <CkoBinData.h>
#import <CkoPrng.h>

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// For SQL Server 2008 - SQL Server 2016 we must use TripleDES with SHA1
// For SQL Server 2017 and later, use AES256 / SHA256.

NSString *password = @"tEst1234";
NSString *encryptedHex_v1 = @"0x010000001E8E7DCDBD4061B951999E25D18445D2305474D2D71EEE98A241C755246F58AB";

// Here's an encrypted string using AES256/SHA256
NSString *encryptedHex_v2 = @"0x02000000FFE880C0354780481E64EF25B6197A02E2A854A4BA9D8D9BDDFDAB27EB56537ABDA0B1D9C4D1050C91B313550DECF429";

CkoStringBuilder *sbEncHex = [[CkoStringBuilder alloc] init];
[sbEncHex Append: encryptedHex_v1];

// If present, we don't want the leading "0x"
if ([sbEncHex StartsWith: @"0x" caseSensitive: NO] == YES) {
    [sbEncHex RemoveCharsAt: [NSNumber numberWithInt: 0] numChars: [NSNumber numberWithInt: 2]];
}

CkoCrypt2 *crypt = [[CkoCrypt2 alloc] init];
crypt.EncodingMode = @"hex";

// The encrypted hex string will begin with either 01000000 or 02000000
// version 1 is produced by SQL Server 2008 to SQL Server 2016, and we must use TripleDES with SHA1
// version 2 is for SQL Server 2017 and later, and uses AES256 / SHA256.
BOOL v1 = [sbEncHex StartsWith: @"01" caseSensitive: NO];

int ivLen = 0;
NSString *hashAlg = 0;

if (v1 == YES) {
    crypt.CryptAlgorithm = @"3des";
    crypt.CipherMode = @"cbc";
    crypt.KeyLength = [NSNumber numberWithInt:168];
    ivLen = 8;
    hashAlg = @"sha1";
}
else {
    crypt.CryptAlgorithm = @"aes";
    crypt.CipherMode = @"cbc";
    crypt.KeyLength = [NSNumber numberWithInt:256];
    ivLen = 16;
    hashAlg = @"sha256";
}

// Remove the SQL Server version info (i.e. the "01000000")
[sbEncHex RemoveCharsAt: [NSNumber numberWithInt: 0] numChars: [NSNumber numberWithInt: 8]];

// Get the IV part of the sbEncHex, and also remove it from the StringBuilder.
NSString *ivHex = [sbEncHex GetRange: [NSNumber numberWithInt: 0] numChars: [NSNumber numberWithInt: (ivLen * 2)] removeFlag: YES];
NSLog(@"%@%@",@"IV = ",ivHex);
[crypt SetEncodedIV: ivHex encoding: @"hex"];

CkoStringBuilder *sbPassword = [[CkoStringBuilder alloc] init];
[sbPassword Append: password];
NSString *pwd_hash = [sbPassword GetHash: hashAlg encoding: @"hex" charset: @"utf-16"];
CkoStringBuilder *sbKey = [[CkoStringBuilder alloc] init];
[sbKey Append: pwd_hash];
if (v1 == YES) {
    // For v1, we only want the 1st 16 bytes of the 20 byte hash.
    // (remember, the hex encoding uses 2 chars per byte, so we remove the last 8 chars)
    [sbKey Shorten: [NSNumber numberWithInt: 8]];
}

NSLog(@"%@%@",@"crypt key: ",[sbKey GetAsString]);

[crypt SetEncodedKey: [sbKey GetAsString] encoding: @"hex"];

// Decrypt
CkoBinData *bd = [[CkoBinData alloc] init];
[bd AppendEncoded: [sbEncHex GetAsString] encoding: @"hex"];
[crypt DecryptBd: bd];

// The result is composed of a header of 8 bytes which we can discard.
// The remainder is the decrypted text.

// The header we are discarding is composed of:
// Bytes 0-3: Magic number equal to 0DF0ADBA
// Bytes 4-5: Number of integrity bytes, which is 0 unless an authenticator is used. We're assuming no authenticator is used.
// Bytes 6-7: Number of plain-text bytes. We really don't need this because the CBC padding takes care of it.

// Therefore, just return the data after the 1st 8 bytes.
// Assuming the encrypted string was utf-8 text...
[bd RemoveChunk: [NSNumber numberWithInt: 0] numBytes: [NSNumber numberWithInt: 8]];
NSString *plainText = [bd GetString: @"utf-8"];
NSLog(@"%@%@",@"decrypted plain text: ",plainText);

// The output:

// IV = 1E8E7DCDBD4061B9
// crypt key: 710B9C2E61ACCC9570D4112203BD9738
// decrypted plain text: Hello world.

// ------------------------------------------------------------------------------------------
// To encrypt, do the reverse...

// Let's do v1 with TripleDES with SHA1

CkoCrypt2 *encryptor = [[CkoCrypt2 alloc] init];
encryptor.EncodingMode = @"hex";

encryptor.CryptAlgorithm = @"3des";
encryptor.CipherMode = @"cbc";
encryptor.KeyLength = [NSNumber numberWithInt:168];

// Generate a random 8-byte IV
CkoPrng *prng = [[CkoPrng alloc] init];
ivHex = [prng GenRandom: [NSNumber numberWithInt: 8] encoding: @"hex"];
[encryptor SetEncodedIV: ivHex encoding: @"hex"];

// The binary password is generated the same as above.
// We'll use the same password (and same binary password)
[encryptor SetEncodedKey: [sbKey GetAsString] encoding: @"hex"];

int plainTextLen = 8;
plainText = @"ABCD1234";

// Encrypt the header + the plain-text.
CkoBinData *bdData = [[CkoBinData alloc] init];
[bdData AppendEncoded: @"0DF0ADBA" encoding: @"hex"];
[bdData AppendEncoded: @"0000" encoding: @"hex"];
[bdData AppendInt2: [NSNumber numberWithInt: plainTextLen] littleEndian: YES];
NSLog(@"%@%@",@"header: ",[bdData GetEncoded: @"hex"]);
[bdData AppendString: plainText charset: @"utf-8"];
[encryptor EncryptBd: bdData];

// Compose the result..
CkoStringBuilder *sbEnc = [[CkoStringBuilder alloc] init];
[sbEnc Append: @"0x01000000"];
[sbEnc Append: ivHex];
[sbEnc Append: [bdData GetEncoded: @"hex"]];

NSLog(@"%@%@",@"result: ",[sbEnc GetAsString]);