A recent message on the Hardhats mailing list exposed an interesting problem with an instance of VistA built from the code in OSEHRA’s VistA-M repository and a subset of VistA’s Delphi GUIs. This problem lies in the cipher that VistA uses to encrypt and decrypt the Access and Verify codes during remote sign-on.
The key to this cipher is found in two places: first in the XUSRB1.m routine and also in the Broker Development Kit for Delphi file named Hash.pas. If the two keys are not identical on either side of a connection, the Access/Verify codes will not be decrypted to their original value and will likely be rejected by the EHR as incorrect. This error manifests in the user receiving a “Not a valid ACCESS CODE/VERIFY CODE pair” pop-up message when attempting to sign on through a Delphi GUI but the user is able to log into the Roll-and-Scroll interface with the same set of codes.
Due to an update to the VistA-M repository, specifically the addition of the code in the November 2014 FOIA release, the key for the cipher found in the XUSRB1 routine in the VistA-M repository has been changed. This change has caused a large amount of the available binaries of these GUIs to not be able to connect to an instance built from this version of the VistA-M code.
While OSEHRA does not have access to or a method to build from the source code of all of the VistA GUIs, we have prepared a version of the CPRS v30.15 executable that is compatible with an OSEHRA-built EHR instance. It can be found on the code.osehra.org server at the following address:
The executable has a SHA1 hash of 5dac623bcb253f3e065aa9a0050bb2
OSEHRA is currently determining the best course of action to take regarding the long term answer to the cipher problem. Stay tuned for more information!