Exactly my points from the get go. I asked the questions that I did to show
that we were both saying essentially the same thing. I should have been
clearer when I said that CF would incur an unacceptable amount of overhead.
I took it to be understood that the alternatives, 3DES, 128-bit, etc., would
carry with them an increased CPU/memory utilization that would not be
acceptable in a high volume environment without purchasing costly equipment.

Reading the source of the cfdecrypt utility makes it very clear how the
header is used.

>CF uses DES all the time. ... There is no need to determine the algorithm.
>1 - Triple DES is not used because it is CPU intensive
>2 - 56 bit encryption is the limit due to export restrictions

> > CF uses DES for encryption. This is used because it has good performance
> > while maintaining decent encryption. The "cracker" as you put it simply
> > decrypts DES. If Allaire were to change the encryption algorithm
> > templates encrypted by the previous algorithm would no longer work unless the
> > system first interrogated the file to discover its encryption method.


Regards,

Steve


-----Original Message-----
From: Howie Hamlin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 26, 2000 4:04 PM
To: [EMAIL PROTECTED]
Subject: Re: does everyone always encrypt?? decrypter?

----- Original Message -----
From: Steve Bernard <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 26, 2000 2:29 PM
Subject: RE: does everyone always encrypt?? decrypter?


> Does this header act as an identifier to differentiate between various
> flavors of encryption or is it just a standard DES header?

It is not a DES header.  Here are the different headers:

Version 1:

Allaire Cold Fusion Template
Header Size:

Version 2:

Allaire Cold Fusion Template
Header Size: New Version

There is a counter at a specific offset to determine the size of the header
and the version 2 header has the "New Version" text as well.  Also, as far
as I know DES does not have a header at all...

> If it is an
> identifier, what are the other possibilities and where did you get this
> information?
>

Just look at the encrypted template - it's fairly straightforward.

> Part of the header is encrypted:
>
> Allaire Cold Fusion Template
> Header Size: New VersionÙ"*S5&âÕÞ5k£M. ... blah, blah, blah
>

Yes, a version 2 header.

> Presumably, this is DES. That being the case, CF must first decrypt the
> message using DES. If it then came upon another form of encryption, it would
> have to first identify that algorithm, unless it was already known, load
> another decryption module, decrypt again, then execute the template. This
> would incur additional overhead, varying upon what algorithm was used, which
> would then affect the performance of the server.
>

No.  CF uses DES all the time.  I think the only difference between version
1 and version 2 is the encryption key and the header that differentiates the
versions.  There is no need to determine the algorithm.  Also, you have to
take into account that:

1 - Triple DES is not used because it is CPU intensive
2 - 56 bit encryption is the limit due to export restrictions

HTH,

Howie
> Regards,
>
> Steve
>
>
> -----Original Message-----
> From: Howie Hamlin [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 26, 2000 11:46 AM
> To: [EMAIL PROTECTED]
> Subject: Re: does everyone always encrypt?? decrypter?
>
>
>
> ----- Original Message -----
> From: Steve Bernard <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, April 26, 2000 11:02 AM
> Subject: RE: does everyone always encrypt?? decrypter?
>
>
> > CF uses DES for encryption. This is used because it has good performance
> > while maintaining decent encryption. The "cracker" as you put it simply
> > decrypts DES. If Allaire were to change the encryption algorithm templates
> > encrypted by the previous algorithm would no longer work unless the system
> > first interrogated the file to discover its encryption method. This would
> > incur an unacceptable performance hit in high volume applications.
>
> Not true.  Allaire does not simply encrypt the file as-is...they include a
> custom header to the encrypted file which they use to easily determine the
> encryption method.
>
> Regards,
>
> Howie
>
> > Allaire has stated in the past that encrypting templates does not provide
> > complete security, but it does provide enough so that the typical user can
> > not read the plain text. Once someone has uninterrupted access to any code
> > it is only a matter of time before it is cracked.
> >
> > Regards,
> >
> > Steve
>
> ------------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
> send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
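
An added example, not part of the original thread and not taken from the cfdecrypt utility: a Python classifier that uses the header text quoted in the thread to inventory which templates under a directory carry the version 1 or version 2 encrypted header, so an administrator can see which source files rely on this protection. The line-break handling, the optional space after "Header Size:", the file extensions and all function names are assumptions; the thread does not give the offset of the size counter, so it is not parsed.

```python
import os
import re
import tempfile

# Marker text exactly as quoted in the thread. The line break between the two
# lines is not specified there, so LF and CRLF are both accepted (assumption).
HEADER_RE = re.compile(
    rb"\AAllaire Cold Fusion Template\r?\nHeader Size: ?(New Version)?"
)

def classify_template(data: bytes) -> str:
    """Return 'v2', 'v1' or 'plain' based on the leading bytes of a template."""
    m = HEADER_RE.match(data)
    if m is None:
        return "plain"            # marker absent, or not at the start of the file
    return "v2" if m.group(1) else "v1"

def inventory(root: str, exts=(".cfm", ".cfml")) -> dict:
    """Walk root and group template paths by header classification."""
    found = {"v1": [], "v2": [], "plain": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(128)   # the header sits at the very start
            found[classify_template(head)].append(path)
    return found

if __name__ == "__main__":
    # Constructed sample files; the bytes after the header text are filler.
    samples = {
        "old.cfm": b"Allaire Cold Fusion Template\r\nHeader Size: \x00\x10\x9a\x41",
        "new.cfm": b"Allaire Cold Fusion Template\r\nHeader Size: New Version\xd9\x22\x2a",
        "open.cfm": b"<cfoutput>#Now()#</cfoutput>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for kind, paths in inventory(root).items():
            print(kind, [os.path.basename(p) for p in paths])
```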
