Re: Encrypt/Decrypt Files

2014-07-17 Thread Richard Colman

Thank you. Good start.

There is the question of the best way to keep track of keys for various, 
different files; or use the same key for all files without exposing it.

As you can see, I am very much a security novice when it comes to this 
stuff.

On 7/17/2014 2:18 PM, John M Bliss wrote:
> Check out https://wikidocs.adobe.com/wiki/display/coldfusionen/EncryptBinary
> including example at bottom.
>
>
> On Thu, Jul 17, 2014 at 4:10 PM, Bryan Stevenson <
> br...@electricedgesystems.com> wrote:
>


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358894
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: Encrypt/Decrypt Files

2014-07-17 Thread Richard Colman

Just to clarify, the problem is not in the transmission, which can be 
accomplished by FTPs, etc.

Once the file resides on the shared FTP server, it needs to be encrypted 
to maintain security.

So, I think the flow is:  (1) transmit plain file up to server, and (2) 
encrypt on the server. Reverse the flow to download.

TNX.

-- Rick

On 7/17/2014 2:10 PM, Bryan Stevenson wrote:
> Hey Rick,
>
> You can use more secure forms of FTP as opposed to getting that
> draconian - just a thought ;-)
>
> I haven't done any file encryption in a while, so I'll bow out on that
> detail - but yes it is doable.
>
> Cheers
>
> *Bryan Stevenson*B.Comm.
> President & CEO
> Electric Edge Systems Group Inc. - makers of FACTS^(TM)
> phone: 250.480.0642
> cell: 250.920.8830
> e-mail: br...@electricedgesystems.com 
> web: www.electricedgesystems.com 
> and www.fisheryfacts.com 
>
> 
>
> Please consider the environment before printing this e-mail
>
> -CONFIDENTIALITY--
> This message, including any attachments, is confidential and may contain
> information that is privileged or exempt from disclosure. It is intended
> only for the person to whom it is addressed unless expressly authorized
> otherwise by the sender. If you are not an authorized recipient, please
> notify the sender immediately and permanently destroy all copies of this
> message and attachments.
>
>
> 

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358893


Re: Encrypt/Decrypt Files

2014-07-17 Thread John M Bliss

Check out https://wikidocs.adobe.com/wiki/display/coldfusionen/EncryptBinary
including example at bottom.


On Thu, Jul 17, 2014 at 4:10 PM, Bryan Stevenson <
br...@electricedgesystems.com> wrote:

>
> Hey Rick,
>
> You can use more secure forms of FTP as opposed to getting that
> draconian - just a thought ;-)
>
> I haven't done any file encryption in a while, so I'll bow out on that
> detail - but yes it is doable.
>
> Cheers
>
> *Bryan Stevenson*B.Comm.
> President & CEO
> Electric Edge Systems Group Inc. - makers of FACTS^(TM)
> phone: 250.480.0642
> cell: 250.920.8830
> e-mail: br...@electricedgesystems.com
> web: www.electricedgesystems.com 
> and www.fisheryfacts.com 
>
> 
>
> Please consider the environment before printing this e-mail
>
> -CONFIDENTIALITY--
> This message, including any attachments, is confidential and may contain
> information that is privileged or exempt from disclosure. It is intended
> only for the person to whom it is addressed unless expressly authorized
> otherwise by the sender. If you are not an authorized recipient, please
> notify the sender immediately and permanently destroy all copies of this
> message and attachments.
>
>
> 

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358892


Re: Encrypt/Decrypt Files

2014-07-17 Thread Bryan Stevenson

Hey Rick,

You can use more secure forms of FTP as opposed to getting that 
draconian - just a thought ;-)

I haven't done any file encryption in a while, so I'll bow out on that 
detail - but yes it is doable.

Cheers

*Bryan Stevenson*B.Comm.
President & CEO
Electric Edge Systems Group Inc. - makers of FACTS^(TM)
phone: 250.480.0642
cell: 250.920.8830
e-mail: br...@electricedgesystems.com 
web: www.electricedgesystems.com  
and www.fisheryfacts.com 



Please consider the environment before printing this e-mail

-CONFIDENTIALITY--
This message, including any attachments, is confidential and may contain 
information that is privileged or exempt from disclosure. It is intended 
only for the person to whom it is addressed unless expressly authorized 
otherwise by the sender. If you are not an authorized recipient, please 
notify the sender immediately and permanently destroy all copies of this 
message and attachments.


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358891


Encrypt/Decrypt Files

2014-07-17 Thread Richard Colman

There are lots of examples on using these functions on strings.

However, is it possible to use these functions to encrypt/decrypt entire 
files (not .cfm code files), for example, to maintain security in an FTP 
server, etc.

TNX for any pointers.

-- Rick

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358890


RE: encrypt / decrypt question

2012-11-09 Thread Eric Bourland

Leigh, Wil, and Pete: to follow up. This code seems to be working very well
to encrypt a credit card number:


 

 
 

 
 


CreditCardNumber = ,

I will use the same logic to create the decrypt statement.

Thank you, again. Have a good evening.

Eric

-Original Message-
From: Leigh [mailto:cfsearch...@yahoo.com] 
Sent: Friday, November 09, 2012 1:37 PM
To: cf-talk
Subject: RE: encrypt / decrypt question


My response got cut off.. Here is the full snippet... assuming it goes
through ;-)

http://pastebin.com/fPLcU3Kd

-Leigh





Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353127


RE: encrypt / decrypt question

2012-11-09 Thread Eric Bourland

Leigh, that makes abundant sense. Thank you very much. As always.

Eric

-Original Message-
From: Leigh [mailto:cfsearch...@yahoo.com] 
Sent: Friday, November 09, 2012 1:37 PM
To: cf-talk
Subject: RE: encrypt / decrypt question


My response got cut off.. Here is the full snippet... assuming it goes
through ;-)

http://pastebin.com/fPLcU3Kd

-Leigh





Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353116


RE: encrypt / decrypt question

2012-11-09 Thread Leigh

My response got cut off.. Here is the full snippet... assuming it goes through 
;-)

http://pastebin.com/fPLcU3Kd

-Leigh



Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353114


RE: encrypt / decrypt question

2012-11-09 Thread Leigh

> Does the GenerateSecretKey function account for both the key 
> and the algorithm?

No - not the way you are thinking. You need to supply the algorithm twice. Once 
when generating the key  _and_ once when performing the encryption. To better 
illustrate:

  
  
  
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353107

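The point of the reply above (name the algorithm once for GenerateSecretKey and again, as the third argument, for Encrypt) together with the stored-key question raised elsewhere in this thread, as an added CFML example that is not code from any poster here. The names keyFile, encryptCard and decryptCard, the temp-directory key location, the "Hex" encoding and the test card number are assumptions made for illustration.

```cfml
<cfscript>
// Added example, not code from the thread. keyFile, encryptCard, decryptCard
// and the card number are constructed names/values for illustration.

// Assumption: the temp directory stands in for a protected location outside
// the web root and outside the database that holds the ciphertext.
keyFile = getTempDirectory() & "demo-cc.key";

// Generate the key once and persist it. The algorithm is named here the first
// time; 256-bit AES keys need the unlimited-strength JCE policy files discussed
// in the thread (drop the second argument for the 128-bit default).
if (NOT fileExists(keyFile)) {
    fileWrite(keyFile, generateSecretKey("AES", 256));
}
ccKey = trim(fileRead(keyFile)); // Base64 string, identical on every request

function encryptCard(required string plain, required string key) {
    // Argument order: string, key, algorithm, encoding.
    // The algorithm is named a second time here, in the third slot.
    return encrypt(arguments.plain, arguments.key, "AES", "Hex");
}

function decryptCard(required string stored, required string key) {
    // Must use the same key, algorithm and encoding as the encrypt call.
    return decrypt(arguments.stored, arguments.key, "AES", "Hex");
}

testCard  = "4111111111111111";            // constructed test value
stored    = encryptCard(testCard, ccKey);  // value for the database column
roundTrip = decryptCard(stored, ccKey);

// Failure mode 1: a key generated inline is discarded after the call, so the
// stored key cannot recover what it encrypted.
orphaned = encryptCard(testCard, generateSecretKey("AES", 256));
try {
    recoverable = (decryptCard(orphaned, ccKey) EQ testCard);
} catch (any e) {
    recoverable = false; // a wrong key normally fails at the padding check
}

// Failure mode 2: the encoding passed in the algorithm slot, which is the
// call shape that produced the "UU algorithm is not supported" error above.
try {
    encrypt(testCard, ccKey, "UU");
    slotError = "";
} catch (any e) {
    slotError = e.message;
}

writeOutput("Round trip with stored key: " & yesNoFormat(roundTrip EQ testCard) & "<br>");
writeOutput("Inline-key ciphertext recoverable: " & yesNoFormat(recoverable) & "<br>");
writeOutput("Encoding in algorithm slot: " & htmlEditFormat(slotError) & "<br>");
</cfscript>
```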

RE: encrypt / decrypt question

2012-11-09 Thread Eric Bourland

Leigh, I see what you mean, and your recommendation matches the syntax in
the Adobe documentation. But, I think I have accounted for both algorithm
and encoding in my statement below -- have I not?



form.CreditCardNumber   <-string
GenerateSecretKey("AES", 256)<--- key, plus algorithm (AES, 256-bit)
UU <--- encoding

Does the GenerateSecretKey function account for both the key and the
algorithm?

I've been studying the documentation and looking for examples. What am I
missing? Thank you again, folks.

Eric

-Original Message-
From: Leigh [mailto:cfsearch...@yahoo.com] 
Sent: Thursday, November 08, 2012 2:47 PM
To: cf-talk
Subject: RE: encrypt / decrypt question


> Any idea what the "The UU algorithm is not supported" error is about?

You skipped the algorithm again ;-) The third argument is the encryption
algorithm ie "AES". Encoding (ie "UU") is the fourth argument.

  Encrypt(yourString, yourKey, theAlgorithm, theEncoding)

-



Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353101


RE: encrypt / decrypt question

2012-11-08 Thread Leigh

> Any idea what the "The UU algorithm is not supported" error is about?

You skipped the algorithm again ;-) The third argument is the encryption 
algorithm ie "AES". Encoding (ie "UU") is the fourth argument.

  Encrypt(yourString, yourKey, theAlgorithm, theEncoding)

-

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353094


RE: encrypt / decrypt question

2012-11-07 Thread Eric Bourland

OK, I am making progress. And your instructions make sense -- I see where I
am going wrong.

My update statement now is:

CreditCardNumber = ,

When I process the form, I get this error:

"The UU algorithm is not supported by the Security Provider you have
chosen."

I am not sure what that means, and a cursory search on this term did not
inform me of much.

I go back to the documentation:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html

And I see that the encoding attribute is optional. And if I take away the UU
encoding attribute, the error goes away. (I get another error that I think
is not related to encrypt -- I am working on that.)

My other encoding options are hex and Base64.

Any idea what the "The UU algorithm is not supported" error is about?

Thank you again for  your help.

Eric



-Original Message-
From: Pete Freitag [mailto:p...@foundeo.com] 
Sent: Tuesday, November 06, 2012 10:53 AM
To: cf-talk
Subject: Re: encrypt / decrypt question


You left out the algorithm: "AES" in your encrypt() call this time - also
since you have the unlimited strength policy files you might consider
generating a 256 bit key instead of the default 128, by doing:

GenerateSecretKey("AES", 256)

I have not found that I need the unlimited strength jurisdiction policy on
CF9 standard when using the default 128 bit AES encryption, only when going
up to 256 bit keys.

--
Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion
Consulting & Products http://hackmycf.com - Is your ColdFusion Server
Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes




On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland  wrote:

>
> Hi, Wil,
>
> I read up on the generateSecretKey function, both in your very helpful 
> example page, and on adobe:
>
> http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html
>
> I am having a little trouble with syntax. Here is my insert statement:
>   default="">
>
>  CreditCardNumber = 
>  value="#encrypt(form.CreditCardNumber,generateSecretKey(form.AES),"UU")#">,
>
> This insert statement returns the error:
>
> The '' algorithm is not supported by the Security Provider you have
> chosen.
>
> (I am also not clear why the encryption method, AES, needs to be 
> defined in the scope of FORM.)
>
> I was wondering if I could do the generateSecretKey function, and 
> store the result in a variable (as you did, I think, in your example 
> on trunkful.com ).
> But again I get confused. Doesn't the key have to be a constant value? 
> And stored in a constant place? It seems like the generateSecretKey 
> function generates a new key every time the form is processed.
>
> Sorry to drag on with this question. I am still reading up in the 
> documentation to see if I can construct a working insert statement. 
> Thank you all again for your time and advice.
>
> Eric
>
>
>
> -Original Message-
> From: Wil Genovese [mailto:jugg...@trunkful.com]
> Sent: Sunday, November 04, 2012 9:58 PM
> To: cf-talk
> Subject: Re: encrypt / decrypt question
>
>
> Eric,
>
> A while back I was testing all the encryption and decryption types and 
> wrote a short cfm page that let me do the testing. The code there is a 
> good example of how it all works. Instead of trying to write it up and 
> post here I created a very short and sweet blog post about this.
>
>
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>
> I hope this helps.
>
> Wil Genovese
> Sr. Web Application Developer/
> Systems Administrator
> CF Webtools
> www.cfwebtools.com
>
> wilg...@trunkful.com
> www.trunkful.com
>
>
>
>
> 



Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353086


Re: encrypt / decrypt question

2012-11-06 Thread Pete Freitag

You left out the algorithm: "AES" in your encrypt() call this time - also
since you have the unlimited strength policy files you might consider
generating a 256 bit key instead of the default 128, by doing:

GenerateSecretKey("AES", 256)

I have not found that I need the unlimited strength jurisdiction policy on
CF9 standard when using the default 128 bit AES encryption, only when going
up to 256 bit keys.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10
minutes




On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland  wrote:

>
> Hi, Wil,
>
> I read up on the generateSecretKey function, both in your very helpful
> example page, and on adobe:
>
> http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html
>
> I am having a little trouble with syntax. Here is my insert statement:
> 
> 
>
> 
> CreditCardNumber =  value="#encrypt(form.CreditCardNumber,generateSecretKey(form.AES),"UU")#">,
>
> This insert statement returns the error:
>
> The '' algorithm is not supported by the Security Provider you have chosen.
>
> (I am also not clear why the encryption method, AES, needs to be defined in
> the scope of FORM.)
>
> I was wondering if I could do the generateSecretKey function, and store the
> result in a variable (as you did, I think, in your example on trunkful.com
> ).
> But again I get confused. Doesn't the key have to be a constant value? And
> stored in a constant place? It seems like the generateSecretKey function
> generates a new key every time the form is processed.
>
> Sorry to drag on with this question. I am still reading up in the
> documentation to see if I can construct a working insert statement. Thank
> you all again for your time and advice.
>
> Eric
>
>
>
> -Original Message-
> From: Wil Genovese [mailto:jugg...@trunkful.com]
> Sent: Sunday, November 04, 2012 9:58 PM
> To: cf-talk
> Subject: Re: encrypt / decrypt question
>
>
> Eric,
>
> A while back I was testing all the encryption and decryption types and
> wrote
> a short cfm page that let me do the testing. The code there is a good
> example of how it all works. Instead of trying to write it up and post here
> I created a very short and sweet blog post about this.
>
>
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>
> I hope this helps.
>
> Wil Genovese
> Sr. Web Application Developer/
> Systems Administrator
> CF Webtools
> www.cfwebtools.com
>
> wilg...@trunkful.com
> www.trunkful.com
>
>
>
>
> 

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353068


RE: encrypt / decrypt question

2012-11-05 Thread Eric Bourland

Hi, Wil,

I read up on the generateSecretKey function, both in your very helpful
example page, and on adobe:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html

I am having a little trouble with syntax. Here is my insert statement:




CreditCardNumber = ,

This insert statement returns the error:

The '' algorithm is not supported by the Security Provider you have chosen.

(I am also not clear why the encryption method, AES, needs to be defined in
the scope of FORM.)

I was wondering if I could do the generateSecretKey function, and store the
result in a variable (as you did, I think, in your example on trunkful.com).
But again I get confused. Doesn't the key have to be a constant value? And
stored in a constant place? It seems like the generateSecretKey function
generates a new key every time the form is processed.

Sorry to drag on with this question. I am still reading up in the
documentation to see if I can construct a working insert statement. Thank
you all again for your time and advice.

Eric



-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question


Eric,

A while back I was testing all the encryption and decryption types and wrote
a short cfm page that let me do the testing. The code there is a good
example of how it all works. Instead of trying to write it up and post here
I created a very short and sweet blog post about this.

http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

I hope this helps.

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com




Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353067


Re: encrypt / decrypt question

2012-11-04 Thread Wil Genovese

Yes, somewhere in the code you need to do   
generateSecretKey(Form.encryptType);  This is line 44 of the example code in my 
blog post. 



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 10:23 PM, "Eric Bourland"  wrote:

> 
> Making progress on this task. I'm getting an error about decoding. Here is
> my current insert statement:
> 
> CreditCardNumber =  value="#encrypt(form.CreditCardNumber,request.encryptionkey,"AES","UU")#">
> 
> When I submit my update form, I get this error:
> 
> An error occurred while trying to encrypt or decrypt your input string: ''
> Can not decode string "(string value from request.encryption key)"
> 
> So, in application.cfc, I think I need to set up a value for
> #request.encryption# that the AES / UU method is able to decode.
> 
> What do you think is a good way for me to derive a value for
> #request.encryption# that the AES / UU method will understand?
> 
> I hope this question makes sense. Thank you again for your advice.
> 
> Eric
> 
> -Original Message-----
> From: Wil Genovese [mailto:jugg...@trunkful.com] 
> Sent: Sunday, November 04, 2012 9:58 PM
> To: cf-talk
> Subject: Re: encrypt / decrypt question
> 
> 
> Eric,
> 
> A while back I was testing all the encryption and decryption types and wrote
> a short cfm page that let me do the testing. The code there is a good
> example of how it all works. Instead of trying to write it up and post here
> I created a very short and sweet blog post about this.
> 
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
> 
> I hope this helps.
> 
> Wil Genovese
> Sr. Web Application Developer/
> Systems Administrator
> CF Webtools
> www.cfwebtools.com
> 
> wilg...@trunkful.com
> www.trunkful.com
> 
> 
> 
> 
> 

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353059


RE: encrypt / decrypt question

2012-11-04 Thread Eric Bourland

Making progress on this task. I'm getting an error about decoding. Here is
my current insert statement:

CreditCardNumber = 

When I submit my update form, I get this error:

An error occurred while trying to encrypt or decrypt your input string: ''
Can not decode string "(string value from request.encryption key)"

So, in application.cfc, I think I need to set up a value for
#request.encryption# that the AES / UU method is able to decode.

What do you think is a good way for me to derive a value for
#request.encryption# that the AES / UU method will understand?

I hope this question makes sense. Thank you again for your advice.

Eric

-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question


Eric,

A while back I was testing all the encryption and decryption types and wrote
a short cfm page that let me do the testing. The code there is a good
example of how it all works. Instead of trying to write it up and post here
I created a very short and sweet blog post about this.

http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

I hope this helps.

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com




Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353058


RE: encrypt / decrypt question

2012-11-04 Thread Eric Bourland

I put the new JCE JAR files in c:\ColdFusion9\runtime\jre\lib\security\ and
restarted ColdFusion. Nothing exploded. =) Now I will run some tests based
on the code examples that Wil has provided. I will let you know my results.
Thanks very much! Eric

-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Sunday, November 04, 2012 10:43 PM
To: cf-talk
Subject: Re: encrypt / decrypt question


Sure thing.

The best way to know the correct one is to open your jvm.config file in
c:\ColdFusion9\runtime\jre\bin and look at the java path.

From the options you gave below I would guess, based on experience, that
this is the correct folder. c:\ColdFusion9\runtime\jre\lib\security\

For those with Multi-instance installs the paths will be different. For
those that have updated their Java versions the paths may be different.
That's why I say look in your jvm.config file(s). 




Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 9:37 PM, "Eric Bourland"  wrote:

> c:\ColdFusion9\runtime\jre\lib\security\




Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353057


Re: encrypt / decrypt question

2012-11-04 Thread Wil Genovese

Sure thing.

The best way to know the correct one is to open your jvm.config file in
c:\ColdFusion9\runtime\jre\bin and look at the java path.

From the options you gave below I would guess, based on experience, that this
is the correct folder. c:\ColdFusion9\runtime\jre\lib\security\

For those with Multi-instance installs the paths will be different. For those 
that have updated their Java versions the paths may be different. That's why I 
say look in your jvm.config file(s). 




Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 9:37 PM, "Eric Bourland"  wrote:

> c:\ColdFusion9\runtime\jre\lib\security\


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353056


Re: encrypt / decrypt question

2012-11-04 Thread Dave Watts

> I downloaded and unzipped the unlimited strength JCE JAR policy files. No
> problem there. The README says to place the JAR files in the \lib\security\
> folder.
>
> However, there are several  \lib\security\ folders on my server, all under
> the c:\ColdFusion9\ folder. For example:
>
> c:\ColdFusion9\runtime\jre\lib\security\
> c:\ColdFusion9\inbridge\jre\lib\security\
> c:\ColdFusion9\solr\jre\lib\security\
>
> In which of these folders, do you think, I should place these JAR files?

I would think the first one. The other two folders are for separate
JVMs that are used by bundled applications.

> Also, should I turn off the ColdFusion service before I place these files?

I think you'll need to restart CF afterwards, yes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353055


RE: encrypt / decrypt question

2012-11-04 Thread Eric Bourland

Wil,

Thanks very much for this! I will check it out. Presently I am working on
installing the Java Cryptography Extension (JCE) JAR files. Do you have a
moment to consider a question about installation?

I downloaded and unzipped the unlimited strength JCE JAR policy files. No
problem there. The README says to place the JAR files in the \lib\security\
folder.

However, there are several  \lib\security\ folders on my server, all under
the c:\ColdFusion9\ folder. For example:

c:\ColdFusion9\runtime\jre\lib\security\
c:\ColdFusion9\inbridge\jre\lib\security\
c:\ColdFusion9\solr\jre\lib\security\

In which of these folders, do you think, I should place these JAR files?

Also, should I turn off the ColdFusion service before I place these files?

Thank you again.

Best from Eric

-Original Message-
From: Wil Genovese [mailto:jugg...@trunkful.com] 
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question


Eric,

A while back I was testing all the encryption and decryption types and wrote
a short cfm page that let me do the testing. The code there is a good
example of how it all works. Instead of trying to write it up and post here
I created a very short and sweet blog post about this.

http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

I hope this helps.

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com




Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353054


Re: encrypt / decrypt question

2012-11-04 Thread Wil Genovese

Eric,

A while back I was testing all the encryption and decryption types and wrote a 
short cfm page that let me do the testing. The code there is a good example of 
how it all works. Instead of trying to write it up and post here I created a 
very short and sweet blog post about this.

http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

I hope this helps.

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com


Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353053


RE: encrypt / decrypt question

2012-11-04 Thread Eric Bourland

Wil,

>>>Which encryption method are you using?  The stronger ones require that
you also install the Java Cryptography Extension.

Yes, I was reading up on that in the Adobe documentation. OK, I will proceed
to do that. I had read that an encryption method was optional, but I
understand that I should include it.

Assuming I use the encryption method, I am guessing my insert statement
would look something like:

CreditCardNumber = ,
  
And then the decrypt would look like:

Display Decrypted Credit Card Number:
#decrypt(form.CreditCardNumber,request.encryptionkey,"AES","UU")#"


Look ok? Thank you for your advice. =)

Eric

Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 7:32 PM, "Eric Bourland"  wrote:

> 
> Greetings. I have what is probably a very basic question, about which 
> I have done a lot of reading - I still need some help.
> 
> 
> 
> I am trying to use the encrypt function to encrypt a credit card number.
> 
> 
> 
> I am placing the key as a variable in application.cfc, thus:
> 
> 
> 
> 
> 
> 
> 
> To encrypt the credit card number, I use this line in my insert statement:
> 
> 
> 
> CreditCardNumber =  value="#encrypt(form.CreditCardNumber,request.encryptionkey,"AES")#">,
> 
> 
> 
> ColdFusion returns this error: An error occurred while trying to 
> encrypt or decrypt your input string: '' Can not decode string
> "(encryption key)"..
> 
> 
> 
> How would you handle this? I simply want to:
> 
> 
> 
> 1)  Encrypt the credit card number that is placed in the database - so
> that even if someone compromises the database, the data is encrypted
> 
> 2)  Decrypt the credit card number when it is displayed on a secure
> administration page
> 
> 
> 
> Should I not place the 128-bit key in application.cfc - but instead 
> use the generatesecretkey function?
> 
> 
> 
> Thank you for any advice.
> 
> 
> Eric
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353052


Re: encrypt / decrypt question

2012-11-04 Thread Wil Genovese

Which encryption method are you using?  The stronger ones require that you also 
install the Java Cryptography Extension.

http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html


  
Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 7:32 PM, "Eric Bourland"  wrote:

> 
> Greetings. I have what is probably a very basic question, about which I have
> done a lot of reading - I still need some help.
> 
> 
> 
> I am trying to use the encrypt function to encrypt a credit card number.
> 
> 
> 
> I am placing the key as a variable in application.cfc, thus:
> 
> 
> 
> 
> 
> 
> 
> To encrypt the credit card number, I use this line in my insert statement:
> 
> 
> 
> CreditCardNumber =  value="#encrypt(form.CreditCardNumber,request.encryptionkey,"AES")#">,
> 
> 
> 
> ColdFusion returns this error: An error occurred while trying to encrypt or
> decrypt your input string: '' Can not decode string "(encryption key)"..
> 
> 
> 
> How would you handle this? I simply want to:
> 
> 
> 
> 1)  Encrypt the credit card number that is placed in the database - so
> that even if someone compromises the database, the data is encrypted
> 
> 2)  Decrypt the credit card number when it is displayed on a secure
> administration page
> 
> 
> 
> Should I not place the 128-bit key in application.cfc - but instead use the
> generatesecretkey function?
> 
> 
> 
> Thank you for any advice.
> 
> 
> Eric
> 
> 
> 
> ***
> 
> Eric Bourland
> 
> Internet Project Development
> 
> Washington DC
> 
> email:   e...@ebwebwork.com
> 
> web: ebwebwork.com
> 
> mobile: 202-390-0185
> 
> fax: 202-315-5809
> 
> Skype: ericbourland1968
> 
> Yahoo IM: eab_68
> 
> AOL IM: ebwebwork
> 
> ICQ IM: 23780065
> 
> MSN IM: ebwebwork
> 
> Google IM: ebwebwork
> 
> 
> 
> 
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353051


encrypt / decrypt question

2012-11-04 Thread Eric Bourland

Greetings. I have what is probably a very basic question, about which I have
done a lot of reading - I still need some help.

 

I am trying to use the encrypt function to encrypt a credit card number.

 

I am placing the key as a variable in application.cfc, thus:

 



 

To encrypt the credit card number, I use this line in my insert statement:

 

CreditCardNumber = ,

 

ColdFusion returns this error: An error occurred while trying to encrypt or
decrypt your input string: '' Can not decode string "(encryption key)"..

 

How would you handle this? I simply want to:

 

1)  Encrypt the credit card number that is placed in the database - so
that even if someone compromises the database, the data is encrypted

2)  Decrypt the credit card number when it is displayed on a secure
administration page

 

Should I not place the 128-bit key in application.cfc - but instead use the
generatesecretkey function?

 

Thank you for any advice.


Eric

 

***

Eric Bourland

Internet Project Development

Washington DC

email:   e...@ebwebwork.com

web: ebwebwork.com

mobile: 202-390-0185

fax: 202-315-5809

Skype: ericbourland1968

Yahoo IM: eab_68

AOL IM: ebwebwork

ICQ IM: 23780065

MSN IM: ebwebwork

Google IM: ebwebwork

 




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353050


Re: error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Justin Scott

> All I'm doing with it is encrypting the user's ID so they don't
> see "1003" and then try to mess with it and change it to 2003
> or 134567.. all it is is the user's ID encrypted.

Hi Greg, Cameron's advice is a better approach, though if you want to
continue with the URL parameters, I'd suggest using a salted hash
rather than dealing with reversible encryption.  Encryption keys need
to be handled with care as the tiniest bit of change to them will
cause problems.  Trying to pass them around in URLs can be tricky,
though it's possible.  In your first example, I would put the key in
base64 using toBase64() before putting it on the url, then convert it
back using toBinary() on the receiving end rather than using
URLEncode() and relying on the browser to get it right.

As for a hash, you could use one URL parameter consisting of
[member_id];[salted_hash_of_member_id] put into a base64-encoded
string (e.g. .  On the receiving end, convert url.id back to
a string with toString(toBinary(url.id)), parse out the ID,
re-generate a hash using the same salt, and compare the new hash to
the one passed through.  It avoids passing around encryption keys,
hides the value from the user (though they could decode the base64
string if they wanted to), and provides the security you're looking
for since even if they did decode the string and replace the ID, the
salted hash won't match up and it would fail.

Cameron's single-use token suggestion is still better in this case though, imho.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347259
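
Added example, not from the thread: a sketch of the signed-ID link parameter Justin describes above, using hmac() (ColdFusion 10 and later) in place of a plain salted hash(). The function names, the URL-safe Base64 step and the signingKey value are assumptions made for illustration.

```cfml
<cfscript>
// Added example, not code from the thread. All names are illustrative.

// Base64 uses "+", "/" and "=", which links and mail clients can mangle,
// so map them to URL-safe characters before the token goes into a URL.
function toUrlSafe(required string b64) {
    var s = replace(b64, "+", "-", "all");
    s = replace(s, "/", "_", "all");
    return replace(s, "=", "", "all");
}

function fromUrlSafe(required string token) {
    var s = replace(token, "-", "+", "all");
    s = replace(s, "_", "/", "all");
    // Restore the "=" padding that toUrlSafe() removed.
    return s & repeatString("=", (4 - (len(s) mod 4)) mod 4);
}

// Compare two strings without stopping at the first differing byte.
function sameDigest(required string a, required string b) {
    return createObject("java", "java.security.MessageDigest")
        .isEqual(charsetDecode(a, "utf-8"), charsetDecode(b, "utf-8"));
}

// Build "[member_id];[mac]" and encode it for use as url.id.
function signMemberId(required string memberId, required string signingKey) {
    var mac = lCase(hmac(memberId, signingKey, "HmacSHA256", "utf-8"));
    return toUrlSafe(toBase64(memberId & ";" & mac));
}

// Returns the member ID when the token is intact, or "" when it is not.
function verifyMemberId(required string token, required string signingKey) {
    var raw = "";
    try {
        raw = toString(toBinary(fromUrlSafe(token)));
    } catch (any e) {
        return "";                          // not valid Base64
    }
    if (listLen(raw, ";") != 2) {
        return "";                          // wrong shape
    }
    var memberId = listFirst(raw, ";");
    var mac      = listLast(raw, ";");
    if (!reFind("^[0-9]{1,10}$", memberId)) {
        return "";                          // ID must be a plain number
    }
    // Re-generate the MAC with the server-side key and compare.
    var expected = lCase(hmac(memberId, signingKey, "HmacSHA256", "utf-8"));
    return sameDigest(expected, lCase(mac)) ? memberId : "";
}

// Placeholder key: keep the real one on the server, never in the link.
signingKey = "replace-with-a-long-random-server-side-secret";
token      = signMemberId("1003", signingKey);

writeOutput("token: " & token & "<br>");
writeOutput("verified id: [" & verifyMemberId(token, signingKey) & "]<br>");

// The case from the thread: the ID is changed from 1003 to 2003 and the
// string is re-encoded. The MAC no longer matches, so verification fails.
raw    = toString(toBinary(fromUrlSafe(token)));
edited = toUrlSafe(toBase64(replace(raw, "1003", "2003")));
writeOutput("edited id: [" & verifyMemberId(edited, signingKey) & "]<br>");
</cfscript>
```

A token built this way does not expire and can be reused, which is why the thread still prefers a single-use token for password resets.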


Re: error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Greg Morphis

I tried this


with storing the key in the database and I get
An error occurred while trying to encrypt or decrypt your input
string: '' Can not decode string "[my_secret_key]"..

when I take out the "DES" and "Hex" I get a string I can't decode...
something like %' ,(SP<  (with no URL encoding)..





On Tue, Sep 6, 2011 at 9:06 AM, Cameron Childress  wrote:
>
> On Tue, Sep 6, 2011 at 9:53 AM, Greg Morphis  wrote:
>
>> All I'm doing with it is encrypting the user's ID so they don't see
>> "1003" and then try to mess with it and change it to 2003 or 134567..
>> all it is is the user's ID encrypted.
>>
>
> If I am understanding what you are doing, I'd be able to change someone
> else's password if I knew the page to visit.  If you give me a public URL to
> test I can show you how.  :)
>
>
>> I just ran 5 iterations of this and not once did it tell me that one
>> didn't equal the other
>
>
> That may be, but it's not really an accurate representation of what you are
> doing.  If you are sending it via email, I could see it getting double
> URLencoded perhaps...  To simulate your problem, you might try saving the SK
> as a session var too, then going through the entire email process, clicking
> the link in the email, and THEN outputting and comparing the session SK with
> the URL SK values.
>
> I am not sure what the difference would be, but doing that would likely
> expose it to you.
>
> -Cameron
>
> --
> Cameron Childress
> --
> p:   678.637.5072
> im: cameroncf
> facebook  |
> twitter |
> google+ 
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347230


Re: error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Cameron Childress

On Tue, Sep 6, 2011 at 9:53 AM, Greg Morphis  wrote:

> All I'm doing with it is encrypting the user's ID so they don't see
> "1003" and then try to mess with it and change it to 2003 or 134567..
> all it is is the user's ID encrypted.
>

If I am understanding what you are doing, I'd be able to change someone
else's password if I knew the page to visit.  If you give me a public URL to
test I can show you how.  :)


> I just ran 5 iterations of this and not once did it tell me that one
> didn't equal the other


That may be, but it's not really an accurate representation of what you are
doing.  If you are sending it via email, I could see it getting double
URLencoded perhaps...  To simulate your problem, you might try saving the SK
as a session var too, then going through the entire email process, clicking
the link in the email, and THEN outputting and comparing the session SK with
the URL SK values.

I am not sure what the difference would be, but doing that would likely
expose it to you.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook  |
twitter |
google+ 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347229
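
Added example, not from the thread: one way to run the kind of simulation Cameron suggests without the e-mail step, showing why a value that passes through a link can decrypt for most inputs and fail for a few. It uses AES with a generated key over constructed IDs 1000-1199; the helper names and the three transport cases are assumptions for illustration.

```cfml
<cfscript>
// Added example, not code from the thread. Inputs are constructed.
key = generateSecretKey("AES");

// Three ways a value can travel through a link and arrive at the next page.
function transport(required string value, required string mode) {
    switch (mode) {
        case "encodedOnce":
            // urlEncodedFormat() when building the link, one decode on arrival
            return urlDecode(urlEncodedFormat(value));
        case "decodedTwice":
            // an extra urlDecode() applied to a value that was already decoded
            return urlDecode(urlDecode(urlEncodedFormat(value)));
        default:
            // "raw": value placed in the link with no encoding at all
            return urlDecode(value);
    }
}

// True when the plaintext comes back unchanged after the trip.
function survives(required string plain, required string key,
                  required string encoding, required string mode) {
    var sent     = encrypt(plain, key, "AES", encoding);
    var received = transport(sent, mode);
    try {
        return compare(decrypt(received, key, "AES", encoding), plain) eq 0;
    } catch (any e) {
        return false;   // decrypt() rejected the mangled input
    }
}

encodings = ["Base64", "Hex"];
modes     = ["encodedOnce", "decodedTwice", "raw"];

for (e = 1; e lte arrayLen(encodings); e++) {
    for (m = 1; m lte arrayLen(modes); m++) {
        failures = 0;
        for (id = 1000; id lt 1200; id++) {
            if (!survives(id, key, encodings[e], modes[m])) {
                failures = failures + 1;
            }
        }
        writeOutput(encodings[e] & " / " & modes[m] & ": "
            & failures & " of 200 IDs failed<br>");
    }
}
</cfscript>
```

Base64 output contains "+" for only some inputs, and a "+" that gets URL-decoded without having been encoded becomes a space; Hex output contains only 0-9 and A-F, so the extra decode leaves it unchanged.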


Re: error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Greg Morphis

All I'm doing with it is encrypting the user's ID so they don't see
"1003" and then try to mess with it and change it to 2003 or 134567..
all it is is the user's ID encrypted.
Plus


generates a random key every time.

I just ran 5 iterations of this and not once did it tell me that one
didn't equal the other








THIS ONE DIDN'T EQUAL 
o: #original_sk# d: #urldecode(encoded_sk)# 


 







On Tue, Sep 6, 2011 at 8:31 AM, Cameron Childress  wrote:
>
> This smells similar to a problem someone else posted about recently where
> they were using trim() on the key, tampering with it just enough (removing
> meaningful whitespace) to make it no longer work.  URLEncode/Decode may do
> something similar.
>
> However, I would very strongly suggest not sending your encryption key in
> any format to the browser or anyone's email account.  It makes more sense to
> generate a random "one time use token", store that in the DB, then send
> that to the user via email - no crypto needed.  Once the token is used to
> reset the password, remove it from the DB.  Additionally you could time that
> token out after a day (or less) so it can't be floating around out there
> forever.
>
> -Cameron
>
> On Tue, Sep 6, 2011 at 8:59 AM, Greg Morphis  wrote:
>
>> I'm trying to encrypt a string with encrypt and generatesecretkey..
>> I'm passing the string as a URL variable and then trying to decrypt
>> the string. I'm getting errors like
>> *  An error occurred while trying to encrypt or decrypt your input
>> string: Input length must be multiple of 8 when decrypting with padded
>> cipher.
>> *  The key specified is not a valid key for this encryption: Invalid
>> key length: 7 bytes.
>>
>> I'm using it to allow users to reset their passwords.
>> What's weird is that the code works the majority of the time. We only
>> see the error every now and then.
>>
>> What I do is on the forgot page I generate a secret key and then I
>> encrypt the user's ID and then URLEncode them to pass within a link.
>>
>>                
>>                
>>
>>                
>>                
>>
>> The link is sent to the user and the user clicks on it and is taken to
>> the reset page
>>
>> I pass the values in a form
>>        > />
>>        > />
>>
>> And then I decrypt the string so I can find the user's ID:
>> > />
>>
>> So why is this generating an error sometimes?
>
>
> --
> Cameron Childress
> --
> p:   678.637.5072
> im: cameroncf
> facebook  |
> twitter |
> google+ 
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347228


Re: error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Cameron Childress

This smells similar to a problem someone else posted about recently where
they were using trim() on the key, tampering with it just enough (removing
meaningful whitespace) to make it no longer work.  URLEncode/Decode may do
something similar.

However, I would very strongly suggest not sending your encryption key in
any format to the browser or anyone's email account.  It makes more sense to
generate a random "one time use token", store that in the DB, then send
that to the user via email - no crypto needed.  Once the token is used to
reset the password, remove it from the DB.  Additionally you could time that
token out after a day (or less) so it can't be floating around out there
forever.

-Cameron

On Tue, Sep 6, 2011 at 8:59 AM, Greg Morphis  wrote:

> I'm trying to encrypt a string with encrypt and generatesecretkey..
> I'm passing the string as a URL variable and then trying to decrypt
> the string. I'm getting errors like
> *  An error occurred while trying to encrypt or decrypt your input
> string: Input length must be multiple of 8 when decrypting with padded
> cipher.
> *  The key specified is not a valid key for this encryption: Invalid
> key length: 7 bytes.
>
> I'm using it to allow users to reset their passwords.
> What's weird is that the code works the majority of the time. We only
> see the error every now and then.
>
> What I do is on the forgot page I generate a secret key and then I
> encrypt the user's ID and then URLEncode them to pass within a link.
>
>
>
>
>
>
>
> The link is sent to the user and the user clicks on it and is taken to
> the reset page
>
> I pass the values in a form
> />
> />
>
> And then I decrypt the string so I can find the user's ID:
>  />
>
> So why is this generating an error sometimes?


-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf
facebook  |
twitter |
google+ 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347227
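
Added example, not from the thread: a sketch of the single-use reset token Cameron describes above, with a one-day timeout and removal on first use. A struct stands in for the database table, and the function names and record fields are assumptions for illustration.

```cfml
<cfscript>
// Added example, not code from the thread. The struct below stands in for a
// database table (hypothetical columns: token_hash, member_id, expires_at).
resetTokens = {};

// 128 random bits from the JVM key generator, hex-encoded so the value
// contains nothing a URL or mail client will rewrite.
function newRandomToken() {
    var randomBytes = binaryDecode(generateSecretKey("AES", 128), "base64");
    return lCase(binaryEncode(randomBytes, "hex"));
}

// Store only a hash of the token, so a copy of the table does not contain
// usable reset links.
function tokenHash(required string token) {
    return hash(token, "SHA-256", "utf-8");
}

function issueResetToken(required struct store, required string memberId,
                         numeric hoursValid = 24) {
    var token = newRandomToken();
    store[tokenHash(token)] = {
        memberId  = memberId,
        expiresAt = dateAdd("h", hoursValid, now())
    };
    // Only this random value goes into the e-mailed link: no key, no user ID.
    return token;
}

// Returns the member ID on the first valid use, "" on every other attempt.
function redeemResetToken(required struct store, required string token) {
    if (!reFind("^[0-9a-f]{32}$", token)) {
        return "";                      // not a token this code issued
    }
    var lookup = tokenHash(token);
    if (!structKeyExists(store, lookup)) {
        return "";                      // unknown or already used
    }
    var rec = store[lookup];
    // Single use: remove the record before acting on it. With a real table,
    // do the lookup and delete in one transaction.
    structDelete(store, lookup);
    if (dateCompare(now(), rec.expiresAt) gt 0) {
        return "";                      // timed out
    }
    return rec.memberId;
}

// Constructed walk-through.
token = issueResetToken(resetTokens, "1003");
writeOutput("link value: " & token & "<br>");
writeOutput("first use:  [" & redeemResetToken(resetTokens, token) & "]<br>");
writeOutput("second use: [" & redeemResetToken(resetTokens, token) & "]<br>");

// A token issued with a negative lifetime is already past its expiry.
stale = issueResetToken(resetTokens, "1003", -1);
writeOutput("expired:    [" & redeemResetToken(resetTokens, stale) & "]<br>");
</cfscript>
```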


error with encrypt / decrypt and generatesecretkey

2011-09-06 Thread Greg Morphis

I'm trying to encrypt a string with encrypt and generatesecretkey..
I'm passing the string as a URL variable and then trying to decrypt
the string. I'm getting errors like
*  An error occurred while trying to encrypt or decrypt your input
string: Input length must be multiple of 8 when decrypting with padded
cipher.
*  The key specified is not a valid key for this encryption: Invalid
key length: 7 bytes.

I'm using it to allow users to reset their passwords.
What's weird is that the code works the majority of the time. We only
see the error every now and then.

What I do is on the forgot page I generate a secret key and then I
encrypt the user's ID and then URLEncode them to pass within a link.







The link is sent to the user and the user clicks on it and is taken to
the reset page

I pass the values in a form



And then I decrypt the string so I can find the user's ID:


So why is this generating an error sometimes?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:347225


Re: Encrypt/Decrypt

2011-06-17 Thread Justin Scott

> My preferred encryption algorithm is AES, as this is what the
> Government uses to encrypt classified documents. :)

AES with a 256-bit key is authorized for use up to top secret, if
memory serves.  Remember, with any encryption, it's only as safe as
the keys you use which is why key management is seeing a lot more
scrutiny these days from security auditors.  See the FIPS-140-2 guide
for the juicy details on the US government's standards for
cryptography and key management.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345417


Re: Encrypt/Decrypt

2011-06-17 Thread Paul Alkema

My preferred encryption algorithm is AES, as this is what the Government
uses to encrypt classified documents. :)

Paul Alkema
http://paulalkema.com
http://twitter.com/#!/paulalkema


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345416


Re: Encrypt/Decrypt

2011-06-17 Thread Judah McAuley

No, not really as long as you're using a cipher that hasn't been
broken. Encryption uses a special class of functions that are easy to
perform one direction but prohibitively hard to perform the other
direction. For instance, if you take two very large prime numbers and
multiply them together to produce a really big number, that's pretty
easy to do. However, it is really really really difficult to take a
really big number and figure out which two large prime numbers were
used to compose the new number.

You can look up the details of a particular algorithm if you want to
get a better understanding of how it is implemented. There are
differences between public/private key systems, straight up
encryption/decryption with a single key and then one way hashing, but
essentially, if the private key is kept safe, knowing the input text
and the output of the cipher will not generally tell anyone enough to
be able to guess the key.

Cheers,
Judah

On Fri, Jun 17, 2011 at 10:00 AM, Steve Reich  wrote:
>
> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z
> be determined (encrypted or decrypted) without having both x and y?
>
> Example:
>
>  "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx">
> 
>
> if you output variables.value, you get:
>  *<'Y^MZ!]F;*=V@
>
> So... if someone gets my MYPASSWORD and *<'Y^MZ!]F;*=V@, can they figure out
> the value of variables.secretKey?
>
> Thanks,
> Steve


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345412


Re: Encrypt/Decrypt

2011-06-17 Thread Russ Michaels

perhaps I really should say "virtually impossible" just to
be syntactically correct.

On Fri, Jun 17, 2011 at 8:49 PM, Russ Michaels  wrote:

> Technically yes as this is how hackers reverse engineer encryption keys to
> create keygens etc.
> However it does depend on what encryption type you use, some have not yet
> been hacked, so the chances are of course very very minute, and you would
> need to be encrypting something that someone desperately wanted in order for
> them to put the effort in.
>
> This might help
>
> http://en.wikipedia.org/wiki/Blowfish_(cipher)
>
> Russ
>
>
> On Fri, Jun 17, 2011 at 6:00 PM, Steve Reich wrote:
>
>>
>> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can
>> z
>> be determined (encrypted or decrypted) without having both x and y?
>>
>> Example:
>>
>> >
>> "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx">
>> 
>>
>> if you output variables.value, you get:
>>  *<'Y^MZ!]F;*=V@
>>
>> So... if someone gets my MYPASSWORD and *<'Y^MZ!]F;*=V@, can they figure
>> out
>> the value of variables.secretKey?
>>
>> Thanks,
>> Steve
>>
>>
>> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345411


Re: Encrypt/Decrypt

2011-06-17 Thread Russ Michaels

Technically yes as this is how hackers reverse engineer encryption keys to
create keygens etc.
However it does depend on what encryption type you use, some have not yet
been hacked, so the chances are of course very very minute, and you would
need to be encrypting something that someone desperately wanted in order for
them to put the effort in.

This might help

http://en.wikipedia.org/wiki/Blowfish_(cipher)

Russ

On Fri, Jun 17, 2011 at 6:00 PM, Steve Reich wrote:

>
> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z
> be determined (encrypted or decrypted) without having both x and y?
>
> Example:
>
> 
> "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx">
> 
>
> if you output variables.value, you get:
>  *<'Y^MZ!]F;*=V@
>
> So... if someone gets my MYPASSWORD and *<'Y^MZ!]F;*=V@, can they figure
> out
> the value of variables.secretKey?
>
> Thanks,
> Steve
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345410


Encrypt/Decrypt

2011-06-17 Thread Steve Reich

If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z
be determined (encrypted or decrypted) without having both x and y?

Example:




if you output variables.value, you get:
 *<'Y^MZ!]F;*=V@

So... if someone gets my MYPASSWORD and *<'Y^MZ!]F;*=V@, can they figure out
the value of variables.secretKey?

Thanks,
Steve


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345400


Re: Encrypt/Decrypt error

2009-09-02 Thread Azadi Saryev

Hi Les,

fyi, adobe issued CF 8.0.1 cumulative hotfix 3 yesterday (September 1),
which fixes the CFMX_COMPAT bug (among other 20+ bugs).

get the hf here: http://kb2.adobe.com/cps/511/cpsid_51180.html


Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/


On 28/07/2009 03:30, Les Mizzell wrote:
> 
> I'm on CF7.
> 
> Here's my code:
> (in Application.cfc)
> 
> 
> 
> 
> 
> (encrypt)
> encrypt(FORM.password,request.seed,request.algorithm,request.encoding)
> 
> (decrypt)
> decrypt(FORM.password,request.seed,request.algorithm,request.encoding)
> 
> This is my error:
> There has been an error while trying to encrypt or decrypt your input 
> string: The input and output encodings are not same.
> 
> 
> Ideas?
> 
> 

~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325929
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Encrypt/Decrypt error

2009-07-27 Thread Jason Fisher

Your example shows the same input for decrypt as you used for encrypt ... 
hopefully that was just a typo, otherwise it's probably your issue.

> (decrypt)
> decrypt(FORM.password,request.seed,request.algorithm,request.encoding)

In other words, I would expect something more like this:

encPwd = encrypt(FORM.password, request.seed, request.algorithm, request.encoding);

pwd = decrypt(encPwd, request.seed, request.algorithm, request.encoding);

decrypt() is expecting a string which is already encoded with the requested 
algorithm.

Just a thought.

 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325016


Re: Encrypt/Decrypt error

2009-07-27 Thread Kris Jones

If the form.password contains characters that the encryption seed will cause
to result in a string that contains a space or plus-sign, you will have
trouble with the CFMX_COMPAT mode. Suggest going with a different mode.

Cheers,
Kris


> I'm on CF7.
>
> Here's my code:
> (in Application.cfc)
>
> 
> 
> 
>
> (encrypt)
> encrypt(FORM.password,request.seed,request.algorithm,request.encoding)
>
> (decrypt)
> decrypt(FORM.password,request.seed,request.algorithm,request.encoding)
>
> This is my error:
> There has been an error while trying to encrypt or decrypt your input
> string: The input and output encodings are not same.
>
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325015


Encrypt/Decrypt error

2009-07-27 Thread Les Mizzell

I'm on CF7.

Here's my code:
(in Application.cfc)





(encrypt)
encrypt(FORM.password,request.seed,request.algorithm,request.encoding)

(decrypt)
decrypt(FORM.password,request.seed,request.algorithm,request.encoding)

This is my error:
There has been an error while trying to encrypt or decrypt your input 
string: The input and output encodings are not same.


Ideas?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325014


Re: encrypt/decrypt bug

2007-04-27 Thread Dana Kowalski
This is going to sound weird but I've seen two issues nesting a trim() inside 
other functions in the past. When I moved it above the function and cfset to a 
temp it fixed the error. May not apply here but it's only a 15 second test :)

~|
Upgrade to Adobe ColdFusion MX7
The most significant release in over 10 years. Upgrade & see new features.
http://www.adobe.com/products/coldfusion?sdid=RVJR

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276464
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4


Re: encrypt/decrypt bug

2007-04-27 Thread Les Mizzell
Interesting - changing the value of #encCODE# to a longer string seems 
to have fixed the problem.

Haven't tested with every possible combination of letters/numbers on the 
input yet, so ya never know - but it seems to like 2s now. Very odd...


> For this code:
> 
> 
>
> 
> 
> Figure this out. Here's a few tests:
> ---
> Form Entry:            Decrypted output: 
> Form Entry: 2          Decrypted output: =
> form Entry: 22         Decrypted output: 22
> form entry: 3332       Decrypted output: 333=
> form entry: abcdef2    Decrypted output: abcdef2
> form entry: abcdef32   Decrypted output abcdef3=
> form entry: abcdef33   Decrypted output abcdef33
> 
> 
> I can pretty much put anything I want into the form field and it 
> encrypts correctly - UNLESS it ends in a "2". Then it's screwed - 
> sometimes. I can't tell if the problem is on the encrypt or decrypt side 
> either.
> 
> During these tests, the var "encCODE" was kept constant. I haven't tried 
> yet, but wonder if changing it would make a difference. Will try that next.
> 
> Sometimes I'll get a ">" instead of the equal sign. It's ONLY a "2" 
> that does this. WTF?
> 
> Any ideas at all? Is there a patch from the version below to fix this? 
> It's driving myself and a client insane right now!!!
> 
> 
> Level: Enterprise
> Name: ColdFusion Server
> Version 7,0,2,142559
> 
> 

~|
Macromedia ColdFusion MX7
Upgrade to MX7 & experience time-saving features, more productivity.
http://www.adobe.com/products/coldfusion?sdid=RVJW

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276428
Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: encrypt/decrypt bug

2007-04-27 Thread Mike Chabot
Since you are running CFMX 7, you might give the new encryption
methods a try. If you encode using Hex, you should be able to use the
encrypted string directly in a URL without encoding it.

example:


Good luck,
Mike Chabot

On 4/27/07, Kris Jones <[EMAIL PROTECTED]> wrote:
> Hi Les,
>
> I've seen similar behavior most typically when I'm also urlencoding
> the encrypted value. What I figured out was happening is that if
> the encrypted value contained a space, when urlencodedformat() was run
> on it, the space would get converted to "%20" as expected. However,
> when it was decoded, the spaces were converted to "+" instead of a
> space, then the decrypt would not function properly. In my situation
> that either resulted in strange characters being added or usually
> resulting in a null pointer reference error. Also, this was under
> CFMX6.1.
>
> Cheers,
> Kris
>
>
> On 4/27/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
> > This is driving me crazy!!
> >
> > For this code:
> >
> > 
> >
> > 
> >
> > Figure this out. Here are a few tests:
> > ---
> > Form Entry:           Decrypted output:
> > Form Entry: 2         Decrypted output: =
> > form Entry: 22        Decrypted output: 22
> > form entry: 3332      Decrypted output: 333=
> > form entry: abcdef2   Decrypted output: abcdef2
> > form entry: abcdef32  Decrypted output: abcdef3=
> > form entry: abcdef33  Decrypted output: abcdef33
> >
> >
> > I can pretty much put anything I want into the form field and it
> > encrypts correctly - UNLESS it ends in a "2". Then it's screwed -
> > sometimes. I can't tell if the problem is on the encrypt or decrypt side
> > either.
> >
> > During these tests, the var "encCODE" was kept constant. I haven't tried
> > yet, but wonder if changing it would make a difference. Will try that next.
> >
> > Sometimes I'll get a ">" instead of the equal sign. It's ONLY a "2"
> > that does this. WTF?
> >
> > Any ideas at all? Is there a patch from the version below to fix this?
> > It's driving myself and a client insane right now!!!
> >
> >
> > Level: Enterprise
> > Name: ColdFusion Server
> > Version 7,0,2,142559
> >
> >
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276421


Re: encrypt/decrypt bug

2007-04-27 Thread Kris Jones
Hi Les,

I've seen similar behavior most typically when I'm also urlencoding
the encrypted value. What I figured out was happening is that if
the encrypted value contained a space, when urlencodedformat() was run
on it, the space would get converted to "%20" as expected. However,
when it was decoded, the spaces were converted to "+" instead of a
space, then the decrypt would not function properly. In my situation
that either resulted in strange characters being added or usually
resulting in a null pointer reference error. Also, this was under
CFMX6.1.

Cheers,
Kris


On 4/27/07, Les Mizzell <[EMAIL PROTECTED]> wrote:
> This is driving me crazy!!
>
> For this code:
>
> 
>
> 
>
> Figure this out. Here are a few tests:
> ---
> Form Entry:           Decrypted output:
> Form Entry: 2         Decrypted output: =
> form Entry: 22        Decrypted output: 22
> form entry: 3332      Decrypted output: 333=
> form entry: abcdef2   Decrypted output: abcdef2
> form entry: abcdef32  Decrypted output: abcdef3=
> form entry: abcdef33  Decrypted output: abcdef33
>
>
> I can pretty much put anything I want into the form field and it
> encrypts correctly - UNLESS it ends in a "2". Then it's screwed -
> sometimes. I can't tell if the problem is on the encrypt or decrypt side
> either.
>
> During these tests, the var "encCODE" was kept constant. I haven't tried
> yet, but wonder if changing it would make a difference. Will try that next.
>
> Sometimes I'll get a ">" instead of the equal sign. It's ONLY a "2"
> that does this. WTF?
>
> Any ideas at all? Is there a patch from the version below to fix this?
> It's driving myself and a client insane right now!!!
>
>
> Level: Enterprise
> Name: ColdFusion Server
> Version 7,0,2,142559
>
> 

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276414


RE: encrypt/decrypt bug

2007-04-27 Thread Rob O'Brien
Could you post the entire encrypt/decrypt code snip?

-Original Message-
From: Les Mizzell [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 27, 2007 11:45 AM
To: CF-Talk
Subject: encrypt/decrypt bug

This is driving me crazy!!

For this code:


   


Figure this out. Here are a few tests:
---
Form Entry:           Decrypted output:
Form Entry: 2         Decrypted output: =
form Entry: 22        Decrypted output: 22
form entry: 3332      Decrypted output: 333=
form entry: abcdef2   Decrypted output: abcdef2
form entry: abcdef32  Decrypted output: abcdef3=
form entry: abcdef33  Decrypted output: abcdef33


I can pretty much put anything I want into the form field and it 
encrypts correctly - UNLESS it ends in a "2". Then it's screwed - 
sometimes. I can't tell if the problem is on the encrypt or decrypt side 
either.

During these tests, the var "encCODE" was kept constant. I haven't tried 
yet, but wonder if changing it would make a difference. Will try that next.

Sometimes I'll get a ">" instead of the equal sign. It's ONLY a "2" 
that does this. WTF?

Any ideas at all? Is there a patch from the version below to fix this? 
It's driving myself and a client insane right now!!!


Level: Enterprise
Name: ColdFusion Server
Version 7,0,2,142559



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276409


Re: cf encrypt/decrypt

2006-12-06 Thread Tom Chiverton
On Wednesday 06 December 2006 14:10, rick kennerly wrote:
> > Define segregate.
> I usually restrict access to those pages based on account level.  Is there
> a better way?

You mean building role-based access into an app?
Perfectly normal.

-- 
Tom Chiverton
Helping to synergistically synergize world-class content



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at St 
James's Court Brown Street Manchester M2 2JF.  A list of members is available 
for inspection at the registered office. Any reference to a partner in relation 
to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law 
Society.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged.  If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents.  If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 8008.

For more information about Halliwells LLP visit www.halliwells.com.


Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:263035


Re: cf encrypt/decrypt

2006-12-06 Thread rick kennerly
 
> Define segregate.
> 

I usually restrict access to those pages based on account level.  Is there a 
better way?

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:263017


Re: cf encrypt/decrypt

2006-12-06 Thread Tom Chiverton
On Wednesday 06 December 2006 11:26, rick kennerly wrote:
> What I envision is being able to encrypt/decrypt on the fly specific fields
> (dob, ssn, etc) in a form but not the entire form and then segregate the

Define segregate.

> pages that do the decryption (it's really an intranet backend project).  Is
> this a good scheme?  How does this affect performance?

The encrypt/decrypt functions are fast enough not to worry about them.

-- 
Tom Chiverton
Helping to preemptively lead world-class methodologies



Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:263002


cf encrypt/decrypt

2006-12-06 Thread rick kennerly
I've been away from cf for awhile working in an asp shop.  However, the legal 
people are getting really hinky about privacy concerns (about time!). And I see 
an opportunity to bring CF into the shop because of its native handling of 
encryption and decryption.  However, I have no experience with it.  

What I envision is being able to encrypt/decrypt on the fly specific fields 
(dob, ssn, etc) in a form but not the entire form and then segregate the pages 
that do the decryption (it's really an intranet backend project).  Is this a 
good scheme?  How does this affect performance?  

Is there a good tutorial someone can recommend on cf encrypt?  Any 
recommendations welcome.  

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:262996


RE: Encrypt Decrypt

2006-01-27 Thread PINE Phyo Z
Hi Larry,
 

 Your immediate problem can be solved by escaping it (##) AND assigning
it to another variable. Use this:


#Decrypt(encryptString,"7xxT533zrt3d9in")#

I have tried and it worked. But just a suggestion, you might want to
work with "GenerateSecretKey" or "hash". (For more info, consult the
livedocs).

Thanks & Regards,

Phyo Pine
Information Systems Specialist
DMV - ODOT

-Original Message-
From: Stephens, Larry V [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 27, 2006 1:51 PM
To: CF-Talk
Subject: Encrypt Decrypt


I'm using a simple encrypt statement to store info:

#Encrypt(SESSION.Customer.xxx, GetX.Item)#',

(this is from my INSERT statement) GetX.Item is the key loaded from a
table.

(I don't profess to be an expert in encryption (obviously) but, other
than being a little obtuse in the code, I don't know how to hide the key
any better on a server I don't control. I'm certainly open to
suggestion.)

Hiding the key aside, my decryption routine looks like (I'm moving it to
another table that is secure):

FieldX = '#Decrypt(FieldSaved, GetX.Item)#',


where aaa is the data retrieved from the table and GetX.Item is the same
key.

And it works, (e.g., decrypting 0&Z[ STK6_,;)*!I+!/  )until the
encrypted data looks like

3&JG$P5[0]<;!/QM#!O

So, I played with it a bit and it became obvious that the problem is the
# imbedded in the encrypted data.

What now? I can't escape it (##) because that throws an error, too.

To illustrate what seems to be happening:





#x#   
#Decrypt(x,"7xxT533zrt3d9in")#

 



Larry Stephens
[EMAIL PROTECTED]



Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230637


Encrypt Decrypt

2006-01-27 Thread Stephens, Larry V
I'm using a simple encrypt statement to store info:

#Encrypt(SESSION.Customer.xxx, GetX.Item)#',

(this is from my INSERT statement) GetX.Item is the key loaded from a
table.

(I don't profess to be an expert in encryption (obviously) but, other
than being a little obtuse in the code, I don't know how to hide the key
any better on a server I don't control. I'm certainly open to
suggestion.)

Hiding the key aside, my decryption routine looks like (I'm moving it to
another table that is secure):

FieldX = '#Decrypt(FieldSaved, GetX.Item)#',


where aaa is the data retrieved from the table and GetX.Item is the same
key.

And it works, (e.g., decrypting 0&Z[ STK6_,;)*!I+!/  )until the
encrypted data looks like

3&JG$P5[0]<;!/QM#!O

So, I played with it a bit and it became obvious that the problem is the
# imbedded in the encrypted data.

What now? I can't escape it (##) because that throws an error, too.

To illustrate what seems to be happening:





#x#   
#Decrypt(x,"7xxT533zrt3d9in")#






Larry Stephens
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230634


RE: Weird Encrypt/Decrypt problem!

2005-09-27 Thread Andy McShane
Thanks all for your help so far. Now I have been looking at the
documentation for encrypt/decrypt and I would like to use one of the more
secure encryption algorithms, such as BLOWFISH or DES. I notice that the
more secure algorithms use the function GenerateSecretKey. Now does this mean
that when the text is encrypted it is a one way process? I assume that the
GenerateSecretKey function will always return a different key so does this
mean that I cannot then decrypt my data when I retrieve it from the
database? I am getting somewhat confused here. :-(


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219323


Re: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Rupesh Kumar
It's actually not a bug. The encrypted string that is generated is 
"*5)V%5*.Z59RR$ " with a space at the end. When you decrypt the string, if you 
use the same string it will work as it should. In your case, the string was 
trimmed and hence this behaviour. 
You can verify this using this code snippet.



foo is '#foo#'
bar is #bar#

By default encrypt uses UU-encoding to encode the encrypted data. So to ensure 
that there are no trailing spaces, you should use Base-64 encoding. You can 
specify that in the Encrypt/Decrypt function.

The other solution is to base-64 encode the data you get after encrypt and persist. 
And when you retrieve it from the DB, base-64 decode and then pass it to decrypt.

Thanks
Rupesh.
>Whoa. So weird I also tested here, and the encoded "johnmurray" was 
>decoded to "johnmurrax"! It's not with all 10 charcs. string, by the way.
>
>I think this is a CF default algorithm (CFMX_COMPAT, which is compatible 
>to earlier versions of CF) implementation bug.
>
>You should use a more secure and standard algorithm, like TripleDES. 
>Check out the Encrypt() documentation.
>
>--
>Fabio Terracini
>
>
>
>
>Andy Mcshane wrote:
>
>>

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219276
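The trimming problem and the Base64/Hex suggestions made in this thread, as an added example that is not part of any post. It is Python rather than CFML and models only the text-encoding layer (no ColdFusion cipher is involved); the ten sample bytes come from UU-decoding the "*5)V%5*.Z59RR$ " value quoted in the thread, and the function names are hypothetical.

```python
"""Which text encodings of ciphertext survive a whitespace trim or a URL round trip."""
import base64
import binascii
import string
from urllib.parse import unquote_plus

# Ten bytes obtained by UU-decoding the value quoted in the thread,
# "*5)V%5*.Z59RR$ " (trailing space included). Sample input only.
SAMPLE_CIPHERTEXT = bytes.fromhex("549D8554A3BA559CB210")

# RFC 3986 "unreserved" characters: usable in a URL without percent-encoding.
URL_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def uu_line(data: bytes) -> str:
    """UU-encode one line: a length character, then one character per 6 bits.

    Assumption: only the characters that carry data are emitted, which is the
    shape of the 15-character value in the thread. A zero group becomes " ".
    """
    if len(data) > 45:
        raise ValueError("a UU line holds at most 45 bytes")
    needed = (len(data) * 8 + 5) // 6
    return binascii.b2a_uu(data).decode("ascii")[: 1 + needed]


def uu_decode_strict(line: str) -> bytes:
    """Decode one UU line, refusing input shorter than its length character says."""
    if not line:
        raise ValueError("empty UU line")
    size = (ord(line[0]) - 32) & 0x3F
    needed = (size * 8 + 5) // 6
    groups = [(ord(ch) - 32) & 0x3F for ch in line[1:]]
    if len(groups) < needed:
        raise ValueError(f"truncated UU line: {len(groups)} of {needed} characters")
    groups += [0] * (-len(groups) % 4)  # pad to whole 4-character groups
    out = bytearray()
    for i in range(0, len(groups), 4):
        a, b, c, d = groups[i:i + 4]
        out += bytes(((a << 2) | (b >> 4),
                      ((b & 0xF) << 4) | (c >> 2),
                      ((c & 0x3) << 6) | d))
    return bytes(out[:size])


def storage_report(ciphertext: bytes) -> dict:
    """For each encoding, report whether the text survives common handling."""
    encoded = {
        "UU": uu_line(ciphertext),
        "Base64": base64.b64encode(ciphertext).decode("ascii"),
        "Hex": ciphertext.hex().upper(),
    }
    return {
        name: {
            "encoded": text,
            # False when a trim() call or a trimming column type changes it.
            "survives_trim": text.strip() == text,
            # True when every character may appear in a URL as-is.
            "url_safe": set(text) <= URL_UNRESERVED,
            # False when form decoding ("+" to space, %XX to a byte) changes it.
            "survives_form_decode": unquote_plus(text) == text,
        }
        for name, text in encoded.items()
    }


if __name__ == "__main__":
    for name, row in storage_report(SAMPLE_CIPHERTEXT).items():
        print(f"{name:7}{row['encoded']!r:24} trim-safe={row['survives_trim']} "
              f"url-safe={row['url_safe']}")
    try:
        uu_decode_strict(uu_line(SAMPLE_CIPHERTEXT).strip())
    except ValueError as err:
        print("trimmed UU value rejected:", err)
```

Only the Hex form passes every check for the sample bytes; Base64 survives trimming but still needs URL encoding because of "=", "/" and "+".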


Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)

2005-09-26 Thread Fabio Terracini
>There is no bug in encrypt/decrypt, the problem is that in that 
>instance, the encrypt result contains a space at the end.
>  
>
Yeah. It's true. I totally missed that! No bug at all! :-)

[]s
Fabio Terracini





Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219275


Re: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Matt Robertson
Those 'undocumented' functions have been documented for some time in
various places, including houseoffusion.com.  There has been plenty of
discussion of them over the years.

The trouble with them is they are not guaranteed to be there in future
versions, and if they do remain their behavior is in no way guaranteed
to stay the same.  Better IMHO to work with the published language
than to rely on stuff like this.

Are they still in CFMX7 or were they finally removed?

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219274


RE: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Andy Matthews
OR...I found a useful, hidden function in the guts of the cfadmin itself.
The encrypt function returns JUST an alphanumeric string, instead of with
punctuation and other chars.







encrypt: #encrypt#
decrypt: #decrypt#




-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:30 PM
To: CF-Talk
Subject: Re: Weird Encrypt/Decrypt problem!


The pre CF7 encrypt() function does not create dbsafe strings. You have to
take it a further step for that: Wrap the string in toBase64() before you
store the data. IIRC (it's been a while) you use tostring() when decrypting.
 I think the new algorithm options in cfencrypt()/cfdecrypt() could be
enough features to upgrade right then and there.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com <http://mysecretbase.com>




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219273


Re: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Matt Robertson
Whoops, it's not tostring that takes something out of base64. It's decode().

I have a template that I built up years ago from the CF example that
displays a bunch of different ways to skin this cat.  You can pick it
apart to bulletproof your use of CF encryption.




Encrypt Example
Encrypt Example
This function allows for the encryption and decryption of a
string. Try it out by entering your own string and a key of your
own choosing and seeing the results.















The string: #string#
The key: #key#
Encrypted in normal format: #encrypted#
Encrypted in URLEncodedFormat: #urlencrypted#
Encrypted in Base64 format: #base64encrypted#
Encrypted in UrlEncoded Base64 format: 
#urlbase64encrypted#

Decrypted from normal format: #decrypted#
Decrypted from UrlEncoded format: #urldecrypted#
Decrypted from Base64 format: #dbsafedecrypted#
Decrypted from UrlEncoded Base64 format: 
#urldbsafedecrypted#


Input your key:

Input your string to be encrypted:
#form.myString#
Here's an html link with the base64 urlencoded string:
Click
Here
Here's another UUID: #variables.TempString#



Input your key:

Input your string to be encrypted (this is a UUID):
#variables.MyString#
Here's another UUID: #variables.TempString#




Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219271


Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)

2005-09-26 Thread Matt Robertson
and that trailing space is being trimmed out by the db. Sooner or later
you would have other issues even if you work around this one somehow. See my
post on this in the other thread. It's an easy fix but you won't make the
'classic' CF algorithm any more secure.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219269


Re: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Matt Robertson
The pre CF7 encrypt() function does not create dbsafe strings. You have to
take it a further step for that: Wrap the string in toBase64() before you
store the data. IIRC (it's been a while) you use tostring() when decrypting.
 I think the new algorithm options in cfencrypt()/cfdecrypt() could be
enough features to upgrade right then and there.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com 


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219268


Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)

2005-09-26 Thread Barney Boisvert
Does your database itself provide encrypted storage?  That'd certainly
be easier if it does.

On a different topic, executing the code you listed demonstrated the
error with 'y' becoming 'x', but if the decrypt operation is changed
to use the foo variable directly, the proper result is returned.  The
difference is that the encrypted string has a trailing space that
you're truncating.  So you're not actually decrypting the right
encrypted value, which is why you're getting the invalid result.

cheers,
barneyb

On 9/26/05, Andy Mcshane <[EMAIL PROTECTED]> wrote:
> OK, follow up to this, can anybody suggest ways that they currently 
> encrypt/decrypt sensitive data? I need to encrypt the data to save into the 
> database and then at a later date retrieve that data, decrypt it and let the 
> user edit it. I have looked at using the various algorithms excluding 
> CFMX_COMPAT but I notice that uses the GenerateSecretKey function. I am 
> assuming that the key that is generated is different every time therefore 
> once I have encrypted the data, if I do not save the original key then when I 
> come to decrypt the data it will use a different key and so fail? Or am I 
> completely wrong here?
>
>
> > Hi all, I am trying to store specific data into a database in an
> > encrypted format. This data also has to be decrypted so as to be
> > displayed and edited onscreen therefore ruling out using the hash
> > function. The problem that I am having is on the decrypt.
> >
> > Example:
> >
> > 
> >
> > foo then equals "*5)V%5*.Z59RR$"
> >
> > I save this text to the database. An unusual thing happens when I try
> > to decrypt this text as follows;
> >
> > 
> >
> > foo then equals "johnmurrax"
> >
> > as you can see the 'y' has become an 'x'.
> >
> > Now here is the strange thing,
> >
> >  - with an extra space
> > at the end of johnmurray everything encrypts/decrypts correctly using
> > an 11 character string.
> >
> > also
> >
> >  - if I make it only 9
> > characters then this also encrypts/decrypts correctly.
> >
> > It seems to only happen with 10 letter strings?
> >
> > This is on Coldfusion 7, using a SQL database. I have tried
> > URLEncodedFormat before saving to the database and then using
> > URLDecode after retrieving. As this text is defined by the user then
> > I cannot simply say that there can be no 10 character strings so has
> > anyone ever come across this?
> >
> > Does anyone have any better encryption ideas I could use? This is a
> > really annoying little quirk as to why it only seems to affect 10
> > character strings, weird huh?
>
>

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/

Got Gmail? I have 100 invites.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219262


Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)

2005-09-26 Thread Claude Schneegans
There is no bug in encrypt/decrypt, the problem is that in that 
instance, the encrypt result contains a space at the end.
As you can see with the following code, the key is not "*5)V%5*.Z59RR$", 
but "*5)V%5*.Z59RR$ "


[#htmlEditFormat(foo)#],
#decrypt(foo, "wibble")#,
#decrypt("*5)V%5*.Z59RR$", "wibble")#
#decrypt("*5)V%5*.Z59RR$ ", "wibble")#


Then you have to make sure the value will not be trimmed at any step.
I can also foresee some potential problem when the encrypted key 
contains quotes, single or double.

-- 
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.


Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219261


Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)

2005-09-26 Thread Andy Mcshane
OK, follow up to this, can anybody suggest ways that they currently 
encrypt/decrypt sensitive data? I need to encrypt the data to save into the 
database and then at a later date retrieve that data, decrypt it and let the 
user edit it. I have looked at using the various algorithms excluding 
CFMX_COMPAT but I notice that uses the GenerateSecretKey function. I am 
assuming that the key that is generated is different every time therefore once 
I have encrypted the data, if I do not save the original key then when I come 
to decrypt the data it will use a different key and so fail? Or am I completely 
wrong here?


> Hi all, I am trying to store specific data into a database in an 
> encrypted format. This data also has to be decrypted so as to be 
> displayed and edited onscreen therefore ruling out using the hash 
> function. The problem that I am having is on the decrypt.
> 
> Example:
> 
> 
> 
> foo then equals "*5)V%5*.Z59RR$"
> 
> I save this text to the database. An unusual thing happens when I try 
> to decrypt this text as follows;
> 
> 
> 
> foo then equals "johnmurrax"
> 
> as you can see the 'y' has become an 'x'.
> 
> Now here is the strange thing, 
> 
>  - with an extra space 
> at the end of johnmurray everything encrypts/decrypts correctly using 
> an 11 character string.
> 
> also 
> 
>  - if I make it only 9 
> characters then this also encrypts/decrypts correctly.
> 
> It seems to only happen with 10 letter strings?
> 
> This is on Coldfusion 7, using a SQL database. I have tried 
> URLEncodedFormat before saving to the database and then using 
> URLDecode after retrieving. As this text is defined by the user then 
> I cannot simply say that there can be no 10 character strings so has 
> anyone ever come across this?
> 
> Does anyone have any better encryption ideas I could use? This is a 
> really annoying little quirk as to why it only seems to affect 10 
> character strings, weird huh?
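
On the key question in the follow-up above, an added sketch that is not code from the thread: GenerateSecretKey() does return a new random key on every call, so the key is created once, kept outside the database, and reused for every Encrypt() and Decrypt(). The key file path and function names are assumptions, and the AES/CBC algorithm string assumes ColdFusion 8 or later.

```cfml
<!--- Added example. The key file path is hypothetical: it should sit outside
      the web root and outside the database that holds the encrypted rows. --->
<cfset keyFile = "/opt/app-secrets/field.key">

<!--- Create the key once. Calling GenerateSecretKey() per request would
      produce a new key each time and leave older rows undecryptable. --->
<cflock name="fieldKeyInit" type="exclusive" timeout="10">
    <cfif NOT FileExists(keyFile)>
        <cffile action="write" file="#keyFile#"
                output="#GenerateSecretKey('AES')#" addnewline="no">
    </cfif>
    <cffile action="read" file="#keyFile#" variable="fieldKey">
</cflock>
<cfset fieldKey = Trim(fieldKey)>

<cffunction name="encryptField" returntype="string" output="false">
    <cfargument name="plain" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <!--- Base64 output holds only letters, digits, "+", "/" and "=", so it
          stores cleanly in a varchar column. With no IV argument ColdFusion
          generates a random IV per call and keeps it with the ciphertext, so
          the same plaintext encrypts to a different value each time. --->
    <cfreturn Encrypt(arguments.plain, arguments.key, "AES/CBC/PKCS5Padding", "Base64")>
</cffunction>

<cffunction name="decryptField" returntype="string" output="false">
    <cfargument name="stored" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <cfreturn Decrypt(arguments.stored, arguments.key, "AES/CBC/PKCS5Padding", "Base64")>
</cffunction>

<!--- Sample value taken from the thread's own test string. --->
<cfset stored = encryptField("johnmurray", fieldKey)>
<cfset roundTrip = decryptField(stored, fieldKey)>
<cfset sameText = (Compare(roundTrip, "johnmurray") EQ 0)>

<cfoutput>
Stored value (#Len(stored)# chars): #HTMLEditFormat(stored)#<br>
Decrypted: #HTMLEditFormat(roundTrip)#<br>
Round trip OK: #YesNoFormat(sameText)#
</cfoutput>
```

The stored value is longer than the 10-character input, so the column has to be sized for the encoded ciphertext rather than for the plaintext.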



RE: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Andy McShane
I am glad at least that somebody else has managed to replicate it and I am
not going mad! Probably just my luck that it only affected the 10 character
strings that I tried. I will have to look into a more robust encryption
method.

-Original Message-
From: Fabio Terracini [mailto:[EMAIL PROTECTED] 
Sent: 26 September 2005 14:45
To: CF-Talk
Subject: Re: Weird Encrypt/Decrypt problem!

Whoa. So weird I also tested here, and the encoded "johnmurray" was 
decoded to "johnmurrax"! It's not with all 10 charcs. string, by the way.

I think this is a CF default algorithm (CFMX_COMPAT, which is compatible 
to earlier versions of CF) implementation bug.

You should use a more secure and standard algorithm, like TripleDES. 
Check out the Encrypt() documentation.

--
Fabio Terracini




Andy Mcshane wrote:

>Hi all, I am trying to store specific data into a database in an encrypted
>format. This data also has to be decrypted so as to be displayed and edited
>onscreen therefore ruling out using the hash function. The problem that I am
>having is on the decrypt.
>
>Example:
>
>
>
>foo then equals "*5)V%5*.Z59RR$"
>
>I save this text to the database. An unusual thing happens when I try to
>decrypt this text as follows;
>
>
>
>foo then equals "johnmurrax"
>
>as you can see the 'y' has become an 'x'.
>
>Now here is the strange thing, 
>
> - with an extra space at the
>end of johnmurray everything encrypts/decrypts correctly using an 11
>character string.
>
>also 
>
> - if I make it only 9
>characters then this also encrypts/decrypts correctly.
>
>It seems to only happen with 10 letter strings?
>
>This is on Coldfusion 7, using a SQL database. I have tried
>URLEncodedFormat before saving to the database and then using URLDecode
>after retrieving. As this text is defined by the user then I cannot simply
>say that there can be no 10 character strings so has anyone ever come across
>this?
>
>Does anyone have any better encryption ideas I could use? This is a really
>annoying little quirk as to why it only seems to affect 10 character
>strings, weird huh?
>
>





Re: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Fabio Terracini
Whoa. So weird I also tested here, and the encoded "johnmurray" was 
decoded to "johnmurrax"! It's not with all 10 charcs. string, by the way.

I think this is a CF default algorithm (CFMX_COMPAT, which is compatible 
to earlier versions of CF) implementation bug.

You should use a more secure and standard algorithm, like TripleDES. 
Check out the Encrypt() documentation.

--
Fabio Terracini




Andy Mcshane wrote:

>Hi all, I am trying to store specific data into a database in an encrypted 
>format. This data also has to be decrypted so as to be displayed and edited 
>onscreen therefore ruling out using the hash function. The problem that I am 
>having is on the decrypt.
>
>Example:
>
>
>
>foo then equals "*5)V%5*.Z59RR$"
>
>I save this text to the database. An unusual thing happens when I try to 
>decrypt this text as follows;
>
>
>
>foo then equals "johnmurrax"
>
>as you can see the 'y' has become an 'x'.
>
>Now here is the strange thing, 
>
> - with an extra space at the 
>end of johnmurray everything encrypts/decrypts correctly using an 11 character 
>string.
>
>also 
>
> - if I make it only 9 characters 
>then this also encrypts/decrypts correctly.
>
>It seems to only happen with 10 letter strings?
>
>This is on Coldfusion 7, using a SQL database. I have tried URLEncodedFormat 
>before saving to the database and then using URLDecode after retrieving. As 
>this text is defined by the user then I cannot simply say that there can be no 
>10 character strings so has anyone ever come across this?
>
>Does anyone have any better encryption ideas I could use? This is a really 
>annoying little quirk as to why it only seems to affect 10 character strings, 
>weird huh?
>
>



RE: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Andy McShane
Checked that, both the variable in my stored procedure and the column in my
DB table are set to nvarchar(100). I did originally think that this may be
it but when I tried different length strings, strings that were longer &
shorter than 10 characters worked fine, that is what is so weird. If you use
my example data you can easily replicate the issue.


-Original Message-
From: Tangorre, Michael [mailto:[EMAIL PROTECTED] 
Sent: 26 September 2005 12:57
To: CF-Talk
Subject: RE: Weird Encrypt/Decrypt problem!

> From: Andy Mcshane [mailto:[EMAIL PROTECTED] 
> This is on Coldfusion 7, using a SQL database. I have tried 
> URLEncodedFormat before saving to the database and then using 
> URLDecode after retrieving. As this text is defined by the 
> user then I cannot simply say that there can be no 10 
> character strings so has anyone ever come across this?
> Does anyone have any better encryption ideas I could use? 
> This is a really annoying little quirk as to why it only 
> seems to affect 10 character strings, weird huh?

Check to ensure that the length of the column in your database is large
enough to hold the encrypted string since the length of the encrypted
string does not always equal the length of the original string.

HTH,

Mike





RE: Weird Encrypt/Decrypt problem!

2005-09-26 Thread Tangorre, Michael
> From: Andy Mcshane [mailto:[EMAIL PROTECTED] 
> This is on Coldfusion 7, using a SQL database. I have tried 
> URLEncodedFormat before saving to the database and then using 
> URLDecode after retrieving. As this text is defined by the 
> user then I cannot simply say that there can be no 10 
> character strings so has anyone ever come across this?
> Does anyone have any better encryption ideas I could use? 
> This is a really annoying little quirk as to why it only 
> seems to affect 10 character strings, weird huh?

Check to ensure that the length of the column in your database is large
enough to hold the encrypted string since the length of the encrypted
string does not always equal the length of the original string.

HTH,

Mike



Weird Encrypt/Decrypt problem!

2005-09-26 Thread Andy Mcshane
Hi all, I am trying to store specific data into a database in an encrypted 
format. This data also has to be decrypted so as to be displayed and edited 
onscreen therefore ruling out using the hash function. The problem that I am 
having is on the decrypt.

Example:



foo then equals "*5)V%5*.Z59RR$"

I save this text to the database. An unusual thing happens when I try to 
decrypt this text as follows;



foo then equals "johnmurrax"

as you can see the 'y' has become an 'x'.

Now here is the strange thing, 

 - with an extra space at the end 
of johnmurray everything encrypts/decrypts correctly using an 11 character 
string.

also 

 - if I make it only 9 characters 
then this also encrypts/decrypts correctly.

It seems to only happen with 10 letter strings?

This is on Coldfusion 7, using a SQL database. I have tried URLEncodedFormat 
before saving to the database and then using URLDecode after retrieving. As 
this text is defined by the user then I cannot simply say that there can be no 
10 character strings so has anyone ever come across this?

Does anyone have any better encryption ideas I could use? This is a really 
annoying little quirk as to why it only seems to affect 10 character strings, 
weird huh?



Re: Encrypt Decrypt?

2004-10-04 Thread Nick Baker
Jochem,

Still with your code there is apparently some part of the code in the 
variable "encrypted" that confuses Cold Fusion. It appears that CF is 
interpreting something in the code as a tag ending.

Thanks,

Nick

At 12:55 PM 10/3/2004, you wrote:
>Nick Baker wrote:
> > We need to Encrypt and email private info. Then using the same key decrypt
> > on the receiving end. However, our Decrypt tag throws an error, not liking
> > some of the Encrypted code. The example below works under the same
> > circumstances. Encrypting in one template and decrypting in another
> > template (by 
> and
> > error. The thing I can think of is there is something that is different in
> > the encrypted code than appears to be visible and copy/pasted??
>
>This can happen with multibyte encodings. Try putting a
>ToBase64() in between:
>
>
>
>
>Jochem
>
>




Re: Encrypt Decrypt?

2004-10-03 Thread Jochem van Dieten
Nick Baker wrote:
> We need to Encrypt and email private info. Then using the same key decrypt 
> on the receiving end. However, our Decrypt tag throws an error, not liking 
> some of the Encrypted code. The example below works under the same 
> circumstances. Encrypting in one template and decrypting in another 
> template (by 
> error. The thing I can think of is there is something that is different in 
> the encrypted code than appears to be visible and copy/pasted??

This can happen with multibyte encodings. Try putting a 
ToBase64() in between:




Jochem
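
An added sketch of the same idea (not code from the thread): ask Encrypt() for Hex output so the value that is mailed or pasted contains no quotes, angle brackets or multibyte characters, and validate what comes back before calling Decrypt(). It assumes ColdFusion 8 or later; the function names, the sample value and the per-request demo key are assumptions.

```cfml
<!--- Added example. The key is generated here only so the page runs on its
      own; in real use it is loaded from protected storage and reused. --->
<cfset demoKey = GenerateSecretKey("AES")>

<cffunction name="sealForTransport" returntype="string" output="false">
    <cfargument name="plain" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <!--- Hex output is only 0-9 and A-F, so there is nothing for a mail
          client, a URL parser or the CFML parser to reinterpret. --->
    <cfreturn Encrypt(arguments.plain, arguments.key, "AES/CBC/PKCS5Padding", "Hex")>
</cffunction>

<cffunction name="openFromTransport" returntype="struct" output="false">
    <cfargument name="received" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <cfset var result = StructNew()>
    <cfset var cleaned = Trim(arguments.received)>
    <cfset result.ok = false>
    <cfset result.value = "">
    <!--- Reject anything that is not an even-length hex string before decrypting. --->
    <cfif (NOT REFind("^[0-9A-Fa-f]+$", cleaned)) OR ((Len(cleaned) MOD 2) NEQ 0)>
        <cfreturn result>
    </cfif>
    <cftry>
        <cfset result.value = Decrypt(cleaned, arguments.key, "AES/CBC/PKCS5Padding", "Hex")>
        <cfset result.ok = true>
        <cfcatch type="any">
            <!--- Truncated or malformed ciphertext lands here, not on an error page. --->
        </cfcatch>
    </cftry>
    <cfreturn result>
</cffunction>

<!--- Constructed sample inputs: an intact value, a truncated copy, and the
      raw non-hex text quoted elsewhere on this page. --->
<cfset token = sealForTransport("private info", demoKey)>
<cfset good = openFromTransport(token, demoKey)>
<cfset cut = openFromTransport(Left(token, Len(token) - 2), demoKey)>
<cfset junk = openFromTransport('*5)V%5*.Z59RR$', demoKey)>

<cfoutput>
Value to send: #token#<br>
Intact value: ok=#good.ok#, text=#HTMLEditFormat(good.value)#<br>
Truncated value: ok=#cut.ok#<br>
Non-hex input: ok=#junk.ok#
</cfoutput>
```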




Encrypt Decrypt?

2004-10-02 Thread Nick Baker
We need to Encrypt and email private info. Then using the same key decrypt 
on the receiving end. However, our Decrypt tag throws an error, not liking 
some of the Encrypted code. The example below works under the same 
circumstances. Encrypting in one template and decrypting in another 
template (by 
error. The thing I can think of is there is something that is different in 
the encrypted code than appears to be visible and copy/pasted??

Should the encrypted code be conditioned or ?? before trying to Decrypt?

Thanks,

Nick

Example,






    The string: #string# 
 The key: #key#
 Encrypted: #encrypted#
 Decrypted: #decrypted#





encrypt() decrypt() mac issues

2004-02-11 Thread Jeremy
I have a template passing a url var that is pulled from my db. It happens to
be the key for that table, numerical. I use 
 then I add that 'myid'
value to the url and pass it. Then I decrypt it on the next template
like 

 
This works fine on my PC in IE and NN but the mac running OS X and IE
returns an error saying the url.cid = 0 or has a byte value of 0. For
some reason the url var is not getting there. It's fine without trying to
encrypt the var. I just don't want people to be able to see the url var
in the address bar. What could be causing the problem? Thanks for your
time.

Jeremy




Encrypt/Decrypt Functions - Questions

2003-07-02 Thread Ezine
Hey there again

I have been using the Encrypt/Decrypt functions to store encrypted values
into the database.
I have a Visual Basic application that I want to integrate with the user
database..  however the database is encrypted with the Encrypt/Decrypt
functions.   I have the code for the VB application..so I am planning on
editing the code in the VB application to encrypt the password string

I have the string I'm using to seed the Encrypt function as well :)..so
In theory..   I have everything that I need to do that..  except..  VB
provides no encrypt/decrypt function.

So..  My question..   is how does the encrypt function use the key to seed
the 32 bit value that it uses to XOR the string?


I read from macromedia's website that the Encrypt/Decrypt functions use the
XOR method to encrypt and decrypt the string using a 32 BIT seed...The
seed is determined by the key...  but how does it actually take the key
and convert it to the seed?

The end result of this is;  I'm going to replicate the encrypt function so I
can compare against the value encrypted in the database..I'm just
missing how to use the key to make the seed for the XOR of the string.

Any help would be greatly appreciated.


Zine

~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq

Signup for the Fusion Authority news alert and keep up with the latest news in 
ColdFusion and related topics. 
http://www.fusionauthority.com/signup.cfm

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4



RE: Encrypt/Decrypt

2003-05-27 Thread Matt Robertson
Using toBase64 and urlencrypt renders a string that should always be db-safe to store. 
No quote marks and such.

Below is a sample template I worked up to play around with various (documented) 
encryption options.  Run it (name the file anything you like) and it'll encrypt stuff 
in various formats and decrypt it from those formats with results onscreen.  It's 
pretty handy.

FYI I personally don't like using cfusion_encrypt() as it's undocumented.  Works 
better, but no telling for how long it'll continue to exist.

---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---



Encrypt Example
Encrypt Example
This function allows for the encryption and decryption of a 
string. Try it out by entering your own string and a key of your 
own choosing and seeing the results.















The string: #string#
The key: #key#
Encrypted in normal format: #encrypted#
Encrypted in URLEncodedFormat: #urlencrypted#
Encrypted in Base64 format: #base64encrypted#
Encrypted in UrlEncoded Base64 format: #urlbase64encrypted#

Decrypted from normal format: #decrypted#
Decrypted from UrlEncoded format: #urldecrypted#
Decrypted from Base64 format: #dbsafedecrypted#
Decrypted from UrlEncoded Base64 format: #urldbsafedecrypted#


Input your key:

Input your string to be encrypted:
#form.myString#  
Here's an html link with the base64 urlencoded string:
Click 
Here
Here's another UUID: #variables.TempString#



Input your key:

Input your string to be encrypted (this is a UUID):
#variables.MyString#
Here's another UUID: #variables.TempString#




 
 



Re: Encrypt/Decrypt

2003-05-27 Thread Matt Robertson
Try escaping the string before encrypting it.  Then maybe convert it to base 64 so it's 
db-safe.

I'm pretty sure if you try to do this in one step it'll throw an error.  I used 
something very similar to this for strings I had to be able to store and email to 
people.




---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---


-- Original Message --
From: "Greg Luce" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 27 May 2003 16:02:02 -0400

>I encrypted a value to store in the db using the CF encrypt() function.
>It worked a few times, but then it encrypted a value with a double quote
>as one of the encrypted chars. Now when I try to decrypt() the value I
>get an error that the value to be decrypted is not valid. 
>
>
>
>I tried htmlcodeformat() because it escapes double quotes. But it still
>errors:
>
>
>
>Ideas?
>
>
>



RE: Encrypt/Decrypt

2003-05-27 Thread Barney Boisvert
use cfusion_encrypt/cfusion_decrypt.  They'll always result in a hex string,
rather than the random gibberish that encrypt/decrypt use.  Also,
cfusion_encrypt's result is ALWAYS exactly twice as long as the original
value, rather than the undetermined length from encrypt.

---
Barney Boisvert, Senior Development Engineer
AudienceCentral (formerly PIER System, Inc.)
[EMAIL PROTECTED]
voice : 360.756.8080 x12
fax   : 360.647.5351

www.audiencecentral.com

> -Original Message-
> From: Greg Luce [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 27, 2003 1:02 PM
> To: CF-Talk
> Subject: Encrypt/Decrypt
>
>
> I encrypted a value to store in the db using the CF encrypt() function.
> It worked a few times, but then it encrypted a value with a double quote
> as one of the encrypted chars. Now when I try to decrypt() the value I
> get an error that the value to be decrypted is not valid.
>
> 
>
> I tried htmlcodeformat() because it escapes double quotes. But it still
> errors:
>
> 
>
> Ideas?
>
>
> 



RE: Encrypt/Decrypt

2003-05-27 Thread Greg Luce
The value is validated strictly integer before it's encrypted. It's the
encrypt() function that's generating the double quote.

Can you explain the "convert it to base 64 so it's db safe" idea?

-Original Message-
From: Matt Robertson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 27, 2003 3:37 PM
To: CF-Talk
Subject: Re: Encrypt/Decrypt


Try escaping the string before encrypting it.  Then maybe convert it to
base 64 so it's db-safe.

I'm pretty sure if you try to do this in one step it'll throw an error.
I used something very similar to this for strings I had to be able to
store and email to people.




---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---


-- Original Message --
From: "Greg Luce" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 27 May 2003 16:02:02 -0400

>I encrypted a value to store in the db using the CF encrypt() function.

>It worked a few times, but then it encrypted a value with a double 
>quote as one of the encrypted chars. Now when I try to decrypt() the 
>value I get an error that the value to be decrypted is not valid.
>
>
>
>I tried htmlcodeformat() because it escapes double quotes. But it still
>errors:
>
>decrypt(htmlcodeformat(get_client.ccnumber),"#request.rag#")>
>
>Ideas?
>
>
>




RE: Encrypt/Decrypt

2003-05-27 Thread Heald, Tim
Use cfusion_encrypt() instead.

Tim Heald MCP/CCFD
Information Systems Specialist
Overseas Security Advisory Council
U.S. Department of State
(202) 663-0130

> -Original Message-
> From: Greg Luce [SMTP:[EMAIL PROTECTED]
> Sent: Tuesday, May 27, 2003 4:23 PM
> To:   CF-Talk
> Subject:  Encrypt/Decrypt
> 
> I encrypted a value to store in the db using the CF encrypt() function.
> It worked a few times, but then it encrypted a value with a double quote
> as one of the encrypted chars. Now when I try to decrypt() the value I
> get an error that the value to be decrypted is not valid. 
> 
> 
> 
> I tried htmlcodeformat() because it escapes double quotes. But it still
> errors:
> 
> 
> 
> Ideas?
> 
> 
> 



Encrypt/Decrypt

2003-05-27 Thread Greg Luce
I encrypted a value to store in the db using the CF encrypt() function.
It worked a few times, but then it encrypted a value with a double quote
as one of the encrypted chars. Now when I try to decrypt() the value I
get an error that the value to be decrypted is not valid. 



I tried htmlcodeformat() because it escapes double quotes. But it still
errors:



Ideas?





Re: Encrypt/Decrypt Recommendations

2002-11-08 Thread Bryan Stevenson
Rick,

That's what I usually do, but client requirements are client requirements
;-) (you can only tell 'em so many times)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
- Original Message -
From: "Rick Root" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 5:18 PM
Subject: Re: Encrypt/Decrypt Recommendations


> Bryan Stevenson wrote:
> > Yes I do have to decrypt it to give it back to those users that lose it ;-)
>
> If they lose it, create a new password for them... that allows you to
> use the one way encryption which is FAR more secure.
>
>   - Rick
>
>
> 



Re: Encrypt/Decrypt Recommendations

2002-11-08 Thread Jochem van Dieten
Bryan Stevenson wrote:

> Yes I do have to decrypt it to give it back to those users that lose 
> it ;-)

You should consider hashing anyway and issuing a new password. 
Especially if you combine this with a client side hashing script (there 
are javascripts available for download, just Google) this is quite secure.

Jochem




Re: Encrypt/Decrypt Recommendations

2002-11-07 Thread cf-talk
A really nice way of storing passwords in a database is to use a one way
hash such as an MD5 hash.  That way, if your database is ever hacked or
stolen... the passwords are not decryptable.  An MD5 hash is a "one way
encryption".

-Novak

- Original Message -
From: "Bryan Stevenson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 10:57 AM
Subject: Encrypt/Decrypt Recommendations


> Hey All,
>
> I'm looking for recommendations for an encrypt/decrypt tag or UDF that will
> always produce the same encrypted value.  This is so I can store encrypted
> passwords in the DB and check the encrypted version of what a user types in
> a login form against the encrypted version in the DB (and decrypt for lost
> passwords).
>
> I was going to use Cryp.cfm from the DevEx, but its encrypted value changes
> almost every time even though the string and key used are the same.
> TIA for any help
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> t. 250.920.8830
> e. [EMAIL PROTECTED]
>
> -
> Macromedia Associate Partner
> www.macromedia.com
> -
> Vancouver Island ColdFusion Users Group
> Founder & Director
> www.cfug-vancouverisland.com
>
> 



RE: Encrypt/Decrypt Recommendations

2002-11-07 Thread Stacy Young
To reset a password when using one way hash - just send a re-authorizing
email that will link them back to the site to enter new password...

Stace

-Original Message-
From: Bryan Stevenson [mailto:bryan@;electricedgesystems.com] 
Sent: Thursday, November 07, 2002 7:53 PM
To: CF-Talk
Subject: Re: Encrypt/Decrypt Recommendations

Yes I do have to decrypt it to give it back to those users that lose it ;-)

I've done a workaround for now where I match the username, decrypt that
password and compare it to what the user types in the login form (kind of
the long way around...but it works)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
- Original Message -
From: <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 12:17 PM
Subject: RE: Encrypt/Decrypt Recommendations


> Just use CF's Hash().  This is a one way encryption.  No need to decrypt
> the password you store is there?  Just compare...  Hash(form.password)
> EQ dbquery.password.
>
> Doug
>
> >-Original Message-
> >From: Bryan Stevenson [mailto:bryan@;electricedgesystems.com]
> >Sent: Thursday, November 07, 2002 1:57 PM
> >To: CF-Talk
> >Subject: Encrypt/Decrypt Recommendations
> >
> >
> >Hey All,
> >
> >I'm looking for recommendations for an encrypt/decrypt tag or
> >UDF that will
> >always produce the same encrypted value.  This is so I can
> >store encrypted
> >passwords in the DB and check the encrypted version of what a
> >user types in
> >a login form against the encrypted version in the DB (and
> >decrypt for lost
> >passwords).
> >
> >I was going to use Cryp.cfm from the DevEx, but its encrypted
> >value changes
> >almost every time even though the string and key used are the same.
> >
> >TIA for any help
> >
> >Bryan Stevenson B.Comm.
> >VP & Director of E-Commerce Development
> >Electric Edge Systems Group Inc.
> >t. 250.920.8830
> >e. [EMAIL PROTECTED]
> >
> >-
> >Macromedia Associate Partner
> >www.macromedia.com
> >-
> >Vancouver Island ColdFusion Users Group
> >Founder & Director
> >www.cfug-vancouverisland.com
> >
> >
> 
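
The hash-and-compare login and the reset-by-email link described in this thread, as an added sketch rather than code from any poster. It assumes ColdFusion 11 or later for GeneratePBKDFKey(); the function names, iteration count and one-hour expiry are illustrative choices, and it uses a per-user salt with PBKDF2 in place of a single Hash() call.

```cfml
<!--- Added example. Nothing stored here can be decrypted back to the
      password; a lost password is replaced through a reset link. --->
<cfset PBKDF_ITERATIONS = 100000>

<cffunction name="sameString" returntype="boolean" output="false">
    <cfargument name="a" type="string" required="true">
    <cfargument name="b" type="string" required="true">
    <!--- Java's MessageDigest.isEqual compares the full byte arrays. --->
    <cfreturn CreateObject("java", "java.security.MessageDigest").isEqual(
        CharsetDecode(arguments.a, "utf-8"), CharsetDecode(arguments.b, "utf-8"))>
</cffunction>

<cffunction name="newPasswordRecord" returntype="struct" output="false">
    <cfargument name="password" type="string" required="true">
    <cfset var rec = StructNew()>
    <!--- GenerateSecretKey() serves here only as a source of 128 random bits. --->
    <cfset rec.salt = GenerateSecretKey("AES")>
    <cfset rec.iterations = variables.PBKDF_ITERATIONS>
    <cfset rec.hash = GeneratePBKDFKey("PBKDF2WithHmacSHA1", arguments.password,
                                       rec.salt, rec.iterations, 160)>
    <cfreturn rec>
</cffunction>

<cffunction name="passwordMatches" returntype="boolean" output="false">
    <cfargument name="typed" type="string" required="true">
    <cfargument name="rec" type="struct" required="true">
    <!--- Re-derive with the stored salt and iteration count, then compare. --->
    <cfset var candidate = GeneratePBKDFKey("PBKDF2WithHmacSHA1", arguments.typed,
                                            arguments.rec.salt, arguments.rec.iterations, 160)>
    <cfreturn sameString(candidate, arguments.rec.hash)>
</cffunction>

<cffunction name="newResetToken" returntype="struct" output="false">
    <cfset var t = StructNew()>
    <!--- The raw token goes only into the e-mailed link; the database keeps
          its SHA-256 hash and an expiry time. --->
    <cfset t.token = BinaryEncode(BinaryDecode(GenerateSecretKey("AES"), "Base64"), "Hex")>
    <cfset t.storedHash = Hash(t.token, "SHA-256")>
    <cfset t.expires = DateAdd("h", 1, Now())>
    <cfreturn t>
</cffunction>

<cffunction name="resetTokenValid" returntype="boolean" output="false">
    <cfargument name="presented" type="string" required="true">
    <cfargument name="storedHash" type="string" required="true">
    <cfargument name="expires" type="date" required="true">
    <cfif DateCompare(Now(), arguments.expires) GTE 0>
        <cfreturn false>
    </cfif>
    <cfreturn sameString(Hash(arguments.presented, "SHA-256"), arguments.storedHash)>
</cffunction>

<!--- Sample password taken from the thread's own example value. --->
<cfset rec = newPasswordRecord("zippy12")>
<cfset rec2 = newPasswordRecord("zippy12")>
<cfset hashesDiffer = (Compare(rec.hash, rec2.hash) NEQ 0)>
<cfset reset = newResetToken()>
<cfset resetOk = resetTokenValid(reset.token, reset.storedHash, reset.expires)>
<cfset resetWrong = resetTokenValid("00" & reset.token, reset.storedHash, reset.expires)>

<cfoutput>
Correct password accepted: #passwordMatches("zippy12", rec)#<br>
Wrong password accepted: #passwordMatches("zippy13", rec)#<br>
Same password, different salt, different stored hash: #hashesDiffer#<br>
Reset token from the link accepted: #resetOk#<br>
Altered reset token accepted: #resetWrong#
</cfoutput>
```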




Re: Encrypt/Decrypt Recommendations

2002-11-07 Thread Rick Root
Bryan Stevenson wrote:
> Yes I do have to decrypt it to give it back to those users that lose it ;-)

If they lose it, create a new password for them... that allows you to
use the one way encryption which is FAR more secure.

  - Rick





Re: Encrypt/Decrypt Recommendations

2002-11-07 Thread Bryan Stevenson
OK, I'm getting some IMO weird behavior from various encryption tags (and
CF's encrypt() function).

Here's an example:


#var1.value#





#var2.value#

With this example, var1.value remains constant and var2.value keeps
changing.  If I decrypt var2.value, it will always be "zippy12".  So the
decryption works fine, but for whatever reason, the encrypted value keeps
changing.  Now it becomes quite obvious that encrypting what a user types
into a password field and checking that against the encrypted password in
the DB isn't going to fly because the encrypted value of the typed password
may not be the same (even though it decrypts to the same original
value)...Arrrggg!!!

I've done this before using MD5, but that's only a one way process.  This
time I need to be able to retrieve and decrypt the password (for users that
lose them), so MD5 won't work here.

HELP!!! ;-)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
- Original Message -
From: "Bryan Stevenson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 10:57 AM
Subject: Encrypt/Decrypt Recommendations


> Hey All,
>
> I'm looking for recommendations for an encrypt/decrypt tag or UDF that will
> always produce the same encrypted value.  This is so I can store encrypted
> passwords in the DB and check the encrypted version of what a user types in
> a login form against the encrypted version in the DB (and decrypt for lost
> passwords).
>
> I was going to use Cryp.cfm from the DevEx, but its encrypted value changes
> almost every time even though the string and key used are the same.
>
> TIA for any help
>
> Bryan Stevenson B.Comm.
> VP & Director of E-Commerce Development
> Electric Edge Systems Group Inc.
> t. 250.920.8830
> e. [EMAIL PROTECTED]
>
> -
> Macromedia Associate Partner
> www.macromedia.com
> -
> Vancouver Island ColdFusion Users Group
> Founder & Director
> www.cfug-vancouverisland.com
>
> 



Re: Encrypt/Decrypt Recommendations

2002-11-07 Thread Bryan Stevenson
Yes I do have to decrypt it to give it back to those users that lose it ;-)

I've done a workaround for now where I match the username, decrypt that
password and compare it to what the user types in the login form (kind of
the long way around...but it works)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com
- Original Message -
From: <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, November 07, 2002 12:17 PM
Subject: RE: Encrypt/Decrypt Recommendations


> Just use CF's Hash().  This is a one way encryption.  No need to decrypt
> the password you store is there?  Just compare...  Hash(form.password)
> EQ dbquery.password.
>
> Doug
>
> >-Original Message-
> >From: Bryan Stevenson [mailto:bryan@;electricedgesystems.com]
> >Sent: Thursday, November 07, 2002 1:57 PM
> >To: CF-Talk
> >Subject: Encrypt/Decrypt Recommendations
> >
> >
> >Hey All,
> >
> >I'm looking for recommendations for an encrypt/decrypt tag or
> >UDF that will
> >always produce the same encrypted value.  This is so I can
> >store encrypted
> >passwords in the DB and check the encrypted version of what a
> >user types in
> >a login form against the encrypted version in the DB (and
> >decrypt for lost
> >passwords).
> >
> >I was going to use Cryp.cfm from the DevEx, but its encrypted
> >value changes
> >almost every time even though the string and key used are the same.
> >
> >TIA for any help
> >
> >Bryan Stevenson B.Comm.
> >VP & Director of E-Commerce Development
> >Electric Edge Systems Group Inc.
> >t. 250.920.8830
> >e. [EMAIL PROTECTED]
> >
> >-
> >Macromedia Associate Partner
> >www.macromedia.com
> >-
> >Vancouver Island ColdFusion Users Group
> >Founder & Director
> >www.cfug-vancouverisland.com
> >
> >
> 



RE: Encrypt/Decrypt Recommendations

2002-11-07 Thread Douglas.Knudsen
Just use CF's Hash().  This is a one way encryption.  No need to decrypt
the password you store is there?  Just compare...  Hash(form.password)
EQ dbquery.password.

Doug

>-Original Message-
>From: Bryan Stevenson [mailto:bryan@;electricedgesystems.com]
>Sent: Thursday, November 07, 2002 1:57 PM
>To: CF-Talk
>Subject: Encrypt/Decrypt Recommendations
>
>
>Hey All,
>
>I'm looking for recommendations for an encrypt/decrypt tag or 
>UDF that will
>always produce the same encrypted value.  This is so I can 
>store encrypted
>passwords in the DB and check the encrypted version of what a 
>user types in
>a login form against the encrypted version in the DB (and 
>decrypt for lost
>passwords).
>
>I was going to use Cryp.cfm from the DevEx, but its encrypted
>value changes
>almost every time even though the string and key used are the same.
>
>TIA for any help
>
>Bryan Stevenson B.Comm.
>VP & Director of E-Commerce Development
>Electric Edge Systems Group Inc.
>t. 250.920.8830
>e. [EMAIL PROTECTED]
>
>-
>Macromedia Associate Partner
>www.macromedia.com
>-
>Vancouver Island ColdFusion Users Group
>Founder & Director
>www.cfug-vancouverisland.com
>
>



Re: Encrypt/Decrypt Recommendations

2002-11-07 Thread Rick Root
Bryan Stevenson wrote:
> 
> I'm looking for recommendations for an encrypt/decrypt tag or UDF that will
> always produce the same encrypted value.  This is so I can store encrypted
> passwords in the DB and check the encrypted version of what a user types in
> a login form against the encrypted version in the DB (and decrypt for lost
> passwords).

Have you considered using the crypt function built into your DB, if any? 
  For example, I know MySQL has a built in crypt function that works 
rather nicely for storing passwords.

  - Rick





RE: Encrypt/Decrypt Recommendations

2002-11-07 Thread Sean McCarthy
sha256 I think it's on mm site

-Original Message-
From: Bryan Stevenson [mailto:bryan@;electricedgesystems.com]
Sent: Thursday, November 07, 2002 1:57 PM
To: CF-Talk
Subject: Encrypt/Decrypt Recommendations


Hey All,

I'm looking for recommendations for an encrypt/decrypt tag or UDF that will
always produce the same encrypted value.  This is so I can store encrypted
passwords in the DB and check the encrypted version of what a user types in
a login form against the encrypted version in the DB (and decrypt for lost
passwords).

I was going to use Cryp.cfm from the DevEx, but its encrypted value changes
almost every time even though the string and key used are the same.

TIA for any help

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com





Encrypt/Decrypt Recommendations

2002-11-07 Thread Bryan Stevenson
Hey All,

I'm looking for recommendations for an encrypt/decrypt tag or UDF that will
always produce the same encrypted value.  This is so I can store encrypted
passwords in the DB and check the encrypted version of what a user types in
a login form against the encrypted version in the DB (and decrypt for lost
passwords).

I was going to use Cryp.cfm from the DevEx, but its encrypted value changes
almost every time even though the string and key used are the same.

TIA for any help

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
t. 250.920.8830
e. [EMAIL PROTECTED]

-
Macromedia Associate Partner
www.macromedia.com
-
Vancouver Island ColdFusion Users Group
Founder & Director
www.cfug-vancouverisland.com




Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-07-04 Thread CFTalk

Steve

I wrote a custom tag called cf_cryp that I use in place of encrypt() 
and decrypt().  It builds on encrypt() and decrypt() by encoding all 
the characters produced by encrypt() with their ASCII values, shifts 
some bits to make it a little more unintelligible and adds a 
similarly encoded checksum to prevent someone from manipulating 
characters to change the value (helpful for url parameters, hidden 
form fields and cookies).

I also set up a test page with some more information on the drawbacks 
of encrypt()/decrypt() at

http://www.iology.com/products/downloads/cryptest.cfm

You can download the code there too; it's free for all commercial 
purposes and open source.

Jackson Moore
[EMAIL PROTECTED]


On Fri, 29 Jun 2001 15:01:22 -0400, Steve Reich wrote:
>> Maybe it's just a weird browser thing. What do you see if you View
>>Source?
>
>
>No.. I checked that. It's very strange because there is no
>consistency to
>it. Some strings encrypt the same every time, others don't.
>
>If I run this in my browser
>
>kd@kfoe%kfps037")#">
>
>#encryptedPW #-#Len(encryptedPW)#
>
>and then hit refresh... it toggles between these two values...
>
>(78XD6IF#J5&(
>and
>(78XD6IF#J5'
>
>. but it returns the Len of both strings as 14. Something with
>ASCII,
>either spaces or line feeds might be one of the chars that could be
>messing
>me up. In the database field (SQL7), visually you can see some box
>characters that represent an ASCII character that can't be
>displayed.
>Help!!
>
>Thanks,
>Steve
>
>
>
>
~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread hof

AFAIK it is a feature that Encrypt() does not always return the same value, but
is always decryptable to the same value. I think I read it in the comment of an
Allaire employee in the Allaire forums.

Anyhow, I believe one should not use the Encrypt() at all. Use Hash(), it is one
way (nice for safety) and a public algorithm (MD5 is the name among
cryptographers I believe), so it is even usable from other applications.
Personally, I have zero faith in any cryptographic algorithm that is not open
source.

Jochem

--
It isn't possible I lied in this message, it is probable.




Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Steve Reich

>
>  
>


Dick,

That did the trick! I was trying to compare two encrypted strings and I
should have been comparing their decrypted values. Thanks for the help
it was driving me nuts!

Steve






Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Steve Reich

> Maybe it's just a weird browser thing. What do you see if you View Source?


No.. I checked that. It's very strange because there is no consistency to
it. Some strings encrypt the same every time, others don't.

If I run this in my browser



#encryptedPW #-#Len(encryptedPW)#

and then hit refresh... it toggles between these two values...

(78XD6IF#J5&(
and
(78XD6IF#J5'

 but it returns the Len of both strings as 14. Something with ASCII,
either spaces or line feeds might be one of the chars that could be messing
me up. In the database field (SQL7), visually you can see some box
characters that represent an ASCII character that can't be displayed.
Help!!

Thanks,
Steve






Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Dick Applebaum

Steve

I encountered a similar problem... here is how I resolved it.

1) I defined the field in the db that holds the encrypted value as 
NVarChar(255).  This is a unicode field. The 255 length takes care of 
encrypted passwords that are larger than the original.

2) I do *not* check the password in the SQL, rather in CF after it 
has been retrieved, e.g.:




   

   
 
   
 
 .
 .
 .

HTH

Dick

At 1:57 PM -0400 6/29/01, Steve Reich wrote:
>I am having a problem with the encrypt/decrypt functions. Here is my code:
>
>*** This creates the user when they register...
>
>
>
>username="#application.dsn_username#" password="#application.dsn_password#">
>INSERT INTO users
>(fname,lname,email,username,password)
>VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')
>
>
>*** This validates a registered user
>
>
>
>username="#application.dsn_username#" password="#application.dsn_password#">
>   SELECT userid
>   FROM users
>   WHERE username='#username#'
>   AND password='#dbPassword#'
>
>
>The problem is that if I output the encrypted password on my page, I get...
>
>(6 W=SO*;E^JD
>
>The field in the DB says...
>
>(6 W=SO*;E^H
>
>Obviously, they don't match, so the user can't get in. I've tried using a
>variety of seed values, including various lengths. It seems that the last
>one or two chars always come out differently? My questions are, what is a
>good length for the seed value and should this be alphanumeric or will any
>ascii character work? Also, I'm not sure why I can encrypt the same value
>twice and not get the same value. I'm thinking my problem must be in the
>seed string length, but I'm not sure? Are there known issues with this? Why
>am I having this problem? Can someone shed some light?
>
>Thanks,
>Steve
>
>
>
>
>



RE: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Raymond Camden

Maybe it's just a weird browser thing. What do you see if you View Source?

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : [EMAIL PROTECTED]
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -Original Message-
> From: Steve Reich [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 29, 2001 1:57 PM
> To: CF-Talk
> Subject: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
>
>
> I am having a problem with the encrypt/decrypt functions. Here is my code:
>
> *** This creates the user when they register...
>
> 
>
>  username="#application.dsn_username#"
> password="#application.dsn_password#">
>INSERT INTO users
>(fname,lname,email,username,password)
>VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')
> 
>
> *** This validates a registered user
>
> 
>
>  username="#application.dsn_username#"
> password="#application.dsn_password#">
>   SELECT userid
>   FROM users
>   WHERE username='#username#'
>   AND password='#dbPassword#'
> 





Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Steve Reich

> Also, I'm not sure why I can encrypt the same value
> twice and not get the same value. I'm thinking my problem must be in the
> seed string length, but I'm not sure? Are there known issues with this? Why
> am I having this problem? Can someone shed some light?


After a little more trial and error, it appears that the first 12 characters
are consistent. Anything after that can change, even if encrypting the same
string with the same seed value. I guess I can do something like..

if password =  Left(dbpassword, "12")

I would still appreciate a logical explanation of this if someone knows more
about this

Thanks,
Steve






Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]

2001-06-29 Thread Steve Reich

I am having a problem with the encrypt/decrypt functions. Here is my code:

*** This creates the user when they register...




   INSERT INTO users
   (fname,lname,email,username,password)
   VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')


*** This validates a registered user




  SELECT userid
  FROM users
  WHERE username='#username#'
  AND password='#dbPassword#'


The problem is that if I output the encrypted password on my page, I get...

(6 W=SO*;E^JD

The field in the DB says...

(6 W=SO*;E^H

Obviously, they don't match, so the user can't get in. I've tried using a
variety of seed values, including various lengths. It seems that the last
one or two chars always come out differently? My questions are, what is a
good length for the seed value and should this be alphanumeric or will any
ascii character work? Also, I'm not sure why I can encrypt the same value
twice and not get the same value. I'm thinking my problem must be in the
seed string length, but I'm not sure? Are there known issues with this? Why
am I having this problem? Can someone shed some light?

Thanks,
Steve







RE: encrypt/decrypt

2001-04-10 Thread Zachary S. Bedell

 

Their encryption is also horrendously easy to crack.  Encrypt/Decrypt at
least use 3DES if my memory serves me.  Stay away from the undocumented
cfusion_* functions

Best regards,
Zac Bedell

> -Original Message-
> From: Nick Texidor [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 09, 2001 6:05 PM
> To: CF-Talk
> Subject: Re: encrypt/decrypt
> 
> 
> Apparently though, these are not recommended for use as there is no
> guarantee they will be included in the next versions of CF.
> 
> 
> on 10/04/01 5:10, Lewis Steven at [EMAIL PROTECTED] wrote:
> 
> > You can also use: cfusion_encrypt() and cfusion_decrypt().
> > 
> > cfusion_encrypt() encrypts the text to numbers and it is DB safe.
> > 
> > Steve
> > 
> > Will Swain wrote:
> >> 
> >> Thanks Zach,
> >> 
> >> I'll have a look at that
> >> 
> >> Cheers
> >> 
> >> Will






Re: encrypt/decrypt

2001-04-09 Thread Nick Texidor

Apparently though, these are not recommended for use as there is no
guarantee they will be included in the next versions of CF.


on 10/04/01 5:10, Lewis Steven at [EMAIL PROTECTED] wrote:

> You can also use: cfusion_encrypt() and cfusion_decrypt().
> 
> cfusion_encrypt() encrypts the text to numbers and it is DB safe.
> 
> Steve
> 
> Will Swain wrote:
>> 
>> Thanks Zach,
>> 
>> I'll have a look at that
>> 
>> Cheers
>> 
>> Will
>> 
>> -Original Message-
>> From: Zachary S. Bedell [mailto:[EMAIL PROTECTED]]
>> Sent: 05 April 2001 19:26
>> To: CF-Talk
>> Subject: RE: encrypt/decrypt
>> 
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>> 
>> The values that the CF Encrypt function creates usually aren't safe to
>> put into a database -- they're binary values if my memory serves
>> correctly.  The error you're getting is because Decrypt throws an error
>> if the value it gets isn't a valid value made by the Encrypt functions.
>> 
>> Before you put your values into the DB, you need to convert them to text
>> only values.  URLEncodedFormat() would work.  ToString() would probably
>> work too.  Then when you pull the value back out of the DB, you just
>> URLDecode() it.  I'm not sure how you turn ToString() back to its
>> original form.  I thought it was ToBinary() or something, but I don't
>> see that in my quickref book
>> 
>> To guard against crashes b/c of modified, corrupted values, just
>> surround your Decrypt() function call in a CF Try block & handle it
>> accordingly.
>> 
>> 
>> 
>> 
>> INSERT INTO Table (Secret) VALUES( '#Gibberish#')
>> 
>> 
>> 
>> 
>> SELECT Secret
>> FROM Table
>> WHERE ...
>> 
>> 
>> 
>>     
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> The secret word is: #Secret#
>> 
>> Something broke...
>> 
>> 
>> Hope that's helpful.
>> 
>> Best regards,
>> Zac Bedell
>>> -Original Message-
>>> From: Will Swain [mailto:[EMAIL PROTECTED]]
>>> Sent: Thursday, April 05, 2001 7:16 AM
>>> To: CF-Talk
>>> Subject: encrypt/decrypt
>>> 
>>> 
>>> Hi guys,
>>> 
>>> Got an interesting one here. I am encrypting some details
>>> before entering
>>> them in a database, then decrypting them as the authorised views them.
>>> 
>>> 
>>> However, I am getting this error on decryption:
>>> 
>>> Error Diagnostic Information
>>> 
>>> An error occurred while evaluating the expression:
>>> 
>>> 
>>>  decryptednumber = decrypt(encryptednumber, numberkey)
>>> 
>>> 
>>> 
>>> Error near line 25, column 8.
>>> --
>>> --
>>> 
>>> 
>>> The value to be decrypted is not valid
>>> 
>>> 
>>> This is the code I have in that location. Interestingly,
>>> decrypting the
>>> name doesn't seem to cause a problem:
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> This is the code on another page that encrypts the values:
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> Any ideas on this anyone??
>>> 
>>> TIA
>>> 
>>> Will Swain
>>> 
>>> 
>>> 
>>> 
>> 
>



Re: encrypt/decrypt

2001-04-09 Thread Jon Hall

These are undocumented functions used by the cf admin. The syntax is exactly
the same as the standard encrypt() functions.

You can use this code with the standard encrypt functions to make the
strings db safe.

This produces a db safe string


This decrypts the string


jon
- Original Message -
From: "Jim Gurfein" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Monday, April 09, 2001 5:01 PM
Subject: Re: encrypt/decrypt


> I've checked normal resources and can't find any documentation on
> cfusion_encrypt() and cfusion_decrypt(). Am I missing something?
>
>
> At 03:10 PM 4/9/01 -0400, you wrote:
> >You can also use: cfusion_encrypt() and cfusion_decrypt().
> >
> >cfusion_encrypt() encrypts the text to numbers and it is DB safe.
> >
> >Steve
> >
> >Will Swain wrote:
> > >
> > > Thanks Zach,
> > >
> > > I'll have a look at that
> > >
> > > Cheers
> > >
> > > Will
> > >
> > > -Original Message-
> > > From: Zachary S. Bedell [mailto:[EMAIL PROTECTED]]
> > > Sent: 05 April 2001 19:26
> > > To: CF-Talk
> > > Subject: RE: encrypt/decrypt
> > >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA1
> > >
> > > > The values that the CF Encrypt function creates usually aren't safe to
> > > > put into a database -- they're binary values if my memory serves
> > > > correctly.  The error you're getting is because Decrypt throws an error
> > > > if the value it gets isn't a valid value made by the Encrypt functions.
> > > >
> > > > Before you put your values into the DB, you need to convert them to text
> > > > only values.  URLEncodedFormat() would work.  ToString() would probably
> > > > work too.  Then when you pull the value back out of the DB, you just
> > > > URLDecode() it.  I'm not sure how you turn ToString() back to its
> > > > original form.  I thought it was ToBinary() or something, but I don't
> > > > see that in my quickref book
> > >
> > > To guard against crashes b/c of modified, corrupted values, just
> > > surround your Decrypt() function call in a CF Try block & handle it
> > > accordingly.
> > >
> > > 
> > > 
> > > 
> > > > INSERT INTO Table (Secret) VALUES( '#Gibberish#')
> > > 
> > >
> > > 
> > > 
> > >     SELECT Secret
> > > FROM Table
> > > WHERE ...
> > > 
> > >
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > >
> > > 
> > > The secret word is: #Secret#
> > > 
> > > Something broke...
> > > 
> > >
> > > Hope that's helpful.
> > >
> > > Best regards,
> > > Zac Bedell
> > > > -Original Message-
> > > > From: Will Swain [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, April 05, 2001 7:16 AM
> > > > To: CF-Talk
> > > > Subject: encrypt/decrypt
> > > >
> > > >
> > > > Hi guys,
> > > >
> > > > > Got an interesting one here. I am encrypting some details
> > > > > before entering
> > > > > them in a database, then decrypting them as the authorised views them.
> > > >
> > > >
> > > > However, I am getting this error on decryption:
> > > >
> > > > Error Diagnostic Information
> > > >
> > > > An error occurred while evaluating the expression:
> > > >
> > > >
> > > >  decryptednumber = decrypt(encryptednumber, numberkey)
> > > >
> > > >
> > > >
> > > > Error near line 25, column 8.
> > > > --
> > > > --
> > > > 
> > > >
> > > > The value to be decrypted is not valid
> > > >
> > > >
> > > > > This is the code I have in that location. Interestingly,
> > > > > decrypting the
> > > > > name doesn't seem to cause a problem:
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > >
> > > > This is the code on another page that encrypts the values:
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > 
> > > >
> > > > Any ideas on this anyone??
> > > >
> > > > TIA
> > > >
> > > > Will Swain
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
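
Added example (not from the thread, and in Python so it runs stand-alone): one way to do what the quoted advice above asks for, storing ciphertext as text-only characters and rejecting a damaged value before it reaches the decrypt call. The ciphertext is treated as opaque bytes from whatever cipher is in use; the HMAC tag under a separate key, the function names and the sample bytes are assumptions, not ColdFusion behavior.

```python
import base64
import hashlib
import hmac

TAG_LEN = 32  # bytes in an HMAC-SHA-256 tag

# Constructed sample: arbitrary bytes standing in for cipher output,
# including non-printable bytes and trailing whitespace.
SAMPLE_CIPHERTEXT = bytes([0x28, 0x36, 0x9C, 0x00, 0x57, 0x8A, 0x0D, 0x20])


def naive_text_round_trip(ciphertext: bytes) -> bytes:
    """Simplified model of pushing raw cipher bytes through a text column:
    bytes the character set cannot represent are replaced and trailing
    whitespace is trimmed, so the original bytes cannot be recovered."""
    as_text = ciphertext.decode("ascii", errors="replace").rstrip()
    return as_text.encode("utf-8")


def seal_for_storage(ciphertext: bytes, mac_key: bytes) -> str:
    """Append an integrity tag, then encode as URL- and DB-safe ASCII text."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(ciphertext + tag).decode("ascii")


def open_from_storage(stored: str, mac_key: bytes) -> bytes:
    """Return the original cipher bytes, or raise ValueError if the stored
    text was truncated, re-encoded or modified."""
    try:
        raw = base64.urlsafe_b64decode(stored.encode("ascii"))
    except ValueError as exc:  # also covers binascii.Error and UnicodeEncodeError
        raise ValueError("stored value is not valid base64") from exc
    if len(raw) < TAG_LEN:
        raise ValueError("stored value is too short")
    ciphertext, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored value failed its integrity check")
    return ciphertext


def load_secret(stored: str, mac_key: bytes, decrypt):
    """Decrypt only values that pass the check; return None for damaged ones
    (the try/catch-around-decrypt pattern from the quoted message)."""
    try:
        return decrypt(open_from_storage(stored, mac_key))
    except ValueError:
        return None


if __name__ == "__main__":
    key = b"k" * 32  # constructed key for the demo only
    stored = seal_for_storage(SAMPLE_CIPHERTEXT, key)
    print(stored)                                              # plain ASCII text
    print(open_from_storage(stored, key) == SAMPLE_CIPHERTEXT)
    print(naive_text_round_trip(SAMPLE_CIPHERTEXT) == SAMPLE_CIPHERTEXT)
    print(load_secret(stored[:-2], key, bytes.hex))            # truncated column value
```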


