Encrypting Zip File
Hi, What is the best way to encrypt a zip file in ColdFusion? Many thanks, Richard ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359049 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Encrypting Zip File
Maybe http://www.andyscott.id.au/blog/getting-better-zip-support-in-coldfusion-with-zip4j On Thu, Jul 31, 2014 at 12:18 PM, Richard White rich...@re-base.net wrote: Hi, What is the best way to encrypt a zip file in ColdFusion? Many thanks, Richard ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359050 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
re: Encrypting Zip File
In addition to zip4j, you can also look at installing 7Zip (http://www.7-zip.org/) on the server (if possible) and using the CLI interface to that via cfexecute. -- Jeff Original Message From: Richard White rich...@re-base.net Sent: Thursday, July 31, 2014 9:19 AM To: cf-talk cf-talk@houseoffusion.com Subject: Encrypting Zip File Hi, What is the best way to encrypt a zip file in ColdFusion? Many thanks, Richard ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359051 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Encrypting Zip File
cfzip supports encryption out-of-box I believe zip cfzip required file = absolute pathname One of the following: source = source directory cfzipparam source = source directory ... optional encryptionAlgorithm = standard|AES-128|AES-256 password = password string action = zip filter = file filter overwrite = yes|no prefix = string recurse = yes|no storePath = yes|no Should be able to just put in the encryption algorithm and password and have it taken care of. Nick Hi, What is the best way to encrypt a zip file in ColdFusion? Many thanks, Richard ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359052 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
encrypting with initialization vectors
I can't seem to get the encrypt function to take an initialization vector. It doesn't matter what I put there. It returns the exact same result as if there is no initialization vector. Is anyone using that? Can you please provide an example where it works? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351104 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
I can't seem to get the encrypt function to take an initialization vector. It doesn't matter what I put there. It returns the exact same result as if there is no initialization vector. Hi there, please post the line of code where you're calling the encryption function as that will help with troubleshooting. What encryption algorithm are you using? Not all of them will use an IV. -Justin ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351105 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
Here's the test code. I'll take AES or DESEDE or better. Running cf enterprise. !--- testenc.cfm ** Purpose:test encryption --- html headtitleTest ENC/title/head body style=margin:20px; font-family:Arial, Helvetica, sans-serif; font-size:12px; background-color:#f2f0db; h3Test ENC/h3 !--- Do the following if the form has been submitted. --- cfif IsDefined(Form.myString) cfscript theKey=generateSecretKey(Form.myAlgorithm); anotherKey=generateSecretKey(Form.myAlgorithm); useasiv = encryptBinary(anotherkey,theKey,Form.myAlgorithm,Form.myEncoding); //Encrypt the string. encrypted=encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding); IVencrypted = encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding,useasiv); //Decrypt it. decrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding); IVdecrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding,useasiv); /cfscript !--- Display the values and the results. --- cfoutput bThe algorithm:/b #Form.myAlgorithm#br br bThe key:nbsp;nbsp;/B #theKey#br br bThe string:/b #Form.myString# br br bEncrypted:nbsp;nbsp;nbsp;/b #encrypted#br bIVencrypted:/b #IVencrypted#br br bDecrypted:/b #decrypted#br bIVecrypted:/b #ivdecrypted#br brbr /cfoutput /cfif cfparam name=myEncoding default= cfparam name=myAlgorithm default= !--- The input form. --- form action=cfoutput#CGI.SCRIPT_NAME#/cfoutput method=post input type=hidden name=onetimeid value=cfoutput#onetimeid#/cfoutput bSelect the encoding/bbr select size=1 name=myEncoding option cfif myEncoding IS UUselected/cfifUU/option option cfif myEncoding IS Base64selected/cfifBase64/option option cfif myEncoding IS Hexselected/cfifHex/option /selectbr br bSelect the algorithm/bbr select size=1 name=myAlgorithm option cfif myAlgorithm IS AESselected/cfifAES/option option cfif myAlgorithm IS DESselected/cfifDES/option option cfif myAlgorithm IS DESEDEselected/cfifDESEDE/option /selectbr br bEnter string to encrypt/bbr textArea name = myString cols = 40 rows = 2 WRAP = VIRTUAL1234567890123456/textArea input type = Submit value = Encrypt my String /form ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351106 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
You need to use a feedback mode other than ECB (the default when you omit it from the algorithm) to use an IV, try using AES/CBC/PKCS5Padding for your algorithm. This KB article has a lot of info about this stuff: http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html -- Pete Freitag - Adobe Community Professional http://foundeo.com/ - ColdFusion Consulting Products http://petefreitag.com/ - My Blog http://hackmycf.com - Is your ColdFusion Server Secure? On Thu, May 10, 2012 at 2:52 PM, Carol Knapp c...@kargo.net wrote: Here's the test code. I'll take AES or DESEDE or better. Running cf enterprise. !--- testenc.cfm ** Purpose:test encryption --- html headtitleTest ENC/title/head body style=margin:20px; font-family:Arial, Helvetica, sans-serif; font-size:12px; background-color:#f2f0db; h3Test ENC/h3 !--- Do the following if the form has been submitted. --- cfif IsDefined(Form.myString) cfscript theKey=generateSecretKey(Form.myAlgorithm); anotherKey=generateSecretKey(Form.myAlgorithm); useasiv = encryptBinary(anotherkey,theKey,Form.myAlgorithm,Form.myEncoding); //Encrypt the string. encrypted=encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding); IVencrypted = encrypt(Form.myString, theKey, Form.myAlgorithm,Form.myEncoding,useasiv); //Decrypt it. decrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding); IVdecrypted=decrypt(encrypted, theKey, Form.myAlgorithm, Form.myEncoding,useasiv); /cfscript !--- Display the values and the results. --- cfoutput bThe algorithm:/b #Form.myAlgorithm#br br bThe key:nbsp;nbsp;/B #theKey#br br bThe string:/b #Form.myString# br br bEncrypted:nbsp;nbsp;nbsp;/b #encrypted#br bIVencrypted:/b #IVencrypted#br br bDecrypted:/b #decrypted#br bIVecrypted:/b #ivdecrypted#br brbr /cfoutput /cfif cfparam name=myEncoding default= cfparam name=myAlgorithm default= !--- The input form. --- form action=cfoutput#CGI.SCRIPT_NAME#/cfoutput method=post input type=hidden name=onetimeid value=cfoutput#onetimeid#/cfoutput bSelect the encoding/bbr select size=1 name=myEncoding option cfif myEncoding IS UUselected/cfifUU/option option cfif myEncoding IS Base64selected/cfifBase64/option option cfif myEncoding IS Hexselected/cfifHex/option /selectbr br bSelect the algorithm/bbr select size=1 name=myAlgorithm option cfif myAlgorithm IS AESselected/cfifAES/option option cfif myAlgorithm IS DESselected/cfifDES/option option cfif myAlgorithm IS DESEDEselected/cfifDESEDE/option /selectbr br bEnter string to encrypt/bbr textArea name = myString cols = 40 rows = 2 WRAP = VIRTUAL1234567890123456/textArea input type = Submit value = Encrypt my String /form ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351107 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
You need to use a feedback mode other than ECB (the default when you omit it from the algorithm) to use an IV, try using AES/CBC/PKCS5Padding for your algorithm. This KB article has a lot of info about this stuff: http://helpx.adobe.com/coldfusion/kb/strong-encryption-coldfusion-mx-7.html As usual I get a phone call and Pete beats me to the punch. :) An IV is only used when AES is using a block cipher. CBC is Cipher Block Chaining Mode, so it would use an IV (algorithm = AES/CBC/PKCS5Padding); ECB is the default mode and doesn't use an IV (algorithm = AES). Also, the IV you pass in must be the same length as the block mode of the algorithm (e.g. the same as the key length), so in the original sample code, encrypting the anotherkey value and using that as the IV probably won't work. You can generate another key and use a hash of its value to the appropriate length to get a similar result (e.g. cfset useasiv = left(hash(anotherkey), 16)). -Justin Scott ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351109 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: encrypting with initialization vectors
Got it working. Thanks, guys. rantI don't get why this kind of information wouldn't be available in the cf9 reference./rant I can't seem to get the encrypt function to take an initialization vector. It doesn't matter what I put there. It returns the exact same result as if there is no initialization vector. Is anyone using that? Can you please provide an example where it works? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:351110 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
encrypting data questions
What encryption algorithm would be appropriate for cc data? AES or blowfish? What kind of performance hit would it have? Also, what datatype is used to store the encrypted info in the db? ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330779 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting data questions
What encryption algorithm would be appropriate for cc data? AES or blowfish? What kind of performance hit would it have? We've been using Triple DES (DESEDE for the cf encryption functions) and storing it base64 encoded in a varchar field. As for performance, it depends on how many transactions you're doing. We didn't notice much of a difference, but the sites I'm using this on are not all that high volume. Haven't had any problems so far. -Justin ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330780 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting data questions
Just a quick word of caution.if you don't have to store CC data DON'T. Payment processors have recurring billing options where THEY take all the risk of storing such data. If you store it and it leaks out or you get hackedyou/your client/the company you work for will be liable. Keep in mind you may have to go through a security audit if you choose to store CC data OK...warning over ;-) Cheers On Tue, 2010-02-16 at 11:49 -0500, Matthew Smith wrote: What encryption algorithm would be appropriate for cc data? AES or blowfish? What kind of performance hit would it have? Also, what datatype is used to store the encrypted info in the db? ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330781 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting data questions
I'll repeat the warning about storing sensitive data in your db. If you don't have to (and there usually isn't a reason that can't be worked around) then don't do it. All of the transaction gateways I've dealt with recently (Authorize.net, Transfirst, Sage) have the ability to set up a profile for the customer on their server and then you can store the profile account info locally instead of the actual credit card. That being said, AES is a good encryption algorithm and the one I would go with by default. The downside to that is that any encryption algorithm you pick in CF means that you are going to need a key that is also accessible to CF. In most circumstances, your app server is going to be publicly reachable and that represents a security risk. That would make me suggest that you consider database-level encryption options as well as your db server should not be publicly accessible at all. MS-SQL supports database-level encryption and, as for 2008 I believe, column level encryption so that only the columns you need encrypted are encrypted. I'm not sure about other dbms encryption setups but I'm sure they exist for at least the major commercial databases. Cheers, Judah On Tue, Feb 16, 2010 at 8:49 AM, Matthew Smith chedders...@gmail.com wrote: What encryption algorithm would be appropriate for cc data? AES or blowfish? What kind of performance hit would it have? Also, what datatype is used to store the encrypted info in the d ~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:330782 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Encrypting/Decrypting XML
Hey all, Is there a way to encrypt and decrypt XML on the fly. I'm building a small cms, and want to store the login information in an XML file. I need to be able to read An encrypted file, do the typical login/password check and leave the file encrypted on the server, to keep it away from prying eyes. Why XML, I want to make a totally portable CMS, kinda plug and play. Thanks sas -- Scott Stewart ColdFusion Developer SSTWebworks 4405 Oakshyre Way Raleigh, NC. 27616 (703) 220-2835 http://www.sstwebworks.com http://www.linkedin.com/in/sstwebworks http://www.linkedin.com/in/sstwebworks Boycott Sys-Con http://www.sstwebworks.com/blog/index.cfm/2007/10/16/Boycotting-SysCon http://www.sstwebworks.com/blog/index.cfm/2007/10/16/Boycotting-SysCon ~| ColdFusion 8 - Build next generation apps today, with easy PDF and Ajax features - download now http://download.macromedia.com/pub/labs/coldfusion/cf8_beta_whatsnew_052907.pdf Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:294236 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting/Decrypting XML
Scott, Is there a way to encrypt and decrypt XML on the fly. I'm building a small cms, and want to store the login information in an XML file. I need to be able to read An encrypted file, do the typical login/password check and leave the file encrypted on the server, to keep it away from prying eyes. You could just hash the password and then store it in clear text in the XML. -Dan ~| Enterprise web applications, build robust, secure scalable apps today - Try it now ColdFusion Today ColdFusion 8 beta - Build next generation apps Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:294249 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Encrypting database information
Can anyone recommend a good encryption method for sensitive information(login details, etc...) stored in database tables? Thanks, Dave ** HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ** ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283987 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Encrypting database information
On Wednesday 18 Jul 2007, [EMAIL PROTECTED] wrote: Can anyone recommend a good encryption method for sensitive information(login details, etc...) stored in database tables? Does simply hashing the value before insert solve your problem ? -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| Macromedia ColdFusion MX7 Upgrade to MX7 experience time-saving features, more productivity. http://www.adobe.com/products/coldfusion?sdid=RVJW Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:283996 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
Re: Encrypting database information
md5 (one way encrypt) Hash pretty much standard way for passwords. I know alot of people that dont even encrypt passwords any more. The thought is if they have hacked your database what do they need the password for :) As for credit cards,customer details and such Usually requires something around the lines of an (nChiper Key storage box which you would need a backup in case one breaks) to be PCI compliant. I have a cheap way I use for my Web Hosting Billing Software. I have a Ioncube encoded/encrypted php file that Accepts a value and returns an encrypted value. The key for the hash is stored in the file. If my site is compromised they would have to break ioncube's encryption before they can decode any database values. Its just one more step. Ioncube has been broken before but it takes alot of time and money :) Eric On 7/18/07, Tom Chiverton [EMAIL PROTECTED] wrote: On Wednesday 18 Jul 2007, [EMAIL PROTECTED] wrote: Can anyone recommend a good encryption method for sensitive information(login details, etc...) stored in database tables? Does simply hashing the value before insert solve your problem ? -- Tom Chiverton This email is sent for and on behalf of Halliwells LLP. Halliwells LLP is a limited liability partnership registered in England and Wales under registered number OC307980 whose registered office address is at St James's Court Brown Street Manchester M2 2JF. A list of members is available for inspection at the registered office. Any reference to a partner in relation to Halliwells LLP means a member of Halliwells LLP. Regulated by the Law Society. CONFIDENTIALITY This email is intended only for the use of the addressee named above and may be confidential or legally privileged. If you are not the addressee you must not read it and must not use any information contained in nor copy it nor inform any person other than Halliwells LLP or the addressee of its existence or contents. If you have received this email in error please delete it and notify Halliwells LLP IT Department on 0870 365 8008. For more information about Halliwells LLP visit www.halliwells.com. ~| ColdFusion MX7 and Flex 2 Build sales marketing dashboard RIAâs for your business. Upgrade now http://www.adobe.com/products/coldfusion/flex2?sdid=RVJT Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:284004 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
urlencoding and encrypting
Is there any reason that a value that is encrypted() and urlencodedformat() on a CFMX 7.0.2 machine then passed through the url to a CFMX 6.1 machine to be urldecoded() and decrypted() to not result in the same value? We did make sure to use the form of encrypt/decrypt that is supported by 6.1. -- Ian Skinner Web Programmer BloodSource www.BloodSource.org Sacramento, CA - | 1 | | - Binary Soduko | | | - C code. C code run. Run code run. Please! - Cynthia Dunning Confidentiality Notice: This message including any attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender and delete any copies of this message. ~| Introducing the Fusion Authority Quarterly Update. 80 pages of hard-hitting, up-to-date ColdFusion information by your peers, delivered to your door four times a year. http://www.fusionauthority.com/quarterly Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:255016 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting Link Information
On Thursday 29 September 2005 20:03, David Reeves wrote: This idea will be used for our private company website, alot of the users are bookmarking pages but we want them to use the main page as the a portal (rather than lots of portals). How will encrypting the page name help ? My browser doesn't care if the bookmark in '/index.cfm', '/here/there/index.cfm' or '/asghsjhgsdgsd'. -- Tom Chiverton Advanced ColdFusion Programmer ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219857 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Encrypting Link Information
I would like to encrypt the link information that is shown when browsing one of my webpages. For instance instead of showing index.cfm i would like it to show 3227k2725626 or something like that. I hope this makes sence to you. Thanks in advance! ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219675 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting Link Information
Not sure about getting rid of the name of the file, you could probably do something in IIS or apache to get that working, but if all you need to do is encrypt the url variables I wrote a pair udfs for this a while ago. They should be up on www.cflib.org as urlEncrypt() and urlDecrypt(). If you're in Fusebox 4 I am going to convert it to a plugin, email me off list and I will send it to you when I am done. Tim Heald Senior Web Developer TeraTech, Inc. 2003 Winner CFDJ awards Best Consulting Service Email: [EMAIL PROTECTED] Voice: 1-301-424-3903 x111 Web: http://www.teratech.com -Original Message- From: David Reeves [mailto:[EMAIL PROTECTED] Sent: Thursday, September 29, 2005 2:36 PM To: CF-Talk Subject: Encrypting Link Information I would like to encrypt the link information that is shown when browsing one of my webpages. For instance instead of showing index.cfm i would like it to show 3227k2725626 or something like that. I hope this makes sence to you. Thanks in advance! ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219678 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting Link Information
Why not have it always say index.cfm, but encrypt the query string? That way you don't have to bother with determining what the file name is? !//-- andy matthews web developer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: David Reeves [mailto:[EMAIL PROTECTED] Sent: Thursday, September 29, 2005 1:36 PM To: CF-Talk Subject: Encrypting Link Information I would like to encrypt the link information that is shown when browsing one of my webpages. For instance instead of showing index.cfm i would like it to show 3227k2725626 or something like that. I hope this makes sence to you. Thanks in advance! ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219679 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting Link Information
This idea will be used for our private company website, alot of the users are bookmarking pages but we want them to use the main page as the a portal (rather than lots of portals). Why not have it always say index.cfm, but encrypt the query string? That way you don't have to bother with determining what the file name is? !//-- andy matthews web developer ICGLink, Inc. [EMAIL PROTECTED] 615.370.1530 x737 --//- -Original Message- From: David Reeves [mailto:[EMAIL PROTECTED] Sent: Thursday, September 29, 2005 1:36 PM To: CF-Talk Subject: Encrypting Link Information I would like to encrypt the link information that is shown when browsing one of my webpages. For instance instead of showing index.cfm i would like it to show 3227k2725626 or something like that. I hope this makes sence to you. Thanks in advance! ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219681 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting email with CF5.0
Not in CF 5, in CF 6 there's a Java wrapper for GPG at http://swem.wm.edu/blogs/waynegraham On 5/6/05, Jim Louis [EMAIL PROTECTED] wrote: Is there any way to do this with out cfexecute. I am on a shared server and the do not allow cfexecute. Jim Louis We use the gdata Outlook plugin (uses gpg encryption) http://www3.gdata.de/gpg/download.html You could encrypt the contents of the mail with cfexecute and gpg, open it in Outlook, voila. (Maybe) :-) Ian ~| Find out how CFTicket can increase your company's customer support efficiency by 100% http://www.houseoffusion.com/banners/view.cfm?bannerid=49 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:206053 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Encrypting email with CF5.0
This is what I am trying to do 1. customer submits registration form and is processed. 2. an encrypted email is made and then I recieve it into Outlook, which is then decrypted. Any one have any idea if this is possible? Jim Louis Best Meetings Inc 952.858.8875 ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205863 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting email with CF5.0
We use the gdata Outlook plugin (uses gpg encryption) http://www3.gdata.de/gpg/download.html You could encrypt the contents of the mail with cfexecute and gpg, open it in Outlook, voila. (Maybe) :-) Ian -Original Message- From: Jim Louis [mailto:[EMAIL PROTECTED] Sent: 06 May 2005 17:21 To: CF-Talk Subject: Encrypting email with CF5.0 This is what I am trying to do 1. customer submits registration form and is processed. 2. an encrypted email is made and then I recieve it into Outlook, which is then decrypted. Any one have any idea if this is possible? Jim Louis Best Meetings Inc 952.858.8875 ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205864 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting email with CF5.0
Is there any way to do this with out cfexecute. I am on a shared server and the do not allow cfexecute. Jim Louis We use the gdata Outlook plugin (uses gpg encryption) http://www3.gdata.de/gpg/download.html You could encrypt the contents of the mail with cfexecute and gpg, open it in Outlook, voila. (Maybe) :-) Ian ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205871 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Encrypting JDBC
Is it possible to encrypt the JDBC connection between ColdFusion and the database server? I'm using CFMX 7 Standard and MS SQL Server 2000. Thanks, --Nathan ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205569 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting JDBC
http://www.google.com/search?q=jdbc+encryption Looks like it's probably doable, but not a built-in feature that you can just click a checkbox for. cheers, barneyb On 5/4/05, Nathan Mische [EMAIL PROTECTED] wrote: Is it possible to encrypt the JDBC connection between ColdFusion and the database server? I'm using CFMX 7 Standard and MS SQL Server 2000. Thanks, --Nathan -- Barney Boisvert [EMAIL PROTECTED] 360.319.6145 http://www.barneyb.com/ Got Gmail? I have 50 invites. ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205571 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting JDBC
I would suggest doing a VPN instead, if possible. Windows includes its own VPN system or you might want to try http://www.openvpn.net/ which is multi-platform. -- Damien McKenna - Web Developer - [EMAIL PROTECTED] The Limu Company - http://www.thelimucompany.com/ - 407-804-1014 #include stdjoke.h -Original Message- From: Nathan Mische [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 04, 2005 2:58 PM To: CF-Talk Subject: Encrypting JDBC Is it possible to encrypt the JDBC connection between ColdFusion and the database server? ~| Logware (www.logware.us): a new and convenient web-based time tracking application. Start tracking and documenting hours spent on a project or with a client with Logware today. Try it for free with a 15 day trial account. http://www.houseoffusion.com/banners/view.cfm?bannerid=67 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205573 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
RE: Encrypting JDBC
Is it possible to encrypt the JDBC connection between ColdFusion and the database server? I'm using CFMX 7 Standard and MS SQL Server 2000. Yes. Microsoft recommends using SSL for encrypting database connections; this is supported within MS SQL Server 2000. However, I don't think the DataDirect driver supports SSL - most JDBC Type 4 drivers don't, for various reasons. At least, according to the DataDirect site, they don't support it yet: http://knowledgebase2.datadirect.com/kbase.nsf/26536a530e20a22b85256e550079a fc2/b3be2051e6ca6cdb85256ec100500d22?OpenDocumentHighlight=0,ssl The free jTDS driver (http://jtds.sourceforge.net/) does, according to its documentation, but I haven't worked much with jTDS yet. Alternatively, you might use a VPN or IPSec tunnel, as Damien suggested. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205589 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Re: Encrypting JDBC
Thanks everyone for the suggestions. --Nathan On 5/4/05, Dave Watts [EMAIL PROTECTED] wrote: Is it possible to encrypt the JDBC connection between ColdFusion and the database server? I'm using CFMX 7 Standard and MS SQL Server 2000. Yes. Microsoft recommends using SSL for encrypting database connections; this is supported within MS SQL Server 2000. However, I don't think the DataDirect driver supports SSL - most JDBC Type 4 drivers don't, for various reasons. At least, according to the DataDirect site, they don't support it yet: http://knowledgebase2.datadirect.com/kbase.nsf/26536a530e20a22b85256e550079a fc2/b3be2051e6ca6cdb85256ec100500d22?OpenDocumentHighlight=0,ssl The free jTDS driver (http://jtds.sourceforge.net/) does, according to its documentation, but I haven't worked much with jTDS yet. Alternatively, you might use a VPN or IPSec tunnel, as Damien suggested. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information! ~| Discover CFTicket - The leading ColdFusion Help Desk and Trouble Ticket application http://www.houseoffusion.com/banners/view.cfm?bannerid=48 Message: http://www.houseoffusion.com/lists.cfm/link=i:4:205599 Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4 Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4 Donations Support: http://www.houseoffusion.com/tiny.cfm/54
Encrypting strings
I need to encrypt SSNs. I'm looking for something more powerful than encrypt(). Also, does the length of my encryption key affect the difficulty for people trying to decrypt? For example, is using canine for a key more secure than using dog just because it's longer? Thanks, -- Austin [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
How about using CFusion_Encrypt() to encrypt your information?I think it's a bit stronger. Also, can't you Hash() the string and then compare it to another hashed value when needed? _ From: Austin Govella [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 07, 2004 2:29 PM To: CF-Talk Subject: Encrypting strings I need to encrypt SSNs. I'm looking for something more powerful than encrypt(). Also, does the length of my encryption key affect the difficulty for people trying to decrypt? For example, is using canine for a key more secure than using dog just because it's longer? Thanks, -- Austin _ [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
Are you sure you need to encrypt SSNs? Unless your setup is more sophisticated than most, encryption will only provide a placebo in terms of security. -Matt -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Austin Govella Sent: Wednesday, July 07, 2004 3:29 PM To: CF-Talk Subject: Encrypting strings I need to encrypt SSNs. I'm looking for something more powerful than encrypt(). Also, does the length of my encryption key affect the difficulty for people trying to decrypt? For example, is using canine for a key more secure than using dog just because it's longer? Thanks, -- Austin [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting strings
Actually, cfusion_encrypt() uses extremely weak encryption. It's more like encoding than encryption. >From memory, it loops over the string performing an XOR on each character in the string with the corresponding character in the key. When it reaches the end of the key it starts again. The resulting character from the XOR is converted to base64 or HEX or some such. Essentially it is very easy to reverse engineer if you know anything at all about the key, the string, or the encrypted string. If you can possibly use it, hash() will provide the most secure method of storage, but you can never get back to the original string. If that won't work for you, you might consider using some of the native functionality available in the CFMX internals, or an external class file. Spike Stephen Milligan Code poet for hire http://www.spike.org.uk Do you cfeclipse? http://cfeclipse.tigris.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dawson, Michael Sent: Wednesday, July 07, 2004 12:38 PM To: CF-Talk Subject: RE: Encrypting strings How about using CFusion_Encrypt() to encrypt your information?I think it's a bit stronger. Also, can't you Hash() the string and then compare it to another hashed value when needed? _ From: Austin Govella [mailto:[EMAIL PROTECTED] Sent: Wednesday, July 07, 2004 2:29 PM To: CF-Talk Subject: Encrypting strings I need to encrypt SSNs. I'm looking for something more powerful than encrypt(). Also, does the length of my encryption key affect the difficulty for people trying to decrypt? For example, is using canine for a key more secure than using dog just because it's longer? Thanks, -- Austin _ [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
Re: Encrypting strings
A salted hash would be best if you can do it.Depends on whether you need to get the numbers back out again, or if you are using it for something like a password. Otherwise, as Matt says all someone has to do is find your encryption key on your server and they own your data.The only way to stop that is to use a public/private key and make people paste it in to access the decrypted data. cflib.org has other encryption algorthms, and there are several that you can buy.My favorite is cfx_textcrypt. -- --Matt Robertson-- MSB Designs, Inc. mysecretbase.com [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings] [Donations and Support]
RE: Encrypting URLs
If you're happy with the results of encrypt() (which isn't really that strong of encryption) then all you'd have to do to use it is to URLEncodedFormat() the value before using it on the URL. This will add some length the encrypted value, but if all you're encrypting is an ID number it shouldn't cause problems. Jim Davis _ From: Les Irvin [mailto:[EMAIL PROTECTED] Sent: Saturday, May 22, 2004 12:17 AM To: CF-Talk Subject: Encrypting URLs What's the best way to encrypt URL variables?For example, I'm passing an ID number but do not want it recognizable in the URL The encrypt function doesn't seem to work as it creates reserved url characters. Thanks in advance for any help, Les [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting URLs
From: Les Irvin What's the best way to encrypt URL variables?For example, I'm passing an ID number but do not want it recognizable in the URL The encrypt function doesn't seem to work as it creates reserved url characters. You can't use Encrypt() for URL variables because of the special characters it creates Here's an idea though, as long as you don't mind long URLs: Have a db table with lookups, store a UUID with all of the URL variables, then when you call a UUID, it looks up the equivalent URL variables and uses them How's that? [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting URLs
As Jim said, you need to URLEncodedFormat() the result of Encrypt() before putting it in the url... Sam Blog http://www.rewindlife.com TeamMM http://www.macromedia.com/go/team -Original Message- From: Philip Arnold [mailto:[EMAIL PROTECTED] Sent: Saturday, May 22, 2004 8:54 AM To: CF-Talk Subject: RE: Encrypting URLs From: Les Irvin What's the best way to encrypt URL variables?For example, I'm passing an ID number but do not want it recognizable in the URL The encrypt function doesn't seem to work as it creates reserved url characters. You can't use Encrypt() for URL variables because of the special characters it creates Here's an idea though, as long as you don't mind long URLs: Have a db table with lookups, store a UUID with all of the URL variables, then when you call a UUID, it looks up the equivalent URL variables and uses them How's that? [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Encrypting URLs
What's the best way to encrypt URL variables?For example, I'm passing an ID number but do not want it recognizable in the URL The encrypt function doesn't seem to work as it creates reserved url characters. Thanks in advance for any help, Les [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: encrypting SQL Server data
Does anybody have any experience or recommendations about what to use or how to go about doing it? http://developer.perthweb.com.au/textcrypt.html -- --- Matt Robertson,[EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: encrypting SQL Server data
That is a public key cryptosystem, he needs symmetric key. You can use one of the encryption functions on the http://www.cflib.org Plus functions there are free to use. TK http://www.tomkitta.com [Tom Kitta] -Original Message- From: Matt Robertson [mailto:[EMAIL PROTECTED] Sent: Tuesday, May 11, 2004 4:29 PM To: CF-Talk Subject: Re: encrypting SQL Server data Does anybody have any experience or recommendations about what to use or how to go about doing it? http://developer.perthweb.com.au/textcrypt.html -- --- Matt Robertson,[EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: encrypting SQL Server data
Tom Kitta wrote That is a public key cryptosystem, he needs symmetric key No, the original post didn't say that, and asymmetric key systems work in the scenario he provided.Granted they are more trouble to deal with when used properly (i.e. the decryption key is kept off the server and input -- pasted in -- at the start of each work session), but the sacrifice in convenience is made up for by the increased security. Provided of course the users know not to do things like email someone the private key. -- --- Matt Robertson,[EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
encrypting SQL Server data
Walt I have to build an HR application that will contain sensitive information and they would like to have the data (salary, SSN, etc.) in the database encrypted.We're using CFMX SQL Server 2000.Does anybody have any experience or recommendations about what to use or how to go about doing it? Thanks. Walt [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Encrypting CF code/files
I have been tasked with learning all I can on this. I have searched the knowledge base but didn't find what I thought was encrypting the code. Can anyone send me a link to where this is explained or tell me how you go about doing this? Thanks, Brian [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Encrypting CF code/files
What you're after is cfcrypt.exe here's a link that explains how to use it: http://www.macromedia.com/v1/documents/cf4/Advanced_ColdFusion_Development/11_Building_ColdFusion_Extensions/adv11_09.htm And here's one that explains that encrypted templates can easily be decrypted: http://www.macromedia.com/devnet/security/security_zone/asb99-08.html Cheers Bert -Original Message- From: Brian Yager [mailto:[EMAIL PROTECTED] Sent: 22 March 2004 14:48 To: CF-Talk Subject: Encrypting CF code/files I have been tasked with learning all I can on this. I have searched the knowledge base but didn't find what I thought was encrypting the code. Can anyone send me a link to where this is explained or tell me how you go about doing this? Thanks, Brian [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: Encrypting CF code/files
I think cfhub.com has a quick tutorial on making a simple app to use cfencrypt.exe And, yes, it is super easy to decrypt, I think it's MOD10 encryption if I remember correctly. As always, locked doors only keep honest people out. So licensing is important in any boxed product. ~Guy http://guymcdowell.hopto.org [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
Re: Encrypting CF code/files
Thanks much.This is exactly what I needed.This is for a classified site that will be on a classified network...We just want it for an extra layer of security. Brian What you're after is cfcrypt.exe here's a link that explains how to use it: http://www.macromedia. com/v1/documents/cf4/Adva nced_ColdFusion_Development/11_Building_ColdFusion_Extensions/adv11_09. htm And here's one that explains that encrypted templates can easily be decrypted: http://www.macromedia.com/devnet/security/security_zone/asb99-08.html Cheers Bert -Original Message- From: Brian Yager [mailto:[EMAIL PROTECTED] Sent: 22 March 2004 14:48 To: CF-Talk Subject: Encrypting CF code/files I have been tasked with learning all I can on this. I have searched the knowledge base but didn't find what I thought was encrypting the code. Can anyone send me a link to where this is explained or tell me how you go about doing this? Thanks, Brian [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
RE: Encrypting CF code/files
Thanks much.This is exactly what I needed.This is for a classified site that will be on a classified network...We just want it for an extra layer of security. This does not provide a significant layer of security. If someone is capable of accessing your web server's filesystem, a few minutes with Google will let them decrypt your code. Your time would probably be better spent on properly configuring your web server, including the application of filesystem ACLs to prevent users from reading the files in the first place. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 [Todays Threads] [This Message] [Subscription] [Fast Unsubscribe] [User Settings]
encrypting cfc's
What's the word on encrypting cfc's. Is it possible and are there any particular performance issues. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Host with the leader in ColdFusion hosting. Voted #1 ColdFusion host by CF Developers. Offering shared and dedicated hosting options. www.cfxhosting.com/default.cfm?redirect=10481 Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
encrypting password
What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Use a Hash() on the password for the insert, then on verification/logon hash() the form variable and compare the 2 hashes. HTH -Original Message- From: Anthony Wong [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 17:45 To: CF-Talk Subject: encrypting password What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
You could use the hash() function. Example: below taken from the docs !--- How to use Hash for password validation. This assumes that UserID value is passed to this page with a URL parameter. --- h3Hash Example/h3 cfquery name = CheckPerson datasource = UserData SELECT PasswordHash FROM SecureData WHERE UserID = cfqueryparam value = #UserID# cfsqltype = CF_SQL_CHARVAR /cfquery cfif Hash(form.password) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif Bryan F. Hogan Director of Internet Development Team Macromedia Volunteer Macromedia Certified ColdFusion MX Developer Digital Bay Media, Inc. 1-877-72DIGITAL -Original Message- From: Anthony Wong [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:45 AM To: CF-Talk Subject: encrypting password What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug -Original Message- From: Anthony Wong [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:45 AM To: CF-Talk Subject: encrypting password What would be the best method to encrypt password before it is inserted into the database? I'm using MySQL database. Would cfencrypt and cfdecrypt function sufficient in this case? TIA Anthony ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Thanks guys for the advice. I'm going to try it out. I'm not looking for a piece of expensive encryption solutions, so this would do well. -Original Message- From: Mike Townend [mailto:[EMAIL PROTECTED] Sent: Thursday, April 03, 2003 1:35 AM To: CF-Talk Subject: RE: encrypting password Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
One small disadvantage, depending on your application (and your user base): If you want to implement an I forgot my password page and email the _current_ password to the user, you can't do it. You've got to generate a new password first and email it out before hashing it into the db. I've seen the I forgot my password done at least three different ways on site's I've visited: 1. Email the user his current password. This obviously means they're storing the password either in a retrievable encrypted format or else unencrypted. 2. Generate a new password and email it to the user. This may indicate the password is stored using a one way hash. 3. Generate a new password and email it to the user, then force them to login using that password and immediately create a new password of their own choosing. This adds additional security over #2 in that the password sent via email, which could theoretically be intercepted, exists only for a short time. For most of the applications I do, security, while important, isn't a matter of life and death, so mostly I use method #1, with some type of encrytion/decryption. If someone breaks in and has complete access to a database, the cracking of user passwords is probably not going to be high on their list of priorities. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Ditto. My question though, is since you must store your salt string in the code (or the db somewhere), access to the db pretty much assumes they have access to the code as well. How is the salt string secure? Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
I want to be sure that I never, ever, ever, send a user's password to them in clear text email. This is important because as many websites as people log into they do not always a different password to each one. Their password on my site could be the same as their password on their personal banking website. Dumb, but frequent. So, my scheme of retrieving hashed passwords is to send the user an email with a link they can use to change their password. Essentially, I send the hashed string - that's used as the old password on the Change your password function. Now, interception of this email can still compromise their account, but only their account on my server... One small disadvantage, depending on your application (and your user base): If you want to implement an I forgot my password page and email the _current_ password to the user, you can't do it. You've got to generate a new password first and email it out before hashing it into the db. I've seen the I forgot my password done at least three different ways on site's I've visited: 1. Email the user his current password. This obviously means they're storing the password either in a retrievable encrypted format or else unencrypted. 2. Generate a new password and email it to the user. This may indicate the password is stored using a one way hash. 3. Generate a new password and email it to the user, then force them to login using that password and immediately create a new password of their own choosing. This adds additional security over #2 in that the password sent via email, which could theoretically be intercepted, exists only for a short time. For most of the applications I do, security, while important, isn't a matter of life and death, so mostly I use method #1, with some type of encrytion/decryption. If someone breaks in and has complete access to a database, the cracking of user passwords is probably not going to be high on their list of priorities. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
You could store it as a single CFSET tag in an encrypted file that only the CF user has permission to read, or put it somewhere that's really secure (offline DB that you have to do some nasty authentication over SSL to get the data from), and then cache it upon app startup. Both are still suceptible to anything that lets a use execute CF code, as they can just dump the application scope variables, but such is life. --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.756.8080 x12 fax : 360.647.5351 www.audiencecentral.com -Original Message- From: Tony Schreiber [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 10:23 AM To: CF-Talk Subject: RE: encrypting password Ditto. My question though, is since you must store your salt string in the code (or the db somewhere), access to the db pretty much assumes they have access to the code as well. How is the salt string secure? Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
RE: encrypting password
Are we talking about building Bank of America's Online Banking ;) Seems to me, the user asking the question is not looking for a cure-all. Bryan F. Hogan Director of Internet Development Team Macromedia Volunteer Macromedia Certified ColdFusion MX Developer Digital Bay Media, Inc. 1-877-72DIGITAL -Original Message- From: Barney Boisvert [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 1:35 PM To: CF-Talk Subject: RE: encrypting password You could store it as a single CFSET tag in an encrypted file that only the CF user has permission to read, or put it somewhere that's really secure (offline DB that you have to do some nasty authentication over SSL to get the data from), and then cache it upon app startup. Both are still suceptible to anything that lets a use execute CF code, as they can just dump the application scope variables, but such is life. --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.756.8080 x12 fax : 360.647.5351 www.audiencecentral.com -Original Message- From: Tony Schreiber [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 10:23 AM To: CF-Talk Subject: RE: encrypting password Ditto. My question though, is since you must store your salt string in the code (or the db somewhere), access to the db pretty much assumes they have access to the code as well. How is the salt string secure? Yes but if they have access to your db then you've got generally a bigger problem than a dictionary attack -Original Message- From: Brandon Stone [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 2, 2003 18:21 To: CF-Talk Subject: RE: encrypting password One note on security using hash, this still leaves the passwords in the database open to dictionary attacks. Its really only slightly better than storing the passwords unencrypted. That is to say, if the attacker somehow gains access to the database, they just need to use a dictionary file, and try a hash of those words one at a time until a match is found. A generally accepted strategy is to use a salt word as well to create the password. The salt is a string which you know and keep secure, which the attacker hopefully does not. Then they need 2 pieces of information to attack the database. The comparison is essentially the same: cfset salt = mysuperS3cRetStr$ng cfif Hash(form.passwordsalt) is not checkperson.passwordHash cflocation url = unauthenticated.cfm cfelse ... /cfif when you insert the hashed password, just append the salt to the end. cfset hashedPwForDBInsertion = Hash(form.passwordsalt) One more note, using hash() makes lost password retrieval more difficult in that the hash() function is a one way hash. There is no way to unhash. So essentially, if someone loses their password, you need a mechanism for them to reset the password to a new password, rather than just pulling the old one from the db and sending it to them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 02, 2003 11:51 AM To: CF-Talk Subject: RE: encrypting password I'd suggest using CFs hash() function. It's a one way encryption/obfuscation method. Doug ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
Tony Schreiber wrote: I want to be sure that I never, ever, ever, send a user's password to them in clear text email. This is important because as many websites as people log into they do not always a different password to each one. Their password on my site could be the same as their password on their personal banking website. Dumb, but frequent. I think your reasoning here is a little flawed. This is an end user problem, and not sending passwords in a plain text email protects only against a fraction of the ways this mistake can be exploited. I inheritted a site not long ago where the developer stored passwords in plain text. I noticed that many of the users accounts on the site had Yahoo and Hotmail email addresses. So just for grins, I went to Yahoo's webmail Hotmail and tried logging in using those email addresses and stored password. Probably 1/4 to 1/2 of them worked. Imagine how easy it would be for an unscrupulous web site owner or web developer to collect passwords? The only way around this is to generate all passwords and not permit users to set their own. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89 70.4
Re: encrypting password
I am simply attempting to protect my users from their own ignorance or dangerous habits. Your example is only further proof that what I described is a real problem. I'm certainly not attempting or claiming to attempt to prevent this from occuring, but I don't want any of my websites to contribute to this problem or more importantly, be the source from which nefarious persons gained access to one of my user's much more valuable accounts (banking, bill paying, etc). Storing the passwords encrypted is one way (particularly hashed, so that even the developers, etc. can't access the passwords) is one way to protect your users. Another is by never sending their passwords in clear text. I want to be sure that I never, ever, ever, send a user's password to them in clear text email. This is important because as many websites as people log into they do not always a different password to each one. Their password on my site could be the same as their password on their personal banking website. Dumb, but frequent. I think your reasoning here is a little flawed. This is an end user problem, and not sending passwords in a plain text email protects only against a fraction of the ways this mistake can be exploited. I inheritted a site not long ago where the developer stored passwords in plain text. I noticed that many of the users accounts on the site had Yahoo and Hotmail email addresses. So just for grins, I went to Yahoo's webmail Hotmail and tried logging in using those email addresses and stored password. Probably 1/4 to 1/2 of them worked. Imagine how easy it would be for an unscrupulous web site owner or web developer to collect passwords? The only way around this is to generate all passwords and not permit users to set their own. Jim ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting password
-- Original Message -- From: Matt Robertson [EMAIL PROTECTED] A big 'me too' on never, ever sending a pwd over email. I use a similar system to what Tony described. User enters their email address and I send that email acct the username and an encrypted link back to a special routine that lets the user change the pwd. So, instead of just sending the password over e-mail (which should still require the person to know their username, which shouldn't be included in the e-mail), you're sending a link over e-mail which also includes their username? Is that really less secure? The way I figure, even if the password e-mail is intercepted, the person intercepting the e-mail also needs to know the username. Sure, they could guess (probably based on the user's e-mail address). But it seems to me like your method allows someone intercepting the e-mail to actually change the password to whatever they want, without needing anything but the e-mail (since you're also giving them the username). Unless I'm missing something there. (Obviously, this is without the question/answer option.) Scott Scott Brady http://www.scottbrady.net/ ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting password
No, you're not missing anything. Thats the reason for the question/answer bit. I designed what I described originally after register.com's user account pwd system. Just cuz they use it doesn't make it golden, but it is self-maintaining, which is a big administrative plus, especially with large user populations on systems where letting the user create a new account and dump the old one on their own isn't an option. The interrogation bit at the end is what protects against what you describe. Dictionary attacks were mentioned in an earlier post. As long as we're on the subject a list of forbidden passwords is a good idea. Then you literally put the dictionary in the forbidden list to protect against dictionary attacks. I've got an 84000+ word list that only takes a few ms to check against. Ideally I would have several languages in there to cover more than just English, as well as variations on English (i.e. American vs. UK English: organization vs. organisation etc.). --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- Original Message -- From: Scott Brady [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] date: Wed, 2 Apr 2003 12:56:05 -0700 -- Original Message -- From: Matt Robertson [EMAIL PROTECTED] A big 'me too' on never, ever sending a pwd over email. I use a similar system to what Tony described. User enters their email address and I send that email acct the username and an encrypted link back to a special routine that lets the user change the pwd. So, instead of just sending the password over e-mail (which should still require the person to know their username, which shouldn't be included in the e-mail), you're sending a link over e-mail which also includes their username? Is that really less secure? The way I figure, even if the password e-mail is intercepted, the person intercepting the e-mail also needs to know the username. Sure, they could guess (probably based on the user's e-mail address). But it seems to me like your method allows someone intercepting the e-mail to actually change the password to whatever they want, without needing anything but the e-mail (since you're also giving them the username). Unless I'm missing something there. (Obviously, this is without the question/answer option.) Scott Scott Brady http://www.scottbrady.net/ ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Hash() across CF versions (was: encrypting passwords)
Does anyone know if the hash() function in CF 4.5, 5 and MX return identical results and are thus interchangeable? --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Hash() across CF versions (was: encrypting passwords)
Should be. The hash() function is supposed to be an md5 implementation, so I don't see why they should change across versions. - Original Message - From: Matt Robertson [EMAIL PROTECTED] Date: Wednesday, April 2, 2003 1:20 pm Subject: Hash() across CF versions (was: encrypting passwords) Does anyone know if the hash() function in CF 4.5, 5 and MX return identical results and are thus interchangeable? --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Hash() across CF versions (was: encrypting passwords)
Cool. Thx! --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- -- Original Message -- From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] date: Wed, 02 Apr 2003 13:18:15 -0700 Should be. The hash() function is supposed to be an md5 implementation, so I don't see why they should change across versions. - Original Message - From: Matt Robertson [EMAIL PROTECTED] Date: Wednesday, April 2, 2003 1:20 pm Subject: Hash() across CF versions (was: encrypting passwords) Does anyone know if the hash() function in CF 4.5, 5 and MX return identical results and are thus interchangeable? --- Matt Robertson, [EMAIL PROTECTED] MSB Designs, Inc. http://mysecretbase.com --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting password
You are correct. MY goal in not sending the password in clear text is to protect the user's OTHER accounts, no so much their account on my server. As I mentioned, intercepting the change password email WOULD allow the nefarious person to gain access to their account on my server - but still protects the user's password. As Matt described, the challenge/answer part would add that next layer of protection... The way I figure, even if the password e-mail is intercepted, the person intercepting the e-mail also needs to know the username. Sure, they could guess (probably based on the user's e-mail address). But it seems to me like your method allows someone intercepting the e-mail to actually change the password to whatever they want, without needing anything but the e-mail (since you're also giving them the username). Unless I'm missing something there. (Obviously, this is without the question/answer option.) Scott Scott Brady http://www.scottbrady.net/ ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Encrypting password
HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As *** or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting password
if you really do not have a valid reason to display the actual pwd, just use * You can use 1 * for each character or just display 10 or so regardless. [EMAIL PROTECTED] 03/26/03 12:58PM HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As *** or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting password
Just don't include it on the page, or don't prefill the password text box, then on the server side if Len(Trim(Form.Password)) GT 0 then change the password else don't include the password in the SQL update statement HTH Mikey -Original Message- From: FlashGuy [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 17:59 To: CF-Talk Subject: Encrypting password HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As *** or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting password
You could display it in a password form field, or you could just not query/display it at all. :-) -- Ben Doom Programmer General Lackey Moonbow Software, Inc : -Original Message- : From: FlashGuy [mailto:[EMAIL PROTECTED] : Sent: Wednesday, March 26, 2003 12:59 PM : To: CF-Talk : Subject: Encrypting password : : : HI, : : I'm displaying all the fields from my database which also : contains the users password in plain text. Is there a way to : encrypt it when I display it to the screen? : As *** or just a bunch of gobbly gook? : : #GetUsers.Password# : : : : : --- : Colonel Nathan R. Jessop : Commanding Officer : Marine Ground Forces : Guatanamo Bay, Cuba : --- : : : : ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Encrypting password
All kinds of ways. If you just want garbage then use the built in Hash() function to has it. You could also check it's length using Len() and then output that many asterixs. The big question is...Why display it if it's encrypted garbage and useless to the user? Cheers Bryan Stevenson B.Comm. VP Director of E-Commerce Development Electric Edge Systems Group Inc. t. 250.920.8830 e. [EMAIL PROTECTED] - Macromedia Associate Partner www.macromedia.com - Vancouver Island ColdFusion Users Group Founder Director www.cfug-vancouverisland.com - Original Message - From: FlashGuy [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 9:58 AM Subject: Encrypting password HI, I'm displaying all the fields from my database which also contains the users password in plain text. Is there a way to encrypt it when I display it to the screen? As *** or just a bunch of gobbly gook? #GetUsers.Password# --- Colonel Nathan R. Jessop Commanding Officer Marine Ground Forces Guatanamo Bay, Cuba --- ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: Encrypting password
Displaying in a password field is not secure, because you can just view source and read the password out of the HTML. Much better to fill it in with a series of asterisks, and then on the processing side see if the string is all asterisks, and if it is, ignore it. barneyb --- Barney Boisvert, Senior Development Engineer AudienceCentral (formerly PIER System, Inc.) [EMAIL PROTECTED] voice : 360.671.8708 x12 fax : 360.647.5351 www.audiencecentral.com -Original Message- From: Ben Doom [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 26, 2003 10:07 AM To: CF-Talk Subject: RE: Encrypting password You could display it in a password form field, or you could just not query/display it at all. :-) -- Ben Doom Programmer General Lackey Moonbow Software, Inc : -Original Message- : From: FlashGuy [mailto:[EMAIL PROTECTED] : Sent: Wednesday, March 26, 2003 12:59 PM : To: CF-Talk : Subject: Encrypting password : : : HI, : : I'm displaying all the fields from my database which also : contains the users password in plain text. Is there a way to : encrypt it when I display it to the screen? : As *** or just a bunch of gobbly gook? : : #GetUsers.Password# : : : : : --- : Colonel Nathan R. Jessop : Commanding Officer : Marine Ground Forces : Guatanamo Bay, Cuba : --- : : : : ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
encrypting stored data
What methods are being used by everyone to encrypt data before storing it in a MS SQL database? Has anyone used Blowfish encryption algorithm? Thank You, Dave Bosky ~Sr. Multimedia Web Designer ~HTC Web Services ~[EMAIL PROTECTED] ~office: 843.369.8613 HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting stored data
Bosky, Dave wrote: Has anyone used Blowfish encryption algorithm? We use Blowfish with PostgreSQL. But what is the problem you need to solve? Jochem ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting stored data
Yeah used Blowfish/2fish/pgp. Encryption is a very processor intensive operation, so you do run into performance issues. WG -Original Message- From: Bosky, Dave [mailto:[EMAIL PROTECTED]] Sent: 30 January 2003 14:22 To: CF-Talk Subject: encrypting stored data What methods are being used by everyone to encrypt data before storing it in a MS SQL database? Has anyone used Blowfish encryption algorithm? Thank You, Dave Bosky ~Sr. Multimedia Web Designer ~HTC Web Services ~[EMAIL PROTECTED] ~office: 843.369.8613 HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: encrypting stored data
At 09:21 AM 1/30/2003 -0500, you wrote: What methods are being used by everyone to encrypt data before storing it in a MS SQL database? Has anyone used Blowfish encryption algorithm? Thank You, Dave Bosky ~Sr. Multimedia Web Designer ~HTC Web Services ~[EMAIL PROTECTED] ~office: 843.369.8613 We use an XML-based user profile on one of our web properties, and we use CFENCRYPT to encrypt the data and stuff it in an SQLServer text field. Basic encryption, but it does the job. What type of data are you encrypting? -- Alex Sherwood PHS Collection Agency THE COLLECTORS T: 301.215.4200 F: 301.664.6834 W: www.phs-net.com ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Get the mailserver that powers this list at http://www.coolfusion.com Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
RE: encrypting stored data
Just need to encrypt some data before inserting it into our database and decrypt it when its retrieved. Dave -Original Message- From: Jochem van Dieten [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 30, 2003 9:44 AM To: CF-Talk Subject: Re: encrypting stored data Bosky, Dave wrote: Has anyone used Blowfish encryption algorithm? We use Blowfish with PostgreSQL. But what is the problem you need to solve? Jochem ~| Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4 Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribeforumid=4 FAQ: http://www.thenetprofits.co.uk/coldfusion/faq This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Encrypting cfquery
I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. Thanks Mike __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
Michael Ross wrote: I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. Do you want to encrypt it just while transfered over the network or while stored on disk as well? Jochem __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting cfquery
I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. You could use netcat to pipe the raw data via. ssh, similar to an ssh tunnel for HTTP... Tom Chiverton You don't have to be a mad scientist to believe in ColdFusion __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. Thanks Mike [EMAIL PROTECTED] 09/27/02 11:29AM Michael Ross wrote: I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. Do you want to encrypt it just while transfered over the network or while stored on disk as well? Jochem __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting cfquery
Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. You may be able to configure your database client so that all communication is encrypted. SQL Server supports this, for example. Alternatively, you can run your database client connection through IPsec, if you're using Windows 2000 for both the web and database servers. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ voice: (202) 797-5496 fax: (202) 797-5444 : dream :: design :: develop : MXDC 02 :: Join us at this all day conference for designers developers to learn tips, tricks, best practices and more for the entire Macromedia MX suite. September 28, 2002 :: http://www.mxdc02.com/ (Register today, seats are limited!) :: __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
You can set up a VPN between the two machines. You can also buy hardware NIC's that can do the encryption for you. Check out: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remo teaccess/vpnoverview.asp - Original Message - From: Michael Ross [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, September 27, 2002 12:44 PM Subject: Re: Encrypting cfquery Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. Thanks Mike [EMAIL PROTECTED] 09/27/02 11:29AM Michael Ross wrote: I am looking into encrypting the data that goes from the application server to the db server. Does anyone have any experience in doing something like this. I am searching around the net to see whats out there, so anything else I could get here would be greatly appreciated. Do you want to encrypt it just while transfered over the network or while stored on disk as well? Jochem __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting cfquery
Michael Ross wrote: Just to transfer for right now. It comes from someone being able to sniff the communication between the two devices so that important info doesn't get passed in plain text. The easy, fast, simple, reliable, secure and no nonsense solution is to buy 2 NIC's and a cross cable. Else, it depends a lot on what OS etc. you are running, but things that jump to mind are SSL connections (most databases support those), VPN's, IPsec etc. But I would go for the extra NIC's. Jochem __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Encrypting a Demo
We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and cflocation them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Paul Giesenhagen [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Or I suppose you could use cffile action=write attributes=hidden and read that in your application.cfm Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Douglas Brown [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 12:03 PM Subject: Re: Encrypting a Demo Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and cflocation them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Paul Giesenhagen [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
That is what I figured that there isn't really a way around that ... I could compile an archive on the file that was encrypted with an encrypted key that is dated a certain time period. It could work, and it would be alot of fun building! Question for everyone out there .. .I have never seen, but is it pretty easy to find tools to unencrypt a cf file? I am just curious if I want to go through the hassle of encrypting and making our applications available if it is just plain easy and available for developers to unencrypt and fix the checks. Thanks Paul Giesenhagen QuillDesign - Original Message - From: Douglas Brown [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 2:03 PM Subject: Re: Encrypting a Demo Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and cflocation them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Paul Giesenhagen [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
hmm... that is an interesting thought ... I suppose it would keep the honest not real knowledgable coders honest... I will look into that one! Paul - Original Message - From: Douglas Brown [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 2:29 PM Subject: Re: Encrypting a Demo Or I suppose you could use cffile action=write attributes=hidden and read that in your application.cfm Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Douglas Brown [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 12:03 PM Subject: Re: Encrypting a Demo Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and cflocation them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Paul Giesenhagen [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Get the mailserver that powers this list at http://www.coolfusion.com FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
RE: Encrypting a Demo
yes, it is very easy to decrypt a CF file that has been encrypted within CF (using their encryption). I don't know as if Macromedia would appreciate anyone telling anyone where that is possible however. :-) mike -Original Message- From: Paul Giesenhagen [mailto:[EMAIL PROTECTED]] Sent: Friday, August 02, 2002 3:39 PM To: CF-Talk Subject: Re: Encrypting a Demo That is what I figured that there isn't really a way around that ... I could compile an archive on the file that was encrypted with an encrypted key that is dated a certain time period. It could work, and it would be alot of fun building! Question for everyone out there .. .I have never seen, but is it pretty easy to find tools to unencrypt a cf file? I am just curious if I want to go through the hassle of encrypting and making our applications available if it is just plain easy and available for developers to unencrypt and fix the checks. Thanks Paul Giesenhagen QuillDesign - Original Message - From: Douglas Brown [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 2:03 PM Subject: Re: Encrypting a Demo Well paul, not sure of other encryption methods other than cfencrypt. You could do the encryption and then use cfregistry to write a key and give it the date of the first application load and then use it again to check the value in application.cfm and cflocation them to a sorry!!! expired!!! This of course depends on them having the cfregistry tag enabled. Douglas Brown Email: [EMAIL PROTECTED] - Original Message - From: Paul Giesenhagen [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 11:39 AM Subject: Encrypting a Demo We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Tangorre, Michael wrote: yes, it is very easy to decrypt a CF file that has been encrypted within CF (using their encryption). I don't know as if Macromedia would appreciate anyone telling anyone where that is possible however. :-) I have a tool called AllCFM Power tools that does this. I only used it once when our dev server crashed leaving the changes of the day only in encrypted CFM on our real server... It can also retrieve or nullify your admin password, but that can be done easilly from a cfm page with cfregistry enabled. It even gives you your comments back... Now, before encrypting anything we first run a tool to remove all comments and line breaks (making the code much harder to interpret would you get your hands on them). __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
Why don't you put your demo on your own server? On Fri, 2 Aug 2002, Paul Giesenhagen wrote: We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ This list and all House of Fusion resources hosted by CFHosting.com. The place for dependable ColdFusion Hosting. FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypting a Demo
We are currently doing that, but alot of folks want to install it in their environment and have their hands on thing going. Paul Giesenhagen QuillDesign - Original Message - From: Alex [EMAIL PROTECTED] To: CF-Talk [EMAIL PROTECTED] Sent: Friday, August 02, 2002 3:50 PM Subject: Re: Encrypting a Demo Why don't you put your demo on your own server? On Fri, 2 Aug 2002, Paul Giesenhagen wrote: We offer our applications as open source, and would like to encrypt so we can offer a demo for download. Besides CF's Encrypt, does anyone have any recommendations on a possible way of encrypting a CF application and then putting a time limit on how long the demo lasts/works? Example would be to download the application, and it run for say 14 days and then it no longer works. Any suggestions or help would be greatly appreciated. Paul Giesenhagen QuillDesign __ Your ad could be here. Monies from ads go to support these lists and provide more resources for the community. http://www.fusionauthority.com/ads.cfm FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists