Re: Encrypt/Decrypt Files
Hey Rick,

You can use more secure forms of FTP as opposed to getting that draconian - just a thought ;-)

I haven't done any file encryption in a while, so I'll bow out on that detail - but yes it is doable.

Cheers

Bryan Stevenson B.Comm.
President & CEO
Electric Edge Systems Group Inc. - makers of FACTS(TM)
phone: 250.480.0642
cell: 250.920.8830
e-mail: br...@electricedgesystems.com
web: www.electricedgesystems.com and www.fisheryfacts.com

Please consider the environment before printing this e-mail

-- CONFIDENTIALITY --
This message, including any attachments, is confidential and may contain information that is privileged or exempt from disclosure. It is intended only for the person to whom it is addressed unless expressly authorized otherwise by the sender. If you are not an authorized recipient, please notify the sender immediately and permanently destroy all copies of this message and attachments.

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358891
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Encrypt/Decrypt Files
Check out https://wikidocs.adobe.com/wiki/display/coldfusionen/EncryptBinary including example at bottom.

On Thu, Jul 17, 2014 at 4:10 PM, Bryan Stevenson <br...@electricedgesystems.com> wrote:

> Hey Rick,
>
> You can use more secure forms of FTP as opposed to getting that draconian - just a thought ;-)
>
> I haven't done any file encryption in a while, so I'll bow out on that detail - but yes it is doable.
>
> Cheers

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358892
Re: Encrypt/Decrypt Files
Just to clarify, the problem is not in the transmission, which can be accomplished by FTPs, etc. Once the file resides on the shared FTP server, it needs to be encrypted to maintain security.

So, I think the flow is: (1) transmit plain file up to server, and (2) encrypt on the server. Reverse the flow to download.

TNX.

-- Rick

On 7/17/2014 2:10 PM, Bryan Stevenson wrote:

> Hey Rick,
>
> You can use more secure forms of FTP as opposed to getting that draconian - just a thought ;-)
>
> I haven't done any file encryption in a while, so I'll bow out on that detail - but yes it is doable.
>
> Cheers

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358893
Re: Encrypt/Decrypt Files
Thank you. Good start.

There is the question of the best way to keep track of keys for various, different files; or use the same key for all files without exposing it.

As you can see, I am very much a security novice when it comes to this stuff.

On 7/17/2014 2:18 PM, John M Bliss wrote:

> Check out https://wikidocs.adobe.com/wiki/display/coldfusionen/EncryptBinary including example at bottom.
>
> On Thu, Jul 17, 2014 at 4:10 PM, Bryan Stevenson <br...@electricedgesystems.com> wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:358894
RE: encrypt / decrypt question
Leigh,

I see what you mean, and your recommendation matches the syntax in the Adobe documentation. But, I think I have accounted for both algorithm and encoding in my statement below -- have I not?

<cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,GenerateSecretKey('AES', 256),'UU')#">

form.CreditCardNumber --- string
GenerateSecretKey(AES, 256) --- key, plus algorithm (AES, 256-bit)
UU --- encoding

Does the GenerateSecretKey function account for both the key and the algorithm? I've been studying the documentation and looking for examples. What am I missing?

Thank you again, folks.

Eric

-----Original Message-----
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Thursday, November 08, 2012 2:47 PM
To: cf-talk
Subject: RE: encrypt / decrypt question

> > Any idea what the "The UU algorithm is not supported" error is about?
>
> You skipped the algorithm again ;-) The third argument is the encryption algorithm ie AES. Encoding (ie UU) is the fourth argument.
>
> Encrypt(yourString, yourKey, theAlgorithm, theEncoding)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353101
RE: encrypt / decrypt question
> Does the GenerateSecretKey function account for both the key and the algorithm?

No - not the way you are thinking. You need to supply the algorithm twice. Once when generating the key _and_ once when performing the encryption. To better illustrate:

<!--- generate a key suitable for AES --->
<cfset theKey = GenerateSecretKey("AES", 256)>

<!--- now do the actual encryption using the AES algorithm --->
<cfset result = encrypt(form.CreditCardNumber,

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353107
RE: encrypt / decrypt question
My response got cut off.. Here is the full snippet... assuming it goes through ;-)

http://pastebin.com/fPLcU3Kd

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353114
RE: encrypt / decrypt question
Leigh, that makes abundant sense. Thank you very much. As always.

Eric

-----Original Message-----
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Friday, November 09, 2012 1:37 PM
To: cf-talk
Subject: RE: encrypt / decrypt question

> My response got cut off.. Here is the full snippet... assuming it goes through ;-)
>
> http://pastebin.com/fPLcU3Kd
>
> -Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353116
RE: encrypt / decrypt question
Leigh, Wil, and Pete: to follow up. This code seems to be working very well to encrypt a credit card number:

<!--- set default value for variable 'result' in case no value is entered for CreditCardNumber --->
<cfparam name="result" default="">

<!--- generate a key suitable for AES --->
<cfset theKey = GenerateSecretKey("AES", 256)>

<!--- now do the actual encryption using the AES algorithm --->
<cfset result = encrypt(form.CreditCardNumber, theKey, "AES", "UU")>

<!--- update statement --->
CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#result#">,

I will use the same logic to create the decrypt statement.

Thank you, again. Have a good evening.

Eric

-----Original Message-----
From: Leigh [mailto:cfsearch...@yahoo.com]
Sent: Friday, November 09, 2012 1:37 PM
To: cf-talk
Subject: RE: encrypt / decrypt question

> My response got cut off.. Here is the full snippet... assuming it goes through ;-)
>
> http://pastebin.com/fPLcU3Kd
>
> -Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353127
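An added example (the editor's, not code from the thread, the pastebin or Adobe's documentation) of the key handling the thread keeps returning to: generate the AES key once, keep it in a file outside the webroot, load it into the application scope, and store a per-record IV beside the ciphertext so the stored value can still be decrypted later. The key file path, application name, datasource and table/column names are assumptions.

```cfml
<!--- Application.cfc (excerpt). The key is generated ONCE and read back on every
      application start. Calling GenerateSecretKey() inline on each request, as in the
      snippet above, yields ciphertext nobody can ever decrypt: the key is never saved. --->
<cfcomponent output="false">
    <cfset this.name = "CardDemo">  <!--- ASSUMED application name --->

    <cffunction name="onApplicationStart" returntype="boolean" output="false">
        <!--- ASSUMED path: outside the webroot and any FTP root, readable only by the CF service account --->
        <cfset var keyFile = "C:\ColdFusion9\keys\card-aes-256.key">
        <cfif NOT fileExists(keyFile)>
            <!--- first run only. GenerateSecretKey returns a Base64 string, which is the
                  form encrypt()/decrypt() expect for their key argument. --->
            <cffile action="write" file="#keyFile#" output="#GenerateSecretKey('AES', 256)#" addnewline="false">
        </cfif>
        <cffile action="read" file="#keyFile#" variable="application.cardKey">
        <cfset application.cardKey = trim(application.cardKey)>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- cardcrypto.cfm: helpers included by the form action page --->
<cffunction name="protectCardNumber" returntype="struct" output="false">
    <cfargument name="cardNumber" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <!--- A fresh 16-byte IV per record, so two identical card numbers never share ciphertext.
          Decoding a throwaway 128-bit key from the JCE is a compact way to get 16 random bytes. --->
    <cfset var iv = binaryDecode(GenerateSecretKey("AES", 128), "Base64")>
    <cfset var out = structNew()>
    <!--- CBC with PKCS5 padding and an explicit IV. Plain "AES" means AES/ECB/PKCS5Padding
          in ColdFusion, and ECB reveals when two plaintexts are equal. --->
    <cfset out.cipherText = encrypt(arguments.cardNumber, arguments.key, "AES/CBC/PKCS5Padding", "Base64", iv)>
    <!--- The IV is not secret; it is stored next to the ciphertext so decrypt() can use it. --->
    <cfset out.iv = binaryEncode(iv, "Base64")>
    <cfreturn out>
</cffunction>

<cffunction name="revealCardNumber" returntype="string" output="false">
    <cfargument name="cipherText" type="string" required="true">
    <cfargument name="ivBase64" type="string" required="true">
    <cfargument name="key" type="string" required="true">
    <!--- Same key, same algorithm string, same encoding and the record's own IV --->
    <cfreturn decrypt(arguments.cipherText, arguments.key, "AES/CBC/PKCS5Padding", "Base64",
                      binaryDecode(arguments.ivBase64, "Base64"))>
</cffunction>

<!--- Form action page. ASSUMED datasource, table and column names. --->
<cfset protected = protectCardNumber(form.CreditCardNumber, application.cardKey)>
<cfquery datasource="#application.dsn#">
    UPDATE Customer
       SET CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#protected.cipherText#">,
           CreditCardIV     = <cfqueryparam cfsqltype="cf_sql_varchar" value="#protected.iv#">
     WHERE CustomerID       = <cfqueryparam cfsqltype="cf_sql_integer" value="#form.CustomerID#">
</cfquery>

<!--- Self-check with a constructed test number. The round trip succeeds only because
      the same persisted key is used for both calls. --->
<cfset demo = protectCardNumber("4111111111111111", application.cardKey)>
<cfif revealCardNumber(demo.cipherText, demo.iv, application.cardKey) NEQ "4111111111111111">
    <cfthrow message="round trip failed: key or IV mismatch">
</cfif>
```

The admin page that displays the number calls revealCardNumber() with the row's CreditCardNumber and CreditCardIV columns and application.cardKey.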
RE: encrypt / decrypt question
> Any idea what the "The UU algorithm is not supported" error is about?

You skipped the algorithm again ;-) The third argument is the encryption algorithm ie AES. Encoding (ie UU) is the fourth argument.

Encrypt(yourString, yourKey, theAlgorithm, theEncoding)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353094
RE: encrypt / decrypt question
OK, I am making progress. And your instructions make sense -- I see where I am going wrong.

My update statement now is:

CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,GenerateSecretKey('AES', 256),'UU')#">,

When I process the form, I get this error:

The UU algorithm is not supported by the Security Provider you have chosen.

I am not sure what that means, and a cursory search on this term did not inform me of much. I go back to the documentation:

http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c2f.html

And I see that the encoding attribute is optional. And if I take away the UU encoding attribute, the error goes away. (I get another error that I think is not related to encrypt -- I am working on that.) My other encoding options are hex and Base64.

Any idea what the "The UU algorithm is not supported" error is about?

Thank you again for your help.

Eric

-----Original Message-----
From: Pete Freitag [mailto:p...@foundeo.com]
Sent: Tuesday, November 06, 2012 10:53 AM
To: cf-talk
Subject: Re: encrypt / decrypt question

> You left out the algorithm: "AES" in your encrypt() call this time - also since you have the unlimited strength policy files you might consider generating a 256 bit key instead of the default 128, by doing:
>
> GenerateSecretKey("AES", 256)
>
> I have not found that I need the unlimited strength jurisdiction policy on CF9 standard when using the default 128 bit AES encryption, only when going up to 256 bit keys.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://hackmycf.com - Is your ColdFusion Server Secure?
> http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes
>
> On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland <e...@ebwebwork.com> wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353086
Re: encrypt / decrypt question
You left out the algorithm: "AES" in your encrypt() call this time - also since you have the unlimited strength policy files you might consider generating a 256 bit key instead of the default 128, by doing:

GenerateSecretKey("AES", 256)

I have not found that I need the unlimited strength jurisdiction policy on CF9 standard when using the default 128 bit AES encryption, only when going up to 256 bit keys.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

On Mon, Nov 5, 2012 at 7:15 PM, Eric Bourland <e...@ebwebwork.com> wrote:

> Hi, Wil,
>
> I read up on the generateSecretKey function, both in your very helpful example page, and on adobe:
> http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html
>
> I am having a little trouble with syntax. Here is my insert statement:
>
> <!--- provide default value for form.AES --->
> <cfparam name="form.AES" default="">
>
> <!--- insert statement uses encrypt function to place in the database an encrypted value for CreditCardNumber --->
> CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,generateSecretKey(form.AES),'UU')#">,
>
> This insert statement returns the error:
>
> The '' algorithm is not supported by the Security Provider you have chosen.
>
> (I am also not clear why the encryption method, AES, needs to be defined in the scope of FORM.)
>
> I was wondering if I could do the generateSecretKey function, and store the result in a variable (as you did, I think, in your example on trunkful.com). But again I get confused. Doesn't the key have to be a constant value? And stored in a constant place? It seems like the generateSecretKey function generates a new key every time the form is processed.
>
> Sorry to drag on with this question. I am still reading up in the documentation to see if I can construct a working insert statement.
>
> Thank you all again for your time and advice.
>
> Eric
>
> -----Original Message-----
> From: Wil Genovese [mailto:jugg...@trunkful.com]
> Sent: Sunday, November 04, 2012 9:58 PM
> To: cf-talk
> Subject: Re: encrypt / decrypt question

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353068
RE: encrypt / decrypt question
Hi, Wil,

I read up on the generateSecretKey function, both in your very helpful example page, and on adobe:
http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-6e72.html

I am having a little trouble with syntax. Here is my insert statement:

<!--- provide default value for form.AES --->
<cfparam name="form.AES" default="">

<!--- insert statement uses encrypt function to place in the database an encrypted value for CreditCardNumber --->
CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,generateSecretKey(form.AES),'UU')#">,

This insert statement returns the error:

The '' algorithm is not supported by the Security Provider you have chosen.

(I am also not clear why the encryption method, AES, needs to be defined in the scope of FORM.)

I was wondering if I could do the generateSecretKey function, and store the result in a variable (as you did, I think, in your example on trunkful.com). But again I get confused. Doesn't the key have to be a constant value? And stored in a constant place? It seems like the generateSecretKey function generates a new key every time the form is processed.

Sorry to drag on with this question. I am still reading up in the documentation to see if I can construct a working insert statement.

Thank you all again for your time and advice.

Eric

-----Original Message-----
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question

> Eric,
>
> A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this.
>
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>
> I hope this helps.
>
> Wil Genovese

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353067
Re: encrypt / decrypt question
Which encryption method are you using? The stronger ones require that you also install the Java Cryptography Extension.

http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html

Wil Genovese
Sr. Web Application Developer/Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 7:32 PM, Eric Bourland <e...@ebwebwork.com> wrote:

> Greetings. I have what is probably a very basic question, about which I have done a lot of reading - I still need some help.
>
> I am trying to use the encrypt function to encrypt a credit card number. I am placing the key as a variable in application.cfc, thus:
>
> <cfset request.encryptionKey = "128-bit character string">
>
> To encrypt the credit card number, I use this line in my insert statement:
>
> CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,request.encryptionkey,'AES')#">,
>
> ColdFusion returns this error:
>
> An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string (encryption key).
>
> How would you handle this? I simply want to:
>
> 1) Encrypt the credit card number that is placed in the database - so that even if someone compromises the database, the data is encrypted
> 2) Decrypt the credit card number when it is displayed on a secure administration page
>
> Should I not place the 128-bit key in application.cfc - but instead use the generatesecretkey function?
>
> Thank you for any advice.
>
> Eric
>
> ***
> Eric Bourland
> Internet Project Development
> Washington DC
> email: e...@ebwebwork.com
> web: ebwebwork.com
> mobile: 202-390-0185
> fax: 202-315-5809
> Skype: ericbourland1968
> Yahoo IM: eab_68
> AOL IM: ebwebwork
> ICQ IM: 23780065
> MSN IM: ebwebwork
> Google IM: ebwebwork

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353051
RE: encrypt / decrypt question
Wil,

> Which encryption method are you using? The stronger ones require that you also install the Java Cryptography Extension.

Yes, I was reading up on that in the Adobe documentation. OK, I will proceed to do that.

I had read that an encryption method was optional, but I understand that I should include it. Assuming I use the encryption method, I am guessing my insert statement would look something like:

CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber,request.encryptionkey,'AES','UU')#">,

And then the decrypt would look like:

Display Decrypted Credit Card Number: <cfoutput>#decrypt(form.CreditCardNumber,request.encryptionkey,"AES","UU")#</cfoutput>

Look ok?

Thank you for your advice. =)

Eric

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353052
Re: encrypt / decrypt question
Eric,

A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this.

http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion

I hope this helps.

Wil Genovese
Sr. Web Application Developer/Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353053
RE: encrypt / decrypt question
Wil,

Thanks very much for this! I will check it out.

Presently I am working on installing the Java Cryptography Extension (JCE) JAR files. Do you have a moment to consider a question about installation?

I downloaded and unzipped the unlimited strength JCE JAR policy files. No problem there. The README says to place the JAR files in the \lib\security\ folder. However, there are several \lib\security\ folders on my server, all under the c:\ColdFusion9\ folder. For example:

c:\ColdFusion9\runtime\jre\lib\security\
c:\ColdFusion9\inbridge\jre\lib\security\
c:\ColdFusion9\solr\jre\lib\security\

In which of these folders, do you think, I should place these JAR files?

Also, should I turn off the ColdFusion service before I place these files?

Thank you again.

Best from Eric

-----Original Message-----
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question

> Eric,
>
> A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this.
>
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>
> I hope this helps.
>
> Wil Genovese

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353054
Re: encrypt / decrypt question
> I downloaded and unzipped the unlimited strength JCE JAR policy files. No problem there. The README says to place the JAR files in the \lib\security\ folder. However, there are several \lib\security\ folders on my server, all under the c:\ColdFusion9\ folder. For example:
>
> c:\ColdFusion9\runtime\jre\lib\security\
> c:\ColdFusion9\inbridge\jre\lib\security\
> c:\ColdFusion9\solr\jre\lib\security\
>
> In which of these folders, do you think, I should place these JAR files?

I would think the first one. The other two folders are for separate JVMs that are used by bundled applications.

> Also, should I turn off the ColdFusion service before I place these files?

I think you'll need to restart CF afterwards, yes.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353055
Re: encrypt / decrypt question
Sure thing. The best way to know the correct one is to open your jvm.config file in c:\ColdFusion9\runtime\jre\bin and look at the java path. From the options you gave below I would guess, based on experience, that this is the correct folder:

c:\ColdFusion9\runtime\jre\lib\security\

For those with Multi-instance installs the paths will be different. For those that have updated their Java versions the paths may be different. That's why I say look in your jvm.config file(s).

Wil Genovese
Sr. Web Application Developer/Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 9:37 PM, Eric Bourland <e...@ebwebwork.com> wrote:

> c:\ColdFusion9\runtime\jre\lib\security\

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353056
RE: encrypt / decrypt question
I put the new JCE JAR files in c:\ColdFusion9\runtime\jre\lib\security\ and restarted ColdFusion. Nothing exploded. =)

Now I will run some tests based on the code examples that Wil has provided. I will let you know my results.

Thanks very much!

Eric

-----Original Message-----
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Sunday, November 04, 2012 10:43 PM
To: cf-talk
Subject: Re: encrypt / decrypt question

> Sure thing. The best way to know the correct one is to open your jvm.config file in c:\ColdFusion9\runtime\jre\bin and look at the java path. From the options you gave below I would guess, based on experience, that this is the correct folder:
>
> c:\ColdFusion9\runtime\jre\lib\security\
>
> For those with Multi-instance installs the paths will be different. For those that have updated their Java versions the paths may be different. That's why I say look in your jvm.config file(s).
>
> Wil Genovese
>
> On Nov 4, 2012, at 9:37 PM, Eric Bourland <e...@ebwebwork.com> wrote:
>
> > c:\ColdFusion9\runtime\jre\lib\security\

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353057
RE: encrypt / decrypt question
Making progress on this task. I'm getting an error about decoding. Here is my current insert statement:

CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber, request.encryptionkey, 'AES', 'UU')#">

When I submit my update form, I get this error:

An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string (string value from request.encryption key)

So, in application.cfc, I think I need to set up a value for #request.encryption# that the AES / UU method is able to decode. What do you think is a good way for me to derive a value for #request.encryption# that the AES / UU method will understand? I hope this question makes sense. Thank you again for your advice.

Eric

-----Original Message-----
From: Wil Genovese [mailto:jugg...@trunkful.com]
Sent: Sunday, November 04, 2012 9:58 PM
To: cf-talk
Subject: Re: encrypt / decrypt question

> Eric,
>
> A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this.
>
> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>
> I hope this helps.
>
> Wil Genovese
> Sr. Web Application Developer/ Systems Administrator
> CF Webtools
> www.cfwebtools.com
> wilg...@trunkful.com
> www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353058
Re: encrypt / decrypt question
Yes, somewhere in the code you need to do generateSecretKey(Form.encryptType); This is line 44 of the example code in my blog post.

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Nov 4, 2012, at 10:23 PM, Eric Bourland e...@ebwebwork.com wrote:
> Making progress on this task. I'm getting an error about decoding. Here is my current insert statement:
>
> CreditCardNumber = <cfqueryparam cfsqltype="cf_sql_varchar" value="#encrypt(form.CreditCardNumber, request.encryptionkey, 'AES', 'UU')#">
>
> When I submit my update form, I get this error:
>
> An error occurred while trying to encrypt or decrypt your input string: '' Can not decode string (string value from request.encryption key)
>
> So, in application.cfc, I think I need to set up a value for #request.encryption# that the AES / UU method is able to decode. What do you think is a good way for me to derive a value for #request.encryption# that the AES / UU method will understand? I hope this question makes sense. Thank you again for your advice.
>
> Eric
>
> -----Original Message-----
> From: Wil Genovese [mailto:jugg...@trunkful.com]
> Sent: Sunday, November 04, 2012 9:58 PM
> To: cf-talk
> Subject: Re: encrypt / decrypt question
>
>> Eric,
>>
>> A while back I was testing all the encryption and decryption types and wrote a short cfm page that let me do the testing. The code there is a good example of how it all works. Instead of trying to write it up and post here I created a very short and sweet blog post about this.
>>
>> http://www.trunkful.com/index.cfm/2012/11/4/Encryption-and-Decryption-in-ColdFusion
>>
>> I hope this helps.
>>
>> Wil Genovese
>> Sr. Web Application Developer/ Systems Administrator
>> CF Webtools
>> www.cfwebtools.com
>> wilg...@trunkful.com
>> www.trunkful.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353059
Re: Encrypt / UrlEncode
What was the encrypted string?

On Fri, Oct 14, 2011 at 8:17 AM, Jenny Gavin-Wear jenn...@fasttrackonline.co.uk wrote:
> I took a string, encrypted it and then url encoded.
>
> 0%3FJ%3FYBBR6-%3BE%2F)ANL%2F%3AR 5 %0A
>
> I'm not sure why the result was a string which contains spaces. Any ideas, please?
>
> Jenny Gavin-Wear
> Fast Track Online
> Tel: 01262 602013
> http://www.fasttrackonline.co.uk/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348153
Re: Encrypt / UrlEncode
> I took a string, encrypted it and then url encoded.

Encrypted strings can contain all sorts of interesting characters, and using URLEncodedFormat() isn't generally recommended for passing an encrypted string through the URL. Use the toBase64() function to base-64 encode it, THEN use URLEncodedFormat() and pass that through to the URL instead. It will be a lot cleaner and prevent the encrypted string from becoming malformed in transit, which could lead to problems decrypting it later. On the receiving end, decode the base-64 format back to another variable and you'll be all set:

<cfset original = toBinary(url.my_base_64_value) />

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348171
RE: Encrypt / UrlEncode
That's excellent, thank you Justin, exactly what I need :)

Jenny Gavin-Wear
Fast Track Online
Tel: 01262 602013
http://www.fasttrackonline.co.uk/

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: 14 October 2011 15:41
To: cf-talk
Subject: Re: Encrypt / UrlEncode

>> I took a string, encrypted it and then url encoded.
>
> Encrypted strings can contain all sorts of interesting characters, and using URLEncodedFormat() isn't generally recommended for passing an encrypted string through the URL. Use the toBase64() function to base-64 encode it, THEN use URLEncodedFormat() and pass that through to the URL instead. It will be a lot cleaner and prevent the encrypted string from becoming malformed in transit, which could lead to problems decrypting it later. On the receiving end, decode the base-64 format back to another variable and you'll be all set:
>
> <cfset original = toBinary(url.my_base_64_value) />
>
> -Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:348173
Re: Encrypt/Decrypt
Technically yes, as this is how hackers reverse engineer encryption keys to create keygens etc. However it does depend on what encryption type you use; some have not yet been hacked, so the chances are of course very very minute, and you would need to be encrypting something that someone desperately wanted in order for them to put the effort in.

This might help: http://en.wikipedia.org/wiki/Blowfish_(cipher)

Russ

On Fri, Jun 17, 2011 at 6:00 PM, Steve Reich coldfusionst...@gmail.com wrote:
> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z be determined (encrypted or decrypted) without having both x and y?
>
> Example:
>
> <cfset variables.secretKey = "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx" />
> <cfset variables.value = Encrypt("MYPASSWORD", variables.secretKey) />
>
> If you output variables.value, you get: *'Y^MZ!]F;*=V@
>
> So... if someone gets my MYPASSWORD and *'Y^MZ!]F;*=V@, can they figure out the value of variables.secretKey?
>
> Thanks,
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345410
Re: Encrypt/Decrypt
Perhaps I really should say "virtually impossible", just to be syntactically correct.

On Fri, Jun 17, 2011 at 8:49 PM, Russ Michaels r...@michaels.me.uk wrote:
> Technically yes, as this is how hackers reverse engineer encryption keys to create keygens etc. However it does depend on what encryption type you use; some have not yet been hacked, so the chances are of course very very minute, and you would need to be encrypting something that someone desperately wanted in order for them to put the effort in.
>
> This might help: http://en.wikipedia.org/wiki/Blowfish_(cipher)
>
> Russ
>
> On Fri, Jun 17, 2011 at 6:00 PM, Steve Reich coldfusionst...@gmail.com wrote:
>> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z be determined (encrypted or decrypted) without having both x and y?
>>
>> Example:
>>
>> <cfset variables.secretKey = "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx" />
>> <cfset variables.value = Encrypt("MYPASSWORD", variables.secretKey) />
>>
>> If you output variables.value, you get: *'Y^MZ!]F;*=V@
>>
>> So... if someone gets my MYPASSWORD and *'Y^MZ!]F;*=V@, can they figure out the value of variables.secretKey?
>>
>> Thanks,
>> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345411
Re: Encrypt/Decrypt
No, not really, as long as you're using a cipher that hasn't been broken. Encryption uses a special class of functions that are easy to perform in one direction but prohibitively hard to perform in the other direction. For instance, if you take two very large prime numbers and multiply them together to produce a really big number, that's pretty easy to do. However, it is really really really difficult to take a really big number and figure out which two large prime numbers were used to compose the new number.

You can look up the details of a particular algorithm if you want to get a better understanding of how it is implemented. There are differences between public/private key systems, straight up encryption/decryption with a single key and then one way hashing, but essentially, if the private key is kept safe, knowing the input text and the output of the cipher will not generally tell anyone enough to be able to guess the key.

Cheers,
Judah

On Fri, Jun 17, 2011 at 10:00 AM, Steve Reich coldfusionst...@gmail.com wrote:
> If I have Encrypt(x,y) which equals z OR Decrypt(x,y) which equals z, can z be determined (encrypted or decrypted) without having both x and y?
>
> Example:
>
> <cfset variables.secretKey = "dj0yJmk9TTJOUXFnakphWjVlJmQ9WVdrOVVtMU9jak5rTjJNbWNHbzlPREV4TVRrNE5EWXkmcz1jb25zdW1lcnNlY3JldCZ4PWQx" />
> <cfset variables.value = Encrypt("MYPASSWORD", variables.secretKey) />
>
> If you output variables.value, you get: *'Y^MZ!]F;*=V@
>
> So... if someone gets my MYPASSWORD and *'Y^MZ!]F;*=V@, can they figure out the value of variables.secretKey?
>
> Thanks,
> Steve

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345412
Re: Encrypt/Decrypt
My preferred encryption algorithm is AES, as this is what the Government uses to encrypt classified documents. :)

Paul Alkema
http://paulalkema.com
http://twitter.com/#!/paulalkema

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345416
Re: Encrypt/Decrypt
> My preferred encryption algorithm is AES, as this is what the Government uses to encrypt classified documents. :)

AES with a 256-bit key is authorized for use up to top secret, if memory serves. Remember, with any encryption, it's only as safe as the keys you use, which is why key management is seeing a lot more scrutiny these days from security auditors. See the FIPS-140-2 guide for the juicy details on the US government's standards for cryptography and key management.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:345417
Re: Encrypt/Decrypt error
Hi Les,

FYI, Adobe issued CF 8.0.1 cumulative hotfix 3 yesterday (September 1), which fixes the CFMX_COMPAT bug (among 20+ other bugs). Get the hf here: http://kb2.adobe.com/cps/511/cpsid_51180.html

Azadi Saryev
Sabai-dee.com
http://www.sabai-dee.com/

On 28/07/2009 03:30, Les Mizzell wrote:
> I'm on CF7. Here's my code:
>
> (in Application.cfc)
> <cfset request.seed = "wPznEZnrpWToMHNR8HcDQ==">
> <cfset request.algorithm = "CFMX_COMPAT">
> <cfset request.encoding = "UU">
>
> (encrypt)
> encrypt(FORM.password, request.seed, request.algorithm, request.encoding)
>
> (decrypt)
> decrypt(FORM.password, request.seed, request.algorithm, request.encoding)
>
> This is my error:
>
> There has been an error while trying to encrypt or decrypt your input string: The input and output encodings are not same.
>
> Ideas?

Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325929
Re: Encrypt/Decrypt error
If the form.password contains characters that the encryption seed will cause to result in a string that contains a space or plus sign, you will have trouble with the CFMX_COMPAT mode. Suggest going with a different mode.

Cheers,
Kris

> I'm on CF7. Here's my code:
>
> (in Application.cfc)
> <cfset request.seed = "wPznEZnrpWToMHNR8HcDQ==">
> <cfset request.algorithm = "CFMX_COMPAT">
> <cfset request.encoding = "UU">
>
> (encrypt)
> encrypt(FORM.password, request.seed, request.algorithm, request.encoding)
>
> (decrypt)
> decrypt(FORM.password, request.seed, request.algorithm, request.encoding)
>
> This is my error:
>
> There has been an error while trying to encrypt or decrypt your input string: The input and output encodings are not same.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325015
Re: Encrypt/Decrypt error
Your example shows the same input for decrypt as you used for encrypt ... hopefully that was just a typo, otherwise it's probably your issue.

> (decrypt)
> decrypt(FORM.password, request.seed, request.algorithm, request.encoding)

In other words, I would expect something more like this:

encPwd = encrypt(FORM.password, request.seed, request.algorithm, request.encoding);
pwd = decrypt(encPwd, request.seed, request.algorithm, request.encoding);

decrypt() is expecting a string which is already encoded with the requested algorithm.

Just a thought.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:325016
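An added example in Go (not CFML, and not code from any poster or from ColdFusion itself) that ties together three points raised in these threads: the AES key must be Base64 text of a valid key length, as generateSecretKey() returns, or you get the "Can not decode string" error; ciphertext should be Base64-encoded before it goes in a URL rather than sent raw or UU-encoded; and decrypt() must be handed the encrypted value, not the original input. Function names are my own, and AES-GCM stands in for ColdFusion's default AES mode so that a wrong key or unencrypted input fails authentication instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
)

// NewKey is the counterpart of ColdFusion's generateSecretKey("AES"): a fresh random
// 256-bit key as Base64 text. A passphrase like "mysecret" is NOT a valid key here.
func NewKey() (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(raw), nil
}

// parseKey is the check behind the thread's "Can not decode string" error.
func parseKey(keyB64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, fmt.Errorf("key is not valid Base64: %w", err)
	}
	switch len(raw) {
	case 16, 24, 32:
		return raw, nil
	}
	return nil, fmt.Errorf("key decodes to %d bytes, want 16, 24 or 32", len(raw))
}

func newGCM(keyB64 string) (cipher.AEAD, error) {
	key, err := parseKey(keyB64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce||ciphertext||tag as URL-safe Base64 (no '+', '/', '=' or
// whitespace), so the token survives a URL unchanged, unlike raw or UU-encoded output.
func Encrypt(plaintext, keyB64 string) (string, error) {
	gcm, err := newGCM(keyB64)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Decrypt accepts only what Encrypt produced: plaintext (the decrypt(FORM.password, ...)
// mistake in the thread) or a token made under another key fails loudly, never silently.
func Decrypt(token, keyB64 string) (string, error) {
	gcm, err := newGCM(keyB64)
	if err != nil {
		return "", err
	}
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return "", fmt.Errorf("input is not an encrypted token: %w", err)
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", fmt.Errorf("input is too short (%d bytes) to be an encrypted token", len(sealed))
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("authentication failed (wrong key, or input was never encrypted): %w", err)
	}
	return string(pt), nil
}

// RoundTripViaURL carries the token in a query string and reads it back the way a
// receiving page reads url.my_base_64_value, then decrypts it.
func RoundTripViaURL(plaintext, keyB64 string) (string, error) {
	token, err := Encrypt(plaintext, keyB64)
	if err != nil {
		return "", err
	}
	parsed, _ := url.ParseQuery(url.Values{"v": {token}}.Encode()) // Encode output always parses
	return Decrypt(parsed.Get("v"), keyB64)
}

func main() {
	key, _ := NewKey()
	fmt.Println(RoundTripViaURL("MYPASSWORD", key)) // MYPASSWORD <nil>
	fmt.Println(Decrypt("MYPASSWORD", key))         // plaintext handed to decrypt: error
	fmt.Println(Encrypt("x", "mysecret"))           // passphrase used as key: error
}
```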
Re: encrypt database column
Yes, good point, thanks Dave.

>> In fact, yes I know we are both thinking "if someone is good enough to hack into the backend database then they will be good enough to decrypt the data if they really wanted", so the cf app would definitely be sufficient enough.
>
> The problem with encrypting data from within your application is that the same application will often also decrypt the data, so if your application itself has a vulnerability - which is by far the most likely security problem you'd have - this won't actually protect your data. It would, however, perhaps protect your data from untrustworthy database administrators, but that's probably not the threat profile you're facing.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date. Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321473
Re: encrypt database column
> Who will be able to open and read your database, and from which application? Some CF app?

Yes, a cf app that has a lot of security, and only people that have been given rights to the secure data.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321440
Re: encrypt database column
> Who will be able to open and read your database, and from which application? Some CF app?

Hmm, I am now wondering whether there is really a need to encrypt the columns, but instead just to control the access to that data through the cf application.

I suppose the thing we need to think about is if someone hacks into the database, we have personal data alongside other data, which the client doesn't want, so actually yes, some form of encryption on the personal data is required.

Thanks

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321441
Re: encrypt database column
> I am now wondering whether there is really a need to encrypt the columns, but instead just to control the access to that data through the cf application.

You are telling yourself exactly what I was thinking ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321447
Re: encrypt database column
> Yes, a cf app that has a lot of security, and only people that have been given rights to the secure data.

Then what's the big idea to encrypt data, if they have the rights to see it anyway? If there are columns they should not see, just don't provide them with the possibility to display those columns in your CF template, no?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321448
Re: encrypt database column
:) Thanks Claude, yes it is a good point, but what if someone was to hack into the database... I'm sure we are both thinking the same thing at this point: "well, if someone is good enough to hack into a database then they will be good enough to decrypt the data if they really wanted", but we have to satisfy the people that don't understand information systems that there is as much security as possible, and they do want something to answer this question! (being, what can we do if someone does get into the database!)

What do you think about this?

Thanks again for your feedback.

>> I am now wondering whether there is really a need to encrypt the columns, but instead just to control the access to that data through the cf application.
>
> You are telling yourself exactly what I was thinking ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321452
Re: encrypt database column
In fact, yes I know we are both thinking "if someone is good enough to hack into the backend database then they will be good enough to decrypt the data if they really wanted", so the cf app would definitely be sufficient enough.

Thanks for your help Claude, very much appreciated :)

> :) Thanks Claude, yes it is a good point, but what if someone was to hack into the database... I'm sure we are both thinking the same thing at this point: "well, if someone is good enough to hack into a database then they will be good enough to decrypt the data if they really wanted", but we have to satisfy the people that don't understand information systems that there is as much security as possible, and they do want something to answer this question! (being, what can we do if someone does get into the database!)
>
> What do you think about this?
>
> Thanks again for your feedback.
>
>>> I am now wondering whether there is really a need to encrypt the columns, but instead just to control the access to that data through the cf application.
>>
>> You are telling yourself exactly what I was thinking ;-)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321454
Re: encrypt database column
> What do you think about this?

First point: if your database is correctly stored in a safe area not accessible by HTTP, the risk is really low. If it is stored in an area viewable by HTTP, then so is your template to decrypt and view data anyway. It's like hanging the key of your house on the entrance door ;-)

Second point: if it was really a concern and an issue, there would be some tool available on your database system to handle it. Database systems provide other protection schemes. The best option is to use them. Database systems are developed by professionals who know what they are doing, not by customers who think they know where the danger is.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321459
Re: encrypt database column
2 excellent points Claude, thanks again for your help with this.

Richard

>> What do you think about this?
>
> First point: if your database is correctly stored in a safe area not accessible by HTTP, the risk is really low. If it is stored in an area viewable by HTTP, then so is your template to decrypt and view data anyway. It's like hanging the key of your house on the entrance door ;-)
>
> Second point: if it was really a concern and an issue, there would be some tool available on your database system to handle it. Database systems provide other protection schemes. The best option is to use them. Database systems are developed by professionals who know what they are doing, not by customers who think they know where the danger is.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321460
Re: encrypt database column
> In fact, yes I know we are both thinking "if someone is good enough to hack into the backend database then they will be good enough to decrypt the data if they really wanted", so the cf app would definitely be sufficient enough.

The problem with encrypting data from within your application is that the same application will often also decrypt the data, so if your application itself has a vulnerability - which is by far the most likely security problem you'd have - this won't actually protect your data. It would, however, perhaps protect your data from untrustworthy database administrators, but that's probably not the threat profile you're facing.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321467
Re: encrypt database column
Thanks for the reply Claude.

How would I get around the issue of encrypting data in integer columns? - as some of the columns are set as smallint(2) for example.

Just thinking off the top of my head: when a user chooses to encrypt a column of data, the code could create a replica column which is varchar(255) and place all encrypted data in that column and remove it from the original column. If they choose to decrypt it then it puts all decrypted data back into the original column.

What do you think?

Thanks

>> 1) seeing as this can be run on any column (even integer fields) is it possible to encrypt an integer and then place the resulting encrypted string back into the integer column of the database
>
> If the encrypted data is also an integer, then yes, but if it can be any string, forget it. Not even worth trying.
>
>> 2) as this function will run on any table/column how can I write an sql statement that just loops through the column encrypting the data?
>
> This depends on the database you're using. Maybe a stored procedure could do it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321399
Re: encrypt database column
> How would I get around the issue of encrypting data in integer columns? - as some of the columns are set as smallint(2) for example.

You need to create an extra column to contain the encrypted value. I know no encrypting algorithm capable of encrypting a smallint into a smallint, except maybe an equivalence table, but can this still be called encryption?

> What do you think?

Well, frankly, to be honest, before I think anything about this, I'd like to know a little more about the idea behind all this. Why do you need to encrypt a column in the first place? Maybe there is a better solution.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321411
Re: encrypt database column
> We appreciate your feedback

Who will be able to open and read your database, and from which application? Some CF app?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321417
Re: encrypt database column
Thanks again for your response.

Basically the database contains a mixture of non-personal and personal data. Our client wishes to be able to select which columns are personal and are therefore encrypted (this is basically to satisfy data protection people).

The initial idea was to create a separate database, and when the user clicked to 'secure' a column then our code would remove the column and move it to a separate database. This of course would not solve the security issues, so we don't really see the need to do this, so thought if we could just encrypt the data within the column then it would satisfy the relevant bodies.

I think creating a separate column would probably be the best way, unless you can think of an alternative.

We appreciate your feedback.

>> How would I get around the issue of encrypting data in integer columns? - as some of the columns are set as smallint(2) for example.
>
> You need to create an extra column to contain the encrypted value. I know no encrypting algorithm capable of encrypting a smallint into a smallint, except maybe an equivalence table, but can this still be called encryption?
>
>> What do you think?
>
> Well, frankly, to be honest, before I think anything about this, I'd like to know a little more about the idea behind all this. Why do you need to encrypt a column in the first place? Maybe there is a better solution.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321413
Re: encrypt database column
1) Seeing as this can be run on any column (even integer fields), is it possible to encrypt an integer and then place the resulting encrypted string back into the integer column of the database?

If the encrypted data is also an integer, then yes, but if it can be any string, forget it. Not even worth trying.

2) As this function will run on any table/column, how can I write an SQL statement that just loops through the column encrypting the data?

This depends on the database you're using. Maybe a stored procedure could do it.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321327
Re: encrypt database column
You can change the name of a column in TQL. In MSSQL there is a stored proc called sp_rename that would do it. For getting all fields from a column in a table, that is simply select colname from tablename.

If you wanted to pass the encrypted string into the db, not sure that MSSQL or MYSQL can do. Why not use CF to process the encrypted name and pass that in using cfprocparam in a cfstoredproc tag? Maybe I am missing the complexity of your objective.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321300
RE: encrypt database column
Keep in mind that a column rename is very expensive and I believe it changes the underlying dbid of that column (which can cause schema caching issues). What's going on under the hood is:

- Add new column
- copy column data
- Delete old column
- plus any indexing or FK stuff needed.

-Mark

-----Original Message-----
From: Tony Bentley [mailto:t...@tonybentley.com]
Sent: Friday, April 03, 2009 3:11 PM
To: cf-talk
Subject: Re: encrypt database column

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321303
RE: encrypt/decrypt bug
Could you post the entire encrypt/decrypt code snip?

-----Original Message-----
From: Les Mizzell [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 27, 2007 11:45 AM
To: CF-Talk
Subject: encrypt/decrypt bug

This is driving me crazy!! For this code:

    <cfif IsDefined("form.myVAR") AND #form.myVAR# NEQ "">
      <cfset encrpt_myVAR=encrypt("#trim(FORM.myVAR)#","#encCODE#")>
    </cfif>

Figure this out. Here's a few tests:

    Form Entry:            Decrypted output:
    Form Entry: 2          Decrypted output: =
    Form Entry: 22         Decrypted output: 22
    Form entry: 3332       Decrypted output: 333=
    Form entry: abcdef2    Decrypted output: abcdef2
    Form entry: abcdef32   Decrypted output: abcdef3=
    Form entry: abcdef33   Decrypted output: abcdef33

I can pretty much put anything I want into the form field and it encrypts correctly - UNLESS it ends in a 2. Then it's screwed - sometimes. I can't tell if the problem is on the encrypt or decrypt side either.

During these tests, the var encCODE was kept constant. I haven't tried yet, but wonder if changing it would make a difference. Will try that next.

Something I'll get a some instead of the equal sign. It's ONLY a 2 that does this. WTF?

Any ideas at all? Is there a patch from the version below to fix this? It's driving myself and a client insane right now!!!

Level: Enterprise
Name: ColdFusion Server
Version: 7,0,2,142559

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276409
Re: encrypt/decrypt bug
Hi Les,

I've seen similar behavior most typically when I'm also urlencoding the encrypted value. What I figured out was happening is that if the encrypted value contained a space, when urlencodedformat() was run on it, the space would get converted to %20 as expected. However, when it was decoded, the spaces were converted to + instead of a space, then the decrypt would not function properly. In my situation that either resulted in strange characters being added or usually resulted in a null pointer reference error.

Also, this was under CFMX6.1.

Cheers,
Kris

On 4/27/07, Les Mizzell [EMAIL PROTECTED] wrote:

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276414
Re: encrypt/decrypt bug
Since you are running CFMX 7, you might give the new encryption methods a try. If you encode using Hex, you should be able to use the encrypted string directly in a URL without encoding it.

Example:

    <cfset x = encrypt(var,key,"blowfish","hex")>

Good luck,
Mike Chabot

On 4/27/07, Kris Jones [EMAIL PROTECTED] wrote:

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276421
Re: encrypt/decrypt bug
Interesting - changing the value of #encCODE# to a longer string seems to have fixed the problem. Haven't tested with every possible combination of letters/numbers on the input yet, so ya never know - but it seems to like 2s now.

Very odd...

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276428
Re: encrypt/decrypt bug
This is going to sound weird but I've seen two issues nesting a trim() inside other functions in the past. When I moved it above the function and cfset to a temp it fixed the error. May not apply here but it's only a 15 second test :)

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276464
RE: Encrypt Decrypt
Hi Larry,

Your immediate problem can be solved by escaping it (##) AND assigning it to another variable. Use this:

    <cfset encryptString = "2:GR4G5_,3++Q]##9:N+?)N4 ">
    <br>#Decrypt(encryptString,"7xxT533zrt3d9in")#

I have tried and it worked. But just a suggestion, you might want to work with GenerateSecretKey or hash. (For more info, consult the livedocs).

Thanks

Regards,
Phyo Pine
Information Systems Specialist
DMV - ODOT

-----Original Message-----
From: Stephens, Larry V [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 27, 2006 1:51 PM
To: CF-Talk
Subject: Encrypt Decrypt

I'm using a simple encrypt statement to store info:

    #Encrypt(SESSION.Customer.xxx, GetX.Item)#',

(this is from my INSERT statement) GetX.Item is the key loaded from a table.

(I don't profess to be an expert in encryption (obviously) but, other than being a little obtuse in the code, I don't know how to hide the key any better on a server I don't control. I'm certainly open to suggestion.)

Hiding the key aside, my decryption routine looks like (I'm moving it to another table that is secure):

    FieldX = '#Decrypt(FieldSaved, GetX.Item)#',

where aaa is the data retrieved from the table and GetX.Item is the same key.

And it works, (e.g., decrypting 0Z[ STK6_,;)*!I+!/ ) until the encrypted data looks like 3JG$P5[0];!/QM#!O

So, I played with it a bit and it became obvious that the problem is the # embedded in the encrypted data. What now? I can't escape it (##) because that throws an error, too.

To illustrate what seems to be happening:

    <!--- this works --->
    <cfset x=Encrypt("730072022000SerNum","7xxT533zrt3d9in")>
    <cfoutput>
    #x# <!--- this will be: 2:GR4G5_,3++Q]#9:N+?)N4 --->
    <br />#Decrypt(x,"7xxT533zrt3d9in")#
    <!--- run routine then uncomment next line and run again --->
    <!--- <br />#Decrypt("2:GR4G5_,3++Q]#9:N+?)N4 ","7xxT533zrt3d9in")# --->
    </cfoutput>

Larry Stephens
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:230637
Re: encrypt() and javascript functions
So I tried using JSStringFormat

The problem here is not with Javascript, but with the URL, so you should use the CF URLEncodedFormat function. Note that, even after the string is URLEncoded, it might not be a bad idea to use JSStringFormat as well.

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229901
Re: encrypt() and javascript functions
Claude Schneegans wrote:

So I tried using JSStringFormat

The problem here is not with Javascript, but with the URL, so you should use the CF URLEncodedFormat function. Note that, even after the string is URLEncoded, it might not be a bad idea to use JSStringFormat as well.

Actually... it is the string within the javascript call because the string contains a quote. It all works fine as long as the string does not contain a quote. At any rate, I tried your suggestion and it does not work. Causes a javascript error, unterminated string literal. Here is the error from the firefox javascript console:

    Error: unterminated string literal
    Source File: javascript:didetail('%260I%3EHL%289%5B%0A');
    Line: 1, Column: 9
    Source Code: didetail('0IHL(9[

That line is generated as such:

    A HREF=javascript:didetail('cfoutput#JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key#/cfoutput');

The javascript function itself does the url encoding when it creates the url by using the escape() function.. but I'm not getting to the javascript function because the call to the function is failing.

At least with my current solution, it works most of the time ;)

rick

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229904
Re: encrypt() and javascript functions
    A HREF=javascript:didetail('cfoutput#JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key#/cfoutput');

The problem now is that you're having too many ... levels in the same line. Break your line into several statements:

    CFSET JSparam = JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key
    A HREF=javascript:didetail('cfoutput#JSparam#/cfoutput');

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229909
Re: encrypt() and javascript functions
Claude Schneegans wrote:

    A HREF=javascript:didetail('cfoutput#JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key#/cfoutput');

The problem now is that you're having too many ... levels in the same line. Break your line into several statements:

Actually, that had nothing to do with it. Turns out the problem is that I have to URLEncoded *AFTER* doing the JSStringFormat. And both are required. So the above works fine when JSStringFormat and URLEncodedFormat are reversed.

Hooray!

Rick

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229919
Re: encrypt() and javascript functions
Turns out the problem is that I have to URLEncoded *AFTER* doing the JSStringFormat. And both are required.

Depends what you mean by before and after ;-)

In the sample you gave:

    #JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key#

URLEncodedFormat is called *BEFORE* and JSStringFormat *AFTER*. This is the way it should be, so that javascript:didetail() will receive a correct JS string first, then transmit a correct URL string after. If you do the contrary, I doubt it will always work.

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229920
Re: encrypt() and javascript functions
Claude Schneegans wrote:

Turns out the problem is that I have to URLEncoded *AFTER* doing the JSStringFormat. And both are required.

Depends what you mean by before and after ;-)

In the sample you gave:

    #JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key#

URLEncodedFormat is called *BEFORE* and JSStringFormat *AFTER*. This is the way it should be, so that javascript:didetail() will receive a correct JS string first, then transmit a correct URL string after. If you do the contrary, I doubt it will always work.

You are suggesting that it will always work if I call URLEncodedFormat *FIRST* and then JSStringFormat SECOND - as in the sample above? That's simply not correct, because I tested that. Whenever possible, I always test my code before posting solutions to mailing lists, lest I post incorrect solutions =)

See here: http://www.it.dev.duke.edu/test_cftalk.cfm

In fact, it NEVER works with URLEncodedFormat being processed BEFORE the JSStringFormat. I tried 10 different strings, and they all failed to work that way...

Rick

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229925
Re: encrypt() and javascript functions
You are suggesting that it will always work if I call URLEncodedFormat *FIRST* and then JSStringFormat SECOND - as in the sample above?

Again, it depends what you call first or before and second or after.

In the line:

    JSStringFormat(URLEncodedFormat(encrypt(UDVBIE,(my key

JSStringFormat appears first in the line, but encrypt will be called first, THEN URLEncodedFormat, and LAST JSStringFormat, by ColdFusion. And finally, on client side, the result of all this will be passed to the Javascript function didetail(); It is THIS function which needs to receive a JS string, so you call JSStringFormat() to encode the string passed to it. THEN, JS will possibly pass the string as an URL string, so that string must have been URLEncodedFormat() before, and since you wanted the string to be encrypted, you had to call the encrypt() function first.

Furthermore, in the reverse order, JS decodes the JSStringFormat, then passes it as an URL string, then the HTTP server will de-URLEncode it and pass it to the CF template, THEN finally, the CF template will decrypt it back.

If it works the reverse way, then good for you, but some day, some time,... smile ! ;-)

I always test my code before posting solution to mailing lists,

Alas, this is not enough to be sure it will ALWAYS work. ;-) If your encoded string has no quote, no URL-incompatible character, both functions JSStringFormat and URLEncodedFormat will just do nothing, so of course their order is irrelevant.

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229943
Re: encrypt() and javascript functions
Rick is right. The string is being built by CF as content to send to the browser; the browser will URL decode the string when it is rendered. This means that the remaining string is the one that ends up in the JS function, which will always work because he has used JSStringFormat() on it.

On 1/19/06, Claude Schneegans [EMAIL PROTECTED] wrote:

You are suggesting that it will always work if I call URLEncodedFormat *FIRST* and then JSStringFormat SECOND - as in the sample above?

--
CFAJAX docs and other useful articles: http://jr-holmes.coldfusionjournal.com/

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229952
Re: encrypt() and javascript functions
Rick is right. The string is being built by CF as content to send to the browser;

Gee, I was too tired after this fight with FCKEditor, of course you're right! :-)

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229957
Re: Encrypt CC number and store in DB
I have seen many instances where a site will collect all of the order information (including CC details), and then store it for manual processing later. They do not have online credit card processing, and instead review each order and then charge the card using an existing terminal at their store. Because of the low volume of orders, many times it doesn't make sense to pay monthly for online processing when they already have a physical terminal present that they can run the cards on. I don't know how well that flies with Visa/MC regulations, but this setup is more common than you might think.

-Justin

Common or not the CC companies will spank you silly if they find a merchant doing that...VERY against the regs!!...and the fines would not be pretty...far more than monthly Tx fees...and WAY more dangerous from a liability standpoint.

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229609
RE: Encrypt CC number and store in DB
customer ID to store and use for future Txs. They spend all the $$ on security and liability insurance, why should you ;-)

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229602
RE: Encrypt CC number and store in DB
The best way is DO NOT DO IT. No I'm not just being sarcastic but there should be no reason to do this [snip]

Except - we don't know the final cost until the items purchased are packaged and postage/freight is figured. (And we make sure the items are actually in stock and not on order, etc.) The configuration (i.e., number of boxes) can vary a great deal depending on what is ordered (some things will pack inside others, etc.) and, of course, the actual charge depends on where you are shipping it (and keeping up with UPS and USPS shipping tables is no trivial matter).

Larry Stephens
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229441
RE: Encrypt CC number and store in DB
Baz,

This blog post has some good info... http://mkruger.cfwebtools.com/index.cfm?mode=aliasalias=cc.secure

The comments below give a lot of insight on various approaches as well.

-Mark

-----Original Message-----
From: Baz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 12, 2006 5:20 PM
To: CF-Talk
Subject: RE: Encrypt CC number and store in DB

I have to store credit card numbers for an internal order processing system. Orders come by fax and the credit card number must be written to DB for later viewing/charging by another employee.

Where can I see these regulations?

Cheers,
Baz

-----Original Message-----
From: Jordan Michaels [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 12, 2006 6:13 PM
To: CF-Talk
Subject: Re: Encrypt CC number and store in DB

Dave Watts wrote:

What's the best way to encrypt a CC number and store it in DB?

Ideally, it's best not to store it at all.

Couldn't have said it better myself. Also, keep in mind that CC storage is highly regulated. Non-compliance could lead to heavy fines and, in most cases, cancellation of your merchant account.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229442
RE: Encrypt CC number and store in DB
Do you actually get people to give you their credit card information without them even knowing:

a) how much they are going to be charged
b) whether or not you charge them more for shipping because of where they live
c) if what they WANT to order is even in stock?

If so, you must have one user friendly, warm and fuzzy feeling generating site to make people feel that comfortable. (is it basket basics dot com?)

Why would any of that information (in stock, shipping cost, shipping location, etc..., and a FINAL price) not be obtainable BEFORE getting the credit card number? If any of it IS unobtainable without a Credit Card number, it sounds like a flawed system to me.

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-----Original Message-----
From: Stephens, Larry V [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 13, 2006 8:44 AM
To: CF-Talk
Subject: RE: Encrypt CC number and store in DB

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229449
RE: Encrypt CC number and store in DB
Thanks Mark.

-----Original Message-----
From: Mark A Kruger [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 13, 2006 8:47 AM
To: CF-Talk
Subject: RE: Encrypt CC number and store in DB

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229455
RE: Encrypt CC number and store in DB
Those are good points bobby, but I'm sure you could think of at least 1 valid scenario where CC numbers are required for later charging...

What about using a CC number to see if that CC has enough funds and then doing the charging later? Or better yet, what if you have customers who purchase very frequently? They DEMAND to have their number stored instead of typing it in each time. These are already 2 valid cases.

Baz

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229456
RE: Encrypt CC number and store in DB
Just ensure you are 100% compliant with the PCI Data Security Standard, or you can pay the consequence.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229457
RE: Encrypt CC number and store in DB
I read a bit about PCI Data Security Standard and it doesn't seem to be a big deal. This article summarizes it:
http://mkruger.cfwebtools.com/index.cfm?mode=alias&alias=cc.secure

The standard doesn't even ask that you encrypt stored values - just the transmission of values (SSL). It really defines minimums.

Baz

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229460
RE: Encrypt CC number and store in DB
Do you actually get people to give you their credit card information without them even knowing:
a) how much they are going to be charged
b) whether or not you charge them more for shipping because of where they live
c) if what they WANT to order is even in stock?

**Yes.

If so, you must have one user friendly, warm and fuzzy feeling generating site to make people feel that comfortable. (is it basketbasics dot com?)

**Yes (The shopping cart is going into place soon, but we have people who give us the info with their order now.)

Why would any of that information (in stock, shipping cost, shipping location, etc..., and a FINAL price) not be obtainable BEFORE getting the credit card number? If any of it IS unobtainable without a Credit Card number, it sounds like a flawed system to me.

**Perhaps you can explain how you determine the shipping charge before you have everything boxed up and ready to send. We could send a notice back to people telling them how much it would be, but that depends on their reading email and then responding to us and for what - a figure that is determined by UPS in the first place? Most people just accept that it's going to cost something.

In stock can be determined but sometimes people will order several items and want to leave an out-of-stock item on backorder while getting the rest of the shipment. Now you have a split shipment and we don't charge until we ship.

If you see a business telling you what the shipping cost is up front then they either have a product that lends itself to easily determining what the cost will be (i.e., not a mix of dissimilar products insofar as size and weight) and is usually purchased as a single item (not a mix of, in our case, bulky but light handles, bulky but heavy reed, shirts, cans of stain, etc.) or else they are tacking on enough hidden cost to cover lower-than-needed postage costs (e.g., S&H with the emphasis on handling) or are selling a product that never goes above minimum cost (e.g., CDs). We only charge actual shipping cost without any handling cost to keep prices down for our customers.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229461
RE: Encrypt CC number and store in DB
There may be reasons... just none that I can think of other than not wanting to pay for a merchant account. I've done recurring billing before... verisign stores that in my case though. Better them than us. They also have 'Insufficient funds' error codes that are returned to you and your processing since they are capable of running the cards immediately.

But, I'm sure you're right, there may be valid reasons for storing them, but none of them would validate taking a CC number BEFORE telling the user how much they are going to be charged for item(s), shipping, and if they are going to be charged at all because something wasn't in stock.

Visa just 'misplaced' some hard drives with customer information on them including credit card numbers. They had to reissue TONS of cards because of it. If THEY can lose that info... so can you. Just be careful with it and know that encryption does nothing but slow down the process of getting that number.

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229462
RE: Encrypt CC number and store in DB
Hmm... I'm going to look into that Bryan. I didn't know processors generally gave functionality to store and query CC nums by customer - I'll see if mine does it.

You can do an AUTH, then a CAPTURE. The main drawbacks are, 1) as one person said, the time frame. You get about a week or 2, depending on the gateway. And 2) if you don't know the amount. Most gateways, I don't believe you can alter the amount before you do the CAPTURE. You definitely can't raise it.

The way I handle it in cf_ezcart is with deferred payments. If we can't calculate shipping for whatever reason, or you have custom items that can't be priced, we write the order with an estimated amount, then notify the customer when the total is final and they then go pay with their credit card.

--
Bud Schneehagen - Tropical Web Creations, Inc.
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Web Based Solutions / eCommerce Development & Hosting
http://www.twcreations.com/ - http://www.cf-ezcart.com/
Toll Free: 877.207.6397 - Local & Int'l Phone/Fax: 386.789.0968

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229466
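A constructed model of the AUTH-then-CAPTURE rules and the deferred-payment fallback described in the message above, added here as an illustration; it is not cf_ezcart code and talks to no gateway. The seven-day hold window and the no-raise rule are assumptions standing in for whatever a real gateway enforces.

```python
"""Constructed model of an AUTH-then-CAPTURE flow with a deferred-payment
fallback. Added illustration only: not cf_ezcart code, no gateway involved.
The hold window (assumed 7 days) and the rule that a capture may not exceed
the authorized amount stand in for whatever a real gateway enforces."""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional


class CaptureError(Exception):
    """Raised when a capture would violate the gateway's rules."""


@dataclass
class Authorization:
    auth_id: str
    amount: Decimal            # hold placed by the gateway; cannot be raised later
    authorized_on: date
    valid_days: int = 7        # assumed hold window; real windows vary by gateway
    captured: Optional[Decimal] = None

    def expires_on(self) -> date:
        return self.authorized_on + timedelta(days=self.valid_days)


def capture(auth: Authorization, amount: Decimal, today: date) -> Decimal:
    """Settle the hold. The card number was handed to the gateway at AUTH
    time; only the authorization id and amounts are kept on this side."""
    if auth.captured is not None:
        raise CaptureError("authorization already captured")
    if today > auth.expires_on():
        raise CaptureError("authorization expired; re-authorize instead")
    if amount <= 0:
        raise CaptureError("capture amount must be positive")
    if amount > auth.amount:
        raise CaptureError("capture exceeds authorized amount")
    auth.captured = amount
    return amount


@dataclass
class Order:
    order_id: str
    goods: Decimal
    shipping: Optional[Decimal] = None   # None until the order is boxed and weighed
    status: str = "new"


def settle(order: Order, auth: Authorization, today: date) -> str:
    """Capture when the final total is known and fits the hold; otherwise mark
    the order deferred so the customer is notified and pays once the total is
    final (the approach described in the message above)."""
    if order.shipping is None:
        order.status = "deferred"
        return "deferred: shipping not yet known"
    total = order.goods + order.shipping
    try:
        capture(auth, total, today)
    except CaptureError as exc:
        order.status = "deferred"
        return f"deferred: {exc}"
    order.status = "captured"
    return f"captured {total}"


def payment_request(order: Order, shipping: Decimal) -> dict:
    """Finalize a deferred order: record the shipping and produce the notice
    the customer pays against. No card data is needed for this step."""
    if order.status != "deferred":
        raise ValueError("only deferred orders are finalized this way")
    order.shipping = shipping
    order.status = "awaiting_payment"
    return {"order_id": order.order_id, "total": order.goods + shipping}


def demo() -> dict:
    """Run the scenarios discussed in the thread on constructed orders."""
    day0 = date(2006, 1, 13)
    ok = settle(Order("O1", Decimal("40.00"), Decimal("8.50")),
                Authorization("A1", Decimal("50.00"), day0), day0 + timedelta(days=2))
    over = settle(Order("O2", Decimal("40.00"), Decimal("15.00")),
                  Authorization("A2", Decimal("50.00"), day0), day0 + timedelta(days=2))
    late = settle(Order("O3", Decimal("40.00"), Decimal("5.00")),
                  Authorization("A3", Decimal("50.00"), day0), day0 + timedelta(days=9))
    unknown = Order("O4", Decimal("40.00"))          # shipping not yet known
    pending = settle(unknown, Authorization("A4", Decimal("50.00"), day0), day0)
    notice = payment_request(unknown, Decimal("12.25"))
    return {"ok": ok, "over": over, "late": late, "pending": pending,
            "final_total": str(notice["total"]), "final_status": unknown.status}
```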
RE: Encrypt CC number and store in DB
If you work at a publicly traded company you need to look into Sarbanes Oxley as well.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229468
RE: Encrypt CC number and store in DB
Well doing what you can to keep costs down for your customers is always a good thing in the customer's eyes and actual shipping costs as opposed to a 'guestimate' is admirable, but what is shipping based on? Usually it's weight. If it's an automated system, items are being added to the database and pulled from there for display and purchasing, so what's to stop someone from storing the weight if they wanted ACTUAL shipping costs for their customers... which can be calculated with UPS web services on the fly BEFORE a credit card is taken, or by setting up your own calculations tables and updating them with changed amounts when UPS does. They'll give you that info. The most current info can probably be found on their site... they may even have a remote service for that too...

Take Dell, NewEgg, and Tiger Direct for example, they have a ton of items for sale, all different sizes and weights. Their shipping costs are pretty close to actual costs from what I've seen. Granted they generate very high online revenue and can afford (and have little choice otherwise) to make the process as streamlined as possible but it does prove it's possible.

If it's working for you, by all means go with it. I personally wouldn't buy anything from anyone without knowing the bottom line before hand and I'm sure I'm not alone. Many of us have done ecommerce sites. We can't please everyone. Let's face it, people are more particular about their money than anything. Many people will see a misspelled word on a cart and decide they don't want to spend their money there; they are picky and cautious about where they will buy online and they should be. It's harder to lure them and their money in than it is to turn them away. I just feel that those three things are 3 very big deterrents for more people than not. (not letting them know it's in stock before hand, not giving AT LEAST a shipping estimate before hand, not giving a final tally of all costs)

But as I've said before... I'm no expert... I just play one on the internet.

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229475
Re: Encrypt CC number and store in DB
Except - we don't know the final cost until the items purchased are packaged and postage/freight is figured. (And we make sure the items are actually in stock and not on order, etc.) The configuration (i.e., number of boxes) can vary a great deal depending on what is ordered (some things will pack inside others, etc.) and, of course, the actual charge depends on where you are shipping it (and keeping up with UPS and USPS shipping tables is no trivial matter).

Larry Stephens

Sorry Larry... not sure what the above has to do with not storing CC numbers... if it's a timing issue IMHO the system should be more sophisticated to handle the "don't know the total until this stuff is done" can be determined without doing it. I do it now with UPS... just takes some more coding ;-)

Bryan Stevenson B.Comm.
VP & Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229480
RE: Encrypt CC number and store in DB
Tim,

Sarbanes Oxley is a rule set for tracking compensation of employees - particularly company officers. It does indeed specify a lot of requirements for storage - but mostly of internal company information. CC numbers have more to do with privacy of customer information - yes?

-mark

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229481
RE: Encrypt CC number and store in DB
The audit and controls sections of the act could pertain here.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229484
Re: Encrypt CC number and store in DB
We work on a site with a similar issue. The items sold are live plants and customers order them in one batch and the plants get shipped and charged when they are sent (at different times, sometimes months later, depending on a whole host of factors). We don't store the credit card numbers in a database online. We encrypt them using PGP, then write the info to a file and send it via FTP to our client's secure internal network where they then decrypt the numbers and store them for future billing. Only the client has the private key to decrypt. We encrypt on the server using the public key and the CFX_PGP tag.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229486
RE: Encrypt CC number and store in DB
HINT: #replace(ccnumber, ccnumber, "")# ;-)

..:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.
Bobby Hartsfield
http://acoderslife.com

-Original Message-
From: Baz [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 5:47 PM
To: CF-Talk
Subject: Encrypt CC number and store in DB

What's the best way to encrypt a CC number and store it in DB?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229399
RE: Encrypt CC number and store in DB
What's the best way to encrypt a CC number and store it in DB?

The best way is really a business question - what's the best way for one company may not be best for another. My answers below emphasize security above convenience, but that might not be the choice you want to make.

Ideally, it's best not to store it at all. If you must store it, you shouldn't allow the same application to encrypt and decrypt the number. For example, using PKI you could have your ecommerce application encrypt the number, and a private internal application on a separate machine could then decrypt it.

Choosing an algorithm is much less important than figuring out how you'll manage keys. It doesn't matter how strong your encryption algorithm is, if an attacker can get all the keys from one place. This is the big problem with symmetric encryption, of course.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229400
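Dave's split (the web application can only encrypt, a separate internal machine holds the only key that decrypts) is the same arrangement as the PGP-then-FTP setup described in the live-plants post earlier in this thread. The following is an added Go example, not code from this thread or from ColdFusion, showing how that looks with standard-library primitives: a fresh AES-256-GCM key per card number, wrapped with the billing host's RSA public key (RSA-OAEP). The Envelope layout, the OAEP label and the test card number 4111 1111 1111 1111 are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Envelope is all the web tier keeps or ships inward: the PAN sealed under a
// one-time AES-256 key, and that key wrapped with the billing host's RSA
// public key. A copy of the database or the web server yields no PANs.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, dek)
	Nonce      []byte // 12-byte GCM nonce
	Ciphertext []byte // AES-256-GCM(dek, nonce, pan) with Last4 as AAD
	Last4      string // clear text; the only part the web tier may display
}

const oaepLabel = "card-pan-dek-v1" // assumed label; binds wrapped keys to this use

// sealPAN runs on the e-commerce tier, which holds only the public key.
func sealPAN(pub *rsa.PublicKey, pan string) (Envelope, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return Envelope{}, errors.New("PAN must be 13 to 19 digits")
	}
	last4 := pan[len(pan)-4:]
	dek := make([]byte, 32) // fresh data-encryption key per record
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// Last4 is authenticated data: editing it on a stored row breaks decryption.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(oaepLabel))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Last4: last4}, nil
}

// openPAN runs only on the internal billing host that holds the private key.
func openPAN(priv *rsa.PrivateKey, env Envelope) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, []byte(oaepLabel))
	if err != nil {
		return "", errors.New("key unwrap failed: wrong private key or corrupt row")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Last4))
	if err != nil {
		return "", errors.New("record rejected: tampered ciphertext, nonce or Last4")
	}
	return string(pan), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed key pair for the demo; in deployment only the public half
	// is installed on the web server and the private half stays inside.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	env, err := sealPAN(&priv.PublicKey, "4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x...\n", env.Last4, env.Ciphertext[:4])
	pan, err := openPAN(priv, env)
	fmt.Println("billing host recovers:", pan, err)
	env.Last4 = "9999" // someone edits the row
	_, err = openPAN(priv, env)
	fmt.Println("tampered row:", err)
}
```

The Envelope fields are raw bytes; base64- or hex-encode them before writing to a text column so that trimming or character-set conversion in the database cannot alter the ciphertext. The private key never needs to exist on the web server, which is the property Dave is after: a compromise of that server yields ciphertext only.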
Re: Encrypt CC number and store in DB
Dave Watts wrote:
What's the best way to encrypt a CC number and store it in DB?
Ideally, it's best not to store it at all.

Couldn't have said it better myself. Also, keep in mind that CC storage is highly regulated. Non-compliance could lead to heavy fines and, in most cases, cancellation of your merchant account.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229401
RE: Encrypt CC number and store in DB
I was expecting an answer like: put encrypt() in your setter method and decrypt() in your getter... heh. Or better yet, a link to a function on cflib... looks like this is going to be a big one.

Baz

-Original Message-
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 5:59 PM
To: CF-Talk
Subject: RE: Encrypt CC number and store in DB

What's the best way to encrypt a CC number and store it in DB?

The best way is really a business question - what's the best way for one company may not be best for another. My answers below emphasize security above convenience, but that might not be the choice you want to make.

Ideally, it's best not to store it at all. If you must store it, you shouldn't allow the same application to encrypt and decrypt the number. For example, using PKI you could have your ecommerce application encrypt the number, and a private internal application on a separate machine could then decrypt it.

Choosing an algorithm is much less important than figuring out how you'll manage keys. It doesn't matter how strong your encryption algorithm is, if an attacker can get all the keys from one place. This is the big problem with symmetric encryption, of course.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229402
RE: Encrypt CC number and store in DB
I have to store credit card numbers for an internal order processing system. Orders come by fax and the credit card number must be written to DB for later viewing/charging by another employee.

Where can I see these regulations?

Cheers,
Baz

-Original Message-
From: Jordan Michaels [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 6:13 PM
To: CF-Talk
Subject: Re: Encrypt CC number and store in DB

Dave Watts wrote:
What's the best way to encrypt a CC number and store it in DB?
Ideally, it's best not to store it at all.

Couldn't have said it better myself. Also, keep in mind that CC storage is highly regulated. Non-compliance could lead to heavy fines and, in most cases, cancellation of your merchant account.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229403
Re: Encrypt CC number and store in DB
If you must store CC numbers be sure your client understands the risks. We have used CardCrypt and TextCrypt from Perth Web (http://developer.perthweb.com.au/) with good success. Just be sure you NEVER let the private key be stored on the server and NEVER use it without SSL. And NEVER let the private key just lie around. The private key MUST be stored in a safe and secure location just like you would the keys to a safe.

I always suggest to clients they remove the CC numbers ASAP after they don't need them anymore like Bobby suggested: #replace(ccnumber, ccnumber, "")#

What's the best way to encrypt a CC number and store it in DB?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229404
Re: Encrypt CC number and store in DB
If they come by fax why not do an authorization only, which basically creates the transaction with your processor, then later come back and finalize the authorization. Authorize.net allows this but I'm not sure about other gateways. This seems to be the best way to remove all liability from you/your client and placing it on your gateway. The only downfall is I'm sure there is a timespan between the time you authorize to the time you charge. That would be gateway specific.

Here's how/why/when I use it.

1) Authorize card (show error if not approved, if so, move on)
2) Save to database (if save is successful move on, else show error and remove authorization)
3) Charge credit card

This prevents orders from being saved without charging cards and prevents cards from being charged without orders being saved to the db. Unfortunately, I've had both of those issues before on e-comm sites so I was forced to fail-safe it.

Also, if they come by fax, are they shredding the fax after receipt? If not, just store the last 4 and reference the fax doc.

On 1/12/06, Baz [EMAIL PROTECTED] wrote:
I have to store credit card numbers for an internal order processing system. Orders come by fax and the credit card number must be written to DB for later viewing/charging by another employee.

Where can I see these regulations?

Cheers,
Baz

-Original Message-
From: Jordan Michaels [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 6:13 PM
To: CF-Talk
Subject: Re: Encrypt CC number and store in DB

Dave Watts wrote:
What's the best way to encrypt a CC number and store it in DB?
Ideally, it's best not to store it at all.

Couldn't have said it better myself. Also, keep in mind that CC storage is highly regulated. Non-compliance could lead to heavy fines and, in most cases, cancellation of your merchant account.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
[EMAIL PROTECTED]

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229408
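The three-step authorize / save / capture flow above is a compensating-transaction pattern: if the step after authorization fails, the hold must be released, or the card ends up charged for an order nobody recorded. The following is an added Go example, not code from the thread or from any real gateway SDK. The Gateway interface and its Authorize/Capture/Void methods are hypothetical stand-ins for a processor's auth-only, prior-auth-capture and void calls, and the in-memory fakes are constructed so the flow runs offline.

```go
package main

import (
	"errors"
	"fmt"
)

// Gateway is a hypothetical stand-in for a processor API with auth-only,
// prior-auth capture and void operations; the method names are assumed.
type Gateway interface {
	Authorize(cardToken string, cents int64) (authID string, err error)
	Capture(authID string) error
	Void(authID string) error
}

// OrderStore is the application's own database; Save may fail.
type OrderStore interface {
	Save(o Order) error
}

type Order struct {
	ID, AuthID string
	Cents      int64
	State      string // authorized, voided, captured
}

// placeOrder runs the three steps in order: authorize, save, capture.
// A failed save voids the hold, so the card is never charged for an order
// the database does not know about; a declined card never reaches the database.
func placeOrder(gw Gateway, store OrderStore, id, cardToken string, cents int64) (Order, error) {
	authID, err := gw.Authorize(cardToken, cents)
	if err != nil {
		return Order{}, fmt.Errorf("authorization failed: %w", err)
	}
	o := Order{ID: id, AuthID: authID, Cents: cents, State: "authorized"}
	if err := store.Save(o); err != nil {
		if verr := gw.Void(authID); verr != nil { // compensating action failed
			return o, fmt.Errorf("save failed (%v) and void failed (%v): reconcile by hand", err, verr)
		}
		o.State = "voided"
		return o, fmt.Errorf("order not saved, hold released: %w", err)
	}
	if err := gw.Capture(authID); err != nil {
		return o, fmt.Errorf("order saved but unpaid, retry capture: %w", err)
	}
	o.State = "captured"
	return o, store.Save(o)
}

// Constructed in-memory fakes so the flow runs offline.
type fakeGateway struct {
	declined bool
	holds    map[string]string // authID -> held | captured | voided
}

func newFakeGateway(declined bool) *fakeGateway {
	return &fakeGateway{declined: declined, holds: map[string]string{}}
}

func (g *fakeGateway) Authorize(_ string, _ int64) (string, error) {
	if g.declined {
		return "", errors.New("card declined")
	}
	id := fmt.Sprintf("auth-%d", len(g.holds)+1)
	g.holds[id] = "held"
	return id, nil
}

func (g *fakeGateway) transition(id, to string) error {
	if g.holds[id] != "held" {
		return errors.New("no open hold for " + id)
	}
	g.holds[id] = to
	return nil
}

func (g *fakeGateway) Capture(id string) error { return g.transition(id, "captured") }
func (g *fakeGateway) Void(id string) error    { return g.transition(id, "voided") }

type fakeStore struct {
	fail   bool
	orders map[string]Order
}

func newFakeStore(fail bool) *fakeStore {
	return &fakeStore{fail: fail, orders: map[string]Order{}}
}

func (s *fakeStore) Save(o Order) error {
	if s.fail {
		return errors.New("database unavailable")
	}
	s.orders[o.ID] = o
	return nil
}
```

The case the code cannot fix on its own is the last branch in placeOrder: the save failed and the void also failed. That leaves a hold on the customer's card with no order behind it, so the function reports it loudly rather than swallowing it; the gateway's own auth expiry window, which the post notes is gateway specific, is the only backstop if nobody reconciles it.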
Re: Encrypt CC number and store in DB
The best way is DO NOT DO IT. No I'm not just being sarcastic...but there should be no reason to do this...if it's for recurring billing or for future orders...this can all be setup with your CC processing company...they store the CC num and give you a customer ID to store and use for future Txs...they spend all the $$ on security and liability insurance...why should you ;-)

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229409
Re: Encrypt CC number and store in DB
Exactly. :-)

On 1/12/06, Bryan Stevenson [EMAIL PROTECTED] wrote:
The best way is DO NOT DO IT. No I'm not just being sarcastic...but there should be no reason to do this...if it's for recurring billing or for future orders...this can all be setup with your CC processing company...they store the CC num and give you a customer ID to store and use for future Txs...they spend all the $$ on security and liability insurance...why should you ;-)

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229410
Re: Encrypt CC number and store in DB
I have to store credit card numbers for an internal order processing system. Orders come by fax and the credit card number must be written to DB for later viewing/charging by another employee.

Is the 'internal order system' on the web? Or is this inside a protected network?

Here is some good info from Visa: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html

Jim

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229413
RE: Encrypt CC number and store in DB
Hmm... I'm going to look into that Bryan. I didn't know processors generally gave functionality to store and query CC nums by customer - I'll see if mine does it.

Baz

-Original Message-
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 7:17 PM
To: CF-Talk
Subject: Re: Encrypt CC number and store in DB

The best way is DO NOT DO IT. No I'm not just being sarcastic...but there should be no reason to do this...if it's for recurring billing or for future orders...this can all be setup with your CC processing company...they store the CC num and give you a customer ID to store and use for future Txs...they spend all the $$ on security and liability insurance...why should you ;-)

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229416
Re: Encrypt CC number and store in DB
Eeks. This is a great topic to get super vague info since we're all shooting to protect our data and not get sued.

Encrypt it and don't label the field names like CreditCard or CC. Use something which won't lead the hacker to believe it's a CC field. Even better, encrypt every field in the table and use a separate key with every column. Yes, you're playing by ear when you do stuff like this but hey, so are the people who process these high risk things.

If you're not on a dedicated box with dedicated database I wouldn't recommend it period. Have a note or something instead that mentions we will call you to assist in final arrangements and payment..

Casey

If you're not doing 100,000 plus transactions then you're not someone like paypal or

On 1/12/06, Baz [EMAIL PROTECTED] wrote:
Hmm... I'm going to look into that Bryan. I didn't know processors generally gave functionality to store and query CC nums by customer - I'll see if mine does it.

Baz

-Original Message-
From: Bryan Stevenson [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 12, 2006 7:17 PM
To: CF-Talk
Subject: Re: Encrypt CC number and store in DB

The best way is DO NOT DO IT. No I'm not just being sarcastic...but there should be no reason to do this...if it's for recurring billing or for future orders...this can all be setup with your CC processing company...they store the CC num and give you a customer ID to store and use for future Txs...they spend all the $$ on security and liability insurance...why should you ;-)

Bryan Stevenson B.Comm.
VP Director of E-Commerce Development
Electric Edge Systems Group Inc.
phone: 250.480.0642
fax: 250.480.1264
cell: 250.920.8830
e-mail: [EMAIL PROTECTED]
web: www.electricedgesystems.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:229417
RE: encrypt + file append + decrypt
no one? anyway, realised my mistake as soon as I left the office - each message has to be decrypted individually. Just because they are all encrypted using the same algorithm and appended doesn't mean you can decrypt them all in one go.

-Original Message-
From: Kerry [mailto:[EMAIL PROTECTED]
Sent: 09 November 2005 18:48
To: CF-Talk
Subject: encrypt + file append + decrypt

okay, been looking at this for a while now, can't see why it's not working, suggestions appreciated!

<!---
environment: cfmx 6.1, win2K
code objective: encrypt string + linebreak, append to file (repeat), read file, decrypt, display in textarea
expected output: 1 2 3 4 5 6 7 8 9 10
actual output: 1
--->
<cfset logdir = getdirectoryfrompath(getcurrenttemplatepath())>
<cfset logfil = "encrypted.txt">
<cfset logpath = logdir & logfil>
<cfif fileexists(logdir & logfil)>
  <cffile action="delete" file="#logpath#">
</cfif>
<cfloop from="1" to="10" index="i">
  <!--- each encrypted message is appended back-to-back, with no delimiter between them --->
  <cfset message = encrypt(URLEncodedFormat(i & chr(13) & chr(10)), hash(logfil))>
  <cfif not fileexists(logdir & logfil)>
    <cffile action="write" file="#logpath#" output="#message#" addnewline="no">
  <cfelse>
    <cffile action="append" file="#logpath#" output="#message#" addnewline="no">
  </cfif>
</cfloop>
<cffile action="read" file="#logpath#" variable="filcontents">
<cfoutput>
<textarea>#URLDecode(decrypt(filcontents, hash(logfil)))#</textarea>
</cfoutput>

thx all.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:223809
Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)
OK, follow up to this, can anybody suggest ways that they currently encrypt/decrypt sensitive data? I need to encrypt the data to save into the database and then at a later date retrieve that data, decrypt it and let the user edit it. I have looked at using the various algorithms excluding CFMX_COMPAT but I notice that uses the GenerateSecretKey function. I am assuming that the key that is generated is different every time therefore once I have encrypted the data, if I do not save the original key then when I come to decrypt the data it will use a different key and so fail? Or am I completely wrong here?

Hi all, I am trying to store specific data into a database in an encrypted format. This data also has to be decrypted so as to be displayed and edited onscreen therefore ruling out using the hash function. The problem that I am having is on the decrypt. Example:

<cfset foo = encrypt("johnmurray", "wibble")>

foo then equals *5)V%5*.Z59RR$

I save this text to the database. An unusual thing happens when I try to decrypt this text as follows;

<cfset foo = decrypt("*5)V%5*.Z59RR$", "wibble")>

foo then equals johnmurrax

as you can see the 'y' has become an 'x'. Now here is the strange thing,

<cfset foo = encrypt("johnmurray ", "wibble")>

- with an extra space at the end of johnmurray everything encrypts/decrypts correctly using an 11 character string. also

<cfset foo = encrypt("johnmurra", "wibble")>

- if I make it only 9 characters then this also encrypts/decrypts correctly. It seems to only happen with 10 letter strings? This is on Coldfusion 7, using a SQL database. I have tried URLEncodedFormat before saving to the database and then using URLDecode after retrieving. As this text is defined by the user then I cannot simply say that there can be no 10 character strings so has anyone ever come across this? Does anyone have any better encryption ideas I could use? This is a really annoying little quirk as to why it only seems to affect 10 character strings, weird huh?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219251
Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)
There is no bug in encrypt/decrypt, the problem is that in that instance, the encrypt result contains a space at the end. As you can see with the following code, the key is not "*5)V%5*.Z59RR$", but "*5)V%5*.Z59RR$ "

<cfset foo = encrypt("johnmurray", "wibble")>
<CFOUTPUT>[#htmlEditFormat(foo)#], #decrypt(foo, "wibble")#, #decrypt("*5)V%5*.Z59RR$", "wibble")# #decrypt("*5)V%5*.Z59RR$ ", "wibble")#</CFOUTPUT>

Then you have to make sure the value will not be trimmed at any step. I can also foresee some potential problem when the encrypted key contains quotes, single or double.

--
___ REUSE CODE! Use custom tags; See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED]) Thanks.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219261
Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)
Does your database itself provide encrypted storage? That'd certainly be easier if it does.

On a different topic, executing the code you listed demonstrated the error with 'y' becoming 'x', but if the decrypt operation is changed to use the foo variable directly, the proper result is returned. The difference is that the encrypted string has a trailing space that you're truncating. So you're not actually decrypting the right encrypted value, which is why you're getting the invalid result.

cheers,
barneyb

On 9/26/05, Andy Mcshane [EMAIL PROTECTED] wrote:
OK, follow up to this, can anybody suggest ways that they currently encrypt/decrypt sensitive data? I need to encrypt the data to save into the database and then at a later date retrieve that data, decrypt it and let the user edit it. I have looked at using the various algorithms excluding CFMX_COMPAT but I notice that uses the GenerateSecretKey function. I am assuming that the key that is generated is different every time therefore once I have encrypted the data, if I do not save the original key then when I come to decrypt the data it will use a different key and so fail? Or am I completely wrong here?

Hi all, I am trying to store specific data into a database in an encrypted format. This data also has to be decrypted so as to be displayed and edited onscreen therefore ruling out using the hash function. The problem that I am having is on the decrypt. Example:

<cfset foo = encrypt("johnmurray", "wibble")>

foo then equals *5)V%5*.Z59RR$

I save this text to the database. An unusual thing happens when I try to decrypt this text as follows;

<cfset foo = decrypt("*5)V%5*.Z59RR$", "wibble")>

foo then equals johnmurrax

as you can see the 'y' has become an 'x'. Now here is the strange thing,

<cfset foo = encrypt("johnmurray ", "wibble")>

- with an extra space at the end of johnmurray everything encrypts/decrypts correctly using an 11 character string. also

<cfset foo = encrypt("johnmurra", "wibble")>

- if I make it only 9 characters then this also encrypts/decrypts correctly. It seems to only happen with 10 letter strings? This is on Coldfusion 7, using a SQL database. I have tried URLEncodedFormat before saving to the database and then using URLDecode after retrieving. As this text is defined by the user then I cannot simply say that there can be no 10 character strings so has anyone ever come across this? Does anyone have any better encryption ideas I could use? This is a really annoying little quirk as to why it only seems to affect 10 character strings, weird huh?

--
Barney Boisvert
[EMAIL PROTECTED]
360.319.6145
http://www.barneyb.com/
Got Gmail? I have 100 invites.

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219262
Re: Encrypt/Decrypt Suggestions (WAS Weird Encrypt/Decrypt problem!)
and that trailing space is being trimmed out by the db. Sooner or later you would have other issues even if you work around this one somehow. See my post on this in the other thread. It's an easy fix but you won't make the 'classic' CF algorithm any more secure.

--
--mattRobertson--
Janitor, MSB Web Systems
mysecretbase.com
http://mysecretbase.com

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:219269
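Two threads on this page fail for the same underlying reason: Kerry's "encrypt + file append + decrypt" post appends raw ciphertexts with no delimiter and then decrypts the file as one value, and Andy's "Weird Encrypt/Decrypt problem" stores raw ciphertext whose trailing space the database trims. The following is an added Go example, not code from either thread or from ColdFusion, showing the fix both need: seal each record separately with an authenticated cipher (AES-256-GCM), carry the nonce and tag with the record, and store it base64-encoded one record per line, so trimming cannot touch it and each line decrypts on its own. The line format, the function names and the 32-byte key the caller supplies are this example's own choices; unlike the thread's hash(logfil), the key here is meant to be random and kept outside the file.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// appendRecord seals one record and appends it as one base64 line holding
// nonce || ciphertext || tag. Base64 has no edge whitespace and no quotes,
// so a trimming column or a text file cannot corrupt it.
func appendRecord(sb *strings.Builder, key []byte, record string) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(record), nil) // nonce prepended
	sb.WriteString(base64.StdEncoding.EncodeToString(sealed) + "\n")
	return nil
}

// decodeLines base64-decodes each line back to raw bytes.
func decodeLines(data string) ([][]byte, error) {
	var raws [][]byte
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // harmless for base64
		raw, err := base64.StdEncoding.DecodeString(line)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", len(raws)+1, err)
		}
		raws = append(raws, raw)
	}
	return raws, sc.Err()
}

// openRecord splits nonce || ciphertext and authenticates the record.
func openRecord(gcm cipher.AEAD, raw []byte) (string, error) {
	n := gcm.NonceSize()
	if len(raw) <= n {
		return "", fmt.Errorf("record too short")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}

// readRecords decrypts the file one line at a time: each line carries its
// own nonce and tag, so records are recovered individually.
func readRecords(data string, key []byte) ([]string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raws, err := decodeLines(data)
	if err != nil {
		return nil, err
	}
	var out []string
	for i, raw := range raws {
		pt, err := openRecord(gcm, raw)
		if err != nil {
			return out, fmt.Errorf("record %d: %w", i+1, err)
		}
		out = append(out, pt)
	}
	return out, nil
}

// decryptWhole repeats the mistake from the append thread: it glues the raw
// ciphertexts together and treats them as one message. The tag check fails
// as soon as there is more than one record.
func decryptWhole(data string, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raws, err := decodeLines(data)
	if err != nil {
		return "", err
	}
	return openRecord(gcm, bytes.Join(raws, nil))
}
```

With an authenticated mode the failure modes in both threads become hard errors instead of silent corruption: a glued file, a trimmed or edited line, or a wrong key all return an error from gcm.Open rather than a plausible-looking "johnmurrax". The same base64-before-storage rule applies to any column that holds ciphertext, whichever language produced it.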