RE: decryption question
Justin,

Good points.

>>> Storing credit card data is serious business and not to be taken lightly.

OK, CVV is out of there. Good advice.

>> In your case, as a place to start, set up a separate temporary script which generates a key, then take the generated key output and put it in a variable in the request scope in your application.cfc file. Then use request.theKey (or whatever you call it) as the key whenever you make an encrypt() or decrypt() call.

OK this is a lot to process. I understand the concept; I gotta figure out the script syntax and I am not good at scripting. I will work on this and get back to you.

Thank you again for your help.

Eric

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Monday, February 18, 2013 10:32 PM
To: cf-talk
Subject: Re: decryption question

> http://pastebin.com/3xtt3b8k

At first glance I'm not sure why it wouldn't find the form variable. You might try explicitly setting the scope in all instances of that variable. Also, why are you paraming it in the form scope? Your form doesn't have a variable called "decrypted" so it will always start out blank. I'd just set a blank variable in the "variables" scope and then set that if you decrypt a card number and use it that way so they're all in the same scope.

Also, regarding your encryption keys, you're generating a new key just before the encrypt() call, so it'll go into the database encrypted. However, you're not storing the key anywhere so you won't be able to decrypt on subsequent page loads (since the key is changing every time the page loads). Generally you would generate an AES key and then store it somewhere secure (key management is another whole topic) and then fetch that stored key when you need to use it for encryption and decryption calls.

In your case, as a place to start, set up a separate temporary script which generates a key, then take the generated key output and put it in a variable in the request scope in your application.cfc file. Then use request.theKey (or whatever you call it) as the key whenever you make an encrypt() or decrypt() call. That will allow you to use the same key for data going into and coming out of the database. Use that as a place to start, but do some reading on encryption key management before you put it into production.

Finally, do not store the CVV in the database. It's against the contract rules for every major credit card processor, the PCI-DSS standards, and will create a lot of headaches if your site is ever hacked. CVV codes are meant for online live transactions only and should not be stored anywhere ever (lots of clients will complain that they need it for offline processing to save some processing fees; tell them too bad and don't store it, no good can come of it).

If you aren't familiar with the PCI-DSS, please go to https://www.pcisecuritystandards.org/security_standards/ and look over the information there. Storing credit card data is serious business and not to be taken lightly.

-Justin

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354582
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: decryption question
> http://pastebin.com/3xtt3b8k

At first glance I'm not sure why it wouldn't find the form variable. You might try explicitly setting the scope in all instances of that variable. Also, why are you paraming it in the form scope? Your form doesn't have a variable called "decrypted" so it will always start out blank. I'd just set a blank variable in the "variables" scope and then set that if you decrypt a card number and use it that way so they're all in the same scope.

Also, regarding your encryption keys, you're generating a new key just before the encrypt() call, so it'll go into the database encrypted. However, you're not storing the key anywhere so you won't be able to decrypt on subsequent page loads (since the key is changing every time the page loads). Generally you would generate an AES key and then store it somewhere secure (key management is another whole topic) and then fetch that stored key when you need to use it for encryption and decryption calls.

In your case, as a place to start, set up a separate temporary script which generates a key, then take the generated key output and put it in a variable in the request scope in your application.cfc file. Then use request.theKey (or whatever you call it) as the key whenever you make an encrypt() or decrypt() call. That will allow you to use the same key for data going into and coming out of the database. Use that as a place to start, but do some reading on encryption key management before you put it into production.

Finally, do not store the CVV in the database. It's against the contract rules for every major credit card processor, the PCI-DSS standards, and will create a lot of headaches if your site is ever hacked. CVV codes are meant for online live transactions only and should not be stored anywhere ever (lots of clients will complain that they need it for offline processing to save some processing fees; tell them too bad and don't store it, no good can come of it).

If you aren't familiar with the PCI-DSS, please go to https://www.pcisecuritystandards.org/security_standards/ and look over the information there. Storing credit card data is serious business and not to be taken lightly.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354581
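
Justin's starting point from the message above, shown as an added example (not code from the thread or from the pastebin): one key generated once and reused for both encrypt() and decrypt(), with the output variable given a default before the CFIF. The file names, the application name and the PASTE_GENERATED_KEY_HERE placeholder are assumptions; each commented section belongs in its own file.

```cfml
<!--- genkey.cfm (hypothetical name): run once, copy the output, then delete the file.
      Algorithm and key size are the ones used in the thread. --->
<cfoutput>#GenerateSecretKey("AES", 256)#</cfoutput>

<!--- Application.cfc: expose the same stored key on every request --->
<cfcomponent output="false">
    <cfset this.name = "cardDemo"> <!--- assumed application name --->

    <cffunction name="onRequestStart" returntype="boolean" output="false">
        <cfargument name="targetPage" type="string" required="true">
        <!--- Placeholder, not a real key: paste the genkey.cfm output here.
              Starting point only, as the thread says; read up on key
              management before this goes to production. --->
        <cfset request.theKey = "PASTE_GENERATED_KEY_HERE">
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- save.cfm (hypothetical): encrypt with the stored key before the INSERT --->
<cfset encryptedCard = encrypt(form.CreditCardNumber, request.theKey, "AES", "UU")>

<!--- edit.cfm (hypothetical): default first, then decrypt with the same key --->
<cfset decrypted = "">
<cfif len(trim(editUser.CreditCardNumber))>
    <cftry>
        <cfset decrypted = decrypt(editUser.CreditCardNumber, request.theKey, "AES", "UU")>
        <cfcatch type="any">
            <!--- Wrong key or damaged ciphertext: keep the blank default and
                  log the failure without writing any card data to the log --->
            <cflog file="cardcrypto" type="error" text="decrypt failed for a stored card number">
        </cfcatch>
    </cftry>
</cfif>
<cfoutput>
    <input type="text" name="decrypted" value="#HTMLEditFormat(decrypted)#">
</cfoutput>
```
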
RE: decryption question
Justin, is this helpful?

http://pastebin.com/3xtt3b8k

Sorry about all of the extraneous code in there. I do not think there is sensitive information -- no passwords or usernames. The datasource and the various tables are defined in application.cfc.

I really appreciate your time.

N.B. This information will be submitted over an SSL / HTTPS connection.

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Monday, February 18, 2013 9:32 PM
To: cf-talk
Subject: Re: decryption question

> Hmm. I am still getting error "Variable DECRYPTED is undefined." which
> is weird since I have defined it -- in scope FORM.

Hi Eric, I'd recommend throwing the whole file up to somewhere like pastebin and posting a URL so we can see what all is going on in there (make sure to remove any sensitive information before posting, but seeing the whole file will help troubleshoot).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354580
Re: decryption question
> Hmm. I am still getting error "Variable DECRYPTED is undefined." which is
> weird since I have defined it -- in scope FORM.

Hi Eric, I'd recommend throwing the whole file up to somewhere like pastebin and posting a URL so we can see what all is going on in there (make sure to remove any sensitive information before posting, but seeing the whole file will help troubleshoot).

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354579
RE: decryption question
Justin,

I was pondering some of your points, too. I've been reading up in the documentation, and trying different ideas. Here is what I have so far:

[code] [/code]

Hmm. I am still getting error "Variable DECRYPTED is undefined." which is weird since I have defined it -- in scope FORM.

I think I am missing a core concept. =) Can you clue me in?

Thank you again for your time.

Eric

-----Original Message-----
From: Justin Scott [mailto:leviat...@darktech.org]
Sent: Monday, February 18, 2013 6:46 PM
To: cf-talk
Subject: Re: decryption question

> > GenerateSecretKey("AES", 256)> decrypt(form.CreditCardNumber, theKey, "AES", "UU")>

Since the only place where the "decrypted" variable is being set is within the CFIF block, I'd check to ensure the editUser.CreditCardNumber field wasn't blank as a first step. If you want it to default to a blank value if nothing is present in the database, you'll need to move your CFPARAM tag above the CFIF block so it's not contained within that logic and always gets a default value to work with.

As an aside, you shouldn't be generating a new key just before you run the decrypt() call. You would need to use the same key that was used with the encrypt() call when the number was first encrypted in order to decrypt successfully.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354578
Re: decryption question
> > > > >

Since the only place where the "decrypted" variable is being set is within the CFIF block, I'd check to ensure the editUser.CreditCardNumber field wasn't blank as a first step. If you want it to default to a blank value if nothing is present in the database, you'll need to move your CFPARAM tag above the CFIF block so it's not contained within that logic and always gets a default value to work with.

As an aside, you shouldn't be generating a new key just before you run the decrypt() call. You would need to use the same key that was used with the encrypt() call when the number was first encrypted in order to decrypt successfully.

-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354577
decryption question
Hi.

A while ago, some kind folks on here helped me with encryption for a credit card number:

[code] [/code]

That works perfectly. Now I am trying to decrypt the encrypted value in the database. Following the guide at http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7c1c.html, here is what I have so far:

[code] [/code]

The output goes in a text field:

Credit Card Number (decrypted):

But I get an error:

Variable DECRYPTED is undefined.

I did "cfset" a value for variable "decrypted". Why does ColdFusion insist that "#decrypted#" is undefined?

Thank you for any advice.

Eric

***
Eric Bourland
Internet Project Development
Washington DC
email: e...@ebwebwork.com
web: ebwebwork.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354576