Howie,
A User-defined key would not be a bad thing necessarily...it is simply
something that would have to be loaded when the server starts...they could
even use a key creation method similar to what IIS uses when you need to
issue a new certificate...
Basically my premise is this, MM should do something if they are going to
offer the feature...
Regards,
John
-----Original Message-----
From: Howie Hamlin [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 12:09 PM
To: CF-Talk
Subject: Re: Need decryptor tag for CFUG presentation
But, if the key is user-defined then how would someone distribute their
software? the CF server would need to know the key in order
to open the encrypted file. Would each CF server then need to maintain
multiple keys? I don't think that is workable. Like I
said, the decryption needs to be fast for the server and so that is why CF
has a built-in key.
Regards,
Howie
BTW - not sure how many people realize it but the key that Allaire
originally used was actually very clever. It was designed so
that a casual cracker would not find it easily as it looks to be part of the
code. If you look at the binary code of the Allaire
encrypter the key is there but definitely not obvious.
----- Original Message -----
From: "Top-Link Tech (John Ceci)" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Friday, June 08, 2001 12:49 PM
Subject: RE: Need decryptor tag for CFUG presentation
> Howie,
>
> I would agree with getting off the net is impossible, that is why I
> presented #2, change the basic encryption scheme to something different,
> there are plenty of methods to encrypt a file that have a user-defined key
> that are fast...so just change to a different method, now it might only
take
> a week or two for someone to crack that too, but some type of effort by MM
> to combat this is necessary...
>
> John
>
> -----Original Message-----
> From: Howie Hamlin [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 08, 2001 9:58 AM
> To: CF-Talk
> Subject: Re: Need decryptor tag for CFUG presentation
>
>
>
> ----- Original Message -----
> From: "Top-Link Tech (John Ceci)" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Friday, June 08, 2001 11:17 AM
> Subject: RE: Need decryptor tag for CFUG presentation
>
>
> > Ray,
> >
> > I would agree with your statement competely...
> >
> > BUT, since this program exists, and we have known that it exists for
some
> > time there are a couple of things MM should have done...
> > #1. MM needs to find who wrote it and get the tag off the internet
>
> It's no secret:
>
> Matt Chapman ([EMAIL PROTECTED])
>
> And, if you search the net you'll find it all over the place (including
> source code) so getting it off the net is not going to
> happen. I've even seen it offered as shareware (if you can believe that!)
>
> > #2. MM needs to change the encryption methodology inside of CF5.0 in the
> > first SP which will then totally take the program out of usefulness...
> >
>
> The problem with the cf encryption is that it needs to be fast and have a
> know key so this type of encrypton can be compromised.
>
> Regards,
>
> Howie
>
> > John
> >
> >
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
