Pooh Bear

I used a similar technique in my custom tag cf_cryp that's in the
developer's gallery. I actually use the encrypt() function in CF and
then do various operations to convert characters, shift bits and flip
nibbles. I also added a checksum (also encoded) so I could validate
the data after it was decrypted. BUT, it is still not secure when
compared with 128-bit RSA encryption.

True, a user would be hard pressed to figure out your (or my)
particular encryption algorithm, but "real" hackers will run a few of
your (or my) strings through software programs designed to recognize
patterns such as yours and break the code. It may take some trial
and error, but they can and will break it.

I use cf_cryp, not to store credit card numbers or other sensitive
information, but, for example, to encrypt values I use in hidden form
fields. This helps ensure that the values are correct when I process
the form. But - I can't be absolutely positive that someone hasn't
broken my code.

cf_cryp also has an error reporting mechanism that allows you to
detect the trial/error method and determine if the decrypted string
has been tampered with. By storing and analyzing this information,
you can see if someone is trying to break the algorithm and even lock
them out (again, not foolproof).

HTH
Jackson Moore
[EMAIL PROTECTED]

On Tue, 24 Jul 2001 14:20:51 -0500, Pooh Bear wrote:
>hey, i'm the Original Inquirer. heh, kinda like that title. ermm anyways,
>like i said, the code turns 4665775886868576 into
>"hkjsdhk987697834^*&^@@@Kj=-018^%13534kljdsa986(*@*&(@# dsjfkhk"
>junk.
>someone said that someone could get the pattern, but i think it is
>impossible, since part of the encryption uses ASC or Char to change
>characters (only certain letters according to what the "ith" number
>is), and they will never know at which point i used that
>transformation, or how many times. MUWHAHAHA! or what else I did (i
>also used mathematical calculations, string appends, and other string
>functions). I mean every outcome is sooo different finding a pattern
>is impossible. And every outcome doesn't have the same amount of
>character lengths. like, the only possible way to figure it out is to
>look at the CF code itself, and then to work it backwards (which took
>me a while to figure out too bahehehe)
>
>Am i right/wrong in my assumption?
>
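
Added example, not part of the original messages and not cf_cryp's code: the hidden-form-field check and the failure tracking described in the reply, sketched in Python with a standard keyed MAC (HMAC-SHA256) swapped in for the custom checksum. It protects integrity only and does not hide the value; SERVER_KEY, MAX_FAILURES and all function names are hypothetical.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key; a real deployment loads a random secret from server-side config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_FAILURES = 3        # hypothetical lockout threshold
_failures = Counter()   # failed verifications per client identifier


def _tag(name: str, value: str) -> str:
    # Binding the field name into the MAC stops a valid value being moved to another field.
    return hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def seal(name: str, value: str) -> str:
    """Return 'value|tag' to place in the hidden field when the form is rendered."""
    return f"{value}|{_tag(name, value)}"


def is_locked_out(client: str) -> bool:
    return _failures[client] >= MAX_FAILURES


def open_sealed(name: str, sealed: str, client: str):
    """Return the value if its tag verifies; None if tampered or the client is locked out."""
    if is_locked_out(client):
        return None
    value, sep, tag = sealed.rpartition("|")
    # compare_digest on bytes is constant-time and accepts any submitted text.
    if sep and hmac.compare_digest(tag.encode(), _tag(name, value).encode()):
        return value
    _failures[client] += 1  # record the failed check for later analysis and lockout
    return None


if __name__ == "__main__":
    field = seal("price", "19.99")                    # constructed sample field
    print(open_sealed("price", field, "client-a"))    # value round-trips unchanged
    altered = field.replace("19.99", "0.01")
    print(open_sealed("price", altered, "client-b"))  # altered value is rejected
```
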