You're right, everything is crackable. I just wouldn't think that you can throw cfencrypt'ed text into some "magic cracker" program and get the decrypted results (keep in mind, this is different from brute forcing keys). Unless the CF developers were idiots and placed the key automatically in the encrypted text. Of course, most "decrypters" for cfencrypt() probably wouldn't take very long to decrypt using brute force techniques, because most developers I know use very short keys, like "abc123" - your encryption key should be very long, and random.

What do you mean by "finding the key was trivial"? The key for that function is user selected. You could brute force them, but I do not believe there's a simple way to "automatically" determine the encryption key used (as opposed to template encryption, which in essence uses a public key).

Are you sure you're referring to cfencrypt() the function, and not referring to template decryption?

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 2:52 PM
Subject: Re: Credit Card Encryption

> Why isn't it crackable? Everything's crackable. Anyhoo, it has been
> cracked. Finding the key for that function was horribly trivial. Go
> to Google and do a search, you'll find some code that'll unencrypt
> cfencrypt()'ed material.
>
> ----- Original Message -----
> From: BILLY CRAVENS <[EMAIL PROTECTED]>
> Date: Tuesday, December 4, 2001 1:37 pm
> Subject: Re: Credit Card Encryption
>
> > Are you sure about the cfencrypt() function? I don't think it's
> > "crackable", though any encryption is if you throw enough keys at it.
> > Rather, the encryption for encrypting files (like encrypted custom
> > tags) has been cracked for a long time (since it requires no user
> > selectable key).
> >
> > ----- Original Message -----
> > From: "Jeffrey Polaski" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 04, 2001 2:29 PM
> > Subject: RE: Credit Card Encryption
> >
> > > You can also remove the CC numbers from the database. We don't
> > > process a huge amount of CC's, so we just run some SQL to set all
> > > but the last four digits to 'x' after having copied the good cc
> > > numbers to a floppy. The floppies go to a locked manager's office.
> > > That way the numbers aren't even on the network. We don't do it
> > > every day, but once a week or so--enough that there aren't very
> > > many CC numbers sitting in the db.
> > >
> > > One suggestion: write a stored procedure that writes the CC
> > > numbers out to disk, then run GnuPG on the file, and then set all
> > > but the last four CC digits to 'x'. You could do it with a cron
> > > job, or use a scheduled task in CF. I think that would work for
> > > you.
> > >
> > > One note: cfencrypt(), AFAIK, has been cracked. I'm not sure if
> > > that's true of recent versions of CF, though.
> > >
> > > Jeff Polaski
> > > Webmaster
> > > Research & Graduate Studies
> > > University California, Irvine
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, November 29, 2001 9:43 AM
> > > To: CF-Talk
> > > Subject: Credit Card Encryption
> > >
> > > Does anyone have any insight on encrypting data into a Table? A
> > > client is asking about storing CC numbers and I want to see what
> > > level of protection we can provide.
> > >
> > > TIA!
> > >
> > > Hatton
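
The export-then-mask routine suggested in Jeff Polaski's message, sketched as an added Python example that is not part of the original thread. It assumes a SQLite table `orders` with a `cc_number` column (hypothetical names), and `encrypt_and_store` is a hypothetical callback standing in for the GnuPG step; the point it shows is ordering, so that no number is masked unless its encrypted copy was stored first.

```python
import sqlite3

def mask_pan(pan: str) -> str:
    """Replace every digit except the last four with 'x'; keep separators."""
    kept, out = 0, []
    for ch in reversed(pan):
        if ch.isdigit():
            kept += 1
            out.append(ch if kept <= 4 else "x")
        else:
            out.append(ch)
    return "".join(reversed(out))

def export_and_mask(conn, encrypt_and_store) -> int:
    """Export unmasked numbers, then mask them; returns rows masked.

    encrypt_and_store is a hypothetical callback standing in for the
    "run GnuPG on the file" step. It must raise on failure, so that no
    number is masked unless its encrypted copy was stored.
    """
    rows = conn.execute("SELECT id, cc_number FROM orders ORDER BY id").fetchall()
    pending = [(i, pan) for i, pan in rows if mask_pan(pan) != pan]
    if not pending:
        return 0  # already-masked rows are never re-exported
    encrypt_and_store("".join(f"{i},{pan}\n" for i, pan in pending))
    with conn:  # single transaction: all rows masked or none
        conn.executemany(
            "UPDATE orders SET cc_number = ? WHERE id = ?",
            [(mask_pan(pan), i) for i, pan in pending],
        )
    return len(pending)

def make_sample_db():
    """In-memory table with constructed test numbers (not real cards)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, cc_number TEXT)")
    conn.executemany(
        "INSERT INTO orders (cc_number) VALUES (?)",
        [("4111111111111111",), ("5500-0000-0000-0004",), ("xxxxxxxxxxxx1881",)],
    )
    conn.commit()
    return conn

if __name__ == "__main__":
    db, exported = make_sample_db(), []
    print(export_and_mask(db, exported.append), "rows masked")
    print([r[0] for r in db.execute("SELECT cc_number FROM orders ORDER BY id")])
```
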

