What I'm showing in the example isn't in a query file at all, just a test file to examine this behaviour. BTW: the value buskirk is just someone's last name and isn't a password.

Bill

On 2/14/06, Roland Collins <[EMAIL PROTECTED]> wrote:

Without seeing your queries, it's hard to guess what's going on.  Are you sure there's not a trim statement inside the queries that store the data either?


Also, as an alternative, you might want to try hashing the password so that it is completely unrecoverable anyway.  Storing recoverable passwords in the database – even when they're encrypted – is a big no no in my world.  The method described here is much more secure: http://livedocs.macromedia.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000503.htm.


Roland



From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Bill Rawlinson
Sent: Tuesday, February 14, 2006 5:30 PM
To: CFCDev@cfczone.org
Subject: [CFCDev] OT: coldfusion encrypt


I know this isn't specifically a CFC question and I should probably pose this to the CF-Talk message board - but please bear with me.

I am using ColdFusion Server Developer 7,0,1,116466 and am noticing extremely odd behaviour with encrypt and one word.. buskirk

<cfset testkey = "l9jfs9jk34r9dfjkd">

<cfoutput>
    <!--- encrypt() called with only string and key, i.e. the default algorithm and encoding --->
    <cfset pwd = encrypt("buskirk",testkey) />
#pwd#END<br />

    <!--- dump each character code so the trailing space in the result is visible --->
<cfloop from="1" to="#len(pwd)#" index="i">#ASC(mid(pwd,i,1))#-</cfloop>
<br />
    <!--- same thing for a word that differs only in its last letter --->
<cfset pwd2 = encrypt("buskirj",testkey) />
#pwd2#END<br />
<cfloop from="1" to="#len(pwd2)#" index="a">#ASC(mid(pwd2,a,1))#-</cfloop>
<br />

    <!--- the two literals differ only by the trailing space; both decrypt to buskirj --->
#decrypt("'<:FL4KX+) ",testkey)#<br />
#decrypt("'<:FL4KX+)",testkey)#
</cfoutput>

If you run the above code you will notice that when I encrypt buskirk it displays as: '<:FL4KX+) END (the ' and the space are both part of the encrypted result; the END was put there to make sure I could see the result clearly).
You will also see that buskirj is encrypted as '<:FL4KX+)0 END - you will notice it too has the ' and the space.


However, in the decrypt statement see what happens with the second one - it has no 0 or space at the end. It decrypts back as buskirj.

So, I then went back and put those loop statements in to examine the characters being generated by the encryption - and it turns out they are identical except for the fifth to last character.

I am storing this encrypted string in an Oracle database.  I encrypt buskirk and store it - then when I pull it out and decrypt it and compare it against buskirk it fails because CF thinks the decryption is buskirj  due to the fact that buskirj can be resolved from either:
'<:FL4KX+)0 END  OR
'<:FL4KX+)END
if you remove the END from both lines.

NOTE: I am not doing a trim at any time on the encrypted password.

What's going on? What other words are going to cause me trouble?

I have tried different encryption keys and the problem occurs with some - but not others..

For instance the problem persists with the above key, and with [EMAIL PROTECTED]. But it doesn't with the key: fasjf9e3rjlaf
In fact with fasjf9e3rjlaf - I can trim the space off the end of the encrypted buskirk and it decrypts back to buskirk without a problem.


Is this a known problem? Am I just crazy? Unlucky that someone's name is Buskirk?

Thanks for your time in considering this,

Bill
--
[EMAIL PROTECTED]
http://blog.rawlinson.us

If you want Gmail - just ask.
----------------------------------------------------------
You are subscribed to cfcdev. To unsubscribe, send an email to cfcdev@cfczone.org with the words 'unsubscribe cfcdev' as the subject of the email.

CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting (www.cfxhosting.com).

An archive of the CFCDev list is available at www.mail-archive.com/cfcdev@cfczone.org
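Added example (not code from either message): it covers both Bill's trailing-space problem and Roland's hashing suggestion. It assumes ColdFusion MX 7, where encrypt() and hash() accept an algorithm and encoding argument; the function and variable names are made up for this illustration.

```cfml
<!--- Option A: if the value really must be recoverable, do not rely on the default
      algorithm/encoding. Hex output contains only 0-9 and A-F, so there is no
      space or other whitespace for a database column or driver to trim or pad. --->
<cffunction name="encryptForStorage" returntype="string" output="false">
    <cfargument name="plain" type="string" required="true">
    <cfargument name="key" type="string" required="true">  <!--- e.g. generateSecretKey("AES") --->
    <cfreturn encrypt(arguments.plain, arguments.key, "AES", "Hex")>
</cffunction>

<!--- Option B (what Roland recommends): store a salted hash, never the password.
      A lost or dumped database then yields no recoverable passwords. --->
<cffunction name="makePasswordRecord" returntype="struct" output="false">
    <cfargument name="password" type="string" required="true">
    <cfset var rec = structNew()>
    <!--- hypothetical per-user salt: 32 hex characters derived from a fresh UUID --->
    <cfset rec.salt = left(hash(createUUID(), "SHA-256"), 32)>
    <cfset rec.hash = hash(rec.salt & arguments.password, "SHA-256")>
    <cfreturn rec>
</cffunction>

<cffunction name="passwordMatches" returntype="boolean" output="false">
    <cfargument name="password" type="string" required="true">
    <cfargument name="salt" type="string" required="true">
    <cfargument name="storedHash" type="string" required="true">
    <!--- hash() returns upper-case hex, so a case-sensitive compare() needs no trim() --->
    <cfset var candidate = hash(arguments.salt & arguments.password, "SHA-256")>
    <cfreturn compare(candidate, arguments.storedHash) EQ 0>
</cffunction>

<!--- Smoke test with the word from the thread --->
<cfset rec = makePasswordRecord("buskirk")>
<cfoutput>
buskirk matches: #passwordMatches("buskirk", rec.salt, rec.hash)#<br />
buskirj matches: #passwordMatches("buskirj", rec.salt, rec.hash)#<br />
hex ciphertext: #encryptForStorage("buskirk", generateSecretKey("AES"))#
</cfoutput>
```

Only the salt and hash columns are stored, and both are fixed-length hex strings, so the trimming question never arises. A single salted SHA-256 is what CF7 offers natively; where a slow, iterated password hash is available it is the better choice.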



