Bill, using your (supplied) code I got exactly the same results as you...

'<:FL4KX+) END
39-60-58-70-76-52-75-88-43-41-32-32-32-10-
'<:FL4KX+)0 END
39-60-58-70-76-52-75-88-43-41-48-32-32-10-
buskirk
buskirj


so are you saying that the only diff between the encrypted "k" and "j"
is the space which may get trimmed, changing the decrypted value?




On 15/02/06, Roland Collins <[EMAIL PROTECTED]> wrote:
>
>
>
> Well the example code runs as expected when I run it, so I guess I don't
> understand what the issue is…
>
>
>
> I thought the issue was that the failure occurs after you retrieve the
> password from the database.
>
>
>
>  ________________________________
>
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Bill Rawlinson
>  Sent: Tuesday, February 14, 2006 9:35 PM
>  To: CFCDev@cfczone.org
>  Subject: Re: [CFCDev] OT: coldfusion encrypt
>
>
>
> what I'm showing in the example isn't in a query file at all, just a test
> file to examine this behaviour.  btw: the value buskirk is just someone's
> last name and isn't a password.
>
>  Bill
>
>
>
> On 2/14/06, Roland Collins <[EMAIL PROTECTED]> wrote:
>
>
> Without seeing your queries, it's hard to guess what's going on.  Are you
> sure there's not a trim statement inside the queries that store the data
> either?
>
>
>
> Also, as an alternative, you might want to try hashing the password so that
> it is completely unrecoverable anyway.  Storing recoverable passwords in the
> database – even when they're encrypted – is a big no no in my world.  The
> method described here is much more secure:
> http://livedocs.macromedia.com/coldfusion/7/htmldocs/wwhelp/wwhimpl/common/html/wwhelp.htm?context=ColdFusion_Documentation&file=00000503.htm.
>
>
>
> Roland
>
>
>
>  ________________________________
>
>
> From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] On Behalf
> Of Bill Rawlinson
>  Sent: Tuesday, February 14, 2006 5:30 PM
>  To: CFCDev@cfczone.org
>  Subject: [CFCDev] OT: coldfusion encrypt
>
>
>
>
> I know this isn't specifically a CFC question and I should probably pose
> this to the CF-Talk message board - but please bear with me.
>
>  I am using ColdFusion Server Developer 7,0,1,116466 and am noticing
> extremely odd behaviour with encrypt and one word.. buskirk
>
>  <cfset testkey = "l9jfs9jk34r9dfjkd">
>
>  <cfoutput>
>      <cfset pwd = encrypt("buskirk",testkey) />
>  #pwd#END<br />
>
>  <cfloop from="1" to="#len(pwd)#" index="i">#ASC(mid(pwd,i,1))#-</cfloop>
>  <br />
>  <cfset pwd2 = encrypt("buskirj",testkey) />
>  #pwd2#END<br />
>  <cfloop from="1" to="#len(pwd2)#" index="a">#ASC(mid(pwd2,a,1))#-</cfloop>
>  <br />
>
>  #decrypt("'<:FL4KX+) ",testkey)#<br />
>  #decrypt("'<:FL4KX+)",testkey)#
>  </cfoutput>
>
>  If you run the above code you will notice that when I encrypt buskirk it
> displays as: '<:FL4KX+) END     the ' and the space are both part of the
> encrypted result.  The END was put there to make sure I could see the result
> clearly.
>  you will also see that buskirj is encrypted as '<:FL4KX+)0 END  - you will
> notice it too has the ' and the space.
>
>
>  However, in the decrypt statement see what happens with the second one - it
> has no 0 or space at the end.  It decrypts back as  buskirj
>
>  So, I then went back and put those loop statements in to examine the
> characters being generated by the encryption - and it turns out they are
> identical except for the fifth to last character.
>
>  I am storing this encrypted string in an Oracle database.  I encrypt
> buskirk and store it - then when I pull it out and decrypt it and compare it
> against buskirk it fails because CF thinks the decryption is buskirj  due to
> the fact that buskirj can be resolved from either:
>  '<:FL4KX+)0 END  OR
>  '<:FL4KX+)END
>  if you remove the END from both lines.
>
>  NOTE: I am not doing a trim at any time on the encrypted password.
>
>  what's going on?  What other words are going to cause me trouble?
>
>  I have tried different encryption keys and the problem occurs with some -
> but not others..
>
>  for instance the problem persists with the above key, and with
> [EMAIL PROTECTED]  But it doesn't with the key: fasjf9e3rjlaf
>  in fact with fasjf9e3rjlaf - i can trim the space off the end of the
> encrypted buskirk and it decrypts back to buskirk without a problem.
>
>
>  Is this a known problem? Am I just crazy? Unlucky that someone's name is
> Buskirk?
>
>  thanks for your time at considering this,
>
>  Bill
>  --
>  [EMAIL PROTECTED]
>  http://blog.rawlinson.us
>
>
>
>
> If you want Gmail - just ask.
> ----------------------------------------------------------
>  You are subscribed to cfcdev. To unsubscribe, send an email to
> cfcdev@cfczone.org with the words 'unsubscribe cfcdev' as the subject of the
> email.
>
>  CFCDev is run by CFCZone (www.cfczone.org) and supported by CFXHosting
> (www.cfxhosting.com).
>
>  An archive of the CFCDev list is available at
> www.mail-archive.com/cfcdev@cfczone.org
>
>
>
>
>
>  --
>  [EMAIL PROTECTED]
>  http://blog.rawlinson.us
>
>  If you want Gmail - just ask.
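
Added example, not code from anyone in this thread: the two ASCII-code dumps at the top of this message have the shape of a single uuencoded line (UU is the default string encoding of ColdFusion's Encrypt), and decoding them shows that the trailing spaces are ciphertext data rather than padding. The function names are illustrative, and the decoder is a strict one written for this example, so it says nothing about how ColdFusion's own decoder treats a shortened line.

```python
# Dumps copied from the output at the top of this message.
K_DUMP = "39-60-58-70-76-52-75-88-43-41-32-32-32-10-"   # encrypt("buskirk", testkey)
J_DUMP = "39-60-58-70-76-52-75-88-43-41-48-32-32-10-"   # encrypt("buskirj", testkey)


def dump_to_bytes(dump: str) -> bytes:
    """Turn the '39-60-...-' dump back into the raw encoded line."""
    return bytes(int(code) for code in dump.split("-") if code)


def uu_decode_line(line: bytes) -> bytes:
    """Decode one uuencoded line; reject a line shorter than its length character implies."""
    body = line.rstrip(b"\r\n")                 # drop the line ending only, keep spaces
    if not body:
        raise ValueError("empty line")
    n_bytes = (body[0] - 32) & 63               # first character carries the byte count
    n_chars = 4 * ((n_bytes + 2) // 3)          # every 3 bytes become 4 characters
    data = body[1:1 + n_chars]
    if len(data) < n_chars:
        raise ValueError(f"truncated: need {n_chars} data characters, got {len(data)}")
    out = bytearray()
    for i in range(0, n_chars, 4):
        a, b, c, d = ((ch - 32) & 63 for ch in data[i:i + 4])   # a space encodes the value 0
        out += bytes([(a << 2 | b >> 4) & 255, (b << 4 | c >> 2) & 255, (c << 6 | d) & 255])
    return bytes(out[:n_bytes])


def summary() -> dict:
    """Decode both dumps and compare UU with hex when whitespace is trimmed in storage."""
    k_line, j_line = dump_to_bytes(K_DUMP), dump_to_bytes(J_DUMP)
    k_ct, j_ct = uu_decode_line(k_line), uu_decode_line(j_line)
    try:
        uu_decode_line(k_line.strip())          # what a trimming layer would hand back
        trimmed_uu_decodes = True
    except ValueError:
        trimmed_uu_decodes = False
    hex_text = k_ct.hex().upper() + " \n"       # same ciphertext, hex-encoded, then padded
    return {
        "buskirk_ct": k_ct.hex(),
        "buskirj_ct": j_ct.hex(),
        "last_byte_xor": k_ct[-1] ^ j_ct[-1],   # equals ord("k") ^ ord("j")
        "trimmed_uu_decodes": trimmed_uu_decodes,
        "trimmed_hex_roundtrips": bytes.fromhex(hex_text.strip()) == k_ct,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The two ciphertexts differ only in the low bit of the last byte, and that bit lives in the character that follows `)`; an encoding whose alphabet contains no whitespace, such as hex, is unaffected by trimming.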
