Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
Steve

I wrote a custom tag called cf_cryp that I use in place of encrypt() and decrypt(). It builds on encrypt() and decrypt() by encoding all the characters produced by encrypt() with their ASCII values, shifts some bits to make it a little more unintelligible and adds a similarly encoded checksum to prevent someone from manipulating characters to change the value (helpful for url parameters, hidden form fields and cookies).

I also set up a test page with some more information on the drawbacks of encrypt()/decrypt() at http://www.iology.com/products/downloads/cryptest.cfm

You can download the code there too; it's free for all commercial purposes and open source.

Jackson Moore
[EMAIL PROTECTED]

On Fri, 29 Jun 2001 15:01:22 -0400, Steve Reich wrote:

>> Maybe it's just a weird browser thing. What do you see if you View
>> Source?
>
>No.. I checked that. It's very strange because there is no consistency to
>it. Some strings encrypt the same every time, others don't.
>
>If I run this in my browser
>
>kd@kfoe%kfps037")#">
>
>#encryptedPW #-#Len(encryptedPW)#
>
>and then hit refresh... it toggles between these two values...
>
>(78XD6IF#J5&(
>and
>(78XD6IF#J5'
>
>but it returns the Len of both strings as 14. Something with ASCII,
>either spaces or line feeds might be one of the chars that could be messing
>me up. In the database field (SQL7), visually you can see some box
>characters that represent an ASCII character that can't be displayed.
>Help!!
>
>Thanks,
>Steve

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
AFAIK it is a feature that Encrypt() does not always return the same value, but is always decryptable to the same value. I think I read it in the comment of an Allaire employee in the Allaire forums.

Anyhow, I believe one should not use the Encrypt() at all. Use Hash(), it is one way (nice for safety) and a public algorithm (MD5 is the name among cryptographers I believe), so it is even usable from other applications. Personally, I have zero faith in any cryptographic algorithm that is not open source.

Jochem

--
It isn't possible I lied in this message, it is probable.
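An added example, not part of the message above or of anyone's code in this thread: one-way password storage along the lines suggested there, written in Python with a per-user salt and PBKDF2-HMAC-SHA256 swapped in for a bare MD5 Hash(). The record is hex text, so no unprintable bytes reach the database column; the function names, record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor; raise it as hardware allows
MAX_ITERATIONS = 10_000_000   # refuse absurd values read back from storage


def make_record(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex' (printable ASCII only)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify(password, record):
    """Recompute the hash from the stored salt; never compare records as strings."""
    try:
        iters_text, salt_hex, hash_hex = record.split("$")
        iters = int(iters_text)
        if not 1 <= iters <= MAX_ITERATIONS:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    except (ValueError, AttributeError):
        return False  # truncated or mangled record
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


if __name__ == "__main__":
    first = make_record("s3cret-Pass")    # constructed sample password
    second = make_record("s3cret-Pass")
    print(first != second)                # salts differ, so the stored records differ
    print(verify("s3cret-Pass", first), verify("s3cret-Pass", second))
    print(verify("s3cret-Pass", first[:-2]))  # record that lost its last characters
```

Look the row up by username only and pass its stored record to verify() in application code, rather than matching the password in the WHERE clause.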
Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
Dick,

That did the trick! I was trying to compare two encrypted strings and I should have been comparing their decrypted values. Thanks for the help it was driving me nuts!

Steve
Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
> Maybe it's just a weird browser thing. What do you see if you View Source?

No.. I checked that. It's very strange because there is no consistency to it. Some strings encrypt the same every time, others don't.

If I run this in my browser

#encryptedPW #-#Len(encryptedPW)#

and then hit refresh... it toggles between these two values...

(78XD6IF#J5&(
and
(78XD6IF#J5'

but it returns the Len of both strings as 14. Something with ASCII, either spaces or line feeds might be one of the chars that could be messing me up. In the database field (SQL7), visually you can see some box characters that represent an ASCII character that can't be displayed. Help!!

Thanks,
Steve
Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
Steve

I encountered a similar problem... here is how I resolved it.

1) I defined the field in the db that holds the encrypted value as NVarChar(255). This is a unicode field. The 255 length takes care of encrypted passwords that are larger than the original.

2) I do *not* check the password in the SQL, rather in CF after it has been retrieved, e.g.:

. . .

HTH

Dick

At 1:57 PM -0400 6/29/01, Steve Reich wrote:
>I am having a problem with the encrypt/decrypt functions. Here is my code:
>
>*** This creates the user when they register...
>
>username="#application.dsn_username#" password="#application.dsn_password#">
>INSERT INTO users
>(fname,lname,email,username,password)
>VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')
>
>*** This validates a registered user
>
>username="#application.dsn_username#" password="#application.dsn_password#">
> SELECT userid
> FROM users
> WHERE username='#username#'
> AND password='#dbPassword#'
>
>The problem is that if I output the encrypted password on my page, I get...
>
>(6 W=SO*;E^JD
>
>The field in the DB says...
>
>(6 W=SO*;E^H
>
>Obviously, they don't match, so the user can't get in. I've tried using a
>variety of seed values, including various lengths. It seems that the last
>one or two chars always come out differently? My questions are, what is a
>good length for the seed value and should this be alphanumeric or will any
>ascii character work? Also, I'm not sure why I can encrypt the same value
>twice and not get the same value. I'm thinking my problem must be in the
>seed string length, but I'm not sure? Are there known issues with this? Why
>am I having this problem? Can someone shed some light?
>
>Thanks,
>Steve
RE: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
Maybe it's just a weird browser thing. What do you see if you View Source?

===
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia
Email : [EMAIL PROTECTED]
ICQ UIN : 3679482
"My ally is the Force, and a powerful ally it is." - Yoda

> -Original Message-
> From: Steve Reich [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 29, 2001 1:57 PM
> To: CF-Talk
> Subject: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
>
> I am having a problem with the encrypt/decrypt functions. Here is my code:
>
> *** This creates the user when they register...
>
> username="#application.dsn_username#"
> password="#application.dsn_password#">
>INSERT INTO users
>(fname,lname,email,username,password)
>VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')
>
> *** This validates a registered user
>
> username="#application.dsn_username#"
> password="#application.dsn_password#">
> SELECT userid
> FROM users
> WHERE username='#username#'
> AND password='#dbPassword#'
Re: Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
> Also, I'm not sure why I can encrypt the same value
> twice and not get the same value. I'm thinking my problem must be in the
> seed string length, but I'm not sure? Are there known issues with this? Why
> am I having this problem? Can someone shed some light?

After a little more trial and error, it appears that the first 12 characters are consistent. Anything after that can change, even if encrypting the same string with the same seed value. I guess I can do something like..

if password = Left(dbpassword, "12")

I would still appreciate a logical explanation of this if someone knows more about this.

Thanks,
Steve
Encrypt/Decrypt Functions [NOT cfencrypt/cfdecrypt]
I am having a problem with the encrypt/decrypt functions. Here is my code:

*** This creates the user when they register...

INSERT INTO users
(fname,lname,email,username,password)
VALUES('#fname#','#lname#','#email#','#username#','#dbPassword#')

*** This validates a registered user

SELECT userid
FROM users
WHERE username='#username#'
AND password='#dbPassword#'

The problem is that if I output the encrypted password on my page, I get...

(6 W=SO*;E^JD

The field in the DB says...

(6 W=SO*;E^H

Obviously, they don't match, so the user can't get in. I've tried using a variety of seed values, including various lengths. It seems that the last one or two chars always come out differently? My questions are, what is a good length for the seed value and should this be alphanumeric or will any ascii character work? Also, I'm not sure why I can encrypt the same value twice and not get the same value. I'm thinking my problem must be in the seed string length, but I'm not sure? Are there known issues with this? Why am I having this problem? Can someone shed some light?

Thanks,
Steve