August 25, 2007
Question

Decrypt() Problem

It seems that I've got a little problem when trying to decrypt a password that was encrypted when input into the system. Here is the error that I get:

There has been an error while trying to encrypt or decrypt your input string: Given final block not properly padded.

I'm not sure what this means. Here is the code I'm using to decrypt the information received from the query:

<cfset userPswd = "#Trim(FORM.Password)#">
<cfset dbPswd = "#Trim(qVerify.Employee_Password)#">
<cfset dPassword = Decrypt(dbPswd,APPLICATION.Key,"#APPLICATION.pKey1#","#APPLICATION.pKey2#")>
<cfset comparison = #Compare(userPswd, dbPswd)#>

Any help would be appreciated.

4 replies

August 27, 2007
G'day
I don't have the CFWACK to hand. I think we've got a copy in the office, I'll try to remember to look up that page tomorrow.

Do you KNOW that the pwds in the DB have used the same key, and same encryption and encoding schemes as that which you're trying to use to decrypt them? Because the error msg is telling you that you're not using the same key (I'm not sure if the error is the same with different encryption/encoding schemes; I only verified the key situation).

Have you written a test rig that does this:
1) takes form input of a pwd;
2) encrypts it;
3) stores it in your DB;
4) fetches it back again;
5) decrypts it;
and found this to fail? It's unclear from what you're saying as to whether that's what you're experimenting with.

What DB are you using? Is it perhaps padding the stored value with trailing spaces or something like that? If you do a compare() of the "pre database" encrypted string and the fetched-back-from-the-DB string, are they the same (compare() returning 0)?

That aside, you don't generally want to DECRYPT a password. You'd simply want to ENCRYPT the user-entered pwd (say from a login form) and compare it to the encrypted value in the DB (this is why quite often one-way "encryption" like hashing is used on pwds: they can "never" be decrypted). The only time you'd want to decrypt a password would be to present it in clear text which... you should never really want to do: it's a security concern.

Is the book suggesting you do this... decrypt the pwds? Bleah. Still: it's not a security book, I guess.

My comment about your code is this:
APPLICATION.pKey1. The value of the variable *isn't a key*. It's got nothing to do with *a key*. It's the name of an encryption scheme. Ditto pKey2 (which would hold the name of an encoding scheme). pKey is the only one that's *a key*. Your variable names are inaccurate and misleading. Whether it's test code or not, it should always be written sensibly.

--
Adam
DDewbre (Author)
August 27, 2007
Adam,
I'm just a little slow so give me a moment to review everything you've provided. However, I think that I'm starting to understand what you're saying and need to check my code against what you're saying.

D
August 27, 2007
From googling about the place, it seems like you're not using the same key
to decrypt that was used to encrypt in the first place.

This sample code demonstrates it:
<cfscript>
s = "Secret";
sKeyGood = generateSecretKey("AES");
sKeyBad = generateSecretKey("AES");

sEnc = encrypt(s, sKeyGood, "AES");
sDec = decrypt(sEnc, sKeyBad, "AES");
</cfscript>
<cfdump var="#variables#">

Looking at your code, what you're doing doesn't seem sensible:
<cfset dPassword = Decrypt(dbPswd,APPLICATION.Key,"#APPLICATION.pKey1#","#APPLICATION.pKey2#")>

The arguments for decrypt() are:
encrypted_string, key[, algorithm, encoding, IVorSalt, iterations]

So the latter two arguments you pass would not be KEYS, they'd be a string
holding an algorithm name, and a string holding an encoding scheme.

Either that, or you're using some very poor variable-naming standards there.

You also don't need the quotes or the pound-signs in that expression.
Although that has nothing to do with your problem, it does clutter up your
code unnecessarily / inappropriately.

--
Adam
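As an added illustration (not code from this thread, nor ColdFusion's own implementation), this Python models the two points Adam makes above: the padding check behind "Given final block not properly padded" when the decryption key is not the one used to encrypt, and verifying a login by re-hashing the form value instead of calling Decrypt(). The hash record format and the choice of PBKDF2 are my assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 8  # DES block size; the final block is padded up to this length

class BadPaddingError(ValueError):
    """Same wording ColdFusion surfaces from the Java crypto provider."""

def pkcs5_pad(data: bytes) -> bytes:
    """Append n bytes of value n so the length is a multiple of BLOCK."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs5_unpad(plain: bytes) -> bytes:
    """Strip PKCS#5 padding using the same check the provider applies.

    The last byte n must be 1..BLOCK and the last n bytes must all equal n.
    Decrypting under a key other than the one used to encrypt turns the
    final block into effectively random bytes, so this check fails and
    Decrypt() reports "Given final block not properly padded".
    """
    if not plain or len(plain) % BLOCK:
        raise BadPaddingError("Given final block not properly padded")
    n = plain[-1]
    if not 1 <= n <= BLOCK or plain[-n:] != bytes([n]) * n:
        raise BadPaddingError("Given final block not properly padded")
    return plain[:-n]

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way alternative to Encrypt(): store salt and PBKDF2 digest as hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + ":" + digest.hex()

def verify_password(stored: str, candidate: str) -> bool:
    """Re-hash the login-form value and compare; nothing is ever decrypted.

    strip() tolerates a CHAR column padding the stored value with trailing
    spaces, the database-side cause suggested in the thread.
    """
    salt_hex, digest_hex = stored.strip().split(":")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```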
DDewbre (Author)
August 27, 2007
Adam,
thanks for the response. I'm not sure what you mean about the code. Here's the troubleshooting I've done so far:

1. I've based my code on the example on page 1212 of the Macromedia ColdFusionMX7 Application Construction Kit book

2. I've tested the encrypt and decrypt code and it works just like it's supposed to on user input from the login form (e.g. I've encrypted the password passed from the form, displayed it, and also decrypted the same encrypted password from the form and it displayed the password correctly). The problem is that it won't decrypt the password from the DB.

Since this is just testing, here is the key generation code, which is what I think you are alluding to:

<cfset APPLICATION.pKey1 = "DES">
<cfset APPLICATION.pKey2 = "HEX">
<cfset APPLICATION.pKey = GenerateSecretKey("#APPLICATION.pKey1#")>
August 27, 2007
> Does anyone know a good number to get in touch with Adobe CF support so I can get this question answered?

According to the Adobe website, it's 800-642-3623

www.adobe.com > Support > Home > Contact Support > ColdFusion Enterprise >
Go.

Wasn't that hard to find.

--
Adam
DDewbre (Author)
August 27, 2007
Thanks.
DDewbre (Author)
August 27, 2007
Does anyone know a good number to get in touch with Adobe CF support so I can get this question answered?

D