farizanm84156226
Participant
March 15, 2021

Problem with encrypt and decrypt. Please help

Here is my code to encrypt and decrypt. When I change my key to decrypt ('Mykey1234') I can still decrypt the string I just encrypted. The key I used to encrypt is 'Mykey12345678'. Can anyone explain why this happens?
<cfoutput>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')> <br>
Decrypt : #decrypt(new_encrypt, 'Mykey1234', 'CFMX_COMPAT','Base64')#
</cfoutput>


    BKBK
    Community Expert
    March 18, 2021

    @farizanm84156226 , you should report a bug. It might help to include in your report a link to this forum thread.

    Brian__
    Participating Frequently
    September 14, 2023

    Bump to an old thread. 🙂  I've added a note to the Bug ID in Tracker too, but this is not a bug. This is how CFMX_COMPAT works (and why it's insecure). The key/seed used for encryption is only 32 bytes (4 characters) and is derived from the user-supplied key.  See https://www.synacktiv.com/en/publications/coldfusion-cfmx_compat-lolcryption.html and https://hoyahaxa.blogspot.com/2023/05/why-you-dont-want-to-use-cfmxcompat.html for more details.
    Using a stronger algorithm (such as AES-CBC + validating the integrity of the ciphertext with an HMAC prior to decryption) is a better way to go.
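As an added example (not code from the thread, from Adobe, or from any of the posters), here is the encrypt-then-MAC pattern Brian__ describes, written in CFML: AES-CBC with a fresh random IV per message, HMAC-SHA256 over IV and ciphertext, and a constant-time tag check that runs before decrypt() is ever called. It assumes only the standard ColdFusion built-ins generateSecretKey(), encrypt(), decrypt(), hmac(), binaryEncode()/binaryDecode() and the JVM's java.security.MessageDigest.isEqual(); the function names sealMessage/openMessage and the "iv.ciphertext.tag" token layout are this example's own choices.

```cfml
<cfscript>
// Added example (not code from the thread or from Adobe): encrypt-then-MAC with
// AES-CBC + HMAC-SHA256 using only standard ColdFusion built-ins. Function names and
// the "iv.ciphertext.tag" token layout are this example's own choices.

// Generate keys ONCE, store them in a secret store, and reuse them; never derive
// them from a short human-chosen string. Two independent keys: one for AES, one for
// the HMAC. generateSecretKey("AES", 128) returns 16 random bytes, Base64-encoded.
encKey = generateSecretKey("AES", 128);
macKey = generateSecretKey("AES", 128);   // used only as a random 128-bit HMAC key

function sealMessage(required string plain, required string encKey, required string macKey) {
    // Fresh 16-byte IV for every message: a CBC IV must never repeat under one key.
    var iv   = binaryDecode(generateSecretKey("AES", 128), "base64");
    var ct   = encrypt(arguments.plain, arguments.encKey, "AES/CBC/PKCS5Padding", "Base64", iv);
    var body = binaryEncode(iv, "base64") & "." & ct;
    // The tag covers IV and ciphertext, so neither can be altered undetected.
    var tag  = hmac(body, arguments.macKey, "HMACSHA256");   // hex string
    return body & "." & tag;
}

function openMessage(required string token, required string encKey, required string macKey) {
    var parts    = listToArray(arguments.token, ".");
    var body     = "";
    var expected = "";
    var md       = createObject("java", "java.security.MessageDigest");
    if (arrayLen(parts) != 3 || !reFind("^[0-9A-Fa-f]+$", parts[3])) {
        throw(type="Crypto.BadToken", message="Malformed token");
    }
    body     = parts[1] & "." & parts[2];
    expected = hmac(body, arguments.macKey, "HMACSHA256");
    // Constant-time compare, and verify BEFORE decrypt() sees the ciphertext so
    // padding errors from decryption can never serve as an oracle.
    if (!md.isEqual(binaryDecode(expected, "hex"), binaryDecode(parts[3], "hex"))) {
        throw(type="Crypto.BadTag", message="Authentication failed");
    }
    return decrypt(parts[2], arguments.encKey, "AES/CBC/PKCS5Padding", "Base64",
                   binaryDecode(parts[1], "base64"));
}

token = sealMessage("This string will be encrypted (you can replace it with more typing).", encKey, macKey);
writeOutput("Token: " & token & "<br>");
writeOutput("Decrypted: " & openMessage(token, encKey, macKey) & "<br>");

// Unlike CFMX_COMPAT, where a wrong key silently yields garbage (or, as this thread
// shows, the right plaintext), any change to IV or ciphertext is rejected outright.
parts    = listToArray(token, ".");
parts[2] = (left(parts[2], 1) == "A" ? "B" : "A") & mid(parts[2], 2, len(parts[2]) - 1);
try {
    openMessage(arrayToList(parts, "."), encKey, macKey);
} catch (Crypto.BadTag e) {
    writeOutput("Tampered ciphertext rejected: " & e.message & "<br>");
}
</cfscript>
```

The two keys are generated once and must be stored outside the code (the thread's advice at the bottom of the page says the same: store the generated key and reuse it for decryption). Decrypting with a different AES key than the one used to encrypt fails here, which is exactly the behaviour the original poster expected and did not get from CFMX_COMPAT.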

    James Moberg
    Inspiring
    March 15, 2021

    FYI: We used these UDFs (from 2005) after the internal cfusion_encrypt & cfusion_decrypt built-in functions were dropped in CF11.
    https://www.barneyb.com/barneyblog/2005/10/28/cfusion_encryptcfusion_decrypt-udfs/
    <!--- Port of the old cfusion_encrypt/cfusion_decrypt built-ins: a repeating-key XOR
          whose output is two hex digits per plaintext byte. This is obfuscation, not
          encryption in any modern sense. --->
    <cffunction name="fusion_encrypt" output="false" returntype="string">
    	<cfargument name="string" type="string" required="true">
    	<cfargument name="key" type="string" required="true">
    	<cfset var i = "">
    	<cfset var result = "">
    	<!--- Repeat the key until it is at least as long as the plaintext --->
    	<cfset key = repeatString(key, ceiling(len(string) / len(key)))>
    	<cfloop from="1" to="#len(string)#" index="i">
    		<!--- XOR each plaintext byte with the matching key byte, emit as two hex digits --->
    		<cfset result = result & rJustify(formatBaseN(binaryXOR(asc(mid(string, i, 1)), asc(mid(key, i, 1))), 16), 2)>
    	</cfloop>
    	<cfreturn replace(result, " ", "0", "all")>
    </cffunction>
    <cffunction name="fusion_decrypt" output="false" returntype="string">
    	<cfargument name="string" type="string" required="true">
    	<cfargument name="key" type="string" required="true">
    	<cfset var i = "">
    	<cfset var result = "">
    	<!--- Two hex digits per plaintext byte, so the key needs only half as many repeats --->
    	<cfset key = repeatString(key, ceiling(len(string) / 2 / len(key)))>
    	<cfloop from="2" to="#len(string)#" index="i" step="2">
    		<cfset result = result & chr(binaryXOR(inputBaseN(mid(string, i - 1, 2), 16), asc(mid(key, i / 2, 1))))>
    	</cfloop>
    	<cfreturn result>
    </cffunction>
    <cffunction name="binaryXOR" output="false" returntype="numeric">
    	<cfargument name="n1" type="numeric" required="true">
    	<cfargument name="n2" type="numeric" required="true">
    	<!--- Adding the two binary strings as decimal numbers produces a 2 wherever both
    	      bits are 1 (and no carries); replacing every 2 with 0 leaves the XOR. --->
    	<cfset n1 = formatBaseN(n1, 2)>
    	<cfset n2 = formatBaseN(n2, 2)>
    	<cfreturn inputBaseN(replace(n1 + n2, 2, 0, "all"), 2)>
    </cffunction>
    
    <cfset key = "test">
    <cfoutput>
    <table>
    <cfloop list="barney,is,damn cool!" index="i">
    	<tr>
    		<td>#i#</td>
    		<!--- cfusion_encrypt/cfusion_decrypt are the built-ins removed in CF11, so these
    		      two comparison columns only run on older servers; the UDF columns run anywhere --->
    		<td>#cfusion_encrypt(i, key)#</td>
    		<td>#fusion_encrypt(i, key)#</td>
    		<td>#cfusion_decrypt(cfusion_encrypt(i, key), key)#</td>
    		<td>#fusion_decrypt(fusion_encrypt(i, key), key)#</td>
    	</tr>
    </cfloop>
    </table>
    </cfoutput>
    I ran your different encrypt/decrypt keys through it and didn't encounter the same issue (where only the first 8 characters were all that was required to decrypt).

    John123
    Participating Frequently
    March 15, 2021

    CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.

    BKBK
    Community Expert
    March 18, 2021

    @John123 : CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.
    It's weirder than that, I'm afraid. In one of the tests, you could encrypt with the key

    z%key012xxx_xyz_abracadabra

    and successfully decrypt with

    z%koy012
    Participating Frequently
    March 18, 2021

    @BKBK : another good reason not to use CFMX_COMPAT.
    pete_freitag
    Participating Frequently
    March 15, 2021

    CFMX_COMPAT is not really a good choice of algorithm to begin with, if I recall correctly it is just an XOR cipher, so it doesn't provide a lot of assurance. Use something strong like AES instead. 
    I never realized that about the key, I imagine it is only using the first few bits of your key, so anything you add to the end of it doesn't matter - this is just another reason to avoid CFMX_COMPAT in my book. 
    Pete Freitag

    Foundeo Inc.
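James Moberg's fusion_encrypt/fusion_decrypt UDFs above and Pete Freitag's remark that CFMX_COMPAT is essentially an XOR cipher point at the same weakness, so here is an added example (not code from the thread or from any poster) in cfscript that re-implements the UDFs' repeating-key XOR with the built-in bitXor() and then breaks it: with a few bytes of known plaintext an attacker recovers the key and decrypts everything, and can also rewrite chosen bytes of the ciphertext with no way for the receiver to notice. The function names and the sample message are constructed for this example; 'test' is the key used in the UDF demo, and the key-recovery step assumes the attacker knows at least as many plaintext bytes as the key is long.

```cfml
<cfscript>
// Added example, not code from the thread. Same cipher as the fusion_encrypt/
// fusion_decrypt UDFs (byte-wise XOR with a repeating key, two hex digits per byte),
// written with the built-in bitXor(). Function names and sample data are constructed.

function xorHexEncrypt(required string plain, required string key) {
    var out = "";
    var i = 0;
    var k = 0;
    var c = 0;
    for (i = 1; i <= len(arguments.plain); i++) {
        k = asc(mid(arguments.key, ((i - 1) % len(arguments.key)) + 1, 1));
        c = bitXor(asc(mid(arguments.plain, i, 1)), k);
        out &= right("0" & formatBaseN(c, 16), 2);   // zero-padded hex byte
    }
    return out;
}

function xorHexDecrypt(required string cipherHex, required string key) {
    var out = "";
    var pos = 0;
    var k = 0;
    var c = 0;
    for (pos = 1; pos <= len(arguments.cipherHex) / 2; pos++) {
        c = inputBaseN(mid(arguments.cipherHex, 2 * pos - 1, 2), 16);
        k = asc(mid(arguments.key, ((pos - 1) % len(arguments.key)) + 1, 1));
        out &= chr(bitXor(c, k));
    }
    return out;
}

// Known-plaintext attack: key[j] = cipher[j] XOR plain[j]. Knowing keyLen plaintext
// bytes anywhere in the message is enough; here they are assumed at the start.
function recoverXorKey(required string cipherHex, required string knownPrefix, required numeric keyLen) {
    var key = "";
    var j = 0;
    var c = 0;
    for (j = 1; j <= arguments.keyLen; j++) {
        c = inputBaseN(mid(arguments.cipherHex, 2 * j - 1, 2), 16);
        key &= chr(bitXor(c, asc(mid(arguments.knownPrefix, j, 1))));
    }
    return key;
}

// Malleability: without the key, rewrite ciphertext bytes so a known substring
// decrypts to attacker-chosen text of the same length: c' = c XOR old XOR new.
function rewriteXorCipher(required string cipherHex, required numeric offset,
                          required string oldText, required string newText) {
    var hex = arguments.cipherHex;
    var j = 0;
    var b = 0;
    var c = 0;
    var head = "";
    var tail = "";
    for (j = 1; j <= len(arguments.oldText); j++) {
        b = arguments.offset + j - 1;                       // 1-based plaintext byte index
        c = inputBaseN(mid(hex, 2 * b - 1, 2), 16);
        c = bitXor(bitXor(c, asc(mid(arguments.oldText, j, 1))), asc(mid(arguments.newText, j, 1)));
        head = (b > 1) ? left(hex, 2 * b - 2) : "";
        tail = (2 * b < len(hex)) ? mid(hex, 2 * b + 1, len(hex) - 2 * b) : "";
        hex  = head & right("0" & formatBaseN(c, 16), 2) & tail;
    }
    return hex;
}

secretKey = "test";                                     // key from the UDF demo above
message   = "user=alice;role=user;expires=2099-12-31";  // constructed sample plaintext
ct = xorHexEncrypt(message, secretKey);
writeOutput("Ciphertext: " & ct & "<br>");

// The attacker knows only ct and that every message starts with "user=".
recovered = recoverXorKey(ct, "user=", 4);
writeOutput("Recovered key: " & recovered & "<br>");
writeOutput("Attacker decrypts: " & xorHexDecrypt(ct, recovered) & "<br>");

// Even without the key, "role=user" becomes "role=root" and nothing detects it.
// The attacker knows the layout (their own username, then the role field).
pos    = len("user=alice;role=") + 1;
forged = rewriteXorCipher(ct, pos, "user", "root");
writeOutput("Server decrypts forgery as: " & xorHexDecrypt(forged, secretKey) & "<br>");
</cfscript>
```

The second half is the part an HMAC fixes: a receiver that verifies a tag before decrypting rejects the forged ciphertext, whereas any plain XOR scheme (the UDFs, or the unauthenticated CFMX_COMPAT output discussed in this thread) accepts it and hands the application a modified plaintext.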

    farizanm84156226
    Participant
    March 15, 2021

    Can anybody help? Why can I still decrypt when I change my key?

    BKBK
    Community Expert
    March 15, 2021

    @farizanm84156226 , what you have discovered is indeed strange. As you can see, I have been able to reproduce the issue with random choices of encryptionKey/decryptionKey pairs.

    <cfoutput>
    <cfset encryptionKey1="z%KAY012_xyz_abracadabra">
    Encrypt1 : #encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')#
    <cfset new_encrypt1 = encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')> <br>
    
    <cfset decryptionKey1="z%KEY012">
    Decrypt1 : #decrypt(new_encrypt1, decryptionKey1, 'CFMX_COMPAT','Base64')#<br>
    EncryptionKey1 : #encryptionKey1# <br>
    DecryptionKey1 : #decryptionKey1# <br><br>
    
    <cfset encryptionKey2="z%key012xxx_xyz_abracadabra">
    Encrypt2 : #encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')#
    <cfset new_encrypt2 = encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')> <br>
    
    <cfset decryptionKey2="z%koy012">
    Decrypt2 : #decrypt(new_encrypt2, decryptionKey2, 'CFMX_COMPAT','Base64')#<br>
    EncryptionKey2 : #encryptionKey2# <br>
    DecryptionKey2 : #decryptionKey2# 
    </cfoutput>
    BKBK
    Community Expert
    March 15, 2021

    On the basis of this finding, my advice is as follows:

    • Don't manually generate an encryption key. Instead, use the function generateSecretKey (together with the AES algorithm, for example) to generate the key.
    • Store this key, then use it later for decryption.

    For example:

    <cfoutput>
    <cfset encryptionKey=generatesecretkey("AES")>
    Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')#
    <cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')> <br>
    
    <cfset decryptionKey=encryptionKey><!--- Stored key used for decryption --->
    Decrypt : #decrypt(new_encrypt, decryptionKey, 'CFMX_COMPAT','Base64')#<br>
    EncryptionKey : #encryptionKey# <br>
    DecryptionKey : #decryptionKey# 
    </cfoutput>
    Community Expert
    March 15, 2021

    Moved to Coldfusion forum and also merged the duplicate posts

    -Manan


    John T Smith
    Community Expert
    March 15, 2021

    Please post the exact name of the Adobe program you use so a Moderator may move this message to that forum

    farizanm84156226
    Participant
    March 15, 2021

    I'm using ColdFusion to develop this.