
AES Encryption - Encrypted value lengths

Participant, Mar 18, 2008
Hi all -

I am attempting to use CF 8's AES encryption feature, and have not found a critical piece of info in the docs to enable me to progress.

I am using the function to encrypt a password that can be from 6 to 16 characters long, which will be stored in a database. I am using generateSecretKey("AES"), and that gives me a 24 character key that I'm storing for future decryption use. I find that when I use the key to encrypt a 6 character password the resulting encrypted string is 32 characters long, but when I encrypt a 16 character password I get a 64 character encrypted string. This is the case whether I specify "HEX" or "UU" as the encoding.

Without knowing how the length of the resulting encoded string is determined, I cannot know how large to make my database column. (MySQL's AES encryption gives the formula 16 × (trunc(string_length / 16) + 1) to arrive at the resulting string's length, but that formula doesn't yield the results I'm seeing in CFMX). Can anyone point me to a doc, or explain to me how to determine the column length for storing the resulting encrypted value?


Valorous Hero, Mar 19, 2008
Since AES is a block cipher, the input string is padded to be a multiple of the block size (16). So using the same settings, the size of each encrypted block will always be the same. If 16 characters is the maximum, and your current settings produce a 64 character string, then I believe that should be the maximum size.

I think the difference is due to the string encoding. If the encoding is "hex", which uses pairs of characters, I imagine the size would be doubled.

32 * ( trunc(string_length / 16) + 1 )

I do not know what the rules are for uuencode, but I do not think it should produce the same size string as "hex".
Participant, Mar 19, 2008
Thanks for your response. That makes sense. I wasn't sure if the values within the encrypted string or the key would make a difference in the resulting encrypted value - for instance, if encrypting 999 would yield a longer encrypted string than 111 would.

I've made my database table column 64 characters and I think I'll be safe...nevertheless...it would be great to have something documented so that I won't have to worry (as much) about things changing in the next version of CF.
Valorous Hero, Mar 19, 2008
No. Only things like key, encoding and string size should matter. If the encoding is "hex", 1-15 characters should produce size 32, 16-31 characters should produce 64, etcetera. Unless space is at a premium, you could always increase the field size if that makes you feel more comfortable.

Well, the results are dictated by the AES standard and basic string encoding rules, not CF. I highly doubt either one is going to change any time soon 😉 I agree documentation is good. However, unlike aes_encrypt, the encrypt function supports many different algorithms, most of which have a distinct set of rules. So it would probably be difficult to provide accurate information about all of them, especially as the specifications for each one alone probably span volumes ;-)
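The sizing rule from the replies above, as an added Python example (not code from the thread or from ColdFusion): pad to the 16-byte AES block, then apply the text encoding. It goes slightly beyond the thread by covering Base64 and multi-byte characters, and it assumes a padded block mode with no IV stored alongside the ciphertext and UTF-8 input; all function names are hypothetical.

```python
import base64
import binascii

BLOCK = 16  # AES block size in bytes; it does not depend on the key length


def pkcs7_pad(data: bytes) -> bytes:
    """Pad to a multiple of BLOCK. Input that is already aligned still
    gains one full block, which is why 16 bytes jump to 32."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ciphertext_len(plaintext: str, charset: str = "utf-8") -> int:
    """Raw ciphertext size in bytes (assumption: UTF-8 input, no IV stored).
    A block cipher is length-preserving on the padded input."""
    return len(pkcs7_pad(plaintext.encode(charset)))


def encoded_len(plaintext: str, encoding: str) -> int:
    """Characters needed to store the ciphertext as text."""
    raw = bytes(ciphertext_len(plaintext))  # stand-in bytes of the right length
    if encoding == "hex":
        return len(binascii.hexlify(raw))   # 2 characters per byte
    if encoding == "base64":
        return len(base64.b64encode(raw))   # 4 characters per 3 bytes, padded
    raise ValueError(f"unsupported encoding: {encoding}")


def column_width(max_chars: int, encoding: str, max_bytes_per_char: int = 1) -> int:
    """Worst-case column width for a field of max_chars characters.
    Use max_bytes_per_char=4 if any UTF-8 character may be entered."""
    worst = "x" * (max_chars * max_bytes_per_char)
    return encoded_len(worst, encoding)


if __name__ == "__main__":
    for n in (6, 15, 16, 31, 32):  # constructed sample lengths
        pw = "a" * n
        print(n, ciphertext_len(pw), encoded_len(pw, "hex"), encoded_len(pw, "base64"))
    print("16 ASCII chars, hex:", column_width(16, "hex"))
    print("16 chars of any UTF-8, hex:", column_width(16, "hex", 4))
```

The character count only equals the byte count for ASCII input, so a 16-character limit enforced on characters does not by itself guarantee a 64-character hex result.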