AES url encrypt / decrypt failing after ColdFusion (2016 release) Update 10

New Here, Apr 16, 2019

Following ColdFusion (2016 release) Update 10, the encryption/decryption of URL parameters we have used for the past 3 years is no longer working.

We tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.

Current encryption process, which was deployed 2 or 3 years ago:

  1. Created AES secret key using ColdFusion inbuilt function (generateSecretKey("AES"))
  2. Encrypted the entire URL parameters with the AES secret key. (AES encryption)
  3. Concatenated secret key and AES encrypted URL.
  4. Encrypted the concatenated data again with “CFMX_COMPAT” algorithm using a defined password. (Second level of encryption).
  5. Sent this data as URL string to the requested page.
  6. On the requested page, we decrypt the data again in the reverse order.
  7. Created URL parameters needed for that page from the decrypted data.

When we got the issue on Update 10, we investigated whether it was because of “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.

Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.

Could the issue be related to a cache limit, the number of URL variables created, or something related to the URL scope?

We have had to remove encryption of URLs on a number of pages to meet important business deadlines. This was only possible because the URL parameters are of a non-sensitive nature and would not present a security issue if tampered with. However, we have many other pages where this approach would not be possible, as it would allow access to data from other users.

Any help in resolving the above would be much appreciated.

TOPICS: Security

Views: 1.5K
Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.
Participant, Apr 16, 2019

Hi,

Can you share your code that does the encryption and the decryption?

Does the string you finally pass into the url contain "funny" characters that might be destroyed somehow (by wrong/repeated url encoding)?

Community Expert, Apr 22, 2019

I think there is a flaw in the above algorithm. Namely the assumption that you can always pass encrypted characters, unchanged, through URL.

There is a second point. You're using AES anyway and CFMX_COMPAT is less secure than AES. So I don't understand why you use CFMX_COMPAT at all.

Your algorithm would be more efficient if it used the following steps instead:

  1. Create AES secret key using ColdFusion inbuilt function (generateSecretKey("AES"))
  2. Concatenate message as a string comprising secret key and URL
  3. Encrypt the message with the AES secret key. (AES encryption)
  4. Transform the message into a URL-encoded string, for example using urlEncodedEncryptedMessage=urlEncodedFormat(encryptedMessage,"utf-8")
  5. Send this data as URL string to the requested page.
  6. On the requested page, URL-decode then decrypt the data (AES decryption)

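The following is an added example (not code from this thread or from Adobe) that implements the six steps above and also answers the earlier question about "funny" characters being destroyed by repeated URL encoding. It goes beyond the steps in three places, from a defensive standpoint: the AES key is never placed in the URL (both pages are assumed to read it from a shared server-side store such as the Application scope; here a local struct stands in so the file runs on its own), the ciphertext carries an HMAC so that a modified token is rejected before decrypt() is ever called (the tampering concern in the original post), and the token is URL-encoded exactly once. The function names, the `keys` struct and the `report.cfm` page are assumptions for the example.

```cfml
<cfscript>
// Assumption: in production these two secrets are generated once and kept in
// Application scope so that the sending and receiving pages share them.
// Generating them per request, as here, is only so the example is self-contained.
keys = {
    enc = generateSecretKey("AES"),   // 128-bit AES key, Base64 encoded
    mac = generateSecretKey("AES")    // separate random secret used only for the HMAC
};

// Constant-time string comparison for the tag check (no built-in in ColdFusion 2016).
boolean function constantTimeEquals(required string a, required string b) {
    if (len(arguments.a) != len(arguments.b)) return false;
    var diff = 0;
    for (var i = 1; i <= len(arguments.a); i++) {
        diff = bitOr(diff, bitXor(asc(mid(arguments.a, i, 1)), asc(mid(arguments.b, i, 1))));
    }
    return diff == 0;
}

// Sending page: struct of URL parameters -> one URL-safe token.
string function buildUrlToken(required struct params, required struct keys) {
    var plain = serializeJSON(arguments.params);
    // 16 random bytes for the IV: a fresh 128-bit AES key decoded to binary is a
    // convenient source of 16 random bytes.
    var iv = toBinary(generateSecretKey("AES"));
    // Algorithm, mode and encoding are stated explicitly: encrypt() would otherwise
    // default to CFMX_COMPAT with UU encoding, and plain "AES" means ECB mode.
    var cipher = encrypt(plain, arguments.keys.enc, "AES/CBC/PKCS5Padding", "Base64", iv);
    var ivText = binaryEncode(iv, "Base64");
    // Tag covers everything the receiver will later hand to decrypt().
    var tag = hmac(ivText & "." & cipher, arguments.keys.mac, "HMACSHA256");
    // Base64 contains '+', '/' and '=', which URLs and form decoding mangle; '.' is in
    // neither Base64 nor hex, so it is a safe separator. Encode once, here, and nowhere else.
    return urlEncodedFormat(ivText & "." & cipher & "." & tag, "utf-8");
}

// Receiving page: token from the url scope -> struct of parameters.
// ColdFusion has already URL-decoded the value in url.t, so it must NOT be passed
// through urlDecode() a second time: that would turn every '+' in the Base64 into a
// space, which is exactly the "repeated URL encoding" damage asked about above.
struct function readUrlToken(required string token, required struct keys) {
    if (listLen(arguments.token, ".") != 3) {
        throw(type="UrlToken", message="Malformed token");
    }
    var ivText = listGetAt(arguments.token, 1, ".");
    var cipher = listGetAt(arguments.token, 2, ".");
    var tag    = listGetAt(arguments.token, 3, ".");
    var expected = hmac(ivText & "." & cipher, arguments.keys.mac, "HMACSHA256");
    if (!constantTimeEquals(tag, expected)) {
        throw(type="UrlToken", message="Token rejected: integrity check failed");
    }
    var iv = binaryDecode(ivText, "Base64");
    var plain = decrypt(cipher, arguments.keys.enc, "AES/CBC/PKCS5Padding", "Base64", iv);
    return deserializeJSON(plain);
}

// Demo with constructed sample parameters, both halves in one request. In real use
// the link is followed to report.cfm, and that page calls readUrlToken(url.t, keys).
sample = { userId = 42, report = "q1-2019" };
token  = buildUrlToken(sample, keys);
link   = "report.cfm?t=" & token;

// urlDecode() here only simulates what ColdFusion does to url.t on the receiving page.
received  = urlDecode(token, "utf-8");
roundTrip = readUrlToken(received, keys);

// Flip the last hex digit of the tag: the token must be rejected, not decrypted.
tampered = left(received, len(received) - 1) & (right(received, 1) == "0" ? "1" : "0");
try {
    readUrlToken(tampered, keys);
    tamperResult = "tampered token accepted (must not happen)";
} catch (UrlToken e) {
    tamperResult = "tampered token rejected: " & e.message;
}
</cfscript>
<cfoutput>
<p>link: #link#</p>
<p>userId after round trip: #roundTrip.userId#, report: #roundTrip.report#</p>
<p>#tamperResult#</p>
</cfoutput>
```

The HMAC is checked before decryption so that malformed or altered ciphertext never reaches decrypt(), and CBC with a per-token IV avoids the pattern leakage of ECB, which is what the plain "AES" algorithm name selects in ColdFusion.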
Community Expert, Apr 22, 2019

Test code:

    <!--- algorithm and encoding are stated explicitly: encrypt() otherwise defaults to CFMX_COMPAT with UU encoding rather than AES --->
    <cfset key=generateSecretKey("AES")>
    <cfset link="https://forums.adobe.com/thread/2614394">
    <cfset message=key & link>
    <cfset encryptedMessage=encrypt(message,key,"AES","Base64")>
    <cfset urlEncodedEncryptedMessage=urlEncodedFormat(encryptedMessage,"utf-8")>
    <cfset urlDecodedEncryptedMessage=urlDecode(urlEncodedEncryptedMessage,"utf-8")>

    <cfoutput>
        <p>key: #key#<br></p>
        <p>message: #message#<br></p>
        <p>encryptedMessage: #encryptedMessage#<br></p>
        <p>urlEncodedEncryptedMessage: #urlEncodedEncryptedMessage#<br></p>
        <p>urlDecodedEncryptedMessage: #urlDecodedEncryptedMessage#<br></p>
        <p>decryptedMessage: #decrypt(urlDecodedEncryptedMessage,key,"AES","Base64")#</p>
    </cfoutput>
