• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

Problem with encrypt and decrypt. Please help

New Here ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

Here is my code to encrypt and decrypt. When i change my key to decrpt ( 'Mykey1234') i stil can decrypt the string i just encrypted. The key i used to encrypt i 'Mykey12345678'. Any one can explain why this happen?

 

<cfoutput>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')> <br>
Decrypt : #decrypt(new_encrypt, 'Mykey1234', 'CFMX_COMPAT','Base64')#
</cfoutput>

Views

775

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

Here is my code to encrypt and decrypt. When i change my key to decrpt ( 'Mykey1234') i stil can decrypt the string i just encrypted. The key i used to encrypt i 'Mykey12345678'. Any one can explain why this happen?

 

<cfoutput>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')> <br>
Decrypt : #decrypt(new_encrypt, 'Mykey1234', 'CFMX_COMPAT','Base64')#
</cfoutput>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

Please post the exact name of the Adobe program you use so a Moderator may move this message to that forum

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

i'm using coldfusion to develope this.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

Moved to Coldfusion forum and also merged the duplicate posts

-Manan

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Mar 14, 2021 Mar 14, 2021

Copy link to clipboard

Copied

anybody can help? why i change mykey and i still can decrypt? 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

@farizanm84156226 , what you have discovered is indeed strange. As you can see, I have been able to reproduce the issue with random choices of encryptionKey/decryptionKey pairs.

<cfoutput>
<cfset encryptionKey1="z%KAY012_xyz_abracadabra">
Encrypt1 : #encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt1 = encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')> <br>

<cfset decryptionKey1="z%KEY012">
Decrypt2 : #decrypt(new_encrypt1, decryptionKey1, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey1 : #encryptionKey1# <br>
DecryptionKey1 : #decryptionKey1# <br><br>

<cfset encryptionKey2="z%key012xxx_xyz_abracadabra">
Encrypt2 : #encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt2 = encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')> <br>

<cfset decryptionKey2="z%koy012">
Decrypt2 : #decrypt(new_encrypt2, decryptionKey2, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey2 : #encryptionKey2# <br>
DecryptionKey2 : #decryptionKey2# 
</cfoutput>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

On the basis of this finding, my advice is as follows:

  • Don't manually generate an encryption key. Instead, use the function generateSecretKey (together with the AES algorithm, for example) to generate the key.
  • Store this key, then use it later for decryption.

For example:

<cfoutput>
<cfset encryptionKey=generatesecretkey("AES")>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')> <br>

<cfset decryptionKey=encryptionKey><!--- Stored key used for decryption --->
Decrypt : #decrypt(new_encrypt, decryptionKey, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey : #encryptionKey# <br>
DecryptionKey : #decryptionKey# 
</cfoutput>

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

I am on ColdFusion 2021. What is your ColdFusion version and Update level?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

CFMX_COMPAT is not really a good choice of algorithm to begin with, if I recall correctly it is just an XOR cipher, so it doesn't provide a lot of assurance. Use something strong like AES instead. 

 

I never realized that about the key, I imagine it is only using the first few bits of your key, so anything you add to the end of it doesn't matter - this is just another reason to avoid CFMX_COMPAT in my book. 

 

Pete Freitag

Foundeo Inc.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 18, 2021 Mar 18, 2021

Copy link to clipboard

Copied

@John123 : CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.

 

It's weirder than that I'm afraid. In one of the tests, you could encrypt with the key

z%key012xxx_xyz_abracadabra

and successfully decrypt with

z%koy012

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Participant ,
Mar 18, 2021 Mar 18, 2021

Copy link to clipboard

Copied

@BKBK : another good reason not to use CFMX_COMPAT.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Enthusiast ,
Mar 15, 2021 Mar 15, 2021

Copy link to clipboard

Copied

FYI: We used these UDFs (from 2005) after the internal cfusion_encrypt & cfusion_decrypt built-in functions were dropped in CF11.
https://www.barneyb.com/barneyblog/2005/10/28/cfusion_encryptcfusion_decrypt-udfs/

 

<cffunction name="fusion_encrypt" output="false" returntype="string">
	<cfargument name="string" type="string" required="true">
	<cfargument name="key" type="string" required="true">
	<cfset var i = "">
	<cfset var result = "">
	<cfset key = repeatString(key, ceiling(len(string) len(key)))>
	<cfloop from="1" to="#len(string)#" index="i">
	 	 	<cfset result = result & rJustify(formatBaseN(binaryXOR(asc(mid(string, i, 1)), asc(mid(key, i, 1))), 16), 2)>
	</cfloop>
	<cfreturn replace(result, " ", "0", "all")>
</cffunction>
<cffunction name="fusion_decrypt" output="false" returntype="string">
	<cfargument name="string" type="string" required="true">
	<cfargument name="key" type="string" required="true">
	<cfset var i = "">
	<cfset var result = "">
	<cfset key = repeatString(key, ceiling(len(string) 2 len(key)))>
	<cfloop from="2" to="#len(string)#" index="i" step="2">
	 	 	<cfset result = result & chr(binaryXOR(inputBaseN(mid(string, i - 1, 2), 16), asc(mid(key, i 2, 1))))>
	</cfloop>
	<cfreturn result>
</cffunction>
<cffunction name="binaryXOR" output="false" returntype="numeric">
	<cfargument name="n1" type="numeric" required="true">
	<cfargument name="n2" type="numeric" required="true">
	<cfset n1 = formatBaseN(n1, 2)>
	<cfset n2 = formatBaseN(n2, 2)>
	<cfreturn inputBaseN(replace(n1 + n2, 2, 0, "all"), 2)>
</cffunction>

<cfset key = "test">
<cfoutput>
<table>
<cfloop list="barney,is,damn cool!" index="i">
	<tr>
		<td>#i#</td>
		<td>#cfusion_encrypt(i, key)#</td>
		<td>#fusion_encrypt(i, key)#</td>
		<td>#cfusion_decrypt(cfusion_encrypt(i, key), key)#</td>
		<td>#fusion_decrypt(fusion_encrypt(i, key), key)#</td>
	</tr>
</cfloop>
</table>
</cfoutput>

 

I ran your different encrypt/decrypt keys through it and didn't encounter the same issue (where only the first 8 characters were all that was required to decrypt.)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 18, 2021 Mar 18, 2021

Copy link to clipboard

Copied

@farizanm84156226 , you should report a bug. It might help to include in your report a link to this forum thread.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Mar 21, 2021 Mar 21, 2021

Copy link to clipboard

Copied

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Explorer ,
Sep 13, 2023 Sep 13, 2023

Copy link to clipboard

Copied

LATEST

Bump to an old thread. 🙂  I've added a note to the Bug ID in Tracker too, but this is not a bug. This is how CFMX_COMPAT works (and why it's insecure). The key/seed used for encryption is only 32 bytes (4 characters) and is derived from the user-supplied key.  See https://www.synacktiv.com/en/publications/coldfusion-cfmx_compat-lolcryption.html and https://hoyahaxa.blogspot.com/2023/05/why-you-dont-want-to-use-cfmxcompat.html for more details.

 

Using a stronger algorithm (such as AES-CBC + validating the integrity of the ciphertext with an HMAC prior to decryption) is a better way to go.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation