Here is my code to encrypt and decrypt. When I change my key to decrypt ('Mykey1234') I can still decrypt the string I just encrypted. The key I used to encrypt is 'Mykey12345678'. Can anyone explain why this happens?
<cfoutput>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', 'Mykey12345678', 'CFMX_COMPAT','Base64')> <br>
Decrypt : #decrypt(new_encrypt, 'Mykey1234', 'CFMX_COMPAT','Base64')#
</cfoutput>
Please post the exact name of the Adobe program you use so a Moderator may move this message to that forum
I'm using ColdFusion to develop this.
Moved to Coldfusion forum and also merged the duplicate posts
-Manan
Can anybody help? Why, when I change my key, can I still decrypt?
@farizanm84156226 , what you have discovered is indeed strange. As you can see, I have been able to reproduce the issue with random choices of encryptionKey/decryptionKey pairs.
<cfoutput>
<cfset encryptionKey1="z%KAY012_xyz_abracadabra">
Encrypt1 : #encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt1 = encrypt('This string 1 will be encrypted (you can replace it with more typing).', encryptionKey1, 'CFMX_COMPAT','Base64')> <br>
<cfset decryptionKey1="z%KEY012">
Decrypt1 : #decrypt(new_encrypt1, decryptionKey1, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey1 : #encryptionKey1# <br>
DecryptionKey1 : #decryptionKey1# <br><br>
<cfset encryptionKey2="z%key012xxx_xyz_abracadabra">
Encrypt2 : #encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt2 = encrypt('This string 2 will be encrypted (you can replace it with more typing).', encryptionKey2, 'CFMX_COMPAT','Base64')> <br>
<cfset decryptionKey2="z%koy012">
Decrypt2 : #decrypt(new_encrypt2, decryptionKey2, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey2 : #encryptionKey2# <br>
DecryptionKey2 : #decryptionKey2#
</cfoutput>
On the basis of this finding, my advice is as follows:
For example:
<cfoutput>
<cfset encryptionKey=generatesecretkey("AES")>
Encrypt : #encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')#
<cfset new_encrypt = encrypt('This string will be encrypted (you can replace it with more typing).', encryptionKey, 'CFMX_COMPAT','Base64')> <br>
<cfset decryptionKey=encryptionKey><!--- Stored key used for decryption --->
Decrypt : #decrypt(new_encrypt, decryptionKey, 'CFMX_COMPAT','Base64')#<br>
EncryptionKey : #encryptionKey# <br>
DecryptionKey : #decryptionKey#
</cfoutput>
I am on ColdFusion 2021. What is your ColdFusion version and Update level?
CFMX_COMPAT is not really a good choice of algorithm to begin with, if I recall correctly it is just an XOR cipher, so it doesn't provide a lot of assurance. Use something strong like AES instead.
I never realized that about the key, I imagine it is only using the first few bits of your key, so anything you add to the end of it doesn't matter - this is just another reason to avoid CFMX_COMPAT in my book.
Pete Freitag
CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.
@John123 : CFMX_COMPAT uses a 32 bit key so the key will always be truncated to the first 8 characters.
It's weirder than that I'm afraid. In one of the tests, you could encrypt with the key
z%key012xxx_xyz_abracadabra
and successfully decrypt with
z%koy012
FYI: We used these UDFs (from 2005) after the internal cfusion_encrypt & cfusion_decrypt built-in functions were dropped in CF11.
https://www.barneyb.com/barneyblog/2005/10/28/cfusion_encryptcfusion_decrypt-udfs/
<cffunction name="fusion_encrypt" output="false" returntype="string">
<cfargument name="string" type="string" required="true">
<cfargument name="key" type="string" required="true">
<cfset var i = "">
<cfset var result = "">
<!--- Repeat the key until it is at least as long as the plaintext --->
<cfset key = repeatString(key, ceiling(len(string) / len(key)))>
<!--- XOR each character with the key character at the same position and emit it as two hex digits --->
<cfloop from="1" to="#len(string)#" index="i">
<cfset result = result & rJustify(formatBaseN(binaryXOR(asc(mid(string, i, 1)), asc(mid(key, i, 1))), 16), 2)>
</cfloop>
<!--- rJustify pads a single hex digit with a space; turn that into a leading zero --->
<cfreturn replace(result, " ", "0", "all")>
</cffunction>
<cffunction name="fusion_decrypt" output="false" returntype="string">
<cfargument name="string" type="string" required="true">
<cfargument name="key" type="string" required="true">
<cfset var i = "">
<cfset var result = "">
<!--- The hex string holds two digits per plaintext character, so the key only needs half its length --->
<cfset key = repeatString(key, ceiling(len(string) / 2 / len(key)))>
<cfloop from="2" to="#len(string)#" index="i" step="2">
<!--- Hex pair at positions i-1..i is plaintext character i/2 XOR key character i/2 --->
<cfset result = result & chr(binaryXOR(inputBaseN(mid(string, i - 1, 2), 16), asc(mid(key, i / 2, 1))))>
</cfloop>
<cfreturn result>
</cffunction>
<cffunction name="binaryXOR" output="false" returntype="numeric">
<cfargument name="n1" type="numeric" required="true">
<cfargument name="n2" type="numeric" required="true">
<!--- The two binary strings are added as decimal numbers: every digit is 0 or 1, so digit sums are 0, 1 or 2 and never carry. Replacing each 2 with 0 leaves exactly the bitwise XOR. --->
<cfset n1 = formatBaseN(n1, 2)>
<cfset n2 = formatBaseN(n2, 2)>
<cfreturn inputBaseN(replace(n1 + n2, 2, 0, "all"), 2)>
</cffunction>
<!--- Comparison harness from the original 2005 post: cfusion_encrypt/cfusion_decrypt are the undocumented built-ins the UDFs replace. They no longer exist from CF11 on, so those two columns must be dropped there. --->
<cfset key = "test">
<cfoutput>
<table>
<cfloop list="barney,is,damn cool!" index="i">
<tr>
<td>#i#</td>
<td>#cfusion_encrypt(i, key)#</td>
<td>#fusion_encrypt(i, key)#</td>
<td>#cfusion_decrypt(cfusion_encrypt(i, key), key)#</td>
<td>#fusion_decrypt(fusion_encrypt(i, key), key)#</td>
</tr>
</cfloop>
</table>
</cfoutput>
I ran your different encrypt/decrypt keys through it and didn't encounter the same issue (where only the first 8 characters were all that was required to decrypt).
@farizanm84156226 , you should report a bug. It might help to include in your report a link to this forum thread.
Hi @farizanm84156226 , I have reported a bug.
Bump to an old thread. 🙂 I've added a note to the Bug ID in Tracker too, but this is not a bug. This is how CFMX_COMPAT works (and why it's insecure). The key/seed used for encryption is only 32 bytes (4 characters) and is derived from the user-supplied key. See https://www.synacktiv.com/en/publications/coldfusion-cfmx_compat-lolcryption.html and https://hoyahaxa.blogspot.com/2023/05/why-you-dont-want-to-use-cfmxcompat.html for more details.
Using a stronger algorithm (such as AES-CBC + validating the integrity of the ciphertext with an HMAC prior to decryption) is a better way to go.
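Added example, not code from the thread or from any of the posters: a Python port of the XOR loop in the fusion_encrypt/fusion_decrypt UDFs posted above, followed by the two attacks that show concretely why an XOR cipher of this kind gives no assurance (a few characters of known plaintext yield the whole key, and ciphertext bytes can be rewritten without any key), and then the encrypt-then-MAC pattern the last reply recommends, with the HMAC verified before anything is decrypted. The key 'Mykey1234' is the one from the thread; the JSON session string, the MAC key and the offsets are constructed sample data. The XOR cipher stands in for AES-CBC here only so the file runs stand-alone; a MAC adds integrity, it does not make XOR confidential.

```python
import hashlib
import hmac


def fusion_encrypt(plaintext: str, key: str) -> str:
    """Port of the fusion_encrypt UDF: XOR each character with the key character
    at the same position (key repeated), two lowercase hex digits per byte.
    Latin-1 keeps one character = one byte, as the UDF assumes."""
    pt = plaintext.encode("latin-1")
    kb = key.encode("latin-1")
    return "".join(f"{p ^ kb[i % len(kb)]:02x}" for i, p in enumerate(pt))


def fusion_decrypt(ct_hex: str, key: str) -> str:
    """Port of the fusion_decrypt UDF: undo the XOR hex pair by hex pair."""
    ct = bytes.fromhex(ct_hex)
    kb = key.encode("latin-1")
    return bytes(c ^ kb[i % len(kb)] for i, c in enumerate(ct)).decode("latin-1")


def recover_key(ct_hex: str, known_prefix: str, key_len: int) -> str:
    """Known-plaintext attack. Anyone who can guess the first key_len plaintext
    characters (a JSON header, a fixed field name, ...) gets the whole key by
    XORing them into the ciphertext. No brute force, and every other message
    encrypted under that key then decrypts too."""
    ct = bytes.fromhex(ct_hex)[:key_len]
    kp = known_prefix.encode("latin-1")[:key_len]
    if len(ct) < key_len or len(kp) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ct, kp)).decode("latin-1")


def tamper(ct_hex: str, offset: int, old: str, new: str) -> str:
    """Malleability attack. Without knowing the key, rewrite the plaintext bytes
    at offset from old to new: XORing (old ^ new) into the ciphertext changes
    exactly those bytes after decryption. This is what a MAC is there to stop."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    ct = bytearray.fromhex(ct_hex)
    for i, (o, n) in enumerate(zip(old.encode("latin-1"), new.encode("latin-1"))):
        ct[offset + i] ^= o ^ n
    return ct.hex()


def seal(plaintext: str, enc_key: str, mac_key: str) -> str:
    """Encrypt-then-MAC: tag the ciphertext with HMAC-SHA256 under a separate
    MAC key (never reuse the encryption key for the MAC)."""
    ct_hex = fusion_encrypt(plaintext, enc_key)
    tag = hmac.new(mac_key.encode(), ct_hex.encode(), hashlib.sha256).hexdigest()
    return f"{ct_hex}.{tag}"


def unseal(token: str, enc_key: str, mac_key: str) -> str:
    """Check the tag in constant time before touching the ciphertext; a modified
    token is rejected without ever being decrypted."""
    ct_hex, _, tag = token.rpartition(".")
    expected = hmac.new(mac_key.encode(), ct_hex.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("HMAC check failed: token was modified or wrong MAC key")
    return fusion_decrypt(ct_hex, enc_key)


if __name__ == "__main__":
    key = "Mykey1234"                                  # key from the thread
    session = '{"user":"alice","role":"user"}'         # constructed sample
    ct = fusion_encrypt(session, key)

    # 1. Known plaintext: a 9-character JSON prefix is enough for a 9-character key.
    found = recover_key(ct, '{"user":"', len(key))
    print("recovered key:", found, "->", fusion_decrypt(ct, found))

    # 2. Bit flipping: promote the role without knowing any key at all.
    off = session.index('"role":"') + len('"role":"')
    print("tampered     :", fusion_decrypt(tamper(ct, off, "user", "root"), key))

    # 3. Encrypt-then-MAC: the same flip is now caught before decryption.
    token = seal(session, key, "separate-mac-key")
    ct_hex, _, tag = token.rpartition(".")
    try:
        unseal(tamper(ct_hex, off, "user", "root") + "." + tag, key, "separate-mac-key")
    except ValueError as err:
        print("rejected     :", err)
```

The port reproduces the UDF's output format (for "barney" under key "test" both give 1604011a111c), so the attacks apply to data produced by the ColdFusion functions as well. Replacing fusion_encrypt in seal() with AES-CBC and a fresh random IV per message, and keeping the HMAC check in unseal(), is the shape of the scheme the last reply recommends.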