AES url encrypt / decrypt failing after ColdFusion (2016 release) Update 10

New Here, Apr 16, 2019

Following ColdFusion (2016 release) Update 10, the encryption / decryption of URL parameters we have used for the past 3 years is no longer working.

We tried rolling back the update on one of our servers and this worked. As update 10 is a Critical update, we cannot roll back our production server farm.

Current encryption process, which was deployed 2 or 3 years ago:

  1. Created AES secret key using ColdFusion inbuilt function (generateSecretKey("AES"))
  2. Encrypted the entire URL parameters with the AES secret key. (AES encryption)
  3. Concatenated secret key and AES encrypted URL.
  4. Encrypted the concatenated data again with “CFMX_COMPAT” algorithm using a defined password. (Second level of encryption).
  5. Sent this data as a URL string to the requested page.
  6. On the requested page, we decrypt the data again in the reverse order.
  7. Created URL parameters needed for that page from the decrypted data.

When we got the issue on Update 10, we investigated whether it was because of “CFMX_COMPAT” algorithm. So we removed the second level of encryption, but the issue was not solved.

Also the issue gets cleared when we refresh the page. So it is not related to encryption logic.

Could the issue be related to a cache limit, the number of URL variables created, or something related to the URL scope?

We have had to remove encryption of URLs on a number of pages to meet important business deadlines. This was only possible because the URL parameters are of a non-sensitive nature and would not present a security issue if tampered with. However, we have many other pages where this approach would not be possible, as it would allow access to data from other users.

Any help in resolving the above would be much appreciated.

TOPICS: Security

Participant, Apr 16, 2019

Hi,

Can you share your code that does the encryption and the decryption?

Does the string you finally pass into the url contain "funny" characters that might be destroyed somehow (by wrong/repeated url encoding)?

Adobe Community Professional, Apr 22, 2019

I think there is a flaw in the above algorithm. Namely the assumption that you can always pass encrypted characters, unchanged, through URL.

There is a second point. You're using AES anyway and CFMX_COMPAT is less secure than AES. So I don't understand why you use CFMX_COMPAT at all.

Your algorithm would be more efficient if it used the following steps instead:

  1. Create AES secret key using ColdFusion inbuilt function (generateSecretKey("AES"))
  2. Concatenate message as a string comprising secret key and URL
  3. Encrypt the message with the AES secret key. (AES encryption)
  4. Transform the message into a URL-encoded string, for example, urlEncodedEncryptedMessage=urlEncodedFormat(encryptedMessage,"utf-8")
  5. Send this data as a URL string to the requested page.
  6. On the requested page, URL-decode then decrypt the data (AES decryption)

BKBK, Adobe Community Professional, Apr 22, 2019

Test code:

<cfset key=generateSecretKey("AES")>
<cfset link="https://forums.adobe.com/thread/2614394">
<cfset message=key & link>
<cfset encryptedMessage=encrypt(message,key)>
<!--- URL-encode the ciphertext so it survives being passed as a URL parameter --->
<cfset urlEncodedEncryptedMessage=urlEncodedFormat(encryptedMessage,"utf-8")>
<!--- the receiving page reverses the step above before decrypting --->
<cfset urlDecodedEncryptedMessage=urlDecode(urlEncodedEncryptedMessage,"utf-8")>

<cfoutput>
    <p>
    key: #key#<br>
    </p>
    <p>
    message: #message#<br>
    </p>
    <p>
    encryptedMessage: #encryptedMessage#<br>
    </p>
    <p>
    urlEncodedEncryptedMessage: #urlEncodedEncryptedMessage#<br>
    </p>
    <p>
    urlDecodedEncryptedMessage: #urlDecodedEncryptedMessage#<br>
    </p>
    <p>
    decryptedMessage: #decrypt(urlDecodedEncryptedMessage,key)#
    </p>
</cfoutput>

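Added Go example (not code from any poster in this thread) tying together the three points raised above: the "funny characters" question, BKBK's observation that encrypted output cannot be passed unchanged through a URL, and the original poster's worry that tampered parameters could expose other users' data. It assumes a constructed AES-256 key that stays on the server instead of being concatenated into the URL, uses AES-GCM so a modified token is rejected outright, emits the token in a URL-safe Base64 alphabet, and includes urlScopeValue to show how a raw '+' in the ciphertext is turned into a space by the receiving page's query parsing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"net/url"
)

// Constructed example key; a real one lives only on the server and is never put in the URL.
var serverKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256

// newGCM builds the AEAD from the server-held key; sending and receiving pages use the same one.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealParams returns a URL-safe token: RawURLEncoding uses only [A-Za-z0-9-_], no '+', '/' or '='.
func sealParams(aead cipher.AEAD, params string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(params), nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

// openParams is the receiving page's side; a corrupted or tampered token fails the GCM tag check.
func openParams(aead cipher.AEAD, token string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(ct) < aead.NonceSize() {
		return "", errors.New("malformed token")
	}
	pt, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
	return string(pt), err
}

// urlScopeValue shows what a URL scope receives: a '+' in raw Base64 or uuencode output arrives as a space.
func urlScopeValue(raw string) string {
	q, _ := url.ParseQuery("d=" + raw)
	return q.Get("d")
}
```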