Reply to topic
Encrypt/Decrypt issue
shill


Joined: 17 Feb 2007
Posts: 6
Location: Knoxville, TN
Post Posted: Mon Mar 12, 2007 1:57 am Reply with quote
I am working on a project that may require temporarily storing some credit card numbers in a SQL Server 2005 database. To prepare for this, I read over the Macromedia/Adobe LiveDocs articles on CF's encrypt/decrypt functions to see how it works.

I later set up a dummy database table and a couple of CF pages (one with a form and action page to post the data to the database and a second page to retrieve the data (all this over SSL, of course, and not using an actual credit card number). In my test page, I can write an encrypted number to the database using the encrypt function. But when I try to retrieve the data using the decrypt function, I get an error.

Here is some sample code I have used:

Code:

<cfset stringtoEncrypt = "#form.ccNo#" >
<cfset algorithm = "AES">
<cfset encoding = "hex">
<cfset key = GenerateSecretKey(algorithm)>
<cfset variables.enc = Encrypt(stringtoEncrypt, key, algorithm, encoding)>
....then the <cfquery> statement to insert this into the database table...


On my display page ....

Code:

<cfquery> statement to get the data</cfquery>

<cfset algorithm = "AES">
<cfset encoding = "hex">
<cfset key = GenerateSecretKey(algorithm)>

<p>#decrypt(stringtoDecrypt, key, algorithm, encoding)#</p>



I get the following error message...

There has been an error while trying to encrypt or decrypt your input string: Given final block not properly padded.

I am stumped. I have used Adobe example almost to the letter and can't seem to figure out why I am getting an error.

Any suggestions would be appreciated.
cfer


Joined: 29 Oct 2006
Posts: 16
Post Posted: Thu Apr 12, 2007 1:28 am Reply with quote
The reason you got the error msg because "key" on first page is not same as "key" on display page.

There are ways around for this issue:
1. Use session or client variables for key on the first page, reuse it at second page. Drawback of this method is if some is going to bookmark the page for later reference, he will get an error, likely 404 error because session has changed or client variable has expired.

2. Set the key by yourself (vs. generatesecretkey().) One key for all. You can do it this way:
- Obtain your key by generating it from this function:
<cfset key = GenerateSecretKey("AES")>
- Dump/output the variable "key" to see the encrypted phrase. Save this encrypted phrase
- Pass it to where you want to decrypt, in place of "key"
- I do this way, save the phrase in application.cfc, call request.phrase and put it in key place in the decrypt function.
- Drawback: if someone is able to break in the application.cfc (when I am not home), steal the key phrase, my site would be a mess Smile

Hope this helps some.

cfer
www.emikro.com
Encrypt/Decrypt issue
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
 		All times are GMT  
Page 1 of 1  
  
  
 Reply to topic