4 Replies Latest reply on Oct 28, 2014 11:21 AM by jackhuang

    Tampered encryption causing Decrypt to crash

    jackhuang Level 1

      I have made an encryption of "auth" using AES as follows:

      <cfset skey = generateSecretKey("AES")>
      <cfset regkey = encrypt("auth", skey, "AES", "hex")>

      I attached the result, for example, to a URL:

      http://www.mydomain.com/authorization.htm?auth=34D3795AA3696B7F81AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83

      (auth is assigned regkey, i.e. ...htm?auth=#regkey#)

      This works perfectly under perfect conditions.  However, if I go ahead and try to "hack" the code and make it shorter and change some characters like this:

      http://www.mydomain.com/authorization.htm?auth=453424AEFE414DCA7392FDCC50AFE9D0312B2B2530A985386B83

      The Decrypt function:

      <cfset theword=decrypt(url.auth, skey, "AES", "hex")>

      just crashes! It throws an exception. Isn't it supposed to just return a bad string rather than crashing?  This is pretty bad.

      Is there a way to check the URL.auth value before passing it to Decrypt?  Thanks in advance.

        • 1. Re: Tampered encryption causing Decrypt to crash
          WolfShade Level 4

          If I may be so bold as to ask... Why are you passing the encryption key in a URL string???  Is this strictly for learning/practicing?  You're not planning on doing that in a production environment, are you?

          The CF9 docs don't say what is supposed to happen if the encrypted value is changed.  Place that inside a try/catch and have the issue details emailed to you.

          HTH,

          ^_^

          • 2. Re: Tampered encryption causing Decrypt to crash
            jackhuang Level 1

            I am going to use it for at least a couple of things:

            1. membership activation

            2. email notifications, i.e. when a member receives an email they will be notified, and if they are signed in already, it will bring them to the message directly to reply

            I tried try/catch, but the exception is being intercepted by cferror.

            • 3. Re: Tampered encryption causing Decrypt to crash
              WolfShade Level 4

              I think I misunderstood your original question.  I was tired when I looked at your code samples.

              If someone tries to change the encrypted URL parameters and error.cfm is NOT displaying anything other than a generic "something broke" message, but is emailing the details to the admin or developer, then there's really nothing to worry about.

              As far as WHY that's happening, I don't know.  The Adobe docs for it don't indicate what is supposed to happen if the encrypted value is altered.

              ^_^

              • 4. Re: Tampered encryption causing Decrypt to crash
                jackhuang Level 1

                I can't believe no one thought of this all this time and Adobe not knowing this.  The Decrypt function should either return a decrypted string or return false if it can't do its job, and not just throw an exception.  There can be other messages associated with the function to explain what the exception is.  This is a very bad user experience.
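The pre-check asked for in the opening post, combined with the try/catch the replies suggest, as an added example that is not code from the thread: `isValidAuthToken` is a hypothetical function, `application.skey` is assumed to hold the key produced by generateSecretKey("AES") and kept server-side, and the expected plaintext is taken to be the literal "auth" from the first post.

```cfml
<cfscript>
// Added example (not from the thread). Validates a hex AES token from the URL
// before and after decrypt() so a tampered value never reaches cferror.
// Assumptions: application.skey holds the generateSecretKey("AES") key,
// and a genuine token decrypts to the literal "auth".
function isValidAuthToken(required string token, required string key) {
    var plain = "";

    // 1. Shape check. AES output is whole 16-byte blocks, so the hex form must
    //    contain only hex digits and be a multiple of 32 characters. The
    //    shortened URL in the question (52 hex characters) fails right here.
    if (NOT reFindNoCase("^[0-9A-F]+$", arguments.token)
        OR len(arguments.token) MOD 32 NEQ 0) {
        return false;
    }

    // 2. Decrypt inside try/catch. A same-length edit that breaks the PKCS5
    //    padding is what decrypt() reports as an exception; catch it here,
    //    record it for the admin, and fail closed.
    try {
        plain = decrypt(arguments.token, arguments.key, "AES", "hex");
    } catch (any e) {
        writeLog(type="warning", file="authToken",
                 text="decrypt of url.auth failed: #e.message#");
        return false;
    }

    // 3. A decrypt that does not throw can still yield garbage, so compare
    //    the plaintext with the value the token is supposed to carry.
    return (plain EQ "auth");
}

// Usage: trust url.auth only after it has passed every check.
if (structKeyExists(url, "auth") AND isValidAuthToken(url.auth, application.skey)) {
    // continue with membership activation / notification handling
} else {
    // reject without telling the caller which check failed
}
</cfscript>
```

The shortened value from the question fails the length test and never reaches decrypt(), while a same-length edit that breaks padding is caught by the try/catch instead of surfacing through cferror. Neither check proves the token is genuine, since AES on its own does not detect modification; a MAC computed over the token would be needed for that.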