Solved

How to Obfuscate an AES Key via URL in Coldfusion.

Posted on 2011-10-27
Last Modified: 2012-05-12
I realize this isn't the best practice for encryption but I need to be able to obfuscate (hide it) an encryption key and send it through a URL variable. Then on the next page reveal it and use it for decryption.

This must be done reliably to where the encryption/decryption process is not messed up by the obfuscation method.

I tried creating a simple string manipulation cipher but that caused the encryption to not work reliably.

I'm using ColdFusion 9 and using AES encryption.

I have to persist the key variable from the GenerateSecretKey function to the next page and I can't use Session or Application scopes. I don't want to send the encryption key via URL in its true state so it must be obfuscated somehow.

Does anybody have any suggestions on how I can hide the key and still have it work correctly?


Question by: Garbonzo_Horowitz

12 Comments
Accepted Solution by: gdemaria (LVL 39), earned 1000 total points
ID: 37041225
Hmm, curious. Can I ask why you can't use an application scope variable? That sounds like the perfect place to hold an encryption key phrase.

I guess you could encrypt the key, that would be more reliable than obfuscation. Except when you encrypt the key, don't use a key for that one... :)

Then use the key to decrypt the primary encrypted value.

Why can't you use application scope again? lol
Expert Comment by: _agx_ (LVL 52)
ID: 37041263
Good question. I'm sure you know passing it through the url is ... an invitation to problems. Security only works if other people don't have a key to your front door :) Once they do, it's open season for thieves.
Author Comment by: Garbonzo_Horowitz
ID: 37041690
@gdemaria - Yes, I guess I could try to encrypt with CFMX_COMPAT and then again with AES. I'll see if that works.
The reason I need to do it like this is because I'm opening up a window using ColdFusion.Window.create and using a fusebox like framework that is supposed to send the page through a main circuit but I'm using a direct path in the URL parameter of the create method. So when I retrieve the page it doesn't run through application.cfm and no session or application variables are set.

I tried changing the URL path so that it does go through the main circuit. Doing it that way does give me the session and application variables I need but then I encounter another problem when I try to submit a cfform in the pop up window.
So I'm stuck with having to pass everything through the URL.  Bleh...


@agx - I hear ya. That's why I'm trying to hide my keys.

@both
The simple cipher I created should have worked but for some reason the AES encryption started messing up when decrypting. That's why I'm hesitant about jacking with the key so much although I see no way around it.
Author Comment by: Garbonzo_Horowitz
ID: 37041894
Well I'm getting mixed results.

Most of the time it is okay but I encountered an issue that when the encrypted string in the database had a plus sign '+' then the decrypted string put in an empty space instead so it did not find my record.

Strange.

It works most of the time but most of the time is not good enough.
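The '+' turning into a space is the standard query-string decoder at work: '+' is the form encoding of a space, and a Base64 ciphertext (which the '+' in the stored string suggests) also carries '/' and '=' that fare no better. As an added example, not code from the thread, here is a Python model of that round trip with a constructed ciphertext stand-in: the broken path beside two fixes, percent-encoding the token (URLEncodedFormat() in ColdFusion) or emitting hex instead.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for an AES ciphertext (not a real encryption result).
# The first three bytes were chosen so that Base64 emits '+' characters.
SAMPLE_CIPHERTEXT = b"\xfb\xef\xbe" + b"constructed-ciphertext-bytes"


def base64_token(ciphertext: bytes) -> str:
    """What a Base64-encoded ciphertext looks like: may contain '+', '/', '='."""
    return base64.b64encode(ciphertext).decode("ascii")


def naive_url_roundtrip(ciphertext: bytes) -> Optional[bytes]:
    """The broken flow: the Base64 token is pasted raw into the query string.
    The receiving side applies form decoding, which turns every '+' into a
    space, so the token no longer decodes as the original bytes."""
    query = "key=" + base64_token(ciphertext)      # no encoding step
    received = parse_qs(query)["key"][0]           # '+' -> ' ' happens here
    try:
        return base64.b64decode(received, validate=True)
    except binascii.Error:
        return None


def safe_url_roundtrip(ciphertext: bytes) -> bytes:
    """Percent-encode the token before building the URL (ColdFusion's
    URLEncodedFormat()); '+' travels as %2B and is restored intact."""
    query = urlencode({"key": base64_token(ciphertext)})
    received = parse_qs(query)["key"][0]
    return base64.b64decode(received, validate=True)


def hex_url_roundtrip(ciphertext: bytes) -> bytes:
    """Alternative: emit hex instead (Encrypt(..., 'Hex') in ColdFusion);
    the hex alphabet has no characters that query-string decoding rewrites."""
    query = "key=" + ciphertext.hex()
    received = parse_qs(query)["key"][0]
    return bytes.fromhex(received)
```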
 
Expert Comment by: gdemaria (LVL 39)
ID: 37041933
To me, the problem we should focus on is the lack of session management inside your Coldfusion window... I do that all the time and session variables absolutely exist within a CFwindow..

Is your application.cfc file in your root (top) folder?  Is the window you are creating calling a template within the root directory structure?

... it shouldn't matter that you are using a fusebox framework and not going through the index file.. that should not be a problem.
Expert Comment by: _agx_ (LVL 52)
ID: 37042620
About CFMX_COMPAT, I wouldn't bother with that algorithm. It's very insecure and easy to crack (just do a search). It's only included in later versions for backward compatibility.

I agree you should focus on the real problem - application/session management.  I use it that way too, and it shouldn't be an issue.  
Author Comment by: Garbonzo_Horowitz
ID: 37042913
Yes, I would prefer to be able to use the session and application scope as well but I just can't figure out what the issue is. I thought that since the framework requires going through index and since calling the pop up window is done asynchronously that was the reason the session and app variables were not being created.

If I could get this to work properly that would be great. Okay so let's give it a shot.

The directory structure uses Application.cfm that does all the regular stuff, nothing exceptional there.
There is an index.cfm page that has a bunch of case statements to display the different templates.
The product listing page where I'm calling the pop up window is on the same directory as the pop up window content page.

MainAppFolder
         |
          --- folder A
         |          |
         |          product list.cfm
         |          windowContent.cfm
         |
         |
         ---- folder B
                  |
                Application.cfm
                INDEX.cfm


When I try to call the windowContent.cfm page from the productList.cfm page by directly referencing it like:

 onclick="ColdFusion.Window.create('popWindow#productID#','Alert!','WindowSource.cfm?prodID=#productID#&...

I get a File not found error: File not found /MainAppFolder/FolderB/WindowContent.cfm

So it's looking for WindowContent in the folder that contains the application.cfm file. Note that INDEX.cfm has all the case statements and sends all of the templates to FolderA for processing.

The way I'm calling the pop up window is:

 onclick="ColdFusion.Window.create('popWindow#productid#','Alert!','/MainAppFolder/FolderA/WindowContent.cfm?


Doing it that way will access the pop up window but it will not have session variables available.

In order to get the session and application scope working I have to call the window like this:

 onclick="ColdFusion.Window.create('popWindow#productid#','Alert!','index.cfm?fuseaction=showPopUp&ProdID=#URLEncodedFormat(productid)#

That will work but my window content page uses a cfform that will not work. The window contains two buttons, one labeled Yes and one labeled No. Selecting Yes will delete a record. Selecting No will close the pop up window.

If you press the yes button (submit button on the cfform) then it just closes the pop up window without doing any of the form processing.

So that's the situation.

Any thoughts?





Assisted Solution by: _agx_ (LVL 52), earned 1000 total points
ID: 37043135
Now the errors make sense.  Your Application.cfm is in the wrong place.  If you want it to cover both subfolders it needs to be directly under MainAppFolder.  

MainAppFolder
         ----Application.cfm
         |
          --- folder A
         |          |
         |          product list.cfm
         |          windowContent.cfm
         |
         |
         ---- folder B
                  |
                INDEX.cfm
Expert Comment by: gdemaria (LVL 39)
ID: 37044942
.. and as a general rule, the application.cfm file always goes in the root folder of your application. That way it will be involved in every page request of your application.
Author Comment by: Garbonzo_Horowitz
ID: 37045239
Thank you that does work.
I moved the application.cfm file up 1 level and now I'm getting the session vars on the pop up window.
Is there some special security reason why the app would be set up like this in the first place?
The framework was set up by some high dollar consultants from Adobe and they had security as a top priority.

I'm going to split points on this one.
Expert Comment by: gdemaria (LVL 39)
ID: 37045264
I can't think of any security benefit to having the application file in a subfolder.. unless the folder evolved over time and originally it didn't have any code in it or wasn't under the web root or something...
Author Closing Comment by: Garbonzo_Horowitz
ID: 37045733
Thank you.