Encrypt and Decrypt problems

Hugh_Rainey · November 18, 2022, 6:45pm

I’m trying to do some basic encryption for a password table in my database. I’m just testing the code right now before I commit. Here it is:


<cfscript>

$ = (str)=> echo("#str#<br>")

query datasource="XXXXXX" name="q" sql="

select username, pw from user

";

loop query="q"{

	key = generateSecretKey('AES');

	echo("Encrypted with ::>[ #key# ] - ")

	enc = encrypt(pw, key, 'AES')

	echo(enc & "<br><br>")

	dec = decrypt(enc, key, 'AES')

	echo("Decrypted with ::>[ #key# ] - #dec#<hr>")

}
 
</cfscript>

Here is the response that I get:

The decrypt function works on the first pass through of the looped query, without fail. Everything after that is a flop. I generate a new key on every pass thru and encrypt and decrypt with the same key. This is driving me bonkers.

Am I doing something incorrectly here, or is this an issue with Lucee?

OS: >>> macOS Ventura vs. 13.0.1
Java Version: ???
Tomcat Version: 9
Lucee Version: 5.3.9.166

Roberto_Marzialetti · November 18, 2022, 7:24pm

Here seems works fine:

Hugh_Rainey · November 18, 2022, 8:33pm

Turns out the error I was having was my own stupidity. I was testing on a table that already encrypted data. The only one “working” was mine because thats the only one I had changed tp plain text. The others were working as well It’s just the decrypt function was spitting out the already encrypted files that I’d forgotten already had hashed PW’s in them.

andreas · November 18, 2022, 8:55pm

Just a little note. I’m not a security expert at all, but from my understanding, it’s not good security practice to store decryptable passwords anywhere at all. Please, really consider changing that into a one way password hashing and also including salt and pepper into that.

There is a really wonderful blog post about this from @andrew that from my point of view should be a must read to any cfml developer who develops apps with accounts, passwords and logins:

No matter how unimportant or uncritical your app might be, please consider it and try to implementing it as hashing and not as reverse decryptical strings.

andreas · November 18, 2022, 9:01pm

Please, also read the follow up post

Hugh_Rainey · November 18, 2022, 9:38pm

That’s been the reply that I got form a lot of people. Looks like I need to revamp my password recovery system to be more of a change your password instead.

Hugh_Rainey · November 30, 2022, 4:11pm

Hey Andreas – Just wanted you to know that I’ve revamped my login & password ~~recovery~~ reset system to no longer hold encrypt/decrypt data.

Gavin_Baumanis · December 4, 2022, 11:01pm

It’s funny - It always AFTER you post - and seems to be always AFTER someone else has "helped’… that you realise you were the problem… or it was spectacularly obvious…

I’m not saying I’m stupid… but…
Happens to me all the time!