11 Replies - 4275 Views - Last Post: 17 September 2014 - 04:12 PM

#1 xerogee

encrypt and decrypt AES ECB 256

Posted 15 September 2014 - 03:23 PM

Hello forum, I have been working on a project that encrypts a string with CF and Decrypts the response from Cfhttp.FileContent. However, I am having issues using a static key to do both. Is there anyone that could possibly tell me where I am going wrong in the following script.

FYI: the keys are supposed to stay the same while encrypting and decrypting. AND I have enabled Unlimited Strength Cryptography in ColdFusion by replacing the 2 files from sun as well.


<cfif (request_method is "Post") AND (isDefined("form.saveccdetails"))>
	<cfquery datasource="#application.dsn#" name="checkSession">
		SELECT [webserviceID],bankname,userID,clientID,[session],[Key],IsActive
		  ,DATEDIFF(hour, DateCreated, getDate()) as TotalHours,requestType,password,DateCreated
		FROM sometable
		Where Webserviceid = <cfqueryparam value="1" cfsqltype="cf_sql_numeric" />
		AND   IsActive = <cfqueryparam value="1" cfsqltype="cf_sql_bit" />
	</cfquery>
	<cfset uniquerequestid = dateformat(now(),'mmddyy') & timeformat(now(),'mmss') & NumberFormat(randrange(1,9999), '00000000')>
	<cfset TheKey = '9PZuobjN0J!a01lFeT1$$$$$$$$8tq3Z'>
	<cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
	<cfset theEncoding = "base64" />
	<cfset strName = leaddetail.leadlast&','&leaddetail.leadfirst />
	<cfset stFields ={requesttype = "eftaddonetimecompletetransaction"
			,clientid = "XXXXXXXX"
			,urltoredirect = "#RedirectURl#"
			,customerid = "#leaddetail.leadid#"
			,isdebitcardonly = "No"
			,customername = "#strName#"
			,customeraddress1 = "#form.billingaddress#"
			,customercity = "#form.billingcity#"
			,customerstate = "#form.billingstate#"
			,customerzip = "#form.billingzip#"
			,cardbillingaddr1 = "#form.billingaddress#"
			,cardbillingcity = "#form.billingcity#"
			,cardbillingstate = "#form.billingstate#"
			,cardbillingzip = "#form.billingzip#"
			,accounttype = "CC"
			,name_on_card = "#form.leadname#"
			,accountnumber = "#form.ccacctnum#"
			,expmonth = "#Left(form.ccexpdate,2)#"
			,expyear = "#Right(form.ccexpdate,2)#"
			,cvvcode = "#form.ccv2#"
			,amount = "#NumberFormat(esigninfo.esignpayamt,'9999.99')#"
			,startdate = "#DateFormat(Now(),'YYYY-MM-DD')#"
			,transactiontypecode = "WEB"}/>
	<cfset theEncryptedString = encrypt(serializeJson(stFields),thkey,theAlgorithm,theEncoding)>
					<!--- shake hands and login to api --->
	<cfhttp url="https://www.vancodev.com/cgi-bin/wsnvptest.vps" method="post" charset="ISO-8859-1" throwonerror="yes" result="httpResponse">
				<!--- vanco login Variables --->
    	<cfhttpparam type="Header" name="User-Agent" value="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41">
		<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" >
    	<cfhttpparam type="header" name="Accept" value="application/json" >
				<!--- Login Credentials --->
		<cfhttpparam type="formfield"name="nvpvar"value="''"/>
		<cfhttpparam type="formfield"name="requesttype"value="login"/>
		<cfhttpparam type="formfield"name="userid"value="XXXXXXXX"/>
		<cfhttpparam type="formfield"name="password"value="XXXXXXXX"/>
		<cfhttpparam type="formfield"name="requestid"value="#uniquerequestid#"/>
		<cfhttpparam type="formfield"name="PostData" value="#theEncryptedString#"/>
		<cfif isDefined('CheckSession.sessionID') AND CheckSession.sessionID NEQ ''>
			<cfhttpparam type="formfield"name="sessionid" value="#checkSession.sessionID#"/>
		</cfif>
	</cfhttp>
	<cfif checkSession.totalHours GT 23 OR checkSession.totalHours EQ ''>
		<cfquery datasource="#application.dsn#" name="updateSession" maxrows="1">
			UPDATE wsometable
	   			SET [session] =#thesession#
	      		,DateCreated = GetDate()
	 		WHERE WebserviceID = <cfqueryparam value="1" cfsqltype="cf_sql_numeric" />
		</cfquery>
	</cfif>
</cfif>



Replies To: encrypt and decrypt AES ECB 256

#2 Craig328

Posted 15 September 2014 - 07:35 PM

You're kidding right?

#3 Craig328

Posted 16 September 2014 - 07:04 AM

Tell you what, I re-opened this in case I was being an ass. It happens frequently enough that I need to check myself. :)

Do us a favor: describe the error you're getting. The way to troubleshoot a piece of code that's not working is to first describe the way it's not working.

#4 xerogee

Posted 16 September 2014 - 08:06 AM

OK sorry, didn't mean to offend, but this is a major pain trying to talk to a third party not being able to see what is going on - on the other side.

So my problem is using a static key to encrypt a post and decrypt the response. I know you can use the following to encrypt <cfset thekey = generate("AES",256)> however, I am not looking to generate new keys on the fly. So to break down the code:

I am using this to create a string of variables to post: <<<---- this could be a problem as well, however I don't know. There is probably a better way to do this.

<cfset theAlgorithm  = "AES/CBC/PKCS5Padding" />
<cfset theEncoding = "base64" />
<cfset stFields ={requesttype = "eftaddonetimecompletetransaction"
			,clientid = "XXXXX"
			,urltoredirect = "#RedirectURl#"
			,customerid = "#leaddetail.leadid#"
			,isdebitcardonly = "No"
			,customername = "#strName#"
			,customeraddress1 = "#form.billingaddress#"
			,customercity = "#form.billingcity#"
			,customerstate = "#form.billingstate#"
			,customerzip = "#form.billingzip#"
			,cardbillingaddr1 = "#form.billingaddress#"
			,cardbillingcity = "#form.billingcity#"
			,cardbillingstate = "#form.billingstate#"
			,cardbillingzip = "#form.billingzip#"
			,accounttype = "CC"
			,name_on_card = "#form.leadname#"
			,accountnumber = "#form.ccacctnum#"
			,expmonth = "#Left(form.ccexpdate,2)#"
			,expyear = "#Right(form.ccexpdate,2)#"
			,cvvcode = "#form.ccv2#"
			,amount = "#NumberFormat(esigninfo.somefield,'9999.99')#"
			,startdate = "#DateFormat(Now(),'YYYY-MM-DD')#"
			,transactiontypecode = "WEB"}/>


There is a key that looks like this, but without the dollar signs:

<cfset TheKey = '9PZuobjN0J!a01lFeT1$$$$$$$$8tq3Z'>


When I post the data to the third party server I get a response, however I am unable to send the form fields encrypted utilizing the below:

<cfhttp url="https://www.vancodev.com/cgi-bin/wsnvptest.vps" method="post" charset="ISO-8859-1" throwonerror="yes" result="httpResponse">
<cfhttpparam type="formfield"name="PostData" value="#encrypt(stFields,theKey,theAlgorithm,theEncoding)#"/>
</cfhttp>

#5 Craig328

Posted 16 September 2014 - 08:30 AM

Are you meaning to put the curly brackets in on lines 3 and 25?

#6 xerogee

Posted 16 September 2014 - 08:36 AM

Yes. That is how the book says to create the string. If you put all static data into the stfields with the curly brackets you can do something like the following: serializeJson(stfields). It comes out as a string of data in a Json format.

#7 Craig328

Posted 16 September 2014 - 09:17 AM

Try placing them inside the quotes:
<cfset stFields ="{requesttype = 'eftaddonetimecompletetransaction'

,transactiontypecode = 'WEB'}"/>


The two equal signs suggest that you're creating a literal string that will be evaluated elsewhere. The curly brackets then are probably also meant to be evaluated elsewhere as well.

Try making those changes and see what you get.

Edit: you'll also need to change all your double quotes to single quotes for anything inside the stFields variable.

This post has been edited by Craig328: 16 September 2014 - 09:18 AM

#8 xerogee

Posted 16 September 2014 - 09:24 AM

So you don't think there is anything wrong with how I am using the key? The reason I am asking is because when I do a dump with the stfields like it is, I am getting the information I need in the format I need as well. But when I try to encrypt or decrypt is where I am getting the errors.

#9 Craig328

Posted 16 September 2014 - 09:29 AM

So you're saying this is the part that's erroring?
#encrypt(stFields,theKey,theAlgorithm,theEncoding)#


If so, try this and see what you get:
<cfset variables.encString = encrypt(stFields,theKey,theAlgorithm,theEncoding)>
<cfdump var="#variables.encString#">
<cfhttp url="https://www.vancodev.com/cgi-bin/wsnvptest.vps" method="post" charset="ISO-8859-1" throwonerror="yes" result="httpResponse">
<cfhttpparam type="formfield"name="PostData" value="#variables.encString#"/>
</cfhttp>



Basically, encrypt the string outside of the cfhttpparam tag and see whether that errors or not. If that cfset errors then it is something to do with the encryption for certain.

In cases like this, it helps to make sure you're targeting the correct piece of code for an error fix.

#10 xerogee

Posted 16 September 2014 - 10:14 AM

Yes.. The encryption decryption part is what is failing. When I do this <cfset theKey = generateSecretKey("AES",256)>

It encrypts fine however, I need to do something like this <cfset theKey = SomeKeyAlreadygeneratedFromThirdParty> Whenever I switch the two it fails.

#11 xerogee

Posted 16 September 2014 - 11:06 AM

If it helps even more, I have already encrypted the string outside of the cfhttpparam tag and the encryption works when you encrypt like the following
<cfset OurKey = generateSecretKey('AES',256)>
<cfset theEncryptedStr = encrypt(serializeJson(stFields),OurKey,theAlgorithm,theEncoding)/>


However when encrypting like this:
<cfset OurKey = "ABCdeFgHiJklmnoP")>
<cfset theEncryptedStr = encrypt(serializeJson(stFields),OurKey,theAlgorithm,theEncoding)/>


is when the error occurs.

#12 xerogee

Posted 17 September 2014 - 04:12 PM

OK so I have found the issue with ColdFusion. Seems it doesn't like it when you introduce a static key like the following:
<cfset OurKey = "ABCdeFgHiJklmnoP")>
<cfset theEncryptedStr = encrypt(serializeJson(stFields),OurKey,theAlgorithm,theEncoding)/>

So I opted to use the following instead:

<cfscript>
	  // some sample data to encrypt
	  stFields = {requesttype = "eftaddonetimecompletetransaction"
				,clientid = "XXXXXXX"
				,urltoredirect = "#RedirectURl#"
				,customerid = "#leaddetail.leadid#"
				,isdebitcardonly = "No"
				,customername = "#strName#"
				,customeraddress1 = "#form.billingaddress#"
				,customercity = "#form.billingcity#"
				,customerstate = "#form.billingstate#"
				,customerzip = "#form.billingzip#"
				,cardbillingaddr1 = "#form.billingaddress#"
				,cardbillingcity = "#form.billingcity#"
				,cardbillingstate = "#form.billingstate#"
				,cardbillingzip = "#form.billingzip#"
				,accounttype = "CC"
				,name_on_card = "#form.leadname#"
				,accountnumber = "#form.ccacctnum#"
				,expmonth = "#Left(form.ccexpdate,2)#"
				,expyear = "#Right(form.ccexpdate,2)#"
				,cvvcode = "#form.ccv2#"
				,amount = "#NumberFormat(esigninfo.esignpayamt,'9999.99')#"
				,startdate = "#DateFormat(Now(),'YYYY-MM-DD')#"
				,transactiontypecode = "WEB"};

	  // some 256 bit key, must be base64 encoded
	  // hard coded for demo purposes only
	  keyInBase64 = "NWIhUi1papapapap0W02czhxemdOdE12Qms3NEtYM1Q=";

	  // AES encrypt the value, and base64 encode the result
	  encryptedValue = encrypt(serializeJson(stFields)
	                                     , keyInBase64
	                                     , "AES/ECB/PKCS5Padding"
	                                     , "base64"
	                           );
	  // Now decrypt the base64 encoded encryption string
	  decryptedValue = decrypt(encryptedValue
	                                      , keyInBase64
	                                      , "AES/ECB/PKCS5Padding"
	                                      , "base64"
	                           );
	       //WriteDump(variables);
	</cfscript>


This worked, however it presented a new problem. The problem is now the response string comes back encrypted as it should, but it won't decrypt the response string. So if I have the following:
<cfhttp url="https://www.somesite/cgi-bin/test.vps" method="post" charset="ISO-8859-1" throwonerror="yes" result="httpResponse">
<!--- login Variables --->
<cfhttpparam type="Header" name="User-Agent" value="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41">
		<cfhttpparam type="header" name="Content-Type" value="application/x-www-form-urlencoded" >
    	<cfhttpparam type="header" name="Accept" value="application/json" >
				<!--- Login Credentials --->
		<cfhttpparam type="formfield"name="nvpvar"value="''"/>
		<cfhttpparam type="formfield"name="requesttype"value="login"/>
		<cfhttpparam type="formfield"name="userid"value="XXXXX"/>
		<cfhttpparam type="formfield"name="password"value="XXXXXX"/>
		<cfhttpparam type="formfield"name="requestid"value="#uniquerequestid#"/>
		<cfhttpparam type="formfield"name="PostData" value="#encryptedValue#"/>
		<cfif isDefined('CheckSession.sessionID') AND CheckSession.sessionID NEQ ''>
			<cfhttpparam type="formfield"name="sessionid" value="#checkSession.sessionID#"/>
		</cfif>
	</cfhttp>


Beneath the above I insert the following:

<cfset content = httpResponse.filecontent>
	<cfset authdata = structNew()>
	<cfloop index="line" list="#content#" delimiters="#chr(10)#">
		<cfset dtype = listFirst(line, "=")/>
		<cfset value = listRest(line, "=")/>
	</cfloop>
	<cfscript>
	  keyInBase64 = "SomeBase64Key";
	  // Now decrypt the base64 encoded encryption string
	  decryptedValue = decrypt(value
	                                 , keyInBase64
	                                 , "AES/ECB/PKCS5Padding"
	                                 , "base64"
	                           );
	       //WriteDump(variables);
	</cfscript>

<cfdump var ="#decryptedValue#">


Any reason why the decrypted value will not dump?
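
The static-key change reached in post #12, together with a response parser that keeps every field rather than only the last line's value, as an added example (not code from the thread or from the third party). ColdFusion's AES encrypt() takes the key as base64 text, which is what generateSecretKey() returns, so a key issued as plain characters is converted first. The function names, the sample key and the simulated response, including the "nvpvar" response field, are assumptions.

```cfml
<cfscript>
// Added example, not code from the thread. Function names, the sample key
// and the simulated response are constructed for illustration.

// Turn a key issued as plain text into the base64 form that
// encrypt()/decrypt() expect for AES, rejecting invalid key sizes.
function rawKeyToBase64(required string rawKey) {
    var keyBytes = charsetDecode(arguments.rawKey, "utf-8");
    var n = len(keyBytes); // len() accepts a binary object
    if (n != 16 && n != 24 && n != 32) {
        throw(type="InvalidKeyLength",
              message="AES needs a 16, 24 or 32 byte key, got #n# bytes");
    }
    return binaryEncode(keyBytes, "base64");
}

// Parse a name=value response into a struct. Every field is kept, the
// split is on the first "=" only (base64 values may end in "="), and
// stray CR/LF or spaces are trimmed before the value reaches decrypt().
function parseNvp(required string body) {
    var fields = {};
    var line = "";
    var pos = 0;
    for (line in listToArray(arguments.body, chr(13) & chr(10))) {
        pos = find("=", line);
        if (pos > 1) {
            fields[trim(left(line, pos - 1))] = trim(removeChars(line, 1, pos));
        }
    }
    return fields;
}

algorithm   = "AES/ECB/PKCS5Padding";               // mode used in the thread
keyInBase64 = rawKeyToBase64("0123456789abcdef0123456789abcdef"); // constructed key
payload     = serializeJson({requesttype = "login", requestid = "0000"});
cipherText  = encrypt(payload, keyInBase64, algorithm, "base64");

// Constructed response: the field name "nvpvar" and the CRLF layout are
// assumptions, not the third party's documented format.
responseBody = "requestid=0000" & chr(13) & chr(10)
             & "nvpvar=" & cipherText & chr(13) & chr(10);
fields = parseNvp(responseBody);

decrypted = decrypt(fields["nvpvar"], keyInBase64, algorithm, "base64");
writeOutput(decrypted eq payload ? "round trip ok" : "round trip FAILED");
</cfscript>
```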
