Decryption

[LarrySteele]

I have an internal site that has access to sensitive data. We have link from another internal site on a different domain. We're passing variables across as url name/value pairs. This provides a big gaping security hole that we're trying to plug. I thought we could use ColdFusion's strong encryption. Silly me, I thought we were running CFMX 7, but turns out we're running CFMX 6.1.

Unfortunately, we're at crunch time and don't have enough time to request/approve/purchase/receive/install/blah-blah to CFMX 7.

Stuck at CFMX 6.1 for now, what options do I have to decrypt Triple DES encoded text? Said text is coming from html pages created via some Java program and they're using standard Triple DES encryption to Base64.

Funny how these always creep up just before delivery.

TIA,
Larry

 

[cfSearching]

Well, at least you are using MX6. So you can tap into java. What about using the same java code they use for encrypt to do the decrypt? If it is a jar, you might be able to install it and use it with a few lines of code.

Funny how these always creep up just before delivery.

Yes, they do. No, it is not at all funny

----------------------------------

http://cfsearching.blogspot.com/

 

[cfSearching]

Silly me. I am forgetting about JVM versions. Can you install whatever strong encryption files are needed, with the jvm version your CF installation is using?

In other words, if your jvm supports it, then it should work from CF (using java code).

----------------------------------

http://cfsearching.blogspot.com/

 

[LarrySteele]

It's actually decryption I'm trying to accomplish. Nevertheless, I am looking at an option that's very similar to your suggestion. Our company has a few aspx websites and they're using a .net com object to decrypt. I'm all about re-use, so I'm going to grab their com object and use it on our CF server. At least that's the theory.

 

[cfSearching]

It's actually decryption I'm trying to accomplish

Yes, but if the java files encrypt, it is extremely likely they also have a routine to decrypt. In fact, I would be surprised if they did not ;-)

they're using a .net com object to decrypt

If it produces the same results, and you can easily use it from CF .. go for it.

----------------------------------

http://cfsearching.blogspot.com/

 

[LarrySteele]

Well, got their COM object registered. Learned that you can't use regsvr32 to register a .net object - have to use regasm. Lost a good hour chasing my tail on that one.

New error message is so vague, I'm not even sure how to approach it.

[tt]An exception occurred when instantiating a Com object.
The cause of this exception was that: AutomationException: 0x80070002 - .[/tt]

ColdFusion highlights the class name/value pair in my cfobject declaration statement.

65 :     <cfobject type="COM"
66 :               name="decryp"
[b]67 :               class="myHRTools.SSOToken"[/b]
68 :               action="create">

This is program id. Not only was it passed along to me by the programmer, it's also what's listed in the Registry. So I'm confident it's not an issue with the name.

So here's my question. How would you approach troubleshooting this error?

Larry

 

[cfSearching]

Unfortunately, I have zero experience tracing COM errors. That is why I suggested the java route. So my mundane suggestion would be google ;-)

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33932#170783

----------------------------------

http://cfsearching.blogspot.com/

 

[LarrySteele]

No problem. The link you provided... been there a few times today.

Right now I'm working in the direction that CF is trying to invoke the object using .net 1.1, but this object is written for 2.0. At least I feel like I'm doing something, even if it's nothing more than chasing my tail. Again

 

[cfSearching]

Do you know if is even compatible with .net 1.1? If you have a development version of 8 (or possibly 7) handy, you might try a quick test. If the COM object works right out of the gate, it might suggest a version problem. Also, is there some other way you can call the object? IIRC you can run vbs scripts from cfexecute with wscript.exe. Just wondering if there is another way to test it.

If all else fails, there has to be some program you can call via cfexecute, or a custom tag even. I am virtually certain you are not the first person to need strong encryption under MX 6. Unfortunately, it has been a while since I have used it. But failing everything else you could always take a look at the external java program. See if you could get it to work.







----------------------------------

http://cfsearching.blogspot.com/

 

[LarrySteele]

We ended up making a quick vbscript file. The script ran on one of the developer's boxes no problem. WSH displayed essentially the same error on our server. I registered the dll on my machine (compatible .net framework and WSH version) and same error popped up on my machine.

Unfortunately, we're quickly approaching critical mass. I have to abandon this and use a highly undesired work-around. But it's either that or we lose the project. So, I'll pack my pride away in a box for a few days and get this project delivered.

Thanks much for your help. Oh, and agree with the java approach. Wish I had more experience with it. Then again, if we had CFMX 7, this never would've been an issue.

 

[cfSearching]

At least that will buy you some time to implement a more robust solution.

Yes, obviously the ideal is to use a built in CF function, as you can with MX7. But I think the hardest part about the java route is making sure you are using a compatible jvm version (if running an external jar) and that strong encryption files are properly installed. Other than that it should be relatively simple .. theoretically of course ;-) If you do decide to go that route, and need any assistance, let me know.



----------------------------------

http://cfsearching.blogspot.com/