Re: encryption madness
This WebDNA talk-list message is from 2003
It keeps the original formatting.
numero = 47121
interpreted = N
texte = Brian

Great explanation :)

On Thursday, January 23, 2003, at 12:23 PM, Brian Fries wrote:

> In my experience, there is no problem with the encrypt/decrypt
> contexts themselves, only confusion regarding how to properly apply
> them in conjunction with URL / UNURL. Here's some sample code:
>
> [text]tIn=bob!@#$%^&*()_-+=[{]}\|:;',<.>?/`~éåaî[/text]
> [text]tEn=[url][encrypt seed=ABC123][tIn][/encrypt][/url][/text]
> [text]tDe=[decrypt seed=ABC123][unurl][tEn][/unurl][/decrypt][/text]
> [tIn]
> [tEn]
> [tDe]
> [if [url][tIn][/url]=[url][tDe][/url]][then]Good[/then][else]Bad[/else][/if]
>
> Feel free to try any value you want to as the tIn value. Regardless
> of what you feed it, it should spit out the original value, the URL'ed
> encrypted value, the decrypted value, and the word Good. If you get
> the word Bad instead, then something is wrong with WebDNA. All my
> tests work fine (4.5.0 / OSX).
>
> The only time that a double-URL is required is when you are writing
> the data out - to a db, an order file, a cookie, whatever - and it is
> needed because you want to actually store %20 for spaces, along with
> the URL escape sequences for the more dangerous characters like
> returns, ampersands, tabs, control characters and high-ASCII
> characters.
>
> WebDNA always performs an implied UNURL on the parameters you pass in
> to its contexts, then works with the resulting data. By performing the
> second URL, you are converting %20 to %2520 - that is, the % in the
> %20 is converted to %25 - so that the implied UNURL will result in the
> %20 that you want to write.
>
> So, general rules of encryption that I follow are...
>
> Encrypt into a text variable - URL once, outside the ENCRYPT context:
>
> [text]tEn=[url][encrypt seed=ABC123]the data[/encrypt][/url][/text]
>
> Writing the encrypted value to a DB - URL the already once-URL'ed
> value so it gets written out URL'ed:
>
> [append ...]encField=[url][tEn][/url][/append]
>
> The same as above applies to SETCOOKIE or storing in an order file...
>
> Decrypting a once-URL'ed encrypted value - which includes the text
> variable I created, or any value retrieved from a DB, COOKIE or ORDER
> FILE - use UNURL INSIDE the DECRYPT:
>
> [text]tDe=[decrypt seed=ABC123][unurl][encField][/unurl][/decrypt][/text]
>
> At this point, [tDe] contains exactly the same data that was
> originally passed in to the ENCRYPT.
>
> - brian
>
> On Wednesday, January 22, 2003, at 02:56 PM, Andrew Simpson wrote:
>
>> Yes. 99.9% accuracy isn't really good enough when dealing with
>> somebody else's money.
>>
>> it wouldn't take too long to write a script that tested
>> encrypt/decrypt in an endless loop with random seeds to see if there
>> are any inconsistencies. but i agree, this should have already been
>> done by SMSI and documented...
>>
>> It's an important part of an ecommerce engine for people to be able
>> to pay for products securely...
>>
>> ----- Original Message -----
>> From: Tim Robinson
>> To: WebCatalog Talk
>> Sent: Thursday, January 23, 2003 11:46 AM
>> Subject: Re: encryption madness
>>
>>> Maybe it's stating the bleedingly obvious, but shouldn't it be up to
>>> SmithMicro to fix it?!?! There shouldn't be disagreements and endless
>>> testing to see if one [url] or two does the job. You should just be
>>> able to use [encrypt] to encrypt it, and [decrypt] to decrypt it....
>>> and that should work. You know it makes sense! ;-)
>>>
>>> Regards,
>>> Tim
>>> --
>>> Tim Robinson
>>> IDFK Web Developments
>>> tim@idfk.com.au
>>> 114a/40 Yeo Street
>>> Neutral Bay 2089
>>> Australia
>>> Phone +612 9908 2134
>>> Fax +612 9908 4837
>>>
>>>> From: Glenn Busbin
>>>> Reply-To: (WebCatalog Talk)
>>>> Date: Wed, 22 Jan 2003 17:42:12
>>>> To: (WebCatalog Talk)
>>>> Subject: Re: encryption madness
>>>>
>>>>> FOR THE ARCHIVES...
>>>>>
>>>>> Ok, Windoze 2k Server with IIS and WC4.5 you only need one [url]
>>>>> when writing to the dbase and it seems to work just fine in the
>>>>> orderfile. HOWEVER... in this case the orderfile is not being
>>>>> processed by WebMerchant.
>>>>>
>>>>> Solution based on about 10 tests at this point.
>>>>
>>>> I use
>>>> [URL][URL][Encrypt Seed=abc123][Stuff][/Encrypt][/URL][/URL]
>>>> and
>>>> [Decrypt Seed=abc123][UnURL][Stuff][/UnURL][/Decrypt]
>>>>
>>>> This works on Mac Classic and OS X. It may differ on a Windoze box.
>>>>
>>>> Experiment.
>>>>
>>>> A lot.
>>>>
>>>> A 99.99% success rate indicates that something is wrong.
>>>>
>>>> Glenn
>>>>
>>>> -------------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list .
>>>> To unsubscribe, E-mail to:
>>>> To switch to the DIGEST mode, E-mail to
>>>> Web Archive of this list is at: http://webdna.smithmicro.com/
>
> -- Brian Fries, BrainScan Software --
> http://www.brainscansoftware.com --

Regards

Stuart Tremain
idfk web developments
114a/40 yeo street neutral bay 2089 australia
t +612 9908 2134
f +612 9908 4837
Stuart Tremain
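
The URL / UNURL layering that Brian Fries describes, combined with the random-seed round-trip loop Andrew Simpson suggests, as an added Python example that is not part of any post in the thread and is not WebDNA code. Assumptions: `url`/`unurl` stand in for `[url]`/`[unurl]`, the implied UNURL on write is modelled exactly as Brian describes it, and `toy_encrypt` is a placeholder XOR routine chosen only because it emits arbitrary bytes; it is not WebDNA's cipher and not secure.

```python
import random
from urllib.parse import quote, unquote

def url(s):                      # stand-in for WebDNA [url]
    return quote(s, safe="")

def unurl(s):                    # stand-in for WebDNA [unurl]
    return unquote(s)

def toy_encrypt(plain, seed):
    """Placeholder XOR cipher, NOT WebDNA's algorithm and not secure.
    It only needs to emit arbitrary bytes, as a real cipher would."""
    key = seed.encode("utf-8")
    data = plain.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).decode("latin-1")

def toy_decrypt(cipher, seed):
    key = seed.encode("utf-8")
    data = cipher.encode("latin-1", errors="replace")
    out = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return out.decode("utf-8", errors="replace")

def roundtrip(plain, seed, extra_url):
    t_en = url(toy_encrypt(plain, seed))       # URL once, outside ENCRYPT
    param = url(t_en) if extra_url else t_en   # second URL only when writing out
    stored = unurl(param)                      # implied UNURL done by the writing context
    return toy_decrypt(unurl(stored), seed)    # UNURL inside DECRYPT

def fuzz(trials, extra_url, rng_seed=0):
    """Random seeds and plaintexts; returns the number of failed round trips."""
    rng = random.Random(rng_seed)
    alphabet = "abcXYZ019 %&+=\t\r\n/?éåî"
    failures = 0
    for _ in range(trials):
        seed = "".join(rng.choice("ABCDEF0123456789") for _ in range(6))
        plain = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 30)))
        if roundtrip(plain, seed, extra_url) != plain:
            failures += 1
    return failures

if __name__ == "__main__":
    # Constructed case: with seed ABC123 the toy ciphertext of "dvr" is the text "%41".
    print(repr(roundtrip("dvr", "ABC123", extra_url=True)))
    print(repr(roundtrip("dvr", "ABC123", extra_url=False)))
    print(fuzz(2000, extra_url=True), fuzz(2000, extra_url=False))
```

In this model the single-URL write path only breaks when the raw ciphertext happens to contain a `%` followed by two hex digits, so it passes most inputs and fails a few, while the double-URL path round-trips every input.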