Re: encryption madness

This WebDNA talk-list message is from

2003


It keeps the original formatting.
numero = 47121
interpreted = N
texte = Brian

Great explanation :)

On Thursday, January 23, 2003, at 12:23 PM, Brian Fries wrote:

> In my experience, there is no problem with the encrypt/decrypt
> contexts themselves, only confusion regarding how to properly apply
> them in conjunction with URL / UNURL. Here's some sample code:
>
> [text]tIn=bob!@#$%^&*()_-+=[{]}\|:;',<.>?/`~éåaî[/text]
> [text]tEn=[url][encrypt seed=ABC123][tIn][/encrypt][/url][/text]
> [text]tDe=[decrypt seed=ABC123][unurl][tEn][/unurl][/decrypt][/text]
> [tIn]
> [tEn]
> [tDe]
> [if [url][tIn][/url]=[url][tDe][/url]][then]Good[/then][else]Bad[/else][/if]
>
> Feel free to try any value you want to as the tIn value. Regardless
> of what you feed it, it should spit out the original value, the URL'ed
> encrypted value, the decrypted value, and the word Good. If you get
> the word Bad instead, then something is wrong with WebDNA. All my
> tests work fine (4.5.0 / OSX).
>
> The only time that a double-URL is required is when you are writing
> the data out - to a db, an order file, a cookie, whatever - and it is
> needed because you want to actually store %20 for spaces, along with
> the URL escape sequences for the more dangerous characters like
> returns, ampersands, tabs, control characters and high-ASCII
> characters.
>
> WebDNA always performs an implied UNURL on the parameters you pass in
> to its contexts, then works with the resulting data. By performing the
> second URL, you are converting %20 to %2520 - that is, the % in the
> %20 is converted to %25 - so that the implied UNURL will result in the
> %20 that you want to write.
>
> So, general rules of encryption that I follow are...
>
> Encrypt into a text variable - URL once, outside the ENCRYPT context:
>
> [text]tEn=[url][encrypt seed=ABC123]the data[/encrypt][/url][/text]
>
> Writing the encrypted value to a DB - URL the already once-URL'ed
> value so it gets written out URL'ed:
>
> [append ...]encField=[url][tEn][/url][/append]
>
> The same as above applies to SETCOOKIE or storing in an order file...
>
> Decrypting a once-URL'ed encrypted value - which includes the text
> variable I created, or any value retrieved from a DB, COOKIE or ORDER
> FILE - use UNURL INSIDE the DECRYPT:
>
> [text]tDe=[decrypt seed=ABC123][unurl][encField][/unurl][/decrypt][/text]
>
> At this point, [tDe] contains exactly the same data that was
> originally passed in to the ENCRYPT.
>
> - brian
>
> On Wednesday, January 22, 2003, at 02:56 PM, Andrew Simpson wrote:
>
>> Yes. 99.9% accuracy isn't really good enough when dealing with
>> somebody else's money.
>>
>> It wouldn't take too long to write a script that tested
>> encrypt/decrypt in an endless loop with random seeds to see if there
>> are any inconsistencies. But I agree, this should have already been
>> done by SMSI and documented...
>>
>> It's an important part of an e-commerce engine for people to be able
>> to pay for products securely...
>>
>> ----- Original Message -----
>> From: Tim Robinson
>> To: WebCatalog Talk
>> Sent: Thursday, January 23, 2003 11:46 AM
>> Subject: Re: encryption madness
>>
>>> Maybe it's stating the bleedingly obvious, but shouldn't it be up to
>>> SmithMicro to fix it?!?! There shouldn't be disagreements and endless
>>> testing to see if one [url] or two does the job. You should just be
>>> able to use [encrypt] to encrypt it, and [decrypt] to decrypt it....
>>> and that should work. You know it makes sense! ;-)
>>>
>>> Regards,
>>> Tim
>>> --
>>> Tim Robinson
>>> IDFK Web Developments
>>> tim@idfk.com.au
>>> 114a/40 Yeo Street
>>> Neutral Bay 2089
>>> Australia
>>> Phone +612 9908 2134
>>> Fax +612 9908 4837
>>>
>>>> From: Glenn Busbin
>>>> Reply-To: (WebCatalog Talk)
>>>> Date: Wed, 22 Jan 2003 17:42:12
>>>> To: (WebCatalog Talk)
>>>> Subject: Re: encryption madness
>>>>
>>>>> FOR THE ARCHIVES...
>>>>>
>>>>> Ok, Windoze 2k Server with IIS and WC4.5 you only need one [url]
>>>>> when writing to the dbase and it seems to work just fine in the
>>>>> orderfile. HOWEVER... in this case the orderfile is not being
>>>>> processed by WebMerchant.
>>>>>
>>>>> Solution based on about 10 tests at this point.
>>>>>
>>>>
>>>> I use
>>>> [URL][URL][Encrypt Seed=abc123][Stuff][/Encrypt][/URL][/URL]
>>>> and
>>>> [Decrypt Seed=abc123][UnURL][Stuff][/UnURL][/Decrypt]
>>>>
>>>> This works on Mac Classic and OS X. It may differ on a Windoze box.
>>>>
>>>> Experiment.
>>>>
>>>> A lot.
>>>>
>>>> A 99.99% success rate indicates that something is wrong.
>>>>
>>>> Glenn
>>>>
>>>> -------------------------------------------------------------
>>>> This message is sent to you because you are subscribed to
>>>> the mailing list .
>>>> To unsubscribe, E-mail to:
>>>> To switch to the DIGEST mode, E-mail to
>>>>
>>>> Web Archive of this list is at: http://webdna.smithmicro.com/
>
> -- Brian Fries, BrainScan Software --
> http://www.brainscansoftware.com --

Regards

Stuart Tremain
idfk web developments
114a/40 yeo street
neutral bay 2089
australia
t +612 9908 2134
f +612 9908 4837

Associated Messages, from the most recent to the oldest:

    
  1. Re: encryption madness ( Thierry Almy 2004)
  2. Re: encryption madness ( "Scott Anderson" 2004)
  3. Re: encryption madness ( Thierry Almy 2004)
  4. Re: encryption madness ( Squaredancer@t-online.de (Squaredancer) 2004)
  5. encryption madness ( Thierry Almy 2004)
  6. Re: encryption madness (John Hill 2003)
  7. Re: encryption madness (Kimberly D. Walls 2003)
  8. Re: encryption madness (Brian Fries 2003)
  9. Re: encryption madness (Kenneth Grome 2003)
  10. Re: encryption madness (John Hill 2003)
  11. Re: encryption madness (Kimberly D. Walls 2003)
  12. Re: encryption madness (Kenneth Grome 2003)
  13. Re: encryption madness (Kimberly D. Walls 2003)
  14. Re: encryption madness (Kimberly D. Walls 2003)
  15. Re: encryption madness (Kimberly D. Walls 2003)
  16. Re: encryption madness (Stuart Tremain 2003)
  17. Re: encryption madness (Brian Fries 2003)
  18. Re: encryption madness (Kenneth Grome 2003)
  19. Re: encryption madness (Stuart Tremain 2003)
  20. Re: encryption madness (Kenneth Grome 2003)
  21. Re: encryption madness (Donovan 2003)
  22. Re: encryption madness (Glenn Busbin 2003)
  23. Re: encryption madness (Andrew Simpson 2003)
  24. Re: encryption madness (Stuart Tremain 2003)
  25. Re: encryption madness (Tim Robinson 2003)
  26. Re: encryption madness (Andrew Simpson 2003)
  27. Re: encryption madness (Kimberly D. Walls 2003)
  28. Re: encryption madness (Glenn Busbin 2003)
  29. Re: encryption madness (Stuart Tremain 2003)
  30. Re: encryption madness (Rob Marquardt 2003)
  31. Re: encryption madness (Kimberly D. Walls 2003)
  32. Re: encryption madness (Kimberly D. Walls 2003)
  33. Re: encryption madness (Glenn Busbin 2003)
  34. Re: encryption madness (Bob Minor 2003)
  35. encryption madness (Kimberly D. Walls 2003)
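
A Python model of the URL / UNURL layering Brian Fries describes in the message above, driven by the kind of random-seed round-trip loop Andrew Simpson suggests; it is an added example, not code from the thread or from WebDNA. `toy_cipher`, `append_field` and `read_field` are hypothetical stand-ins: the cipher is not WebDNA's algorithm, and the tab-delimited record with an implied UNURL on write is an assumption based on the description in the message.

```python
import hashlib
import random
from urllib.parse import quote_from_bytes, unquote_to_bytes

def url(b: bytes) -> bytes:        # models [url]...[/url]
    return quote_from_bytes(b, safe="").encode("ascii")

def unurl(b: bytes) -> bytes:      # models [unurl]...[/unurl]
    return unquote_to_bytes(b)

def toy_cipher(seed: bytes, data: bytes) -> bytes:
    """Stand-in for [encrypt]/[decrypt]; NOT WebDNA's algorithm.
    XOR with a SHA-256 keystream, so the output is arbitrary binary."""
    stream = b"".join(hashlib.sha256(seed + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def append_field(value: bytes) -> bytes:
    """Assumed model of [append]: implied UNURL on the parameter, then the
    result is written as one field of a tab-delimited, one-line record."""
    return b"sku1\t" + unurl(value) + b"\n"

def read_field(record: bytes) -> bytes:
    # A reader that trusts the delimiters: first line, second field.
    return record.split(b"\n")[0].split(b"\t")[1]

def roundtrip(seed: bytes, data: bytes, double_url: bool) -> bytes:
    t_en = url(toy_cipher(seed, data))            # URL once, outside ENCRYPT
    written = url(t_en) if double_url else t_en   # second URL only for storage
    enc_field = read_field(append_field(written))
    return toy_cipher(seed, unurl(enc_field))     # UNURL inside DECRYPT

def fuzz(trials: int, double_url: bool, rng_seed: int = 1) -> int:
    """Count round-trip mismatches over random seeds and random binary data."""
    rng = random.Random(rng_seed)
    bad = 0
    for _ in range(trials):
        seed = bytes(rng.randrange(33, 127) for _ in range(6))
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 40)))
        bad += roundtrip(seed, data, double_url) != data
    return bad

if __name__ == "__main__":
    print("double URL on write, failures:", fuzz(2000, True))
    print("single URL on write, failures:", fuzz(2000, False))
```

In this model the single-URL write fails only when the raw ciphertext happens to contain a delimiter or a `%hh` sequence, which is why a handful of manual tests can pass while a long random run does not.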
