[encrypt] and [decrypt] allow you to store sensitive data in your databases without risk of exposing it to prying eyes.
[encrypt seed=secret_value]passwords, credit card number, etc.[/encrypt]
[decrypt seed=secret_value][YourEncryptedField][/decrypt]
[encrypt method=blowfish&seed=secret_value]passwords, credit card number, etc.[/encrypt]
Do not lose or change your seed value, as it is unrecoverable; even the programmers at WSC cannot recover encrypted values without the original seed.
[replace ...]UserPassword=[url][url][Encrypt seed=1234][UserPassword][/Encrypt][/url][/url][/replace]
[search ...][founditems]
[sendmail ...]
Your password is:
[decrypt seed=1234][unurl][UserPassword][/unurl][/decrypt]
[/sendmail]
[/founditems][/search]
Wrap the output of [encrypt] in [url] when you store it and in [unurl] when you read it back, so the value reaches [decrypt] exactly as [encrypt] produced it. How many of each you need depends on where the value is kept:
type | ratio of [url]'s to [unurl]'s | example
---|---|---|
Variables | 1 to 1 | [text]var=some value[/text] |
Databases | 2 to 1 | [text]var=some value[/text] |
Cookies | 2 to 0 | [text]var=some value[/text] |
Orderfile | 2 to 1 | [text]var=some value[/text] |
Parameter | Description |
---|---|
method | (optional) "CyberCash", "APOP", "Base64", "SHA1", "blowfish", "AES", "SHA256", "GCM" (as aesgcm or twofishgcm), "twofish" or "bcrypt". If not specified, standard WebDNA encryption is used. CyberCash is the triple-DES encryption used to communicate with the CyberCash CashRegister servers. Base64 is an encoding, not encryption: it is what browsers use for HTTP Basic Authentication and gives no secrecy at all. APOP is the MD5 hash used by mail servers that support APOP authentication. A hash is a one-way function that turns a string or data source into a fixed-length, random-looking digest that cannot be turned back into the input. Blowfish is a symmetric-key block cipher designed in 1993 by Bruce Schneier; it is fast in software and no practical break of the cipher itself is known, but its 64-bit block size means Twofish or AES is the better choice in most cases. The following methods were added in WebDNA 8.1: SHA256 is one of the strongest hash methods available (a Secure Hash Standard algorithm; no way is known to recover the input from the digest). Twofish is a symmetric-key block cipher with a 128-bit block and key sizes up to 256 bits, related to Blowfish and an improvement on it. AES (Advanced Encryption Standard) is the block cipher standardised by the U.S. National Institute of Standards and Technology and included in ISO/IEC 18033-3; it has been adopted by the U.S. government, is used worldwide, and is the first publicly available cipher approved by the National Security Agency for Top Secret information when used in an NSA-approved cryptographic module. Added in WebDNA 8.2: SHA1, which is considered weak but is still required by some services such as Cloudify. GCM (Galois/Counter Mode) is a mode of operation for symmetric block ciphers, widely adopted for its efficiency; it is an authenticated encryption mode that provides both confidentiality and integrity, so a modified ciphertext is rejected rather than decrypted to garbage (see below for how to use it in WebDNA). Bcrypt (added in 8.6) is a salted password-hashing scheme that conforms to current practice. |
seed | (required, except for Base64, SHA256 and APOP/MD5, none of which takes a key) Key used to encrypt the text. For CyberCash, this is the MerchantKey you were assigned when you created a CyberCash merchant account; CyberCash encryption is one-way and cannot be decrypted by your server. For standard WebDNA encryption this is your secret key, and the identical value must be given to [decrypt] later. For bcrypt, passing a previously generated hash as the seed re-hashes a candidate password with that hash's salt and cost, which is how a login is checked (see the bcrypt examples below). |
file | (optional) Specifies a file that is to be encoded using Base64. This is useful for sending e-mail attachments using the WebDNA sendmail context. Note that anything between the opening and closing encrypt tag will be ignored if this parameter is present. |
emailformat | (optional) For Base64 only, this specifies whether the encoded string should contain line breaks suitable for e-mail applications. Valid values are 'T' or 'F', the latter being the default. Use it together with the file parameter above when sending e-mail attachments from a WebDNA template. |
Hash algorithms are one-way functions. They turn any amount of data into a fixed-length "fingerprint" that cannot be reversed, and changing even a single bit of the input produces a completely different hash. This is exactly what you want for passwords: the stored value must be useless to anyone who obtains a copy of the password table, yet it must still let you check that a user's password is correct.
When the user logs in, the password they entered is hashed and compared with the hash stored for them in the database. If the two match, the user is granted access; if not, they are told the login credentials are invalid. The password itself is never stored. With bcrypt the stored hash also carries its own salt and cost factor (the $2y$10$ prefix in the example below), so the check is made by re-hashing the submitted password with the stored hash as the seed and comparing the result with the stored hash.
Create a salted bcrypt hash of a new password (each call gives a different result because bcrypt chooses a fresh salt):
[encrypt method=bcrypt]secretpassword[/encrypt]
Store the result, for example:
[text]myhash=$2y$10$jVw1GVXv56uAr2.zDDriK.BkuxORc1y9.qJbkGyRDLWK26Gy3hRSq[/text]
To verify a login, re-hash the submitted password with the stored hash as the seed; the output equals [myhash] only if the password is correct:
[encrypt method=bcrypt&seed=[myhash]]secretpassword[/encrypt]
The optional prefix and count (cost factor) parameters can be set when the hash is created:
[encrypt method=bcrypt&prefix=$2a$&count=12]password[/encrypt]
Neither optional parameter is required, but whatever was used when a hash was created must be used again when it is checked; otherwise verification fails.
A failure produces this output:
Exception in DECRYPT command: HashVerificationFilter: message hash or MAC not valid.
The GCM methods, aesgcm and twofishgcm, take the usual seed plus three optional parameters: iv (the initialisation vector), adata (additional data that is authenticated but not encrypted, so [decrypt] must receive it unchanged) and tagsize (the length of the authentication tag in bytes). If iv is omitted, WebDNA generates one and prepends it to the hex output, and [decrypt] reads it back from the front of the ciphertext; compare the two twofishgcm decrypts below, where the second input begins with the iv that the first passes explicitly. If you supply your own iv, never use the same iv twice with the same seed: a repeated (seed, iv) pair under GCM exposes the XOR of the two plaintexts and lets an attacker forge tags. A short tagsize such as 8 also makes forged ciphertexts easier to pass off as genuine, so leave tagsize unset unless something you interoperate with requires a particular value. Any mismatch in seed, iv, adata or tagsize, or any change to the ciphertext, produces the HashVerificationFilter error shown above.
TWOFISHGCM:
[encrypt method=twofishgcm&seed=secret_value]Twofish: passwords, credit card number, etc.[/encrypt]
AESGCM:
[encrypt method=aesgcm&seed=secret_value]passwords, credit card number, etc.[/encrypt]
AESGCM with IV and ADATA and TAGSIZE:
[encrypt method=aesgcm&seed=secret_value&iv=0123456789abcdef&adata=abcdefabcdef&tagsize=8]passwords, credit card number, etc.[/encrypt]
[decrypt method=twofishgcm&seed=secret_value&iv=89e12236ce056aa2&adata=89e12236ce056aa2]999fe9ff644e7e835c3d9d46cfedce88b2de6d1b5d114e29f161e6246d40380b639e73f006a073db567c6e7aa5740f9db45d81fd6a646cbd[/decrypt]
[decrypt method=twofishgcm&seed=secret_value]89e12236ce056aa2999fe9ff644e7e835c3d9d46cfedce88b2de6d1b5d114e29f161e6246d40380b639e73f006a073db567c6e7aa5740f9db45d81fd6a646cbd[/decrypt]
[decrypt method=aesgcm&seed=secret_value]1a0ce107ed9ede09835b4c25336d8fd49699d21edd4fa365c545ed52b598b341df124b606934ca10f09bd31fbd3f03e993ca82c3f4d0eb[/decrypt]
[decrypt method=aesgcm&seed=secret_value&iv=0123456789abcdef&adata=abcdefabcdef&tagsize=8]7888f14d14bf5d87df292ad7171d391b9da2d6d42da0247683e95d2774bac82e580bde64c9e56bd97e8783[/decrypt]
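An added example, in Go against the standard library's AES-GCM, of what the aesgcm parameters above do; it is not WebDNA's code and will not produce WebDNA's ciphertexts. iv is optional and, when omitted, is generated and prepended to the hex output exactly as the twofishgcm pair above shows; adata is bound into the tag without being encrypted; tagsize sets the tag length. Assumptions, because the page does not specify them: the key is SHA-256 of the seed, the IV is 12 bytes (Go's GCM default), and the names Encrypt, Decrypt and keyFromSeed are the example's own. Go refuses tags shorter than 12 bytes, so the page's tagsize=8 cannot be reproduced here; that refusal is deliberate and worth imitating. Twofish is not in Go's standard library, so only the AES variant is shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

const defaultTagSize = 16 // full 128-bit GCM tag

// keyFromSeed turns a seed string into a 32-byte AES-256 key.
// ASSUMPTION: SHA-256 of the seed; how WebDNA derives its key is not stated on the page.
func keyFromSeed(seed string) []byte {
	k := sha256.Sum256([]byte(seed))
	return k[:]
}

func newGCM(seed string, tagSize int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyFromSeed(seed))
	if err != nil {
		return nil, err
	}
	// Go rejects tags shorter than 12 bytes: an n-byte tag needs roughly
	// 2^(8n) forgery attempts, and truncated GCM tags additionally leak
	// bits of the authentication key (NIST SP 800-38D, Appendix C).
	return cipher.NewGCMWithTagSize(block, tagSize)
}

// Encrypt mirrors [encrypt method=aesgcm&seed=...&iv=...&adata=...&tagsize=...].
// With iv == nil a random IV is generated and prepended to the output, the
// layout the page's twofishgcm example shows. Returns lowercase hex.
func Encrypt(seed string, iv, adata []byte, tagSize int, plaintext []byte) (string, error) {
	aead, err := newGCM(seed, tagSize)
	if err != nil {
		return "", err
	}
	prepend := iv == nil
	if prepend {
		iv = make([]byte, aead.NonceSize())
		if _, err := rand.Read(iv); err != nil {
			return "", err
		}
	} else if len(iv) != aead.NonceSize() {
		return "", fmt.Errorf("iv must be %d bytes, got %d", aead.NonceSize(), len(iv))
	}
	// A caller-supplied IV must never be reused under the same seed: two
	// messages sealed with one (key, IV) pair expose the XOR of their
	// plaintexts and allow tag forgery.
	sealed := aead.Seal(nil, iv, plaintext, adata)
	if prepend {
		sealed = append(append([]byte{}, iv...), sealed...)
	}
	return hex.EncodeToString(sealed), nil
}

// Decrypt mirrors [decrypt ...]. With iv == nil the IV is taken from the
// leading bytes of the ciphertext. A wrong seed, iv, adata or tagsize, or
// one modified byte, makes Open fail: the analogue of WebDNA's
// "HashVerificationFilter: message hash or MAC not valid".
func Decrypt(seed string, iv, adata []byte, tagSize int, hexCiphertext string) ([]byte, error) {
	aead, err := newGCM(seed, tagSize)
	if err != nil {
		return nil, err
	}
	ct, err := hex.DecodeString(hexCiphertext) // stray whitespace in the hex fails here
	if err != nil {
		return nil, err
	}
	if iv == nil {
		if len(ct) < aead.NonceSize() {
			return nil, errors.New("ciphertext too short to contain an IV")
		}
		iv, ct = ct[:aead.NonceSize()], ct[aead.NonceSize():]
	}
	return aead.Open(nil, iv, ct, adata)
}

func main() {
	msg := []byte("passwords, credit card number, etc.")
	// Embedded-IV form, like [encrypt method=aesgcm&seed=secret_value]
	ct, _ := Encrypt("secret_value", nil, nil, defaultTagSize, msg)
	pt, err := Decrypt("secret_value", nil, nil, defaultTagSize, ct)
	fmt.Println(string(pt), err, bytes.Equal(pt, msg))
	// Explicit IV plus additional data; adata is authenticated but not encrypted.
	iv := []byte("0123456789ab") // 12 bytes, demo only: never reuse under one seed
	ct, _ = Encrypt("secret_value", iv, []byte("abcdefabcdef"), 12, msg)
	_, err = Decrypt("secret_value", iv, []byte("ABCDEFABCDEF"), 12, ct)
	fmt.Println("wrong adata:", err)
}
```

Note that with a fixed iv the output is fully deterministic, which is why the page's iv=0123456789abcdef must be treated as a demonstration value and not a pattern for production: use the embedded-IV form unless the IV is guaranteed unique per message.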
[writefile file=newfile.dna&secure=F]Copyright 2015 Your Name Here
http://www.yourwebsitehere.com/
<!--HAS_WEBDNA_TAGS[!][/!]_ENCRYPTED_2-->
[encrypt]seed=XXXX&product=WDNA[/encrypt]
[encrypt seed=XXXX][include file=file.dna&raw=T][/encrypt][/writefile]
[!][/!] is an empty WebDNA comment, and it is used here as a trick: while the template above is being processed, the marker does not read as <!--HAS_WEBDNA_TAGS_ENCRYPTED_2-->, so WebDNA treats the page as a normal template. The [!][/!] is removed during processing, so the file that [writefile] produces contains the exact marker that identifies an encrypted template.
To prevent anyone from displaying or reading the decrypted source of such a template, [include raw=T] on an encrypted template returns nothing.
Terry Wilson