Decrypt_Blowfish tag

Decrypt_Blowfish tag

Patrick Larkin-2
Hello -

On one page, I have a URL with an ID encrypted with the Blowfish tag:

http://MyHost/item.lasso?id=d6e6254ae6321dd2

Then on the item.lasso page, I use Decrypt_Blowfish to get the actual item ID and show the results.  

This all works but if a user tries goofing around with the URL - like adding a character:

http://MyHost/item.lasso?id=d6e6254ae6321dd2x

I get the following Lasso error blowing my scheme and scaring users.  :)

------------------
Invalid data passed to Decrypt_BlowFish. The data was less that 16 characters long or was not an even number of characters. 'd6e6254ae6321dd2x'
------------------

What's the best way to deal with this situation?  


Patrick

#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

RE: Decrypt_Blowfish tag

Daniel Logue
You can protect it:

protect;
        handle_error;
                ('Sorry, but you goofed with the URL.');
                abort;
        /handle_error;
        decrypt_blowfish(...);
/protect;

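An added example (Python rather than Lasso, and not code from any poster in this thread) of rejecting a tampered `id` value without surfacing an error page: it first applies the length rules quoted in the Decrypt_BlowFish error message, then a hex check, then verifies an HMAC-SHA256 tag so that edits which keep the shape valid are also caught. The HMAC tag stands in for the Blowfish tags because Python's standard library has no Blowfish, so the ID here is authenticated rather than hidden; the key, the token layout and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real site loads its key from server-side config.
KEY = b"constructed-demo-key"
ID_HEX = 16    # 8-byte item ID, hex-encoded
TAG_HEX = 16   # first 8 bytes of HMAC-SHA256, hex-encoded
HEX = set("0123456789abcdef")


def _tag(id_hex: str) -> str:
    """Truncated HMAC-SHA256 over the hex ID."""
    return hmac.new(KEY, id_hex.encode("ascii"), hashlib.sha256).hexdigest()[:TAG_HEX]


def make_token(item_id: int) -> str:
    """Build the value placed in ?id=...; hex only, so it needs no URL encoding."""
    if not 0 <= item_id < 2 ** 64:
        raise ValueError("item_id out of range")
    id_hex = format(item_id, "016x")
    return id_hex + _tag(id_hex)


def check_token(token):
    """Return (item_id, None) for a valid token, else (None, reason).

    The reason is meant for the server log, never for the response body.
    """
    if not isinstance(token, str):
        return None, "missing"
    # The two preconditions the Decrypt_BlowFish error message states.
    if len(token) < 16 or len(token) % 2:
        return None, "bad-length"
    if len(token) != ID_HEX + TAG_HEX:
        return None, "unexpected-size"
    if not set(token) <= HEX:
        return None, "not-hex"
    id_hex, tag = token[:ID_HEX], token[ID_HEX:]
    # Constant-time comparison; catches edits that still look well formed.
    if not hmac.compare_digest(tag, _tag(id_hex)):
        return None, "bad-tag"
    return int(id_hex, 16), None


def handle_request(token) -> str:
    """Every failure gets the same response, so probing the URL reveals nothing."""
    item_id, _reason = check_token(token)  # log _reason server-side
    if item_id is None:
        return "404 Item not found"
    return f"200 Item {item_id}"


if __name__ == "__main__":
    good = make_token(4711)
    for candidate in (good, good + "x", "d6e6254ae6321dd2x", None):
        print(repr(candidate), "->", handle_request(candidate))
```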

RE: Decrypt_Blowfish tag

Rick Draper-2
In reply to this post by Patrick Larkin-2
Hi Patrick,

If this is 8.*, can I suggest you use blowfish2? (http://reference.lassosoft.com/Reference.LassoApp?[Encrypt_BlowFish2]) There were known issues when using the first implementation.

Very best regards,

Rick




Re: Decrypt_Blowfish tag

Neil Enock
The trouble with Blowfish2 is that it doesn't give you a URL-safe code.  I tried using it for that and it put a bunch of characters that had to be encoded in the result - not useable for me.

Neil
--
    Chromata: Custom B2C, B2B Website Design, Hosting & Marketing
                       ePrint-Network: i-t-p:  internet to Print
             Cribscapes.com:  Incredible 3D Cribbage Boards!

ph 403.452.5253         http://www.chromata.com         [hidden email]
fx 877.509.1771         http://www.ePrint-Network.com   [hidden email]






Re: Decrypt_Blowfish tag

Trevor Borgmeier


RE: Decrypt_Blowfish tag

Rick Draper-2
In reply to this post by Neil Enock
> The trouble with Blowfish2 is that it doesn't give you a URL-safe code.  I tried using it for that and it put a bunch of characters that had to be encoded in the result - not useable for me.

Hi Neil,

If you are using a value in a URL (irrespective of source), it is always wise to wrap it in encode_url (or strict).  Note that the Lasso 9 implementation uses blowfish2 (although the 2 has been dropped from the method name).

Very best regards,


Rick



Re: Decrypt_Blowfish tag

Patrick Larkin-2
In reply to this post by Daniel Logue
Thanks!


Patrick




Re: Decrypt_Blowfish tag

Neil Enock
In reply to this post by Rick Draper-2
Hi Rick,

I've just encrypted 600,000 URLs with 8.5 Blowfish and am wondering if you can tell me what the 'Issues' are.  

Many of these are already quite literally hard-coded (into wood)!  Scan the cube at http://www.QR-Cube.com and you will see what I mean.

If I'm going to have issues I need to program around the issues now!

Thanks,
Neil

Re: Decrypt_Blowfish tag

stevepiercy
In theory, you should be able to [decrypt_blowfish] URLs that
were encrypted with [encrypt_blowfish], then [encrypt_blowfish2]
the result so that it is interoperable with third party implementations.

If, however, you do not need third party interoperability, then
there is no need to change to blowfish2.  The original blowfish
tags still work just fine.

Unfortunately the change notes are rather vague on what exactly
were the issues.

--steve


-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Steve Piercy               Web Site Builder               Soquel, CA
<[hidden email]>                  <http://www.StevePiercy.com/>


Re: Decrypt_Blowfish tag

Neil Enock
Sounds like I should be OK then,

Thanks,
Neil

Re: Decrypt_Blowfish tag

French, Shelane
In reply to this post by stevepiercy
I never could get blowfish2 to work with the blowfish encryptions in php.
We were hoping to have an app work internally in Lasso and another work
externally in php for the same data. However, we were going to have to
secure sensitive data in the database but could not successfully decrypt
in lasso what was encrypted in php or vice versa.


RE: Decrypt_Blowfish tag

Rick Draper-2
Hi Shelane,

Cross platform encryption / decryption can be painful to get right, but we have done so and I wouldn't want your post to be the final word on this.  We have solutions using a variety of encryption techniques, including storing and transferring encrypted data to 3rd parties.  The choice of algorithm and key handling is the underlying challenge, but it can be done (and in accordance with the RFCs).

Very best regards,

Rick  


Re: Decrypt_Blowfish tag

James Harvard
I’ve been having a frustrating time trying to use Lasso for encryption too. FWIW I think that’s partly down to the pretty limited Lasso (8.6) encryption tags but also substantially due to encryption being inherently complicated (and, after all, I’m sitting here trying to make people’s web sites work, rather than making or breaking ciphers for GCHQ).

This has worked for me for passing encrypted data from Lasso to PHP:

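<?lassoscript
// Encrypt with Blowfish in CBC mode, then base64-encode the result for transport.
var('for_php') = encode_base64(cipher_encrypt( 'Hello world', -cipher='BF-CBC', -key='16_char_password' )) ;
?>

<?php
// $ciphertext holds the base64 string produced by the Lasso code above.
$from_lasso = mcrypt_decrypt( MCRYPT_BLOWFISH, '16_char_password', base64_decode($ciphertext), MCRYPT_MODE_CBC );
?>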

I had to suppress a PHP warning from mcrypt about not using an initialisation vector (iv) thus:
error_reporting( error_reporting() & ~E_WARNING);

HTH,
James
