Encryption Issues with ColdFusion

Question

I'm trying to store some encrypted (short) information in a cookie. I'm generating a short string (around 64 chars), generating the key using generateSecretKey(), and attempting either AES or Blowfish encryption.

I've tried the default UUEncoding, Base64, and Hex using the parameters in the encode() and decode() functions.

With AES, I get the error

An error occurred while trying to encrypt or decrypt your input string: com.rsa.jsafe.crypto.dr: Could not perform unpadding: invalid pad byte..

With Blowfish, I get the error

An error occurred while trying to encrypt or decrypt your input string: Given final block not properly padded.

What am I doing wrong?

Answer 1

Due to time constraints, we ended up using cfmx_copat encryption.

I apologize to both people who answered, as I never was able to experiment with their responses as fully as I would have liked.

Answer 2

Blowfish has a 64 bit block size, that is 8 bytes. AES has a block size of 128 bits, that is 16 bytes.

Block size implies it can only do that size blocks. So something with a block size of 8 bytes cannot do 7,6,5,4,3,2,1 bytes.

If you have less than th required number of bits or bytes (8 and 16 bytes here), you have to pad those with something to arrive at a 8/16 byte long block. (Padding in English means you have to append unused bits/bytes - sometimes of content prescribed by the protocol/algorithm, sometimes content doesn't matter) until you have something that is of the required size.)

Both errors complain about bad padding. So my hunch is that you are not passing the right size (length) of data to the encryption/decryption algorithms. Check your documentation to see whether they accept as input data:

• exactly one block (8 or 16 bytes here)
• an exact multiple of the block size (= in this case you will have to do the padding)
• an arbitrary size of data (= you don't have to do padding - but then why did you get the error to begin with?)

Any chance you have accidentally done your UU/Base64/Hex encoding before the encryption step?

You should:

• do the encryption first,
• then the UU/Base64/Hex Encoding,
• then sending the data out.

Obviously, reverse the sequence upon receipt of the data:

• first UU/Base64/Hex decode,
• then decrypt,
• then use the data.

Answer 3

I am not sure which version you are using, but this seems to work fine with CF9, OpenBD and Railo (using either AES or Blowfish)

<!--- create an encrypted cookie --->
<cfset text = "testing, 1, 2, 3" >
<cfset key = generateSecretKey("AES")>
<cfset encrypted = encrypt(text, key, "AES", "hex")>
<cfcookie name="secretValue" value="#encrypted#">

<!--- display test values used--->
<form method="post">
    DEBUG:<hr />
    <cfoutput>
    Text: #text#<br />
    Key: #key#<br />
    Encrypted:  #encrypted# <br />

    <input type="hidden" name="text" value="#text#">
    <input type="hidden" name="key" value="#key#">
    <input type="submit" value="Decrypt Cookie"> 
    </cfoutput>
</form>

<!--- decrypt test values --->
<cfif structKeyExists(FORM, "key") AND structKeyExists(COOKIE, "secretValue")>
    <cfset decrypted = decrypt(cookie.secretValue, key, "AES", "hex") >
    <cfoutput>
        form.text = #text# <br />
        form.key = #key# <br />
        cookie.secretValue = #cookie.secretValue# <br />
        decrypted = #decrypted# <br />
    </cfoutput>
</cfif>