ColdFusion 7 Strong Encryption

coldfusion

ColdFusion MX 7 adds strong encryption support to the Encrypt and Decrypt functions. In addition to the legacy algorithm used by Encrypt and Decrypt, ColdFusion MX 7 now makes it very easy to use AES, Blowfish, DES, and Triple DES encryption. It also adds the ability to encode the encrypted string using three different binary-to-text encodings: Base64, hexadecimal, and UUEncode.

Here's an example:

<!--- options for algorithm are
CFMX_COMPAT (default), AES, BLOWFISH, DES, and DESEDE --->
<cfset algorithm = "AES">
<!--- encoding options, Base64, hex, or uu --->
<cfset encoding = "hex">
<!--- generate a key --->
<cfset key = GenerateSecretKey(algorithm)>
<cfset str = "This is my secret string." >
<cfset enc = Encrypt(str, key, algorithm, encoding)>
<cfset dec = Decrypt(enc, key, algorithm, encoding)>
<cfoutput>
<pre>
string=#str#
encrypted=#enc#
decrypted=#dec#
key=#key#
algorithm=#algorithm#
</pre>
</cfoutput>

Encoding

The default encoding is UUEncode; this is not the best choice if you need to pass the encrypted value around, because it uses the widest range of characters. The safest choice for encoding is hex, which uses only the characters A-F and 0-9, but it also yields the longest string. The next best choice is Base64, which uses the characters a-z, A-Z and 0-9, and sometimes ends with = signs for padding.
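As an added illustration of the trade-off just described (not code from the original post), this Python script encodes a constructed 32-byte stand-in for an AES ciphertext with the same three encodings ColdFusion offers, compares their length and how safely each survives a URL or form field, and shows what happens when the decoding side uses a different encoding than the one used by Encrypt:

```python
import base64
import binascii
import string

# Constructed sample: 32 bytes standing in for an AES ciphertext (two 16-byte
# blocks). Real ciphertext is effectively random, so any byte value can occur.
SAMPLE_CIPHERTEXT = bytes(range(0, 256, 8))
# Characters that survive a URL or form field unchanged (RFC 3986 unreserved set).
URL_SAFE = set(string.ascii_letters + string.digits + "-_.~")

def encode(data: bytes, encoding: str) -> str:
    """Encode raw ciphertext the three ways Encrypt() offers: hex, base64, uu."""
    if encoding == "hex":
        return binascii.hexlify(data).decode("ascii").upper()
    if encoding == "base64":
        return base64.b64encode(data).decode("ascii")
    if encoding == "uu":
        # uuencode emits lines of at most 45 input bytes, each ending in "\n".
        return "".join(binascii.b2a_uu(data[i:i + 45]).decode("ascii")
                       for i in range(0, len(data), 45))
    raise ValueError("unknown encoding: " + encoding)

def decode(text: str, encoding: str) -> bytes:
    """Reverse encode(); raises binascii.Error on input in the wrong alphabet."""
    if encoding == "hex":
        return binascii.unhexlify(text)
    if encoding == "base64":
        return base64.b64decode(text, validate=True)
    if encoding == "uu":
        return b"".join(binascii.a2b_uu(line) for line in text.splitlines())
    raise ValueError("unknown encoding: " + encoding)

def compare_encodings(data: bytes) -> dict:
    """Length, alphabet size and transport safety of each encoding of data."""
    report = {}
    for enc in ("hex", "base64", "uu"):
        text = encode(data, enc).rstrip("\n")
        report[enc] = {"length": len(text),
                       "distinct_chars": len(set(text)),
                       "url_safe": all(c in URL_SAFE for c in text)}
    return report

def decodes_correctly(data: bytes, encode_as: str, decode_as: str) -> bool:
    """True only when both sides agree on the encoding; a mismatch yields the
    wrong bytes or an exception, which Decrypt() surfaces as a padding error."""
    try:
        return decode(encode(data, encode_as), decode_as) == data
    except (binascii.Error, ValueError):
        return False
```

Hex comes out URL-safe but twice the length of the raw bytes, while Base64 and uu both contain characters that a URL or form post will alter or strip.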

Encryption Algorithms

The DES (Data Encryption Standard) algorithm was developed in the US in the 1970s by the NSA. DES is no longer considered secure: it can be broken in hours or days by exhaustive key search, since there are only around 72 quadrillion possible keys.

Triple DES (DESEDE) makes DES harder to break: we encrypt using one key, encrypt using another key, and finally decrypt using the first key. Triple DES is still considered a secure algorithm and is in wide use.

The AES/Rijndael (Advanced Encryption Standard) algorithm is your strongest choice: it uses keys of at least 128 bits (128, 192, or 256), and it even executes faster than DES and Triple DES (which use 56-bit keys).

"Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key." (NIST AES Fact Sheet)
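Carrying the NIST figure through as an added derivation (not part of the original post): the hypothetical machine tests $2^{55}$ keys per second, which is one DES key per second because an exhaustive search is expected to succeed after trying half of the $2^{56}$ DES keys. Applying the same half-keyspace expectation to a 128-bit AES key gives

$$
T = \frac{2^{128}/2}{2^{55}\ \text{keys/s}} = 2^{72}\ \text{s} \approx 4.7 \times 10^{21}\ \text{s} \approx \frac{4.7 \times 10^{21}}{3.15 \times 10^{7}\ \text{s/year}} \approx 1.5 \times 10^{14}\ \text{years},
$$

i.e. roughly 149 trillion years, matching the quoted figure.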

The Blowfish algorithm was also designed as a replacement for DES. It uses variable key lengths (32-448 bits) and is appropriate for both domestic (US) and international use. Blowfish is significantly faster than DES (20x).

Algorithm    Strength   Speed                                              Key Length
DES          Low        Slow                                               2^56
Triple DES   Good       Slowest                                            2^56
Blowfish     Strong     Fast, but time consuming to initialize a new key   2^32 - 2^448
AES          Strong     Fast                                               2^128, 2^192, 2^256

Other sources: An introduction to modern crypto systems, Do we need AES?, and Description of a new variable-length key, 64-bit block cipher (Blowfish) are all good reads.

Comments

On 02/10/2005 at 5:05:32 PM EST Rob Brooks-Bilson wrote:
1
Pete,

One interesting thing I pulled from the docs on the new encryption features is this gem:

"The JCE framework includes facilities for using other provider implementations; however, Macromedia cannot provide technical support for third-party security providers."

What this means is that the encryption framework in CF is now pluggable, and you can theoretically add any additional encryption types supportable through JCE.

On 02/10/2005 at 6:01:18 PM EST Peter J. Farrell wrote:
2
It's a little disappointing that SHA1, SHA256, SHA512 and their variations weren't included in the new encryption.

SHA was developed as a replacement for triple-DES. I would use SHA-1 or higher over triple-DES any day.

"SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 are the required secure hash algorithms for use in U.S. Federal applications, including use by other cryptographic algorithms and protocols, for the protection of sensitive unclassified information. FIPS PUB 180-1 also encouraged adoption and use of SHA-1 by private and commercial organizations." - http://en.wikipedia.org/wiki/SHA1

Try SHA1 at: http://www.cs.eku.edu/faculty/styer/460/Encrypt/JS-SHA1.html (sorry, will not work for Safari users)

.pjf

On 02/10/2005 at 6:17:00 PM EST Dave Carabetta wrote:
3
I'm sure this is a stupid question but, based on your post, why would you use anything other than the AES algorithm (CF-wise, at least) if it's both the strongest and fastest option?

On 02/10/2005 at 6:21:36 PM EST Pete Freitag wrote:
4
Dave, blowfish might be faster in some cases, depends how you use it.

You might also use other encryption methods if you're integrating with a legacy system, or there are cryptography restrictions (Blowfish is safe to use internationally).

On 02/10/2005 at 6:24:48 PM EST Peter J. Farrell wrote:
5
I don't think it's a stupid question.

I can think of a couple of things: 1. Being compatible with older systems or authentication methods - web services, interfacing with other systems, etc. 2. If I remember correctly, AES is subject to U.S. customs export controls. In short, it would be illegal to export it to specific countries (the list is quite long, if I remember correctly).

Best, .pjf

On 02/10/2005 at 6:37:06 PM EST Dave Carabetta wrote:
6
Thanks Pete and Peter, this makes sense.

Regards, Dave.

On 02/11/2005 at 3:58:28 PM EST Anj wrote:
7
Peter - SHA-1 and AES serve two entirely different purposes. AES is a data encryption/DECRYPTION protocol.

SHA-1, et al, are hashing functions - it's a one-way encrypt. You can't take an SHA-1 encryption and restore the original data.

On 02/11/2005 at 7:08:09 PM EST Peter J. Farrell wrote:
8
Anj,

Yeah, I wasn't very clear about that - SHA is a one-way hash. I wasn't thinking about decrypting anything. Just about a translucent DB I was working on.

.pjf

On 02/11/2005 at 7:19:11 PM EST Rob Brooks-Bilson wrote:
9
.pjf,

If you don't mind using UDFs, there are ones for SHA1, SHA256, and RIPEMD160 over at cflib.org.

On 02/11/2005 at 7:22:49 PM EST Peter J. Farrell wrote:
10
Thanks Rob, I already use them... ;-)

.pjf

On 05/01/2005 at 11:45:47 PM EDT Derek wrote:
11
What about encoding... which is the best choice?

On 07/14/2005 at 8:05:35 PM EDT Dan wrote:
12
Does anyone know of any new CF7 features regarding asymmetrical public/private key schemes? I've read this article (http://cfdj.sys-con.com/read/46359.htm) but was just wondering if anything was easier in 7.

On 03/03/2006 at 11:15:16 PM EST mona wrote:
13
Dear, I was able to encrypt data using 128-bit AES, but could not decrypt it (I used asHex()). It's showing a BadPadding exception. Please help me.

On 05/29/2006 at 6:06:56 AM EDT Shyam wrote:
14
How do I decrypt passwords which are encrypted by the SHA1 algorithm?

On 05/29/2006 at 12:37:32 PM EDT Peter J. Farrell wrote:
15
Shyam, SHA is a one-way hashing algorithm. Once hashed, there is no way to un-hash the text. A lot of systems use this type of encryption for passwords. In order to compare the passwords, you take the user input and hash it and then compare it to the hash in your DB. If they match, then the person entered the correct password.

On 12/12/2006 at 2:39:59 PM EST gregory wrote:
16
Has anyone ever written a version of DES that uses an extension of 3DES, thereby creating 7DES, e.g. (EDEDEDE and DEDEDED), which uses 7 56-bit keys plus cipher block chaining? If you would like such a program, contact me at <gdk2008uk@hotmail.co.uk>

On 02/16/2007 at 3:13:45 PM EST AJ wrote:
17
So you are saying there is no way to decrypt SHA-1 passwords even if I have the key?

On 07/04/2007 at 3:52:27 AM EDT Specifyiing IV & Key Values wrote:
18
I had a total nightmare getting AES to work. The third party we're working with specifies both key and initialization vector and there's almost no documentation on this for CF.

I've got some notes (and step by step details) at http://tales-of-coldfusion.blogspot.com/ if anybody needs it.

On 07/23/2007 at 9:20:47 AM EDT irfan wrote:
19
Will you please tell me what BASE64 is, and explain with some example...

On 11/04/2008 at 3:42:37 PM EST slee wrote:
20
What data type should you use to store the encrypted value if you select the AES algorithm and use hex for the encoding?

On 06/11/2009 at 6:51:02 AM EDT john wrote:
21
Can anyone help me out in writing sample code for TRIPLEDES encryption?

On 02/12/2011 at 4:04:36 AM EST Brad wrote:
22
Good stuff! Thanks for sharing.
